ML11298A216: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
Line 16: Line 16:


=Text=
=Text=
{{#Wiki_filter:TECHNICAL SPECIFICATIONS BASES FOR NORTH ANNA UNITS 1 & 2 TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSNorth Anna Units 1 and 2iRevision 39 B 2.1SAFETY LIMITS (SLs). . . . . . . . . . . . . . . . . . B 2.1.1-1B 2.1.1Reactor Core SLs . . . . . . . . . . . . . . . . . B 2.1.1-1B 2.1.2Reactor Coolant System (RCS) Pressure SL . . . . . B 2.1.2-1B 3.0LIMITING CONDITION FOR OPERATION (LCO)
{{#Wiki_filter:}}
APPLICABILITY. . . . . . . . . . . . . . . . . . . . B 3.0-1B 3.0SURVEILLANCE REQUIREMENT (SR) APPLICABILITY. . . . . . .B 3.0-12B 3.1REACTIVITY CONTROL SYSTEMS . . . . . . . . . . . . . . B 3.1.1-1B 3.1.1SHUTDOWN MARGIN (SDM). . . . . . . . . . . . . . . B 3.1.1-1B 3.1.2Core Reactivity. . . . . . . . . . . . . . . . . . B 3.1.2-1B 3.1.3Moderator Temperature Coefficient (MTC). . . . . . B 3.1.3-1B 3.1.4Rod Group Alignment Limits . . . . . . . . . . . . B 3.1.4-1B 3.1.5Shutdown Bank Insertion Limits . . . . . . . . . . B 3.1.5-1B 3.1.6Control Bank Insertion Limits. . . . . . . . . . . B 3.1.6-1B 3.1.7Rod Position Indication. . . . . . . . . . . . . . B 3.1.7-1B 3.1.8Primary Grade Water Flow Path Isolation Valves . . . . . . . . . . . . . . . . . . . . B 3.1.8-1B 3.1.9PHYSICS TESTS Exceptions-MODE
: 2. . . . . . . . . . B 3.1.9-1B 3.2POWER DISTRIBUTION LIMITS. . . . . . . . . . . . . . . B 3.2.1-1B 3.2.1Heat Flux Hot Channel Factor (F Q(Z)). . . . . . . . B 3.2.1-1B 3.2.2Nuclear Enthalpy Rise Hot Channel Factor (). . . B 3.2.2-1B 3.2.3AXIAL FLUX DIFFERENCE (AFD). . . . . . . . . . . . B 3.2.3-1B 3.2.4QUADRANT POWER TILT RATIO (QPTR) . . . . . . . . . B 3.2.4-1B 3.3INSTRUMENTATION. . . . . . . . . . . . . . . . . . . . B 3.3.1-1B 3.3.1Reactor Trip System (RTS) Instrumentation. . . . . B 3.3.1-1B 3.3.2Engineered Safety Feature Actuation System (ESFAS) Instrumentation. . . . . . . . . . . . B 3.3.2-1B 3.3.3Post Accident Monitoring (PAM)
Instrumentation. . . . . . . . . . . . . . . . B 3.3.3-1B 3.3.4Remote Shutdown System . . . . . . . . . . . . . . B 3.3.4-1B 3.3.5Loss of Power (LOP) Emergency Diesel Generator (EDG) Start Instrumentation. . . . . . . . . . B 3.3.5-1B 3.3.6Main Control Room/Emergency Switchgear Room (MCR/ESGR) Envelope Isolation Actuation Instrumentation. . . . . . . . . . . . . . . . B 3.3.6-1B 3.4REACTOR COOLANT SYSTEM (RCS) . . . . . . . . . . . . . B 3.4.1-1B 3.4.1RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits . . . . . . B 3.4.1-1B 3.4.2RCS Minimum Temperature for Criticality. . . . . . B 3.4.2-1B 3.4.3RCS Pressure and Temperature (P/T) Limits. . . . . B 3.4.3-1B 3.4.4RCS Loops-MODES 1 and 2. . . . . . . . . . . . . . B 3.4.4-1B 3.4.5RCS Loops-MODE 3 . . . . . . . . . . . . . . . . . B 3.4.5-1B 3.4.6RCS Loops-MODE 4 . . . . . . . . . . . . . . . . . B 3.4.6-1B 3.4.7RCS Loops-MODE 5, Loops Filled . . . . . . . . . . B 3.4.7-1B 3.4.8RCS Loops-MODE 5, Loops Not Filled . . . . . . . . B 3.4.8-1B 3.4.9Pressurizer. . . . . . . . . . . . . . . . . . . . B 3.4.9-1 F NH North Anna Units 1 and 2iiRevision 39 TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSB 3.4REACTOR COOLANT SYSTEM (RCS) (continued)B 3.4.10Pressurizer Safety Valves. . . . . . . . . . . . .B 3.4.10-1B 3.4.11Pressurizer Power Operated Relief Valves (PORVs). . . . . . . . . . . . . . . . . . . .B 3.4.11-1B 3.4.12Low Temperature Overpressure Protection (LTOP) System. . . . . . . . . . . . . . . . .B 3.4.12-1B 3.4.13RCS Operational LEAKAGE. . . . . . . . . . . . . .B 3.4.13-1B 3.4.14RCS Pressure Isolation Valve (PIV) Leakage . . . .B 3.4.14-1B 3.4.15RCS Leakage Detection Instrumentation. . . . . . .B 3.4.15-1B 3.4.16RCS Specific Activity. . . . . . . . . . . . . . .B 3.4.16-1B 3.4.17RCS Loop Isolation Valves. . . . . . . . . . . . .B 3.4.17-1B 3.4.18RCS Isolated Loop Startup. . . . . . . . . . . . .B 3.4.18-1B 3.4.19RCS Loops-Test Exceptions. . . . . . . . . . . . .B 3.4.19-1B 3.4.20Steam Generator (SG) Tube Integrity. . . . . . . .B 3.4.20-1B 3.5EMERGENCY CORE COOLING SYSTEMS (ECCS). . . . . . . . . B 3.5.1-1B 3.5.1Accumulators . . . . . . . . . . . . . . . . . . . B 3.5.1-1B 3.5.2ECCS-Operating . . . . . . . . . . . . . . . . . . B 3.5.2-1B 3.5.3ECCS-Shutdown. . . . . . . . . . . . . . . . . . . B 3.5.3-1B 3.5.4Refueling Water Storage Tank (RWST). . . . . . . . B 3.5.4-1B 3.5.5Seal Injection Flow. . . . . . . . . . . . . . . . B 3.5.5-1B 3.5.6Boron Injection Tank (BIT) . . . . . . . . . . . . B 3.5.6-1B 3.6CONTAINMENT SYSTEMS. . . . . . . . . . . . . . . . . . B 3.6.1-1B 3.6.1Containment. . . . . . . . . . . . . . . . . . . . B 3.6.1-1B 3.6.2Containment Air Locks. . . . . . . . . . . . . . . B 3.6.2-1B 3.6.3Containment Isolation Valves . . . . . . . . . . . B 3.6.3-1B 3.6.4Containment Pressure . . . . . . . . . . . . . . . B 3.6.4-1B 3.6.5Containment Air Temperature. . . . . . . . . . . . B 3.6.5-1B 3.6.6Quench Spray (QS) System . . . . . . . . . . . . . B 3.6.6-1B 3.6.7Recirculation Spray (RS) System. . . . . . . . . . B 3.6.7-1B 3.6.8Chemical Addition System . . . . . . . . . . . . . B 3.6.8-1B 3.7PLANT SYSTEMS. . . . . . . . . . . . . . . . . . . . . B 3.7.1-1B 3.7.1Main Steam Safety Valves (MSSVs) . . . . . . . . . B 3.7.1-1B 3.7.2Main Steam Trip Valves (MSTVs) . . . . . . . . . . B 3.7.2-1B 3.7.3Main Feedwater Isolation Valves (MFIVs), Main Feedwater Pump Discharge Valves (MFPDVs), Main Feedwater Regulating Valves (MFRVs), and Main Feedwater Regulating Bypass Valves (MFRBVs). . . . . . . . . . . . . . . . B 3.7.3-1B 3.7.4Steam Generator Power Operated Relief Valves (SG PORVs) . . . . . . . . . . . . . . . . . . B 3.7.4-1B 3.7.5Auxiliary Feedwater (AFW) System . . . . . . . . . B 3.7.5-1B 3.7.6Emergency Condensate Storage Tank (ECST) . . . . . B 3.7.6-1B 3.7.7Secondary Specific Activity. . . . . . . . . . . . B 3.7.7-1B 3.7.8Service Water (SW) System. . . . . . . . . . . . . B 3.7.8-1B 3.7.9Ultimate Heat Sink (UHS) . . . . . . . . . . . . . B 3.7.9-1 TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSNorth Anna Units 1 and 2iiiRevision 39 B 3.7PLANT SYSTEMS (continued)B 3.7.10Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS). . . . . . . . . . . . . . . . . . . . .B 3.7.10-1B 3.7.11Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning System (ACS) . . .B 3.7.11-1B 3.7.12Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System (PREACS) . . .B 3.7.12-1B 3.7.13Not Used B 3.7.14Not Used B 3.7.15Fuel Building Ventilation System (FBVS). . . . . .B 3.7.15-1B 3.7.16Fuel Storage Pool Water Level. . . . . . . . . . .B 3.7.16-1B 3.7.17Fuel Storage Pool Boron Concentration. . . . . . .B 3.7.17-1B 3.7.18Spent Fuel Pool Storage. . . . . . . . . . . . . .B 3.7.18-1B 3.7.19Component Cooling Water (CC) System. . . . . . . .B 3.7.19-1B 3.8ELECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . B 3.8.1-1B 3.8.1AC Sources-Operating . . . . . . . . . . . . . . . B 3.8.1-1B 3.8.2AC Sources-Shutdown. . . . . . . . . . . . . . . . B 3.8.2-1B 3.8.3Diesel Fuel Oil and Starting Air . . . . . . . . . B 3.8.3-1B 3.8.4DC Sources-Operating . . . . . . . . . . . . . . . B 3.8.4-1B 3.8.5DC Sources-Shutdown. . . . . . . . . . . . . . . . B 3.8.5-1B 3.8.6Battery Cell Parameters. . . . . . . . . . . . . . B 3.8.6-1B 3.8.7Inverters-Operating. . . . . . . . . . . . . . . . B 3.8.7-1B 3.8.8Inverters-Shutdown . . . . . . . . . . . . . . . . B 3.8.8-1B 3.8.9Distribution Systems-Operating . . . . . . . . . . B 3.8.9-1B 3.8.10Distribution Systems-Shutdown. . . . . . . . . . .B 3.8.10-1B 3.9REFUELING OPERATIONS . . . . . . . . . . . . . . . . . B 3.9.1-1B 3.9.1Boron Concentration. . . . . . . . . . . . . . . . B 3.9.1-1B 3.9.2Primary Grade Water Flow Path Isolation Valves-MODE
: 6. . . . . . . . . . . . . . . . . B 3.9.2-1B 3.9.3Nuclear Instrumentation. . . . . . . . . . . . . . B 3.9.3-1B 3.9.4Containment Penetrations . . . . . . . . . . . . . B 3.9.4-1B 3.9.5Residual Heat Removal (RHR) and Coolant Circulation-High Water Level . . . . . . . . . B 3.9.5-1B 3.9.6Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level. . . . . . . . . . B 3.9.6-1B 3.9.7Refueling Cavity Water Level . . . . . . . . . . . B 3.9.7-1 Intentionally Blank North Anna Units 1 and 2B 2.1.1-1Revision 13 Reactor Core SLs B 2.1.1 B 2.1  SAFETY LIMITS (SLS)B 2.1.1Reactor Core SLs BASES BACKGROUND GDC 10 (Ref. 1) requires that specified acceptable fuel design limits are not exceeded during steady state
 
operation, normal operational transients, and anticipated
 
operational occurrences (AOOs). This is accomplished by having a departure from nucle ate boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence
 
level (the 95/95 DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below
 
the melting temperature.
The restrictions of this SL prevent overheating of the fuel and cladding, as well as possible cladding perforation, that would result in the release of fission products to the
 
reactor coolant. Overheating of the fuel is prevented by
 
maintaining the steady state peak linear heat rate (LHR)
 
below the level at which fuel centerline melting occurs. The
 
maximum fuel centerline temperatures are given by the
 
best-estimate relationships defined in SL 2.1.1.2 and are dependent upon whether the Westinghouse or Framatome fuel is evaluated. Overheating of the fuel cladding is prevented by
 
restricting fuel operation to within the nucleate boiling
 
regime, where the heat transfer coefficient is large and the
 
cladding surface temperature is slightly above the coolant
 
saturation temperature.
Fuel centerline melting occurs when the local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of
 
the fuel. Expansion of the pellet upon centerline melting
 
may cause the pellet to stress the cladding to the point of failure, allowing an un controlled release of activity to the reactor coolant.
Operation above the boundary of the nucleate boiling regime
 
could result in excessive cladding temperature because of
 
the onset of DNB and the resultant sharp reduction in heat
 
transfer coefficient. Inside the steam film, high cladding
 
temperatures are reached, and a cladding water (zirconium
 
water) reaction may take place. This chemical reaction
 
results in oxidation of the fuel cladding to a structurally (continued)
North Anna Units 1 and 2B 2.1.1-2Revision 9 Reactor Core SLs B 2.1.1 BASES BACKGROUND (continued) weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the
 
reactor coolant.
The proper functioning of the Reactor Protection System (RPS) and main steam safety valves prevents violation of the
 
reactor core SLs.
APPLICABLE
 
SAFETY ANALYSES The fuel cladding must not sustain damage as a result of
 
normal operation and AOOs. The reactor core SLs are
 
established to preclude violation of the following fuel
 
design criteria:a.There must be at least 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in
 
the core does not experience DNB; andb.The hot fuel pellet in the core must not experience centerline fuel melting.
The Reactor Trip System allowable values (Ref.
2), in combination with all the LCOs, are designed to prevent any
 
anticipated combination of transient conditions for Reactor
 
Coolant System (RCS) temperature, pressure, and flow, AFD, and THERMAL POWER level that would result in a departure from nucleate boiling ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.
Automatic enforcement of these reactor core SLs is provided
 
by the appropriate operation of the RPS and the main steam
 
safety valves.
The SLs represent a design requirement for establishing the
 
RPS trip allowable values identified previously (as
 
indicated in the UFSAR, Ref.
2). LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)
 
Limits," or the assumed initial conditions of the safety
 
analyses provide more restrictive limits to ensure that the
 
SLs are not exceeded.
SAFETY LIMITS The figure provided in the COLR shows the loci of points of
 
THERMAL POWER, RCS pressure, and average temperature for
 
which the minimum DNBR is not less than the safety analyses
 
limit, that fuel centerline temperature remains below (continued)
Reactor Core SLs B 2.1.1 BASESNorth Anna Units 1 and 2B 2.1.1-3Revision 9 SAFETY LIMITS (continued) melting, that the average enthalpy in the hot leg is less than or equal to the enthalpy of saturated liquid, or that
 
the exit quality is within the limits defined by the DNBR
 
correlation.
The reactor core SLs are established to preclude violation
 
of the following fuel design criteria:a.There must be at least a 95% probability at a 95%
confidence level (the 95/95 DNB criterion) that the hot
 
fuel rod in the core does not experience DNB; andb.There must be at least a 95% probability at a 95%
confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.
The reactor core SLs are used to define the various RPS
 
functions such that the above criteria are satisfied during
 
steady state operation, normal operational transients, and
 
anticipated operational occurrences (AOOs). To ensure that
 
the RPS precludes the violation of the above criteria, additional criteria are applied to the Overtemperature and
 
Overpower T reactor trip functions. That is, it must be demonstrated that the average enthalpy in the hot leg is less than or equal to the saturation enthalpy and that the core
 
exit quality is within the limits defined by the DNBR
 
correlation. Appropriate functioning of the RPS and main
 
steam safety valves ensures that for variations in the
 
THERMAL POWER, RCS pressure, RCS average temperature, RCS
 
flow rate, and AFD that the reactor core SLs will be
 
satisfied during steady state operation, normal operational
 
transients, and AOOs.
APPLICABILITY SL 2.1.1 only applies in MODES 1 and 2 because these are the only MODES in which the reactor is critical. Automatic
 
protection functions are required to be OPERABLE during
 
MODES 1 and 2 to ensure operation within the reactor core SLs. The main steam safety valves or automatic protection
 
actions serve to prevent RCS heatup to the reactor core SL
 
conditions or to initiate a reactor trip function, which
 
forces the unit into MODE
: 3. Allowable values for the reactor trip functions are specified in LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." In MODES 3, 4, 5, and 6, Applicability is not required since the reactor is not
 
generating significant THERMAL POWER.
North Anna Units 1 and 2B 2.1.1-4Revision 0 Reactor Core SLs B 2.1.1 BASES SAFETY LIMIT
 
VIOLATIONS If SL 2.1.1 is violated, the requirement to go to MODE 3 places the unit in a MODE in which this SL is not applicable.
The allowed Completion Time of 1 hour recognizes the importance of bringing the unit to a MODE of operation where
 
this SL is not applicable, and reduces the probability of
 
fuel damage.
REFERENCES1.UFSAR, Section 3.1.6.2.UFSAR, Section 7.2.
North Anna Units 1 and 2B 2.1.2-1Revision 20 RCS Pressure SL B 2.1.2 B 2.1  SAFETY LIMITS (SLs)B 2.1.2Reactor Coolant System (RCS) Pressure SL BASES BACKGROUND The SL on RCS pressure protects the integrity of the RCS
 
against overpressurization. In the event of fuel cladding
 
failure, fission products are released into the reactor
 
coolant. The RCS then serves as the primary barrier in
 
preventing the release of fission products into the
 
atmosphere. By establishing an upper limit on RCS pressure
 
during operating conditions, the continued integrity of the
 
RCS is ensured. According to GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref.
1), the reactor coolant pressure boundary (RCPB) design conditions are not to be exceeded during
 
normal operation and anticipated operational occurrences (AOOs). Also, in accordance with GDC 28, "Reactivity Limits" (Ref. 1), reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local
 
yielding.The design pressure of the RCS is 2500 psia. During normal operation and AOOs, RCS pressure is limited from exceeding
 
the design pressure by more than 10%, in accordance with
 
Section III of the ASME Code (Ref.
2). To ensure system integrity, all RCS components are hydrostatically tested at
 
125% of design pressure, according to the ASME Code
 
requirements prior to initial operation when there is no
 
fuel in the core. Following inception of unit operation, RCS
 
components shall be pressure tested, in accordance with the
 
requirements of ASME Code, Section XI (Ref. 3).Overpressurization of the RCS could result in a breach of the
 
RCPB. If such a breach occurs in conjunction with a fuel
 
cladding failure, fission products could enter the
 
containment atmosphere, raising concerns relative to limits
 
on radioactive releases specified in 10 CFR 50.67 (Ref.
4).APPLICABLE
 
SAFETY ANALYSES The RCS pressurizer safety valves, the main steam safety
 
valves (MSSVs), and the reactor high pressure trip have settings established to ensure that the RCS pressure SL will not be exceeded.(continued)
North Anna Units 1 and 2B 2.1.2-2Revision 0 RCS Pressure SL B 2.1.2 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The RCS pressurizer safety valves are sized to prevent
 
system pressure from exceeding the design pressure by more
 
than 10%, as specified in Section III of the ASME Code for Nuclear Power Plant Components (Ref.
2). The transient that establishes the required relief capacity, and hence valve
 
size requirements and lift settings, is a complete loss of
 
external load without a direct reactor trip. During the
 
transient, no control actions are assumed, except that the
 
safety valves on the secondary plant are assumed to open when
 
the steam pressure reaches the secondary plant safety valve
 
settings, and nominal feedwater supply is maintained.
The Reactor Trip System allowable values (Ref.
5), together with the settings of the MSSVs, provide pressure protection
 
for normal operation and AOOs. The reactor high pressure
 
trip allowable value is specifically determined to provide
 
protection against overpressurization (Ref.
5). The safety analyses for both the high pressure trip and the RCS
 
pressurizer safety valves are performed using conservative
 
assumptions relative to pressure control devices.
More specifically, no credit is taken for operation of the
 
following:a.Pressurizer power operated relief valves (PORVs);b.Steam Generator PORVs;c.Steam Dump System;d.Reactor Control System;e.Pressurizer Level Control System; orf.Pressurizer spray valve.
SAFETY LIMITS The maximum transient pressure allowed in the RCS pressure
 
vessel under the ASME Code, Section III, is 110% of design pressure. The maximum transient pressure allowed in the RCS
 
piping, valves, and fittings under USAS, Section B31.1 (Ref. 6) is 120% of design pressure. The most limiting of these two allowances is the 110% of design pressure;
 
therefore, the SL on maximum allowable RCS pressure is
 
2735 psig.
RCS Pressure SL B 2.1.2 BASESNorth Anna Units 1 and 2B 2.1.2-3Revision 20 APPLICABILITY SL 2.1.2 applies in MODES 1, 2, 3, 4, and 5 because this SL could be approached or exceeded in these MODES due to
 
overpressurization events. The SL is not applicable in
 
MODE 6 because the reactor vessel head closure bolts are not fully tightened, making it unlikely that the RCS can be
 
pressurized.
SAFETY LIMIT
 
VIOLATIONS If the RCS pressure SL is violated when the reactor is in
 
MODE 1 or 2, the requirement is to restore compliance and be in MODE 3 within 1 hour.Exceeding the RCS pressure SL may cause immediate RCS
 
failure and create a potential for radioactive releases in
 
excess of 10 CFR 50.67 limits (Ref.
4).The allowable Completion Time of 1 hour recognizes the importance of reducing power level to a MODE of operation
 
where the potential for challenges to safety systems is
 
minimized.
If the RCS pressure SL is exceeded in MODE 3, 4, or 5, RCS pressure must be restored to within the SL value within
 
5 minutes. Exceeding the RCS pressure SL in MODE 3, 4, or 5 is more severe than exceeding this SL in MODE 1 or 2, since the reactor vessel temperature may be lower and the vessel
 
material, consequently, less ductile. As such, pressure must
 
be reduced to less than the SL within 5 minutes. The action does not require reducing MODES, since this would require
 
reducing temperature, which would compound the problem by
 
adding thermal gradient stresses to the existing pressure
 
stress.REFERENCES1.UFSAR, Sections 3.1.10, 3.1.11, and 3.1.24.2.ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000.3.ASME, Boiler and Pressure Vessel Code, Section XI, Article IWX-5000.4.10 CFR 50.67.5.UFSAR, Section 7.2.6.USAS B31.1, Standard Code for Pressure Piping, American Society of Mechanical Engineers, 1967.
Intentionally Blank North Anna Units 1 and 2B 3.0-1Revision44 LCO Applicability B 3.0B 3.0LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY BASES LCOs LCO 3.0.1 through LCO 3.0.9 establish the general requirements applicable to all Specifications and apply at
 
all times, unless otherwise stated.
LCO  3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the
 
MODES or other specified conditions of the Applicability
 
statement of each Specification).
LCO  3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The
 
Completion Time of each Required Action for an ACTIONS
 
Condition is applicable from the point in time that an
 
ACTIONS Condition is entered. The Required Actions establish
 
those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met.
 
This Specification establishes that:a.Completion of the Required Actions within the specified Completion Times constitutes compliance with a
 
Specification; andb.Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.There are two basic types of Required Actions. The first type
 
of Required Action specifies a time limit in which the LCO
 
must be met. This time limit is the Completion Time to
 
restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this
 
type of Required Action is not completed within the
 
specified Completion Time, a shutdown may be required to
 
place the unit in a MODE or condition in which the
 
Specification is not applicable. (Whether stated as a
 
Required Action or not, correction of the entered Condition
 
is an action that may always be considered upon entering
 
ACTIONS.) The second type of Required Action specifies the
 
remedial measures that permit continued operation of the (continued)
North Anna Units 1 and 2B 3.0-2Revision 0 LCO Applicability B 3.0 BASES LCO  3.0.2 (continued) unit that is not further restricted by the Completion Time.
 
In this case, compliance with the Required Actions provides
 
an acceptable level of safety for continued operation.
Completing the Required Actions is not required when an LCO
 
is met or is no longer applicable, unless otherwise stated in
 
the individual Specifications.
The nature of some Required Actions of some Conditions
 
necessitates that, once the Condition is entered, the
 
Required Actions must be completed even though the
 
associated Conditions no longer exist. The individual LCO's
 
ACTIONS specify the Required Actions where this is the case.
An example of this is in LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits."
The Completion Times of the Required Actions are also
 
applicable when a system or component is removed from
 
service intentionally. The reasons for intentionally relying
 
on the ACTIONS include, but are not limited to, performance
 
of Surveillances, preventive maintenance, corrective
 
maintenance, or investigation of operational problems.
 
Entering ACTIONS for these reasons must be done in a manner
 
that does not compromise safety. Intentional entry into
 
ACTIONS should not be made for operational convenience.
 
Additionally, if intentional entry into ACTIONS would result
 
in redundant equipment being inoperable, alternatives should
 
be used instead. Doing so limits the time both
 
subsystems/trains of a safety function are inoperable and
 
limits the time conditions exist which may result in
 
LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is
 
removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable
 
when this time limit expires, if the equipment remains
 
removed from service or bypassed.
When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter
 
a MODE or other specified condition in which another
 
Specification becomes applicable. In this case, the
 
Completion Times of the associated Required Actions would
 
apply from the point in time that the new Specification
 
becomes applicable, and the ACTIONS Condition(s) are
 
entered.
LCO Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-3Revision 0 LCO  3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:a.An associated Required Action and Completion Time is not met and no other Condition applies; orb.The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination
 
of Conditions stated in the ACTIONS can be made that
 
exactly corresponds to the actual condition of the unit.
 
Sometimes, possible combinations of Conditions are such
 
that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to
 
such combinations and also that LCO 3.0.3 be entered immediately.
This Specification delineates the time limits for placing
 
the unit in a safe MODE or other specified condition when
 
operation cannot be maintained within the limits for safe
 
operation as defined by the LCO and its ACTIONS. It is not
 
intended to be used as an operational convenience that
 
permits routine voluntary removal of redundant systems or
 
components from service in lieu of other alternatives that
 
would not result in redundant systems or components being
 
inoperable.
Upon entering LCO 3.0.3, 1 hour is allowe d to prepare for an orderly shutdown before initiating a change in unit
 
operation. This includes time to permit the operator to
 
coordinate the reduction in electrical generation with the
 
load dispatcher to ensure the stability and availability of
 
the electrical grid. The time limits specified to reach
 
lower MODES of operation permit the shutdown to proceed in a
 
controlled and orderly manner that is well within the
 
specified maximum cooldown rate and within the capabilities
 
of the unit, assuming that only the minimum required
 
equipment is OPERABLE. This reduces thermal stresses on
 
components of the Reactor Coolant System and the potential
 
for a unit upset that could challenge safety systems under
 
conditions to which this Specification applies. The use and
 
interpretation of specified times to complete the actions of
 
LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.(continued)
North Anna Units 1 and 2B 3.0-4Revision 0 LCO Applicability B 3.0 BASES LCO  3.0.3 (continued)
A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:a.The LCO is now met.b.A Condition exists for which the Required Actions have now been performed.c.ACTIONS exist that do not have expired Completion Times.
These Completion Times are applicable from the point in
 
time that the Condition is initially entered and not from
 
the time LCO 3.0.3 is exited.
The time limits of Specification 3.0.3 allow 37 hours for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the
 
next lower MODE applies. If a lower MODE is reached in less
 
time than allowed, however, the total allowable time to
 
reach MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is reached in 2 hours, then the time allowed for reaching MODE 4 is the next 11 hours, because the total time for reaching MODE 4 is not reduced from the allowable limit of 13 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation
 
in less than the total time allowed.
In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The
 
requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive
 
Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or
: 4) because the ACTIONS of individual Specifications sufficiently define the
 
remedial measures to be taken.
Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the
 
associated condition of the unit. An example of this is in
 
LCO 3.7.16, "Fuel Storage Pool Water Level." LCO 3.7.16 has an Applicability of "During movement of irradiated fuel
 
assemblies in the fuel storage pool." Therefore, this LCO (continued)
LCO Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-5Revision 0 LCO  3.0.3 (continued) can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.16 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of
 
LCO 3.7.16 of "Suspend movement of irradiated fuel assemblies in the fuel storage pool" is the appropriate
 
Required Action to complete in lieu of the actions of
 
LCO 3.0.3. These exceptions are addressed in the individual Specifications.
LCO  3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It precludes placing th e unit in a MODE or other specified condition stated in that Applicability (e.g.,
Applicability desired to be entered) when the following
 
exist:a.Unit conditions are such that the requirements of the LCO would not be met in the Applicability desired to be
 
entered; andb.Continued noncompliance with the LCO requirements, if the Applicability were entered, would result in the unit
 
being required to exit the Applicability desired to be
 
entered to comply with the Required Actions.
Compliance with Required Actions that permit continued
 
operation of the unit for an unlimited period of time in a
 
MODE or other specified condition provides an acceptable
 
level of safety for continued operation. This is without
 
regard to the status of the unit before or after the MODE
 
change. Therefore, in such cases, entry into a MODE or other
 
specified condition in the Applicability may be made in
 
accordance with the provisions of the Required Actions.
When an LCO is not met, LCO 3.0.4 also allows entering MODES or other specified conditions in the Applicability following
 
assessment of the risk impact and determination that the
 
impact can be managed. The risk evaluation may use
 
quantitative, qualitative, or blended approaches, and the
 
risk evaluation will be conducted using the plant program, procedures, and criteria in place to implement
 
10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk
 
evaluations will be conducted using the procedures and (continued)
North Anna Units 1 and 2B 3.0-6Revision 0 LCO Applicability B 3.0 BASES LCO  3.0.4 (continued) guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power
 
Plants."The results of the risk evaluation shall be considered in
 
determining the acceptability of entering the MODE or other
 
specified condition in the Applicability, and any
 
corresponding risk management actions. Consideration will be
 
given to the probability of completing restoration such that
 
the requirements of the LCO would be met prior to the
 
expiration of ACTIONS Completion Times that would require
 
exiting the Applicability.
A risk assessment and establishment of risk management
 
actions, as appropriate, are required for determination of
 
acceptable risk for entering MODES or other specified
 
conditions in the Applicability when an LCO is not met. The
 
elements of the risk assessment and risk management actions
 
are included in Regulatory Guide 1.182 which addresses general guidance for conduct of the risk evaluation, quantitative and qualitative guidelines for establishing
 
risk management actions, and example risk management
 
actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize
 
the magnitude of risk increases (establishment of backup
 
success paths or compensatory measures), and determination
 
that the proposed MODE change is acceptable.
A quantitative, qualitative, or blended risk evaluation must
 
be performed to assess the risk impact of entering the MODE
 
or other specified condition in the Applicability, based on
 
the specific plant configuration at that time and the risk
 
impacts must be managed in accordance with the assessment
 
results.From generic evaluations, systems/components can be
 
identified which are equally or more important to risk in
 
MODE 1 than in the transition MODES. The Technical Specifications allow continued operation with this equipment
 
unavailable during MODE 1 operation for the duration of the Completion Time. Since this is allowable, and since the risk impact bounds the risk of transitioning up in MODE and entering the Conditions and Required Actions, the use of the LCO 3.0.4 allowance for these systems should be generally acceptable, as long as the risk is assessed and managed as (continued)
LCO Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-7Revision 0 LCO  3.0.4 (continued) stated above. However, there is a small subset of systems/components that have been generically determined to
 
be more important to risk in MODES 2-5 and do not have the LCO 3.0.4 allowance. These system/components are listed below.The Applicability should be reviewed with respect to the
 
actual plant configuration at that time. Each individual
 
application of LCO 3.0.4.b, whether due to one or more than one LCO 3.0.4.b allowance at the same time, is required to be evaluated under the auspices of 10 CFR 50.65(a)(4) and consideration of risk management actions discussed in
 
Regulatory Guide 1.182. For those cases where the risk of the MODE change may be greater (i.e., the systems and
 
components listed below), prior NR C review and approval of a specific LCO 3.0.4 allowance is required.
The LCO 3.0.4.b allowance typically only applies to systems and components. The values and parameters of the Technical
 
Specifications (e.g., Containment Air Temperature, Containment Pressure, Moderator Temperature Coefficient, etc.) are typically not addressed by this LCO 3.0.4.b allowance. These values and parameters are addressed by the
 
LCO 3.0.4.c allowance.
A list of the LCO 3.0.4.c specific value and parameter allowances approved by the NRC is provided below.
LCO 3.4.16, RCS Specific Activity In order to support the conduct of the appropriate
 
assessments, each Owners Group has performed an evaluation
 
to identify plant systems or components which are more important to risk in the transition MODES than in MODE
: 1. To apply the LCO 3.0.4 allowance to these systems and components, prior NRC review and approval is required. These systems are listed in the following table.(continued)
North Anna Units 1 and 2B 3.0-8Revision 0 LCO Applicability B 3.0 BASES LCO  3.0.4 (continued)
NUMARC 93-01, "Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,"
 
states that the rigor of the risk analysis should be
 
commensurate with the risk impact of the proposed
 
configuration. For unavailable plant systems or components
 
listed on the above table, a plant MODE change has been
 
determined, through generic evaluation, to result in a
 
potential risk increase. Therefore, prior NRC review and
 
approval is required to apply the LCO 3.0.4 allowance to these systems and components.
For unavailable plant s ystems or components not appearing in the above table, proposed plant MODE changes will generally not involve a risk increase greater than the system or component being unavailable in MODE
: 1. The risk assessment performed to support use of LCO 3.0.4.b for systems or components not appearing on the above table must meet all
 
considerations of NUMARC 93-01, but need not be documented.
LCO 3.0.4.b may be used with single, or multiple systems or components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of
 
multiple systems or components.
The provisions of this Specification should not be
 
interpreted as endorsing the failure to exercise the good
 
practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.(continued)
System*MODE or Other Specified Condition in the Applicability RCS Loops (RHR) 5 LTOP System 4, 5 ECCS Shutdown (ECCS High
 
Head Subsystem) 4 AFW System 1 AC Sources (Diesel
 
Generators) 1, 2, 3, 4, 5, 6*Including systems supporting the OPERABILITY of the listed systems.
LCO Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-9Revision 0 LCO  3.0.4 (continued)
The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability
 
that are required to comply with ACTIONS. In addition, the
 
provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that
 
result from any unit shutdown.
LCO 3.0.4 is only applicable when entering MODE 4 from
 
MODE 5, MODE 3 from MODE 4, MODE 2 from MODE 3, or MODE 1 from MODE 2. Furthermore, LCO 3.0.4 is applicable when
 
entering any other specified condition in the Applicability
 
only while operating in MODES 1, 2, 3, or 4. The requirements
 
of LCO 3.0.4 do not apply in MODES 5 and 6, or in other
 
specified conditions of the Applicability (unless in MODES
 
1, 2, 3, or
: 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to
 
be taken.Surveillances do not have to be performed on the associated
 
inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, changing MODES or other specified conditions while in an ACTIONS Condition, in compliance with LCO 3.0.4, is not a violation of SR 3.0.1 or SR 3.0.4 for those Surveillances that do not have to be performed due to the associated inoperable equipment.
 
However, SRs must be met to ensure OPERABILITY prior to
 
declaring the associated equipment OPERABLE (or variable
 
within limits) and restoring compliance with the affected
 
LCO.LCO  3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been
 
removed from service or declared inoperable to comply with
 
ACTIONS. The sole purpose of this Specification is to
 
provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance
 
of required testing to demonstrate:a.The OPERABILITY of the equipment being returned to service; orb.The OPERABILITY of other equipment.(continued)
North Anna Units 1 and 2B 3.0-10Revision 0 LCO Applicability B 3.0 BASES LCO  3.0.5 (continued)
The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the
 
ACTIONS is limited to the time absolutely necessary to
 
perform the required testing to demonstrate OPERABILITY.
 
This Specification does not provide time to perform any
 
other preventive or corrective maintenance.
An example of demonstrating the OPERABILITY of the equipment
 
being returned to service is reopening a containment
 
isolation valve that has been closed to comply with Required
 
Actions and must be reopened to perform the required
 
testing.An example of demonstrating the OPERABILITY of other
 
equipment is taking an inoperable channel or trip system out
 
of the tripped condition to prevent the trip function from
 
occurring during the performance of required testing on
 
another channel in the other trip system. A similar example
 
of demonstrating the OPERABILITY of other equipment is
 
taking an inoperable channel or trip system out of the
 
tripped condition to permit the logic to function and
 
indicate the appropriate response during the performance of
 
required testing on another channel in the same trip system.
LCO  3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical
 
Specifications (TS). This exception is provided because
 
LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be
 
entered solely due to the inoperability of the support
 
system. This exception is justified because the actions that
 
are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the
 
supported system's Conditions and Required Actions or may
 
specify other Required Actions.
When a support system is inoperable and there is an LCO
 
specified for it in the TS, the supported system(s) are
 
required to be declared inoperable if determined to be
 
inoperable as a result of the support system inoperability.
 
