NL-03-1140, Changes to Technical Specification Bases

From kanterella
(Redirected from NL-03-1140)
Jump to navigation Jump to search
Changes to Technical Specification Bases
ML031640234
Person / Time
Site: Vogtle  Southern Nuclear icon.png
Issue date: 06/11/2003
From: Gasser J
Southern Nuclear Operating Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NL-03-1140
Download: ML031640234 (109)


Text

Jeffrey I Gasser Southern Nuclear W -

Vice President Operating Company. Inc.

40 Inverness Center Parkway Post Office Box 1295 Birmingham, Alabama 35201 Tel 205.992.7721 Fax 205.992.0403 June 11, 2003 SOUTHERN A COMPANY Energy to Serve YourWorW' Docket Nos.: 50-424 NL-03-1140 50-425 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D. C. 20555-0001 Vogtle Electric Generating Plant Changes To Technical Specification Bases Ladies and Gentlemen:

The Vogtle Electric Generating Plant (VEGP) Unit 1 and Unit 2 Technical Specifications, section 5.5.14, Technical Specifications (TS) Bases Control Program, provide for changes to the Bases without prior NRC approval. In addition, TS section 5.5.14 requires that Bases changes made without prior NRC approval be provided to the NRC on a frequency consistent with 10 CFR 50.71(e). Pursuant to TS section 5.5.14, Southern Nuclear Operating Company hereby submits Bases changes made to the VEGP TS Bases under the provisions of TS section 5.5.14. This submittal reflects changes since May 5, 2001 through November 16, 2002.

This letter contains no NRC commitments. If you have any questions, please advise.

Sincerely, ffrey T. Gasser JTG/TDH/daj

Enclosure:

Bases Changes cc: Southern Nuclear Opetating Company Mr. J. D. Woodard, Executive Vice President Mr. W. F. Kitchens, General Manager - Plant Vogtle Mr. M. Sheibani, Engineering Supervisor - Plant Vogtle Document Services RTYPE: CVC7000 U. S. Nuclear Regulatory Commission Mr. L. A. Reyes, Regional Administrator Mr. F. Rinaldi, NRR Project Manager - Vogtle Mr. J. Zeiler, Senior Resident Inspector - Vogtle (O

SR Applicability B 3.0 BASES SR 3.0.2 interval is not specified in the regulabons is the Note in the Containment (contnued) Leakage Rate Testing Program, SR 3.0.2 is not applicable." This exception is provided because the program already includes extension of test intervals.

As stated in SR 3.0.2, the 25% extension also does not apply to the inital portion of a peiodic Complebon Time that requires performance on a once per ..." basis. The 25% extension applies to each performance after the initial performance. The inital performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an altemative manner.

The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with Refueling intervals) or periodic Completion Time intervals beyond those specified.

SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or up to the limit of the specffied Frequency, whichever Is greater, applies from the point in time that It is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.

This delay period provides adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of (continued)

Vogtle Units 1 and 2 B 3.0-12 Rev. 1-4J02

SR Applicability B 3.0 BASES SR 3.0.3 personnel, the me required to perform the Surveillance, (continued) the safety significance of the delay in completing the required Surveillance, and the recogniton that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance with a Frequency based not on bme intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance.

However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a me limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, Inaddition to unit conditions, planning, availability of personnel, and the time required to perForm the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(aX4) and its implementation guidance, NRC Regulatory Guide 1.182, Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluafon should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this (continued)

Vogge Units I and 2 B 3.0-13 Rev. 14/02

SR Applicability B 3.0 BASES SR 3.0.3 evaluation should be used to determine the safest course of action.

(continued) All missed Surveillances will be placed in'the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit.

The provisions of this Specification should not be interpreted as endosing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified conditon in the Applicability.

However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) is not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment.

When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s), since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability.

(continued)

Vogte Units 1 and 2 B 3.0-14 Rev. 24/02

SR Applicability B 3.0 BASES SR 3.0.4 However, since the LCO is not met in this instance, LCO 3.0.4 will (contnued) govem any restrictions that may (or may not) apply to MODE or other specified conditon changes.

The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes In MODES or other specified conditions in the Applicability that result from any unit shutdown.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Altemately, the Surveillance may be stated in the form of a Note as not required (to be met or performed) until a particular event, condition, or time has been, reached. Further discussion of the specific formats of SRs annotation is found in Section 1.4, Frequency.

SR 3.0.4 is only applicable for MODE changes when entering MODE 4 from MODE 5, MODE 3 from MODE 4, MODE 2 from MODE 3, or MODE 1 from MODE 2. Furthermore, SR 3.0.4 Is applicable when entering any other specified condition in the Applicability only while operating MODES 1,2, 3, or 4. The requirements of SR 3.0.4 do not apply in MODES 5 and 6, or in other specified conditions of the Applicability (unless in MODES 1,2, 3, or 4) because the ACTIONS of individual Specificatons sufficiently define the remedial measures to be taken.

Vogtle Units 1 and 2 B 3.0-15 Rev. 2-4/02 l

SDM B 3.1.1 BASES APPLICABLE SDM satisfies Criterion 2 of 10 CFR 50.36 (cX2Xii). Even I SAFETY ANALYSES though it is not directly observed from the control room, (continued) SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.

LCO SDM is a core design condition that can be ensured during operation through control rod positioning (control and shutdown banks) and through the soluble boron concentration.

The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the most limiting analyses that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed 10 CFR 100, "Reactor Site Criteria," limits (Ref. 4). For the boron dilution accident, if the LCO is violated, the minimum required time assumed for operator action to terminate dilution may no longer be applicable. The required SDM is specified in the COLR.

APPLICABILITY In MODES 3, 4, and 5, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration." In MODES 1 and 2, SDM is ensured by complying with LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, Control Bank Insertion Limits."

ACTIONS The ACTIONS table is modified by a Note prohibiting transibon to a lower MODE within the Applicability and entry into MODE 5 from MODE 6. LCO 3.0.4 already prohibits entry into MODE 4 from MODE 5 and into MODE 3 from MODE 4 when SDM requirements are not met.

A.1 If the SDM requirements are not met, boration must be initiated promptly.

A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. It is assumed that (continued)

Vogtle Units 1 and 2 B 3.1.1-4 Rev. 2-10/01

Core Reactivity B 3.1.2 BASES APPLICABLE Design calculations and safety analyses are performed for each fuel SAFETYANALYSES cycle for the purpose of predetermining reactvity behavior and (continued) the RCS boron concentration requirements for reactivity control durng fuel depletion.

The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle life (BOL) do not agree, then the assumptions used in the reload cycle design analysis or the calculational models used to predict soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOL, then the prediction may be normalized to the measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdown curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core bumups beyond BOL, or that an unexpected change in core conditions has occurred.

The normalization of predicted RCS boron concentration to the measured value Is typically performed after reaching RTP following startup from a refueling outage, with the control rods in their normal positions for power operation. The normalization is performed at BOL conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.

Core reactivity satisfies Criterion 2 of 10 CFR 50.36 (cX2)(ii).

LCO Long term core reactivity behavior is a result of the core physics design and cannot be easily controlled once the core design is fixed.

During operation, therefore, the LCO can only be ensured through measurement and tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the Nuclear Design Methodology are larger than expected. A limit on the (continued)

Vogte Units 1 and 2 B 3.1.2-3 Rev. 1-10/01

MTC B 3.1.3 BASES APPLICABLE conditions appropriate to each accident. The bounding value is SAFETY ANALYSES determined by considering rodded and unrodded conditons, whether (continued) the reactor is at full or zero power, and whether it is at BOL or EOL.

The most conservative combina6on appropriate to the accident is then used for the analysis (Ref. 2).

MTC values are bounded in reload safety evaluations assuming steady state conditions at BOL and EOL. An EOL measurement is conducted at conditions when the RCS boron concentration reaches approximately 300 ppm. The measured value may be extrapolated to project the EOL value, in order to confirm reload design predictions.

MTC satisfies Criterion 2 of 10 CFR 50.36 (cX2Xii). Even though it is not directly observed and controlled from the control room, MTC is considered an initial condition process variable because of its dependence on boron concentration.

LCO LCO 3.1.3 requires the MTC to be within specified limits of the COLR to ensure that the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of the original accident analysis during operation.

Assumptions made in safety analyses require that the MTC be less positive than a given upper bound and more positive than a given lower bound. The MTC is most positive at BOL; this upper bound must not be exceeded. This maximum upper limit occurs at BOL, all rods out (ARO), hot zero power conditions. At EOL the MTC takes on its most negative value, when the lower bound becomes Important This LCO exists to ensure that both the upper and lower bounds are not exceeded.

During operation, therefore, the conditions of the LCO can only be ensured through measurement. The Surveillance checks at BOL and EOL on MTC provide confirmation that the MTC is behaving as anticipated so that the acceptance criteria are met (continued)

Vogtle Units 1 and 2 B 3.1.33 Rev. 1-10/01

Rod Group Alignment Limits B 3.1.4 BASES APPLICABLE sufficient reactivity worth is held in the control rods to meet the SDM SAFETY ANALYSES requirement, with the maximum worth rod stuck fully withdrawn.

(continued)

Two types of analysis are performed in regard to static rod misalignment. With control banks at their insertion limits, one type of analysis considers the case when any one rod is completely inserted into the core. The second type of analysis considers the case of a completely withdrawn single rod from a bank inserted to its insertion limit. Satisfying limits on departure from nucleate boiling ratio in both of these cases bounds the situation when a rod is misaligned from its group by 12 steps.

Another type of misalignment occurs if one RCCA falls to Insert upon a reactor trip and remains stuck fully withdrawn. This condition is assumed in the evaluation to determine that the required SDM is met with the maximum worth RCCA also fully withdrawn (Ref. 3).

The Required Actions in this LCO ensure that either deviations from the alignment limits will be corrected or that THERMAL POWER will be adjusted so that excessive local linear heat rates (LHRs) will not occur, and that the requirements on SDM and ejected rod worth are preserved.

Continued operation of the reactor with a misaligned control rod is allowed if the heat flux hot channel factor (FQ(Z)) and the nuclear enthalpy hot channel factor (FH)are verified to be within their limits in the COLR and the safety analysis is verified to remain valid.

When a control rod is misaligned, the assumptions that are used to determine the rod insertion limits, AFD limits, and quadrant power tilt limits are not preserved. Therefore, the limits may not preserve the design peaking factors, and FQ(Z) and FN. must be verified directly by incore mapping. Bases Section 3.2 (Power Distribution Limits) contains more complete discussions of the relation of F0 (Z) and FAH to the operating limits.

Shutdown and control rod OPERABILITY and alignment are directly related to power distributions and SDM, which are initial conditions assumed In safety analyses. Therefore they satisfy Criterion 2 of 10 CFR 50.36 (c)(2Xii).

(continued)

VogUe Units 1 and 2 B 3.1.44 Rev. 1-10/01

Shutdown Bank Insertion Limits B 3.1.5 BASES APPLICABLE a. There be no violations of:

SAFETY ANALYSES (continued) 1. specified acceptable fuel design limits, or

2. RCS pressure boundary integrity; and
b. The core remains subcritical after accident transients.

As such, the shutdown bank insertion limits affect safety analysis involving core reactvity and SDM (Ref. 3).

The shutdown bank insertion limits preserve an initial condition assumed in the safety analyses and, as such, satisfy Criterion 2 of 10 CFR 50.36 (cX2Xii). I LCO The shutdown banks must be within their insertion limits any time the reactor is critical or approaching criticality. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip.

The shutdown bank insertion limits are defined in the COLR.

APPLICABILITY The shutdown banks must be within their insertion limits, with the reactor in MODES 1 and 2. The applicability In MODE 2 begins at initial control bank withdrawal, during an approach to criticality, and contnues throughout MODE 2, until all control bank rods are again fully inserted by reactor trip or by shutdown. This ensures that a sufficient amount of negaive reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. The shutdown banks do not have to be within their insertion limits in MODE 3, unless an approach to criticality is being made. In MODE 3, 4, 5, or 6, the shutdown banks are fully Inserted in the core and contribute to the SDM. Refer to LCO 3.1.1 for SDM requirements in MODES 3, 4, and 5. LCO 3.9.1, Boron Concentration," ensures adequate SDM in MODE 6.

The Applicability requirements have been modified by a Note indicating the LCO requirement is suspended during SR 3.1.4.2. This SR verifies the freedom of the rods to (continued)

Vogtle Units I and 2 B 3.1.5-3 Rev. 1-10/01

Control Bank Insertion Limits B 3.1.6 BASES APPLICABLE Operation at the insertion limits or AFD limits may approach SAFETY ANALYSES the maximum allowable linear heat generation rate or peaking (continued) factor with the allowed QPTR present. Operation at the insertion limit may also indicate the maximum ejected RCCA worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected RCCA worths.

The control and shutdown bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and power distribution peaking factors are preserved (Ref. 3).

The insertion limits satisfy Criterion 2 of 10 CFR 50.36 (cX2Xii), in I that they are initial conditions assumed in the safety analysis.

LCO The limits on control banks sequence, overlap, and physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected rod worth is maintained, and ensuring adequate negative reactivity insertion is available on trip. The overlap between control banks provides more uniform rates of reactivity insertion and withdrawal and is imposed to maintain acceptable power peaking during control bank motion.

APPLICABILITY The control bank sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES 1 and 2 with kf 2 1.0. These limits must be maintained, since they preserve the assumed power distribution, ejected rod worth, SDM, and reactivity rate insertion assumptions. Applicability in MODES 3, 4, and 5 is not required, since neither the power distribution nor ejected rod worth assumptions would be exceeded in these MODES.

The applicability requirements have been modified by a Note indicating the LCO requirements are suspended during the performance of SR 3.1.4.2. This SR verifies the freedom of the rods to move, and requires the control bank to move below the LCO limits, which would violate the LCO.

(continued)

Vogtle Units I and 2 B 3.1.6-4 Rev. 1-10/01

Rod Position Indication B 3.1.7 BASES APPLICABLE outside their limits undetected. Therefore, the acceptance criteria for SAFETY ANALYSES rod position indication is that rod positions must be known with (continued) sufficient accuracy in order to verify the core Is operating within the assumed group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5, Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits"). The rod positions must also be known in order to verify the alignment limits are preserved (LCO 3.1.4, "Rod Group Alignment Limits"). Rod positions are continuously monitored to provide operators with information that ensures the plant is operating within the bounds of the accident analysis assumptions.

The rod position indicator channels satisfy Criterion 2 of 10 CFR I 50.36 (cX2Xii). The rod position indicators monitor rod position, which is an initial condition of the accident.

LCO LCO 3.1.7 specifies that the Digital Rod Position Indication System be OPERABLE for each shutdown and control rod and that the Demand Position Indication System be OPERABLE for each rod group. This operability is demonstrated through the performance of SR 3.1.7.1, which verifies that the digital rod position indication for each rod Is within 12 steps of the applicable group demand position for the full range of rod travel. Additional verification that DRPI is within 12 steps of the demand position indication occurs in accordance with LCO 3.1.4 and SR 3.1.4.1.

This requirement ensures that rod position indicabon during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged. OPERABILITY of the postion indicator channels ensures that inoperable, misaligned, or mispositioned rods can be detected. Therefore, power peaking, ejected rod worth, and SDM can be controlled within acceptable limits.

APPLICABILITY The requirements on the DRPI and step counters are only applicable in MODES I and 2 (consistent with LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6), because these are the only MODES (continued)

Vogtle Units 1 and 2 B 3.1.7-3 Rev. 1-10/01

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 BASES (continued)

APPLICABLE The fuel is protected by LCOs that preserve the initial SAFETY ANALYSES conditions of the core assumed during the safety analyses. The methods for development of the LCOs that are excepted by this LCO are described in the Westinghouse Reload Safety Evaluation Methodology Report (Ref. 4). The above mentioned PHYSICS TESTS, and other tests that may be required to calibrate nuclear instrumentation or to diagnose operational problems, may require the operating control or process variables to deviate from their LCO limitations.

The FSAR defines requirements for initial testing of the facility, including PHYSICS TESTS. Tables 14.2.1-1 and 14.2.1-2 summarize the zero, low power, and power tests. Reload fuel cycle PHYSICS TESTS are performed in accordance with Technical Specification requirements, fuel vendor guidelines, and established industry practices. Athough these PHYSICS TESTS are generally accomplished within the limits for all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. When one or more of the requirements specified in LCO 3.1.3, LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, and LCO 3.4.2 are suspended for PHYSICS TESTS, the fuel design criteria are preserved as long as the power level is limited to 5 5% RTP, the reactor coolant temperature is kept a 5414°F, and SDM is 2 the limit specified In the COLR.

The PHYSICS TESTS include measurement of core nuclear parameters or the exercise of control components that affect process variables. Among the process variables involved are AFD and QPTR, which represent initial conditions of the unit safety analyses. Also involved are the movable control components (control and shutdown rods), which are required to shut down the reactor. The limits for these variables are specified for each fuel cycle in the COLR.

PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications, since the components and process variable LCOs suspended during PHYSICS TESTS meet Criteria 1, 2, and 3 of 10 CFR 50.36 (X2)(ii).

Reference 5 allows special test exceptions (STEs) to be included as part of the LCO that they afect. It was decided, however, to retain this STE as a separate LCO because it was less cumbersome and provided additional clarity.

(continued)

Vogtle Units I and 2 B 3.1.W Rev. 2-1 0/01

FQ(Z)

B 3.2.1 BASES (continued)

APPLICABLE This LCO precludes core power distributions that violate the SAFETY ANALYSES following fuel design criteria:

a. During a large break loss of coolant accident (LOCA), the peak cladding temperature must not exceed 2200°F (Ref. 1);
b. During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a departure from nucleate boiling (DNB) condition;
c. During an ejected rod accident, the fission energy input to the fuel will be below 200 cat/gm (Ref. 2); and
d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 3).

Limits on FQ(Z) ensure that the value of the initial total peaking factor assumed in the accident analyses remains valid. Other criteria must also be met (e.g., maximum cladding oxidation, maximum hydrogen generation, coolable geometry, and long term cooling). However, the peak cladding temperature is typically most limiting.

FQ(Z) limits assumed in the LOCA analysis are typically limiting relative to (i.e., lower than) the Fo(Z) limit assumed in safety analyses for other postulated accidents. Therefore, this LCO provides conservative limits for other postulated accidents.

FQ(Z) satisfies Criterion 2 of 10 CFR 50.36 (c)(2Xii).