However, it is not necessary to enter into the supported
 
systems' Conditions and Required Actions unless directed to
 
do so by the support system's Required Actions. The
 
potential confusion and inconsistency of requirements
 
related to the entry into multiple support and supported (continued)
LCO Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-11Revision 0 LCO  3.0.6 (continued) systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary
 
to ensure the unit is maintained in a safe condition in the
 
support system's Required Actions.
However, there are instances where a support system's
 
Required Action may either direct a supported system to be
 
declared inoperable or direct entry into Conditions and
 
Required Actions for the supported system. This may occur
 
immediately or after some specified delay to perform some
 
other Required Action. Regardless of whether it is immediate
 
or after some delay, when a support system's Required Action
 
directs a supported system to be declared inoperable or
 
directs entry into Conditions and Required Actions for a
 
supported system, the applicable Conditions and Required
 
Actions shall be entered in accordance with LCO 3.0.2.Specification 5.5.14, "Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and
 
appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety
 
function exists. Additionally, other limitations, remedial
 
actions, or compensatory actions may be identified as a
 
result of the support system inoperability and corresponding
 
exception to entering supported system Conditions and
 
Required Actions. The SFDP implements the requirements of
 
LCO 3.0.6.Cross train checks to ide ntify a loss of safety function for those support systems that support multiple and redundant
 
safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. A loss of safety function may exist when a support system is inoperable, and:a.A required system redundant to system(s) supported by the inoperable support system is also inoperable; or (EXAMPLE
 
B 3.0.6-1)b.A required system redundant to system(s) in turn supported by the inoperable supported system is also
 
inoperable; or (EXAMPLE B 3.0.6-2)(continued)
North Anna Units 1 and 2B 3.0-12Revision 0 LCO Applicability B 3.0 BASES LCO  3.0.6 (continued)c.A required system redundant to support system(s) for the supported systems (a) and (b) above is also inoperable.
(EXAMPLE B 3.0.6-3)EXAMPLE B 3.0.6-1 If System 2 of Train A is inoperable, and System 5 of Train B is inoperable, a loss of safety function exists in supported
 
System 5.EXAMPLE B 3.0.6-2 If System 2 of Train A is inoperable, and System 11 of Train
 
B is inoperable, a loss of safety function exists in System
 
11 which is in turn supported by System 5.
EXAMPLE B 3.0.6-3 If System 2 of Train A is inoperable, and System 1 of Train B
 
is inoperable, a loss of safety function exists in Systems 2, 4, 5, 8, 9, 10 and 11.If this evaluation determines that a loss of safety function
 
exists, the appropriate Conditions and Required Actions of
 
the LCO in which the loss of safety function exists are
 
required to be entered.(continued)
LCO Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-13Revision 0 LCO  3.0.6 (continued)(continued)TRAIN ATRAIN BSystem 8System 8System 4System 4System 9System 9System 2System 2System 10System 10System 5System 5System 11System 11System 1System 1System 12System 12System 6System 6System 13System 13System 3System 3System 14System 14System 7System 7System 15System 15 North Anna Units 1 and 2B 3.0-14Revision 0 LCO Applicability B 3.0 BASES LCO  3.0.6 (continued)
This loss of safety function does not require consideration
 
of additional single failures or loss of offsite power.
 
Since operation is being restricted in accordance with the
 
ACTIONS of the support system, this accounts for any
 
temporary loss of redundancy or single failure protection.
 
Similarly, the ACTIONS for inoperable offsite circuit(s) and
 
inoperable diesel generator(s) provide the necessary
 
restriction for cross train inoperabilities. This explicit
 
cross train verification for inoperable AC electrical power
 
sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency electrical power source (refer to the
 
definition of OPERABILITY).
When a loss of safety function is determined to exist, and
 
the SFDP requires entry into the appropriate Conditions and
 
Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely
 
due to a single Technical Specification support system (e.g., loss of automatic start due to inoperable
 
instrumentation, or loss of pump suction source due to low
 
tank level) the appropriate LCO is the LCO for the support
 
system. The ACTIONS for a support system LCO adequately
 
addresses the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple support systems, the
 
appropriate LCO is the LCO for the supported system.
LCO  3.0.7 There are certain special tests and operations required to
 
be performed at various times over the life of the unit.
 
These special tests and operations are necessary to
 
demonstrate select unit performance characteristics, to
 
perform special maintenance activities, and to perform
 
special evolutions. Test Exception LCOs 3.1.9 and 3.4.19 allow specified Technical Specification (TS) requirements to be changed to permit performances of these special tests and
 
operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless
 
otherwise specified, all the other TS requirements remain
 
unchanged. This will ensure all appropriate requirements of
 
the MODE or other specified condition not directly
 
associated with or required to be changed to perform the
 
special test or operation will remain in effect.(continued)
LCO Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-15Revision 32 LCO  3.0.7 (continued)
The Applicability of a Test Exception LCO represents a condition not necessarily in compliance with the normal
 
requirements of the TS. Compliance with Test Exception LCOs
 
is optional. A special operation may be performed either
 
under the provisions of the appropriate Test Exception LCO
 
or under the other applicable TS requirements. If it is
 
desired to perform the special operation under the
 
provisions of the Test Exception LCO, the requirements of
 
the Test Exception LCO shall be followed.
LCO  3.0.8 LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended
 
safety function when associated snubbers are not capable of
 
providing their associated support function(s). This LCO
 
states that the supported system is not considered to be
 
inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is
 
appropriate because a limited length of time is allowed for
 
maintenance, testing, or repair of one or more snubbers not
 
capable of performing their associated support function(s)
 
and appropriate compensatory measures are specified in the
 
snubber requirements, which are located outside of the
 
Technical Specifications (TS) under licensee control. The
 
snubber requirements do not meet the criteria in
 
10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee.
If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected
 
supported system's LCO(s) must be declared not met and the
 
Conditions and Required Actions entered in accordance with
 
LCO 3.0.2.LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train or subsystem of a multiple train or subsystem
 
supported system or to a single train or subsystem supported
 
system. LCO 3.0.8.a allows 72 hours to restore the snubber(s) before declaring the supported system inoperable.
The 72 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that
 
would require operation of the supported system occurring
 
while the snubber(s) are not capable of performing their
 
associated support function and due to the availability of
 
the redundant train of the supported system.(continued)
North Anna Units 1 and 2B 3.0-16Revision 38 LCO Applicability B 3.0 BASES LCO  3.0.8 (continued)
LCO 3.0.8.b applies when one or more snubbers are not capable of providing their associated support function(s) to
 
more than one train or subsystem of a multiple train or
 
subsystem supported system. LCO 3.0.8.b allows 12 hours to restore the snubber(s) before declaring the supported system
 
inoperable. The 12 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system
 
occurring while the snu bber(s) are not capable of performing their associated support function.
In order to use LCO 3.0.8 for an inoperable snubber(s) the following conditions required by the NRC must be satisfied:When applying LCO 3.0.8.a, at least one train of Auxiliary Feedwater (AFW) System must be OPERABLE during MODES when
 
AFW is required to be OPERABLE. When applying LCO 3.0.8.a during MODES when AFW is not required to be OPERABLE, at least one train of the mode specific credited core cooling
 
method (i.e., Residual Heat Removal System) must be OPERABLE. Reliance on the availability of credited core cooling source during modes where AFW is not required to be
 
OPERABLE, provides an equivalent safety margin for plant operations and meets the intent of Technical Specification Task Force (TSTF) 372.When applying LC0 3.0.8.b, at least one AFW train (including a minimum set of supporting equipment required for its successful operation) not associated with the
 
inoperable snubber(s) shall be OPERABLE, or some alternative means of core cooling (e.g., feed and bleed, fire water system, or "aggressive secondary cooldown" using the steam generators) must be available.Confirm that at least one train (or subsystem) of systems supported by the inoperable snubbers would remain capable of performing their required safety or support functions for postulated design loads other than seismic loads.
 
LCO 3.0.8 does not apply to non-seismic snubbers.
In addition, LCO 3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of
 
10 CFR 50.65(a)(4) (the Maintenance Rule) does not address seismic risk. However, use of LCO 3.0.8 should be considered with respect to other plant maintenance activities, and
 
integrated into the exi sting Maintenance Rule process to the extent possible so that maintenance on any unaffected train
 
or subsystem is properly controlled, and emergent issues are
 
properly addressed. The risk assessment need not be
 
quantified, but may be a qualitative awareness of the
 
vulnerability of systems and components when one or more
 
snubbers are not able to perform their associated support
 
function.
North Anna Units 1 and 2B 3.0-17Revision44 LCO Applicability B 3.0 LCO  3.0.9 LCO 3.0.9 establishes conditions which under which systems described in the Technical Specifications are considered to
 
remain OPERABLE when required barriers are not capable of
 
providing their related support function(s).
Barriers are doors, walls, floor plugs, curbs, hatches, installed structures or components, or other devices, not
 
explicitly described in Technical Specifications, that
 
support the performance of the safety function of systems
 
described in Technical Specifications. This LCO states that
 
the supported system is not considered to be inoperable
 
solely due to required barriers not capable of performing
 
their related support function(s) under the described
 
conditions. LCO 3.0.9 allows 30 days before declaring the supported system(s) inoperable and the LCO(s) associated
 
with the supported system(s) not met. A maximum time is
 
placed on each use of this allowance to ensure that as
 
required barriers are found or are otherwise made
 
unavailable, they are restored. However, the allowable duration may be less than the specified maximum time based on
 
risk assessment.
If the allowed time expires and the barriers are unable to
 
perform their related support function(s), the supported
 
system's LCO(s) must be declared not met and the Conditions
 
and Required Actions entered in accordance with LCO 3.0.2.This provision can be applied to barriers that protect
 
against the initiating events listed below. The provision
 
can not be applied to the TS ventilation systems since
 
specific Conditions are provided for an inoperable barrier.
 
The provision cannot be applied to a fire barrier. However, if the barrier performs multiple functions (e.g., fire and
 
HELB) and if the fire barrier program requirements can be
 
satisfied then LCO 3.0.9 can be applied to the barrier for the HELB function. This provision does not apply to barriers
 
which are not required to support system OPERABILITY (see
 
NRC Regulatory Issue Summary 2001-09, "Control of Hazard
 
Barriers," dated April 2, 2001).The provisions of LCO 3.0.9 are justified because of the low risk associated with required barriers not being capable of performing their related support function. This provision is
 
based on consideration of the following uniting event
 
categories:Loss of coolant accidents;(continued)
North Anna Units 1 and 2B 3.0-18Revision44 LCO Applicability B 3.0 BASES LCO  3.0.9 (continued)High energy line breaks;Feedwater line breaks;Internal flooding;External flooding;Turbine missile ejection; andTornado or high wind The risk impact of the barriers which cannot perform their
 
related support function(s) must be addressed pursuant to
 
the risk assessment and management provision of the
 
Maintenance Rule, 10 CFR 50.65(a)(4), and the associated implementation guidance, Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear
 
Power Plants." Regulatory Guide 1.182 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power
 
Plants." This guidance provides for the consideration of
 
dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the barriers unable to perform their related support function(s). These
 
considerations may result in risk management and other
 
compensatory actions being required during the period that
 
barriers are unable to perform their related support
 
function(s).The resultant risk mana gement actions may impose time limits for barrier removal. In addition, other considerations, such
 
as the administrative provisions for controlling fire
 
barriers and the plant technical specifications, may place
 
limitations on continued reactor operation with a hazard
 
barrier removed. It may be possible to take compensatory
 
measures to maintain SSC operability and avoid entering the
 
technical specifications action statement for shutting down
 
the reactor (e.g., installing a temporary barrier that
 
provides equivalent protection or establishing
 
administrative controls). Also, if the hazard does not exist
 
at the time, the SSC would remain operable.
LCO 3.0.9 may be applied to one or more trains or subsystems of a system supported by barriers that cannot provide their (continued)
LCO Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-19Revision44 LCO  3.0.9 (continued) related support function(s), provided that risk is assessed and managed (including consideration of the effects on Large Early Release and from external events.) LCO 3.0.9 cannot be applied concurrently to more than one train or subsystem of a multiple train or subsystem supported system, if the barrier supporting each of these trains or subsystems provides it
 
related support function(s) for same category of initiating
 
events. If applied concurrently to more than one train or subsystem of a multiple train or subsystem supported system, the barriers supporting each of these trains or subsystems
 
must provide their related support function(s) for different
 
categories of initiating events. For example, LCO 3.0.9 may be applied for up to 30 days for more than one train of a multiple train supported system if the affected barrier for
 
one train protects against internal flooding and the
 
affected barrier for the other train protects against
 
tornado missiles. In this example, the affected barrier may
 
be the same physical barrier but serve different protection
 
functions for each train.If during the time that LCO 3.0.9 is being used, the required OPERABLE train or subsystem becomes inoperable, it must be
 
restored to OPERABLE status within 24 hours. Otherwise, the train(s) or subsystem(s) supported by barriers that cannot
 
perform their related support function(s) must be declared
 
inoperable and the associated LCOs declared not met. This
 
24 hour period provides time to respond to emergent conditions that would likely lead to entry into LCO 3.0.3 and a rapid plant shutdown, which is not justified given the
 
low probability of an initiating event which would require
 
the barrier(s) not capable of performing their related
 
support function(s). During this 24 hour period, the plant risk associated with the existing conditions is assessed and managed in accordance with 10 CFR 50.65(a)(4).
North Anna Units 1 and 2B 3.0-20Revision44 SR Applicability B 3.0 BASES B 3.0  SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.
SR  3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the
 
Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This
 
Specification is to ensure that Surveillances are performed
 
to verify the OPERABILITY of systems and components, and
 
that variables are within specified limits. Failure to meet
 
a Surveillance within the specified Frequency, in accordance
 
with SR 3.0.2, constitutes a failure to meet an LCO.
Surveillances may be performed by means of any series of
 
sequential, overlapping, or total steps provided the entire
 
Surveillance is performed within the specified Frequency.
Systems and components are assumed to be OPERABLE when the
 
associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or
 
components are OPERABLE when:a.The systems or components are known to be inoperable, although still meeting the SRs; orb.The requirements of the Surveillance(s) are known not to be met between required Surveillance performances.
Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the
 
requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test
 
exception are only applicable when the test exception is
 
used as an allowable exception to the requirements of a
 
Specification.
Unplanned events may satisfy the requirements (include
 
applicable acceptance criteria) for a given SR. In this
 
case, the unplanned event may be credited as fulfilling the
 
performance of the SR. This allowance includes those SRs
 
whose performance is normally precluded in a given MODE or
 
other specified condition.(continued)
SR Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-21Revision44 SR  3.0.1 (continued)
Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define th e remedial measures that apply.
Surveillances have to be met and performed in accordance
 
with SR 3.0.2, prior to returning equipment to OPERABLE status.Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This
 
includes ensuring applicable Surveillances are not failed
 
and their most recent performance is in accordance with
 
SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the
 
Applicability due to the necessary unit parameters not
 
having been established. In these situations, the equipment
 
may be considered OPERABLE provided testing has been
 
satisfactorily completed to the extent possible and the
 
equipment is not otherwise believed to be incapable of
 
performing its function. This will allow operation to
 
proceed to a MODE or other specified condition where other
 
necessary post maintenance tests can be completed.
SR  3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required
 
Action with a Completion Time that requires the periodic
 
performance of the Required Action on a "once per..."
 
interval.SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance
 
scheduling and considers unit operating conditions that may
 
not be suitable for conducting the Surveillance (e.g.,
transient conditions or other ongoing Surveillance or
 
maintenance activities).
The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at
 
its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the
 
SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the
 
Frequency does not apply. These exceptions are stated in the
 
individual Specifications. The requirements of regulations
 
take precedence over the TS. An example of where SR 3.0.2 does not apply is the Containment Leakage Rate Testing (continued)
North Anna Units 1 and 2B 3.0-22Revision44 SR Applicability B 3.0 BASES SR  3.0.2 (continued)
Program. This program establishes testing requirements and
 
Frequencies in accordance with the requirements of
 
regulations.
As stated in SR 3.0.2, the 25%
extension also does not apply to the initial portion of a periodic Completion Time that
 
requires performance on a "once per..." basis. The 25%
 
extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25%
 
extension to this Completion Time is that such an action
 
usually verifies that no loss of function has occurred by
 
checking the status of redundant or diverse components or
 
accomplishes the function of the inoperable equipment in an
 
alternative manner.
The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend
 
Surveillance intervals (other than those consistent with
 
refueling intervals) or periodic Completion Time intervals
 
beyond those specified.
SR  3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable
 
outside the specified limits when a Surveillance has not
 
been completed within the specified Frequency. A delay
 
period of up to 24 hours or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been
 
performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.
This delay period provides adequate time to complete
 
Surveillances that have been missed. This delay period
 
permits the completion of a Surveillance before complying
 
with Required Actions or other remedial measures that might
 
preclude completion of the Surveillance.
The basis for this delay period includes consideration of
 
unit conditions, adequate planning, availability of
 
personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the
 
required Surveillance, and the recognition that the most
 
probable result of any particular Surveillance being (continued)
SR Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-23Revision44 SR  3.0.3 (continued) performed is the verification of conformance with the requirements.
When a Surveillance with a Frequency based not on time
 
intervals, but upon specified unit conditions, operating
 
situations, or requirements of regulations (e.g., prior to
 
entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance.
 
However, since there is not a time interval specified, the
 
missed Surveillance should be performed at the first
 
reasonable opportunity.
SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a
 
consequence of MODE changes imposed by Required Actions.
Failure to comply with specified Frequencies for SRs is
 
expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours or the limit of the specified Frequency is provided to perform the missed
 
Surveillance, it is expected that the missed Surveillance
 
will be performed at the first reasonable opportunity. The
 
determination of the first reasonable opportunity should
 
include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required to perform the Surveillance or shutting the plant down to perform the Surveillance) and impact on any
 
analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required
 
to perform the Surveillance. This risk impact should be
 
managed through the program in place to implement
 
10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." This
 
Regulatory Guide addresses consideration of temporary and
 
aggregate risk impacts, determination of risk management
 
action thresholds, and risk management action up to and
 
including plant shutdown. The missed Surveillance should be
 
treated as an emergent condition as discussed in the
 
Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and
 
rigor of the evaluation should be commensurate with the (continued)
North Anna Units 1 and 2B 3.0-24Revision44 SR Applicability B 3.0 BASES SR  3.0.3 (continued) importance of the component. Missed Surveillances for
 
important components should be analyzed quantitatively. If
 
the results of the risk evaluation determine the risk
 
increase is significant, this evaluation should be used to
 
determine the safest course of action. All missed
 
Surveillances will be placed in the licensee's Corrective
 
Action Program.
If a Surveillance is not completed within the allowed delay
 
period, then the equipment is considered inoperable or the
 
variable is considered outside the specified limits and the
 
Completion Times of the Required Actions for the applicable
 
LCO Conditions begin immediately upon expiration of the
 
delay period. If a Surveillance is failed within the delay
 
period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin
 
immediately upon the failure of the Surveillance.
Completion of the Surveillance within the delay period
 
allowed by this Specification, or within the Completion Time
 
of the ACTIONS, restores compliance with SR 3.0.1.SR  3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified
 
condition in the Applicability.
This Specification ensures that system and component
 
OPERABILITY requirements and variable limits are met before
 
entry into MODES or other specified conditions in the
 
Applicability for which these systems and components ensure
 
safe operation of the unit.
The provisions of this Specification should not be
 
interpreted as endorsing the failure to exercise the good
 
practice of restoring systems or component to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.
A provision is included to allow entry into a MODE or other
 
specified condition in the Applicability:a.When the associated ACTIONS to be entered permit continued operation in the MODE or other specific
 
condition in the Applicability for an unlimited period of
 
time, (continued)
SR Applicability B 3.0 BASESNorth Anna Units 1 and 2B 3.0-25Revision44 SR  3.0.4 (continued)b.After performance of a risk evaluation, consideration of the results, determination of the acceptability of the
 
MODE change, and establishment of risk management
 
actions, if appropriate, orc.When a specific value or parameter allowance has been approved by the NRC.
However, in certain circumstances, failing to meet an SR
 
will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or
 
outside its specified limits, the associated SR(s) are not
 
required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable
 
equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the
 
SR(s) to be performed is removed. Therefore, failing to
 
perform the Surveillance(s) within the specified Frequency
 
does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE
 
or other specified condition changes.
The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability
 
that are required to comply with ACTIONS. In addition, the
 
provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that
 
result from any unit shutdown.
The precise requirements for performance of SRs are
 
specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary
 
for meeting the SRs are specified in the Frequency, in the
 
Surveillance, or both. This allows performance of
 
Surveillances when the prerequisite condition(s) specified
 
in a Surveillance procedure require entry into the MODE or
 
other specified condition in the Applicability of the
 
associated LCO prior to the performance or completion of a
 
Surveillance. A Surveillance that could not be performed
 
until after entering the LCO Applicability, would have its
 
Frequency specified such that it is not "due" until the
 
specific conditions needed are met. Alternately, the
 
Surveillance may be stated in the form of a Note as not (continued)
North Anna Units 1 and 2B 3.0-26Revision44 SR Applicability B 3.0 BASES SR  3.0.4 (continued) required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of
 
the specific formats of SRs' annotation is found in
 
Section 1.4, Frequency.
SR 3.0.4 is only applicable when entering MODE 4 from MODE 5, MODE 3 from MODE 4, MODE 2 from MODE 3, or MODE 1 from MODE 2. Furthermore, SR 3.0.4 is applicable when entering any other specified condition in the Applicability only while operating in MODES 1, 2, 3, or
: 4. The requirements of SR 3.0.4 do not apply in MODES 5 and 6, or in other specified conditions of the Applicability (unless in
 
MODES 1, 2, 3, or
: 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to
 
be taken.
North Anna Units 1 and 2B 3.1.1-1Revision 0 SDM B 3.1.1 B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.1SHUTDOWN MARGIN (SDM)
BASES BACKGROUND According to GDC 26 (Ref. 1), the reactivity control systems must be independent and one must be capable of holding the
 
reactor core subcritical when shut down under cold
 
conditions. Maintenance of the SDM ensures that postulated
 
reactivity events will not damage the fuel.
SDM requirements provide sufficient reactivity margin to
 
ensure that acceptable fuel design limits will not be
 
exceeded for normal shutdown and anticipated operational
 
occurrences (AOOs). As such, the SDM defines the degree of
 
subcriticality that would be obtained immediately following
 
the insertion or scram of all shutdown and control rods, assuming that the single rod cluster assembly of highest
 
reactivity worth is fully withdrawn.
The system design requires that two independent reactivity
 
control systems be provided, and that one of these systems be
 
capable of maintaining the core subcritical under cold
 
conditions. These requirements are provided by the use of
 
movable control assemblies and soluble boric acid in the
 
Reactor Coolant System (RCS). The Rod Control System can
 
compensate for the reactivity effects of the fuel and water
 
temperature changes accompanying power level changes over
 
the range from full load to no load. In addition, the Rod
 
Control System, together with the boration system, provides
 
the SDM during power operation and is capable of making the
 
core subcritical rapidly enough to prevent exceeding
 
acceptable fuel damage limits, assuming that the rod of
 
highest reactivity worth remains fully withdrawn. The
 
soluble boron system can compensate for fuel depletion
 
during operation and all xenon burnout reactivity changes
 
and maintain the reactor subcritical under cold conditions.
During power operation, SDM control is ensured by operating
 
with the shutdown banks fully withdrawn and the control
 
banks within the limits of LCO 3.1.6, "Control Bank Insertion Limits." When the unit is in the shutdown and
 
refueling modes, the SDM requirements are met by means of
 
adjustments to the RCS boron concentration.
North Anna Units 1 and 2B 3.1.1-2Revision 0 SDM B 3.1.1 BASES APPLICABLE
 
SAFETY ANALYSES The minimum required SDM is assumed as an initial condition in safety analyses. The safety analysis (Ref.
: 2) establishes an SDM that ensures specified acceptable fuel design limits
 
are not exceeded for normal operation and AOOs, with the
 
assumption of the highest worth rod stuck out on scram.
The acceptance criteria for the SDM requirements are that
 
specified acceptable fuel design limits are maintained. This
 
is done by ensuring that:a.The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;b.The reactivity transients associated with postulated accident conditions are controllable within acceptable
 
limits (departure from nucleate boiling ratio (DNBR),
fuel centerline temperature limits for AOOs, and 225 cal/gm energy deposition to unirradiated fuel and  200 cal/gm energy deposition to irradiated fuel for the rod ejection accident); andc.The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown
 
condition.
The most limiting accident for the SDM requirements is based
 
on a main steam line break (MSLB), as described in the
 
accident analysis (Ref.
2). The increased steam flow resulting from a pipe break in the main steam system causes
 
an increased energy removal from the affected steam
 
generator (SG), and consequently the RCS. This results in a
 
reduction of the reactor coolant temperature. The resultant
 
coolant shrinkage causes a reduction in pressure. In the
 
presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As RCS
 
temperature decreases, the severity of an MSLB decreases
 
until the MODE 5 value is reached. The most limiting MSLB, with respect to potential fuel damage before a reactor trip
 
occurs, is a guillotine break of a main steam line inside
 
containment initiated at the end of core life. The positive
 
reactivity addition from the moderator temperature decrease
 
will terminate when the affected SG boils dry, thus
 
terminating RCS heat removal and cooldown. Following the MSLB, a post trip return to power may occur; however, no fuel (continued)
SDM B 3.1.1 BASESNorth Anna Units 1 and 2B 3.1.1-3Revision 0 APPLICABLE SAFETY ANALYSES (continued) damage occurs as a result of the post trip return to power, and THERMAL POWER does not violate the Safety Limit (SL)
 
requirement of SL 2.1.1.In addition to the limiting MSLB transient, the SDM
 
requirement must also protect against:a.An uncontrolled rod withdrawal from subcritical or low power condition;b.Startup of an inactive reactor coolant pump (RCP); andc.Rod ejection.
Each of these events is discussed below.
Depending on the system initial conditions and reactivity insertion rate, the uncontrolled rod withdrawal transient is
 
terminated by either a high s ource range trip or a high power range neutron flux trip, an intermediate range neutron flux
 
trip, a high pressurizer pressure or water level trip, or an
 
OTT. In all cases, power level, RCS pressure, linear heat rate, and the DNBR do not exceed allowable limits.
The startup of an inactive loop event is defined as an uncontrolled reduction in SHUTDOWN MARGIN resulting from the
 
startup of an RCP on an idle loop containing a reduced
 
coolant temperature or boron concentration. Adherence to
 
LCO 3.4.18, "RCS Isolated Loop Startup," ensures that the preconditions necessary for significant reactivity insertion
 
during the startup of an inactive loop (i.e., reduced
 
coolant temperature or boron concentration on an idle and
 
unisolated loop) cannot be achieved under credible
 
circumstances. Recirculation of reactor coolant in an isolated loop through a l oop stop valve bypass line prior to loop unisolation when performed in accordance with
 
LCO 3.4.18 does not constitute an uncontrolled boron dilution event. The accident analysis demonstrates that
 
sufficient time exists for corrective operator action in response to a postulated reactivity insertion resulting from
 
the recirculation activity.(continued)
North Anna Units 1 and 2B 3.1.1-4Revision 20 SDM B 3.1.1 BASES APPLICABLE
 
SAFETY ANALYSES (continued)The ejection of a control ro d rapidly adds reactivity to the reactor core, causing both the core power level and heat flux
 
to increase with corresponding increases in reactor coolant
 
temperatures and pressure. The ejection of a rod also
 
produces a time dependent redistribution of core power.
SDM satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Even though it is not directly observed from the control room, SDM
 
is considered an initial condition process variable because
 
it is periodically monitored to ensure that the unit is
 
operating within the bounds of accident analysis
 
assumptions.
LCO SDM is a core design condition that can be ensured during
 
operation through control rod positioning (control and
 
shutdown banks) and through the soluble boron concentration.
The MSLB (Ref.
: 2) accident is the most limiting analysis that establishes the SDM value of the LCO. For MSLB
 
accidents, if the LCO is violated, there is a potential to
 
exceed the DNBR limit and to exceed Regulatory Guide 1.183 limits (Ref.
3).APPLICABILITY In MODE 2 with k eff < 1.0 and in MODES 3, 4, and 5, the SDM requirements are applicable to provide sufficient negative
 
reactivity to meet the assumptions of the safety analyses
 
discussed above. In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration."
In MODES 1 and 2 with k eff > 1.0, SDM is ensured by complying with LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits."
ACTIONS A.1 If the SDM requirements are not met, boration must be
 
initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and co mponents. It is assumed that boration will be continued until the SDM requirements are met.In the determination of the required combination of boration flow rate and boron concentration, there is no unique
 
requirement that must be satisfied. Since it is imperative
 
to raise the boron concentration of the RCS as soon as (continued)
SDM B 3.1.1 BASESNorth Anna Units 1 and 2B 3.1.1-5Revision 0 ACTIONS A.1 (continued) possible, the boron concentration should be a highly concentrated solution, such as that normally found in the
 
boric acid storage tank, or the Refueling Water Storage
 
Tank. The operator should borate with the best source
 
available for the unit conditions.
In determining the boration flow rate, the time in core life must be considered. For instance, the most difficult time in
 
core life to increase the RCS boron concentration is at the beginning of cycle when the boron concentration may approach or exceed 2000 ppm. Assuming that a value of 1%
k/k must be recovered and a borat ion flow rate of 10 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in approximately 59 minutes. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the
 
SDM by 1% k/k. These boration parameters of 10 gpm and 12,950 ppm represent typical values and are provided for the purpose of offering a specific example.
SURVEILLANCE
 
REQUIREMENTS SR  3.1.1.1 In MODES 1 and 2 with k eff  1.0, SDM is verified by observing that the requirements of LCO 3.1.5 and LCO 3.1.6 are met. In the event that a rod is known to be untrippable, however, SDM verification must account for the worth of the
 
untrippable rod as well as another rod of maximum worth.
In MODE 2 with k eff < 1.0 and MODES 3, 4, and 5, the SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:a.RCS boron concentration;b.Control and shutdown bank position;c.RCS average temperature;d.Fuel burnup based on gross thermal energy generation;e.Xenon concentration;f.Samarium concentration; andg.Isothermal temperature coefficient (ITC).
North Anna Units 1 and 2B 3.1.1-6Revision 46 SDM B 3.1.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.1.1.1 (continued)
Using the ITC accounts for Doppler reactivity in this
 
calculation because the reactor is subcritical, and the fuel
 
temperature will be changing at the same rate as the RCS.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 3.1.22.2.UFSAR, Chapter 15.3.Regulatory Guide 1.183, July 2000.
North Anna Units 1 and 2B 3.1.2-1Revision 0 Core Reactivity B 3.1.2 B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.2Core Reactivity BASES BACKGROUND According to GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable, such that subcriticality is
 
maintained under cold conditions, and acceptable fuel design
 
limits are not exceeded during normal operation and
 
anticipated operational occurrences. Therefore, reactivity
 
balance is used as a measure of the predicted versus measured
 
core reactivity during power operation. The periodic
 
confirmation of core reactivity is necessary to ensure that
 
Design Basis Accident (DBA) and transient safety analyses
 
remain valid. A large reactivity difference could be the
 
result of unanticipated changes in fuel, control rod worth, or operation at conditions no t consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel
 
design limits. Comparing predicted versus measured core
 
reactivity validates the nuclear methods used in the safety
 
analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") in ensuring the reactor can be
 
brought safely to cold, subcritical conditions.
When the reactor core is critical or in normal power
 
operation, a reactivity balance exists and the net
 
reactivity is zero. A comparison of predicted and measured
 
reactivity is convenient under such a balance, since
 
parameters are being maintained relatively stable under
 
steady state power conditions. The positive reactivity
 
inherent in the core design is balanced by the negative
 
reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb
 
neutrons, such as burnable absorbers producing zero net
 
reactivity. Excess reactivity can be inferred from the boron
 
letdown curve (or critical boron curve), which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic
 
measurement of the RCS boron concentration for comparison
 
with the predicted value with other variables fixed (such as
 
rod height, temperature, pressure, and power), provides a
 
convenient method of en suring that core reactivity is within design expectations and that the calculational models used
 
to generate the safety analysis are adequate.(continued)
North Anna Units 1 and 2B 3.1.2-2Revision 0 Core Reactivity B 3.1.2 BASES BACKGROUND (continued)
In order to achieve the required fuel cycle energy output, the uranium enrichment, in the new fuel loading and in the
 
fuel remaining from the previous cycle, provides excess
 
positive reactivity beyond that required to sustain steady
 
state operation throughout the cycle. When the reactor is
 
critical at RTP and moderator temperature, the excess positive reactivity is compensated by burnable absorbers (if
 
any), control rods, whatever neutron poisons (mainly xenon
 
and samarium) are present in the fuel, and the RCS boron
 
concentration.
When the core is producing THERMAL POWER, the fuel is being
 
depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER. The
 
boron letdown curve is based on steady state operation at
 
RTP. Therefore, deviations from the predicted boron letdown
 
curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core
 
conditions, and must be evaluated.
APPLICABLE
 
SAFETY ANALYSES The acceptance criteria for core reactivity are that the
 
reactivity balance limit ensures unit operation is
 
maintained within the assumptions of the safety analyses.Accurate prediction of core reactivity is either an explicit
 
or implicit assumption in the accident analysis evaluations.
 
Every accident evaluation (Ref.
: 2) is, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM and reactivity transients, such as control rod
 
withdrawal accidents or rod ejection accidents, are very
 
sensitive to accurate prediction of core reactivity. These
 
accident analysis evaluations rely on computer codes that
 
have been qualified against available test data, operating
 
unit data, and analytical benchmarks. Monitoring reactivity
 
balance additionally ensures that the nuclear methods
 
provide an accurate representation of the core reactivity.
Design calculations and safety analyses are performed for
 
each fuel cycle for the purpose of predetermining reactivity
 
behavior and the RCS boron concentration requirements for
 
reactivity control during fuel depletion.
The comparison between measured and predicted initial core
 
reactivity provides a normalization for the calculational
 
models used to predict core reactivity. If the measured and (continued)
Core Reactivity B 3.1.2 BASESNorth Anna Units 1 and 2B 3.1.2-3Revision 0 APPLICABLE SAFETY ANALYSES (continued) predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the
 
assumptions used in the reload cycle design analysis or the
 
calculational models used to predict soluble boron
 
requirements may not be accurate. If reasonable agreement
 
between measured and predicted core reactivity exists at
 
BOC, then the prediction may be normalized to the measured
 
boron concentration. Thereafter, any significant deviations
 
in the measured boron concentration from the predicted boron
 
letdown curve that develop during fuel depletion may be an
 
indication that the calculational model is not adequate for
 
core burnups beyond BOC, or that an unexpected change in core
 
conditions has occurred.
The normalization of predicted RCS boron concentration to the measured value is typical ly performed after reaching RTP following startup from a refueling outage, with the control
 
rods in their normal positions for power operation. The
 
normalization is performed at BOC conditions, so that core
 
reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.Core reactivity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO Long term core reactivity behavior is a result of the core
 
physics design and cannot be easily controlled once the core
 
design is fixed. During operation, therefore, the LCO can
 
only be ensured through measurement and tracking, and
 
appropriate actions taken as necessary. Large differences
 
between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no
 
longer valid, or that the uncertainties in the Nuclear
 
Design Methodology are larger than expected. A limit on the
 
reactivity balance of +/-
1% k/k has been established based on engineering judgment. A 1% deviation in reactivity from
 
that predicted is larger than expected for normal operation
 
and should therefore be evaluated.
When measured core reactivity is within 1%
k/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design
 
limits. Since deviations from the limit are normally
 
detected by comparing predicted and measured steady state
 
RCS critical boron concentrations, the difference between (continued)
North Anna Units 1 and 2B 3.1.2-4Revision 0 Core Reactivity B 3.1.2 BASES LCO (continued)measured and predicted values would be approximately 100 ppm (depending on the boron worth) before the limit is reached.
 