LCO To ensure that the Heat Flux Hot Channel Factor, FQ(Z), will remain within limits during steady state operation, FQ(Z) shall be limited by the following relationships which define the steady state limits:

(continued)

Vogtle Units I and 2 B 3.2.1-2 Rev. 1-10101

FaH B 3.2.2 BASES APPLICABLE transients that may be DNB limited are assumed to begin SAFETY ANALYSES with an initial FN as a function of power level defined by the (continued) COLR limit equalion The LOCA safety analysis indirectly models F AH as an input parameter. The Nuclear Heat Flux Hot Channel Factor (FO(Z)) and the axial peaking factors are inserted directly into the LOCA safety analyses that verify the acceptability of the resulting peak cladding temperature (Ref. 3).

The fuel is protected in part by Technical Specifications, which ensure that the initial conditions assumed in the safety and accident analyses remain valid. The following LCOs ensure this: LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," LCO 3.1.7, "Control Bank Insertion Limits,"

LCO 3.2.2, "Nuclear Enthalpy Rise Hot Channel Factor (FN)," and LCO 3.2.1, "Heat Flux Hot Channel Factor (FQ(Z))."

F,&H and FO(Z) are measured periodically using the movable incore detector system. Measurements are generally taken with the core at, or near, steady state conditions. Core monitoring and control under transient conditions (Condition I events) are accomplished by operating the core within the limits of the LCOs on AFD, QPTR, and Bank Insertion Limits.

F,Hsatisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO FN shall be maintained within the limits of the relationship provided in the COLR.

The FH limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has the least heat removal capability and thus the highest probability for DNB.

The limiting value of FH, described by the equation contained in the COLR, is the design radial peaking factor used in the unit safety analyses.

(continued)

Vogtle Units Iand 2 B 3.2.2-3 Rev. 1-10/01

AFD (RAOC Methodology)

B 3.2.3 BASES (continued)

APPLICABLE The AFD is a measure of the axial power distribution skewing SAFETY ANALYSES to either the top or bottom half of the core. The AFD is sensitive to many core related parameters such as control bank positions, core power level, axial bumup, axial xenon distribution, and, to a lesser extent, reactor coolant temperature and boron concentration.

The allowed range of the AFD is used in the nuclear design process to confirm that operation within these limits produces core peaking factors and axial power distributions that meet safety analysis requirements.

The RAOC methodology (Ref. 2) establishes a xenon distribution library with tentatively wide AFD limits. One dimensional axial power distribution calculations are then performed to demonstrate that normal operation power shapes are acceptable for the LOCA and loss of flow accident, and for initial conditions of anticipated transients.

The tentative limits are adjusted as necessary to meet the safety analysis requirements.

The limits on the AFD ensure that the Heat Flux Hot Channel Factor (Fa(Z)) is not exceeded during either normal operation or in the event of xenon redistribution following power changes. The limits on the AFD also restrict the range of power distributions that are used as initial conditions in the analyses of Condition 2, 3, or 4 events. This ensures that the fuel cladding integrity is maintained for these postulated accidents. The most important Condition 4 event is the LOCA. The most important Condition 3 event is the loss of flow accident. The most important Condition 2 events are uncontrolled bank withdrawal and boration or dilution accidents. Condition 2 accidents simulated to begin from within the AFD limits are used to confirm the adequacy of the Overpower AT and Overtemperature AT trip setpoints.

The limits on the AFD satisfy Criterion 2 of 10 CFR 50.36 (cX2Xii).

LCO The shape of the power profile in the axial (i.e., the vertical) direction is under the control of the operator through the manual operation of the control banks.

(continued)

Vogtle Units 1 and 2 B 3.2.3-2 Rev. 2-1 0101

QPTR B 3.2.4 APPLICABLE established to preclude core power distributions that exceed SAFETY ANALYSES the safety analyses limits.

(continued)

The QPTR limits ensure that F AH and FQ(Z) remain below their limiting values by preventing an undetected change in the radial power distribution.

In MODE 1, the Fi and FQ(Z) limits must be maintained to preclude core power distriions from exceeding design limits assumed in the safety analyses.

The QPTR satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii). I LCO The QPTR limit of 1.02, at which corrective action is required, provides a margin of protection for both the DNB ratio and linear heat generation rate contributing to excessive power peaks resulting from X-Y plane power tilts. The value of 1.02 was selected because the purpose of the LCO is to limit, or require detection of, gross changes in core power distribution between monthly incore flux maps. In addition, it is the lowest value of quadrant power tilt that can be used for an alarm without spurious actuation.

APPLICABILITY The QPTR limit must be maintained in MODE I with THERMAL POWER > 50% RTP to prevent core power distributions from exceeding the design limits.

Applicability in MODE I 50% RTP and in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require the implementation of a QPTR limit on the distribution of core power. The QPTR limit in these conditions is, therefore, not important. Note that the FIH and Fa(Z) LCOs still apply, but allow progressively higher peaking factors at 50% RTP or lower.

(continued)

Vogtle Units 1 and 2 B 3.2.4-2 Rev. 1-10101

RTS Instrumentation B 3.3.1 BASES APPLICABLE 6. OvertemDerature AT (continued)

SAFETY ANALYSES, LCO, and has the same effect on AT as a power increase. The APPLICABILITY Overtemperature AT trip Function uses each loop's AT as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:

  • reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature;
  • pressurizer pressure -the Trip Setpoint is varied to correct for changes in system pressure; and
  • axial power distribution - f(AFD)x, the f(AFD) Function is used in the calculation of the Overtemperature AT trip. It is a function of the indicated difference between the upper and lower NIS power range detectors. This Function measures the axial power distribution. The Overtemperature AT Trip Setpoint is varied to account for imbalances in the axial power distributon as detected by the NIS upper and lower power range detectors. If axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the Trip Setpoint is reduced in accordance with Note 1 of Table 3.3.1-1.

Dynamic compensation is included for RTD response time delays.

The Overtemperature AT trip Function is calculated for each loop as described in Note 1 of Table 3.3.1-1. A trip occurs if Overtemperature AT is indicated in two loops. Since the pressure and temperature signals are used for other control functions, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection functon actuation, and a single failure in the other channels providing the protection function actuation.

(continued)

Vogtle Units 1 and 2 B 3.3.1-17 Rev. 18/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE 6. Overtemperature AT (continued)

SAFETY ANALYSES, LCO, and as close as possible to 588.40 F. The value of r for the APPLICABLITY remaining RCS loops will be set appropriately less than 588.40 F based on the actual loop specific indicated Tv,,.

In the case of decreasing temperature, the compensated temperature difference shall be no more negative than 3 OF to limit the increase in the setpoint during cooldown transients.

The engineering scaling calculations use each of the referenced parameters as an exact gain or reference value.

Tolerances are not applied to the individual gain or reference parameters. Tolerances are applied to each calibration module and the overall string calibration. In order to ensure that the Overtemperature AT setpoint is consistent with the assumpfons of the safety analyses, it is necessary to verify during the CHANNEL OPERATIONAL TEST that the Overtemperature AT setpoint is within the appropriate calibration tolerances for the defined calibration conditions (Ref. 9).

The LCO requires all four channels of the Overtemperature AT trip Function to be OPERABLE. Note that the Overtemperature AT Function receives input from channels shared with other RTS Functions. Failures that affect mulfiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overtemperature AT trip must be OPERABLE to prevent DNB. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor Is not operating and there is insufFicient heat production to be concemed about DNB.

(continued)

Vogtle Units 1 and 2 B 3.3.1-19 Rev. 2-8/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE 9. Pressurizer Water Level - High (continued)

SAFETY ANALYSES, LCO, and set below the safety valve setting. Therefore, with APPLICABILITY the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.

In MODE 1, when there is a potential for over filling the pressurizer, the Pressurizer Water Level - High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.

10. Reactor Coolant Flow-Low (LOOP 1 LOOP 2 LOOP 3 LOOP 4 FI-0414 FI-0424 FI-0434 -FI-0444 FI-041 5 FI-0425 FI-0435 FI-0445 FI-0416 FI-0426 FI-0436 FI-0446)

NOTE: The setpoints are given in percent of Loop flow.

a. Reactor Coolant Flow - Low (Single Loon)

The Reactor Coolant Flow - Low (Single Loop) trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to nornal variations In loop flow. Above the P-8 setpoint, which is approximately 48% RTP, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

(continued)

Vogtle Units 1 and 2 B 3.3.1-25 Rev. 1-02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE 19. Automatic Tri Logic (continued)

SAFETY ANALYSES, LCO, and coil to trip the breaker open when needed. Each RTB APPLICABILITY is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

The LCO requires two channels of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor trip.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and the Rod Control System is capable of rod withdrawal.

The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (cX2Xii).

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1.

In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection function(s) affected.

When the number of inoperable channels in a trip Function exceed those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

(continued)

Vogtle Units 1 and 2 B 3.3.1-40 Rev. 1-10/01

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.15 (continued)

REQUIREMENTS Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements; or by the summation of allocation sensor, signal processing, and actuation logic response bmes with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable resonse me tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g.,

vendor) test measurements, or (3) using vendor engineering specifications. WCAP-13632-P-A Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements,"

(Ref. 10), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP.

Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P Revision 1, Elimination of Periodic Protection Channel Response Time Tests," (Ref. 11), provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

As appropriate, each channel's response must be verified every 18 months on a STAGGERED TEST BASIS. Testing of the final actuation devices is included in the testing. Response times cannot be determined during unit operation because equipment operation Is required to measure response (continued)

Vogtle Units 1 and 2 B 3.3.1463 Rev. 3-8/02

RTS Instrumentation B 3.3.1 BASES REFERENCES 2. FSAR, Chapter 6.

(continued)

3. FSAR, Chapter 15.
4. IEEE-279-1971.
5. 10 CFR 50.49.
6. WCAP-1 1269, Westinghouse Setpoint Methodology for Protection Systems; as supplemented by:

Amendments 48 and 49 (Unit 1) and Amendments 27 and 28 (Unit 2), deletion of RTS Power Range Neutron Flux High Negative Rate Trip.

  • Amendments 60 (Unit 1)and 39 (Unit 2), RTS Overtemperature AT setpoint revision.
  • Amendments 57 (Unit 1)and 36 (Unit 2), RTS Overtemperature and Overpower AT time constants and Overtemperature AT setpoint.
  • Amendments 43 and 44 (Unit 1) and 23 and 24 (Unit 2),

revised Overtemperature and Overpower AT trip setpoints and allowable values.

  • Amendments 104 (Unit 1) and 82 (Unit 2), revised RTS Intermediate Range Neutron Flux, Source Range Neutron Flux, and P-6 trip setpoints and allowable values.
  • Amendments 127 (Unit 1) and 105 (Unit 2), revised Overtemperature AT trip setpoint to limit value of the compensated temperature difference and revised the modifier for axial flux difference.
7. WCAP-10271-P-A, Supplement 1, May 1986.
8. FSAR, Chapter 16.
9. Westinghouse Letter GP-1 6696, November 5, 1997.
10. WCAP-13632-P-A Revision 2, Elimination of Periodic Sensor Response Time Testing Requirements," January 1996.

(continued)

Vogtle Units 1 and 2 B 3.3.1-65 Rev. 48102

RTS Instrumentation B 3.3.1 BASES REFERENCES 11. WCAP-14036-P-A Revision 1, 6 Elimination of Periodic (continued) Protection Channel Response Time Tests," October 1998.

12. WCAP-14333-P-A, Rev. 1, October 1998.
13. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.

Vogtle Units 1 and 2 B 3.3.1-6 Rev. 08/02 l

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE e. Safety Iniection - Steam Une Pressure - Low SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY This Function is anticipatory in nature and has a typical lead/lag ratio of 50/5.

Steam Une Pressure - Low must be OPERABLE in MODES 1, 2, and 3 (above P - 11) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P - 11 setpoint. Below P - 11, feed line break is not a concern.

Inside containment, SLB will be terminated by automatic Si actuation via Containment Pressure - High 1, and outside containment SLB will be terminated by the Steam Une Pressure - Negative Rate - High signal for steam line isolation. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

2. Containment SDrav Containment Spray provides two primary functions:
1. Lowers containment pressure and temperature after an HELB in containment; and
2. Reduces the amount of radioactive iodine in the containment atmosphere.

These functions are necessary to:

  • Ensure the pressure boundary integrity of the containment structure; and
  • Umit the release of radioactive iodine to the environment in the event of a failure of the containment structure.

The containment spray actuation signal starts the containment spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is initially drawn from the RWST. When the RWST reaches the Tank Empty setpoint 10%, the (continued)

Vogtle Units 1 and 2 B 3.3.2-14 Rev. 1-9/02

ESFAS Instrumentation B 3.3.2 BASES ACTUATION RELAYS response is affected, then the actuation logic and actuation (continued) relay TS requirements should be applied, in additon to any necessary system TS requirements.

The ESFAS instrumentabon satisfies Criterion 3 of 10 CFR 50.36 (c)(2) (ii).

ACTIONS In the event a channel's Trip Setpoint Is found nonconservative with respect to the Allowable Value, or the transmitter, Instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis),

then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

(continued)

Vogtle Units 1 and 2 B 3.3.2-36 Rev. 1-10/01

PAM Instrumentation B 3.3.3 BASES APPLICABLE

  • Initiate action necessary to protect the public and to estimate the SAFETY ANALYSES magnitude of any impending threat.

(continued)

PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of 10 CFR 50.36 (cX2Xii). Category I, non-Type A, instrumentation must be retained in TS because it is intended to assist operators in minimizing the consequences of accidents. Therefore, Category I, non-Type A, variables are important for reducing public risk.

LCO The PAM instrumentation LCO provides OPERABILITY requirements for Regulatory Guide 1.97 Type A monitors, which provide information required by the control room operators to perform certain manual actions specified in the unit Emergency Operating Procedures. These manual actions ensure that a system can accomplish its safety function, and are credited in the safety analyses. Additionally, this LCO addresses Regulatory Guide 1.97 instruments that have been designated Category I, non-Type A.

The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assess unit status following an accident This capability is consistent with the recommendations of Reference 1.

LCO 3.3.3 requires two OPERABLE channels for most Functions.

Two OPERABLE channels ensure no single failure prevents operators from getting the information necessary for them to determine the safety status of the unit, and to bring the unit to and maintain it in a safe condition following an accident.

Furthermore, OPERABILITY of two channels allows a CHANNEL CHECK during the post accident phase to confirrn the validity of displayed information. More than two channels may be installed if the unit specific Regulatory Guide 1.97 analyses (Ref. 1) determined that failure of one accident monitoring channel results in information ambiguity (that is, the redundant displays disagree) that could lead operators to defeat or fail to accomplish a required safety function.

(continued)

Vogtle Units I and 2 B 3.3.33 Rev. 1-10/01

PAM Instrumentation B 3.3.3 BASES ACTIONS 1.1 (continued)

Condition I applies when two hydrogen monitor channels are inoperable. Required Action 1.1 requires restoring one hydrogen monitor channel to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable because it is unlikely that a LOCA (which would cause core damage) would occur during this time.

J. I If the Required Action and associated Completion Time of Conditions H or I are not met and Table 3.3.3-1 directs entry into Condition J, the unit must be brought to a MODE where the requirements of this LCO do not apply. To achieve this status, the unit must be brought to at least MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderiy manner and without challenging unit systems.

Condition J is modified by a Note that excludes the Containment Radiation and RVLIS Functions. These Functions are addressed by another Condition.

K.1 Altemate means of monitoring Reactor Vessel Water Level (RVLIS) and Containment Area Radiation are available. These altemate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these altemate means are used, the Required Action is not to shut down the unit but rather to follow the directions of Specification 5.6.8, in the Administrative Controls section of the TS. The report provided to the NRC should discuss the alternate means used, describe the degree to which the altemate means are equivalent to the installed PAM channels, justify the areas (continued)

Vogtle Units 1 and 2 B 3.3.3-17 Rev. I1-1 1/01

Remote Shutdown System B 3.3.4 BASES APPLICABLE The Remote Shutdown System is considered an important SAFETY ANALYSES contributor to the reduction of unit risk to accidents and (continued) as such it satisfies Criterion 4 of 10 CFR 50.36 (cX2Xii). I LCO The Remote Shutdown System LCO provides the OPERABILITY requirements of the nstrumentation and controls necessary to place and maintain the unit in MODE 3 from a location other than the control room. The Instrumentation and controls required are listed in Table 3.3.4-1 in the accompanying LCO.

The controls, instrumentation, and transfer switches are required for:

  • Core reactivity control (initial and long term);
  • RCS pressure control;
  • RCS inventory control via charging flow; and
  • Safety support systems for the above Functions.

A Function of a Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the Remote Shutdown System Function are OPERABLE. In some cases, Table 3.3.4-1 may indicate that the required information or control capability is available from several altemate sources. In these cases, the Function is OPERABLE as long as one channel of any of the alternate information or control sources is OPERABLE.

The remote shutdown instrument and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments and control circuits will be OPERABLE if unit conditions require that the Remote Shutdown System be placed in operation.

(continued)

Vogtle Units 1 and 2 B 3.3.4-2 Rev. 1-10/01

LOP DG Start Instrumentation B 3.3.5 BASES APPLICABLE Accident analyses credit the loading of the DG based on the loss of SAFETY ANALYSES offsite power during a loss of coolant accident (LOCA). The actual DG (continued) start has historically been associated with the ESFAS actuation. The DG loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power. The analyses assume a non-mechanistic DG loading, which does not explicitly account for each individual component of loss of power detection and subsequent actions.

The required channels of LOP instrumentation, in conjunction with the ESF systems powered from the DGs, and the turbine-driven Auxiliary Feedwater Pump provide unit protection in the event of any of the analyzed accidents discussed in Reference 2, in which a loss of offsite power is assumed.

The delay times assumed in the safety analysis for the ESF equipment include the DG start delay, and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation," include the appropriate DG loading and sequencing delay.

The LOP instrumentation channels satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii).

LCO The LCO for LOP instrumentation requires that four channels per bus of both the loss of voltage and degraded voltage Functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP instrumentation supports safety systems associated with the ESFAS. In MODES 5 and 6, the four channels must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure that the automatic start of the DG is available when needed. Loss of the LOP instrumentation Function could result in the delay of safety systems initiation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power the DG powers the motor driven auxiliary feedwater pumps. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased potential for a loss of decay heat removal through the secondary system.

(continued)

Vogtle Units 1 and 2 B 3.3.5-3 Rev. 1-10/01

Containment Ventilation Isolation Instrumentation B 3.3.6 BASES (continued)

APPLICABLE The safety analyses assume that the containment remains SAFETY ANALYSES intact with penetrations unnecessary for core cooling isolated early in the event, within approximately 60 seconds. The isolation of the purge supply and exhaust valves has not been analyzed mechanistically In the dose calculations, although its rapid Isolation is assumed. The containment purge supply and exhaust isolation radiation monitors act as backup to the Si signal to ensure closing of the purge supply and exhaust valves for events occurring in MODES I through 4. Manual isolation (using Individual valve handswitches) following a radiation alarm is the assumed means for isolating containment in the event of a fuel handling accident during shutdown. Containment isolation in tum ensures meeting the containment leakage rate assumptions of the safety analyses, and ensures that the calculated accidental offsite radiological doses are below 10 CFR 100 (Ref. 1) limits.

The containment ventilation isolation instrumentation satisfies Criterion 3 of 10 CFR 50.36 (c)(2Xii). I LCO The LCO requirements ensure that the instrumentation necessary to initiate Containment Ventilation Isolation, listed in Table 3.3.6-1, is OPERABLE.

Manual Initiation The LCO requires two channels OPERABLE. The operator can initiate Containment ventilation isolation at any time by using either of two switches in the control room (containment isolation Phase A switches). Either switch actuates both trains. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure the operator has manual initiation capability.

Each channel consists of one CIA handswitch and the interconnecting wiring to the actuation logic cabinet.

(continued)

Vogtle Units I and 2 B 3.3.6-2 Rev. 2-10101

Containment Ventilation Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE SR 3.3.6.4 REQUIREMENTS (continued) A COT is performed every 92 days on each required channel to ensure the entre channel will perform the intended Function. The Frequency is based on the staff recommendation for increasing the availability of radiation monitors according to NUREG-1 366 (Ref. 2). For MODES 1, 2, 3, and 4, this test verifies the capability of the nstrumentation to provide the containment purge and exhaust system isolation. During CORE ALTERATIONS and movement of irradiated fuel in containment, this test verifies the capability of the required channels to generate the signals required for input to the control room alarm. The setpoint shall be left consistent with the current unit specific calibration procedure tolerance.

SR 3.3.6.5 SR 3.3.6.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation mode is either allowed to function or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation mode Is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

I For slave relays and associated auxiliary relays in the CVI actuation system circuit that are Potter and Brumfield (P&B) type Motor Driven Relays (MDR), the SLAVE RELAY TEST is performed on an 18-month frequency. This test frequency is based on relay reliability assessments presented in WCAP-1 3878, Reliability Assessment of Potter and Brumfield MDR Series Relays." The reliability assessments are relay specific and apply only to Potter and Brumfield MDR series relays.

Quarterly testing of the slave relays associated with non-P&B MDR auxiliary relays will be administratively controlled until an altemate method of testing the auxiliary relays Is developed or until they are replaced by P&B MDR series relays.

SR 3.3.6.6 SR 3.3.6.6 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and is performed every 18 months. Each Manual Actuation Function is tested up to, and including, the master relay coils. In some Instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.).

(continued)

Vogtle Units I and 2 B 3.3.6-9 Rev. 2-2/02 l

Containment Ventilation Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE SR 3.3.6.6 (continued)

REQUIREMENTS The test also includes trip devices that provide actuation signals directly to the SSPS, bypassing the analog process control equipment. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them. The Frequency is based on the known reliability of the Function and the redundancy available, and has been shown to be acceptable through operating experience.

SR 3.3.6.7 A CHANNEL CALIBRATION Is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Frequency is based on operating experience and is consistent with the typical industry refueling cycle.

SR 3.3.6.8 This SR ensures the individual channel RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.

Response time testing acceptance criteria are included in the FSAR.

Individual component response times are not modeled in the analyses.

The analyses model the overall or elapsed time, from the point at which the parameter exceeds the Trip Setpoint Valve at the sensor, to the point at which the equipment in both trains reaches the required functional state.

RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel.

The final actuation device in one train is tested with each channel.

Therefore, staggered testing results in response time verification of these devices every 18 months. The 18 month frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

(continued)

Vogtle Units 1 and 2 B 3.3.6-1 0 Rev. 1-2/02 l

Containment Ventilation Isolation Instrumentation B 3.3.6 BASES REFERENCES 1. 10CFR100.11.

2. NUREG-1366.
3. WCAP-13878-P-A, Rev. 2, August 2000.
4. WCAP-13900, Rev. 0, April 1994.
5. WCAP-14129, Rev. 1, January 1999.

Vogtle Units 1 and 2 B 3.3.6-11 Rev. 1-2/02

CREFS Actuation Instrumentation B 3.3.7 BASES (continued)

APPLICABLE The control room must be kept habitable for the operators SAFETY ANALYSES stationed there during accident recovery and post accident operations.

The CREFS acts to terminate the supply of unfiltered outside air to the control room, initiate filtration, and pressurize the control room. These actions are necessary to ensure the control room Is kept habitable for the operators stationed there during accident recovery and post accident operations by minimizing the radiation exposure of control room personnel.

In MODES 1, 2, 3, and 4, the radiation monitor actuation of the CREFS is a backup for the Si signal actuation. This ensures initiation of the CREFS during a loss of coolant accident.

The radiation monitor actuation of the CREFS during movement of irradiated fuel assemblies and CORE ALTERATIONS is the primary means to ensure control room habitability in the event of a fuel handling accident.

The CREFS Actuation Instrumentation satisfies Criterion 3 of 10 CFR 50.36 (c)(2Xii).

LCO The LCO requirements ensure that instrumentation necessary to initiate the CREFS is OPERABLE.

1. Manual Initiation The LCO requires one channel OPERABLE. The operator can initiate the CREFS at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.

Since manual Initiation is not a credited Function, only one manual initiation channel for both units is required OPERABLE.

Each channel consists of one push button and the interconnecting wiring to the actuation logic cabinet.

(continued)

Vogte Units 1 and 2 B 3.3.7-2 Rev. 1-10/01

HFASA Instrumentabon B 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 High Flux at Shutdown Alarm (HFASA)

BASES BACKGROUND The primary purpose of the HFASA is to wam the operator of an unplanned boron dilution event in sufficient time (15 minutes prior to loss of shutdown margin) to allow manual action to terminate the event. The HFASA is used for this purpose in MODES 3 and 4, and MODE 5 with the loops filled.

The HFASA consists of two channels of alarms, with each channel receiving input from one source range channel. An alarm setpoint of 52.3 times background provides at least 15 minutes from the time the HFASA occurs to the total loss of shutdown margin due to an unplanned dilution event. This meets the Standard Review Plan criteria for mitigating the consequences of an unplanned dilution event by relying on operator action.

APPLICABLE The analysis presented in Reference I identifies credible SAFETY ANALYSES boron dilution Initiators. Time intervals from the HFASA until loss of shutdown margin were calculated. The results demonstrate that sufficient time for operator response is available to terminate an inadvertent dilution event taking credit for one HFASA with a setpoint of s2.3 times background.

The HFASA satisfied Criterion 3 of 10 CFR 50.36 (X2)(ii). I LCO The LCO requires two channels of HFASA to be OPERABLE with input from two source range channels to provide protection against single failure.

APPLICABILITY The HFASA must be OPERABLE in MODES 3, 4, and 5.

The Applicability is modified by a Note which allows the HFASA to be blocked in MODE 3 during reactor startup so that spurious alarms are not generated.

(continued)

Vogte Units I and 2 B 3.3.8-1 Rev. 2-10101

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES APPLICABLE transients analyzed include loss of coolant flow events and dropped SAFETY ANALYSES or stuck rod events. A key assumption for the analysis of these (continued) events is that the core power distribution is within the limits of LCO 3.1.6, "Control Bank Insertion Limits"; LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)"; and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."

The pressurizer pressure limit of 2199 psig and the RCS average temperature limit of 592.50F correspond to analytical limits of 2185 psig and 594.40 F used in the safety analyses, with allowance for measurement uncertainty.

The indicated RCS flow value of 384,509 gpm corresponds to an analytical value of 374,400 gpm with allowance for measurement and indicabon uncertainties.

The RCS DNB parameters satisfy Criterion 2 of 10 CFR 50.36 (cX2Xii).

LCO This LCO specifies limits on the monitored process variables -

pressurizer pressure (PI-0455A,B&C, Pl-0456 & PI-0456A, Pl-0457 &

PI-0457A, and Pl-0458 & PI-0458A), RCS average temperature (TI-0412, Tl4422, TI-0432, and TI-0442), and RCS total flow rate (FI-0414, FI-0415, FI-0416, FI-0424, FI-0425, FI-0426, FI-0434, FI-0435, Fl-0436, FI-0444, FI-0445, FI-0446)-to ensure the core operates within the limits assumed in the safety analyses. Operating within these limits will result in meeting the DNB design criterion in the event of a DNB limited transient.

RCS total flow rate contains a measurement error of 2.7% based on performing a precision heat balance above 90% RTP and using the result to calibrate the RCS flow rate indicators. This measurement uncertainty includes a 0.1% penalty to account for potential fouling of the feedwater venturi, which might not be detected and could bias the result from the precision heat balance in a nonconservative manner.

Any fouling that might bias the flow rate measurement greater than 0.1% can be detected by monitoring and trending various plant performance parameters. If detected, either the effect of the fouling shall be quantified and (continued)

Vogte Units 1 and 2 B 3.4.1-3 Rev. 1-10/01

RCS Minimum Temperature for Criticality B 3.4.2 BASES APPLICABLE Accidents (DBAs), the closely aligned temperature for hot zero power SAFETY ANALYSES (HZP) is a process variable that is an initial condition of DBAs, such (continued) as the rod cluster control assembly (RCCA) withdrawal, RCCA ejection, and main steam line break accidents performed at zero power that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

All low power safety analyses assume initial RCS loop temperatures 2 the HZP temperature of 557°F (Ref. 1). The minimum temperature for criticality limitation provides a small band, 6 0F, for critical operation below HZP. This band allows critical operation below HZP during plant startup and does not adversely affect any safety analyses since the MTC is not significantly affected by the small temperature difference between HZP and the minimum temperature for criticality.

The RCS minimum temperature for criticality satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii). I LCO Compliance with the LCO ensures that the reactor will not be made or maintained critical (kff Ž 1.0) at a temperature less than a small band below the HZP temperature, which is assumed In the safety analysis.

Failure to meet the requirements of this LCO may produce initial conditions inconsistent with the initial conditions assumed in the safety analysis.

APPLICABILITY In MODE I and MODE 2, with keff. 1.0, LCO 3.4.2 is applicable since the reactor can only be critical (kef Ž 1.0) in these MODES.

The special test exception of LCO 3.1.8, "MODE 2 PHYSICS TESTS Exceptions," permits PHYSICS TESTS to be performed at

  • 5% RTP with RCS loop average temperatures slightly lower than normally allowed so that fundamental nuclear characteristics of the core can be verified. In order for nuclear characteristics to be accurately measured, it may be necessary to operate outside the normal restrictions of this LCO. For example, to measure the MTC at beginning of cycle, (contnued)

Vogtle Units 1 and 2 B 3.4.2-2 Rev. 1-10101

RCS P/T Limits B 3.4.3 BASES (continued)

APPLICABLE The P/T limits are not derived from Design Basis Accident SAFETY ANALYSES (DBA) analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition.

Reference 7 establishes the methodology for determining the PIT limits. Alfthough the P/T limits are not derived from any DBA, the P/T limits are acceptance limits since they preclude operation in an unanalyzed condition.

RCS PIT limits satisfy Criterion 2 of 10 CFR 50.36 (cX2Xii). I LCO The two elements of this LCO are:

a. The limit curves for heatup, cooldown, and ISLH testing; and
b. Limits on the rate of change of temperature.

The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.

The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and ISLH testing P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the PIT limit curves.

Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follow:

a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature; (continued)

Vogtle Units 1 and 2 B 3.4.3-3 Rev. 1-10101

RCS Loops-MODES 1 and 2 B 3.4.4 BASES APPLICABLE All of the accident/safety analyses performed at full rated thermal SAFETY ANALYSES power assume that all four RCS loops are in operation as an initial (continued) condition. Some accident/safety analyses have been performed at zero power conditions assuming only two RCS loops are in operation to conservatively bound lower modes of operation. The events which assume only two RCPs in operation include the uncontrolled RCCA (Bank) withdrawal from subcritical and the rod ejection events. While all accident/safety analyses performed at full rate thermal power assume that all the RCS loops are in operation, selected events examine the effects resulting from a loss of RCP operation. These include the complete and partial loss of forced RCS flow, reactor coolant pump rotor seizure, and reactor coolant pump shaft break events. For each of these events, it is demonstrated that all the applicable safety criteria are satisfied. For the remaining accident/safety analyses, operation of all four RCS loops during the transient up to the time of reactor trip is assumed thereby ensuring that all the applicable acceptance criteria are satisfied. Those transients analyzed beyond the time of reactor trip were examined assuming that a loss of offsite power occurs which results in the RCPs coasting down.

By ensuring that the plant operates with all RCS loops in operation in MODES 1 and 2, adequate heat transfer is provided between the fuel cladding and the reactor coolant.

RCS Loops - MODES 1 and 2 satisfy Criterion 2 of 10 CFR 50.36 (cX2)(ii). I LCO The purpose of this LCO is to require an adequate forced flow rate for core heat removal. Flow is represented by the number of RCPs in operation for removal of heat by the SGs. To meet safety analysis acceptance criteria for DNB, four pumps are required at rated power.

An OPERABLE RCS loop consists of an OPERABLE RCP in operation providing forced flow for heat transport and an OPERABLE SG in accordance with the Steam Generator Tube Surveillance Program.

(continued)

Vogtle Units 1 and 2 B 3.4.4-2 Rev. 1-10101

RCS Loops-MODE 3 B 3.4.5 BASES APPLICABLE met. For those conditions when the Rod Control System is SAFETY ANALYSES not capable of rod withdrawal, two RCS loops are required to (continued) be OPERABLE, but only one RCS loop is required to be in operation to be consistent with MODE 3 accident analyses.

Failure to provide decay heat removal may result in challenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

RCS Loops-MODE 3 satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The purpose of this LCO is to require that at least two RCS loops be OPERABLE. In MODE 3 with the RTBs in the closed position and Rod Control System capable of rod withdrawal, two RCS loops must be in operation. Two RCS loops are required to be in operation in MODE 3 with RTBs closed and Rod Control System capable of rod withdrawal due to the postulation of a power excursion because of an inadvertent control rod withdrawal. The required number of RCS loops in operation ensures that the Safety Limit criteria will be met for all of the postulated accidents.

With the RTBs in the open position, or the CRDMs de-energized, the Rod Control System is not capable of rod withdrawal; therefore, only one RCS loop in operation is necessary to ensure removal of decay heat from the core and homogenous boron concentration throughout the RCS. An additional RCS loop Is required to be OPERABLE to ensure adequate decay heat removal capability.

The Note permits all RCPs to be de-energized for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period. The purpose of the Note is to perform tests that are designed to validate various accident analyses values. One of these tests is validation of the pump coastdown curve used as input to a number of accident analyses including a loss of flow accident. This test is generally performed in MODE 3 during the initial startup testing program, and as such should only be performed once. If, however, changes are made to the RCS that would cause a (continued)

Vogtle Units I and 2 B 3.4.5-2 Rev. 1-10/01

RCS Loops-MODE 4 B 3.4.6 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.6 RCS Loops - MODE 4 BASES BACKGROUND In MODE 4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam generator (SG) secondary side coolant or the component cooling water via the residual heat removal (RHR) heat exchangers.

The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through four RCS loops connected in parallel to the reactor vessel, each loop containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protection, and indication. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and to prevent boric acid stratification.

In MODE 4, either RCPs or RHR loops can be used to provide forced circulation. The intent of this LCO is to provide forced flow from at least one RCP or one RHR loop for decay heat removal and transport. The flow provided by one RCP loop or RHR loop is adequate for decay heat removal. The other intent of this LCO is to require that two paths be available to provide redundancy for decay heat removal.

APPLICABLE In MODE 4, RCS circulaton is considered in the determination of the SAFETY ANALYSES time available for mitigation of the accidental boron dilution event.

The RCS and RHR loops provide this circulation.

RCS Loops - MODE 4 satisfies Criterion 4 of 10 CFR 50.36 (cX2Xii). I LCO The purpose of this LCO is to require that at least two loops be OPERABLE in MODE 4 and that one of these loops be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS (continued)

Vogtle Units 1 and 2 B 3.4.6-1 Rev. 1-10101

RCS Loops -MODE 5, Loops Filled B 3.4.7 BASES BACKGROUND for the removal of decay heat, the U-tubes must be completely (continued) submerged, which is achieved if the SG level criteria are satisfied.

APPLICABLE In MODE 5, RCS circulation is considered in the determination of the SAFETY ANALYSES time available for mitigation of the accidental boron dilution event.

The RHR loops provide this circulation.

RCS loops - MODE 5 (Loops Filled) satisfies Criterion 4 of 10 CFR 50.36 (c)(2Xii). I LCO The purpose of this LCO is to require that at least one of the RHR loops be OPERABLE and in operation with an additional RHR loop OPERABLE or two SGs with secondary side water level above the highest point of the SG U-tubes. One RHR loop provides sufficient forced circulation to perform the safety functions of the reactor coolant under these conditions. An additional RHR loop is required to be OPERABLE to meet single failure considerations. However, if the standby RHR loop is not OPERABLE, an acceptable altemate method is two SGs with their secondary side water levels above the highest point of the SG U-tubes. Should the operating RHR loop fail, the SGs could be used to remove the decay heat. SG wide (Li 501-504) and SG narrow (LI 517-519, Ll 527-529, Li 537-539, LI 547-549, and LI 551-554) range instrumentation are available for determining SG water level.

Note I permits all RHR pumps to be de-energized 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period. The purpose of the Note Is to permit tests designed to validate various accident analyses values. These tests are initially performed during startup testing. However, if changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values must be revalidated by conducting the test again. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> time period is adequate to perform the necessary testing, and operating experience has shown that boron stratification is not likely during this short period with no forced flow.