These values are well within the uncertainty limits for
 
analysis of boron concentration samples, so that spurious
 
violations of the limit due to uncertainty in measuring the
 
RCS boron concentration are unlikely.
APPLICABILITY The limits on core reactivity must be maintained during
 
MODES 1 and 2 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the
 
fuel depletes, core conditions are changing, and
 
confirmation of the reactivity balance ensures the core is
 
operating as designed. This Specification does not apply in
 
MODES 3, 4, and 5 because the reactor is shut down and the reactivity balance is not changing.
In MODE 6, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.9.1, "Boron Concentration") ensure that fuel movements are performed within the bounds of the safety
 
analysis. An SDM demonstration is required during the first
 
startup following operations that could have altered core
 
reactivity (e.g., fuel movement, control rod replacement, control rod shuffling).
ACTIONS A.1 and A.2 Should an anomaly develop between measured and predicted
 
core reactivity, an evaluation of the core design and safety analysis must be perfor med. Core conditions are evaluated to determine their consistency with input to design
 
calculations. Measured core and process parameters are
 
evaluated to determine that they are within the bounds of the
 
safety analysis, and safety analysis calculational models
 
are reviewed to verify that they are adequate for
 
representation of the core conditions. The required
 
Completion Time of 7 days is based on the low probability of a DBA occurring during this period, and allows sufficient
 
time to assess the physical condition of the reactor and
 
complete the evaluation of the core design and safety
 
analysis.Following evaluations of the core design and safety
 
analysis, the cause of the reactivity anomaly may be
 
resolved. If the cause of the reactivity anomaly is a (continued)
Core Reactivity B 3.1.2 BASESNorth Anna Units 1 and 2B 3.1.2-5Revision 0 ACTIONS A.1 and A.2 (continued) mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS
 
boron concentration requirements may be performed to
 
demonstrate that core r eactivity is behaving as expected. If an unexpected physical change in the condition of the core
 
has occurred, it must be evaluated and corrected, if
 
possible. If the cause of the reactivity anomaly is in the calculation technique, then the calculational models must be
 
revised to provide more accurate predictions. If any of
 
these results are demonstrated, and it is concluded that the
 
reactor core is acceptable fo r continued operation, then the boron letdown curve may be renormalized and power operation
 
may continue. If operational restriction or additional SRs
 
are necessary to ensure the reactor core is acceptable for
 
continued operation, then they must be defined.
The required Completion Time of 7 days is adequate for preparing whatever operating restrictions or Surveillances
 
that may be required to allow continued reactor operation.
B.1 If the core reactivity cannot be restored to within the
 
1% k/k limit, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must
 
be brought to at least MODE 3 within 6 hours. If the SDM for MODE 3 is not met, then the boration required by SR 3.1.1.1 would occur. The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without
 
challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.1.2.1 Core reactivity is verified by periodic comparisons of
 
measured and predicted RCS boron concentrations. The
 
comparison is made, considering that other core conditions
 
are fixed or stable, including control rod position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The
 
Surveillance is performed prior to entering MODE 1 as an initial check on core conditions and design calculations at
 
BOC. The SR is modified by a Note. The Note indicates that
 
any normalization of predicted core reactivity to the (continued)
North Anna Units 1 and 2B 3.1.2-6Revision 46 Core Reactivity B 3.1.2 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.1.2.1 (continued)measured value must take place within the first 60 effective full power days (EFPD) after each fuel loading. This allows
 
sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle
 
without establishing a benchmark for the design
 
calculations. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.REFERENCES1.UFSAR, Sections 3.1.22, 3.1.24, and 3.1.25.2.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.1.3-1Revision 0 MTC B 3.1.3 B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.3Moderator Temperature Coefficient (MTC)
BASES BACKGROUND According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be
 
designed for inherently stable power operation, even in the
 
possible event of an accident. In particular, the net
 
reactivity feedback in the system must compensate for any
 
unintended reactivity increases.
The MTC relates a change in core reactivity to a change in
 
reactor coolant temperature (a positive MTC means that
 
reactivity increases with increasing moderator temperature;
 
conversely, a negative MTC means that reactivity decreases
 
with increasing moderator temperature). The reactor is
 
designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so
 
that the coolant temperature tends to return toward its
 
initial value. Reactivity increases that cause a coolant
 
temperature increase will thus be self limiting, and stable
 
power operation will result.
MTC values are predicted at selected burnups during the
 
safety evaluation analysis and are confirmed to be
 
acceptable by measurements. Both initial and reload cores
 
are designed so that the beginning of cycle (BOC) MTC is less than or equal to zero when THERMAL POWER is at RTP. The
 
actual value of the MTC is dependent on core
 
characteristics, such as fuel loading and reactor coolant
 
soluble boron concentration. The core design may require
 
additional fixed distributed poisons to yield an MTC at BOC
 
within the range analyzed in the unit accident analysis. The
 
end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles are evaluated to ensure
 
that the MTC does not exceed the EOC limit.
The limitations on MTC are provided to ensure that the value of this coefficient remains within the limiting conditions
 
assumed in the UFSAR accident and transient analyses.(continued)
North Anna Units 1 and 2B 3.1.3-2Revision 0 MTC B 3.1.3 BASES BACKGROUND (continued)
If the LCO limits are not met, the unit response during
 
transients may not be as predicted. For example, the core
 
could violate criteria that prohibit a return to
 
criticality, or the departure from nucleate boiling ratio
 
criteria of the approved correlation may be violated, which
 
could lead to a loss of the fuel cladding integrity.
The SRs for measurement of the MTC at the beginning and near
 
the end of the fuel cycle are adequate to confirm that the
 
MTC remains within its limits, since this coefficient
 
changes slowly, due principally to the reduction in RCS
 
boron concentration associated with fuel burnup.
APPLICABLE
 
SAFETY ANALYSES The acceptance criteria for the specified MTC are:a.The MTC values must remain within the bounds of those used in the accident analysis (Ref.
2); andb.The MTC must be such that inherently stable power operations result during normal operation and accidents, such as overheating and overcooling events.
The UFSAR, Chapter 15 (Ref. 2), contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters
 
for core reactivity in these accidents. Both the most
 
positive value and most negative value of the MTC are
 
important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure that the accident results are bounding (Ref.
3).The consequences of accidents that cause core overheating
 
must be evaluated when the MTC is positive. Such accidents
 
include the rod withdrawal transient from either zero or
 
RTP, loss of main feedwater flow, and loss of forced reactor
 
coolant flow. The consequences of accidents that cause core
 
overcooling must be evaluated when the MTC is negative. Such accidents include sudden feedwater flow increase and sudden
 
decrease in feedwater temperature.
In order to ensure a bounding accident analysis, the MTC is
 
assumed to be its most limiting value for the analysis
 
conditions appropriate to each accident. The bounding value is determined by considering rodded and unrodded conditions, whether the reactor is at full or zero power, and whether it (continued)
MTC B 3.1.3 BASESNorth Anna Units 1 and 2B 3.1.3-3Revision 0 APPLICABLE SAFETY ANALYSES (continued) is the BOC or EOC life. The most conservative combination
 
appropriate to the accident is then used for the analysis (Ref. 2).MTC values are bounded in reload safety evaluations assuming
 
steady state conditions at BOC and EOC. An EOC measurement is
 
conducted at conditions when the RCS boron concentration
 
reaches approximately 300 ppm. The measured value may be extrapolated to project the EOC value, in order to confirm
 
reload design predictions.
MTC satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Even though it is not directly observed and controlled from the control room, MTC is considered an initial condition process variable because of its dependence on boron concentration.
LCO LCO 3.1.3 requires the MTC to be within specified limits of the COLR to ensure that the core operates within the assumptions of the acci dent analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its
 
values remain within the bounds of the original accident
 
analysis during operation.
Assumptions made in safety analyses require that the MTC be less positive than a given upper bound and more positive than
 
a given lower bound. The MTC is most positive at BOC; this
 
upper bound must not be exceeded. This maximum upper limit
 
occurs at BOC, all rods out (ARO), hot zero power conditions.
 
At EOC the MTC takes on its most negative value, when the
 
lower bound becomes important. This LCO exists to ensure
 
that both the upper and lower bounds are not exceeded.
During operation, therefore, the conditions of the LCO can only be ensured through measurement. The Surveillance checks
 
at BOC and EOC on MTC provide confirmation that the MTC is
 
behaving as anticipated so that the acceptance criteria are
 
met.The LCO establishes a maximum positive value that cannot be
 
exceeded. The upper limit and the lower limit are
 
established in the COLR to allow specifying limits for each
 
particular cycle. This permits the unit to take advantage of improved fuel management and changes in unit operating
 
schedule.
North Anna Units 1 and 2B 3.1.3-4Revision 0 MTC B 3.1.3 BASES APPLICABILITY Technical Specifications place both LCO and SR values on
 
MTC, based on the safety analysis assumptions described
 
above.In MODE 1, the limits on MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation
 
will not violate the design assumptions of the accident
 
analysis. In MODE 2 with the reactor critical, the upper limit must also be maintained to ensure that startup and
 
subcritical accidents (such as the uncontrolled control rod
 
assembly or group withdrawal) will not violate the
 
assumptions of the accident analysis. The lower MTC limit
 
must be maintained in MODES 2 and 3, in addition to MODE 1, to ensure that cooldown accidents will not violate the
 
assumptions of the accident analysis. In MODES 4, 5, and 6, this LCO is not applicable, since no Design Basis Accidents
 
using the MTC as an analysis assumption are initiated from
 
these MODES.
ACTIONS A.1 If the upper MTC limit is violated, administrative
 
withdrawal limits for control banks must be established to
 
maintain the MTC within its limits. The MTC becomes more
 
negative with control bank insertion and decreased boron
 
concentration. A Completion Time of 24 hours provides enough time for evaluating the MTC measurement and computing the
 
required bank withdrawal limits.
As cycle burnup is increased, the RCS boron concentration
 
will be reduced. The reduced boron concentration causes the MTC to become more negative.
Using physics calculations, the time in cycle life at which the calculated MTC will meet the LCO requirement can be determined. At this point in core life
 
Condition A no longer exists. The unit is no longer in the Required Action, so the administrative withdrawal limits are
 
no longer in effect.
B.1 If the required administrative withdrawal limits at BOC are
 
not established within 24 hours, the uni t must be brought to MODE 2 with keff < 1.0 to prevent operation with an MTC that is more positive than that assumed in safety analyses.(continued)
MTC B 3.1.3 BASESNorth Anna Units 1 and 2B 3.1.3-5Revision 0 ACTIONS B.1 (continued)
The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from
 
full power conditions in an orderly manner and without
 
challenging unit systems.
C.1 Exceeding the lower MTC limit means that the safety analysis
 
assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the lower MTC limit is
 
exceeded, the unit must be brought to a MODE or condition in
 
which the LCO requirements are not applicable. To achieve
 
this status, the unit must be brought to at least MODE 4 within 12 hours.The allowed Completion Time is reasonable, based on
 
operating experience, for reaching the required MODE from
 
full power conditions in an orderly manner and without
 
challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.1.3.1 This SR requires measurement of the MTC at BOC prior to
 
entering MODE 1 in order to demonstrate compliance with the most positive MTC LCO. Meeting the limit prior to entering
 
MODE 1 ensures that the limit will also be met at higher power levels.
The BOC MTC value for ARO will be inferred from isothermal
 
temperature coefficient measurements obtained during the physics tests after refueling. The ARO value can be directly
 
compared to the upper MTC limit of the LCO. If required, measurement results and predicted design values can be used
 
to establish administrative withdrawal limits for control
 
banks.SR  3.1.3.2 In similar fashion, the LCO demands that the MTC be less
 
negative than the specified value for EOC full power
 
conditions. This measurement may be performed at any THERMAL POWER, but its results must be extrapolated to the conditions of RTP and all banks withdrawn in order to make a
 
proper comparison with the LCO value. Because the RTP MTC (continued)
North Anna Units 1 and 2B 3.1.3-6Revision 9 MTC B 3.1.3 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.1.3.2 (continued) value will gradually become more negative with further core
 
depletion and boron concentration reduction, a 300 ppm SR value of MTC should necessarily be less negative than the
 
lower LCO limit. The 300 ppm SR value is sufficiently less negative than the lower LCO limit value to ensure that the
 
LCO limit will be met when the 300 ppm Surveillance criterion is met.
SR 3.1.3.2 is modified by three Notes that include the following requirements:a.The SR is not required to be performed until 7 Effective Full Power Days (EFPDs) after reaching the equivalent of an equilibrium RTP all rods out (ARO) boron concentration of 300 ppm.b.If the 300 ppm Surveillance limit is exceeded, it is possible that the lower limit on MTC could be reached
 
before the planned EOC. Because the MTC changes slowly
 
with core depletion, the Frequency of 14 EFPDs is sufficient to avoid exceeding the EOC limit.c.The Surveillance limit for RTP boron concentration of 60 ppm is conservative. If the measured MTC at 60 ppm is more positive than the 60 ppm Surveillance limit, the lower limit will not be exceeded because of the gradual
 
manner in which MTC changes with core burnup.
REFERENCES1.UFSAR, Section 3.1.7.2.UFSAR, Chapter 15.3.VEP-FRD-42-A, "Reload Nuclear Design Methodology."
North Anna Units 1 and 2B 3.1.4-1Revision 0 Rod Group Alignment Limits B 3.1.4 B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.4Rod Group Alignment Limits BASES BACKGROUND The OPERABILITY (i.e., trippability) of the shutdown and
 
control rods is an initial assumption in all safety analyses
 
that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and
 
assumptions of available SDM.
The applicable criteria for these reactivity and power
 
distribution design requirements are GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and Capability" (Ref.
1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear
 
Power Plants" (Ref.
2).Mechanical or electrical failures may cause a control or
 
shutdown rod to become inoperable or to become misaligned
 
from its group. Rod inoperability or misalignment may cause
 
increased power peaking, due to the asymmetric reactivity
 
distribution and a reduction in the total available rod
 
worth for reactor shutdown. Therefore, rod alignment and
 
OPERABILITY are related to core operation in design power
 
peaking limits and the core design requirement of a minimum
 
SDM.Limits on rod alignment have been established, and all rod
 
positions are monitored and controlled during power
 
operation to ensure that the power distribution and
 
reactivity limits defined by the design power peaking and
 
SDM limits are preserved.
Rod cluster control assemblies (RCCAs), or rods, are moved
 
by their control rod drive mechanisms (CRDMs). Each CRDM
 
moves its RCCA one step (approximately 5/8 inch) at a time, but at varying rates (steps per minute) depending on the
 
signal output from the Rod Control System.
The RCCAs are divided among control banks and shutdown banks. Each bank may be further subdivided into two groups to
 
provide for precise reactivity control. A group consists of
 
four RCCAs that are electrically paralleled to step
 
simultaneously. If a bank of RCCAs consists of two groups, (continued)
North Anna Units 1 and 2B 3.1.4-2Revision 0 Rod Group Alignment Limits B 3.1.4 BASES BACKGROUND (continued) the groups are moved in a staggered fashion, but always
 
within one step of each other. There are four control banks
 
and two shutdown banks.
The shutdown banks are maintained either in the fully
 
inserted or fully withdrawn position. The control banks are
 
moved in an overlap pattern, using the following withdrawal
 
sequence: When control bank A reaches a predetermined height in the core, control bank B begins to move out with control bank A. Control bank A stops at the position of maximum withdrawal, and control bank B continues to move out. When control bank B reaches a predetermined height, control bank C begins to move out with control bank B. This sequence continues until control banks A, B, and C are at the fully withdrawn position, and control bank D is approximately halfway withdrawn. The insertion sequence is the opposite of
 
the withdrawal sequence. The control rods are arranged in a radially symmetric pattern, so that control bank motion does
 
not introduce radial asymmetries in the core power
 
distributions.
The axial position of shutdown rods and control rods is
 
indicated by two separate an d independent systems, which are the Bank Demand Position Indication System (commonly called
 
group step counters) and the Rod Position Indication (RPI)
 
System.The Bank Demand Position Indication System counts the pulses from the rod control system that moves the rods. There is one step counter for each group of rods. Individual rods in a
 
group all receive the same signal to move and should, therefore, all be at the same position indicated by the group
 
step counter for that group. The Bank Demand Position
 
Indication System is considered highly precise (+/-
1 step or +/- 5/8 inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and
 
incorrectly reflect the position of the rod.
The RPI System provides a highly accurate indication of
 
actual rod position, but at a lower precision than the step
 
counters. This system is based on inductive analog signals
 
from a series of coils spaced along a hollow tube. The RPI
 
system is capable of monitoring rod position within at least
 
+/- 12 steps.
Rod Group Alignment Limits B 3.1.4 BASESNorth Anna Units 1 and 2B 3.1.4-3Revision 0 APPLICABLE SAFETY ANALYSES Rod misalignment accidents are analyzed in the safety
 
analysis (Ref.
3). The acceptance criteria for addressing rod inoperability or misalignment are that:a.There be no violations of:1.specified acceptable fuel design limits, or2.Reactor Coolant System (RCS) pressure boundary integrity; andb.The core remains subcritical after accident transients.
Two types of misalignment are distinguished. During movement
 
of a rod group, one rod may stop moving, while the other rods in the group continue. This condition may cause excessive
 
power peaking. The second type of misalignment occurs if one
 
rod fails to insert upon a reactor trip and remains stuck
 
fully withdrawn. This condition requires an evaluation to
 
determine that sufficient reactivity worth is held in the
 
rods to meet the SDM requirement, with the maximum worth rod
 
stuck fully withdrawn.
Two types of analysis are performed in regard to static rod
 
misalignment (Ref.
4). With control and shutdown banks at their insertion limits, one type of analysis considers the
 
case when any one rod is completely inserted into the core.
 
The second type of analysis considers the case of a
 
completely withdrawn single rod from a bank inserted to its
 
insertion limit. Satisfying limits on departure from
 
nucleate boiling ratio in both of these cases bounds the
 
situation when a rod is misaligned from its group by
 
12 steps.Another type of misalignment occurs if one RCCA fails to
 
insert upon a reactor trip and remains stuck fully
 
withdrawn. This condition is assumed in the evaluation to
 
determine that the required SDM is met with the maximum worth RCCA also fully withdrawn (Ref.
5).The Required Actions in this LCO ensure that either
 
deviations from the alignment limits will be corrected or
 
that THERMAL POWER will be adjusted so that excessive local
 
linear heat rates (LHRs) will not occur, and that the
 
requirements on SDM and ejected rod worth are preserved.(continued)
North Anna Units 1 and 2B 3.1.4-4Revision 0 Rod Group Alignment Limits B 3.1.4 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
Continued operation of the reactor with a misaligned rod is
 
allowed if power is reduced or if the heat flux hot channel
 
factor (F Q (Z)) and the nuclear enthalpy rise hot channel factor  are verified to be within their limits in the COLR and the safety analysis is verified to remain valid.
 
When a rod is misaligned, the assumptions that are used to determine the rod inser tion limits, AFD limits, and quadrant power tilt limits are not preserved. Therefore, the limits
 
may not preserve the design peaking factors, and F Q (Z) and  must be verified directly by incore mapping. Bases Section 3.2 (Power Distribution Limits) contains more complete discussions of the relation of F Q (Z) and  to the operating limits.
Shutdown and control rod OPERABILITY and alignment are
 
directly related to power distributions and SDM, which are
 
initial conditions assumed in safety analyses. Therefore
 
they satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The limits on shutdown or control rod alignments ensure that
 
the assumptions in the safety analysis will remain valid.
The requirements on rod OPERABILITY ensure that upon reactor trip, the assumed reactivity will be available and will be
 
inserted. The rod OPERABILITY requirements (i.e.,
trippability) are separate from the alignment requirements
 
which ensure that the RCCAs and banks maintain the correct
 
power distribution and rod alignment. The rod OPERABILITY
 
requirement is satisfied provided the rod will fully insert
 
in the required rod drop time assumed in the safety analysis.
 
Rod control malfunctions that result in the inability to
 
move a rod (e.g., rod lift coil failures), but that do not
 
impact trippability, do not result in rod inoperability.The requirement to maintain the rod alignment to within plus
 
or minus 12 steps is conservative. The minimum misalignment assumed in safety analysis is 24 steps (15 inches), and in some cases a total misalignment from fully withdrawn to
 
fully inserted is assumed.
Failure to meet the requirements of this LCO may produce
 
unacceptable power peaking factors and LHRs, or unacceptable
 
SDMs, all of which may constitute initial conditions
 
inconsistent with the safety analysis.(continued)
FH N ()FH N FH N Rod Group Alignment Limits B 3.1.4 BASESNorth Anna Units 1 and 2B 3.1.4-5Revision 0 LCO (continued)
The LCO has been modified by a Note. The Note permits a wider tolerance on indicated rod position for a maximum of one hour
 
in every 24 hours to allow stabilization of known thermal drift in the individual rod position indicator channels.
 
This thermal soak time is available both for a continuous one
 
hour period or several discrete intervals as long as the
 
total time does not exceed 1 hour in any 24 hour period and the indicated rod position does not exceed 24 steps from the group step counter demand position. This allowance applies
 
to the indicated position of the rod, not its actual position. If the actual position is known to be greater than 12 steps from the group step counter demand position, the Conditions and Required Actions of the specification must be followed.APPLICABILITY The requirements on RCCA OPERABILITY and alignment are
 
applicable in MODES 1 and 2 because these are the only MODES in which neutron (or fission) power is generated, and the
 
OPERABILITY (i.e., trippability) and alignment of rods have
 
the potential to affect the safety of the unit. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the rods are normally bottomed and the reactor is shut down and
 
not producing fission power. In the shutdown MODES, the
 
OPERABILITY of the shutdown and control rods has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of
 
the RCS. See LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM in MODES 3, 4, and 5 and LCO 3.9.1, "Boron Concentration," for boron concentration requirements during refueling.
ACTIONS A.1.1 and A.1.2 When one or more rods are inoperable (i.e., untrippable),
there is a possibility that the required SDM may be adversely
 
affected. Under these conditions, it is important to
 
determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered. The
 
Completion Time of 1 hour is adequate for determining SDM and, if necessary, for initiating emergency boration and
 
restoring SDM.
In this situation, SDM verification must include the worth
 
of the untrippable rod, as well as a rod of maximum worth.
North Anna Units 1 and 2B 3.1.4-6Revision 0 Rod Group Alignment Limits B 3.1.4 BASES ACTIONS (continued)
A.2 If the inoperable rod(s) cannot be restored to OPERABLE
 
status, the unit must be brought to a MODE or condition in
 
which the LCO requirements are not applicable. To achieve
 
this status, the unit must be brought to at least MODE 3 within 6 hours.The allowed Completion Time is reasonable, based on
 
operating experience, for reaching MODE 3 from full power conditions in an orderly man ner and without challenging unit systems.B.1.1 and B.1.2 With a misaligned rod, SDM must be verified to be within limit or boration must be initiated to restore SDM to within limit.In many cases, realigning the remainder of the group to the misaligned rod may not be desirable. For example, realigning control bank C to a rod that is misaligned 15 steps from the top of the core would require a significant power reduction, since control bank D must be moved in significantly to meet the overlap requirements.
Power operation may continue with one RCCA OPERABLE but
 
misaligned, provided that SDM is verified within 1 hour. The Completion Time of 1 hour represents the time necessary for determining the actual unit SDM and, if necessary, aligning
 
and starting the necessary systems and components to initiate boration. Since the core conditions can change with
 
time, periodic verification of SDM is required. A Frequency
 
of 12 hours is sufficient to ensure this requirement continues to be met.
B.2.1, B.2.2.1, B.2.2.2, and B.3 For continued operation with a misaligned rod, RTP must be
 
reduced or hot channel factors (F Q (Z) and ) must be verified within limits, and the safety analyses must be
 
re-evaluated to confirm continued operation is permissible.
Reduction of power to 75%
RTP ensures that local LHR increases due to a misaligned RCCA will not cause the core
 
design criteria to be exceeded (Ref.
4). The Completion Time (continued)
FH N Rod Group Alignment Limits B 3.1.4 BASESNorth Anna Units 1 and 2B 3.1.4-7Revision 0 ACTIONS B.2.1, B.2.2.1, B.2.2.2, and B.3 (continued) of 2 hours gives the operator sufficient time to accomplish an orderly power reduction without challenging the Reactor
 
Protection System.
Alternatively, verifying that F Q (Z) and  are within the required limits ensures that current operation with a rod
 
misaligned does not result in power distributions that may
 
invalidate safety analysis assumptions. The Completion Time
 
of 72 hours allows sufficient time to obtain flux maps of the core power distribution using the incore flux mapping system
 
and to calculate F Q (Z) and .Once current conditions have been verified acceptable, time
 
is available to perform evaluations of accident analysis to
 
determine that core limits will not be exceeded during a
 
Design Basis Event for the duration of operation under these
 
conditions. The accident analyses presented in UFSAR, Chapter 15 (Ref. 3) that may be adversely affected will be evaluated to ensure that the analysis results remain valid
 
for the duration of continued operation under these
 
conditions. A Completion Time of 5 days is sufficient time to obtain the required input data and to perform the
 
analysis.C.1 When Required Actions cannot be completed within their
 
Completion Time, the unit must be brought to a MODE or
 
Condition in which the LCO requirements are not applicable.
To achieve this status, the unit must be brought to at least
 
MODE 3 within 6 hours, which obviates concerns about the development of undesirable xenon or power distributions. The
 
allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging the
 
unit systems.
D.1.1 and D.1.2 More than one rod becoming misaligned from its group average
 
position is not expected, and has the potential to reduce
 
SDM. Therefore, SDM must be evaluated. One hour allows the
 
operator adequate time to determine SDM. Restoration of the
 
required SDM, if necessary, requires increasing the RCS
 
boron concentration to provide negative reactivity, as (continued)
FH N FH N North Anna Units 1 and 2B 3.1.4-8Revision 46 Rod Group Alignment Limits B 3.1.4 BASES ACTIONS D.1.1 and D.1.2 (continued) described in the Bases or LCO 3.1.1. The required Completion Time of 1 hour for initiating boration is reasonable, based on the time required for potentia l xenon redistribution, the low probability of an accident occurring, and the steps
 
required to complete the action. This allows the operator
 
sufficient time to align the required valves and start the
 
boric acid pumps. Boration will continue until the required
 
SDM is restored.
D.2 If more than one rod is found to be misaligned or becomes
 
misaligned because of bank movement, the unit conditions
 
fall outside of the accident analysis assumptions. Since
 
automatic bank sequencing would continue to cause
 
misalignment, the unit must be brought to a MODE or Condition
 
in which the LCO requirements are not applicable. To achieve
 
this status, the unit must be brought to at least MODE 3 within 6 hours.The allowed Completion Time is reasonable, based on
 
operating experience, for reaching MODE 3 from full power conditions in an orderly man ner and without challenging unit systems.SURVEILLANCE
 
REQUIREMENTS SR  3.1.4.1 Verification that individual rod positions are within
 
alignment limits provides a history that allows the operator
 
to detect a rod that is beginning to deviate from its
 
expected position. If an individual rod position is not
 
within the alignment limit of the group step counter demand
 
position, a determination must be made whether the problem is the actual rod position or the indicated rod position. If the actual rod position is not within the alignment limit, follow the Conditions and Required Actions in
 
Specification 3.1.4. If the indicated, not actual, rod position is not within the alignment limit, follow the
 
Conditions and Required Actions of Specification 3.1.7, Rod Position Indication. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.
Rod Group Alignment Limits B 3.1.4 BASESNorth Anna Units 1 and 2B 3.1.4-9Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.1.4.2 Verifying each rod is OPERABLE would require that each rod be
 
tripped. However, in MODES 1 and 2, tripping each rod would result in radial or axial power tilts, or oscillations.
 
Exercising each individual rod provides increased confidence
 
that all rods continue to be OPERABLE without exceeding the
 
alignment limit, even if they are not regularly tripped.
 
Moving each rod by 10 steps will not cause radial or axial power tilts, or oscillations, to occur. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program. Between required
 
performances of SR 3.1.4.2 (determination of rod OPERABILITY by movement), if a rod(s) is discovered to be immovable, but remains trippable, the rod(s) is considered to be OPERABLE.
 
At any time, if a rod(s) is immovable, a determination of the
 
trippability (OPERABILITY) of the rod(s) must be made, and
 
appropriate action taken.
SR  3.1.4.3 Verification of rod drop times allows the operator to
 
determine that the maximum rod drop time permitted is
 
consistent with the assumed rod drop time used in the safety analysis. Measuring rod drop times prior to reactor
 
criticality, after reactor vessel head removal, ensures that
 
the reactor internals and rod drive mechanism will not
 
interfere with rod motion or rod drop time, and that no
 
degradation in these systems has occurred that would
 
adversely affect rod motion or drop time. This testing is
 
performed with all RCPs operating and the average moderator
 
temperature  500&deg;F to simulate a reactor trip under actual conditions. For this surveillance, a fully withdrawn position of 230 steps is used in order to provide consistent test conditions to faci litate trending. This rod position is not necessarily the same as the cycle-dependent fully
 
withdrawn rod position specified in the COLR and will yield
 
conservative drop times relative to the COLR position. The
 
surveillance procedure limits for rod drop time ensure that
 
the Surveillance Requirement criterion and the Safety
 
Analysis Limit are met.
This Surveillance is performed during a unit outage, due to
 
the unit conditions needed to perform the SR and the
 
potential for an unplanned unit transient if the
 
Surveillance were performed with the reactor at power.
North Anna Units 1 and 2B 3.1.4-10Revision 3 Rod Group Alignment Limits B 3.1.4 BASES REFERENCES1.UFSAR, Sections 3.1.6 and 3.1.22.2.10 CFR 50.46.3.UFSAR, Chapter 15.4.UFSAR, Section 15.2.3.5.UFSAR, Section 4.3.1.5.
North Anna Units 1 and 2B 3.1.5-1Revision 0 Shutdown Bank Insertion Limits B 3.1.5 B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.5Shutdown Bank Insertion Limits BASES BACKGROUND The insertion limits of the shutdown and control rods are
 
initial assumptions in all safety analyses that assume rod
 
insertion upon reactor trip. The insertion limits directly
 
affect core power and fuel burnup distributions and
 
assumptions of available ejected rod worth, SDM and initial
 
reactivity insertion rate.
The applicable criteria for these reactivity and power
 
distribution design requirements are GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and Protection," GDC 28, "Reactivity Limits" (Ref.
1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on control rod insertion have been established, and all rod positions are monitored and
 
controlled during power operation to ensure that the power
 
distribution and reactivity limits defined by the design
 
power peaking and SDM limits are preserved.The rod cluster control assemblies (RCCAs) are divided among
 
control banks and shutdown banks. Each bank is further
 
subdivided into two groups to provide for precise reactivity control. A group consists of four RCCAs that are
 
electrically paralleled to step simultaneously. A bank of
 
RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four control banks and two shutdown banks. See LCO 3.1.4, "Rod Group Alignment Limits," for control and shutdown rod
 
OPERABILITY and alignment requirements, and LCO 3.1.7, "Rod Position Indication," for position indication requirements.
The control banks are used for precise reactivity control of
 
the reactor. The positions of the control banks are normally
 
automatically controlled by the Rod Control System, but they
 
can also be manually controlled. They are capable of adding negative reactivity very quickly (compared to borating). The
 
control banks must be maintained above designed insertion
 
limits and are typically near the fully withdrawn position
 
during normal full power operations.(continued)
North Anna Units 1 and 2B 3.1.5-2Revision 0 Shutdown Bank Insertion Limits B 3.1.5 BASES BACKGROUND (continued)
Hence, they are not capable of adding a large amount of
 
positive reactivity. Boration or dilution of the Reactor
 
Coolant System (RCS) compensates for the reactivity changes
 
associated with large c hanges in RCS temperature. The design calculations are performed with the assumption that the
 
shutdown banks are withdrawn first. The shutdown banks can
 
be fully withdrawn without the core going critical. This
 
provides available negative reactivity in the event of
 
boration errors. The shutdown banks are controlled manually
 
by the control room operator. During normal unit operation, the shutdown banks are either fully withdrawn or fully
 
inserted. The shutdown banks must be completely withdrawn
 
from the core, prior to withdrawing any control banks during an approach to criticality. The shutdown banks are then left
 
in this position until the reactor is shut down. They add negative reactivity to shut down the reactor upon receipt of a reactor trip signal.
APPLICABLE
 
SAFETY ANALYSES On a reactor trip, all RCCAs (shutdown banks and control banks), except the most reactive RCCA, are assumed to insert
 
into the core. The shutdown banks shall be at or above their
 
insertion limits and available to insert the maximum amount
 
of negative reactivity on a reactor trip signal. The control
 
banks may be partially inserted in the core, as allowed by
 
LCO 3.1.6, "Control Bank Insertion Limits." The shutdown bank and control bank insertion limits are established to
 
ensure that a sufficient amount of negative reactivity is
 
available to shut down the reactor and maintain the required
 
SDM (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") following a reactor trip from full power. The combination of control
 
banks and shutdown banks (less the most reactive RCCA, which
 
is assumed to be fully withdrawn) is sufficient to take the
 
reactor from full power conditions at rated temperature to
 
zero power, and to maintain the required SDM at rated no load
 
temperature (Ref.
3). The shutdown bank insertion limit also limits the reactivity worth of an ejected shutdown rod.
The acceptance criteria for addressing shutdown rod bank
 
insertion limits and inoperability or misalignment is that:a.There be no violations of:1.specified acceptable fuel design limits, or2.RCS pressure boundary integrity; andb.The core remains subcritical after accident transients.
Shutdown Bank Insertion Limits B 3.1.5 BASESNorth Anna Units 1 and 2B 3.1.5-3Revision 0 APPLICABLE SAFETY ANALYSES (continued)
As such, the shutdown bank insertion limits affect safety
 
analysis involving core reactivity and SDM (Ref.
3).The shutdown bank insertion limits preserve an initial
 
condition assumed in the safety analyses and, as such, satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The shutdown banks must be within their insertion limits any
 
time the reactor is critical or approaching criticality.
 
This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the
 
required SDM following a reactor trip.
The shutdown bank insertion limits are defined in the COLR.
APPLICABILITY The shutdown banks must be within their insertion limits, with the reactor in MODES 1 and 2. This ensures that a sufficient amount of negative reactivity is available to
 
shut down the reactor and maintain the required SDM
 
following a reactor trip. The shutdown banks do not have to
 
be within their insertion limits in MODE 3, unless an approach to criticality is being made. In MODE 3, 4, or 5, the shutdown banks are fully inserted in the core and
 
contribute to the SDM. Refer to LCO 3.1.1 for SDM requirements in MODES 3, 4, and 5. LCO 3.9.1, "Boron Concentration," ensures adequate SDM in MODE 6.The Applicability requirements have been modified by a Note
 
indicating the LCO requirement is suspended during
 
SR 3.1.4.2. This SR verifies the freedom of the rods to move, and requires the shutdown bank to move below the LCO limits, which would normally violate the LCO. Should the SR testing
 
be suspended due to equipment malfunction with a rod bank
 
below the insertion limit, the applicable Condition should
 
be entered.
ACTIONS A.1.1, A.1.2 and A.2 When one or more shutdown banks is not within insertion
 
limits, except as allowed by Condition B, 2 hours is allowed to restore the shutdown banks to within the insertion
 
limits. This is necessary because the available SDM may be
 
significantly reduced, with one or more of the shutdown
 
banks not within their insertion limits. Also, verification (continued)
North Anna Units 1 and 2B 3.1.5-4Revision 0 Shutdown Bank Insertion Limits B 3.1.5 BASES ACTIONS A.1.1, A.1.2 and A.2 (continued) of SDM or initiation of boration within 1 hour is required, since the SDM in MODES 1 and 2 is ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1).If shutdown banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance
 
calculation, considering the effects listed in the BASES for
 
SR 3.1.1.1.The allowed Completion Time of 2 hours provides an acceptable time for evaluating and repairing minor problems
 
without allowing the unit to remain in an unacceptable
 
condition for an extended period of time.
B.1 and B.2 If a shutdown bank is inserted below the insertion limits, power operation may continue for up to 72 hours provided that the bank is not inserted more than 18 steps below the insertion limits, the control and shutdown rods are within
 
the operability and rod group alignment requirements
 
provided in LCO 3.1.4, and the control banks are within the insertion limits provided in LCO 3.1.6. The requirement to be in compliance with LCO 3.1.4 and LCO 3.1.6 ensures that the rods are trippable, and power distribution is acceptable during the time allowed to restore the inserted rod. If any
 
of these Conditions are not met, Condition A must be applied.
The Completion Time of 72 hours is based on operating experience and provides an acceptable time for evaluating
 
and repairing problems with the rod control system.
C.1 If the Required Action and associated Completion Time of
 
Conditions A or B are not met, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion
 
Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly man ner and without challenging unit systems.
Shutdown Bank Insertion Limits B 3.1.5 BASESNorth Anna Units 1 and 2B 3.1.5-5Revision 46 SURVEILLANCE REQUIREMENTS SR  3.1.5.1 Verification that the shutdown banks are within their
 
insertion limits prior to an approach to criticality ensures that when the reactor is critical, or being taken critical, the shutdown banks will be available to shut down the reactor, and the required SDM will be maintained following a
 
reactor trip. This SR and Frequency ensure that the shutdown
 
banks are withdrawn before the control banks are withdrawn
 
during a unit startup.
Since the shutdown banks are positioned manually by the
 
control room operator, a verification of shutdown bank
 
position, after the reactor is taken critical, is adequate
 
to ensure that they are within their insertion limits. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Sections 3.1.6, 3.1.22, and 3.1.24.2.10 CFR 50.46.3.UFSAR, Chapter
: 15.
Intentionally Blank North Anna Units 1 and 2B 3.1.6-1Revision 0 Control Bank Insertion Limits B 3.1.6 B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.6Control Bank Insertion Limits BASES BACKGROUND The insertion limits of the shutdown and control rods are
 
initial assumptions in all safety analyses that assume rod
 
insertion upon reactor trip. The insertion limits directly
 
affect core power and fuel burnup distributions and
 
assumptions of available SDM, and initial reactivity
 
insertion rate.
The applicable criteria for these reactivity and power
 
distribution design requirements are GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and Protection," GDC 28, "Reactivity Limits" (Ref.
1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on control rod insertion have been established, and all rod positions are monitored and
 
controlled during power operation to ensure that the power
 
distribution and reactivity limits defined by the design
 
power peaking and SDM limits are preserved.The rod cluster control assemblies (RCCAs) are divided among
 
control banks and shutdown banks. Each bank is further
 
subdivided into two groups to provide for precise reactivity control. A group consists of four RCCAs that are
 
electrically paralleled to step simultaneously. A bank of
 
RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four control banks and two shutdown banks. See LCO 3.1.4, "Rod Group Alignment Limits," for control and shutdown rod
 
OPERABILITY and alignment requirements, and LCO 3.1.7, "Rod Position Indication," for position indication requirements.The control bank insertion limits are specified in the COLR.
 