(continued)

Vogtle Units I and 2 B 3.4.7-2 Rev. 1-10/01

RCS Loops -MODE 5, Loops Not Filled B 3.4.8 BASES BACKGROUND OPERABLE. Opening the applicable valve(s) is necessary to (continued) facilitate chemistry control of the RCS (Ref. 1).

APPLICABLE In MODE 5, RCS circulation is considered in the determination SAFETY ANALYSES of the time available for mitigation of the accidental boron dilubon event. The RHR loops provide this circulation. The flow provided by one RHR loop is adequate for heat removal and for boron mixing.

The active volume of the RCS is also considered in the analysis of malfunctions of the chemical and volume control system (CVCS) that could result in a decrease in the boron concentration of the RCS.

RCS loops in MODE 5 (loops not filled) satisfies Criterion 4 of 10 CFR 50.36 (c)(2)(ii). I LCO The purpose of this LCO is to require that at least two RHR loops be OPERABLE and one of these loops be in operation. An OPERABLE loop is one that has the capability of transferring heat from the reactor coolant at a controlled rate. Heat cannot be removed via the RHR System unless forced flow is used. A minimum of one running RHR pump meets the LCO requirement for one loop In operation. An additional RHR loop is required to be OPERABLE to meet single failure considerations.

Note 1 permits all RHR pumps to be de-energized for

  • 15 minutes when switching from one loop to another. The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and core outlet temperature is maintained greater than 10°F below saturation temperature. The Note prohibits boron dilution or draining operations when RHR forced flow is stopped.

Note 2 allows one RHR loop to be inoperable for a period of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, provided that the other loop is OPERABLE and in operabon. This permits periodic surveillance tests to be performed on the inoperable loop during the only time when these tests are safe and possible.

(contnued)

Vogtle Units I and 2 B 3.4.8-2 Rev. 1-10101

Pressurizer B 3.4.9 BASES BACKGROUND Two groups of pressurizer heaters can be administratively (continued) loaded onto the non-Class 1E emergency buses. The Class 1E 4160-V breakers supplying the non-Class 1E buses are automatically opened upon a safety injection signal, but they can be closed under administrative procedure.

APPLICABLE In MODES 1, 2, and 3, the LCO requirement for a steam bubble SAFETY ANALYSES is reflected implicitly In the accident analyses. Safety analyses performed for lower MODES are not limiting. All analyses performed from a critical reactor condition assume the existence of a steam bubble and saturated conditions in the pressurizer. In making this assumpbon, the analyses neglect the small fraction of noncondensible gases normally present.

Safety analyses presented in the FSAR (Ref. 1) do not take credit for pressurizer heater operation; however, an implicit initial condition assumption of the safety analyses is that the RCS is operating at normal pressure.

The maximum pressurizer water level limit satisfies Criterion 2 of 10 CFR 50.36 (c)(2Xii). Although the heaters are not specifically used in accident analysis, the need to maintain subcooling in the long term during loss of offsite power, as indicated in NUREG-0737 (Ref. 2), is the reason for providing an LCO.

LCO The LCO requirement for the pressurizer to be OPERABLE with a water volume < 1656 cubic feet, which is equivalent to 92%

(LI-0459A, LI-0460A, LI-0461A), ensures that a steam bubble exists.

Limiting the LCO maximum operating water level preserves the steam space for pressure control. The LCO has been established to ensure the capability to establish and maintain pressure control for steady state operation and to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity 2 150 kW, capable of being powered from an emergency power supply. This means that the two required groups of pressurizer heaters must be capable of being powered from a Class 1E 4160-V power supply. This is accomplished by administratively loading the two required (continued)

Vogtle Units 1 and 2 B 3.4.9-2 Rev. 2-10/01

Pressurizer Safety Valves B 3.4.10 BASES (continued)

LCO Pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I The three pressurizer safety valves are set to open at an RCS pressure of 2460 psig, and within the specified tolerance, to avoid exceeding the maximum design pressure SL, and to maintain accident analyses assumptions. The upper and lower pressure tolerance limits are based on the +/-2% tolerance requirements assumed in the safety analyses.

The limit protected by this Specification is the reactor coolant pressure boundary (RCPB) SL of 110% of design pressure.

APPLICABILITY In MODES 1, 2, and 3, OPERABILITY of three valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents.

MODE 3 is conservatively included, although the listed accidents may not require the safety valves for protection.

The LCO is not applicable in MODE 4, MODE 5, or MODE 6 (with the reactor vessel head on) because the cold overpressure protection system is in service. Overpressure protection is not required in MODE 6 with reactor vessel head removed.

The Note allows entry into MODE 3 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The 54 hour6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> exception is based on 18 hour2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> outage time for each of the three valves. The 18 hour2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> period is derived from operating experience that hot testing can be performed in this timeframe.

(continued)

Vogtle Units 1 and 2 B 3.4.10-3 Rev. 2-1 0/01

Pressurizer PORVs B 3.4.11 BASES BACKGROUND safety valves and also may be used for cold overpressure (continued) protection. See LCO 3.4.12, "Cold Overpressure Protection System (COPS)."

APPLICABLE Plant operators may employ the PORVs to depressurize the RCS SAFETY ANALYSES in response to certain plant transients if normal pressurizer spray is not available. For the Steam Generator Tube Rupture (SGTR) event, the safety analysis assumes that manual operator actions are required to mitigate the event. A loss of offsite power is assumed to accompany the event, and thus, normal pressurizer spray is unavailable to reduce RCS pressure. The PORVs or auxiliary pressurizer spray may be used for RCS depressurization, which is one of the steps performed to equalize the primary and secondary pressures in order to terminate the primary to secondary break flow and the radioactive releases from the affected steam generator.

In addition, in the event of an inadvertent safety injection actuation at power, the potential for pressurizer filling and subsequent water relief via the pressurizer safetes (PSVs) is evaluated (FSAR section 15.5.1).

Operator action to make one PORV available is credited in the analysis to mitigate this event. If the PORV Is available for automatic actuation, the event consequences would be mitigated directly by preventing water relief through the PSVs. However, automatic actuation is not required to mitigate this event. The analysis includes an acceptable delay for the operator to open a block valve and to manually control the PORV if necessary.

The PORVs also provide the safety-related means for reactor coolant system depressurization to achieve safety-grade cold shutdown and to mitigate the effects of a loss of heat sink or an SGTR. They are modeled in safety analyses for events that result in increasing RCS pressure for which departure from nucleate boiling rabo (DNBR) criteria, pressurizer filling, or reactor coolant saturation are critical (Ref. 2). By assuming PORV actuation, the primary pressure remains below the high pressurizer pressure trip setpoint, thus the DNBR calculabon is more conservative. As such, automatic actuation is not required to mitgate these events, and PORV automatic operation is, therefore, not an assumed safety function. Events that assume this condition include a turbine trip, loss of normal feedwater, and feedwater line break (Ref. 2).

Pressurizer PORVs satisfy Criterion 3 of 10 CFR 50.36 (cX2)(ii). I (continued)

Vogtle Units 1 and 2 B 3.4.11-2 Rev. 3-10/01

COPS B 3.4.12 BASES APPLICABLE RHR Suction Relief Valve Performance (continued)

SAFETY ANALYSES As the RCS P/T limits are decreased to reflect the loss of toughness in the reactor vessel materials due to neutron embrittlement, the RHR suction relief valves must be analyzed to still accommodate the design basis transients for COPS.

The RHR suction relief valves are considered active components.

Thus, the failure of one valve is assumed to represent the worst case single active failure.

RCS Vent Performance With the RCS depressurized, analyses show a vent size of 2.14 square inches (based on an equivalent length of 10 feet of pipe, i.e., a vent capable of relieving 670 gpm waterfnow at 470 psig) is capable of mitigating the allowed COPS overpressure transient. The capacity of a vent this size is greater than the flow of the limiting transient for the COPS configuration, with both safety injection pumps incapable of injecting into the RCS, maintaining RCS pressure less than the maximum pressure on the P/T limit curve.

The RCS vent size will be re-evaluated for compliance each time the P/T limit curves are revised based on the results of the vessel material surveillance.

The RCS vent is passive and is not subject to active failure.

The COPS satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO This LCO requires that the COPS Is OPERABLE. The COPS is OPERABLE when the minimum coolant input and pressure relief capabilities are OPERABLE. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the Reference I limits as a result of an operational transient.

To limit the coolant input capability, the LCO requires both safety injection pumps to be incapable of injecting into the RCS and all accumulator discharge isolation valves closed and immobilized when accumulator pressure is greater than or equal to the maximum RCS pressure for the existing RCS cold leg temperature allowed in the PTLR.

(continued)

Vogtle Units I and 2 B 3.4.12-7 Rev. 2-10/01

RCS Operational LEAKAGE B 3.4.13 BASES (continued)

APPLICABLE Except for primary to secondary LEAKAGE, the safety analyses SAFETY ANALYSES do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event. The safety analyses for an event resulting in steam discharge to the atmosphere assumes primary to secondary LEAKAGE at the Technical Specification limit as an initial condition.

The RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36 I (cX2Xii).

LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicatve of an off-normal conditon. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.
b. Unidentified LEAKAGE One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.
c. Identified LEAKAGE Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary (continued)

Vogtle Units 1 and 2 B 3.4.13-2 Rev. 1-10/01

RCS PIV Leakage B 3.4.14 BASES BACKGROUND PIVs are provided to isolate the RCS from the following (continued) typically connected systems:

a. Residual Heat Removal (RHR) System;
b. Safety Injection System; and
c. Chemical and Volume Control System.

The PIVs are listed in the FSAR, Section 16.3 (Ref. 6).

Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurzation of a low pressure system and the loss of the integrity of a fission product barrier.

APPLICABLE Reference 4 identified potential intersystem LOCAs as a SAFETY ANALYSES significant contributor to the risk of core melt. The dominant accident sequence in the intersystem LOCA category is the failure of the low pressure portion of the RHR System outside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the RCPB, and the subsequent pressurization of the RHR System downstream of the PIVs from the RCS. Because the low pressure portion of the RHR System is typically designed for 600 psig, overpressurization failure of the RHR low pressure line would result in a LOCA outside containment and subsequent risk of core melt.

Reference 5 evaluated various PIV configurations, leakage testing of the valves, and operational changes to determine the effect on the probability of intersystem LOCAs. This study concluded that periodic leakage testing of the PIVs can substantially reduce the probability of an intersystem LOCA.

RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36 (cX2Xii). I LCO RCS PIV leakage is identified LEAKAGE into closed systems connected to the RCS. Isolation valve leakage is usually on (continued)

Vogtle Units 1 and 2 B 3.4.14-2 Rev. 1-10101

RCS Leakage Detection Instrumentation B 3.4.15 BASES APPLICABLE The safety significance of RCS LEAKAGE varies widely depending on SAFETY ANALYSES its source, rate, and duration. Therefore, detecting and monitoring (continued) RCS LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative nformation to the operators, allowing them to take corrective action should a leak occur detrimental to the safety of the unit and the public.

RCS leakage detection instrumentation satisfies Criterion 1 of 10 CFR 50.36 (c)(2)(ii). I LCO One method of protecting against large RCS leakage derives from the ability of instruments to rapidly detect extremely small leaks. This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide a high degree of confidence that extremely small leaks are detected in time to allow actions to place the plant in a safe condition, when RCS LEAKAGE indicates possible RCPB degradation.

The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment sump monitors, in combination with a gaseous or particulate radioactivity monitor and/or a containment air cooler condensate flow rate monitor, provides an acceptable minimum.

APPLICABILITY Because of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be OPERABLE.

In MODE 5 or 6, the temperature is to be s 200°F and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1, 2, 3, and 4, the likelihood of leakage and crack propagation are much smaller.

Therefore, the requirements of this LCO are not applicable in MODES 5 and 6.

(continued)

Vogtle Units 1 and 2 B 3.4.15-4 Rev. 1-10101

RCS Specific Activity B 3.4.16 BASES APPLICABLE probability of a SGTR accident occurring during the SAFETY ANALYSES established 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> time limit. The occurrence of an SGTR (continued) accident at these permissible levels could increase the site boundary dose levels, but still be within 10 CFR 100 dose guideline limits.

RCS specific activity satisfies Criterion 2 of 10 CFR 50.36 (cX2Xii). I LCO The specific iodine activity is limited to 1.0 pCi/gm DOSE EQUIVALENT 1-131, and the gross specific activity in the reactor coolant is limited to the number of pCVgm equal to 100 divided by!

(average disintegration energy of the sum of the average beta and gamma energies of the coolant nuclides). The limit on DOSE EQUIVALENT 1-131 ensures the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> thyroid dose to an Individual at the exclusion area boundary during the Design Basis Accident (DBA) will be a small fraction of the allowed thyroid dose. The limit on gross specific activity ensures the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> whole body dose to an Individual at the exclusion area boundary during the DBA will be a small fraction of the allowed whole body dose.

The SGTR accident analysis (Ref. 2) shows that the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> site boundary dose levels are within acceptable limits. Violaton of the LCO may result in reactor coolant radioactvity levels that could, in the event of an SGTR, lead to exclusion area boundary doses that exceed the 10 CFR 100 dose guideline limits.

APPLICABILITY In MODES 1 and 2, and in MODE 3 with RCS average temperature 2 500 0F, operation within the LCO limits for DOSE EQUIVALENT 1-131 and gross specific acUvity are necessary to contain the potential consequences of an SGTR to within the acceptable site boundary dose values.

For operation in MODE 3 with RCS average temperature < 500 0F, and in MODES 4 and 5, the release of radioactivity in the event of a SGTR is unlikely since the saturation pressure of the reactor coolant is below the lift pressure seffings of the main steam safety valves.

(continued)

Vogtle Units 1 and 2 B 3.4.16-3 Rev. 1-10/01

Accumulators B 3.5.1 BASES APPLICABLE For both the large and small break LOCA analyses, a nominal SAFETY ANALYSES contained accumulator water volume is used. The contained (continued) water volume is the same as the deliverable volume for the accumulators, since the accumulators are emptied, once discharged.

For small breaks, an increase in water volume Is a peak clad temperature penalty. For large breaks, an increase in water volume can be either a peak clad temperature penalty or benefit, depending on downcomer filling and subsequent spill through the break during the core reflooding portion of the transient. The analysis makes a conservative assumption with respect to ignoring or taking credit for line water volume from the accumulator to the check valve. The safety analysis assumes values of 6433 gallons and 7031 gallons. To allow for instrument inaccuracy, values of 6555 gallons (29.2% of instrument span) and 6909 gallons (70.7% of instrument span) are specified.

The minimum boron concentration setpoint is used in the post LOCA boron concentration calculation. The calculation is performed to assure reactor subcriticality in a post LOCA environment. Of particular interest is the large break LOCA, since no credit is taken for control rod assembly insertion. A reduction in the accumulator minimum boron concentration would produce a subsequent reduction in the available containment sump concentration for post LOCA shutdown and an increase in the maximum sump-pH. The maximum boron concentration is used in determining the cold leg to hot leg recirculation injection switchover time and minimum sump pH.

The large and small break LOCA analyses are performed at the minimum nitrogen cover pressure, since sensitivity analyses have demonstrated that higher nitrogen cover pressure results in a computed peak clad temperature benefit. The maximum nitrogen cover pressure limit prevents accumulator relief valve actuation, and ultimately preserves accumulator integrity.

The effects on containment mass and energy releases from the accumulators are accounted for in the appropriate analyses (Refs. 2 and 4).

The accumulators satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I (continued)

Vogtle Units I and 2 B 3.5.1-4 Rev. 1-10/01

ECCS - Operating B 3.5.2 B 3.5 EMERGENCY CORE COOUNG SYSTEMS (ECCS)

B 3.5.2 ECCS-Operating BASES BACKGROUND The function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:

a. Loss of coolant accident (LOCA), coolant leakage greater than the capability of the normal charging system;
b. Rod ejection accident;
c. Loss of secondary coolant accident, including uncontrolled steam release or loss of feedwater; and
d. Steam generator tube rupture (SGTR).

The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where primary cooldown could add enough positive reactivity to achieve criticality and return to significant power.

There are three phases of ECCS operation: injection, cold leg recirculation, and hot leg recirculation. In the injection phase, water is taken from the refueling water storage tank (RWST) and injected into the Reactor Coolant System (RCS) through the cold legs. When sufficient water is removed from the RWST to ensure that enough boron has been added to maintain the reactor subcritical and the containment sumps have enough water to supply the required net positive suction head to the ECCS pumps, suction is switched to the containment sump for cold leg recirculation. After approximately 7.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />, the ECCS flow is shifted to the hot leg recirculation phase to provide a backflush, which would reduce the potential for boiling in the top of the core and ensure boron precipitation never occurs.

The ECCS consists of three separate subsystems:

centrifugal charging (high head), safety injection (SI) (intermediate head), and residual heat removal (RHR) (low head). Each subsystem consists of two redundant, 100% capacity trains. The ECCS accumulators and the RWST are also part of the (continued)

Vogtle Units I and 2 8 3.5.2-1 Rev. 103/02

ECCS-Operating B 3.5.2 BASES APPLICABLE The effects on containment mass and energy releases are SAFETY ANALYSES accounted for in appropriate analyses (Refs. 3 and 4). The (continued) LCO ensures that an ECCS train will deliver sufficient water to match boiloff rates soon enough to minimize the consequences of the core being uncovered following a large LOCA. It-also ensures that the centrifugal charging and SI pumps will deliver sufficient water and boron during a small LOCA to maintain core subcriticality. For smaller LOCAs, the centrifugal charging pump delivers sufficient fluid to maintain RCS Inventory. For a small break LOCA, the steam generators continue to serve as the heat sink, providing part of the required core cooling.

The ECCS trains satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I LCO In MODES 1, 2, and 3, two Independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is available, assuming a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.

In MODES 1, 2, and 3, an ECCS train consists of a centrifugal charging subsystem, an SI subsystem, and an RHR subsystem. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon an SI signal and automatcally transferring suction to the containment sump.

During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the four cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to supply its flow to the RCS hot and cold legs.

The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.

(continued)

Vogtle Units 1 and 2 B 3.5.2-5 Rev. 1-10/01

ECCS-Shutdown B 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.3 ECCS-Shutdown BASES BACKGROUND The Background section for Bases 3.5.2, "ECCS-Operating," is applicable to these Bases, with the following modifications.

In MODE 4, the required ECCS train consists of two separate subsystems: centrifugal charging (high head) and residual heat removal (RHR) (low head).

The ECCS flow paths consist of piping, valves, heat exchangers, and pumps such that water from the refueling water storage tank (RWST) or containment emergency sump can be injected into the Reactor Coolant System (RCS) following the accidents described in Bases 3.5.2.

APPLICABLE The Applicable Safety Analyses section of Bases 3.5.2 also SAFETY ANALYSES applies to this Bases section.

Due to the stable conditions associated with operation in MODE 4 and the reduced probability of occurrence of a Design Basis Accident (DBA), the ECCS operational requirements are reduced. It is understood in these reducUons that certain automatic safety injection (SI) actuation is not available. In this MODE, sufficient time exists for manual actuation of the required ECCS to mitigate the consequences of a DBA.

Only one train of ECCS Is required for MODE 4. This requirement dictates that single failures are not considered during this MODE of operation. The ECCS trains satisfy Criterion 3 of 10 CFR 50.36 (c)(2Xii). I LCO In MODE 4, one of the two Independent (and redundant) ECCS trains is required to be OPERABLE to ensure that sufficient ECCS flow is available to the core following a DBA.

(continued)

Vogtle Units 1 and 2 B 3.5.3-1 Rev. 1-10/01

RWST B 3.5.4 BASES APPLICABLE results show that the departure from nucleate boiling design SAFETY ANALYSES basis is met. The delay has been established as 27 seconds, (continued) with offsite power available, or 39 seconds without offsite power (includes 12 seconds for the Emergency Diesel Generator). This response me includes an electronics delay, a stroke time for the RWST valves, and a stroke time for the VCT valves.

For a large break LOCA analysis, the minimum water volume limit of 499,091 gallons and the lower boron concentration limit of 2400 ppm are used to compute the post LOCA sump boron concentration necessary to assure subcriticality. The large break LOCA is the limiting case since the safety analysis assumes that all control rods are out of the core.

The upper limit on boron concentration of 2600 ppm is used to determine the maximum allowable time to switch to hot leg recirculation following a LOCA. The purpose of switching from cold leg to hot leg injection is to avoid boron precipitation in the core following the accident In the ECCS analysis, the containment spray temperature is assumed to be equal to the RWST lower temperature limit of 440 F. If the lower temperature limit is violated, the containment spray further reduces containment pressure, which decreases the rate at which steam can be vented out the break and increases peak clad temperature. (The reduction in containment pressure correspondingly reduces the density of the vented steam. This reduces the flow of steam out of the core, which translates into a decrease in the ECCS flooding rate. This decrease in the flooding rate causes the increase in peak clad temperature.) The upper temperature limit of 116°F is used in the small break LOCA analysis and containment OPERABILITY analysis.

Exceeding this temperature will result in a higher peak clad temperature, because there is less heat transfer from the core to the Injected water for the small break LOCA and higher containment pressures due to reduced containment spray cooling capacity. For the containment response following an MSLB, the lower limit on boron concentration and the upper limit on RWST water temperature are used to maximize the total energy release to containment.

The RWST satisfies Criterion 3 of 10 CFR 50.36 (cX2Xii).

(continued)

Vogtle Units 1 and 2 B 3.5.4-4 Rev. 1-10/01

Seal Injection Flow B 3.5.5 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.5 Seal Injection Flow BASES BACKGROUND This LCO is applicable only to those units that utilize the centrifugal charging pumps for safety injection (SI). The function of the seal injection throttle valves during an accident is similar to the function of the ECCS throttle valves in that each restricts flow from the centrifugal charging pump header to the Reactor Coolant System (RCS).

The restriction on reactor coolant pump (RCP) seal Injection flow limits the amount of ECCS flow that would be diverted from the injection path following an accident. This limit is based on safety analysis assumptions that are required because RCP seal injection flow is not isolated during SI.

APPLICABLE All ECCS subsystems are taken credit for in the large break loss SAFETY ANALYSES of coolant accident (LOCA) at full power (Ref. 1). The LOCA analysis establishes the minimum flow for the ECCS pumps. The centrifugal charging pumps are also credited in the small break LOCA analysis.

This analysis establishes the flow and discharge head at the design point for the centrifugal charging pumps. The steam generator tube rupture and main steam line break event analyses also credit the centrifugal charging pumps, but are not limiting in their design.

Reference to these analyses is made in assessing changes to the Seal Injection System for evaluation of their effects in relation to the acceptance limits in these analyses.

This LCO ensures that seal injection flow will be sufficient for RCP seal integrity but limited so that the ECCS trains will be capable of delivering sufficient water to match boiloff rates soon enough to minimize uncovering of the core following a large LOCA. It also ensures that the centrifugal charging pumps will deliver sufficient water for a small LOCA and sufficient boron to maintain the core subcritical. For smaller LOCAs, the charging pumps alone deliver sufficient fluid to overcome the loss and maintain RCS inventory.

Seal injection flow satisfies Criterion 2 of 10 CFR 50.36 (cX2Xii). I (continued)

VogUe Units 1 and 2 B 3.5.5-1 Rev. 1-10101

Recirculation Fluid pH Control System B 3.5.6 BASES APPLICABLE 10 CFR 50, Appendix A, General Design Criterion 19, SAFETY ANALYSES respectively.

(continued)

The Recirculation Fluid pH Control System satisfies Criterion 3 of 10 CFR 50.36 (cX2)(ii). I LCO The OPERABILITY of the Recirculation Fluid pH Control System ensures sufficient TSP is maintained in the three TSP storage baskets to increase the long term recirculaton fluid pH to between 7.5 and 10.5 following a LOCA. A pH range of 7.5 to 10.5 is sufficient to prevent significant amounts of iodine released from fuel failure and dissolved in the recirculation fluid, from converting to a volatile form and evolving from solution into the containment atmosphere during the ECCS recirculation phase. In addition, an alkaline pH in this range will minimize chloride induced stress corrosion cracking of austenitic stainless steel components, and minimize the hydrogen produced by the corrosion of galvanized surfaces and zinc-based paints.

In order to achieve the desired pH range of 7.5 to 10.5 in the post-LOCA recirculation solution, a total of between 11,484 pounds (220 f 3) and 14,612 pounds (260 ft3) of TSP is required. The required amount of TSP is determined considering the volume of water involved, the target pH range, and the density of different vendor types of TSP that are available. Although the amount of TSP required is based on mass, a required volume is verified since it is not feasible to weigh the entire amount of TSP in containment.

APPLICABILITY In MODES 1, 2, 3, and 4 a DBA could cause the release of radioactive material in containment requiring the operation of the ECCS Recirculation Fluid pH Control System. The ECCS Recirculation Fluid pH Control System assists In reducing the amount of radioactive material available for release to the outside atmosphere after a DBA.

In MODES 5 and 6, the probability and consequences of an event requiring the ECCS Recirculation Fluid pH control system are reduced due to the pressure and temperature (continued)

Vogtle Units 1 and 2 B 3.5.6-3 Rev. 1-10/01

Containment B 3.6.1 BASES APPLICABLE La is assumed to be 0.2% of containment air weight per day SAFETY ANALYSES (380,455 sccm) in the safety analysis at Pa = 37 psig (continued) (Ref. 3).

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of 10 CFR 50.36 (cX2Xii). I LCO Containment OPERABILITY is maintained by limiting leakage to s 1.01-a, except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, applicable leakage limits must be met.

Compliance with this LCO will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

FSAR table 6.2.4-1 lists all penetrations and the applicable Appendix J test requirements (Type A, B, or C).

The containment air lock (LCO 3.6.2) leakage rate acceptance criteria are specified in the Containment Leakage Rate Testing Program and the leakage testing requirement for purge valves with resilient seals are specified in LCO 3.6.3. However, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the overall containment leakage rate acceptance criteria specified in the Containment Leakage Rate Testing Program.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, containment is not required to be OPERABLE In MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.4, "Containment Penetrations."

(continued)

Vogtle Units 1 and 2 B 3.6.1-3 Rev. 1-10/01

Containment Air Locks 3.6.2 BASES APPLICABLE containment was designed with an allowable leakage rate of SAFETY ANALYSES 0.2% of containment air weight per day for the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (continued) and 0.1% per day thereafter (Ref. 2). This leakage rate is defined as La = 0.2% of containment air weight per day, the maximum allowable containment leakage rate at the calculated peak containment intemal pressure Pa = 37 psig following a DBA. This allowable leakage rate (0.2%) forms the basis for the acceptance criteria imposed on the SRs associated with the air locks.

The containment air lcks satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii). I LCO Each containment air lock forms part of the containment pressure boundary. As part of containment, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE.

Closure of a single door in each air lock is sufficient to provide a leaktight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into and exit from containment.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. The pressure and temperature limitations of MODES 5 and 6 reduce the probability and consequences of the events events considered for MODES 1, 2, 3, and 4. Therefore, the containment air locks are not required in MODE 5 to prevent leakage of radioactive material from containment. In MODE 6, the requirements for (continued)

VogUe Units I and 2 B 3.6.2-2 Rev. 1-10/01

Containment Isolation Valves B 3.6.3 BASES APPLICABLE compromising the containment boundary as long as the system SAFETY ANALYSES is operated in accordance with the subject LCO.

(continued)

The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36 I (c)(2Xii).

LCO Containment isolation valves form a part of the containment boundary.

The containment isolation valves' safety function is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during a DBA.

The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The 24 inch purge valves must be maintained sealed closed.

The valves covered by this LCO are listed along with their associated stroke times in the FSAR (Ref. 2).

The normally closed containment isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in their closed position, blind flanges are in place, and closed systems are intact.

Purge valves with resilient seals must meet additional leakage rate requirements. The other containment isolation valve leakage rates are addressed by LCO 3.6.1, "Containment," as Type C testing.

This LCO provides assurance that the containment isolation valves and purge valves will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents. This LCO is applicable to those containment isolation valves listed in FSAR table 16.3-4 unless otherwise noted.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

(continued)

Vogtle Units 1 and 2 B 3.6.3-4 Rev. 1-10/01

Containment Pressure B 3.6.4 BASES APPLICABLE The containment was also designed for an extemal pressure SAFETY ANALYSES load equivalent to -3 psig. The inadvertent actuation of (continued) the Containment Spray System was analyzed to determine the resulting reduction in containment pressure. The initial pressure condition used in this analysis was 14.093 psia. This resulted in a minimum pressure inside containment of 11.77 psia, which is less than the design load.

For certain aspects of transient accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure. Therefore, for the reflood phase, the containment backpressure Is calculated In a manner designed to conservatively minimize, rather than maximize, the containment pressure response In accordance with 10 CFR 50, Appendix K (Ref. 2).

Containment pressure satisfies Criterion 2 of 10 CFR 50.36 (cX2Xii). I LCO Maintaining containment pressure at less than or equal to the LCO upper pressure limit ensures that, in the event of a DBA, the resultant peak containment accident pressure will remain below the containment design pressure. Maintaining containment pressure at greater than or equal to the LCO lower pressure limit ensures that the containment will not exceed the design negative differential pressure following the inadvertent actuation of the Containment Spray System.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. Since maintaining containment pressure within limits is essential to ensure initial conditions assumed in the accident analyses are maintained, the LCO is applicable in MODES 1, 2, 3 and 4.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature (continued)

Vogtle Units 1 and 2 B 3.6.4-2 Rev. 1-10/01

Containment Air Temperature B 3.6.5 BASES APPLICABLE assumed to occur simultaneously or consecutively. The SAFETY ANALYSES postulated DBAs are analyzed with regard to Engineered (continued) Safety Feature (ESF) systems, assuming the loss of one ESF bus, which is the worst case single active failure, resulting in one train each of the Containment Spray System, Residual Heat Removal System, and Containment Cooling System being rendered inoperable.

The limiting DBA for the maximum peak containment air temperature is an SLB. The initial containment average air temperature assumed in the design basis analyses (Ref. 1) is 120 0F. This resulted in a maximum containment air temperature of 303.10F. The design temperature is 381°F. The design temperature was used in calculating the thermal gradients across the containment wall.

The temperature limit is used to establish the environmental qualification operating envelope for containment. The maximum peak containment air temperature (following an MSLB) was calculated to be less than the containment design temperature. Equipment qualification (Ref. 2) takes into account the most severe environmental conditions including the calculated peak transient temperature following an MSLB (303.1°F).

The temperature limit is also used in the depressurization analyses to ensure that the minimum pressure limit is maintained following an inadvertent actuation of the Containment Spray System (Ref. 1).

The containment pressure transient is sensitive to the initial air mass in containment and, therefore, to the initial containment air temperature. The limiting DBA for establishing the maximum peak containment ntemal pressure Is a LOCA. The temperature limit is used in this analysis to ensure that in the event of an accident, the maximum containment intemal pressure will not be exceeded.

Containment average air temperature satisfies Criterion 2 of 10 CFR 50.36 (c)(2)ii).

(continued)

Vogtle Units I and 2 B 3.6.5-2 Rev. 1-10/01

Containment Spray and Cooling Systems B 3.6.6 BASES BACKGROUND Containment Sprav System (continued)

The Containment Spray System provides a spray of cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce fission products from the containment atmosphere during a DBA. The RWST solution temperature is an important factor in determining the heat removal capability of the Containment Spray System during the injection phase. In the recirculation mode of operation, heat is removed from the containment sump water by the residual heat removal coolers.

Each train of the Containment Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.

The Containment Spray System is actuated either automatically by a containment High-3 pressure signal or manually. An automatic actuation opens the containment spray pump discharge valves, starts the two containment spray pumps, and begins the injection phase. A manual actuation of the Containment Spray System requires the operator to actuate two separate switches on the main control board to begin the same sequence. The injection phase continues until an RWST empty tank level alarm is received (10% level). When the RWST level reaches the empty tank level, the operator manually aligns the system to the recirculation mode. The Containment Spray System in the recirculation mode maintains an equilibrium temperature between the containment atmosphere and the recirculated sump water. Operation of the Containment Spray System in the recirculation mode is controlled by the operator In accordance with the emergency operating procedures.

Containment Cooling Svstem Two trains of containment cooling, each of sufficient capacity to supply 100% of the design cooling requirement, are provided. Each train of four fan units is supplied with cooling water from a separate train of nuclear service cooling water (NSCW). Air is drawn into the coolers through the fan and discharged to the steam generator compartments, pressurizer compartment, and instrument tunnel, and outside the secondary shield in the lower areas of containment.

(continued)

Vogtle Units 1 and 2 B 3.6.6-2 Rev. 1-9/02

Containment Spray and Cooling Systems B 3.6.6 BASES APPLICABLE LCO 3.6.5A for a detailed discussion.) The analyses and SAFETY ANALYSES evaluations assume a unit specific power level of 100%, one (continued) containment spray train and one containment cooling train operating, and inital (pre-accident) containment conditions of 120°F and 3 psig.

The analyses also assume a response time delayed initiation to provide conservative peak calculated containment pressure and temperature responses.

For certain aspects of transient accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure. For these calculations, the containment backpressure is calculated In a manner designed to conservatively minimize, rather than maximize, the calculated transient containment pressures in accordance with 10 CFR 50, Appendix K (Ref. 2).

The effect of an inadvertent containment spray actuation has been analyzed. An inadvertent spray actuation results in an 11.77 psia containment pressure and is associated with the sudden cooling effect in the interior of the leak tight containment. Additional discussion is provided in the Bases for LCO 3.6.4.

The modeled Containment Spray System actuation from the containment analysis is based on a response time associated with exceeding the containment High-3 pressure setpoint to achieving full flow through the containment spray nozzles.

The Containment Spray System total response time of 94 seconds includes diesel generator (DG) startup (for loss of offsite power), block loading of equipment, containment spray pump startup, and spray line filling. Because the total response time required to develop spray flow cannot be measured in practice, the total response time includes an allotment of 55 seconds for spray line filling (Ref. 3).

Containment cooling train performance for post accident conditions is given in Reference 4. The result of the analysis is that each train can provide 100% of the required peak cooling capacity during the post accident condifon. The train post accident cooling capacity under varying containment ambient conditions, required to perform the accident analyses, is also shown in Reference 4.

(continued)

VogUe Units 1 and 2 B 3.6.6-4 Rev. 1-6/02

Containment Spray and Cooling Systems B 3.6.6 BASES APPLICABLE The modeled Containment Cooling System actuation from the SAFETY ANALYSES containment analysis is based upon a response time associated (continued) with exceeding the containment High-1 pressure setpoint to achieving I full Containment Cooling System air and safety grade cooling water flow. The Containment Cooling System fan response time of I 48 seconds includes signal delay and DG startup (for loss of offsite power) (Ref. 3).

The Containment Spray System and the Containment Cooling System satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii).

LCO During a DBA, a minimum of one containment cooling train and one containment spray train are required to maintain the containment peak pressure and temperature below the design limits (Ref. 4).

Additionally, one containment spray train is also required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two containment spray trains and two containment cooling trains must be OPERABLE. Therefore, in the event of an accident, at least one train in each system operates, assuming the worst case single active failure occurs.

Each Containment Spray System typically includes a spray pump, spray headers, nozzles, valves, piping, Instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon an ESF actuation signal and manually transferring suction to the containment sump.

Each Containment Cooling System typically includes demisters, cooling coils, dampers, fans, instruments, and controls to ensure an OPERABLE flow path.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment and an increase in containment pressure and temperature requiring the operation of the containment spray trains and containment cooling trains.

(continued)

Vogtle Units 1 and 2 B 3.6.6-5 Rev. 2-6/02

Hydrogen Recombiners B 3.6.7 BASES APPLICABLE Hydrogen may accumulate in containment following a LOCA as a SAFETY ANALYSES result of:

(continued)

a. A metal steam reaction between the zirconium fuel rod cladding and the reactor coolant;
b. Radiolytic decomposition of water in the Reactor Coolant System (RCS) and the containment sump;
c. Hydrogen in the RCS at the time of the LOCA (i.e., hydrogen dissolved in the reactor coolant and hydrogen gas in the pressurizer vapor space); or
d. Corrosion of metals exposed to containment spray and Emergency Core Cooling System solutions.

To evaluate the potental for hydrogen accumulation in containment following a LOCA, the hydrogen generabon as a function of time following the initiabon of the accident is calculated. Conservative assumptons recommended by Reference 3 are used to maximize the amount of hydrogen calculated.

Based on the conservatve assumptions used to calculate the hydrogen concentraton versus time after a LOCA, the hydrogen concentration in the primary containment would reach 3.5 v/o about 6 days after the LOCA and 4.0 v/o about 2 days later f no recombiner was functioning (Ref. 3). Initating the hydrogen recombiners when the primary containment hydrogen concentration reaches 3.5 v/o will maintain the hydrogen concentraton in the primary containment below flammability limits.