An example is provided for information only in
 
Figure B 3.1.6-1. The control banks are required to be at or above the insertion limit lines.
Figure B 3.1.6-1 also indicates how the control banks are sequenced and moved in an overlap pattern. Overlap is the distance travelled together by two control banks. Sequencing
 
is the order in which the banks are moved. For example, if
 
the fully withdrawn position is 231 steps, as in (continued)
North Anna Units 1 and 2B 3.1.6-2Revision 0 Control Bank Insertion Limits B 3.1.6 BASES BACKGROUND (continued)
Figure B 3.1.6-1, control bank D will begin to move with bank C on a withdrawal when control bank C is at 128 steps. The fully withdrawn position, as well as proper overlap and
 
sequence, are defined in the COLR.
The control banks are used for precise reactivity control of
 
the reactor. The positions of the control banks are normally
 
controlled automatically by the Rod Control System, but can
 
also be manually controlled. They are capable of adding
 
reactivity very quickly (compared to borating or diluting).
The power density at any point in the core must be limited, so that the fuel design criteria are maintained. Together, LCO 3.1.4, LCO 3.1.5, "Shutdown Bank Insertion Limits,"
LCO 3.1.6, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," provide limits on control component operation and on monitored
 
process variables, which ensure that the core operates
 
within the fuel design criteria.
The shutdown and control bank insertion and alignment
 
limits, AFD, and QPTR are process variables that together
 
characterize and control the three dimensional power
 
distribution of the reactor core. Additionally, the control
 
bank insertion limits control the reactivity that could be
 
added in the event of a rod ejection accident, and the
 
shutdown and control bank insertion limits ensure the
 
required SDM is maintained.
Operation within the subject LCO limits will limit fuel
 
cladding failures that would breach the primary fission
 
product barrier and release fission products to the reactor
 
coolant to within acceptable limits in the event of a loss of coolant accident (LOCA), loss of flow, ejected rod, or other accident requiring termination by a Reactor Trip System (RTS) trip function.
APPLICABLE
 
SAFETY ANALYSES The shutdown and control bank insertion limits, AFD, and
 
QPTR LCOs are required to maintain power distributions that
 
limit fuel cladding failures to within acceptable limits in
 
the event of a LOCA, loss of flow, ejected rod, or other
 
accident requiring termination by an RTS trip function.(continued)
Control Bank Insertion Limits B 3.1.6 BASESNorth Anna Units 1 and 2B 3.1.6-3Revision 0 APPLICABLE SAFETY ANALYSES (continued)
The acceptance criteria for addressing control bank
 
insertion limits and inoperability or misalignment are that:a.There be no violations of:1.specified acceptable fuel design limits, or2.Reactor Coolant System pressure boundary integrity; andb.The core remains subcritical after accident transients.
As such, the shutdown and control bank insertion limits
 
affect safety analysis involving core reactivity and power
 
distributions (Ref.
3).The SDM requirement is ensured by limiting the control bank
 
insertion limits so that allowable inserted worth of the
 
RCCAs is such that sufficient reactivity is available in the
 
rods to shut down the reactor to hot zero power with a
 
reactivity margin that assumes the maximum worth RCCA
 
remains fully withdrawn upon trip (Ref.
3).Operation at the insertion limits or AFD limits may approach
 
the maximum allowable linear heat generation rate or peaking
 
factor with the allowed QPTR present. Operation at the
 
insertion limit may also indicate the maximum ejected RCCA
 
worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected RCCA worths.
The control bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and power
 
distribution peaking factors are preserved (Ref.
3).The insertion limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The limits on control banks sequence, overlap, and physical
 
insertion, as defined in the COLR, must be maintained
 
because they serve the function of preserving power
 
distribution, ensuring that the SDM is maintained, ensuring
 
that ejected rod worth is maintained, and ensuring adequate
 
negative reactivity insertion is available on trip. The
 
overlap between control banks provides more uniform rates of (continued)
North Anna Units 1 and 2B 3.1.6-4Revision 0 Control Bank Insertion Limits B 3.1.6 BASES LCO (continued) reactivity insertion and withdrawal and is imposed to
 
maintain acceptable power peaking during control bank
 
motion.APPLICABILITY The control bank sequence, overlap, and physical insertion
 
limits shall be maintained with the reactor in MODES 1 and 2 with k eff  1.0. These limits must be maintained, since they preserve the assumed power distribution, ejected rod worth, SDM, and reactivity rate insertion assumptions.
 
Applicability in MODE 2 with k eff < 1.0, and MODES 3, 4, and 5 is not required, since neither the power distribution nor ejected rod worth assumptions would be exceeded in these
 
MODES.The applicability requirements have been modified by a Note
 
indicating the LCO requirements are suspended during the
 
performance of SR 3.1.4.2. This SR verifies the freedom of the rods to move, and requires the control bank to move below the LCO limits, which would violate the LCO. Should the SR
 
testing be suspended due to equipment malfunction with a rod
 
bank below the insertion limits, the applicable Condition
 
should be entered.
ACTIONS A.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2 If the control banks are found to be out of sequence or in
 
the wrong overlap configuration, they must be restored to meet the limits.
Operation beyond the LCO limits is allowed for a short time period in order to take conservative action because the
 
simultaneous occurrence of either a LOCA, loss of flow
 
accident, ejected rod accident, or other accident during
 
this short time period, together with an inadequate power
 
distribution or reactivity capability, has an acceptably low
 
probability.
Also, verification of SDM or initiation of boration to
 
regain SDM is required within 1 hour, since the SDM in MODES 1 and 2 normally ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") has been upset. If control banks are not
 
within their limits, then SDM will be verified by performing
 
a reactivity balance calculation, considering the effects
 
listed in the BASES for SR 3.1.1.1.(continued)
Control Bank Insertion Limits B 3.1.6 BASESNorth Anna Units 1 and 2B 3.1.6-5Revision 0 ACTIONS A.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2 (continued)
When the control banks are outside the acceptable insertion limits, except as allowed by Condition C, they must be restored to within those limits. This restoration can occur
 
in two ways:a.Reducing power to be consistent with rod position; orb.Moving rods to be consistent with power.
The allowed Completion Time of 2 hours for restoring the banks to within the insertion, sequence, and overlaps limits
 
provides an acceptable time for evaluating and repairing
 
minor problems without allowing the unit to remain in an
 
unacceptable condition for an extended period of time.
C.1 and C.2 If Control Banks A, B, or C are inserted below the insertion limits, power operation may continue for up to 72 hours provided that the bank is not inserted more than 18 steps below the insertion limits, the control and shutdown rods
 
are within the operability and rod group alignment
 
requirements provided in LCO 3.1.4, and the shutdown banks are within the insertion limits provided in LCO 3.1.5. The requirement to be in compliance with LCO 3.1.4 and LCO 3.1.5 ensures that the rods are trippable, and power distribution
 
is acceptable during the time allowed to restore the
 
inserted rod. If any of these Conditions are not met, Condition B must be applied.
The Completion Time of 72 hours is based on operating experience and provides an acceptable time for evaluating
 
and repairing problems with the rod control system.
D.1 If Required Actions A.1 and A.2, B.1 and B.2, or C.1 and C.2 cannot be completed within the associated Completion Times, the unit must be brought to MODE 2 with k eff < 1.0, where the LCO is not applicable. The allowed Completion Time of
 
6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an
 
orderly manner and without challenging unit systems.
North Anna Units 1 and 2B 3.1.6-6Revision 46 Control Bank Insertion Limits B 3.1.6 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.1.6.1 This Surveillance is required to ensure that the reactor
 
does not achieve criticality with the control banks below
 
their insertion limits.
The estimated critical position (ECP) depends upon a number
 
of factors, one of which is xenon concentration. If the ECP
 
was calculated long before criticality, xenon concentration
 
could change to make the ECP substantially in error.
 
Verifying the predicted critical rod bank position within
 
4 hours prior to criticality avoids a large error from changes in xenon concentration, but allows the operator some
 
flexibility to schedule the verification with other startup
 
activities.
SR  3.1.6.2 The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.1.6.3 When control banks are maintained within their insertion
 
limits as checked by SR 3.1.6.2 above, it is unlikely that their sequence and overlap will not be in accordance with
 
requirements provided in the COLR. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Sections 3.1.6, 3.1.22, and 3.1.24.2.10 CFR 50.46.3.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.1.6-7Revision 0 Control Bank Insertion Limits B 3.1.6 Figure B 3.1.6-1 (page 1 of 1)
Control Bank Insertion vs. Percent RTP Intentionally Blank North Anna Units 1 and 2B 3.1.7-1Revision 0 Rod Position Indication B 3.1.7 B 3.1  REACTIVITY CONTROL SYSTEMB 3.1.7Rod Position Indication BASES BACKGROUND According to GDC 13 (Ref. 1), instrumentation to monitor variables and systems over their operating ranges during
 
normal operation, anticipated operational occurrences, and
 
accident conditions must be OPERABLE. LCO 3.1.7 is required to ensure OPERABILITY of the rod position indicators to
 
determine rod positions and thereby ensure compliance with
 
the rod alignment and insertion limits.
The OPERABILITY, including position indication, of the
 
shutdown and control rods is an initial assumption in all
 
safety analyses that assume rod insertion upon reactor trip.
Maximum rod misalignment is an initial assumption in the
 
safety analysis that directly affects core power
 
distributions and assumptions of available SDM. Rod position
 
indication is required to assess OPERABILITY and
 
misalignment.
Mechanical or electrical failures may cause a rod to become
 
inoperable or to become misaligned from its group. Rod
 
inoperability or misalignment may cause increased power peaking, due to the asymmetri c reactivity distribution and a reduction in the total available rod worth for reactor
 
shutdown. Therefore, rod alignment and OPERABILITY are
 
related to core operation in design power peaking limits and
 
the core design requirement of a minimum SDM.
Limits on rod alignment and OPERABILITY have been
 
established, and all rod positions are monitored and
 
controlled during power operation to ensure that the power
 
distribution and reactivity limits defined by the design
 
power peaking and SDM limits are preserved.
Rod cluster control assemblies (RCCAs), or rods, are moved
 
out of the core (up or withdrawn) or into the core (down or
 
inserted) by their control rod drive mechanisms. The RCCAs
 
are divided among control banks and shutdown banks. Each
 
bank is further subdivided into two groups to provide for
 
precise reactivity control.(continued)
North Anna Units 1 and 2B 3.1.7-2Revision 0 Rod Position Indication B 3.1.7 BASES BACKGROUND (continued)
The axial position of shutdown rods and control rods are determined by two separate and independent systems: the Bank Demand Position Indication System (commonly called group
 
step counters) and the Rod Position Indication (RPI) System.
The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods. There is one
 
step counter for each group of rods. Individual rods in a
 
group all receive the same signal to move and should, therefore, all be at the same position indicated by the group
 
step counter for that group. The Bank Demand Position
 
Indication System is considered highly precise (+/-
1 step or +/- 5/8 inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and
 
incorrectly reflect the position of the rod.
The RPI System provides a highly accurate indication of
 
actual rod position, but at a lower precision than the step
 
counters. This system is based on inductive analog signals
 
from a series of coils spaced along a hollow tube. The RPI
 
System is capable of monitoring rod position within at least
 
+/- 12 steps.APPLICABLE
 
SAFETY ANALYSES Control and shutdown rod position accuracy is essential
 
during power operation. Power peaking, ejected rod worth, or
 
SDM limits may be violated in the event of a Design Basis
 
Accident (Ref.
2), with control or shutdown rods operating outside their limits undetected. Therefore, the acceptance
 
criteria for rod position indication is that rod positions must be known with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits"). The rod positions must
 
also be known in order to verify the alignment limits are
 
preserved (LCO 3.1.4, "Rod Group Alignment Limits"). Control rod positions are continuously monitored to provide
 
operators with information that ensures the unit is
 
operating within the bounds of the accident analysis
 
assumptions.
The control rod position indicator channels satisfy
 
Criterion 2 of 10 CFR 50.36(c)(2)(ii).
Rod Position Indication B 3.1.7 BASESNorth Anna Units 1 and 2B 3.1.7-3Revision 0 LCO LCO 3.1.7 specifies that the RPI System and the Bank Demand Position Indication System be OPERABLE for each rod. For the rod position indicators to be OPERABLE requires meeting the
 
SR of the LCO and the following:a.The RPI System indicates within 12 or 24 steps of the group step counter demand position as required by
 
LCO 3.1.4, "Rod Group Alignment Limits";b.For the RPI System there are no failed coils; andc.The Bank Demand Indication System has been calibrated either in the fully inserted position or to the RPI
 
System.The 12 step agreement limit between the Bank Demand Position Indication System and the RPI System indicates that the Bank Demand Position Indication System is adequately calibrated, and can be used for indication of the measurement of rod bank position.A deviation of less than the allowable limit, given in
 
LCO 3.1.4, in position indication for a single rod, ensures high confidence that the position uncertainty of the
 
corresponding rod group is within the assumed values used in the analysis (that specified rod group insertion limits).
These requirements ensure that rod position indication
 
during power operation and PHYSICS TESTS is accurate, and
 
that design assumptions are not challenged.
OPERABILITY of the position indicator channels ensures that
 
inoperable, misaligned, or mispositioned rods can be
 
detected. Therefore, power peaking, ejected rod worth, and
 
SDM can be controlled within acceptable limits.
APPLICABILITY The requirements on the RPI and step counters are only
 
applicable in MODES 1 and 2 (consistent with LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6), because these are the only MODES in which power is generated, and the OPERABILITY and alignment of rods have th e potential to affect the safety of the unit. In the shutdown MODES, the OPERABILITY of the
 
shutdown and control banks has the potential to affect the
 
required SDM, but this effect can be compensated for by an
 
increase in the boron concentration of the Reactor Coolant
 
System.
North Anna Units 1 and 2B 3.1.7-4Revision 0 Rod Position Indication B 3.1.7 BASES ACTIONS The ACTIONS table is modified by a Note indicating that a
 
separate Condition entry is allowed for each inoperable rod
 
position indicator and each demand position indicator. This
 
is acceptable because the Required Actions for each
 
Condition provide appropriate compensatory actions for each
 
inoperable position indicator.
A.1When one RPI channel per group fails, the position of the rod may still be determined indirectly by use of the movable
 
incore detectors. The Required Action may also be satisfied
 
by ensuring at least once per 8 hours that F Q (Z) satisfies LCO 3.2.1,  satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the
 
nonindicating rods have not been moved. Based on experience, normal power operation does not require excessive movement
 
of banks. If a bank has been significantly moved, the
 
Required Action of C.1 or C.2 below is required. Therefore, verification of RCCA position within the Completion Time of
 
8 hours is adequate for allowing continued full power operation, since the probability of simultaneously having a
 
rod significantly out of position and an event sensitive to
 
that rod position is small.
A.2Reduction of THERMAL POWER to  50% RTP puts the core into a condition where rod position is not significantly affecting
 
core peaking factors (Ref.
2).The allowed Completion Time of 8 hours is reasonable, based on operating experience, for reducing power to  50% RTP from full power conditions without challenging unit systems
 
and allowing for rod position determination by Required
 
Action A.1 above.
B.1, B.2, B.3, and B.4 When more than one RPI per group fail, additional actions are
 
necessary to ensure that acceptable power distribution
 
limits are maintained, minimum SDM is maintained, and the potential effects of rod misalignment on associated accident
 
analyses are limited. Placing the Rod Control System in
 
manual assures unplanned rod motion will not occur. Together
 
with the indirect position determination available via
 
movable incore detectors will minimize the potential for rod (continued)
FH N Rod Position Indication B 3.1.7 BASESNorth Anna Units 1 and 2B 3.1.7-5Revision 0 ACTIONS B.1, B.2, B.3, and B.4 (continued) misalignment. The immediate Completion Time for placing the Rod Control System in manual reflects the urgency with which
 
unplanned rod motion must be prevented while in this
 
Condition.
Monitoring and recording reactor coolant T avg help assure that significant changes in power distribution and SDM are
 
avoided. The once per hour Completion Time is acceptable
 
because only minor fluctuations in RCS temperature are
 
expected at steady state plant operating conditions.The position of the rods may be determined indirectly by use
 
of the movable incore detectors. The Required Action may
 
also be satisfied by ensuring at least once per 8 hours that F Q (Z) satisfies LCO 3.2.1,  satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the nonindicating rods have not been moved.
 
Verification of control rod position once per 8 hours is adequate for allowing continued full power operation for a
 
limited, 24 hour period, since the probability of simultaneously having a rod significantly out of position
 
and an event sensitive to that rod position is small. The
 
24 hour Completion Time provides sufficient time to troubleshoot and restore the RPI system to operation while
 
avoiding the plant challenges associated with a shutdown
 
without full rod position indication.
Based on operating experience, normal power operation does
 
not require excessive rod movement. If one or more rods has
 
been significantly moved, the Required Action of C.1 or C.2 below is required.
C.1 and C.2 These Required Actions clarify that when one or more rods
 
with inoperable position indicators have been moved in
 
excess of 24 steps in one direction, since the position was last determined, the Required Actions of A.1 and A.2, or B.1, as applicable, are still appropriate but must be
 
initiated promptly under Required Action C.1 to begin verifying that these rods are still properly positioned, relative to their group positions.(continued)
FH N North Anna Units 1 and 2B 3.1.7-6Revision 0 Rod Position Indication B 3.1.7 BASES ACTIONS C.1 and C.2 (continued)
If, within 4 hours, the rod positions have not been determined, THERMAL POWER must be reduced to  50% RTP within 8 hours to avoid undesirable power distributions that could result from continued operation at >
50% RTP, if one or more rods are misaligned by more than 24 steps. The allowed Completion Time of 4 hours provides an acceptable period of time to verify the rod positions.
D.1.1 and D.1.2 With one demand position indicator per bank inoperable, the
 
rod positions can be determined by the RPI System. Since
 
normal power operation does not require excessive movement
 
of rods, verification by administrative means that the rod
 
position indicators are OPERABLE and the most withdrawn rod
 
and the least withdrawn rod are  12 steps apart within the allowed Completion Time of once every 8 hours is adequate.
D.2Reduction of THERMAL POWER to  50% RTP puts the core into a condition where rod position is not significantly affecting
 
core peaking factor limits (Ref.
2). The allowed Completion Time of 8 hours provides an acceptable period of time to verify the rod positions per Required Actions D.1.1 and D.1.2 or reduce power to  50% RTP.E.1 If the Required Actions cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours. The allowed Co mpletion Time is reasonable, based on operating experience, for reaching the required MODE from
 
full power conditions in an orderly manner and without
 
challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.1.7.1 Performing a CHANNEL CA LIBRATION on each RPI channel ensures that the RPI electronics are operating properly. This
 
CHANNEL CALIBRATION involves injecting a test signal into
 
the RPI electronics and verifying or adjusting the (continued)
Rod Position Indication B 3.1.7 BASESNorth Anna Units 1 and 2B 3.1.7-7Revision 46 SURVEILLANCE REQUIREMENTS SR  3.1.7.1 (continued) calibration from that point forward. The CHANNEL CALIBRATION
 
also verifies all alarms and indications, such as the Rod
 
Bottom lights. The CHANNEL CALIBRATION does not include the
 
coil stack, as it cannot be adjusted. The indicated RPI
 
position is adjusted as needed to compensate for thermal
 
drift. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 3.1.9.2.UFSAR, Chapter
: 15.
Intentionally Blank North Anna Units 1 and 2B 3.1.8-1Revision 8 Primary Grade Water Flow Path Isolation Valves B 3.1.8 B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.8Primary Grade Water Flow Path Isolation Valves BASES BACKGROUND During MODES 3, 4, and 5 operations, the isolation valves for primary grade water f low paths that are connected to the Reactor Coolant System (RCS) must be closed to prevent
 
unplanned boron dilution of the reactor coolant. The
 
isolation valves must be locked, sealed, or otherwise
 
secured in the closed position.
The Chemical and Volume Control System is capable of
 
supplying borated and unborated water to the RCS through
 
various flow paths. Since a positive reactivity addition made by an uncontrolled reduction of the boron concentration is inappropriate during MODES 3, 4 and 5, isolation of all primary grade water flow paths prevents an unplanned boron
 
dilution.APPLICABLE
 
SAFETY ANALYSES The possibility of an inadvertent boron dilution event (Ref. 1) occurring during MODES 3, 4, or 5 is precluded by adherence to this LCO, which requires that the primary grade
 
water flow path be isolated. Closing the required valves
 
prevents the flow of significant volumes of primary grade
 
water to the RCS. The valves are used to isolate primary
 
grade water flow paths. These valves have the potential to
 
indirectly allow dilution of the RCS boron concentration. By isolating primary grade water flow paths, a safety analysis
 
for an uncontrolled boron dilution accident is not required
 
for MODES 3, 4 or 5.The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO requires that primary grade water be isolated from
 
the RCS to prevent unplanned boron dilution during MODES 3, 4, and 5.For Unit 1, primary grade water flow paths may be isolated from the RCS by closing valve 1-CH-217. Alternatively, 1-CH-220, 1-CH-241, 1-CH-FCV-1114B and 1-CH-FCV-1113B may be
 
used in lieu of 1-CH-217. For Unit 2, primary grade water (continued)
North Anna Units 1 and 2B 3.1.8-2Revision 8 Primary Grade Water Flow Path Isolation Valves B 3.1.8 BASES LCO (continued) flow paths may be isolated from the RCS by closing valve
 
2-CH-140. Alternatively, 2-CH-160, 2-CH-156, 2-CH-FCV-2114B, and 2-CH-FCV-2113B may be used in lieu of 2-CH-140.
The LCO is modified by a Note which allows the primary grade
 
water flow path isolation valves to be opened under
 
administrative control for planned boron dilution or makeup
 
activities.
APPLICABILITY This LCO is applicable in MODES 3, 4, and 5 to prevent an inadvertent boron dilution event by ensuring closure of all
 
primary grade water flow path isolation valves.
In MODE 6, LCO 3.9.2, "Primary Grade Water Flow Path Isolation Valves-MODE 6," requires all primary grade water
 
isolation valves to be closed to prevent an inadvertent
 
boron dilution.
In MODES 1 and 2, the boron dilution accident was analyzed and was found to be capable of being mitigated.
ACTIONS A.1, A.2, and A.3 Preventing inadvertent dilution of the reactor coolant boron
 
concentration is dependent on maintaining the primary grade
 
water flow path isolation valves locked, sealed, or
 
otherwise secured closed, except as allowed under administrative control by the LCO Note. Because of the possibility of an inadvertent boron dilution, Required
 
Action A.1 prohibits other positive reactivity additions while securing the isolation valves on the primary grade
 
water system. The Completion Time of "Immediately" for
 
suspending positive reactivity additions reflects the
 
importance of preventing known positive reactivity additions
 
so that any boron dilution event can be readily identified
 
and terminated.
The Required Action A.2 Completion Time of 15 minutes for securing the isolation valves provides sufficient time to
 
close and secure the isolation valves on the primary grade
 
water flow paths while minimizing the probability of an
 
unintentional dilution during the Completion Time. Securing
 
the valves in the closed position ensures that the valves
 
cannot be inadvertently opened.(continued)
Primary Grade Water Flow Path Isolation Valves B 3.1.8 BASESNorth Anna Units 1 and 2B 3.1.8-3Revision 8 ACTIONS A.1, A.2, and A.3 (continued)
Condition A has been modified by a Note to require that Required Action A.3 be completed whenever Condition A is entered.The performance of Surveillance 3.1.1.1 under Required Action A.3 verifies that the SDM is within the limits provided in the COLR. It is performed to verify that the required SDM still exists and any inadvertent boron dilution that may have occurred has been detected and corrected. The
 
Completion Time of 4 hours is reasonable, based on the time required to request and analyze an RCS water sample to
 
determine the boron concentration and to compute the SDM.
SURVEILLANCE
 
REQUIREMENTS SR  3.1.8.1 The primary grade water f low path isolation valves are to be locked, sealed, or otherwise secured closed to isolate
 
possible dilution paths. The likelihood of a significant
 
reduction in the boron concentration during MODES 3, 4, and 5 is remote due to the large mass of borated water in the RCS and the fact that the specified primary grade water flow
 
paths are isolated, precluding a dilution. The SHUTDOWN
 
MARGIN is verified every 24 hours during MODES 3, 4, and 5 under SR 3.1.1.1. The Frequency is based on the time required to verify that the isolation valves in the utilized
 
flow path are locked, sealed, or otherwise secured in the
 
closed position following a boron dilution or makeup
 
activity.REFERENCES1.UFSAR, Section 15.2.4.
Intentionally Blank North Anna Units 1 and 2B 3.1.9-1Revision 0 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.9PHYSICS TESTS Exceptions-MODE 2 BASES BACKGROUND The primary purpose of the MODE 2 PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain
 
PHYSICS TESTS to be performed.
Section XI of 10 CFR 50, Appendix B (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in
 
service. All functions necessary to ensure that the
 
specified design conditions are not exceeded during normal
 
operation and anticipated operational occurrences must be
 
tested. This testing is an integral part of the design, construction, and operation of the unit. Requirements for notification of the NRC, for the purpose of conducting tests
 
and experiments, are specified in 10 CFR 50.59 (Ref.
2).The key objectives of a test program are to (Ref.
3):a.Ensure that the facility has been adequately designed;b.Validate the analytical models used in the design and analysis;c.Verify the assumptions used to predict unit response;d.Ensure that installation of equipment in the facility has been accomplished in accordance with the design; ande.Verify that the operating and emergency procedures are adequate.To accomplish these objectives, testing is performed prior
 
to initial criticality, during startup, during low power
 
operations, during power ascension, at high power, and after
 
each refueling. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the
 
core can be operated as designed (Ref.
4).(continued)
North Anna Units 1 and 2B 3.1.9-2Revision 0 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES BACKGROUND (continued)
PHYSICS TESTS procedures are written and approved in
 
accordance with established formats. The procedures include
 
all information necessary to permit a detailed execution of
 
the testing required to ensure that the design intent is met.
 
PHYSICS TESTS are performed in accordance with these
 
procedures and test results are approved prior to continued
 
power escalation and long term power operation.
The PHYSICS TESTS required for reload fuel cycles (Ref.
: 5) are listed below:a.Critical Boron Concentration-All Banks Withdrawn;b.Differential Boron Worth;c.Bank Worth;d.Isothermal Temperature Coefficient (ITC); ande.Neutron Flux Symmetry.
The first four tests are performed in MODE 2, and the last test is performed in MODE
: 1. These and other supplementary tests may be required to calibrate the nuclear
 
instrumentation or to diagnose operational problems. These
 
tests may cause the operating controls and process variables
 
to deviate from their LCO requirements during their
 
performance.a.The Critical Boron Concentration-Control Rods Withdrawn Test measures the critical boron concentration at hot zero power (HZP). With all rods out, the lead control bank is at or near its fully withdrawn position. HZP is where
 
the core is critical (k eff = 1.0), and the Reactor Coolant System (RCS) is at design temperature and pressure for
 
zero power. Performance of this test should not violate
 
any of the referenced LCOs.b.The Differential Boron Worth Test determines if the measured differential boron worth is consistent with the
 
predicted value. With the core at HZP, the change in
 
equilibrium boron concentration is determined at
 
different rod bank positions. As the rod bank or banks are
 
moved, the reactivity change is measured using a
 
reactivity computer. The measured reactivity change is
 
divided by the difference in measured critical boron (continued)
PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASESNorth Anna Units 1 and 2B 3.1.9-3Revision 24 BACKGROUNDb.(continued) concentrations to determine the differential boron worth.
The insertion of the rod bank could result in violation of
 
LCO 3.1.4, "Rod Group Alignment Limits," LOC 3.1.5, "Shutdown Bank Insertion Limits," or LCO 3.1.6, "Control Bank Insertion Limits."c.The Bank Worth Test is used to measure the reactivity worth of selected banks. This test is performed at HZP and
 
has three alternative methods of performance. The first
 
method, the Boron Exchange Method, varies the reactor
 
coolant boron concentration and moves the selected bank
 
in response to the changing boron concentration. The
 
reactivity changes are measured with a reactivity
 
computer. This sequence is repeated for the remaining
 
banks. The second method, the Rod Swap Method, measures
 
the worth of a predetermined reference bank using the
 
Boron Exchange Method above. The reference bank is then nearly fully inserted into the core. The selected bank is
 
then inserted into the core as the reference bank is
 
withdrawn. The HZP critical conditions are then
 
determined with the selected bank fully inserted
 
(0-2 steps withdrawn) into the core. The worth of the selected bank is inferred, based on the position of the
 
reference bank with respect to the selected bank. This
 
sequence is repeated as necessary for the remaining
 
banks. The third method, the Boron Endpoint Method, moves the selected bank over its entire length of travel and then varies the reactor coolant boron concentration to achieve HZP criticality again. The difference in boron
 
concentration is the worth of the selected bank. This sequence is repeated for the remaining banks. Performance
 
of this test could violate LCO 3.1.4, LCO 3.1.5, or LCO 3.1.6.d.The ITC Test measures the IT C of the reactor. This test is performed at HZP and has two methods of performance. The first method, the Slope Method, varies RCS temperature in a slow and continuous manner. The reactivity change is
 
measured with a reactivity computer as a function of the
 
temperature change. The ITC is the slope of the
 
reactivity versus the temperature plot. The test is
 
repeated by reversing the direction of the temperature
 
change, and the final ITC is the average of two or more
 
calculated ITCs. The second method, the Endpoint Method, (continued)
North Anna Units 1 and 2B 3.1.9-4Revision 24 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES BACKGROUNDd.(continued) changes the RCS temperature and measures the reactivity
 
at the beginning and end of the temperature change. The
 
ITC is the total reactivity change divided by the total
 
temperature change. The test is repeated by reversing the
 
direction of the temperature chan ge, and the final ITC is the average of the two or more calculated ITCs.
 
Performance of this test could violate LCO 3.4.2, "RCS Minimum Temperature for Criticality."e.The Flux Symmetry Test measures the degree of azimuthal symmetry of the neutron flux at as low a power level as
 
practical. The Flux Distribution Method uses the incore
 
flux detectors to measure the azimuthal flux distribution
 
at selected locations with the core at  30% RTP.APPLICABLE SAFETY ANALYSES The fuel is protected by LCOs that preserve the initial
 
conditions of the core assumed during the safety analyses.
 
The methods for development of the LCOs that are excepted by
 
this LCO are described in Reference
: 6. The above mentioned PHYSICS TESTS, and other tests that may be required to
 
calibrate nuclear instrumentation or to diagnose operational problems, may require the operating control or process
 
variables to deviate from their LCO limitations.
The UFSAR defines requirements for initial testing of the
 
facility, including PHYSICS TESTS. Tables 14.1-1, 14.1-2, and 14.1-3 summarize the zero, low power, and power tests.
Requirements for reload fuel cycle PHYSICS TESTS are defined
 
in ANSI/ANS-19.6.1-1997 (Ref.
4). Although these PHYSICS TESTS are generally accomplished within the limits for all
 
LCOs, conditions may occur when one or more LCOs must be
 
suspended to make completion of PHYSICS TESTS possible or
 
practical. This is acceptable as long as the fuel design
 
criteria are not violated. When one or more of the
 
requirements specified in LCO 3.1.3, "Moderator Temperature Coefficient (MTC)," LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, and LCO 3.4.2 are suspended for PHYSICS TESTS, the fuel design criteria are preserved as long as the power level is limited to  5% RTP, the reactor coolant temperature is kept  531&deg;F, and SDM is within the limits provided in the COLR.(continued)
PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASESNorth Anna Units 1 and 2B 3.1.9-5Revision 24 APPLICABLE SAFETY ANALYSES (continued)
The PHYSICS TESTS include measurement of core nuclear parameters or the exercise of control components that affect process variables. Among the process variables involved are
 
AFD and QPTR, which represent initial conditions of the unit
 
safety analyses. Also involved are the movable control
 
components (control and shutdown banks), which are required to shut down the reactor. The limits for these variables are specified for each fuel cycle in the COLR. As described in
 
LCO 3.0.7, compliance with Test Exception LCOs is optional and, therefore, no criteria of 10 CFR 50.36(c)(2)(ii) apply.
Test Exception LCOs provide flexibility to perform certain
 
operations by appropriately modifying requirements of other
 
LCOs. A discussion of the criteria satisfied for the other
 
LCOs is provided in their respective Bases.
Reference 7 allows special test exceptions (STEs) to be included as part of the LCO that they affect. It was decided, however, to retain this STE as a separate LCO because it was
 
less cumbersome and provided additional clarity.
LCO This LCO allows the reactor parameters of MTC and minimum
 
temperature for criticality to be outside their specified limits. In addition, it allow s selected control and shutdown banks to be positioned outside of their specified alignment
 
and insertion limits. One Power Range Neutron Flux channel
 
may be bypassed, reducing the number of required channels
 
from "4" to "3" to provide input to the reactivity computer.
 
Operation beyond specified limits is permitted for the
 
purpose of performing PHYSICS TESTS and poses no threat to
 
fuel integrity, provided the SRs are met.
The requirements of LCO 3.1.3, LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, and LCO 3.4.2 may be suspended during the performance of PHYSICS TESTS provided:a.RCS lowest loop average temperature is  531&deg;F;b.SDM is within the limits provided in the COLR; andc.THERMAL POWER is  5% RTP.APPLICABILITY This LCO is applicable when performing low power PHYSICS TESTS. The Applicability stated as "during PHYSICS TESTS
 
initiated in MODE 2" to ensure that the 5% RTP maximum power (continued)
North Anna Units 1 and 2B 3.1.9-6Revision 24 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES APPLICABILITY (continued) level is not exceeded. Should the THERMAL POWER exceed
 
5% RTP and, consequently, enter MODE 1, this Applicability statement prevents exiting the Specification and its
 
Required Action.
ACTIONS A.1 and A.2 If the SDM requirement is not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems
 
and components. The operator should begin boration with the
 
best source available for th e unit conditions. Boration will be continued until SDM is within limit.
Suspension of PHYSICS TESTS exceptions requires restoration
 
of each of the applicable LCOs to within specification.
B.1 When THERMAL POWER is >
5% RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent
 
operation of the reactor beyond its design limits.
 
Immediately opening the RTBs will shut down the reactor and
 
prevent operation of the reactor outside of its design
 
limits.C.1 When the RCS lowest T avg is < 531&deg;F, the appropriate action is to restore T avg to within its specified limit. The allowed Completion Time of 15 minutes provides time for restoring T avg to within limits without allowing the unit to remain in an unacceptable condition for an extended period of time.
 
Operation with the reactor critical and with temperature
 
below 531&deg;F could violate the assumptions for accidents analyzed in the safety analyses.
D.1 If the Required Actions and associated Completion Times
 
cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the requirement
 
does not apply. To achieve this status, the unit must be
 
brought to at least MODE 3 within an additional 15 minutes. The Completion Time of 15 additional minutes is reasonable, based on operating experience, for reaching MODE 3 in an orderly manner and without challenging unit systems.
PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASESNorth Anna Units 1 and 2B 3.1.9-7Revision 46 SURVEILLANCE REQUIREMENTS SR  3.1.9.1 The power range and intermediate range neutron detectors
 
must be verified to be OPERABLE in MODE 2 by LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." A CHANNEL
 
OPERATIONAL TEST is performed on each power range and
 
intermediate range channel prior to initiation of the
 
PHYSICS TESTS. This will ensure that the RTS is properly
 
aligned to provide the required degree of core protection
 
during the performance of the PHYSICS TESTS. Performance of
 
the normally scheduled COT is sufficient to ensure the
 
equipment is OPERABLE. LCO 3.3.1 requires a COT on the power range and intermediate range channels every 92 days. These Frequencies have been determined to be sufficient for
 
verification that the equipment is working properly. Because
 
initiation of PHYSICS TESTS does not affect the ability of
 
the equipment to perform its function or the RTS trip
 
capability, and does not invalidate the previous
 
Surveillances, requiring the testing to be performed at a
 
fixed time prior to the initiation of PHYSICS TESTS has no
 
benefit.SR  3.1.9.2 Verification that the RCS lowest loop T avg is  531&deg;F will ensure that the unit is not operating in a condition that
 
could invalidate the safety analyses. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
SR 3.1.9.3 Verification that the THERMAL POWER is  5% RTP will ensure that the unit is not operating in a condition that could
 
invalidate the safety analyses. The Surveillance Frequency
 
is based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
SR  3.1.9.4 The SDM is verified by performing a reactivity balance
 
calculation, considering the following reactivity effects:a.RCS boron concentration;b.Rod bank position; North Anna Units 1 and 2B 3.1.9-8Revision 46 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.1.9.4 (continued)c.RCS average temperature;d.Fuel burnup based on gross thermal energy generation;e.Xenon concentration;f.Samarium concentration;g.Isothermal temperature coefficient (ITC), when below the point of adding heat (POAH);h.Moderator Defect when above the POAH; andi.Doppler Defect when above the POAH.
Using the ITC accounts for Doppler reactivity in this
 
calculation when the reactor is subcritical or critical but below the POAH, and the fuel temperature will be changing at
 
the same rate as the RCS.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.10 CFR 50, Appendix B, Section XI.2.10 CFR 50.59.3.Regulatory Guide 1.68, Revision 2, August, 1978.4.ANSI/ANS-19.6.1-1997, August 22, 1997.5.Letter from W.L. Stewart to NRC, "Virginia Electric and Power Company, Surry Power Station, Units 1 and 2, North Anna Power Station, Units 1 and 2, Modification of Startup Physics Testing Program Inspector Follow-Up
 
Item 280, 281/88-29-01," dated 12/8/89.6.VEP-FRD-42-A, "Reload Nuclear Design Methodology."7.WCAP-11618, including Addendum 1, April 1989.
North Anna Units 1 and 2B 3.2.1-1Revision 0 F Q (Z)B 3.2.1 B 3.2  POWER DISTRIBUTION LIMITSB 3.2.1Heat Flux Hot Channel Factor (F Q (Z))BASES BACKGROUNDThe purpose of the limits on the values of F Q (Z) is to limit the local (i.e., pellet) peak power density. The value of F Q (Z) varies along the axial height (Z) of the core.
F Q (Z) is defined as the maximum local fuel rod linear power density divided by the average fuel rod linear power
 
density, assuming nominal fuel pellet and fuel rod
 
dimensions. Therefore, F Q (Z) is a measure of the peak fuel pellet power within the reactor core.
During power operation, the global power distribution is
 
limited by LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which are directly and continuously measured process variables. These
 
LCOs, along with LCO 3.1.6, "Control Bank Insertion Limits,"
maintain the core limits on power distributions on a
 
continuous basis.
F Q (Z) varies with fuel loading patterns, control bank insertion, fuel burnup, and changes in axial power
 
distribution.
F Q (Z) is measured periodically using the incore detector system. These measurements are generally taken with the core
 
at or near steady state conditions.Using the measured three dimensional power distributions, it
 
is possible to derive a measured value for F Q (Z), (Z). However, because this value represents a steady state condition, it does not encompass the variations in the value
 
of F Q (Z) that are present during nonequilibrium situations, such as load changes.
To account for these possible variations, the steady state
 
limit for F Q (Z) is adjusted by an elevation dependent factor that accounts for the calculated worst case transient
 
conditions.
Core monitoring and control under nonsteady state conditions
 
are accomplished by operating the core within the limits of the appropriate LCOs, including th e limits on AFD, QPTR, and control rod insertion.
F Q M North Anna Units 1 and 2B 3.2.1-2Revision 13 F Q (Z)B 3.2.1 BASES APPLICABLE
 
SAFETY ANALYSESThis LCO precludes core powe r distributions that violate the following fuel design criteria:a.During a loss of coolant accident (LOCA), the peak cladding temperature during a small break LOCA must not
 
exceed 2200&deg;F, and there must be a high level of
 
probability that the peak cladding temperature does not
 
exceed 2200&deg;F for the large breaks (Ref.
1);b.During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95%
 
confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a departure from
 
nucleate boiling (DNB) condition;c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225 cal/gm and irradiated fuel is limited to 200 cal/gm (Ref.
2); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest
 
worth control rod stuck fully withdrawn (Ref.
3).Limits on F Q (Z) ensure that the value of the initial total peaking factor assumed in the accident analyses remains
 
valid. Other criteria must also be met (e.g., maximum
 
cladding oxidation, maximum hydrogen generation, coolable geometry, and long term cooling). However, the peak cladding temperature is typically most limiting.
F Q (Z) limits assumed in the LOCA analysis are typically limiting relative to (i.e., lower than) the F Q (Z) limit assumed in safety analyses for other postulated accidents.
 
Therefore, this LCO provides conservative limits for other
 
postulated accidents.
F Q (Z) satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
F Q (Z)B 3.2.1 BASESNorth Anna Units 1 and 2B 3.2.1-3Revision 13 LCO The Measured Heat Flux Hot Channel Factor, (Z), shall be limited by the following relationships, as described in Reference 4: (Z) for P > 0.5 (Z) for P  0.5where:CFQ is the F Q (Z) limit at RTP provided in the COLR,  K(Z) is the normalized F Q (Z) as a function of core height provided in the COLR,  N(Z) is a cycle dependent function that accounts
 
for power distribution transients encountered
 
during normal operation. N(Z) is included in the
 
COLR; and  P is the fraction of RATED THERMAL POWER defined
 
as  P = The actual values of CFQ, K(Z), and N(Z) are given in the
 
COLR; however, CFQ is normally approximately 2, K(Z) is a
 
function that looks like the one provided in
 
Figure B 3.2.1-1, and N(Z) is a value greater than 1.0.
An (Z) evaluation requires obtaining an incore flux map in MODE 1. From the incore flux map results we obtain the measured value of F Q (Z). Then, the measured (Z) is increased by 1.03 which is a factor that accounts for fuel
 
manufacturing tolerances and 1.05 which accounts for flux
 
map measurement uncertainty (Ref.
4).The FQ(Z) limits define limiting values for core power
 
peaking that precludes peak cladding temperatures above
 
2200&deg;F during a small break LOCA and assures with a high
 
level of probability that the peak cladding temperature does not exceed 2200&deg;F for large breaks (Ref.
1).This LCO requires operation within the bounds assumed in the
 
safety analyses. Calculations are performed in the core
 
design process to confirm that the core can be controlled in (continued)
F Q M F Q MCFQKZ ()PNZ ()-----------
-----------
-F Q MCFQKZ ()0.5NZ ()-----------
-----------
-THERMAL POWER RTP-------------------------
F Q M F Q M North Anna Units 1 and 2B 3.2.1-4Revision 13 F Q (Z)B 3.2.1 BASES LCO (continued) such a manner during operation that it can stay within the
 
LOCA F Q (Z) limits. If F Q (Z) cannot be maintained within the LCO limits, reduction of the core power is required.
Violating the LCO limits for F Q (Z) produces unacceptable consequences if a design basis event occurs while F Q (Z) is outside its specified limits.
APPLICABILITY The F Q (Z) limits must be maintained in MODE 1 to prevent core power distributions from exceeding the limits assumed in the
 
safety analyses. Applicability in other MODES is not
 
required because there is either insufficient stored energy
 
in the fuel or insufficient energy being transferred to the
 
reactor coolant to require a limit on the distribution of
 
core power.
ACTIONS A.1 If (Z) exceeds its specified limits, reducing the AFD limit by  1% for each 1% by which (Z) exceeds its limit within the allowed Completion Time of 15 minutes, restricts the axial flux distribution such that even if a transient
 
occurred, core peaking factors are not exceeded. The maximum AFD limits initially determined by Required Action A.1 may be affected by subsequent determinations of (Z) and would require AFD reductions with 15 minutes of the (Z) determination, if necessary.
A.2.1 Reducing THERMAL POWER by  1% RTP for each 1% by which (Z) exceeds its limit, maintains an acceptable absolute power density. The percent that (Z) exceeds the limit can be determined from:
for P > 0.5 for P  0.5 (continued)
F Q M F Q M F Q M F Q M F Q M F Q M maximum over z F Q M Z ()CFQKZ ()PNZ ()-------------------
--------------------
-
1.0-100xmaximum over z F Q M Z ()CFQKZ ()0.5NZ ()-------------------
--------------------
-
1.0-100x F Q (Z)B 3.2.1 BASESNorth Anna Units 1 and 2B 3.2.1-5Revision 13 ACTIONS A.2.1 (continued)(Z) is the measured F Q(Z) multiplied by factors accounting for manufacturing tolerances and measurement uncertainties. (Z) is the measured value of F Q (Z). The Completion Time of 15 minutes provides an acceptable time to reduce power in an orderly manner and without allowing the unit to remain in an unacceptable condition for an extended period of time. The
 
maximum allowable power level initially determined by
 
Required Action A.2.1 may be affected by subsequent determinations of (Z) and would require power reductions within 15 minutes of the (Z) determination, if necessary to comply with the decreased maximum allowable power level.
 
Decreases in (Z) would allow increasing the maximum allowable power level and increasing power up to this
 
revised limit.
A.2.2 A reduction of the Power Range Neutron Flux-High trip
 
setpoints by  1% for each 1% by which (Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power
 
distributions. The Completion Time of 72 hours is sufficient considering the small likelihood of a severe transient in
 
this time period and the preceding prompt reduction in
 
THERMAL POWER in accordance with Required Action A.2.1. The maximum allowable Power Range Neutron Flux-High trip
 
setpoints initially determined by Required Action A.2.2 may be affected by subsequent determinations of (Z) and would require Power Range Neutron Flux-High trip setpoint
 
reductions within 72 hours of the (Z) determination, if necessary to comply with the decreased maximum allowable
 
Power Range Neutron Flux-High trip setpoints. Decreases in (Z) would allow increasing the maximum allowable Power Range Neutron Flux-High trip setpoints.
A.2.3 Reduction in the Overpower T trip setpoints (value of K
: 4) by  1% (in T span) for each 1% by which (Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power
 
distributions. The Completion Time of 72 hours is sufficient considering the small likelihood of a severe transient in
 
this time period, and the preceding prompt reduction in
 
THERMAL POWER in accordance with Required Action A.2.1. The (continued)
F Q M F Q M F Q M F Q M F Q M F Q M F Q M F Q M F Q M F Q M North Anna Units 1 and 2B 3.2.1-6Revision 13 F Q (Z)B 3.2.1 BASES ACTIONS A.2.3 (continued) maximum allowable Overpower T trip setpoints initially determined by Required Action A.2.3 may be affected by subsequent determinations of (Z) and would require Overpower T trip setpoint reductions within 72 hours of the (Z) determination, if necessary to comply with the decreased maximum allowable Overpower T trip setpoints.
Decreases in (Z) would allow increasing the maximum Overpower T trip setpoints.
A.2.4 Verification that (Z) has been restored to within its limit, by performing SR 3.2.1.1 prior to increasing THERMAL POWER above the limit imposed by Required Action A.2.1, ensures that core conditions during operation at higher
 
power levels are consistent with safety analyses
 
assumptions.
B.1 If Required Actions A.1, A.2.1, A.2.2, A.2.3, or A.2.4 are not met within their associated Completion Times, the unit
 
must be placed in a MODE or condition in which the LCO
 
requirements are not applicable. This is done by placing the unit in at least MODE 2 within 6 hours.This allowed Completion Time is reasonable based on
 
operating experience regarding the amount of time it takes
 
to reach MODE 2 from full power operation in an orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR 3.2.1.1 is modified by a Note. It states that THERMAL POWER may be increased until a power level for extended
 
operation has been achieved at which a power distribution
 
map can be obtained. This allowance is modified, however, by
 
one of the Frequency conditions that requires verification
 
that (Z) is within its specified limit after a power rise of more than 10%
RTP over the THERMAL POWER at which it was last verified to be within specified limits. In the absence
 
of this Frequency condition, it is possible to increase
 
power to RTP and operate for 31 days without verification of (Z). The Frequency condition is not intended to require verification of these parameters after every 10%
increase in power level above the last verification. It only requires (continued)
F Q M F Q M F Q M F Q M F Q M F Q M F Q (Z)B 3.2.1 BASESNorth Anna Units 1 and 2B 3.2.1-7Revision 46 SURVEILLANCE REQUIREMENTS (continued) verification after a power level is achieved for extended
 
operation that is 10%
higher than that power at which F Q was last measured.
SR  3.2.1.1 The nuclear design process includes calculations performed
 
to determine that the core can be operated within the
 
F Q (Z) limits. Because flux maps are taken in steady state conditions, the variations in power distribution resulting
 
from normal operational maneuvers are not present in the
 
flux map data. These variations are, however, conservatively
 
calculated by considering a wide range of unit maneuvers in
 
normal operation. The maximum peaking factor increase over
 
steady state values, calculated as a function of core
 
elevation, Z, is called N(Z).
The limit with which (Z) is compared varies inversely with power above 50% RTP and N(Z) and directly with a function
 
called K(Z) provided in the COLR.
Performing this Surveillance in MODE 1 prior to exceeding 75% RTP ensures that the (Z) limit is met when RTP is achieved, because peaking factors generally decrease as
 
power level is increased.
If THERMAL POWER has been increased by  10% RTP since the last determination of (Z), another evaluation of this factor is required 12 hours after achieving equilibrium conditions at this h igher power level (to ensure that (Z) values are being reduced sufficiently with power increase to stay within the LCO limits).
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
Flux map data are taken for multiple core elevations. (Z) evaluations are not applicable for the following axial core
 
regions, measured in percent of core height:a.Lower core region, from 0 to 15% inclusive; andb.Upper core region, from 85 to 100% inclusive.
F Q M F Q M F Q M F Q M F Q M North Anna Units 1 and 2B 3.2.1-8Revision 13 F Q (Z)B 3.2.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.2.1.1 (continued)
The top and bottom 15% of the core are excluded from the
 
evaluation because of the low probability that these regions would be more limiting in th e safety analyses and because of the difficulty of making a precise measurement in these
 
regions.This Surveillance has been modified by a Note that may
 
require that more frequent surveillances be performed. An
 
evaluation of the expression below is required to account
 
for any increase to (Z) that may occur and cause the (Z) limit to be exceeded before the next required (Z) evaluation.
If the two most recent (Z) evaluations show an increase in the expression maximum over z
, it is required to meet the (Z) limit with the last (Z) increased by the appropriate factor, or to evaluate (Z) more frequently, each 7 EFPD. These alternative requirements prevent F Q (Z) from exceeding its limit without detection.
REFERENCES1.10 CFR 50.46.2.VEP-NFE-2-A, "VEPCO Evaluation of the Control Rod Ejection Transient."3.UFSAR, Section 3.1.22.4.VEP-NE-1-A, "VEPCO Relaxed Power Distribution Control Methodology and Associated FQ Surveillance Technical
 
Specifications."
F Q M F Q M F Q M F Q M F Q M Z ()KZ ()---------F Q M F Q M F Q M North Anna Units 1 and 2B 3.2.1-9Revision 13 F Q (Z)B 3.2.1 Figure B 3.2.1-1 (page 1 of 1)
K(Z)-Normalized F Q (Z) as a Function of Core Height(6, 1.0)(12, .925) 0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 1.1 1.20123456789101112 CORE HEIGHT (FT)
K(Z)DO NOT OPERATE IN THIS AREATHIS FIGURE FOR ILLUSTRATION ONLY. DO NOT USE FOR OPERATION CORE HEIGHT
* FOR CORE HEIGHT OF 12 FEET FT. (*)%16.633.350.066.783.3100 Intentionally Blank North Anna Units 1 and 2B 3.2.2-1Revision 0 B 3.2.2 FH N B 3.2  POWER DISTRIBUTION LIMITSB 3.2.2Nuclear Enthalpy Rise Hot Channel Factor ()BASES BACKGROUND The purpose of this LCO is to establish limits on the power density at any point in the core so that the fuel design
 
criteria are not exceeded and the accident analysis
 
assumptions remain valid. The design limits on local (pellet) and integrated fuel rod peak power density are
 
expressed in terms of hot channel factors. Control of the
 
core power distribution with respect to these factors
 
ensures that local conditions in the fuel rods and coolant
 
channels do not challenge core integrity at any location
 
during either normal operation or a postulated accident
 
analyzed in the safety analyses.
is defined as the ratio of the integral of the linear power along the fuel rod with the highest integrated power to
 
the average integrated fuel rod power. Therefore,  is a measure of the maximum total power produced in a fuel rod.
is sensitive to fuel loading patterns, bank insertion, and fuel burnup.
typically increases with control bank insertion and typically decreases with fuel burnup. is not directly measurable but is inferred from a power distribution map obtained with the movable incore detector
 
system. Specifically, the results of the three dimensional
 
power distribution map are analyzed by a computer to
 
determine . This factor is calculated at least every 31 EFPD. However, during power operation, the global power distribution is monitored by LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which address directly and continuously measured
 
process variables.
The COLR provides peaking factor limits that ensure that the
 
design basis value of the departure from nucleate boiling (DNB) is met for normal operation, operational transients, and any transient condition arising from events of moderate
 
frequency. The DNB design basis precludes DNB and is met by
 
limiting the minimum local DNB heat flux ratio to a value
 
greater than the design limits. All DNB limited transient
 
events are assumed to begin with an value that satisfies the LCO requirements.(continued)
FH N FH N FH N FH N FH N FH N FH N FH N North Anna Units 1 and 2B 3.2.2-2Revision 13 B 3.2.2 BASES FH N BACKGROUND (continued)
Operation outside the LCO limits may produce unacceptable consequences if a DNB limiting event occurs. The DNB design
 
basis ensures that there is no overheating of the fuel that
 
results in possible cladding perforation with the release of
 
fission products to the reactor coolant.
APPLICABLE
 
SAFETY ANALYSES Limits on  preclude core power distributions that exceed the following fuel design limits:a.There must be at least 95% probability at the 95%
confidence level (the 95/95 DNB criterion) that the hottest fuel rod in the core does not experience a DNB
 
condition;b.During a loss of coolant accident (LOCA), the peak cladding temperature during a small break LOCA must not
 
exceed 2200&deg;F, and there must be a high level of
 
probability that the peak cladding temperature does not
 
exceed 2200&deg;F for large breaks;c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225 cal/gm and irradiated fuel is limited to 200 cal/gm (Ref.
1); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest
 
worth control rod stuck fully withdrawn (Ref.
2).For transients that may be DNB limited, the Reactor Coolant
 
System flow, temperature, and pressure, and are the parameters of most importance. The limits on ensure that the DNB design basis is met for normal operation, operational transients, and any transients arising from
 
events of moderate frequency. The DNB design basis is met by
 
limiting the minimum DNBR to a value which provides a high
 
degree of assurance that the hottest fuel rod in the core
 
does not experience a DNB.
The allowable limit increases with decreasing power level. This functionality in is included in the analyses that provide the Reactor Core Safety Limits (SLs) of
 
SL 2.1.1. Therefore, any DNB events in which the calculation of the core limits is modeled implicitly use this variable
 
value of  in the analyses. Likewise, all transients that (continued)
FH N FH N FH N FH N FH N FH N B 3.2.2 BASES FH NNorth Anna Units 1 and 2B 3.2.2-3Revision 9 APPLICABLE SAFETY ANALYSES (continued)may be DNB limited are assumed to begin with an initial as a function of power level defined by the COLR limit
 
equation.The LOCA safety analysis indirectly models as an input parameter. The Nuclear Heat Flux Hot Channel Factor (F Q (Z)) and the axial peaking factors are inserted directly into the
 
LOCA safety analyses that verify the acceptability of the
 
resulting peak cladding temperature (Ref.
3).The fuel is protected in part by Technical Specifications, which ensure that the initial conditions assumed in the
 
safety and accident analyses remain valid. The following
 
LCOs ensure this: LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD),"
LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," LCO 3.1.6, "Control Bank Insertion Limits," LCO 3.2.2, "Nuclear Enthalpy Rise Hot Channel Factor ()," LCO 3.2.1, "Heat Flux Hot Channel Factor (F Q (Z))," and LCO 3.4.1, "RCS Pressure, Temperature, and Flow DNB Limits."
and F Q (Z) are measured periodically using the movable incore detector system. Measurements are generally taken
 
with the core at, or near, steady state conditions. Core
 
monitoring and control under transient conditions (Condition 1 events) are accomplished by operating the core within the limits of the LCOs on AFD, QPTR, and Bank
 
Insertion Limits.
satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO shall be maintained within the limits of the relationship provided in the COLR.
The  limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has the highest
 
probability for a DNB.
The limiting value of , described by the equation contained in the COLR, is the design radial peaking factor
 
used in the unit safety analyses.
A power multiplication factor in this equation includes an
 
additional margin for higher radial peaking from reduced
 
thermal feedback and greater control rod insertion at low
 
power levels.
FH N FH N FH N FH N FH N FH N FH N FH N North Anna Units 1 and 2B 3.2.2-4Revision 0 B 3.2.2 BASES FH N APPLICABILITY The  limits must be maintained in MODE 1 to preclude core power distributions from exceeding the fuel design limits for DNBR and PCT. Applicability in other modes is not
 
required because there is either insufficient stored energy
 
in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power.
 
The design bases events that are sensitive to in other modes (MODES 2 through 5) have sufficient margin to DNB, and therefore, there is no need to restrict in these modes.
ACTIONS A.1 and A.2 Condition A is modified by a Note that requires that Required Actions A.3 and A.4 must be completed whenever Condition A is entered. Thus, because even if is restored to within limits, Required Action A.3 nevertheless requires another measurement and calculation of within 24 hours in accordance with SR 3.2.2.1.However, if power is reduced below 50%
RTP, Required Action A.4 requires that another determination of must be done prior to exceeding 50%
RTP, prior to exceeding 75% RTP, and within 24 hours after reaching or exceeding 95% RTP. In addition, Required Action A.3 is performed if power ascension is delayed past 24 hours.If the value of is not restored to within its specified limit either by adjusting a misaligned rod or by reducing
 
THERMAL POWER, the alternative option is to reduce THERMAL
 
POWER to <
50% RTP in accordance with Required Action A.1 and reduce the Power Range Neutron Flux-High to  55% RTP in accordance with Required Action A.2. Reducing RTP to
< 50% RTP increases the DNB margin and does not likely cause the DNBR limit to be violated in steady state operation. The reduction in trip setpoints ensures that continuing
 
operation remains at an acceptable low power level with adequate DNBR margin. T he allowed Completion Time of 4 hours for Required Action A.1 provides an acceptable time to reach the required power level from full power operation without allowing the unit to remain in an unacceptable condition for
 
an extended period of time.
The allowed Completion Time of 72 hours to reset the trip setpoints per Required Action A.2 recognizes that, once power is reduced, the safety analysis assumptions are (continued)
FH N FH N FH N FH N FH N FH N FH N B 3.2.2 BASES FH NNorth Anna Units 1 and 2B 3.2.2-5Revision 0 ACTIONS A.1 and A.2 (continued) satisfied and there is no urgent need to reduce the trip setpoints. This is a sensitive operation that may
 
inadvertently trip the Reactor Protection System.
A.3 Once the power level has been reduced to <
50% RTP per Required Action A.1, an incore flux map (SR 3.2.2.1) must be obtained and the measured value of verified not to exceed the allowed limit at the lower power level. The unit
 
is provided 20 additional hours to perform this task over and above the 4 hours allowed by Action A.1. The Completion Time of 24 hours is acceptable because of the increase in the DNB margin, which is obtained at lower power levels, and the
 
low probability of having a DNB limiting event within this
 
24 hour period. Additionally, operating experience has indicated that this Completion Time is sufficient to obtain
 
the incore flux map, perform the required calculations, and
 
evaluate .A.4 Verification that is within its specified limits after an out of limit occurrence ensures that the cause that led to the  exceeding its limit is corrected, and that subsequent operation proceeds within the LCO limit. This
 
Action demonstrates that the limit is within the LCO limits prior to exceeding 50%
RTP, again prior to exceeding 75% RTP, and within 24 hours after THERMAL POWER is  95% RTP.This Required Action is modified by a Note that states that
 
THERMAL POWER does not have to be reduced prior to performing this Action.
B.1 When Required Actions A.1 through A.4 cannot be completed within their required Completion Times, the unit must be
 
placed in a mode in which the LCO requirements are not
 
applicable. This is done by placing the unit in at least
 
MODE 2 within 6 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience regarding the time required to reach MODE 2 from full power conditions in an orderly mann er and without challenging unit systems.FH N FH N FH N FH N FH N North Anna Units 1 and 2B 3.2.2-6Revision 46 B 3.2.2 BASES FH N SURVEILLANCE REQUIREMENTS SR  3.2.2.1 The value of is determined by using the movable incore detector system to obtain a flux distribution map. A data
 
reduction computer program then calculates the maximum value
 
of  from the measured flux distributions. The limit contains an allowance of 1.04 to account for measurement
 
uncertainty.
After each refueling,  must be determined in MODE 1 prior to exceeding 75%
RTP. This requirement ensures that limits are met at the beginning of each fuel cycle.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.VEP-NFE-2-A, "VEPCO Evaluation of the Control Rod Ejection Transient."2.UFSAR, Section 3.1.22.3.10 CFR 50.46.FH N FH N FH N FH N FH N North Anna Units 1 and 2B 3.2.3-1Revision 0 AFD B 3.2.3 B 3.2  POWER DISTRIBUTION LIMITSB 3.2.3AXIAL FLUX DIFFERENCE (AFD)
BASES BACKGROUNDThe purpose of this LCO is to establish limits on the values
 
of the AFD in order to limit the amount of axial power
 
distribution skewing to either the top or bottom of the core.
 
By limiting the amount of power distribution skewing, core
 
peaking factors are consistent with the assumptions used in
 
the safety analyses. Limiting power distribution skewing
 
over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution
 
control.Relaxed Power Distribution Control (RPDC) is a calculational
 
procedure that defines the allowed operational space of the
 
AFD versus THERMAL POWER. The AFD limits are selected by
 
considering a range of axial xenon distributions that may
 
occur as a result of large variations of the AFD.
 
Subsequently, power peaking factors and power distributions
 
are examined to ensure that the loss of coolant accident (LOCA), loss of flow accident, and anticipated transient
 
limits are met. Violation of the AFD limits invalidate the
 
conclusions of the accident and transient analyses with
 
regard to fuel cladding integrity.
The AFD is monitored on an automatic basis using the unit
 
process computer, which has an AFD monitor alarm. The
 
computer determines the 1 minute average of each of the OPERABLE excore detector outputs and provides an alarm
 
message immediately if the AFD for two or more OPERABLE
 
excore channels is outside its specified limits.
APPLICABLE
 
SAFETY ANALYSES The AFD is a measure of the axial power distribution skewing
 
to either the top or bottom half of the core. The AFD is
 
sensitive to many core related parameters such as control
 
bank positions, core power level, axial burnup, axial xenon
 
distribution, and, to a lesser extent, reactor coolant
 
temperature and boron concentration.
The allowed range of the AFD is used in the nuclear design
 
process to confirm that operation within these limits
 
produces core peaking factors and axial power distributions
 
that meet safety analysis requirements.(continued)
North Anna Units 1 and 2B 3.2.3-2Revision 0 AFD B 3.2.3 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The RPDC methodology (Ref.
: 1) establishes a xenon distribution library with tentatively wide AFD limits. Axial
 
power distribution calculations are then performed to
 
demonstrate that normal operation power shapes are
 
acceptable for the LOCA and loss of flow accident, and for
 
initial conditions of anticipated transients. The tentative
 
limits are adjusted as necessary to meet the safety analysis
 
requirements.
The limits on the AFD ensure that the Heat Flux Hot Channel
 
Factor (F Q (Z)) is not exceeded during either normal operation or in the event of xenon redistribution following power
 
changes. The limits on the AFD also restrict the range of
 
power distributions that are used as initial conditions in
 
the analyses of Condition 2, 3, or 4 events. This ensures that the fuel cladding integrity is maintained for these
 
postulated accidents. The most important Condition 4 event is the LOCA. The most important Condition 3 event is the loss of flow accident. The most important Condition 2 events are uncontrolled rod withdrawal, excessive heat removal, and
 
boration or dilution accidents. Condition 2 accidents simulated to begin from within the AFD limits are used to
 
confirm the adequacy of the Overpower T and Overtemperature T trip setpoints.
The limits on the AFD satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The shape of the power profile in the axial (i.e., the
 
vertical) direction is largely under the control of the
 
operator through the manual operation of the control banks
 
or automatic motion of control banks. The automatic motion
 
of the control banks is in response to temperature
 
deviations resulting from manual operation of the Chemical
 
and Volume Control System to change boron concentration or
 
from power level changes.
Signals are available to the operator from the Nuclear
 
Instrumentation System (NIS) excore neutron detectors (Ref. 2). Separate signals are tak en from the top and bottom detectors. The AFD is defined as the difference in
 
normalized flux signals between the top and bottom excore
 
detectors in each detector well. For convenience, this flux
 
difference is converted to provide flux difference units
 
expressed as a percentage and labeled as % flux or %I.(continued)
AFD B 3.2.3 BASESNorth Anna Units 1 and 2B 3.2.3-3Revision 46 LCO (continued)
The AFD limits are provided in the COLR. Figure B 3.2.3-1 shows typical RPDC AFD limits. The AFD limits for RPDC do not
 
depend on the target flux difference. However, the target flux difference may be used to minimize changes in the axial power distribution.
Violating this LCO on the AFD could produce unacceptable
 
consequences if a Condition 2, 3, or 4 event occurs while the AFD is outside its specified limits.
The LCO is modified by a Note which states that AFD shall be
 
considered outside its limit when two or more OPERABLE
 
excore channels indicate AFD to be outside its limit.
APPLICABILITY The AFD requirements are applicable in MODE 1 greater than or equal to 50%
RTP when the combination of THERMAL POWER and core peaking factors are of primary importance in safety
 
analysis.For AFD limits developed using RPDC methodology, the value
 
of the AFD does not affect the limiting accident
 
consequences with THERMAL POWER <
50% RTP and for lower operating power MODES.
ACTIONS A.1 As an alternative to restoring the AFD to within its specified limits, Required Action A.1 requires a THERMAL POWER reduction to <
50% RTP. This places the core in a condition for which the value of the AFD is not important in
 
the applicable safety analyses. A Completion Time of
 
30 minutes is reasonable, based on operating experience, to reach 50% RTP without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.2.3.1 This Surveillance verifies that the AFD, as indicated by the NIS excore channel, is within its specified limits. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.2.3-4Revision 9 AFD B 3.2.3 BASES REFERENCES1.VEP-NE-1-A, "VEPCO Relaxed Power Distribution Control Methodology and Associated FQ Surveillance Technical
 
Specifications."2.UFSAR, Chapter
: 7.
North Anna Units 1 and 2B 3.2.3-5Revision 0 AFD B 3.2.3 Figure B 3.2.3-1 (page 1 of 1)
AXIAL FLUX DIFFERENCE Acceptable Operation Limits as a Function of RATED THERMAL POWER Intentionally Blank North Anna Units 1 and 2B 3.2.4-1Revision 13 QPTR B 3.2.4 B 3.2  POWER DISTRIBUTION LIMITSB 3.2.4QUADRANT POWER TILT RATIO (QPTR)
BASES BACKGROUND The QPTR limit ensures that the gross radial power
 
distribution remains consistent with the design values used
 
in the safety analyses. Precise radial power distribution
 
measurements are made during startup testing, after
 
refueling, and periodically during power operation by using
 
the movable incore detector system to obtain full core flux
 
maps. Between these full core flux maps, the excore neutron
 
detectors are used to monitor QPTR, which is a measure of changes in the radial power distribution. QPTR is defined in
 
Section 1.1 in terms of ratio s of excore detector calibrated output. However, the movable incore detector system can
 
measure changes in the relative power of symmetrically
 
located incore locations or changes in the incore tilt, which can be used to calculate an equivalent QPTR.The power density at any point in the core must be limited so that the fuel design criteria are maintained. Together, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO 3.2.4, and LCO 3.1.6, "Control Rod Insertion Limits," provide limits on process variables that characterize and control the three
 
dimensional power distribution of the reactor core. Control
 
of these variables ensures that the core operates within the
 
fuel design criteria and that the power distribution remains within the bounds used in the safety analyses.
APPLICABLE
 
SAFETY ANALYSESThis LCO precludes core power distributions that violate the following fuel design criteria:a.During a loss of coolant accident (LOCA), the peak cladding temperature during a small break LOCA must not
 
exceed 2200&deg;F, and there must be a high level of
 
probability that the peak cladding temperature does not
 
exceed 2200&deg;F for large breaks (Ref.
1);b.During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95%
 
confidence level (the 95/95 departure from nucleate
 
boiling (DNB) criterion) that the hot fuel rod in the core
 
does not experience a DNB condition;(continued)
North Anna Units 1 and 2B 3.2.4-2Revision 9 QPTR B 3.2.4 BASES APPLICABLE
 
SAFETY ANALYSES (continued)c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225 cal/gm and irradiated fuel is limited to 200 cal/gm (Ref.
2); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest
 
worth control rod stuck fully withdrawn (Ref.
3).The LCO limits on the AFD, the QPTR, the Heat Flux Hot
 
Channel Factor (F Q (Z)), the Nuclear Enthalpy Rise Hot Channel Factor (), and control bank inser tion are established to preclude core power distributions that exceed the safety analyses limits.
The QPTR limits ensure that  and F Q (Z) remain below their limiting values by preventing an undetected change in the
 
gross radial power distribution.
In MODE 1, the  and F Q (Z) limits must be maintained to preclude core power distributions from exceeding design
 
limits assumed in the safety analyses.
The QPTR satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The QPTR limit of 1.02, at which corrective action is
 
required, provides a margin of protection for both the DNB
 
ratio and linear heat generation rate contributing to
 
excessive power peaks resulting from X-Y plane power tilts.
A limiting QPTR of 1.02 can be tolerated before the margin for uncertainty in F Q (Z) and () is possibly challenged.
APPLICABILITY The QPTR limit must be maintained in MODE 1 with THERMAL POWER > 50% RTP to prevent core power distributions from exceeding the design limits.
Applicability in MODE 1  50% RTP and in other MODES is not required because there is either insufficient stored energy
 
in the fuel or insufficient energy being transferred to the
 
reactor coolant to require the implementation of a QPTR
 
limit on the distribution of core power. The QPTR limit in
 
these conditions is, th erefore, not important. Note that the and F Q (Z) LCOs still apply, but allow progressively higher peaking factors at 50%
RTP or lower.
FH N FH N FH N FH N FH N QPTR B 3.2.4 BASESNorth Anna Units 1 and 2B 3.2.4-3Revision 0 ACTIONS A.1With the QPTR exceeding its limit, a power level reduction of  3% from RTP for each 1% by which the QPTR exceeds 1.00 is a conservative tradeoff of total core power with peak linear power. The Completion Time of 2 hours allows sufficient time to identify the cause and correct the tilt. Note that the
 
power reduction itself may cause a change in the tilted
 
condition.
The maximum allowable power level initially determined by
 
Required Action A.1 may be affected by subsequent determinations of QPTR. Increases in QPTR would require
 
power reduction within 2 hours of QPTR determination, if necessary to comply with the decreased maximum allowable
 
power level. Decreases in QPTR would allow increasing the
 
maximum allowable power level and increasing power up to the revised limit.
A.2 After completion of Required Action A.1, the QPTR alarm may
 
still be in its alarmed state. As such, any additional changes in the QPTR are detected by requiring a check of the
 
QPTR once per 12 hours thereafter. A 12 hour Completion Time is sufficient because any additional change in QPTR would be relatively slow.
A.3 The peaking factors and F Q (Z) are of primary importance in ensuring that the power distribution remains consistent
 
with the initial conditions used in the safety analyses.
 
Performing SRs on  and F Q (Z) within the Completion Time of 24 hours after achieving equilibrium conditions from a THERMAL POWER reduction per Required Action A.1 ensures that these primary indicators of power distribution are within
 
their respective limits. Equilibrium conditions are achieved
 
when the core is sufficiently stable at intended operating
 
conditions to support flux mapping. A Completion Time of
 
24 hours after achieving equilibrium conditions from a THERMAL POWER reduction per Required Action A.1 takes into consideration the rate at which peaking factors are likely
 
to change, and the time required to stabilize the unit and
 
perform a flux map. If these peaking factors are not within
 
their limits, the Required Actions of these Surveillances
 
provide an appropriate response for the abnormal condition.(continued)
FH N FH N North Anna Units 1 and 2B 3.2.4-4Revision 0 QPTR B 3.2.4 BASES ACTIONS A.3 (continued)
If the QPTR remains above its specified limit, the peaking
 
factor surveillances are required each 7 days thereafter to evaluate  and F Q (Z) with changes in power distribution.
Relatively small changes are expected due to either burnup
 
and xenon redistribution or correction of the cause for
 
exceeding the QPTR limit.
A.4 Although  and F Q (Z) are of primary importance as initial conditions in the safety analyses, other changes in the
 
power distribution may occur as the QPTR limit is exceeded
 
and may have an impact on the validity of the safety
 
analysis. A change in the power distribution can affect such
 
reactor parameters as bank worths and peaking factors for
 
rod malfunction accidents. When the QPTR exceeds its limit, it does not necessarily mean a safety concern exists. It does
 
mean that there is an indication of a change in the gross
 
radial power distribution that requires an investigation and
 
evaluation that is accomplished by examining the incore
 
power distribution. Specifically, the core peaking factors and the quadrant tilt must be evaluated because they are the factors that best characterize the core power distribution.
 
This re-evaluation is required to ensure that, before
 
increasing THERMAL POWER to above the limit of Required
 
Action A.1, the reactor core conditions are consistent with the assumptions in the safety analyses.
A.5 If the QPTR has exceeded the 1.02 limit and a re-evaluation
 
of the safety analysis is completed and shows that safety
 
requirements are met, the excore detectors are normalized to restore QPTR to within limits prior to increasing THERMAL
 
POWER to above the limit of Required Action A.1. Normalization is accomplished in such a manner that the
 
indicated QPTR following normalization is near 1.00. This is done to detect any subsequent significant changes in QPTR.
Required Action A.5 is modified by two Notes. Note 1 states that the QPTR is not restored to within limits until after
 
the re-evaluation of the saf ety analysis has determined that core conditions at RTP are within the safety analysis
 
assumptions (i.e., Required Action A.4). Note 2 states that (continued)
FH N FH N QPTR B 3.2.4 BASESNorth Anna Units 1 and 2B 3.2.4-5Revision 0 ACTIONS A.5 (continued) if Required Action A.5 is performed, the Required Action A.6 shall be performed. Required Action A.5 normalizes the excore detectors to restore QPTR to within limits, which
 
restores compliance with LCO 3.2.4. Thus, Note 2 prevents exiting the Actions prior to completing flux mapping to
 
verify peaking factors, per Required Action A.6. These notes are intended to prevent any ambiguity about the required
 
sequence of actions.
A.6 Once the flux tilt is restored to within limits (i.e.,
Required Action A.5 is performed), it is acceptable to
 
return to full power operation. However, as an added check
 
that the core power distribution is consistent with the
 
safety analysis assumptions, Required Action A.6 requires verification that F Q (Z) and  are within their specified limits within 24 hours of reaching equilibrium conditions at RTP. As an added precaution, if the core power does not reach
 
equilibrium conditions at RTP within 24 hours, but is increased slowly, then the peaking factor surveillances must
 
be performed within 48 hours after increasing power above the limit of Required Action A.1. These Completion Times are intended to allow adequate time to increase THERMAL POWER to
 
above the limit of Required Action A.1, while not permitting the core to remain with unconfirmed power distributions for
 
extended periods of time.
Required Action A.6 is modified by a Note that states that the peaking factor surveillances may only be done after the
 
excore detectors have been normalized to restore QPTR to
 
within limits (i.e., Required Action A.5). The intent of this Note is to have the peaking factor surveillances
 
performed at operating power levels, which can only be
 
accomplished after the excore detectors are normalized to
 
restore QPTR to within limits and the core returned to power.
B.1 If Required Actions A.1 through A.6 are not completed within their associated Completion Times, the unit must be brought
 
to a MODE or condition in which the requirements do not
 
apply. To achieve this status, THERMAL POWER must be reduced
 
to  50% RTP within 4 hours. The allowed Completion Time of (continued)
FH N North Anna Units 1 and 2B 3.2.4-6Revision 46 QPTR B 3.2.4 BASES ACTIONS B.1 (continued) 4 hours is reasonable, based on operating experience regarding the amount of time required to reach the reduced
 
power level without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.2.4.1 SR 3.2.4.1 is modified by two Notes. Note 1 allows QPTR to be calculated with three power range channels if THERMAL POWER
 
is  75% RTP and the input from one Power Range Neutron Flux channel is inoperable. Note 2 allows performance of SR
 
3.2.4.2 in lieu of SR 3.2.4.1.
This Surveillance verifies that the QPTR, as indicated by the Nuclear Instrumentation System (NIS) excore channels, is
 
within its limits. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.For those causes of QPT that occur quickly (e.g., a dropped
 
rod), there typically are other indications of abnormality
 
that prompt a verification of core power tilt.
SR  3.2.4.2 This Surveillance verifies that the QPTR, as determined
 
using the movable incore detectors, is within its limits.
This Surveillance may be performed in lieu of SR 3.2.4.1, as provided by a SR 3.2.4.1 Note. SR 3.2.4.2 is modified by a Note, which states that it is not required until 12 hours after the inputs from one or more Power Range Neutron Flux
 
channels are inoperable and the THERMAL POWER is >
75% RTP. Therefore, this Surveillance is only required to be performed when one or more Power Range Neutron Flux channels
 
are inoperable, but may be performed to satisfy the routine
 
monitoring of QPTR.
With an NIS power range channel inoperable, tilt monitoring
 
for a portion of the reactor core becomes degraded. Large
 
tilts are likely detected with the remaining channels, but
 
the capability for detection of small power tilts in some
 
quadrants is decreased. Performing SR 3.2.4.2 provides an accurate alternative means for ensuring that any tilt
 
remains within its limits.(continued)
QPTR B 3.2.4 BASESNorth Anna Units 1 and 2B 3.2.4-7Revision 46 SURVEILLANCE REQUIREMENTS SR  3.2.4.2 (continued)
QPTR is determined using the movable incore detectors
 
performing a full core incore flux map or by monitoring two
 
sets of four thimble locations with quarter core symmetry.
 