The hydrogen recombiners are designed such that, with the conservatively calculated hydrogen generation rates discussed above, a single recombiner is capable of limiting the peak hydrogen concentration in containment to less than 4.0 v/o (Ref. 3). The Hydrogen Purge System is similarly designed such that one of two redundant trains is an adequate backup to the redundant hydrogen recombiners.

The hydrogen recombiners satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii).

(continued)

Vogtle Units I and 2 B 3.6.7-2 Rev. 1-10/01

MSSVs B 3.7.1 BASES APPLICABLE The transient response for turbine trip without a direct reactor trip from SAFETY ANALYSES full power with all MSSVs OPERABLE presents no hazard to the (continued) integrity of the RCS or the Main Steam System. If a minimum reactivity feedback is assumed, the reactor is tripped on high pressurizer pressure. In this case, the pressurizer safety valves open, and RCS pressure remains below 110% of the design value. The MSSVs also open to limit the secondary steam pressure.

If maximum reactivity feedback is assumed, the reactor is tripped on overtemperature AT. The departure from nucleate boiling ratio increases throughout the transient, and never drops below its initial value. Pressurizer relief valves and MSSVs are activated and prevent overpressurization in the primary and secondary systems. The MSSVs are assumed to have two active and one passive failure modes. The active failure modes are spurious opening, and failure to reclose once opened. The passive failure mode is failure to open upon demand.

Operation with one or more MSSVs inoperable is permitted at the reduced power levels specified in Table 3.7.1-1. If the power levels specified in Table 3.7.1-1 are exceeded, the OPERABLE MSSVs may not have sufficient capacity to preclude primary and/or secondary overpressurization. The reduced power levels specified in Table 3.7.1-1 may be exceeded during a turbine trip/loss of load transient due to the effect of a positive Moderator Temperature Coefficient. With a positive Moderator Temperature Coefficient, the applicable safety analysis for the turbine trip/loss of load event takes implicit credit for the reduced Neutron Flux High Trip Setpoint to terminate the event and prevent primary and secondary overpressurization.

The MSSVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The accident analysis requires five MSSVs per steam generator to provide overpressure protection for design basis transients occurring at 102% RTP. An MSSV will be considered inoperable if it fails to open on demand. The LCO requires that five MSSVs be OPERABLE in compliance with Reference 2 and the DBA analysis. This is because operation with less than the full number of MSSVs requires limitations (continued)

Vogtle Units I and 2 B 3.7.1-2 Rev. 1-10/01

MSIVs B 3.7.2 BASES APPLICABLE limiting with respect to the steam releases used in meeting SAFETY ANALYSES equipment qualification criteria. The failure of an MSIV has no (continued) effect on the results of these events.

c. A break downstream of the MSIVs will be isolated by the closure of the MSIVs. This is not a limiting scenario with respect to doses or with respect to the core response analyses.
d. For a steam generator tube rupture, dosure of the MSIVs in the faulted loop isolates the ruptured steam generator from the intact steam generators to minimize radiological releases.

The MSIVs satisfy Criterion 3 of 10 CFR 50.36 (cX2)(ii). I LCO This LCO requires that two MSIV systems in each steam line be OPERABLE. The MSIV systems are considered OPERABLE when the isolation times are within limits, and they close on an isolation actuation signal. An OPERABLE MSIV system may consist of an OPERABLE MSIV and inoperable associated bypass valve provided the inoperable bypass valve is maintained closed.

This LCO provides assurance that the MSIV systems will perform their design safety function to mitigate the consequences of accidents that could result in offsite exposures comparable to the 10 CFR 100 (Ref. 6) limits or the NRC staff approved licensing basis.

APPLICABILITY The MSIV systems must be OPERABLE In MODE 1, and in MODES 2 and 3 except when one MSIV system in each steam line is closed, when there is significant mass and energy in the RCS and steam generators. When the MSIV systems are closed, they are already performing the safety function.

In MODE 4, normally most of the MSIV systems are closed, and the steam generator energy is low.

(continued)

Vogtle Units 1 and 2 B 3.7.2-3 Rev. 1-10/01

MFIVs and MFRVs and Associated Bypass Valves B 3.7.3 BASES BACKGROUND The MFIVs and associated bypass valves, and MFRVs and (continued) associated bypass valves, close on receipt of a Tavg - Low coincident with reactor trip (P-4), steam generator water level -

high high, or Si signal. They may also be actuated manually. In addition to the MFIVs and associated bypass valves, and the MFRVs and associated bypass valves, a check valve is available.

The check valve Isolates the feedwater line, penetrating containment, and ensures that the consequences of events do not exceed the capacity of the containment heat removal systems.

A description of the MFIVs and MFRVs is found in the FSAR, Subsection 10.4.7 (Ref. 1).

APPLICABLE The design basis of the MFIVs and MFRVs is established by SAFETY ANALYSES the analyses for the large SLB. It is also influenced by the accident analysis for the large FWLB. Closure of the MFIVs and associated bypass valves, or MFRVs and associated bypass valves, may also be relied on to terminate an SLB for core response analysis and excess feedwater event upon the receipt of a steam generator water level - high high signal or a feedwater isolation signal on high steam generator level.

Failure of an MFIV, MFRV, or the associated bypass valves to close following an SLB or FWLB can result in additional mass and energy being delivered to the steam generators, contributing to cooldown. This failure also results in additional mass and energy releases following an SLB or FWLB event.

The MFIVs and MFRVs satisfy Criterion 3 of 10 CFR 50.36 I (cX2)(ii).

LCO This LCO ensures that the MFIVs, MFRVs, and their associated bypass valves will isolate MFW flow to the steam generators, following an FWLB or main steam line break. These valves will also isolate the nonsafety related portions from the safety related portions of the system.

(continued)

Vogtle Units 1 and 2 B 3.7.3-2 Rev. 1-10/01

ARVs B 3.7.4 BASES APPLICABLE event and other accident analyses. After primary to SAFETY ANALYSES secondary break flow termination, it Is assumed that one ARV (continued) on an intact SG is used to cool the RCS down to 350 0F, at the maximum allowable cooldown rate of 100OF/hour.

The offsite radiological dose analyses show that the failure open of the ARV on the ruptured SG represents the limiting single failure. The resulting offsite radiological doses at the exclusion area boundary, low population zone, and control room are well within the allowable guidelines as specified by Standard Review Plan 15.6.3 and 10 CFR 100. A detailed description of the SGTR analyses can be found in WCAP-1 1731 and associated supplements (Ref. 3).

The ARVs are equipped with manual block valves in the event an ARV spuriously fails open or fails to close during use.

The ARVs satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii).

LCO Three ARV lines are required to be OPERABLE. One ARV line is required from each of three steam generators to ensure that at least one ARV line is available to conduct a unit cooldown following an SGTR, in which one steam generator becomes unavailable, accompanied by a single, active failure of a second ARV line on an unaffected steam generator. A block valve for each required ARV must be OPERABLE to isolate a failed open ARV line.

Failure to meet the LCO can result in the inability to cool the unit to RHR entry conditions following an SGTR event in which the condenser is unavailable for use with the Steam Dump System.

An ARV is considered OPERABLE when it is capable of providing controlled relief of the main steam flow and capable of fully opening and closing on demand. Additionally, it is required that at least two of the three OPERABLE ARVs maintain the capability for local manual actuation via their associated handpumps.

APPLICABILITY In MODES 1, 2, and 3, the ARVs are required to be OPERABLE.

In MODE 4, the pressure and temperature limitations are such that the probability of an SGTR event requiring ARV operation is low. In addition, the RHR system Is available (continued)

Vogtle Units 1 and 2 B 3.7.4-3 Rev. 2-1 0/01

AFW System B 3.7.5 BASES APPLICABLE In addition, the minimum available AFW flow and system SAFETY ANALYSES characteristics are serious considerations in the analysis (continued) of a small break loss of coolant accident (LOCA).

The AFW System design is such that it can perform its function following an FWLB between the MFW isolation valves and containment, combined with a loss of offsite power following turbine trip, and a single active failure of the steam turbine driven AFW pump. In such a case, the ESFAS logic may not detect the affected steam generator if the backflow check valve to the affected MFW header worked properly. One motor driven AFW pump would deliver to the broken MFW header (limited by flow restrictor installed in the AFW line) until the problem was detected, and flow terminated by the operator. Sufficient flow would be delivered to the intact steam generators by the other AFW line and the redundant AFW pump.

The ESFAS automatically actuates the AFW turbine driven pump and associated power operated valves and controls when required to ensure an adequate feedwater supply to the steam generators during loss of power. DC power operated valves are provided for each AFW line to control the AFW flow to each steam generator.

The AFW System satisfies the requirements of Criterion 3 of.

10 CFR 50.36 (c)(2)(ii).

LCO This LCO provides assurance that the AFW System will perform its design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three independent AFW pumps in three diverse trains are required to be OPERABLE to ensure the availability of RHR capability for all events accompanied by a loss of offsite power and a single failure. This is accomplished by powering two of the pumps from independent emergency buses.

The third AFW pump is powered by a different means, a steam driven turbine supplied with steam from a source that is not isolated by closure of the MSIVs. The steam supply valves (1/2HV-3019 and 12HV-3009) for the turbine driven AFW pump are powered from 125 V MCCs 1/2AD1M and 1/2BDIM, respectively. Suction header valve 1/2HV-5113, pump block valve 1/2HV-5106, and discharge header valves 12HV-5120, 5122, 5125, and 5127 are powered from 125 V MCC 1/2CD1M. If 125 V MCC 1/2AD1M or 1/2BD1 M becomes inoperable, the affected steam supply valve Is to be considered inoperable. If both 1/2AD1 M and 1/2BD1 M become (continued)

Vogtle Units I and 2 B 3.7.5-3 Rev. 2-1 0/01

CST B 3.7.6 BASES APPLICABLE power. Single failures that also affect this event include SAFETY ANALYSES the following:

(continued)

a. Failure of the diesel generator powering the motor driven AFW pump to the unaffected steam generator (requiring additional steam to drive the remaining AFW pump turbine);

and

b. Failure of the steam driven AFW pump (requiring a longer time for cooldown using only one motor driven AFW pump).

These are not usually the limiting failures in terms of consequences for these events.

A nonlimiting event considered in CST inventory determinations is a break in either the main feedwater or AFW line near where the two join. This break has the potential for dumping condensate until terminated by operator action, since the Auxiliary Feedwater Actuation System would not detect a difference in pressure between the steam generators for this break location. This loss of condensate inventory is partially compensated for by the retention of steam generator Inventory.

The CST satisfies Criterion 3 of 10 CFR 50.36 (cX2)(ii).

LCO To satisfy accident analysis assumptions, the CST must contain sufficient cooling water to remove decay heat for 60 minutes following a reactor trip from 102% RTP, and then to cool down the RCS to RHR entry conditions, assuming a coincident loss of offsite power and the most adverse single failure. In doing this, it must retain sufficient water to ensure adequate net positive suction head for the AFW pumps during cooldown, as well as account for any losses from the steam driven AFW pump turbine, or before isolating AFW to a broken line.

The CST level required is equivalent to a usable volume of k 340,000 gallons (66% instrument span) which is based on holding the unit in MODE 3 for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, followed by a 5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> cooldown to RHR entry conditions at 50°F/hour with one Reactor Coolant Pump in operation. This basis is (continued)

Vogtle Units 1 and 2 B 3.7.6-2 Rev. 1-10/01

CCW System B 3.7.7 BASES APPLICABLE Therefore, the CCW system has the heat removal capacity to SAFETY ANALYSES perform its design function under normal as well as accident (continued) conditions. The maximum CCW heat exchanger outlet temperature is designed to be less than 120OF during normal cooldown and accident conditions, based upon a Nuclear Service Cooling Water temperature of 100°F (Ref. 4). Normal CCW operating temperature is 100°F at the outlet of the heat exchanger with 105OF at the inlet (Ref. 1). The Emergency Core Cooling System (ECCS) loss of coolant accident (LOCA) analysis and containment OPERABILITY LOCA analysis each model the maximum and minimum performance of the CCW System, respectively. The operation of the CCW System prevents the containment sump fluid from increasing in temperature during the recirculation phase following a LOCA, and provides a gradual reduction in the temperature of this fluid as it is supplied to the Reactor Coolant System (RCS) by the ECCS pumps.

The CCW System is designed to perform its function with a single failure of any active component, assuming a loss of offsite power.

The CCW System also functions to cool the unit from RHR entry conditions (Told < 3500F), to MODE 5 (Told < 200 0F), during normal and post accident operations. The time required to cool from 350°F to 200OF is a function of the number of CCW and RHR trains operating. One CCW train is sufficient to remove decay heat during subsequent operations with Tc,ld < 200 0F.

The CCW System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii). I LCO The CCW trains are independent of each other to the degree that each has separate controls and power supplies and the operation of one does not depend on the other. In the event of a DBA, one CCW train Is required to provide the minimum heat removal capability assumed in the safety analysis for the systems to which it supplies cooling water. To ensure this requirement is met, two trains of CCW must be OPERABLE. At least one CCW train will operate assuming the worst case single active failure occurs coincident with a loss of offsite power.

(continued)

Vogtle Units 1 and 2 B 3.7.7-2 Rev. 1-10/01

NSCW B 3.7.8 BASES APPLICABLE The NSCW System, in conjunction with the CCW System, also SAFETY ANALYSES cools the unit.from residual heat removal (RHR), as (continued) discussed in the FSAR, Subsection 5.4.7, (Ref. 3) entry conditions to MODE 5 during normal and post accident operations. The time required for this evolution is a function of the number of CCW and RHR System trains that are operating.

One NSCW System train is sufficient to remove decay heat during subsequent operations in MODES 5 and 6. This assumes a maximum NSCW System temperature of 95°F occurring simultaneously with maximum heat loads on the system.

The NSCW System satisfies Criterion 3 of 10 CFR 50.36 (c)(2Xii). I LCO Two NSCW System trains are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming that the worst case single active failure occurs coincident with the loss of offsite power.

An NSCW System train is considered OPERABLE during MODES 1, 2, 3, and 4 when:

a. Two pumps are OPERABLE; and
b. The associated piping, valves, and instrumentation and controls required to perform the safety related function are OPERABLE.

APPLICABILITY In MODES 1, 2, 3, and 4, the NSCW System is a normally operating system that is required to support the OPERABILITY of the equipment serviced by the NSCW System and required to be OPERABLE in these MODES.

In MODES 5 and 6, the OPERABILITY requirements of the NSCW System are determined by the systems it supports.

(continued)

VogUe Units I and 2 B 3.7.8-2 Rev. 1-10/01

UHS B 3.7.9 BASES APPLICABLE The operating limits are based on conservative heat transfer SAFETY ANALYSES analyses for the worst case LOCA. Reference 1 provides the (continued) details of the assumptions used in the analysis, which include worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and worst case single active failure (e.g., single failure of a manmade structure). The UHS is designed in accordance with Regulatory Guide 1.27 (Ref. 2), which requires a 30 day supply of cooling water in the UHS.

The UHS satisfies Criterion 3 of 10 CFR 50.36 (cX2Xii). I LCO The UHS is required to be OPERABLE and is considered OPERABLE if it contains a sufficient volume of water at or below the maximum temperature that would allow the NSCW to operate for at least 30 days following the design basis LOCA without the loss of net positive suction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the NSCW.

In order to meet these requirements, two NSCW tower basins are required OPERABLE with the following:

1. Basin water level must be > 80.25 feet as measured from the bottom of the basin (73% of instrument span),
2. Basin water temperature must be s 900F,
3. Two OPERABLE trains of NSCW tower fans, each train consisting of four fans and associated spray cells, and
4. Two OPERABLE NSCW basin transfer pumps.

APPLICABILITY In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES.

In MODE 5 or 6, the OPERABILITY requirements of the UHS are determined by the systems it supports.

(continued)

Vogtle Units I and 2 B 3.7.9-2 Rev. 1-10/01

CREFS - Both Units Operating B 3.7.10 BASES (continued)

APPLICABLE The CREFS components are arranged in redundant, safety SAFETY ANALYSES related ventilation trains. The location of components and ducting within the control room envelope ensures an adequate supply of filtered air to all areas requiring access. The CREFS provides airborne radiological protection for the control room operators, as demonstrated by the control room accident dose analyses for the most limiting design basis loss of coolant accident, fission product release presented in the FSAR, Chapter 15 (Ref. 2).

The analysis of toxic gas releases demonstrates that the 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> toxicity limit is not exceeded in the control room and there is sufficient time between detection and reaching the short term toxicity limit, such that the operators have time to put on breathing apparatus following a toxic chemical release, as presented in Reference 1. CREFS is not required for toxic gas.

The worst case single active failure of a component of the CREFS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The CREFS satisfies Criterion 3 of 10 CFR 50.36 (cX2)(ii).

LCO Two independent and redundant CREFS trains per unit are required to be OPERABLE to ensure that at least one is available assuming a single failure disables the other train. Total system failure could result in exceeding a dose of 5 rem to the control room operator in the event of a large radioactive release.

The CREFS is considered OPERABLE when the individual components necessary to limit operator exposure and ensure a control room temperature of s 86°F are OPERABLE in both trains.

A CREFS train is OPERABLE when the associated:

a. Fan is OPERABLE;
b. HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions;
c. Heater, demister, ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained; and (continued)

Vogtle Units. I and 2 B 3.7.10-3 Rev. 1-10J01

PPAFES B 3.7.13 BASES BACKGROUND moisture removal. The primary purpose of the heaters is to (continued) maintain the relative humidity at an acceptable level; however, the VEGP dose analysis assumes no heater operation and an iodine removal efficiency consistent with the iodine removal efficiency in Regulatory Guide 1.52 (Ref. 4) for systems designed to operate inside primary containment (i.e., no humidity control). Therefore, the heaters are not required for PPAFES OPERABILITY.

APPLICABLE The PPAFES design basis is established by the large break SAFETY ANALYSES loss of coolant accident (LOCA). The system evaluation assumes 2 gpm continuous leakage and a 50 gpm leak for 30 minutes due to a passive failure during a Design Basis Accident (DBA). The system restricts the radioactive release to within the 10 CFR 100 (Ref. 4) limits, or the NRC staff approved licensing basis (e.g., a specified fraction of 10 CFR 100 limits). The analysis of the effects and consequences of a large break LOCA are presented in Reference 3.