The two sets of four symmetric thimbles is a set of eight
 
unique detector locations. These locations are C-8, E-5, E-11, H-3, H-13, L-5, L-11, and N-8. The symmetric thimble flux map can be used to generate symmetric thimble tilt. This
 
can be compared to a reference symmetric thimble tilt, taken from the most recent full core flux map used to normalize the excore detectors, to calculate QPTR. If a full core flux map
 
is used to determine QPTR, the measured incore tilt values
 
from the full core flux map are compared to those from the
 
most recent full core flux map used to normalize the excore
 
detectors. The difference between these tilt values is the
 
QPTR for the current core conditions. Therefore, the movable
 
incore detectors can be used to confirm that QPTR is within
 
limits.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.10 CFR 50.46.2.VEP-NFE-2-A, "VEPCO Evaluation of the Control Rod Ejection Transient."3.UFSAR, Section 3.1.22.
Intentionally Blank North Anna Units 1 and 2B 3.3.1-1Revision 0 RTS Instrumentation B 3.3.1 B 3.3  INSTRUMENTATIONB 3.3.1Reactor Trip System (RTS) Instrumentation BASES BACKGROUND The RTS initiates a unit shutdown, based on the values of
 
selected unit parameters, to protect against violating the
 
core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF)
 
Systems in mitigating accidents.
The protection and monitoring systems have been designed to
 
assure safe operation of the reactor. This is achieved by
 
specifying limiting safety system settings (LSSS) in terms
 
of parameters directly monitored by the RTS, as well as
 
specifying LCOs on other reactor system parameters and
 
equipment performance.
Technical specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "- settings for
 
automatic protective devices - so chosen that automatic
 
protective action will correct the abnormal situation before
 
a Safety Limit (SL) is exceeded." The Analytic Limit is the
 
limit of the process variable at which a safety action is
 
initiated, as established by the safety analysis, to ensure
 
that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analyt ic Limit therefore ensures that the SL is not exceeded. However, in practice, the actual
 
settings for automatic protective devices must be chosen to
 
be more conservative than the Analytic Limit to account for
 
instrument loop uncertainties related to the setting at
 
which the automatic protective action would actually occur.
The Trip Setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior
 
to the process variable reaching the Analytic Limit and thus ensuring that the SL would not be exceeded. As such, the Trip Setpoint accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point
 
of action of the device over time (e.g., drift during
 
surveillance intervals), and any other factors which may
 
influence its actual performance (e.g., harsh accident
 
environments). In this manner, the Trip Setpoint plays an
 
important role in ensuring the SLs are not exceeded. As such, (continued)
North Anna Units 1 and 2B 3.3.1-2Revision 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued) the Trip Setpoint meets the definition of an LSSS (Ref.
: 9) and could be used to meet the requirement that they be
 
contained in the technical specifications.
Technical specifications contain values related to the
 
OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in technical specifications as
 
"- being capable of performing its safety function(s)." For
 
automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS
 
as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, use of the Trip Setpoint to
 
define OPERABILITY in technical specifications and its
 
corresponding designation as the LSSS required by
 
10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as found"
 
value of a protective device setting during a surveillance.
 
This would result in technical specification compliance
 
problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For
 
example, an automatic protective device with a setting that has been found to be different from the Trip Setpoint due to
 
some drift of the setting may still be OPERABLE since drift
 
is to be expected. This expected drift would have been
 
specifically accounted for in the setpoint methodology for
 
calculating the Trip Setpoint and thus the automatic
 
protective action would still have ensured that the SL would not be exceeded with the "as found" setting of the protective
 
device. Therefore, the device would still be OPERABLE since
 
it would have performed its safety function and the only
 
corrective action required would be to reset the device to
 
the Trip Setpoint to account for further drift during the
 
next surveillance interval.Use of the Trip Setpoint to define "as found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and technical specifications that are clearly not
 
warranted. However, there is also some point beyond which
 
the device would have not been able to perform its function
 
due, for example, to greater than expected drift. This value
 
needs to be specified in the technical specifications in order to define OPERABILITY of the devices and is designated
 
as the Allowable Value which, as stated above, is the same as
 
the LSSS.(continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-3Revision 20 BACKGROUND (continued)The Allowable Value specified in Table 3.3.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is
 
found not to exceed the Allowable Value during the CHANNEL
 
OPERATIONAL TEST (COT). As su ch, the Allowable Value differs from the Trip Setpoint by an amount primarily equal to the
 
expected instrument loop uncertainties, such as drift, during the surveillance interval. In this manner, the actual
 
setting of the device will still meet the LSSS definition and ensure that a Safety Limit is not exceeded at any given point
 
of time as long as the device has not drifted beyond that
 
expected during the surveillance interval. If the actual setting of the device is found to have exceeded the Allowable
 
Value the device would be considered inoperable for a
 
technical specification perspective. This requires
 
corrective action including those actions required by
 
10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is
 
"OPERABLE" under these circumstances, the trip setpoint
 
should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with
 
uncertainty assumptions stated in the referenced set point
 
methodology (as-left criteria), and confirmed to be
 
operating within the statistical allowances of the
 
uncertainty terms assigned.During AOOs, which are th ose events expected to occur one or more times during the unit life, the acceptable limits are:1.The Departure from Nucl eate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent
 
departure from nucleate boiling (DNB);2.Fuel centerline melt shall not occur; and 3.The RCS pressure SL of 2750 psia shall not be exceeded.
Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures
 
that offsite dose will be within the 10 CFR 50 criteria during AOOs.
Accidents are events that are analyzed even though they are
 
not expected to occur during the unit life. The acceptable
 
limit during accidents is that offsite dose shall be
 
maintained within an acceptable fraction of 10 CFR 50.67 limits. Different accident categories are allowed a
 
different fraction of these limits, based on probability of (continued)
North Anna Units 1 and 2B 3.3.1-4Revision 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued) occurrence. Meeting the acceptable dose limit for an
 
accident category is considered having acceptable
 
consequences for that event.
The RTS instrumentation is segmented into four distinct but
 
interconnected modules as described in UFSAR, Chapter 7 (Ref. 1), and as identified below:1.Field transmitters or process sensors: provide a measurable electronic signal based upon the physical
 
characteristics of the parameter being measured;2.Signal Process Control and Protection System, including Analog Protection System, Nuclear Instrumentation System (NIS), field contacts, and protection channel sets:
 
provides signal conditioning, bistable setpoint
 
comparison, process algorithm actuation, compatible
 
electrical signal output to protection system devices, and control board/control room/miscellaneous indications;3.Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown
 
and/or ESF actuation in accordance with the defined
 
logic, which is based on the bistable outputs from the
 
signal process control and protection system; and4.Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to
 
interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to trip, or de-energize, and fall
 
into the core and shut down the reactor. The bypass
 
breakers allow testing of the RTBs at power.
Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account
 
for the calibration tolerances and instrument drift, which
 
are assumed to occur between calibrations, statistical
 
allowances are provided in the trip setpoints and Allowable
 
Values. The OPERABILITY of each transmitter or sensor is
 
determined by either "as-found" calibration data evaluated
 
during the CHANNEL CALIBRATION or by qualitative assessment
 
of field transmitter or sensor as related to the channel
 
behavior during performance of CHANNEL CHECK.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-5Revision 0 BACKGROUND (continued)
Signal Process Control and Protection System Generally, three or four channels of process control equipment are used for the signal processing of unit
 
parameters measured by the field instruments. The process
 
control equipment provides signal conditioning, comparable
 
output signals for instruments located on the main control
 
board, and comparison of measured input signals with
 
setpoints established by safety analyses. These setpoints
 
are defined in UFSAR, Chapter 7 (Ref. 1), Chapter 6 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and
 
through the input bays. However, not all unit parameters
 
require four channels of sensor measurement and signal
 
processing. Some unit parameters provide input only to the
 
SSPS, while others provide input to the SSPS, the main
 
control board, the unit computer, and one or more control
 
systems.When a parameter is used only for input to the protection
 
circuits, three channels with a two-out-of-three logic are
 
sufficient to provide the required reliability and
 
redundancy. If one channel fails in a direction that would
 
not result in a partial Function trip, the Function is still
 
OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not
 
occur and the Function is still OPERABLE with a
 
one-out-of-two logic.
When a parameter is used for input to the SSPS and a control
 
function, four channels with a two-out-of-four logic are
 
sufficient to provide the required reliability and
 
redundancy. The circuit must be able to withstand both an
 
input failure to the control system, which may then require
 
the protection function actuation, and a single failure in
 
the other channels providing the protection function
 
actuation. Again, a single failure will neither cause nor
 
prevent the protection function actuation. These
 
requirements are described in IEEE-279-1971 (Ref.
4). The actual number of channels required for each unit parameter
 
is specified in Reference 1.Two logic channels are required to ensure no single random
 
failure of a logic channel will disable the RTS. The logic
 
channels are designed such that testing required while the (continued)
North Anna Units 1 and 2B 3.3.1-6Revision 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND Signal Process Control and Protection System (continued) reactor is at power may be accomplished without causing
 
trip. Provisions to allow removing logic channels from
 
service during maintenance are unnecessary because of the
 
logic system's designed reliability.
Allowable Values and RTS Setpoints The trip setpoints used in the bistables are based on the
 
analytical limits cited in Reference
: 3. The selection of these trip setpoints is such that adequate protection is
 
provided when all sensor and processing time delays are
 
taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe
 
environment errors for those RTS channels that must function
 
in harsh environments as defined by 10 CFR 50.49 (Ref.
5), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the
 
analytical limits. The methodology used to calculate the
 
trip setpoints and Allowable Values, including their
 
explicit uncertainties, is cited in the "RTS/ESFAS Setpoint
 
Methodology Study" (Ref.
: 6) which incorporates all of the known uncertainties applicable to each channel. The
 
magnitudes of these uncertainties are factored into the
 
determination of each trip setpoint and corresponding
 
Allowable Value. The tr ip setpoint entered into the bistable is more conservative than that specified by the Allowable Value (LSSS) to account for measurement errors detectable by
 
the COT. The Allowable Value serves as the Technical
 
Specification OPERABILITY limit for the purpose of the COT.
 
One example of such a change in measurement error is drift
 
during the surveillance interval. If the measured setpoint
 
does not exceed the Allowable Value, the bistable is
 
considered OPERABLE.
The trip setpoint is the value at which the bistable is set
 
and is the expected value to be achieved during calibration.
 
The trip setpoint value ensures the LSSS and the safety
 
analysis limits are met for surveillance interval selected
 
when a channel is adjusted based on stated channel
 
uncertainties. Any bistable is considered to be properly adjusted when the "as left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/-
rack calibration + comparator setting uncertainties). The trip (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-7Revision 0 BACKGROUND Allowable Values and RTS Setpoints (continued) setpoint value is therefore considered a "nominal" value (i.e., expressed as a value without inequalities) for the
 
purposes of COT and CHANNEL CALIBRATION.
Trip setpoints consistent with the requirements of the Allowable Value ensure that SLs are not violated during AOOs (and that the consequences of Design Basis Accidents (DBAs)
 
will be acceptable, providing the unit is operated from
 
within the LCOs at the onset of the AOO or DBA and the
 
equipment functions as designed).
Each channel of the process control equipment can be tested
 
on line to verify that the signal or setpoint accuracy is
 
within the specified allowance requirements of
 
Table 3.3.1-1. Once a designated channel is taken out of service for testing, a simulated signal is injected in place
 
of the field instrument signal. The process equipment for
 
the channel in test is then tested, verified, and
 
calibrated. SRs for the channels are specified in the SRs
 
section.Solid State Protection System The SSPS equipment is used for the decision logic processing
 
of outputs from the signal processing equipment bistables.
 
To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one
 
train is taken out of service for maintenance or test
 
purposes, the second train will provide reactor trip and/or
 
ESF actuation for the unit. If both trains are taken out of
 
service or placed in test, a reactor trip will result. Each
 
train is packaged in its own cabinet for physical and
 
electrical separation to satisfy separation and independence requirements. The system has been designed to trip in the
 
event of a loss of power, directing the unit to a safe
 
shutdown condition.
The SSPS performs the decision logic for actuating a reactor
 
trip or ESF actuation, generates the electrical output
 
signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output
 
signals to the main control room of the unit.(continued)
North Anna Units 1 and 2B 3.3.1-8Revision 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND Solid State Protection System (continued)
The bistable outputs from the signal processing equipment
 
are sensed by the SSPS equipment and combined into logic
 
matrices that represent combinations indicative of various
 
unit upset and accident transients. If a required logic
 
matrix combination is completed, the system will initiate a
 
reactor trip or send actuation signals via master and slave
 
relays to those components whose aggregate Function best
 
serves to alleviate the condition and restore the unit to a
 
safe condition. Examples are given in the Applicable Safety
 
Analyses, LCO, and Applicability sections of this Bases.
Reactor Trip Switchgear The RTBs are in the electrical power supply line from the
 
control rod drive motor generator set power supply to the
 
CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass
 
breaker to allow testing of the RTB while the unit is at
 
power. During normal operation the output from the SSPS is a
 
voltage signal that energizes the undervoltage coils in the
 
RTBs and bypass breakers, if in use. When the required logic
 
matrix combination is completed, the SSPS output voltage
 
signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized
 
undervoltage coil, and the RTBs and bypass breakers are
 
tripped open. This allows the shutdown rods and control rods
 
to fall into the core. In addition to the de-energization of the undervoltage coils, each RTB is also equipped with a
 
shunt trip attachment device that is energized to trip the
 
breaker open upon receipt of a reactor trip signal from the
 
SSPS. Either the undervoltage coil or the shunt trip
 
mechanism is sufficient by itself, thus providing a diverse
 
trip mechanism.The logic Functions are desc ribed in the functional diagrams included in Reference
: 2. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive
 
interlocks" that are associated with unit conditions. Each
 
train has a built in testing device that can automatically
 
test the logic Functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit
 
monitoring and protection until the testing has been
 
completed. The testing device is semiautomatic to minimize
 
testing time.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-9Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The RTS functions to maintain the SLs during all AOOs and
 
mitigates the consequences of DBAs in all MODES in which the Rod Control System is capable of rod withdrawal or one or
 
more rods are not fully inserted.
Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis
 
described in Reference 3 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in
 
the accident analysis are qualitatively credited in the
 
safety analysis and the NRC staff approved licensing basis
 
for the unit. These RTS trip Functions may provide
 
protection for conditions that do not require dynamic
 
transient analysis to demonstrate Function performance. They
 
may also serve as backups to RTS trip Functions that were
 
credited in the accident analysis.
The LCO requires all instrumentation performing an RTS
 
Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. A channel is OPERABLE with a trip setpoint
 
value outside its calibration tolerance band provided the
 
trip setpoint "as-found" value does not exceed its
 
associated Allowable Value and provided the trip setpoint
 
"as-left" value is adjusted to a value within the "as-left"
 
calibration tolerance band of the nominal trip setpoint. A
 
trip setpoint may be set more conservative than the nominal
 
trip setpoint as necessary in response to the unit
 
conditions. Failure of any instrument renders the affected
 
channel(s) inoperable and reduces the reliability of the
 
affected Functions.
The LCO generally requires OPERABILITY of four or three
 
channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in
 
each Automatic Trip Logic Function. Four OPERABLE
 
instrumentation channels in a two-out-of-four configuration
 
are required when one RTS channel is also used as a control
 
system input. This configuration accounts for the
 
possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this
 
case, the RTS will still provide protection, even with
 
random failure of one of the other three protection and
 
channels. Three OPERABLE instrumentation channels in a
 
two-out-of-three configuration are generally required when
 
there is no potential for control system and protection
 
system interaction that could simultaneously create a need
 
for RTS trip and disable one RTS channel. The (continued)
North Anna Units 1 and 2B 3.3.1-10Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY (continued) two-out-of-three and two-out-of-four configurations allow
 
one channel to be tripped during maintenance or testing
 
without causing a reactor trip. Specific exceptions to the
 
above general philosophy exist and are discussed below.
Reactor Trip System Functions The safety analyses and OPERABILITY requirements applicable
 
to each RTS Function are discussed below:1.Manual Reactor Trip The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using
 
either of two reactor trip switches in the control room.
 
A Manual Reactor Trip accomplishes the same results as
 
any one of the automatic trip Functions. It is used by
 
the reactor operator to shut down the reactor whenever
 
any parameter is rapidly trending toward its trip
 
setpoint.The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip
 
breaker in both trains. Two independent channels are required to be OPERABLE so that no single random failure
 
will disable the Manual Reactor Trip Function.In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown
 
rods and/or control rods are partially or fully
 
withdrawn from the core. In MODE 3, 4, or 5, the manual
 
initiation Function must also be OPERABLE if one or more shutdown rods or control rods are withdrawn or the Rod
 
Control System is capable of withdrawing the shutdown
 
rods or the control rods. In this condition, inadvertent
 
control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be
 
OPERABLE if the Rod Control System is not capable of
 
withdrawing the shutdown rods or control rods and if all rods are fully inserted. If the rods cannot be withdrawn
 
from the core, or all of the rods are inserted, there is
 
no need to be able to trip the reactor. In MODE 6, neither the shutdown rods nor the control rods are
 
permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the
 
manual initiation Function is not required.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-11Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)2.Power Range Neutron Flux The NIS power range detectors are located external to the reactor vessel and meas ure neutrons leaking from the core. The NIS power range detectors provide input to the
 
Rod Control System and the Steam Generator (SG) Water
 
Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function
 
actuation, and a single failure in the other channels
 
providing the protection function actuation. Note that
 
this Function also provides a signal to prevent
 
automatic and manual rod withdrawal prior to initiating
 
a reactor trip. Limiting further rod withdrawal may
 
terminate the transient and eliminate the need to trip
 
the reactor.a.Power Range Neutron Flux-High The Power Range Neutron Flux-High trip Function ensures that protection is provided, from all power
 
levels, against a positive reactivity excursion
 
leading to DNB during power operations. These can be
 
caused by rod withdrawal or reductions in RCS
 
temperature.
The LCO requires all four of the Power Range Neutron Flux-High channels to be OPERABLE.
In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux-High trip
 
must be OPERABLE. This Function will terminate the
 
reactivity excursion and shut down the reactor prior
 
to reaching a power level that could damage the fuel.
 
In MODE 3, 4, 5, or 6, the NIS power range detectors
 
cannot detect neutron levels in this range. In these
 
MODES, the Power Range Neutron Flux-High does not
 
have to be OPERABLE because the reactor is shut down
 
and reactivity excursions into the power range are
 
extremely unlikely. Other RTS Functions and
 
administrative controls provide protection against
 
reactivity additions when in MODE 3, 4, 5, or 6.
North Anna Units 1 and 2B 3.3.1-12Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY2.Power Range Neutron Flux (continued)b.Power Range Neutron Flux-Low The LCO requirement for the Power Range Neutron Flux-Low trip Function ensures that protection is provided against a positive reactivity excursion from
 
low power conditions.
The LCO requires all four of the Power Range Neutron Flux-Low channels to be OPERABLE.
In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2, the Power Range Neutron
 
Flux-Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately
 
10% RTP (P-10 setpoint). This Function is
 
automatically unblocked when three out of four power
 
range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity additions are
 
mitigated by the Power Range Neutron Flux-High trip
 
Function.In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-Low trip Function does not have to be OPERABLE
 
because the reactor is shut down and the NIS power
 
range detectors cannot detect neutron levels in this
 
range. Other RTS trip Functions and administrative
 
controls provide protection against positive
 
reactivity additions or power excursions in MODE 3, 4, 5, or 6.3.Power Range Neutron Flux Rate The Power Range Neutron Flux Rate trips use the same channels as discussed for Function 2 above.a.Power Range Neutron Flux-High Positive Rate The Power Range Neutron Flux-High Positive Rate trip Function ensures that protection is provided against
 
rapid increases in neutron flux that are
 
characteristic of an RCCA drive rod housing rupture
 
and the accompanying ejection of the RCCA. This
 
Function compliments the Power Range Neutron (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-13Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY3.Power Range Neutron Flux Rate (continued)a.Power Range Neutron Flux-High Positive Rate (continued)
Flux-High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range.
The LCO requires all four of the Power Range Neutron Flux-High Positive Rate channels to be OPERABLE.
In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod
 
ejection accident (REA), the Power Range Neutron
 
Flux-High Positive Rate trip must be OPERABLE. In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-High
 
Positive Rate trip Function does not have to be
 
OPERABLE because other RTS trip Functions and
 
administrative controls will provide protection
 
against positive reactivity additions. Also, since
 
only the shutdown banks may be fully withdrawn in
 
MODE 3, 4, or 5, the remaining complement of control
 
bank (partial withdrawal allowed) worth ensures a
 
sufficient degree of SDM in the event of an REA. In
 
MODE 6, no rods are withdrawn and the SDM is
 
increased during refueling operations. The reactor
 
vessel head is also removed or the closure bolts are
 
detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect
 
neutron levels present in this mode.b.Power Range Neutron Flux-High Negative Rate The Power Range Neutron Flux-High Negative Rate trip Function ensures that protection is provided for
 
multiple rod drop accidents. At high power levels, a
 
multiple rod drop accident could cause local flux
 
peaking that would result in an unconservative local
 
DNBR. DNBR is defined as the ratio of the heat flux
 
required to cause a DNB at a particular location in
 
the core to the local heat flux. The DNBR is
 
indicative of the margin to DNB. No credit is taken
 
for the operation of this Function for those rod drop
 
accidents in which the local DNBRs will be greater
 
than the limit.(continued)
North Anna Units 1 and 2B 3.3.1-14Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY3.Power Range Neutron Flux Rate (continued)b.Power Range Neutron Flux-High Negative Rate (continued)
The LCO requires all four Power Range Neutron Flux-High Negative Rate channels to be OPERABLE.
In MODE 1 or 2, when there is potential for a multiple rod drop accident to occur, the Power Range
 
Neutron Flux-High Negative Rate trip must be
 
OPERABLE. In MODE 3, 4, 5, or 6, the Power Range
 
Neutron Flux-High Negative Rate trip Function does
 
not have to be OPERABLE because the core is not
 
critical and DNB is not a concern. Also, since only
 
the shutdown banks may be fully withdrawn in MODE 3, 4, or 5, the remaining complement of control bank (partial withdrawal allowed) worth ensures a
 
sufficient degree of SDM in the event of an REA. In MODE 6, no rods are withdrawn and the required SDM is
 
increased during refueling operations. In addition, the NIS power range detectors cannot detect neutron
 
levels present in this MODE.4.Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an
 
uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron
 
Flux-Low Setpoint trip Function. The NIS intermediate
 
range detectors are located external to the reactor
 
vessel and measure neutrons leaking from the core. Note
 
that this Function also provides a signal to prevent
 
automatic and manual rod withdrawal prior to initiating
 
a reactor trip. Limiting further rod withdrawal may
 
terminate the transient and eliminate the need to trip
 
the reactor.
The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are
 
sufficient to ensure no single random failure will
 
disable this trip Function.(continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-15Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY4.Intermediate Range Neutron Flux (continued)
Because this trip Function is important only during startup, there is generally no need to disable channels
 
for testing while the Function is required to be
 
OPERABLE. Therefore, a third channel is unnecessary.
In MODE 1 below the P-10 setpoint, and in MODE 2 above the P-6 setpoint, when there is a potential for an
 
uncontrolled RCCA bank rod withdrawal accident during
 
reactor startup, the Intermediate Range Neutron Flux
 
trip must be OPERABLE. Above the P-10 setpoint, the
 
Power Range Neutron Flux-High Setpoint trip and the
 
Power Range Neutron Flux-High Positive Rate trip provide
 
core protection for a rod withdrawal accident. In MODE 2 below the P-6 setpoint, the Source Range Neutron Flux
 
Trip provides the core protection for reactivity
 
accidents. In MODE 3, 4, or 5, the Intermediate Range
 
Neutron Flux trip does not have to be OPERABLE because
 
Source Range Instrumentation channels provide the
 
required reactor trip protection. The core also has the
 
required SDM to mitigate the consequences of a positive
 
reactivity addition accident. In MODE 6, all rods are
 
fully inserted and the core has a required increased
 
SDM. Also, the NIS intermediate range detectors cannot
 
detect neutron levels present in this MODE.5.Source Range Neutron Flux The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided
 
against an uncontrolled RCCA bank rod withdrawal
 
accident from a subcritical condition during startup.
 
This trip Function provides redundant protection to the
 
Power Range Neutron Flux-Low trip Function. In MODES 3, 4, and 5, administrative controls also prevent the
 
uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source
 
range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic
 
protection function required in MODES 3, 4, and 5 when
 
rods are capable of withdrawal or one or more rods are
 
not fully inserted. Therefore, the functional capability
 
at the trip setpoint is assumed to be available.(continued)
North Anna Units 1 and 2B 3.3.1-16Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY5.Source Range Neutron Flux (continued)
The Source Range Neutron Flux Function provides protection for control rod withdrawal from subcritical, boron dilution and control rod ejection events.In MODE 2 when below the P-6 setpoint and in MODES 3, 4, and 5 when there is a potential for an uncontrolled RCCA
 
bank rod withdrawal accident, the Source Range Neutron
 
Flux trip must be OPERABLE. Two OPERABLE channels are
 
sufficient to ensure no single random failure will
 
disable this trip Function. Above the P-6 setpoint, the
 
Intermediate Range Neutron Flux trip and the Power Range
 
Neutron Flux-Low Setpoint trip will provide core
 
protection for reactivity accidents. Above the P-6
 
setpoint, the NIS source range detectors are
 
de-energized and inoperable.In MODES 3, 4, and 5 with all rods fully inserted and the Rod Control System not capable of rod withdrawal, and in MODE 6, the outputs of the Function to RTS logic are not
 
required OPERABLE. The requirements for the NIS source
 
range detectors to monitor core neutron levels and
 
provide indication of reactivity changes that may occur as a result of events like a boron dilution are addressed
 
in LCO 3.9.3, "Nuclear Instrumentation," for MODE 6.6.Overtemperature T The Overtemperature T trip Function is provided to ensure that the design limit DNBR is met. This trip
 
Function also limits the range over which the Overpower T trip Function must provide protection. The inputs to the Overtemperature T trip include pressurizer pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop T assuming full reactor coolant flow. Protection from violating the DNBR
 
limit is assured for those transients that are slow with
 
respect to delays from the core to the measurement
 
system. The Function monitors both variation in power and flow since a decrease in flow has the same effect on T as a power increase. The Overtemperature T trip (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-17Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY6.Overtemperature T (continued)
Function uses each loop's T as a measure of reactor power and is compared with a setpoint that is
 
automatically varied with the following parameters:reactor coolant average temperature-the trip setpoint
 
is varied to correct for changes in coolant density
 
and specific heat capacity with changes in coolant
 
temperature;pressurizer pressure-the trip setpoint is varied to
 
correct for changes in system pressure; andaxial power distribution-f(I), the trip setpoint is varied to account for imbalances in the axial power
 
distribution as detected by the NIS upper and lower
 
power range detectors. If axial peaks are greater than
 
the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the trip setpoint is reduced in accordance with Note 1 of Table 3.3.1-1.
Dynamic compensation is included for system piping delays from the core to the temperature measurement
 
system.The Overtemperature T trip Function is calculated for each loop as described in Note 1 of Table 3.3.1-1. Trip
 
occurs if Overtemperature T is indicated in two loops.
The pressure and temperature signals are used for other
 
control functions. The actuation logic must be able to
 
withstand an input failure to the control system, which
 
may then require the protection function actuation, and
 
a single failure in the other channels providing the
 
protection function actuation. Note that this Function
 
also provides a signal to generate a turbine runback
 
prior to reaching the trip setpoint. A turbine runback
 
will reduce turbine power and reactor power.
 
Additionally, the turbine runback setpoint blocks
 
automatic and manual rod withdrawal. A reduction in
 
power will normally alleviate the Overtemperature T condition and may prevent a reactor trip.
The LCO requires all three channels of the Overtemperature T trip Function to be OPERABLE. Note that the Overtemperature T Function receives input from (continued)
North Anna Units 1 and 2B 3.3.1-18Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY6.Overtemperature T (continued) channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the
 
Conditions applicable to all affected Functions.
In MODE 1 or 2, the Overtemperature T trip must be OPERABLE to prevent DNB. In MODE 3, 4, 5, or 6, this trip
 
Function does not have to be OPERABLE because the
 
reactor is not operating and there is insufficient heat
 
production to be concerned about DNB.7.Overpower T The Overpower T trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no
 
fuel pellet melting and less than 1% cladding strain)
 
under all possible overpower conditions. This trip
 
Function also limits the required range of the
 
Overtemperature T trip Function and provides a backup to the Power Range Neutron Flux-High Setpoint trip. The
 
Overpower T trip Function ensures that the allowable heat generation rate (kW/ft) of the fuel is not
 
exceeded. It uses the T of each loop as a measure of reactor power with a setpoint that is automatically
 
varied with the following parameters:reactor coolant average temperature-the trip setpoint
 
is varied to correct for changes in coolant density
 
and specific heat capacity with changes in coolant
 
temperature; andrate of change of reactor coolant average
 
temperature-including dynamic compensation for the
 
delays between the core and the temperature measurement system. The function generated by the rate
 
lag controller for T avg dynamic compensation is represented by the expression: 3 s/1 + 3 s. The time constant utilized in the rate lag controller for T avg is 3.The Overpower T trip Function is calculated for each loop as per Note 2 of Table 3.3.1-1. Trip occurs if
 
Overpower T is indicated in two loops. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Allowable Value. A turbine runback will reduce turbine power and reactor power.(continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-19Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY7.Overpower T (continued)
Additionally, the turbine runback setpoint blocks automatic and manual rod withdrawal. A reduction in power will normally alleviate the Overpower T condition and may prevent a reactor trip.
The LCO requires three channels of the Overpower T trip Function to be OPERABLE. Note that the Overpower T trip Function receives input from channels shared with other
 
RTS Functions. Failures that affect multiple Functions
 
require entry into the Conditions applicable to all
 
affected Functions.
In MODE 1 or 2, the Overpower T trip Function must be OPERABLE. These are the only times that enough heat is
 
generated in the fuel to be concerned about the heat
 
generation rates and overheating of the fuel. In MODE 3, 4, 5, or 6, this trip Function does not have to be
 
OPERABLE because the reactor is not operating and there
 
is insufficient heat production to be concerned about
 
fuel overheating and fuel damage.8.Pressurizer Pressure The same sensors provide input to the Pressurizer Pressure-High and -Low trips and the Overtemperature T trip.a.Pressurizer Pressure-Low The Pressurizer Pressure-Low trip Function ensures that protection is provided against violating the
 
DNBR limit due to low pressure.
The LCO requires three channels of Pressurizer Pressure-Low to be OPERABLE.
In MODE 1, when DNB is a major concern, the Pressurizer Pressure-Low trip must be OPERABLE. This
 
trip Function is automatically enabled on increasing
 
power by the P-7 interlock (NIS power range P-10 or
 
turbine impulse pressure greater than approximately
 
10% of full power equivalent (P-13)). On decreasing
 
power, this trip Function is automatically blocked
 
below P-7. Below the P-7 setpoint, no conceivable
 
power distributions can occur that would cause DNB
 
concerns.
North Anna Units 1 and 2B 3.3.1-20Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY8.Pressurizer Pressure (continued)b.Pressurizer Pressure-High The Pressurizer Pressure-High trip Function ensures that protection is provided against overpressurizing
 
the RCS. This trip Function operates in conjunction
 
with the pressurizer relief and safety valves to
 
prevent RCS overpressure conditions.
The LCO requires three channels of the Pressurizer Pressure-High to be OPERABLE.
The Pressurizer Pressure-High LSSS is selected to be below the pressurizer safety valve actuation pressure
 
and above the power operated relief valve (PORV)
 
setting. This setting minimizes challenges to safety
 
valves while avoiding unnecessary reactor trip for
 
those pressure increases that can be controlled by
 
the PORVs.
In MODE 1 or 2, the Pressurizer Pressure-High trip must be OPERABLE to help prevent RCS
 
overpressurization and minimize challenges to the
 
relief and safety valves. In MODE 3, 4, 5, or 6, the
 
Pressurizer Pressure-High trip Function does not have
 
to be OPERABLE because transients that could cause an
 
overpressure condition will be slow to occur.
 
Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions.
 
Additionally, low temperature overpressure protection
 
systems provide overpressure protection when below
 
MODE 4.9.Pressurizer Water Level-High The Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High trip
 
and also provides protection against water relief
 
through the pressurizer safety valves. These valves are
 
designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to
 
the pressurizer becoming water solid. The LCO requires
 
three channels of Pressurizer Water Level-High to be
 
OPERABLE. The pressurizer level channels are used as
 
input to the Pressurizer Level Control System. A fourth
 
channel is not required to address control/protection (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-21Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY9.Pressurizer Water Level-High (continued) interaction concerns. The level channels do not actuate the safety valves, and the high pressure reactor trip is
 
set below the safety valve setting. Therefore, with the
 
slow rate of charging available, pressure overshoot due
 
to level channel failure cannot cause the safety valve
 
to lift before reactor high pressure trip.In MODE 1, when there is a potential for overfilling the pressurizer, the Pressurizer Water Level-High trip must be OPERABLE. This trip Function is automatically enabled
 
on increasing power by the P-7 interlock. On decreasing
 
power, this trip Function is automatically blocked below
 
P-7. Below the P-7 setpoint, transients that could raise
 
the pressurizer water level will be slow and the
 
operator will have sufficient time to evaluate unit
 
conditions and take corrective actions.10.Reactor Coolant Flow-Low The Reactor Coolant Flow-Low trip Function ensures that protection is provided against violating the DNBR limit
 
due to low flow in one or more RCS loops, while avoiding
 
reactor trips due to normal variations in loop flow.
 
Above the P-7 setpoint, the reactor trip on low flow in
 
two or more RCS loops is automatically enabled. Above
 
the P-8 setpoint, which is approximately 30% RTP, a loss
 
of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The
 
flow signals are not used for any control system input.The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE in MODE 1 above P-7.
In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core
 
because of the higher power level. In MODE 1 below the
 
P-8 setpoint and above the P-7 setpoint, a loss of flow
 
in two or more loops is required to actuate a reactor
 
trip because of the lower power level and the greater
 
margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked
 
since there is insufficient heat production to generate
 
DNB conditions.
North Anna Units 1 and 2B 3.3.1-22Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY (continued)11.Reactor Coolant Pump (RCP) Breaker Position Both RCP Breaker Position trip Functions operate from three pairs of auxiliary contacts, with one pair on each
 
RCP breaker with one contact supplying each train. These
 
Functions anticipate the Reactor Coolant Flow-Low trips to avoid RCS heatup that would occur before the low flow trip actuates.
The RCP Breaker Position (Single Loop) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in one RCS loop. The
 
position of each RCP breaker is monitored. If one RCP breaker is open above the P-8 setpoint, a reactor trip is
 
initiated. This trip Function will generate a reactor
 
trip before the Reactor Coolant Flow-Low (Single Loop)
 
trip setpoint is reached.
The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient
 
for this trip Function because the RCS Flow-Low trip
 
alone provides sufficient protection of unit SLs for
 
loss of flow events. The RCP Breaker Position trip
 
serves only to anticipate the low flow trip, minimizing
 
the thermal transient associated with loss of a pump.
This Function measures only the discrete position (open or closed) of the RCP breaker. Therefore, the Function
 
has no adjustable trip setpoint with which to associate
 
an LSSS.In MODE 1 above the P-8 setpoint, when a loss of flow in any RCS loop could result in DNB conditions in the core, the RCP Breaker Position (Single Loop) trip must be
 
OPERABLE. In MODE 1 below the P-8 setpoint, a loss of
 
flow in two or more loops is required to actuate a
 
reactor trip because of the lower power level and the
 
greater margin to the design limit DNBR.
The RCP Breaker Position (Two Loops) trip Function ensures that protection is provided against violating
 
the DNBR limit due to a loss of flow in two or more RCS
 
loops. The position of each RCP breaker is monitored.
 
Above the P-7 setpoint and below the P-8 setpoint, a loss
 
of flow in two or more loops will initiate a reactor (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-23Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY11.Reactor Coolant Pump (RCP) Breaker Position (continued) trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) trip
 
setpoint is reached.
The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient
 
for this Function because the RCS Flow-Low trip alone
 
provides sufficient protection of unit SLs for loss of
 
flow events. The RCP Breaker Position trip serves only
 
to anticipate the low flow trip, minimizing the thermal
 
transient associated with loss of an RCP.
This Function measures only the discrete position (open or closed) of the RCP breaker. Therefore, the Function
 
has no adjustable trip setpoint with which to associate
 
an LSSS.In MODE 1 above the P-7 setpoint and below the P-8 setpoint, the RCP Breaker Position (Two Loops) trip must be OPERABLE. Below the P-7 setpoint, all reactor trips
 
on loss of flow are automatically blocked since no
 
conceivable power distributions could occur that would
 
cause a DNB concern at this low power level. Above the
 
P-7 setpoint, the reactor trip on loss of flow in two RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor
 
trip because of the higher power level and the reduced
 
margin to the design limit DNBR.12.Undervoltage Reactor Coolant Pumps The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit
 
due to a loss of flow in two or more RCS loops. The
 
voltage to each RCP bus is monitored. Above the P-7
 
setpoint, a loss of voltage detected on two or more RCP
 
buses will initiate a reactor trip. This trip Function
 
will generate a reactor trip before the Reactor Coolant
 
Flow-Low (Two Loops) trip setpoint is reached. Time
 
delays are incorporated into the Undervoltage RCPs
 
channels to prevent reactor trips due to momentary
 
electrical power transients.(continued)
North Anna Units 1 and 2B 3.3.1-24Revision 8 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY12.Undervoltage Reactor Coolant Pumps (continued)
The LCO requires three Undervoltage RCPs channels to be OPERABLE. Each channel monitors one RCP bus voltage with two sensors. One sensor monitors from A to B phases, while the other sensor senses from the B to C phases.
In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all
 
reactor trips on loss of flow are automatically blocked
 
since no conceivable power distributions could occur
 
that would cause a DNB concern at this low power level.
 
Above the P-7 setpoint, the reactor trip on loss of flow
 
in two or more RCS loops is automatically enabled.13.Underfrequency Reactor Coolant Pumps The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from
 
a major network frequency disturbance. An underfrequency
 
condition will slow down the pumps, thereby reducing
 
their coastdown time following a pump trip. The proper
 
coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss
 
of frequency detected on two or more RCP buses will
 
initiate a reactor trip. This trip Function will
 
generate a reactor trip before the Reactor Coolant
 
Flow-Low (Two Loops) trip setpoint is reached. Time
 
delays are incorporated into the Underfrequency RCPs
 
channels to prevent reactor trips due to momentary
 
electrical power transients.
The LCO requires three Underfrequency RCPs channels to be OPERABLE with each channel monitoring one bus.
In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all
 
reactor trips on loss of flow are automatically blocked
 
since no conceivable power distributions could occur
 
that would cause a DNB concern at this low power level.
 
Above the P-7 setpoint, the reactor trip on loss of flow
 
in two or more RCS loops is automatically enabled.Regarding RCP Underfrequency Testing, it should be noted that test circuits have not been installed on Unit 1, therefore, such testing can only be performed on Unit 2.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-25Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)14.Steam Generator Water Level-Low Low The SG Water Level-Low Low trip Function ensures that
 
protection is provided against a loss of heat sink and
 
actuates the Auxiliary Feedwater (AFW) System prior to
 
uncovering the SG tubes. The SGs are the heat sink for
 
the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low
 
level in any SG is indicative of a loss of heat sink for the reactor. The level transmitters provide input to the
 
SG Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function
 
actuation, and a single failure in the other channels
 
providing the protection function actuation. This
 
Function also performs the ESFAS function of starting
 
the AFW pumps on low low SG level.
The LCO requires three channels of SG Water Level-Low Low per SG to be OPERABLE. These channels for the SGs
 
measure level with a narrow range span.
In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level-Low Low trip must be OPERABLE. The normal source of water f or the SGs is the Main Feedwater (MFW) System (not safety related). The AFW System is the safety related backup source of water to ensure that the
 
SGs remain the heat sink for the reactor. In MODE 3, 4, 5, or 6, the SG Water Level-Low Low Function does not
 
have to be OPERABLE because the reactor is not operating
 
or even critical. Decay heat removal is normally
 
accomplished by Main Feedwater System or AFW System in
 
MODE 3 and by the Residual Heat Removal (RHR) System in
 
MODE 4, 5, or 6.15.Steam Generator Water Level-Low, Coincident With Steam Flow/Feedwater Flow Mismatch SG Water Level-Low, in conjunction with the Steam Flow/Feedwater Flow Mismatch, ensures that protection is provided against a loss of heat sink. In addition to a
 
decreasing water level in t he SG, the difference between feedwater flow and steam flow is evaluated to determine
 
if feedwater flow is significantly less than steam flow.
 
With less feedwater flow than steam flow, SG level will
 
decrease at a rate dependent upon the magnitude of the
 
difference in flow rates. There are two SG level (continued)
North Anna Units 1 and 2B 3.3.1-26Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY15.Steam Generator Water Level-Low, Coincident With Steam Flow/Feedwater Flow Mismatch (continued) channels and two Steam Flow/Feedwater Flow Mismatch channels per SG. One narrow range level channel sensing
 
a low level coincident with one Steam Flow/Feedwater
 
Flow Mismatch channel sensing flow mismatch (steam flow
 
greater than feed flow) will actuate a reactor trip.
The LCO requires two channels of SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch.
In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level-Low coincident with Steam
 
Flow/Feedwater Flow Mismatch trip must be OPERABLE. The
 
normal source of water for the SGs is the MFW System (not
 
safety related). The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. In MODE 3, 4, 5, or 6, the SG
 
Water Level-Low coincident with Steam Flow/Feedwater
 
Flow Mismatch Function does not have to be OPERABLE
 
because the reactor is not operating or even critical.
 
Decay heat removal is normally accomplished by Main
 
Feedwater System or AFW System in MODE 3 and by the RHR
 
System in MODE 4, 5, or 6.16.Turbine Tripa.Turbine Trip-Low Auto Stop Oil Pressure The Turbine Trip-Low Auto Stop Oil Pressure trip Function anticipates the loss of heat removal
 
capabilities of the secondary system following a
 
turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any
 
turbine trip from a power level below the P-8
 
setpoint, approximately 30% power, will not actuate a
 
reactor trip. Three pressure switches monitor the
 
Auto Stop oil pressure which interfaces with the
 
Turbine Electrohydraulic Control System. A low
 
pressure condition sensed by two-out-of-three
 
pressure switches will actuate a reactor trip. These
 
pressure switches do not provide any input to the
 
turbine control system. The unit is designed to
 
withstand a complete loss of load and not sustain
 
core damage or challenge the RCS pressure
 
limitations. Core protection is provided by the (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-27Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY16.Turbine Trip (continued)a.Turbine Trip-Low Auto Stop Oil Pressure (continued)
Pressurizer Pressure-High trip Function and RCS integrity is ensured by the pressurizer safety
 
valves.The LCO requires three channels of Turbine Trip-Low Auto Stop Oil Pressure to be OPERABLE in MODE 1 above
 
P-8.Below the P-8 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the
 
Turbine Trip-Low Auto Stop Oil Pressure trip Function
 
does not need to be OPERABLE.b.Turbine Trip-Turbine Stop Valve Closure The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat removal
 
capabilities of the secondary system following a
 
turbine trip. Any turbine trip from a power level
 
below the P-8 setpoint, approximately 30% power, will
 
not actuate a reactor trip. The trip Function
 
anticipates the loss of secondary heat removal
 
capability that occurs when the stop valves close.
 
Tripping the reactor in anticipation of loss of
 
secondary heat removal acts to minimize the pressure
 
and temperature transient on the reactor. This trip
 
Function will not and is not required to operate in
 
the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not
 
sustain core damage or challenge the RCS pressure
 
limitations. Core protection is provided by the
 
Pressurizer Pressure-High trip Function, and RCS
 
integrity is ensured by the pressurizer safety
 
valves. This trip Function is diverse to the Turbine
 
Trip-Low Auto Stop Oil Pressure trip Function. Each
 
turbine stop valve is equipped with one limit switch
 
that inputs to the RTS. If all four limit switches
 
indicate that the stop valves are all closed, a
 
reactor trip is initiated.(continued)
North Anna Units 1 and 2B 3.3.1-28Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY16.Turbine Trip (continued)b.Turbine Trip-Turbine Stop Valve Closure (continued)
The LSSS for this Function is set to assure channel trip occurs when the associated stop valve is
 
completely closed.
The LCO requires four Turbine Trip-Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in
 
MODE 1 above P-8. All four channels must trip to
 
cause reactor trip.
Below the P-8 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2, 3, 4, 5, or 6, there is no potential for a load
 
rejection, and the Turbine Trip-Stop Valve Closure
 
trip Function does not need to be OPERABLE.17.Safety Injection Input from Engineered Safety Feature Actuation System The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS
 
automatic actuation logic will initiate a reactor trip
 
upon any signal that initiates SI. This is a condition of acceptability for the LOCA. However, other transients
 
and accidents take credit for varying levels of ESF
 
performance and rely upon rod insertion, except for the
 
most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is
 
initiated every time an SI signal is present.
Allowable Values are not applicable to this Function.
The SI input is provided by logic in the ESFAS.
 
Therefore, there is no measurement signal with which to
 
associate an LSSS.The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.
A reactor trip is initiated every time an SI signal is present. Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical, and must be
 
shut down in the event of an accident. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip
 
Function does not need to be OPERABLE.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-29Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)18.Reactor Trip System Interlocks Reactor protection interlocks are provided to ensure
 
reactor trips are in the correct configuration for the
 
current unit status. They back up operator actions to
 
ensure protection system Functions are not bypassed
 
during unit conditions under which the safety analysis
 
assumes the Functions are not bypassed. Therefore, the
 
interlock Functions do not need to be OPERABLE when the
 
associated reactor trip functions are outside the
 
applicable MODES. These are:a.Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes
 
approximately one decade above the minimum channel
 
reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The
 
LCO requirement for the P-6 interlock ensures that
 
the following Functions are performed:on increasing power, the P-6 interlock allows the
 
manual block of the NIS Source Range, Neutron Flux
 
reactor trip. This prevents a premature block of
 
the source range trip and allows the operator to
 
ensure that the intermediate range is OPERABLE
 
prior to leaving the source range. When the source
 
range trip is blocked, the high voltage to the
 
detectors is also removed; andon decreasing power, the P-6 interlock
 
automatically energizes the NIS source range
 
detectors and enables the NIS Source Range Neutron
 
Flux reactor trip.
The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2
 
when below the P-6 interlock setpoint.
Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and
 
this Function will no longer be necessary.In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is
 
providing core protection.
North Anna Units 1 and 2B 3.3.1-30Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY18.Reactor Trip System Interlocks (continued)b.Low Power Reactor Trips Block, P-7 The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13
 
interlock. The LCO requirement for the P-7 interlock
 
ensures that the following Functions are performed:(1)on increasing power, the P-7 interlock automatically enables reactor trips on the
 
following Functions:Pressurizer Pressure-Low;Pressurizer Water Level-High;Reactor Coolant Flow-Low (low flow in two or
 
more RCS loops);RCPs Breaker Open (Two Loops);Undervoltage RCPs; andUnderfrequency RCPs.
These reactor trips are only required when operating above the P-7 setpoint (approximately
 
10% power). The reactor trips provide protection
 
against violating the DNBR limit. Below the P-7
 
setpoint, the RCS is capable of providing
 
sufficient natural circulation without any RCP
 
running.(2)on decreasing power, the P-7 interlock automatically blocks reactor trips on the
 
following Functions:Pressurizer Pressure-Low;Pressurizer Water Level-High;Reactor Coolant Flow-Low (low flow in two or
 
more RCS loops);RCP Breaker Position (Two Loops);(continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-31Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY18.Reactor Trip System Interlocks (continued)b.Low Power Reactor Trips Block, P-7 (continued)(2)(continued)Undervoltage RCPs; andUnderfrequency RCPs.
Allowable Value is not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.
The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one
 
channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.
The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to
 
be OPERABLE because the interlock performs its
 
Function when power level increases above 10% power, which is in MODE 1.c.Power Range Neutron Flux, P-8 The Power Range Neutron Flux, P-8 interlock is actuated at approximately 30% power as determined by
 
two-out-of-four NIS power range detectors. The P-8
 
interlock automatically enables the Reactor Coolant
 
Flow-Low and RCP Breaker Position (Single Loop) reactor trips on low flow in one or more RCS loops on
 
increasing power. The LCO requirement for this
 
Function ensures that the Turbine Trip-Low Auto Stop
 
Oil Pressure and Turbine Trip-Turbine Stop Valve
 
Closure reactor trips are enabled above the P-8 setpoint. Above the P
-8 setpoint, a turbine trip will cause a load rejection beyond the capacity of the
 
Steam Dump System. A reactor trip is automatically
 
initiated on a turbine trip when it is above the P-8
 
setpoint, to minimize the transient on the reactor.
 
The LCO requirement for this trip Function ensures
 
that protection is provided agai nst a loss of flow in any RCS loop that could result in DNB conditions in (continued)
North Anna Units 1 and 2B 3.3.1-32Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY18.Reactor Trip System Interlocks (continued)c.Power Range Neutron Flux, P-8 (continued) the core when greater than approximately 30% power.
On decreasing power, the reactor trip on low flow in
 
any one loop is automatically blocked.The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE
 
because the core is not producing sufficient power to
 
be concerned about DNB conditions.d.Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock is actuated at approximately 10% power, as determined by
 
two-out-of-four NIS power range detectors. If power
 
level falls below approximately 10% RTP on 3 of
 
4 channels, the nuclear instrument low power trips
 
will be automatically unblocked. The LCO requirement
 
for the P-10 interlock ensures that the following
 
Functions are performed:on increasing power, the P-10 interlock allows the
 
operator to manually block the Intermediate Range
 
Neutron Flux reactor trip. Note that blocking the
 
reactor trip also blocks the signal to prevent
 
automatic and manual rod withdrawal;on increasing power, the P-10 interlock allows the
 
operator to manually block the Power Range Neutron
 
Flux-Low reactor trip;on increasing power, the P-10 interlock
 
automatically provides a backup signal to block the Source Range Neutron Flux reactor trip, and also to
 
de-energize the NIS source range detectors;the P-10 interlock provides one of the two inputs
 
to the P-7 interlock; and (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-33Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY18.Reactor Trip System Interlocks (continued)d.Power Range Neutron Flux, P-10 (continued)on decreasing power, the P-10 interlock automatically enables the Power Range Neutron
 
Flux-Low reactor trip and the Intermediate Range
 
Neutron Flux reactor trip (and rod stop).The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.
OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions
 
in the event of a reactor shutdown. This Function
 
must be OPERABLE in MODE 2 to ensure that core
 
protection is provided during a startup or shutdown
 
by the Power Range Neutron Flux-Low and Intermediate
 
Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE
 
because the reactor is not at power and the Source
 
Range Neutron Flux reactor trip provides core
 
protection.e.Turbine Impulse Pressure, P-13 The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure in the first stage of the
 
high pressure turbine is greater than approximately
 
10% of the rated full power pressure. This is
 
determined by one-out-of-two pressure detectors. The
 
LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.
The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE 1.
The Turbine Impulse Chamber Pressure, P-13 interlock must be OPERABLE when the turbine generator is
 
operating. The interlock Function is not required to
 
be OPERABLE in MODE 2, 3, 4, 5, or 6 because the
 
turbine generator is not operating.
North Anna Units 1 and 2B 3.3.1-34Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, and APPLICABILITY (continued)19.Reactor Trip Breakers This trip Function applies to the RTBs exclusive of
 
individual trip mechanisms. The LCO requires two
 
OPERABLE trains of trip breakers. A trip breaker train
 
consists of all trip breakers associated with a single
 
RTS logic train that are racked in, closed, and capable
 
of supplying power to the Rod Control System. Thus, the
 
train may consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the
 
system configuration. Two OPERABLE trains ensure no
 
single random failure can disable the RTS trip
 
capability.
These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these
 
RTS trip Functions must be OPERABLE when the Rod Control
 
System is capable of rod withdrawal or one or more rods
 
are not fully inserted.20.Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in
 
service. The trip mechanisms are not required to be
 
OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function 19 above.
 
OPERABILITY of both trip mechanisms on each breaker
 
ensures that no single trip mechanism failure will
 
prevent opening any breaker on a valid signal.
These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these
 
RTS trip Functions must be OPERABLE when the Rod Control
 
System is capable of rod withdrawal or one or more rods
 
are not fully inserted.21.Automatic Trip Logic The LCO requirement for the RTBs (Functions 19 and 20) and Automatic Trip Logic (Function 21) ensures that
 
means are provided to interrupt the power to allow the
 
rods to fall into the reactor core. Each RTB is equipped
 
with an undervoltage coil and a shunt trip coil to trip
 
the breaker open when needed. Each RTB is equipped with a (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-35Revision 0 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY21.Automatic Trip Logic (continued) bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals
 
generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures
 
that random failure of a single logic channel will not
 
prevent reactor trip.
These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these
 
RTS trip Functions must be OPERABLE when the Rod Control
 
System is capable of rod withdrawal or one or more rods
 
are not fully inserted.
The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this
 
Specification may be entered independently for each Function
 
listed in Table 3.3.1-1. When the Required Channels in Table 3.3.1-1 are specified (e.g., on a per loop, per RCP, per SG, per train, etc., basis), then the Condition may be
 
entered separately for each loop, RCP, SG, train, etc., as
 
appropriate.
In the event a channel's trip setpoint is found
 
nonconservative with respect to the Allowable Value, or the
 
transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, t hen all affected Functions provided by that channel must be declared inoperable and the
 
LCO Condition(s) entered for the protection Function(s)
 
affected.When the number of inoperable channels in a trip Function
 
exceed those specified in one or other related Conditions
 
associated with a trip Function, then the unit is outside the
 
safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.
North Anna Units 1 and 2B 3.3.1-36Revision 0 RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)
A.1 Condition A applies to all RTS protection Functions.
Condition A addresses the situation where one or more required channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are
 
those from the referenced Conditions and Required Actions.
B.1 and B.2 Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the
 
inoperable channel must be restored to OPERABLE status
 
within 48 hours. In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.
The Completion Time of 48 hours is reasonable considering that there are two automatic actuation trains and another
 
manual initiation channel OPERABLE, and the low probability
 
of an event occurring during this interval.
If the Manual Reactor Trip Function cannot be restored to
 
OPERABLE status within the allowed 48 hour Completion Time, the unit must be brought to a MODE in which the requirement
 
does not apply. To achieve this status, the unit must be
 
brought to at least MODE 3 within 6 additional hours (54 hours total time). The 6 additional hours to reach MODE 3 is reasonable, based on operating experience, to reach MODE 3 from full power operation in an orderly manner and without challenging unit systems. With the unit in
 
MODE 3, Action C would apply to any inoperable Manual Reactor Trip Function if the Rod Control System is capable of
 
rod withdrawal or one or more rods are not fully inserted.
C.1 and C.2 Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted:Manual Reactor Trip;RTBs;(continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-37Revision 0 ACTIONS C.1 and C.2 (continued)RTB Undervoltage and Shunt Trip Mechanisms; andAutomatic Trip Logic.
This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the
 
inoperable channel or train must be restored to OPERABLE
 
status within 48 hours. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour Completion Time, the unit must be placed in a MODE in which
 
the requirement does not apply. To achieve this status, action must be initiated within 48 hours to ensure that all rods are fully inserted, and the Rod Control System must be
 
placed in a condition incapable of rod withdrawal within the
 
next hour. The additional hour provides sufficient time to
 
accomplish the action in an orderly manner. With rods fully
 
inserted and the Rod Control System incapable of rod
 
withdrawal, these Functions are no longer required.
The Completion Time is reasonable considering that in this
 
Condition, the remaining OPERABLE train is adequate to
 
perform the safety function, and given the low probability
 
of an event occurring during this interval.
D.1.1, D.1.2, D.2.1, D.2.2, and D.3 Condition D applies to the Power Range Neutron Flux-High Function.The NIS power range detectors provide input to the Rod
 
Control System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known
 
inoperable channel must be placed in the tripped condition.
 
This results in a partial trip condition requiring only
 
one-out-of-three logic for actuation. The 72 hours allowed to place the inoperable channel in the tripped condition is
 
justified in Reference 7.In addition to placing the inoperable channel in the tripped
 
condition, THERMAL POWER must be reduced to  75% RTP within 78 hours. Reducing the power level prevents operation of the core with radial power distributions beyond the design
 
limits. With one of the NIS power range detectors
 
inoperable, 1/4 of the radial power distribution monitoring
 
capability is lost.(continued)
North Anna Units 1 and 2B 3.3.1-38Revision 0 RTS Instrumentation B 3.3.1 BASES ACTIONS D.1.1, D.1.2, D.2.1, D.2.2, and D.3 (continued)
As an alternative to the above actions, the inoperable
 
channel can be placed in the tripped condition within
 
72 hours and the QPTR monitored once every 12 hours as per SR 3.2.4.2, QPTR verification. Calculating QPTR every 12 hours compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows
 
continued unit operation at power levels  75% RTP. The 72 hour Completion Time and the 12 hour Frequency are consistent with LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)" for the long term monitoring requirement.
As an alternative to the above Actions, the unit may be
 
placed in a MODE where this Function is no longer required
 
OPERABLE. Seventy-eight hours are allowed to place the unit
 
in MODE 3. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. If Required
 
Actions cannot be completed within their allowed Completion Times, LCO 3.0.3 must be entered.The Required Actions have been modified by a Note that allows
 
placing the inoperable channel in the bypass condition for
 
up to 12 hours while performing routine surveillance testing of other channels. The Note also allows placing the
 
inoperable channel in the bypass condition to allow setpoint adjustments of other channels when required to reduce the
 
setpoint in accordance with other Technical Specifications.
 
The 12 hour time limit is justified in Reference 7.Required Action D.2.2 has been modified by a Note which only
 
requires SR 3.2.4.2 to be performed if the Power Range
 
Neutron Flux input to QPTR becomes inoperable. Failure of a
 
component in the Power Range Neutron Flux Channel which
 
renders the High Flux Trip Function inoperable may not
 
affect the capability to monitor QPTR. As such, determining QPTR using the movable incore detectors once per 12 hours may
 
not be necessary.
E.1 and E.2 Condition E applies to the following reactor trip Functions:Power Range Neutron Flux-Low;Overtemperature T;(continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-39Revision 0 ACTIONS E.1 and E.2 (continued)Overpower T;Power Range Neutron Flux-High Positive Rate;Power Range Neutron Flux-High Negative Rate;Pressurizer Pressure-High;SG Water Level-Low Low; andSG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch.
A known inoperable channel must be placed in the tripped
 
condition within 72 hours. Placing the channel in the tripped condition results in a partial trip condition
 
requiring only one-out-of-two logic for actuation of the
 
two-out-of-three trips and one-out-of-three logic for
 
actuation of the two-out-of-four trips. The 72 hours allowed to place the inoperable channel in the tripped condition is
 
justified in Reference 7.If the inoperable channel cannot be placed in the trip
 
condition within the specified Completion Time, the unit
 
must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours is allowed to place the unit in MODE
: 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit
 
systems.The Required Actions have been modified by a Note that allows
 
placing the inoperable channel in the bypassed condition for
 
up to 12 hours while performing routine surveillance testing of the other channels. The 12 hour time limit is justified in Reference 7.F.1 and F.2 Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below
 
the P-10 setpoint and one channel is inoperable. Above the
 
P-6 setpoint and below the P-10 setpoint, the NIS
 
intermediate range detector performs both monitoring and
 
protection Functions. If THERMAL POWER is greater than the (continued)
North Anna Units 1 and 2B 3.3.1-40Revision 0 RTS Instrumentation B 3.3.1 BASES ACTIONS F.1 and F.2 (continued)
P-6 setpoint but less than the P-10 setpoint, 24 hours is allowed to reduce THERMAL POWER below the P-6 setpoint or
 
increase to THERMAL POWER above the P-10 setpoint. The NIS
 
Intermediate Range Neutron Flux channels must be OPERABLE
 
when the power level is above the capability of the source
 
range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the
 
NIS power range detectors perform the monitoring and
 
protection functions and the intermediate range protection
 
function is not required. The Completion Times allow for a
 
slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by
 
the redundant OPERABLE channel, and the low probability of
 
its failure during this period. This action does not require
 
the inoperable channel to be tripped because the Function
 
uses one-out-of-two logic. Tripping one channel would trip
 
the reactor. Thus, the Required Actions specified in this
 
Condition are only applicable when channel failure does not
 
result in reactor trip.
G.1 and G.2 Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels in MODE 2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required
 
Actions specified in this Condition are only applicable when channel failures do not result in reactor trip. Above the P-6
 
setpoint and below the P-10 setpoint, the NIS intermediate
 
range detector performs both monitoring and protection
 
Functions. With no intermediate range channels OPERABLE, suspending the introduction into the RCS of reactivity more positive than required to meet the SDM is required to assure continued safe operation. Introduction of coolant inventory
 
must be from sources that have a boron concentration greater
 
than what would be required in the RCS for minimum SDM. This
 
may result in an overall reduction in RCS boron
 
concentration, but provides acceptable margin to maintaining
 
subcritical operation. Introduction of temperature changes, including temperature increases when operating with a
 
positive MTC, must also be evaluated to not result in
 
reducing core reactivity below the required SDM. This will
 
preclude any power level increase since there are no
 
OPERABLE Intermediate Range Neutron Flux channels. The
 
operator must also reduce THERMAL POWER below the P-6
 
setpoint within two hours. Below P-6, the Source Range (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-41Revision 0 ACTIONS G.1 and G.2 (continued)Neutron Flux channels will be able to monitor the core power level and provides a protection function. The Completion
 
Time of 2 hours will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during
 
this period that may require the protection afforded by the
 
NIS Intermediate Range Neutron Flux trip.
Required Action G is modified by a Note to indicate that normal plant control operations that individually add
 
limited positive reactivity (e.g., temperature or boron
 
fluctuations associated with RCS inventory management or
 
temperature control) are not precluded by this Action, provided they are accounted for in the calculated SDM.
H.1 Condition H applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. With the unit in this
 
Condition, below P-6, the NIS source range performs the
 
monitoring and protection functions. With one of the two
 
channels inoperable, operations involving positive
 
reactivity additions shall be suspended immediately.
This will preclude any power escalation. With only one
 
source range channel OPERABLE, core protection is severely
 
reduced and any actions that add positive reactivity to the
 
core must be suspended immediately.
Required Action H is modified by a Note to indicate that normal plant control operations that individually add
 
limited positive reactivity (e.g., temperature or boron
 
fluctuations associated with RCS inventory management or
 
temperature control) are not precluded by this Action, provided they are accounted for in the calculated SDM.
I.1 Condition I applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rod not fully inserted. With
 
the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With both (continued)
North Anna Units 1 and 2B 3.3.1-42Revision 0 RTS Instrumentation B 3.3.1 BASES ACTIONS I.1 (continued) source range channels inoperable, the RTBs must be opened
 
immediately. With the RTBs open, the core is in a more stable condition.
J.1 and J.2 Condition J applies to one inoperable source range channel in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. With the
 
unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the source range channels inoperable, 48 hours is allowed to restore it to an OPERABLE status. If the channel cannot be
 
returned to an OPERABLE status, action must be initiated
 
within the same 48 hours to ensure that all rods are fully inserted, and the Rod Control System must be placed in a
 
condition incapable of rod withdrawal within the next hour.
 
The allowance of 48 hours to restore the channel to OPERABLE status, and the additional hour, are justified in
 
Reference 7.K.1 and K.2 Condition K applies when the required number of OPERABLE Source Range Neutron Flux channels is not met in MODES 3, 4, or 5 with the Rod Control System is not capable of rod withdrawal. With the unit in this Condition, the NIS source
 
range performs the monitoring function only. With less than
 
the required number of source range channels OPERABLE, operations involving positive reactivity additions shall be
 
suspended immediately.
The SDM must be verified within 1 hour and once every
 
12 hours thereafter as per SR 3.1.1.1, SDM verification.
With no source range channels OPERABLE, the ability to
 
monitor the core is severely reduced. Verifying the SDM
 
within 1 hour allows sufficient time to perform the calculations and determine that the SDM requirements are
 
met. The SDM must also be verified once per 12 hours thereafter to ensure that the core reactivity has not
 
changed. Required Action K.1 precludes any positive reactivity additions; therefore, core reactivity should not
 
be increasing, and a 12 hour Frequency is adequate. The Completion Time of within 1 hour and once per 12 hours are (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-43Revision 0 ACTIONS K.1 and K.2 (continued) based on operating experience in performing the Required Actions and the knowledge that unit conditions will change
 
slowly.Required Action K is modified by a Note which permits unit temperature changes provided the temperature change is
 
accounted for in the calculated SDM. Introduction of
 
temperature changes, including temperature increases when a positive MTC exists, must be evaluated to ensure they do not result in a loss of required SDM.
L.1 and L.2 Condition L applies to the following reactor trip Functions:Pressurizer Pressure-Low;Pressurizer Water Level-High;Reactor Coolant Flow-Low;Undervoltage RCPs; andUnderfrequency RCPs.
With one channel inoperable, the inoperable channel must be
 
placed in the tripped condition within 72 hours. For the Pressurizer Pressure-Low, Pressurizer Water Level-High, Undervoltage RCPs, and Underfrequency RCPs trip Functions, placing the channel in the tripped condition when above the
 
P-7 setpoint results in a partial trip condition requiring
 
only one additional channel to initiate a reactor trip. For
 
the Reactor Coolant Flow-Low and RCP Breaker Position (Two
 
Loops) trip Functions, placing the channel in the tripped
 
condition results in a partia l trip condition requiring only one additional channel in the same loop to initiate a reactor
 
trip. For the latter two trip Functions, two tripped channels in two RCS loops are required to initiate a reactor trip when below the P-8 setpoint and above the P-7 setpoint.
 
These Functions do not have to be OPERABLE below the P-7
 
setpoint because there are no loss of flow trips below the
 
P-7 setpoint. There is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72 hours allowed to place the channel in the tripped condition is
 
justified in Reference
: 7. An additional 6 hours is allowed (continued)
North Anna Units 1 and 2B 3.3.1-44Revision 0 RTS Instrumentation B 3.3.1 BASES ACTIONS L.1 and L.2 (continued) to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in
 
trip within the specified Completion Time.
Allowance of this time inter val takes into consideration the redundant capability provided by the remaining redundant
 
OPERABLE channel, and the low probability of occurrence of
 
an event during this period that may require the protection
 
afforded by the Functions associated with Condition K.The Required Actions have been modified by a Note that allows
 
placing the inoperable channel in the bypassed condition for
 
up to 12 hours while performing routine surveillance testing of the other channels. The 12 hour time limit is justified in Reference 7.M.1 and M.2 Condition M applies to the R CP Breaker Position reactor trip Function. There is one breaker position device per RCP breaker. With one channel inoperable, the inoperable channel
 
must be restored to OPERABLE status within 72 hours. If the channel cannot be restored to OPERABLE status within the
 
72 hours, then THERMAL POWER must be reduced below the P-7 setpoint within the next 6 hours.This places the unit in a MODE where the LCO is no longer
 
applicable. This Function does not have to be OPERABLE below the P-7 setpoint because other RTS Functions provide core
 
protection below the P-8 setpoint. The 72 hours allowed to restore the channel to OPERABLE status and the 6 additional hours allowed to reduce THERMAL POWER to below the P-7
 
setpoint are justified by a plant-specific risk assessment
 
consistent with Reference 7.The Required Actions have been modified by a Note that allows
 
placing the inoperable channel in the bypassed condition for
 
up to 12 hours while performing routine surveillance testing of the other channels. The 12 hour time limit is justified by a plant-specific risk assessment consistent with
 
Reference 7.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-45Revision 0 ACTIONS (continued)
N.1 and N.2 Condition N applies to Turbine Trip on Low Auto Stop Oil Pressure or on Turbine Stop Valve Closure. With one channel
 
inoperable, the inoperable channel must be placed in the
 
trip condition within 72 hours. If placed in the tripped condition, this results in a partial trip condition
 
requiring only one additional channel to initiate a reactor
 
trip. If the channel cannot be restored to OPERABLE status or
 
placed in the trip condition, then power must be reduced
 
below the P-8 setpoint within the next 4 hours. The 72 hours allowed to place the inoperable channel in the tripped
 
condition and the 4 hours allowed for reducing power are justified in Reference 7.The Required Actions have been modified by a Note that allows
 
placing the inoperable channel in the bypassed condition for
 
up to 12 hours while performing routine surveillance testing of the other channels. The 12 hour time limit is justified in Reference 7.O.1 and O.2 Condition O applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these
 
Functions. With one train inoperable, 24 hours are allowed to restore the train to OPERABLE status (Required
 
Action O.1) or the unit must be placed in MODE 3 within the next 6 hours. The Completion Time of 24 hours (Required Action O.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to
 
perform the safety function and given the low probability of
 
an event during this interval. The Completion Time of
 
6 hours (Required Action O.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.
The Required Actions have been modified by a Note that allows
 
bypassing one train up to 4 hours for surveillance testing, provided the other train is OPERABLE.
P.1 and P.2 Condition P applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the
 
RTBs. With one train inoperable, 1 hour is allowed to (continued)
North Anna Units 1 and 2B 3.3.1-46Revision 0 RTS Instrumentation B 3.3.1 BASES ACTIONS P.1 and P.2 (continued) restore the train to OPERABLE status or the unit must be
 
placed in MODE 3 within the next 6 hours. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour and 6 hour Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function. Placing the unit in MODE 3 results in Action C entry while RTB(s) are inoperable.
The Required Actions have been modified by three Notes.
 
Note 1 allows one channel to be bypassed for up to 2 hours for surveillance testing, provided the other channel is
 
OPERABLE. Note 1 applies to RTB testing that is performed independently from the corresponding logic train testing.
 
For simultaneous testing of logic and RTBs, the 4 hour test time limit of Condition O applies. Note 2 allows one RTB to be bypassed for up to 2 hours for maintenance on undervoltage or shunt trip mechanisms if the other RTB train is OPERABLE. The 2 hour time limit is justified in Reference 7. Note 3 applies to RTB testing that is performed concurrently with the corresponding logic train testing. For
 
concurrent testing of the logic and RTB, the 4 hour test time limit of Condition O applies. The 4 hour time limit is justified in Reference 7.Q.1 and Q.2 Condition Q applies to the P-6 and P-10 interlocks. With one or more channels inoperable for one-out-of-two or
 
two-out-of-four coincidence logic, the associated interlock
 
must be verified to be in its required state for the existing unit condition within 1 hour or the unit must be placed in MODE 3 within the next 6 hours. Verifying the interlock status manually accomplishes the interlock's Function. The
 
Completion Time of 1 hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The
 
1 hour and 6 hour Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-47Revision 0 ACTIONS (continued)
R.1 and R.2 Condition R applies to the P-7, P-8, and P-13 interlocks.
With one or more channels inoperable for one-out-of-two or
 
two-out-of-four coincidence logic, the associated interlock
 
must be verified to be in its required state for the existing unit condition within 1 hour or the unit must be placed in MODE 2 within the next 6 hours. These actions are conservative for the case where power level is being raised.
 
Verifying the interlock status manually accomplishes the
 
interlock's Function. The Completion Time of 1 hour is based on operating experience and the minimum amount of time
 
allowed for manual operator actions. The Completion Time of
 
6 hours is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.
S.1 and S.2 Condition S applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be
 
restored to an OPERABLE status within 48 hours or the unit must be placed in a MODE where the requirement does not
 
apply. This is accomplished by placing the unit in MODE 3 within the next 6 hours (54 hours total time). The Completion Time of 6 hours is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.
With the unit in MODE 3, Action C would apply to any inoperable RTB trip mechanism. The affected RTB shall not be bypassed while one of the diverse features is inoperable
 
except for the time required to perform maintenance to one of
 
the diverse features. The allowable time for performing
 
maintenance of the diverse features is 2 hours for the reasons stated under Condition P.The Completion Time of 48 hours for Required Action S.1 is reasonable considering that in this Condition there is one
 
remaining diverse feature for the affected RTB, and one
 
OPERABLE RTB capable of performing the safety function and
 
given the low probability of an event occurring during this
 
interval.
North Anna Units 1 and 2B 3.3.1-48Revision 46 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE
 
REQUIREMENTS The SRs for each RTS Function are identified by the SRs
 
column of Table 3.3.1-1 for that Function.
A Note has been added to the SR Table stating that
 
Table 3.3.1-1 determines which SRs apply to which RTS Functions.
Note that each channel of process protection supplies both
 
trains of the RTS. When testing Channel I, Train A and Train B must be examined. Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV. The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in
 
analytically calculating the required channel accuracies.
SR  3.3.1.1 Performance of the CHANNEL CHECK ensures that gross failure
 
of instrumentation has not occurred. A CHANNEL CHECK is
 
normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based
 
on the assumption that instrument channels monitoring the
 
same parameter should read approximately the same value.
 