The PPAFES satisfies Criterion 3 of 10 CFR 50.36 (cX2)(ii). I LCO Two independent and redundant trains of the PPAFES are required to be OPERABLE to ensure that at least one train is available, assuming there is a single failure disabling the other train coincident with a loss of offsite power.

The PPAFES is considered OPERABLE when the individual components necessary to control radioactive releases are OPERABLE in both trains. A PPAFES train is considered OPERABLE when its associated:

a. Fan is OPERABLE;
b. HEPA filter and charcoal adsorber are not excessively restricting flow, and are capable of performing their filtration functions; and
c. Demister, ductwork, valves, and dampers are OPERABLE and air circulation can be maintained.

The LCO is modified by a Note allowing the PPAFES boundary to be opened intermittently under administrative controls without requiring entry into the Condition for an inoperable pressure boundary. For (continued)

Vogtle Units 1 and 2 B 3.7.13-2 Rev. 2-1 0101

ESF Room Cooler and Safety-Related Chiller System B 3.7.14 B 3.7 PLANT SYSTEMS B 3.7.14 Engineered Safety Feature (ESF) Room Cooler and Safety-Related Chiller System BASES BACKGROUND The ESF room cooler and safety-related chiller system provides cooling to ESF equipment rooms during abnormal, accident, and post accident conditions. The ESF room coolers supplement the normal HVAC system in cooling certain rooms during normal operations. The essential chilled water system supplies chilled water to the cooling coils for all ESF room coolers and the Control Room Emergency Filtration System (CREFS).

The ESF room coolers are designed to maintain the ambient air temperature within the continuous duty rating of the ESF equipment served by the system. Each equipment room is cooled by a fan cooler and associated chiller that are powered from the same ESF train as that associated with the equipment in the room. Thus, a power failure or other single failure to one cooling system train will not prevent the cooling of redundant ESF equipment in the other train.

In addition to a manual start capability, automatic cooling of each ESF equipment room is initiated by three possible signals. All room coolers start upon receipt of a high temperature signal from the associated room. Certain room coolers will start upon receipt of an equipment running signal or a safety injection (SI) signal.

The equipment running signal is used to provide supplemental cooling for the normal ventilation system in some ESF equipment rooms. The high room temperature signal supplements the normal cooling system function and does not constitute a credited safety function. The SI signal or the equipment running signal is the credited safety function automatic start and will start only those ESF room coolers which are required to operate during an SI. In addition the safety-related chillers receive an automatic start from the Control Room Isolation (CRI) signal to provide chilled water to the CREFS. In addition, the containment spray pump room coolers start when the containment spray pumps start.

Containment spray is actuated when containment pressure reaches the Hi-3 setpoint, which may occur following a loss of coolant accident or a steam line break.

The ESF room cooler and safety-related chiller system is seismic category 1 and remains operational during and after a safe shutdown earthquake. This system and associated (continued)

Vogtle Units 1 and 2 B 3.7.14-1 Rev. 1-3/02

ESF Room Cooler and Safety-Related Chiller System B 3.7.14 BASES BACKGROUND instrumentation is described in greater detail in FSAR (continued) Sections 7.3 and 9.4, References 1 and 2, respectively.

APPLICABLE The design basis of the ESF room cooler and safety-related SAFETY ANALYSES chiller system is to maintain air temperatures as required in rooms containing safety-related equipment during and after a design basis loss of coolant accident (LOCA), loss of offsite power, and other postulated accidents including a line rupture with a radioactive release inside the auxiliary building.

The ESF room cooler and safety-related chiller system is required to automatically start when the systems or components It supports are, or may be, required to operate following an SI or CRI signal.

The system is designed to perform its function with a single failure of any active component, assuming the loss of offsite power. One train of the ESF room cooler and safety-related chiller system provides 100% of the required cooling for the associated train of ESF equipment.

The ESF room cooler and safety-related chiller system satisfies Criterion 4 of 10 CFR 50.36 (c)(2Xii).

LCO Two ESF room cooler and safety-related chiller system trains are required OPERABLE to provide the required redundancy to ensure that the system functions to remove heat from the ESF equipment rooms during and after an accident assuming the worst case single failure occurs coincident with the loss of offsite power.

The recirculating fan coolers that service the spent fuel heat exchanger and pump rooms are not within the scope of this LCO.

The spent fuel pool cooling and purification system (SFPCPS) is highly desirable but not required to maintain the integrity of the spent fuel stored in the pool. In the unlikely event that both trains of the SFPCPS were to fail, the result would be an increase in the temperature of the water in the pool, and pool water inventory can be made up indefinitely. Therefore, the coolers serving the SFPCPS equipment rooms are highly desirable but not required.

An ESF room cooler and safety-related chiller system train is considered OPERABLE when:

a. Each required fan cooler unit including fan, cooling coils, and instrumentation required to perform the safety-related function is OPERABLE; and (continued)

Vogtle Units 1 and 2 B 3.7.14-2 Rev. 2-3/02

ESF Room Cooler and Safety-Related Chiller System B 3.7.14 BASES LCO b. The associated chilled water system, including the chiller, (continued) water pump, piping, valves, and instrumentation required to perform the safety-related function is OPERABLE.

The LCO is modified by a Note that allows one safety-related chiller train to be removed from service for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> under administrative controls for surveillance testing of the other chiller train. This note is required to allow surveillance testing to be performed separately on each safety-related chiller train. Such testing may include individual automatic starts of each chiller train. Administrative controls must be in place to ensure the train removed from service can be rapidly returned to service if the need arises. When this note is utilized, the train removed from service is not required OPERABLE during the testing of the other train.

APPLICABILITY In MODES 1, 2, 3, and 4, the ESF room cooler and safety-related chiller system must be OPERABLE to provide a safety-related cooling function consistent with the OPERABILITY requirements of the ESF equipment it supports. In MODES 5 and 6, the OPERABILITY requirements of the ESF room cooler and safety-related chiller system to provide supplemental cooling for normal HVAC are determined by the systems it supports. In these MODES, any supplemental cooling provided by the ESF room I

cooler and safety-related chiller system is not a required safety function of the system.

ACTIONS A.1 If one ESF room cooler and safety-related chiller system train is inoperable, action must be taken to restore the train to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In this Condition, the remaining OPERABLE ESF room cooler and safety-related chiller system train is adequate to perform the heat removal function for its associated ESF equipment.

However, the overall reliability is reduced because a single failure in the OPERABLE ESF room cooler and safety-related chiller system train could result in loss of the ESF room cooler and safety-related chiller system function. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a DBA occurring during this time.

(continued)

Vogtle Units I and 2 B 3.7.14-3 Rev. 1-3/02

ESF Room Cooler and Safety-Related Chiller System B 3.7.14 BASES ACTIONS B.1 and B.2 (continued)

If the ESF room cooler and safety-related chiller system train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.14.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves servicing safety-related equipment provides assurance that the proper flow paths exist for ESF room cooler and safety-related chiller system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to being locked, sealed, or secured. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency Is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.14.2 This SR verifies proper automatic operation of the ESF room cooler and safety-related chiller system valves servicing safety-related equipment on an actual or simulated actuation signal. The safety-related chiller trains are also required to operate on a CRI signal.

This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative (continued)

VogUe Units 1 and 2 B 3.7.14-4 Rev. 1-3/02

ESF Room Cooler and Safety-Related Chiller System B 3.7.14 BASES SURVEILLANCE SR 3.7.14.2 (continued)

REQUIREMENTS controls. Operating experience has shown that these components usually pass the surveillance when performed at the 18 month frequency. Therefore, the 18 month frequency is acceptable from a reliability standpoint.

SR 3.7.14.3 This SR verifies proper operation of the ESF room cooler and safety-related chiller system fans and pumps on an actual or simulated actuation signal. The safety-related chiller system is I also required to automatically start on a CRI signal. Operating experience has shown that these components usually pass the surveillance when performed at the 18 month Frequency.

Therefore, the 18 month frequency is acceptable from a reliability standpoint.

REFERENCES 1. FSAR, Section 7.3.

2. FSAR, Section 9.4.

Vogtle Units I and 2 B 3.7.14-5 Rev. 1-3102

Fuel Storage Pool Water Level B 3.7.15 B 3.7 PLANT SYSTEMS B 3.7.15 Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel.

A general description of the fuel storage pool design is given in the FSAR, Subsection 9.1.2 (Ref. 1). A description of the Spent Fuel Pool Cooling and Cleanup System Is given in the FSAR, Subsection 9.1.3 (Ref. 2). The assumptions of the fuel handling accident are given In the FSAR, Subsection 15.7.4 (Ref. 3).

APPLICABLE The minimum water level in the fuel storage pool meets SAFETY ANALYSES the assumptions of the fuel handling accident described in Regulatory Guide 1.25 (Ref. 4). The resultant 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> thyroid dose per person at the exclusion area boundary is a small fraction of the 10 CFR 100 (Ref. 5) limits.

According to Reference 4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface during a fuel handling accident. With 23 ft of water, the assumptions of Reference 4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle dropped and lying horizontally on top of the spent fuel racks, however, there may be c 23 ft of water above the top of the fuel bundle and the surface, indicated by the width of the bundle. To offset this small nonconservatism, the analysis assumes that all fuel rods fail, although analysis shows that only the first few rows fall from a hypothetical maximum drop.

The fuel storage pool water level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii). I (continued)

Vogtle Units I and 2 B 3.7.15-1 Rev. 1-10J01

Secondary Specific Activity r

B 3.7.16 BASES (continued)

APPLICABLE The accident analysis of the main steam line break (MSLB),

SAFETY ANALYSES as discussed in the FSAR, Chapter 15 (Ref. 2) assumes the initial secondary coolant specific activity to have a radioactive isotope concentration of 0.10 pCi/gm DOSE EQUIVALENT 1-131. This assumption is used in the analysis for determining the radiological consequences of the postulated accident. The accident analysis, based on this and other assumptions, shows that the radiological consequences of an MSLB do not exceed a small fraction of the unit EAB limits (Ref. 1) for whole body and thyroid dose rates.

With the loss of offsite power, the remaining steam generators are available for core decay heat dissipation by venting steam to the atmosphere through the MSSVs and steam generator atmospheric dump valves (ARVs). The Auxiliary Feedwater System supplies the necessary makeup to the steam generators.

Venting continues until the reactor coolant temperature and pressure have decreased sufficiently for the Residual Heat Removal System to complete the cooldown.

In the evaluation of the radiological consequences of this accident, the activity released from the steam generator connected to the failed steam line is assumed to be released directly to the environment. The unaffected steam generator is assumed to discharge steam and any entrained activity through the MSSVs and ARVs during the event. Since no credit is taken in the analysis for activity plateout or retention, the resultant radiological consequences represent a conservative estimate of the potential integrated dose due to the postulated steam line failure.

Secondary specific activity limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2Xii). I LCO As indicated In the Applicable Safety Analyses, the specific activity of the secondary coolant is required to be

  • 0.10 PCi/gm DOSE EQUIVALENT 1-131 to limit the radiological consequences of a Design Basis Accident (DBA) to a small fraction of the required limit (Ref. 1).

Monitoring the specific activity of the secondary coolant ensures that when secondary specific activity limits are exceeded, appropriate actions are taken in a timely manner (continued)

Vogtle Units 1 and 2 B 3.7.16-2 Rev. 1-10/01

Fuel Storage Pool Boron Concentration B 3.7.17 BASES (continued)

APPLICABLE maximum required additional boron to compensate for this SAFETY ANALYSES event is 1250 ppm for Unit 2, and 800 ppm for Unit I which (continued) is well below the limit of 2000 ppm.

The concentration of dissolved boron in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36 (cX2Xii). I LCO The fuel storage pool boron concentration Is required to be

> 2000 ppm. The specified concentration of dissolved boron in the fuel storage pool preserves the assumptions used in the analyses of the potential criticality accident scenarios as described In reference 5. The amount of soluble boron required to offset each of the above postulated accidents was evaluated for all of the proposed storage configurations. That evaluation established the amount of soluble boron necessary to ensure that K,ff will be maintained less than or equal to 0.95 should pool temperature exceed the assumed range or a fuel assembly misload occur. The amount of soluble boron necessary to mitigate these events was determined to be 1250 ppm for Unit 2 and 800 ppm for Unit 1. The specified minimum boron concentration of 2000 ppm assures that the concentration will remain above these values. In addition, the boron concentration is consistent with the boron dilution evaluation that demonstrated that any credible dilution event could be terminated prior to reaching the boron concentration for a Kff of

> 0.95. These values are 600 ppm for Unit I and 500 ppm for Unit 2.

APPLICABILITY This LCO applies whenever fuel assemblies are stored in the spent fuel storage pool.

ACTIONS A.1. A.2.1. and A.2.2 The Required Actions are modified by a Note Indicating that LCO 3.0.3 does not apply.

When the concentration of boron in the fuel storage pool is less than required, Immediate action must be taken to preclude the occurrence of an accident or to mitigate the consequences of an accident in progress. This is most (continued)

Vogtle Units and 2 B 3.7.17-5 Rev. 3-1 0/01

Fuel Assembly Storage in the Fuel Storage Pool B 3.7.18 BASES BACKGROUND Westinghouse 17x17 fuel assemblies with nominal enrichments (continued) no greater than 2.40 w/o 235U may be stored in a 3-out-of-4 checkerboard arrangement with empty cells in the Unit 2 pool.

Fuel assemblies with initial nominal enrichment greater than 2.40 w/o 235U must satisfy a minimum bumup requirement as shown in Figure 4.3.1-2.

Westinghouse 17x1 7 fuel assemblies may be stored in the Unit 2 pool in a 3x3 array. The center assembly must have an initial enrichment no greater than 3.20 w/o235U. Altematively, the center of the 3x3 array may be loaded with any assembly which meets a maximum infinite multiplication factor (Km,) value of 1.410 at 680F. One method of achieving this value of K. is by the use of IFBAs. The surrounding fuel assemblies must have an initial nominal enrichment no greater than 1.48 w/o2 35U or satisfy a minimum bumup requirement for higher initial enrichments as shown in Figure 4.3.1-3.

APPLICABLE Most fuel storage pool accident conditions will not result SAFETY ANALYSIS in an increase in Kff. Examples of such accidents are the drop of a fuel assembly on top of a rack and the drop of a fuel assembly between rack modules or between rack modules and the pool wall. However, accidents can be postulated for each storage configuration which could increase reactivity beyond the analyzed condition. A discussion of these accidents is contained in B 3.7.17.

The configuration of fuel assemblies in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36 (cX2Xii). I LCO The restrictions on the placement of fuel assemblies within the fuel storage pool ensure the Kff of the fuel storage pool will always remain < 0.95, assuming the pool to be flooded with borated water.

The combination of initial enrichment and burnup are specified in Figures 3.7.18-1 and 3.7.18-2 for all cell storage in the Unit I and Unit 2 pools, respectively. Other acceptable enrichment burnup and checkerboard combinations are described in Figures 4.3.1-1 through 4.3.1-9.

(continued)

Vogtle Units 1 and 2 B 3.7.18-3 Rev. 3-1 0/01

AC Sources - Operating B 3.8.1 BASES BACKGROUND signal is received, all loads needed to recover the unit or maintain it (continued) in a safe condition are retumed to service.

Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each DG is 7000 kW with 10% overload permissible for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.

APPLICABLE The initial conditions of DBA and transient analyses in the FSAR, SAFETY ANALYSES Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed In more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the Accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during Accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and
b. A worst case single failure.

The AC sources satisfy Criterion 3 of 10 CFR 50.36 (X2Xii). I LCO Two qualified circuits between the 230 kV grid system and the onsite Class 1E Electrical Power System and separate and independent DGs for each train ensure availability of the required power to shut down the reactor and maintain it in a (con_inued)

Vogtle Units I and 2 B 3.8.1-3 Rev. 1-10101

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.12 (continued)

REQUIREMENTS

2. Post Corrective maintenance testing that requires performance of this Surveillance in order to restore the component to OPERABLE, provided the maintenance was required, or performed in conjuncfion with maintenance required to maintain OPERABILITY or reliability.

SR 3.8.1.13 This Surveillance Requirement demonstrates that the DGs can start and run continuously at loads in excess of the maximum expected loading for an interval of not less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, > 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of which is at a load equivalent to Ž 105% of the maximum expected loading and the remainder of the time at a load equivalent to the maximum expected loading of the DG. The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing must be performed using a kVAR load as close as practicable to 3390 kVAR while loaded 2 6500 kW and maintaining voltage s 4330 V. This kVAR load is chosen to be representative of the actual design basis inductive loading that the DG would experience. The voltage limit of 4330 V is required to prevent operation of any loads at or above the maximum design voltage. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The 24 month Frequency allows SR 3.8.1.13 to be scheduled following a teardown inspection. The teardown inspections are performed at 24 month intervals in accordance with manufacturer recommendations. The 24 month Frequency is consistent with the regulatory guidance of Generic Leter 91-04 (Ref. 12).

(continued)

Vogte Units I and 2 8 3.8.1-31 Rev. 24/02

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.13 (continued)

REQUIREMENTS This Surveillance is modified by two Notes. Note I states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary kVAR load transients above the limit will not invalidate the test. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR. Examples of unplanned events may include unexpected operational events which cause the equipment to perform the function specified by this Surveillance, for which adequate documentation of the required performance is available.

SR 3.8.1.14 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 11.4 seconds. The 11.4 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9),

paragraph 2.a.(5).

This SR is modified by two Notes. Note 1 ensures that the test Is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> at full load conditions prior to performance of this Surveillance Is based on manufacturer recommendations for achieving hot (continued)

Vogtle Units 1 and 2 B 3.8.1-32 Rev. 14/02

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.20 (continued)

REQUIREMENTS This SR is modified by a Note. The reason for the Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. FSAR, Chapter 8.
3. Regulatory Guide 1.9, Rev. 3, July 1993.
4. FSAR, Chapter 6.
5. FSAR, Chapter 15.
6. Regulatory Guide 1.93, Rev. 0, December 1974.
7. Generic Letter 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July 2,1984.
8. 10 CFR 50, Appendix A, GDC 18.
9. Regulatory Guide 1.108, Rev. 1, August 1977.
10. Regulatory Guide 1.137, Rev. 1, October 1979.
11. IEEE Standard 308-1978.
12. Generic Letter 91-04, "Changes in Technical Specification Intervals to Accommodate a 24-Month Fuel Cycle," April 2, 1991.

Vogtle Units I and 2 B 3.8.1-38 Rev. 14/02

AC Sources - Shutdown B 3.8.2 BASES APPLICABLE recognition that certain testing and maintenance activities must be SAFETY ANALYSES conducted provided an acceptable level of risk is not exceeded.

(continued) During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is also required. In MODES 5 and 6, the activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite diesel generator (DG) power.

The AC sources satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO One offsite circuit capable of supplying the onsite Class I E power distribution subsystem(s) of LCO 3.8.10, Distribution Systems - Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with a distribution system train required to be OPERABLE by LCO 3.8.10, ensures a diverse power source is available to provide electrical power support, assuming a loss of the (continued)

Vogtle Units 1 and 2 B 3.8.2-2 Rev. 1-10101

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES BACKGROUND Each DG building contains two ventilation supply fans and associated (continued) dampers. The ventilation supply fans are required to limit the DG building air temperature to s 1200 F to support the operation of the associated DG. The fans in each DG building and associated dampers start and actuate on different signals. Fans 1/2-1566-B7-001 (train A) and 1/2-1566-B7-002 (train B) start automatically and the necessary intake and discharge dampers actuate to the correct position on a train associated DG running signal and fans 1/2-1566-B7-003 and 1/2-1566-B7-004 start automatically and the necessary intake and discharge dampers actuate to the correct position on high DG building temperature signal coincident with a DG running signal.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the FSAR, Chapter 6 (Ref. 4), and in the FSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

Since diesel fuel oil, lube oil, air start, and ventilation subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. In MODES 1, 2, 3, and 4, a capacity equivalent to 85,362 gallons (Ref. 8) is required to provide for 2 7 days of operation supplying the maximum post loss of coolant accident load demand.

However, in MODES 5 and 6, the highest DG loading identified for either train is significantly less than the maximum post loss of coolant accident loading for MODES 1 through 4, and the capacity of one storage tank Is sufficient to provide for 7 days of DG operation. It is also required to meet specific standards for quality. Additionally, sufficient lubricating (continued)

Vogtle Units 1 and 2 B 3.8.3-2 Rev. 3-10/01

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS F.1 (continued)

With one DG ventilation supply fan inoperable, the capability to maintain the DG building air temperature below the required limit is degraded. In most cases, except for extreme ambient temperatures, one DG ventilation supply fan is sufficient to maintain the DG building temperature below the limit. However, the remaining system capacity is degraded and action must be taken to restore the inoperable fan to operable status within 14 days. The Completion Time allowed is reasonable considering the redundant DG, the remaining fan capacity available for the affected DG, and the fact that an event requiring the DG to operate would have to occur combined with ambient temperatures in excess of 930 F that would require both fans to operate in the affected DG building. Furthermore, DG operation with a single ventilation supply fan combined with ambient temperatures in excess of 93°F would result in temperatures in excess of the limit by a few degrees only (commensurate with the extent to which the ambient temperature exceeds 93 0F).

G.1 With a Required Action and associated Completion Time not met, or one or more DG's fuel oil, lube oil, or starting air subsystem not within limits for reasons other than addressed by Conditions A through E, or one or more DGs with both required ventilation fans inoperable, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.

SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support one DG's operation for at least 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

(continued)

Vogtle Units I and 2 B 3.8.3-8 Rev. 1-10/01

DC Sources -Operating B 3.8.4 BASES APPLICABLE a. An assumed loss of all offsite AC power or all onsite SAFETY ANALYSES AC power; and (continued)

b. A worst case single failure.

The DC sources satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). 1-LCO The DC electrical power sources, each source consisting of one battery, battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the train are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Loss of any train DC electrical power source does not prevent the minimum safety function from being performed (Ref. 4).

An OPERABLE DC electrical power source requires the battery and one charger per battery to be operating and connected to the associated DC bus.

APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment Integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources- Shutdown."

(continued)

Vogtle Units I and 2 B 3.8.4-3 Rev. 2-10/01

DC Sources-Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources -Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, DC Sources-Operating."

APPLICABLE The initial conditions of Design Basis Accident and transient analyses SAFETY ANALYSES in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems Is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 5 and 6 and during movement of irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

The DC sources satisfy Criterion 3 of 10 CFR 50.36 (cX2)(ii). I LCO The DC electrical power sources required to support the necessary portions of AC, DC, and AC vital bus electrical (continued)

VogUe Units I and 2 B 3.8.5-1 Rev. 2-10J01

Battery Cell Parameters B 3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Cell Parameters BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC power source batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, "DC Sources-Shutdown."

APPLICABLE The Initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and Is based upon meeting the design basis of the unit. This includes maintaining at least one train of DC sources OPERABLE during accident conditions, in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power, and
b. A worst case single failure.

Battery cell parameters satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it In a safe condition after an anticipated operational occurrence or a postulated DBA. Electrolyte limits are conservatively established, allowing continued DC electrical system function even with Category A and B limits not met.

(continued)

Vogtle Units 1 and 2 B 3.8.6-1 Rev. 1-10101

Inverters-Operating B 3.8.7 BASES APPLICABLE a. An assumed loss of all offsite AC electrical power or all onsite SAFETY ANALYSES AC electrical power, and (continued)

b. A worst case single failure.

Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36 (X2)(ii). I LCO The inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The six inverters ensure an uninterruptible supply of AC electrical power to the AC vital buses, as specified in Table B 3.8.9-1, even if the 4.16 kV safety buses are de-energized.

OPERABLE inverters require the associated vital bus to be powered by the inverter with output voltage and frequency within tolerances and power input to the inverter from a 125 VDC station battery.

This LCO is modified by a Note that allows two inverters to be disconnected from a common battery for s 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, if the vital bus is powered from a Class 1E regulating transformer during the period and all other inverters are operable. This allows an equalizing charge to be placed on one battery. These provisions minimize the loss of equipment that would occur in the event of a loss of offsite power.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> time period for the allowance minimizes the ime during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital bus while taking into consideration the time required to perform an equalizing charge on the battery bank.

The intent of this Note is to limit the number of inverters that may be disconnected. Only those Inverters associated with the single battery undergoing an equalizing charge may (continued)

Vogtle Units I and 2 B 3.8.7-3 Rev. 1-10/01

Inverters-Shutdown B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Inverters -Shutdown BASES BACKGROUND A description of the inverters is provided in the Bases for LCO 3.8.7.

"Inverters - Operating."

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the Reactor Protective System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum inverters to each AC vital bus during MODES 5 and 6 ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident.

The inverters were previously identified as part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I (continued)

Vogte Units 1 and 2 B 3.8.8-1 Rev. 1-10/01

Distribution Systems -Operating B 3.8.9 BASES (continued)

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the FSAR, Chapter 6 (Ref. 1), and In the FSAR, Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Umits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power; and
b. A worst case single failure.

The distribution systems satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I LCO The required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital bus electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. The AC, DC, and AC vital bus electrical power distribution subsystems are required to be OPERABLE.

Maintaining the required AC, DC, and AC vital bus electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

(continued)

Vogte Units I and 2 B 3.8.9-2 Rev. 1-10/01

Distribution Systems -Shutdown B 3.8.10 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.10 Distribution Systems -Shutdown BASES BACKGROUND A description of the AC, DC, and AC vital bus electrical power distribution systems is provided in the Bases for LCO 3.8.9, "Dist,ibution Systems -Operating."

APPLICABLE The initial conditions of Design Basis Accident and transient analyses SAFETY ANALYSES in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribufon systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC, DC, and AC vital bus electrical power distribution subsystems during MODES 5 and 6 ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentabon and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

The AC and DC electrical power distribution systems sabsfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I (continued)

Vogtle Units 1 and 2 B 3.8.10-1 Rev. 1-10/01

Boron Concentration B 3.9.1 BASES APPLICABLE The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36 SAFETY ANALYSES (cX2Xii). I (continued)

LCO The LCO requires that a minimum boron concentration be maintained in all filled portions of the RCS, the refueling canal, and the refueling cavity while in MODE 6. The boron concentration limit specified in the COLR ensures that a core kff of s 0.95 is maintained during fuel handling operations. Violation of the LCO could lead to an inadvertent criticality during MODE 6.

APPLICABILITY This LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required boron concentration ensures a keff

'Rod Group Alignment Limits," LCO 3.1.5, "Shutdown Bank Insertion Umits," and LCO 3.1.6, "Control Bank Insertion Limits," ensure an adequate amount of negative reactivity is available to shut down the reactor. In MODES 3,4, and 5, LCO 3.1.1, SHUTDOWN MARGIN" ensures an adequate amount of negative reactivity is available to shut down the reactor.

ACTIONS The ACTIONS table is modified by a Note prohibiting entry into MODE 6 f the RCS boron concentration specified in the COLR is not met.

A.1 and A.2 Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron concentration of any coolant volume in the filled portions of the RCS, the refueling canal, or the refueling cavity is less than its limit, all operabons involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately.

Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position or normal cooldown of the coolant volume for the purpose of system temperature control.

(continued)

Vogtle Units 1 and 2 B 3.9.1-3 Rev. 2-1 0/01

Unborated Water Source Isolation Valves B 3.9.2 BASES APPLICABLE dilution flow path from the RMWST, through the chemical mixing tank, SAFETY ANALYSES to the suction of the charging pumps, is provided by the allowance to (continued) open (under administrative control) applicable Chemical and Volume Control System (CVCS) valves. The maximum flow rate possible through this flow path is less than 3.5 gaVmin which is approximately 3.0 percent of the limiting flow rate considered in the analysis for other MODES. At all other times during MODE 6, the valve(s) are secured closed and any other chemical makeup solution which is required during refueling will be borated water supplied from the refueling water storage tank by the RHR pumps. Flow paths from the CVCS which could allow unborated chemical makeup water in excess of 3.5 gaVmin to reach the RCS are always isolated in MODE 6 by maintaining at least one valve secured closed in each applicable flow path. Since the maximum flow rate associated with the available dilution flow paths In MODE 6 Is very small, the total time from initiation of event to the eventual complete loss of shutdown margin is significantly large compared to the minimum required operator action time. Therefore, a considerable amount of time is available for the operator to initiate and terminate procedures for RCS water chemistry adjustments before potential loss of shutdown becomes a concem.

Additionally, the high flux at shutdown (HFAS) alarm is required OPERABLE prior to the applicable CVCS valves being opened. The boron dilution event analysis specifically credits the HFAS alarm when these valves are open. The availability of the HFAS alarm ensures that the operator has a 30 minute waming to terminate the dilution before shutdown margin is lost.

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36 I (cX2)(ii).

LCO This LCO requires that flow paths to the RCS from unborated water sources be isolated to prevent unplanned boron dilution during MODE 6 and thus avoid a reduction in SDM. This is accomplished by maintaining at least one valve secured closed in each applicable flow path.

The LCO is modified by a Note that allows valves in the flow path from the RMWST, through the chemical mixing tank, to the suction of the charging pumps to be opened under (continued)

Vogtle Units I and 2 B 3.9.2-2 Rev. 1-10/01

Nuclear Instrumentation B 3.9.3 B 3.9 REFUELING OPERATIONS B 3.9.3 Nuclear Instrumentation BASES BACKGROUND The source range neutron flux monitors are used during refueling operations to monitor the core reactivity condition. The installed source range neutron flux monitors (NI-0031 and NI-0032) are part of the Nuclear Instrumentation System (NIS). These detectors are located extemal to the reactor vessel and detect neutrons leaking from the core. Temporary neutron flux detectors which provide equivalent indication may be utilized in place of installed instrumentation.

The installed source range neutron flux monitors are fission chamber detectors. The detectors monitor the neutron flux in counts per second. The instrument range covers seven decades of neutron flux (1E-1 cps to 1E +6 cps) with a 2% instrument accuracy. The detectors also provide continuous visual indication in the control room.

The NIS is designed in accordance with the criteria presented in Reference 1.

APPLICABLE Two OPERABLE source range neutron flux monitors are required SAFETY ANALYSES to provide a signal to alert the operator to unexpected changes in core reactivity such as an improperdy loaded fuel assembly. The need for a safety analysis for an uncontrolled boron dilution accident is minimized by isolabng all unborated water sources except as provided for by LCO 3.9.2, Unborated Water Source Isolation Valves."

The source range neutron flux monitors satisfy Criterion 3 of 10 CFR 50.36 (cX2Xii). I LCO This LCO requires that two source range neutron flux monitors be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity. To be OPERABLE each monitor must provide visual indication.

(continued)

Vogtle Units 1 and 2 B 3.9.3-1 Rev. 2-1 0/01

Containment Penetrations B 3.9.4 BASES APPLICABLE acceptance of this specification was based on doses for a 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> SAFETY ANALYSES release as well as a licensee commitment for a person (continued) designated to close the door quickly.

The requirements of LCO 3.9.7, "Refueling Cavity Water Level," and the minimum decay time of 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br /> prior to CORE ALTERATIONS ensure that the release of fission product radioactivity, subsequent to a fuel handling accident, results in doses that are well within the guideline values specified in 10 CFR 100.

Standard Review Plan, Section 15.7.4, Rev. 1 (Ref. 3), defines "well within" 10 CFR 100 to be 25% or less of the 10 CFR 100 values. The acceptance limits for offsite radiation exposure will be 25% of 10 CFR 100 values or the NRC staff approved licensing basis (e.g., a specified fraction of 10 CFR 100 limits). The radiological consequences of a fuel handling accident in containment have been evaluated assuming that the containment is open to the outside atmosphere. All airbome activity reaching the containment atmosphere Is assumed to be exhausted to the environment within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of the accident. The calculated offsite and control room operator doses are within the acceptance criteria of Standard Review Plan 15.7.4 and GDC 19. Therefore, although the containment penetrations do not satisfy any of the 10 CFR 50.36 (cX2Xii) criteria, LCO 3.9.4 provides containment closure capability to minimize potential offsite doses.

LCO This LCO limits the consequences of a fuel handling accident in containment by limiting the potential escape paths for fission product radioactivity released within containment. The LCO requires the equipment hatch, the air locks, and any penetration providing direct access to the outside atmosphere to be closed or capable of being closed. Personnel air lock closure capability is provided by the availability of at least one door and a designated individual to close it.

Emergency air lock closure capability is provided by the availability of at least one door and a designated Individual to close it. Equipment hatch closure capability is provided by a designated trained hatch closure crew and the necessary equipment. For the OPERABLE containment ventilation penetrations, this LCO ensures that each penetration is solable by the Containment Ventilation Isolation valves.

The OPERABILITY requirements for LCO 3.3.6, Containment Ventilation Isolation Instrumentation ensure that radiation monitor inputs to the control room alarm exist so that operators can take timely (continued)

Vogtle Units 1 and 2 B 3.9.44 Rev. 4-10/01

RHR and Coolant Circulation - High Water Level B 3.9.5 BASES APPLICABLE RHR and Coolant Circulation - High Water Level satisfies Criterion 4 SAFETY ANALYSES of 10 CFR 50.36 (c)(2)(ii). I (continued)

LCO Only one RHR loop is required for decay heat removal in MODE 6, with the water level - 23 ft above the top of the reactor vessel flange.

Only one RHR loop is required to be OPERABLE, because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one RHR loop must be OPERABLE and in operation to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE RHR loop includes an RHR pump, a heat exchanger, valves, piping, Instruments, and controls to ensure an OPERABLE flow path and to determine the low end temperature. The flow path starts in one of the RCS hot legs and is retumed to the RCS cold legs.

The LCO is modified by a Note that allows the required operating RHR loop to be removed from service for up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period provided no operations are permitted that would cause a reduction of the RCS boron concentration. Boron concentration reduction is prohibited because uniform concentration distribution cannot be ensured without forced circulation. This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles and RCS to RHR isolation valve testing.

During this 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> period, decay heat is removed by natural convection to the large mass of water in the refueling cavity.

APPLICABILITY One RHR loop must be OPERABLE and in operation in MODE 6, with the water level Ž 23 ft above the top of the reactor vessel flange, to provide decay heat removal and mixing of the borated coolant The 23 ft water level was selected (continued)

Vogtle Units 1 and 2 B 3.9.5-2 Rev.1-10101

RHR and Coolant Circulation - Low Water Level B 3.9.6 B 3.9 REFUELING OPERATIONS B 3.9.6 Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, and to prevent boron stratification. Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers where the heat is transferred to the Component Cooling Water System. The coolant is then retumed to the RCS via the RCS cold leg(s).

Operation of the RHR System for normal cooldown decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchanger(s) and the bypass lines. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.

APPLICABLE While there is no explicit analysis assumption for the decay SAFETY ANALYSES heat removal function of the RHR system in MODE 6, if the reactor coolant temperature is not maintained below 2000F, boiling of the reactor coolant could result. This could lead to a loss of refueling cavity water level. In addition, boiling of the reactor coolant could lead to a reduction In boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant will eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two trains of the RHR System are required to be OPERABLE, and one train in operation, in order to prevent this challenge.

RHR and coolant circulation - Low Water Level satisfies Criterion 4 of 10 CFR 50.36 (c)(2Xii). I LCO In MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, both RHR loops must be OPERABLE.

(continued)

Vogtle Units 1 and 2 B 3.9.6-1 Rev. 1-10/01

Refueling Cavity Water Level p B 3.9.7 BASES APPLICABLE Refueling cavity water level satisfies Criterion 2 of 10 CFR 50.36 SAFETY ANALYSES (cX2Xii).

(continued)

LCO A minimum refueling cavity water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits, as provided by the guidance of Reference 3.

APPLICABILITY LCO 3.9.7 is applicable during CORE ALTERATIONS, except during latching and unlatching of control rod drive shafts, and when moving irradiated fuel assemblies within containment. Unlatching and latching of control rod drive shafts includes drag testing of the associated rod cluster control assembly. The LCO ensures a sufficient level of water is present in the reactor cavity to minimize the radiological consequences of a fuel handling accident in containment. If irradiated fuel assemblies are not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.15, "Fuel Storage Pool Water Level."

ACTIONS A1 ndA2 With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving CORE ALTERATIONS or movement of irradiated fuel assemblies within the containment shall be suspended immediately to ensure that a fuel handling accident cannot occur.

The suspension of CORE ALTERATIONS and fuel movement shall not preclude completion of movement of a component to a safe position.

(continued)

Vogtle Units I and 2 B 3.9.7-2 Rev. 1-10/01