Significant deviations between the two instrument channels
 
could be an indication of excessive instrument drift in one
 
of the channels or of something even more serious. A CHANNEL
 
CHECK will detect gross channel failure; thus, it is key to
 
verifying that the instrumentation continues to operate
 
properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is
 
outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its
 
limit.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-49Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.3.1.2 SR 3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output. If the
 
calorimetric heat balance calculation results exceeds the
 
power range channel output by more than +2%
RTP, the power range channel is not declared inoperable, but must be
 
adjusted. The power range channel output shall be adjusted
 
consistent with the calorimetric heat balance calculation
 
results if the calorimetric calculation exceeds the power
 
range channel output by more than +2% RTP. If the power range
 
channel output cannot be properly adjusted, the channel is
 
declared inoperable.
If the calorimetric is performed at part power (<
85% RTP), adjusting the power range channel indication in the
 
increasing power direction will assure a reactor trip below
 
the safety analysis limit (<
118% RTP). Making no adjustment to the power range channel in the decreasing power direction
 
due to a part power calorimetric assures a reactor trip
 
consistent with the safety analyses.
This allowance does not preclude making indicated power
 
adjustments, if desired, when the calorimetric heat balance
 
calculation power is less than the power range channel
 
output. To provide close agreement between indicated power
 
and to preserve operating margin, the power range channels
 
are normally adjusted when operating at or near full power
 
during steady-state conditions. However, discretion must be
 
exercised if the power range channel output is adjusted in
 
the decreasing power direction due to a part power
 
calorimetric (<
85% RTP). This action may introduce a non-conservative bias at higher power levels which may
 
result in an NIS reactor trip above the safety analysis limit
 
(> 118% RTP). The cause of the non-conservative bias is the decreased accuracy of the calorimetric at reduced power
 
conditions. The primary error contributor to the instrument
 
uncertainty for a secondary side power calorimetric
 
measurement is the feedwater flow measurement, which is
 
typically a P measurement across a feedwater venturi. While the measurement uncertainty remains constant in P as power decreases, when translated into flow, the uncertainty
 
increases as a square term. Thus a 1% flow error at 100%
 
power can approach a 10% flow error at 30% RTP even though
 
the P error has not changed. The ultrasonic flow meter provides more accurate feedwater flow measurement than the
 
existing venturis. Feedwater flow measurement from the (continued)
North Anna Units 1 and 2B 3.3.1-50Revision 46 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.1.2 (continued) ultrasonic flow meter may be used to compute the secondary
 
side power calorimetric. If feedwater ultrasonic flow meter
 
data is used for the calorimetric at reduced flow, the
 
accuracy is also reduced however not as significantly as
 
with the feedwater venturi data. An evaluation of extended operation at part power conditions would conclude that it is prudent to administratively adjust the setpoint of the Power
 
Range Neutron Flux-High bistables when: (1) the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric below 85% RTP; or (2) for a post refueling startup. The evaluation of extended operation
 
at part power conditions would also conclude that the
 
potential need to adjust the indication of the Power Range
 
Neutron Flux in the decreasing power direction is quite
 
small, primarily to address operation in the intermediate
 
range about P-10 (nominally 10% RTP) to allow the enabling of the Power Range Neutron Flux-Low Setpoint and the
 
Intermediate Range Neutron Flux reactor trips. Before the
 
Power Range Neutron Flux-High bistables are reset to  109% RTP, a calorimetric must be performed and the power range
 
channels must be adjusted such that the high flux bistables
 
will trip at &#xa3; 109% RTP. Consideration must be given to calorimetric uncertainty, and its impact on decalibration of
 
the power range channels.
The Note clarifies that this Surveillance is required only
 
if reactor power is  15% RTP and that 12 hours are allowed for performing the first Surveillance after reaching
 
15% RTP. A power level of 15% RTP is chosen based on plant stability, i.e., automatic rod control capability and
 
turbine generator synchronized to the grid.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
In addition, control room operators periodically monitor
 
redundant indications and alarms to detect deviations in
 
channel outputs.
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-51Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.3.1.3 SR 3.3.1.3 compares the incore system to the NIS channel output. If the absolute difference is  3%, the NIS channel is still OPERABLE, but it must be readjusted. The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is  3%. The adjustment is a recalibration of the upper and lower Power Range detectors
 
to incorporate the results of the flux map.
If the NIS channel cannot be properly readjusted, the
 
channel is declared inoperable. This Surveillance is
 
performed to verify the f(I) input to the overtemperature T Function.
A Note clarifies that the Surveillance is required only if reactor power is  15% RTP and that 72 hours is allowed for performing the first Surveillance after reaching 15%
RTP.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.1.4 SR 3.3.1.4 is the performance of a TADOT. This test shall verify OPERABILITY by actuation of the end devices. A
 
successful test of the required contact(s) of a channel
 
relay may be performed by the verification of the change of
 
state of a single contact of the relay. This clarifies what
 
is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified
 
by other Technical Specifications and non-Technical
 
Specifications tests at least once per refueling interval
 
with applicable extensions.
The RTB test shall include separate verification of the
 
undervoltage and shunt trip mechanisms. Independent
 
verification of RTB undervoltage and shunt trip Function is
 
not required for the bypass breakers. No capability is
 
provided for performing such a test at power. The
 
independent test for bypass breakers is included in
 
SR 3.3.1.14. The test of the bypass breaker is a local shunt trip actuation. A Note has been added to indicate that this (continued)
North Anna Units 1 and 2B 3.3.1-52Revision 46 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.1.4 (continued) test must be performed on the bypass breaker. The local
 
manual shunt trip of the RTB bypass shall be conducted
 
immediately after placing the bypass breaker into service.
This test must be conducted prior to the start of testing on
 
the RTS or maintenance on a RTB. This checks the mechanical
 
operation of the bypass breaker.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.1.5 SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST.
The SSPS is tested using the semiautomatic tester. The train
 
being tested is placed in the bypass condition, thus
 
preventing inadvertent actuation. Through the semiautomatic
 
tester, all possible logic combinations, with and without
 
applicable permissives, are tested for each protection
 
function, including operation of the P-7 permissive which is
 
a logic function only. The Surveillance Frequency is based
 
on operating experience, equipment reliability, and plant
 
risk and is controlled under the Surveillance Frequency
 
Control Program.
SR  3.3.1.6 SR 3.3.1.6 is the performance of a TADOT. A successful test of the required contact(s) of a channel relay may be
 
performed by the verification of the change of state of a
 
single contact of the relay. This clarifies what is an
 
acceptable TADOT of a relay. This is acceptable because all
 
of the other required contacts of the relay are verified by
 
other Technical Specifications and non-Technical
 
Specifications tests at least once per refueling interval
 
with applicable extensions.(continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-53Revision 46 SURVEILLANCE REQUIREMENTS SR  3.3.1.6 (continued)
The SR is modified by a Note that excludes verification of
 
setpoints from the TADOT. Since this SR applies to RCP
 
undervoltage and underfrequency relays, setpoint
 
verification requires elaborate bench calibration and is
 
accomplished during the CHANNEL CALIBRATION.
Regarding RCP Underfrequency Testing, it should be noted
 
that test circuits have not been installed on Unit 1, therefore, such testing can only be performed on Unit 2.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.1.7 A COT is performed on each required channel to ensure the
 
entire channel will perform the intended Function. A
 
successful test of the required contact(s) of a channel
 
relay may be performed by the verification of the change of
 
state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is
 
acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and
 
non-Technical Specifications tests at least once per
 
refueling interval with applicable extensions.
The nominal trip setpoints must be within the Allowable
 
Values specified in Table 3.3.1-1.The difference between the current "as found" values and the
 
previous test "as left" values must be consistent with the
 
drift allowance used in the setpoint methodology. The
 
setpoint shall be left set consistent with the assumptions
 
of the current unit specific setpoint methodology.
SR 3.3.1.7 is modified by a Note that provides a 4 hour delay in the requirement to perform this Surveillance for source
 
range instrumentation when entering MODE 3 from MODE
: 2. This Note allows a normal shutdown to proceed without a delay for
 
testing in MODE 2 and for a short time in MODE 3 until the
 
RTBs are open and SR 3.3.1.7 is no longer required to be
 
performed. If the unit is to be in MODE 3 with the RTBs
 
closed for > 4 hours this Surveillance must be performed
 
prior to 4 hours after entry into MODE 3.(continued)
North Anna Units 1 and 2B 3.3.1-54Revision 46 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.1.7 (continued)
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.1.8 SR 3.3.1.8 is the performance of a COT as described in
 
SR 3.3.1.7, except it is modified by a Note that this test
 
shall include verification that the P-6 and P-10 interlocks
 
are in their required state for the existing unit condition.
 
A successful test of the required contact(s) of a channel
 
relay may be performed by the verification of the change of
 
state of a single contact of the relay. This clarifies what
 
is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is
 
acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and
 
non-Technical Specifications tests at least once per
 
refueling interval with applicable extensions. The Frequency
 
is modified by a Note that allows this surveillance to be
 
satisfied if it has been performed within the frequency
 
specified in the Surveillance Frequency Control Program of
 
the Frequencies prior to reactor startup and four hours
 
after reducing power below P-10 and P-6. The Frequency of
 
"prior to startup" ensures this surveillance is performed
 
prior to critical operations and applies to the source, intermediate and power range low instrument channels. The
 
Frequency of "12 hours after reducing power below P-10" (applicable to intermediate and power range low channels) and "4 hours after reducing power below P-6" (applicable to
 
source range channels) allows a normal shutdown to be
 
completed and the unit removed from the MODE of
 
Applicability for this surveillance without a delay to
 
perform the testing required by this surveillance. The
 
Frequency applies if the unit remains in the MODE of
 
Applicability after the initial performances of prior to
 
reactor startup and twelve and four hours after reducing
 
power below P-10 or P-6, respectively. The MODE of
 
Applicability for this surveillance is < P-10 for the power
 
range low and intermediate range channels and < P-6 for the
 
source range channels. Once the unit is in MODE 3, this
 
surveillance is no longer required. If power is to be
 
maintained < P-10 for more than 12 hours or < P-6 for more than 4 hours, then the testing required by this surveillance must be performed prior to the expiration of the time limit.(continued)
 
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-55Revision 46 SURVEILLANCE REQUIREMENTS SR  3.3.1.8 (continued)
Twelve hours and four hours are reasonable times to complete the required testing or place the unit in a MODE where this
 
surveillance is no longer required. This test ensures that
 
the NIS source, intermediate, and power range low channels
 
are OPERABLE prior to taking the reactor critical and after
 
reducing power into the applicable MODE (< P-10 or < P-6)
 
for periods > 12 and 4 hours, respectively. Verification of
 
the surveillance is accomplished by observing the permissive
 
annunciator windows on the Main Control board. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.1.9 SR 3.3.1.9 is a comparison of the excore channels to the incore channels. If the measurements do not agree, the
 
excore channels are not declared inoperable but must be
 
calibrated to agree with the incore detector measurements.
If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to
 
verify the f(I) input to the overtemperature T Function.
Two notes modify SR 3.3.1.9. Note 1 indicates that the excore NIS channels shall be adjusted if the absolute
 
difference between the incore and excore is  3%. Note 2 states that this Surveillance is required only if reactor
 
power is  50% RTP and that 72 hours is allowed for performing the first surveillance after reaching 50% RTP.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.1.10 A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrum ent loop, including the sensor.
The test verifies that the channel responds to a measured
 
parameter within the necessary range and accuracy.
CHANNEL CALIBRATIONS must be performed consistent with the
 
assumptions of the unit specific setpoint methodology. The
 
difference between the current "as found" values and the
 
previous test "as left" values must be consistent with the
 
drift allowance used in the setpoint methodology.(continued)
North Anna Units 1 and 2B 3.3.1-56Revision 46 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.1.10 (continued)
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are
 
adjusted to the prescribed values where applicable.
SR  3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL
 
CALIBRATION. The CHANNEL CALIBRATION for the power range
 
neutron detectors consists of a normalization of the
 
detectors based on a power calorimetric and flux map
 
performed above 15% RTP. The CHANNEL CALIBRATION for the
 
source range and intermediate range neutron detectors
 
consists of obtaining the detector plateau or preamp
 
discriminator curves, evaluating those curves, and comparing
 
those curves to the manufacturer's data. This Surveillance
 
is not required for the NIS power range detectors for entry
 
into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.SR  3.3.1.12 SR 3.3.1.12 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the
 
resistance temperature detector (RTD) sensors is
 
accomplished by an inplace cross calibration that compares
 
the other sensing elements with the recently installed
 
sensing element.
This test will verify the dynamic compensation for flow from
 
the core to the RTDs. The OTT function is lead/lag compensated and the OPT function is rate/lag compensated.(continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-57Revision 46 SURVEILLANCE REQUIREMENTS SR  3.3.1.12 (continued)
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.1.13 SR 3.3.1.13 is the performance of a COT of RTS interlocks. A successful test of the required contact(s) of a channel
 
relay may be performed by the verification of the change of
 
state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is
 
acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and
 
non-Technical Specifications tests at least once per
 
refueling interval with applicable extensions.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.1.14 SR 3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip, RCP Breaker Position, and the SI Input from
 
ESFAS. A successful test of the required contact(s) of a
 
channel relay may be performed by the verification of the
 
change of state of a single contact of the relay. This
 
clarifies what is an acceptable TADOT of a relay. This is
 
acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and
 
non-Technical Specifications tests at least once per
 
refueling interval with applicable extensions. The test
 
shall independently verify the OPERABILITY of the
 
undervoltage and shunt trip mechanisms for the Manual
 
Reactor Trip Function for the Reactor Trip Breakers and
 
undervoltage trip mechanism for the Reactor Trip Bypass Breakers. The Reactor T rip Bypass Breaker test shall include testing of the automatic undervoltage trip.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.(continued)
North Anna Units 1 and 2B 3.3.1-58Revision 46 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.1.14 (continued)
The SR is modified by a Note that excludes verification of
 
setpoints from the TADOT. The Functions affected have no
 
setpoints associated with them.
SR  3.3.1.15 SR 3.3.1.15 is the performance of a TADOT of Turbine Trip
 
Functions. A successful test of the required contact(s) of a channel relay may be performed by the verification of the
 
change of state of a single contact of the relay. This
 
clarifies what is an acceptable TADOT of a relay. This is
 
acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and
 
non-Technical Specifications tests at least once per refueling interval with applicable extensions. This TADOT is
 
performed prior to exceeding the P-8 interlock whenever the unit has been in MODE 3. This Surveillance is not required if it has been performed within the frequency specified in the
 
Surveillance Frequency Control program. Verification of the
 
trip setpoint does not have to be performed for this
 
Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-8
 
interlock.
SR  3.3.1.16 SR 3.3.1.16 verifies that the individual channel/train
 
actuation response times are less than or equal to the
 
maximum values assumed in the accident analysis. Response
 
time testing acceptance criteria are included in Technical
 
Requirements Manual (Ref. 8). Individual component response
 
times are not modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint
 
value at the sensor to the point at which the equipment
 
reaches the required functional state (i.e., control and
 
shutdown rods fully inserted in the reactor core).
For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the tr ansfer Function set to one, with the resulting measured response time compared to the appropriate
 
UFSAR response time as listed in the TRM. Alternately, the
 
response time test can be performed with the time constants
 
set to their nominal value, provided the required response (continued)
RTS Instrumentation B 3.3.1 BASESNorth Anna Units 1 and 2B 3.3.1-59Revision 46 SURVEILLANCE REQUIREMENTS SR  3.3.1.16 (continued) time is analytically calculated assuming the time constants
 
are set at their nominal values. The response time may be
 
measured by a series of overlapping tests such that the
 
entire response time is measured.
Response time may be verified by actual response time tests
 
in any series of sequential, overlapping or total channel
 
measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with
 
actual response time tests on the remainder of the channel.
 
Allocations for sensor response times may be obtained from:
 
(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications.
WCAP-13632-P-A Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" (Ref.
: 10) provides the basis and methodology for using allocated sensor response
 
times in the overall verification of the channel response
 
time for specific sensors identified in the WCAP. Response
 
time verification for other sensor types must be
 
demonstrated by test.
WCAP-14036-P-A Revision 1 "Elimination of Periodic Protection Channel Response Time Tests" (Ref.
: 11) provides the basis and the methodology for using allocated signal
 
processing and actuation logic response times in the overall verification of the protection system channel response time.
 
The allocations for sensor, signal conditioning and
 
actuation logic response times must be verified prior to placing the component in operational service and re-verified
 
following maintenance that may adversely affect response
 
time. In general, electrical repair work does not impact
 
response time provided the parts used for repair are of the
 
same type and value. Specific components identified in the
 
WCAP may be replaced without verification testing. One
 
example where response time could be affected is replacing
 
the sensing assembly of a transmitter.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.(continued)
North Anna Units 1 and 2B 3.3.1-60Revision 46 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.1.16 (continued)
SR 3.3.1.16 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This
 
Note is necessary because of the difficulty in generating an
 
appropriate detector input signal. Response of neutron flux
 
signal portion of the channel time shall be measured from the
 
detector or input of the first electronic component in the
 
channel. Excluding the detectors is acceptable because the
 
principles of detector operation ensure a virtually
 
instantaneous response.
REFERENCES1.UFSAR, Chapter 7.2.UFSAR, Chapter 6.3.UFSAR, Chapter 15.4.IEEE-279-1971.5.10 CFR 50.49.6.RTS/ESFAS Setpoint Methodology Study (Technical Report EE-0116).7.WCAP-10271-P-A, Supplement 1, Rev. 1, June 1990 and WCAP-14333-P-A, Rev.
1, October 1998.8.Technical Requirements Manual.9.Regulatory Guide 1.105, Revision 3, "Setpoints for Safety Related Instrumentation."10.WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements,"
 
January 1996.11.WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," December 1995.
North Anna Units 1 and 2B 3.3.2-1Revision 0 ESFAS Instrumentation B 3.3.2 B 3.3  INSTRUMENTATIONB 3.3.2Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the
 
values of selected unit parameters, to protect against
 
violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.
The ESFAS instrumentation is segmented into three distinct
 
but interconnected modules as identified below:Field transmitters or process sensors and instrumentation:
 
provide a measurable electronic signal based on the
 
physical characteristics of the parameter being measured;Signal processing equipment including analog protection
 
system, field contacts, and protection channel sets:
 
provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal
 
output to protection system devices, and control
 
board/control room/miscellaneous indications; andSolid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown
 
or engineered safety feature (ESF) actuation in accordance
 
with the defined logic and based on the bistable outputs
 
from the signal process control and protection system.
The Allowable Value in conjunction with the trip setpoint
 
and LCO establishes the threshold for ESFAS action to
 
prevent exceeding acceptable limits such that the
 
consequences of Design Basis Accidents (DBAs) will be
 
acceptable. The Allowable Value is considered a limiting
 
value such that a channel is OPERABLE if the setpoint is
 
found not to exceed the Allowable Value during the CHANNEL
 
OPERATIONAL TEST (COT). Note that, although a channel is
 
"OPERABLE" under these circumstances, the ESFAS setpoint
 
must be left adjusted to within the established calibration
 
tolerance band of the ESFAS setpoint in accordance with the
 
uncertainty assumptions stated in the referenced setpoint
 
methodology, (as-left criteria) and confirmed to be
 
operating within the statistical allowances of the
 
uncertainty terms assigned.
North Anna Units 1 and 2B 3.3.2-2Revision 0 ESFAS Instrumentation B 3.3.2 BASES BACKGROUND (continued)
Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs. To
 
account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical
 
allowances are provided in the Allowable Values. The
 
OPERABILITY of each transmitter or sensor is determined by
 
either "as-found" calibration data evaluated during the
 
CHANNEL CALIBRATION or by qualitative assessment of field
 
transmitter or sensor, as related to the channel behavior
 
observed during performance of the CHANNEL CHECK.
Signal Processing Equipment Generally, three or four channels of process control
 
equipment are used for the signal processing of unit
 
parameters measured by the field instruments. The process
 
control equipment provides signal conditioning, comparable
 
output signals for instruments located on the main control
 
board, and comparison of measured input signals with
 
setpoints established by safety analyses. These setpoints
 
are defined in UFSAR, Chapter 6 (Ref. 1), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision
 
evaluation. Channel separation is maintained up to and
 
through the input bays. However, not all unit parameters
 
require four channels of sensor measurement and signal
 
processing. Some unit parameters provide input only to the
 
SSPS, while others provide input to the SSPS, the main
 
control board, the unit computer, and one or more control
 
systems.These requirements are described in IEEE-279-1971 (Ref.
4). The actual number of channels required for each unit
 
parameter is specified in Reference
: 2.
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-3Revision 0 BACKGROUND (continued)
Allowable Values and ESFAS Setpoints The trip setpoints used in the bistables are summarized in Reference 6. The selection of these trip setpoints is such that adequate protection is provided when all sensor and
 
processing time delays are taken into account. To allow for
 
calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those
 
ESFAS channels that must function in harsh environments as
 
defined by 10 CFR 50.49 (Ref.
5), the Allowable Values specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A
 
detailed description of the methodology used to calculate
 
the Allowable Value and ESFAS setpoints including their
 
explicit uncertainties, is provided in the unit specific
 
setpoint methodology study (Ref.
: 6) which incorporates all of the known uncertainties applicable to each channel. The
 
magnitudes of these uncertainties are factored into the
 
determination of each ESFAS setpoint and corresponding
 
Allowable Value. The no minal ESFAS setpoint entered into the bistable is more conservative than that specified by the
 
Allowable Value to account for measurement errors detectable
 
by the COT. The Allowable Value serves as the Technical
 
Specification OPERABILITY limit for the purpose of the COT.
 
One example of such a change in measurement error is drift
 
during the surveillance interval. If the measured setpoint
 
does not exceed the Allowable Value, the bistable is
 
considered OPERABLE.The ESFAS setpoints are the values at which the bistables are
 
set and is the expected value to be achieved during
 
calibration. The ESFAS setpoint value ensures the safety
 
analysis limits are met for the surveillance interval
 
selected when a channel is adjusted based on stated channel
 
uncertainties. Any bistable is considered to be properly
 
adjusted when the "as-left" setpoint value is within the
 
band for CHANNEL CALIBRATION uncertainty allowance (i.e.,
calibration tolerance uncertainties). The ESFAS setpoint
 
value is therefore considered a "nominal" value (i.e.,
expressed as a value without inequalities) for the purposes
 
of the COT and CHANNEL CALIBRATION.
Setpoints adjusted consistent with the requirements of the
 
Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the
 
equipment functions as designed.(continued)
North Anna Units 1 and 2B 3.3.2-4Revision 0 ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Allowable Values and ESFAS Setpoints (continued)
Each channel can be tested on line to verify that the signal
 
processing equipment and setpoint accuracy is within the
 
specified allowance requirements of Table 3.3.2-1. Once a designated channel is taken out of service for testing, a
 
simulated signal is injected in place of the field
 
instrument signal. The process equipment for the channel in
 
test is then tested, verified, and calibrated. SRs for the
 
channels are specified in the SR section.
Solid State Protection System The SSPS equipment is used for the decision logic processing
 
of outputs from the signal processing equipment bistables.
 
To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one
 
train is taken out of service for maintenance or test
 
purposes, the second train will provide ESF actuation for
 
the unit. If both trains are taken out of service or placed
 
in test, a reactor trip will result. Each train is packaged
 
in its own cabinet for physical and electrical separation to
 
satisfy separation and independence requirements.
The SSPS performs the decision logic for most ESF equipment
 
actuation; generates the electrical output signals that
 
initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main
 
control room of the unit.
The bistable outputs from the signal processing equipment
 
are sensed by the SSPS equipment and combined into logic
 
matrices that represent combinations indicative of various
 
transients. If a required logic matrix combination is
 
completed, the system will send actuation signals via master and slave relays to those components whose aggregate
 
Function best serves to alleviate the condition and restore
 
the unit to a safe condition. Examples are given in the
 
Applicable Safety Analyses, LCO, and Applicability sections
 
of this Bases.
Each SSPS train has a built in testing device that can
 
automatically test the decision logic matrix functions and
 
the actuation devices while the unit is at power. When any
 
one train is taken out of service for testing, the other (continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-5Revision 0 BACKGROUND Solid State Protection System (continued)train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is
 
semiautomatic to minimize testing time.
The actuation of ESF components is accomplished through
 
master and slave relays. The SSPS energizes the master
 
relays appropriate for the condition of the unit. Each
 
master relay then energizes one or more slave relays, which
 
then cause actuation of the end devices. The master and slave
 
relays are routinely tested to ensure operation. The test of
 
the master relays energizes the relay, which then operates
 
the contacts and applies a low voltage to the associated
 
slave relays. The low voltage is not sufficient to actuate
 
the slave relays but only demonstrates signal path
 
continuity. The SLAVE RELAY TEST actuates the devices if
 
their operation will not interfere with continued unit
 
operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay
 
contact operation is verified by a continuity check of the
 
circuit containing the slave relay.
APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY Each of the analyzed accidents can be detected by one or more
 
ESFAS Functions. One of the ESFAS Functions is the primary
 
actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of
 
accident. An ESFAS Function may also be a secondary, or
 
backup, actuation signal for one or more other accidents.
 
For example, Pressurizer Pressure-Low Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs)
 
outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the
 
NRC staff approved licensing basis for the unit. These
 
Functions may provide protection for conditions that do not
 
require dynamic transient analysis to demonstrate Function
 
performance. These Functions may also serve as backups to
 
Functions that were credited in the accident analysis (Ref. 3).The LCO requires all instrumentation performing an ESFAS
 
Function to be OPERABLE. A channel is OPERABLE with a trip
 
setpoint value outside its calibration tolerance band
 
provided the trip setpoint "as-found" value does not exceed (continued)
North Anna Units 1 and 2B 3.3.2-6Revision 0 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY (continued) its associated Allowable Value and provided the trip
 
setpoint "as-left" value is adjusted to a value within the
 
calibration tolerance band of the nominal trip setpoint. A
 
trip setpoint may be set more conservative than the nominal
 
trip setpoint as necessary in response to unit conditions.
 
Failure of any instrument renders the affected channel(s)
 
inoperable and reduces the reliability of the affected
 
Functions.
The LCO generally requires OPERABILITY of four or three
 
channels in each instrumentation function and two channels
 
in each logic and manual initiation function. The
 
two-out-of-three and the two-out-of-four configurations
 
allow one channel to be tripped or bypassed during
 
maintenance or testing without causing an ESFAS initiation.
 
Two logic or manual initiation channels are required to
 
ensure no single random failure disables the ESFAS.
The required channels of ESFAS instrumentation provide unit
 
protection in the event of any of the analyzed accidents.
 
ESFAS protection functions are as follows:1.Safety Injection Safety Injection (SI) provides two primary functions:1.Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of
 
the active fuel for heat removal, clad integrity, and
 
for limiting peak clad temperature to <
2200&deg;F); and2.Boration to ensure recovery and maintenance of SDM.
These functions are ne cessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside
 
of containment. The SI signal is also used to initiate
 
other Functions such as:Phase A Isolation;Reactor Trip;Turbine Trip;Feedwater Isolation;Start of all auxiliary feedwater (AFW) pumps; ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-7Revision 0 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY1.Safety Injection (continued)Control room ventilation isolation; andEnabling automatic switchover of Emergency Core
 
Cooling Systems (ECCS) suction to containment sump.
These other functions ensure:Isolation of nonessential systems through containment penetrations;Trip of the turbine and reactor to limit power
 
generation;Isolation of main feedwater (MFW) to limit secondary
 
side mass losses;Start of AFW to ensure secondary side cooling
 
capability;Isolation of the control room to ensure habitability;
 
andEnabling ECCS suction from the refueling water storage tank (RWST) switchover on low low RWST level to ensure
 
continued cooling via use of the containment sump.a.Safety Injection-Manual Initiation The LCO requires one channel per train to be OPERABLE. The operator can initiate SI at any time by using either of two switches in the control room.
 
This action will cause actuation of all components in
 
the same manner as any of the automatic actuation
 
signals.The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the
 
manual ESFAS actuation circuitry to ensure the
 
operator has manual ESFAS initiation capability.
Each channel consists of one switch and the interconnecting wiring to the actuation logic
 
cabinet. Each switch actuates both trains. This
 
configuration does not allow testing at power.
North Anna Units 1 and 2B 3.3.2-8Revision 0 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY1.Safety Injection (continued)b.Safety Injection-Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE.
Actuation logic consists of all circuitry housed
 
within the actuation subsystems, including the
 
initiating relay contacts responsible for actuating
 
the ESF equipment.
Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there
 
is sufficient energy in the primary and secondary
 
systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE 4
 
even though automatic actuation is not required.
 
Automatic actuation logic and actuation relays must
 
be OPERABLE in MODE 4 to support system manual
 
initiation. In this MODE, adequate time is available
 
to manually actuate required components in the event
 
of a DBA, but because of the large number of
 
components actuated on a SI, actuation is simplified
 
by the use of the manual actuation switches.
These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the
 
operator to evaluate unit conditions and respond by
 
manually starting individual systems, pumps, and
 
other equipment to mitigate the consequences of an
 
abnormal condition or accident. Unit pressure and
 
temperature are very low and many ESF components are
 
administratively locked out or otherwise prevented
 
from actuating to prevent inadvertent
 
overpressurization of unit systems.c.Safety Injection-Containment Pressure-HighThis signal provides protection against the following accidents:SLB inside containment;LOCA; andFeed line break inside containment.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-9Revision 0 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY1.Safety Injection (continued)c.Safety Injection-Containment Pressure-High (continued)
Containment Pressure-High provides no input to any control functions. Thus, three OPERABLE channels are
 
sufficient to satisfy protective requirements with a
 
two-out-of-three logic. The transmitters (d/p cells)
 
and electronics are located outside of containment
 
with the sensing line (high pressure side of the
 
transmitter) located inside containment.
Thus, the high pressure Function will not experience any adverse environmental conditions and the trip
 
setpoint reflects only steady state instrument
 
uncertainties.
Containment Pressure-High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in
 
the primary and secondary systems to pressurize the
 
containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or
 
secondary systems to pressurize the containment.d.Safety Injection-Pressurizer Pressure-Low LowThis signal provides protection against the following accidents:Inadvertent opening of a steam generator (SG)
 
relief or safety valve;SLB;A spectrum of rod cluster control assembly ejection
 
accidents (rod ejection);Inadvertent opening of a pressurizer relief or
 
safety valve;LOCAs; andSG Tube Rupture.(continued)
North Anna Units 1 and 2B 3.3.2-10Revision 0 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY1.Safety Injection (continued)d.Safety Injection-Pressurizer Pressure-Low Low (continued)
Three channels are required to satisfy the requirements with a two-out-of-three logic. North Anna design utilizes dedicated protection and control
 
channels, and only three protection channels are
 
necessary to satisfy the protective requirements.
The transmitters are located inside containment, with the taps in the vapor space region of the
 
pressurizer, and thus possibly experiencing adverse
 
environmental conditions (LOCA, SLB inside
 
containment, rod ejection). Therefore, the trip
 
setpoint reflects the inclusion of both steady state
 
and adverse environmental instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB
 
inside containment. This signal may be manually
 
blocked by the operator below the P-11 setpoint.
 
Automatic SI actuation below this pressure setpoint
 
is then performed by the Containment Pressure-High
 
signal.This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions
 
are used to detect accident conditions and actuate
 
the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection
 
and mitigation.e.Steam Line Pressure-High Differential Pressure Between Steam Lines Steam Line Pressure-High Differential Pressure Between Steam Lines provides protection against the
 
following accidents:SLB;Feed line break; andInadvertent opening of an SG relief or an SG safety valve.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-11Revision 0 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY1.Safety Injection (continued)e.Steam Line Pressure-High Differential Pressure Between Steam Lines (continued)
Steam Line Pressure-High Differential Pressure Between Steam Lines provides no input to any control
 
functions. Thus, three OPERABLE channels on each
 
steam line are sufficient to satisfy the
 
requirements, with a two-out-of-three logic on each
 
steam line.
With the transmitters located away from the steam lines, it is not possible for them to experience
 
adverse environmental conditions during an SLB event.
 
The trip setpoint reflects only steady state
 
instrument uncertainties. Steam line high differential pressure must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve
 
could result in the rapid depressurization of the
 
steam line(s). This Function is not required to be
 
OPERABLE in MODE 4, 5, or 6 because there is not
 
sufficient energy in the secondary side of the unit
 
to cause an accident.f. g.Safety Injection-High Steam Flow in Two Steam Lines Coincident With T avg-Low Low or Coincident With Steam Line Pressure-Low These Functions (1.f and 1.g) provide protection against the following accidents:SLB; andthe inadvertent opening of an SG relief or an SG
 
safety valve.
Two steam line flow channels per steam line are required OPERABLE for these Functions. The steam line
 
flow channels are combined in a one-out-of-two logic
 
to indicate high steam flow in one steam line. The
 
steam flow transmitters provide control inputs, but
 
the control function cannot cause the events that the
 
Function must protect against. Therefore, two
 
channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows
 
online testing because trip of one high steam flow (continued)
North Anna Units 1 and 2B 3.3.2-12Revision 0 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY1.Safety Injection (continued)f. g.Safety Injection-High Steam Flow in Two Steam Lines Coincident With T avg-Low Low or Coincident With Steam Line Pressure-Low (continued) channel is not sufficient to cause initiation. High steam flow in two steam lines is acceptable in the
 
case of a single steam line fault due to the fact that
 
the remaining intact steam lines will pick up the
 
full turbine load. The increased steam flow in the
 
remaining intact lines will actuate the required
 
second high steam flow trip. Additional protection is
 
provided by Function 1.e, High Differential Pressure
 
Between Steam Lines.
One channel of T avg per loop and one channel of low steam line pressure per steam line are required
 
OPERABLE. For each parameter, the channels for all
 
loops or steam lines are combined in a logic such that
 
two channels tripped will cause a trip for the
 
parameter. The low steam line pressure channels are
 
combined in two-out-of-three logic. Thus, the
 
Function trips on one-out-of-two high flow in any
 
two-out-of-three steam lines if there is
 
one-out-of-one low low T avg trip in any two-out-of-three RCS loops, or if there is a
 
one-out-of-one low pressure trip in any
 
two-out-of-three steam lines. Since the accidents
 
that this event protects against cause both low steam
 
line pressure and low low Tavg , provision of one channel per loop or steam line ensures no single
 
random failure can disable both of these Functions.
 
The steam line pressure channels provide no control
 
inputs. The T avg channels provide control inputs, but the control function cannot initiate events that the
 
Function acts to mitigate.
The Allowable Value for high steam flow is a linear function that varies with power level. The function
 
is a P corresponding to 42% of full steam flow between 0% and 20% load to 111% of full steam flow at
 
100% load. The nominal trip setpoint is similarly
 
calculated.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-13Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY1.Safety Injection (continued)f. g.Safety Injection-High Steam Flow in Two Steam Lines Coincident With T avg-Low Low or Coincident With Steam Line Pressure-Low (continued)
With the transmitters located inside the containment (T avg) or near the steam lines (High Steam Flow), it is possible for them to experience adverse steady
 
state environmental conditions during an SLB event.
 
The trip setpoint reflects only steady state
 
instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 (above P-12) when a secondary side break or stuck
 
open valve could result in the rapid depressurization
 
of the steam line(s). This signal may be manually
 
blocked by the operator wh en below the P-12 setpoint. Above P-12, this Function is automatically unblocked.
This Function is not required OPERABLE below P-12
 
because the reactor is not critical, so steam line
 
break is not a concern. SLB may be addressed by
 
Containment Pressure High (inside containment) or by
 
High Steam Flow in Two Steam Lines coincident with
 
Steam Line Pressure-Low, for Steam Line Isolation, followed by High Differential Pressure Between Two
 
Steam Lines, for SI. This Function is not required to
 
be OPERABLE in MODE 4, 5, or 6 because there is
 
insufficient energy in the secondary side of the unit
 
to cause an accident.2.Containment Spr ay Systems The Containment Spray Systems (Quench Spray (QS) and Recirculation Spray (RS)) provide four primary
 
functions:1.Lowers containment pressure and temperature after an HELB in containment;2.Reduces the amount of radioactive iodine in the containment atmosphere;3.Adjusts the pH of the water in the containment sump after a large break LOCA; and4.Remove heat from containment.
North Anna Units 1 and 2B 3.3.2-14Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY2.Containment Spray Systems (continued)
These functions are necessary to:Ensure the pressure boundary integrity of the containment structure;Limit the release of radioactive iodine to the
 
environment in the event of a failure of the
 
containment structure; andMinimize corrosion of the components and systems
 
inside containment following a LOCA.
The containment spray actuation signal starts the QS pumps and aligns the discharge of the pumps to the
 
containment spray nozzle headers in the upper levels of
 
containment. Water is initially drawn from the RWST by
 
the QS pumps and mixed with a sodium hydroxide solution
 
from the chemical addition tank. When the RWST level
 
reaches the low setpoint coincident with Containment
 
Pressure-High High, the RS pumps receive a start signal.
 
The outside RS pumps start immediately and the inside RS
 
pumps start after a 120-second delay. Water is drawn
 
from the containment sump through heat exchangers and
 
discharged to the RS nozzle headers. When the RWST
 
reaches the low low level setpoint, the Low Head Safety
 
Injection pump suctions are shifted to the containment
 
sump. Containment spray is actuated manually or by
 
Containment Pressure-High High signal. RS is actuated
 
manually or by RWST Level-Low coincident with
 
Containment Pressure-High High.a.Containment Spray-Manual Initiation The operator can initiate containment spray at any time from the control room by simultaneously turning
 
two containment spray actuation switches in the same
 
train. Because an inadvertent actuation of
 
containment spray could have such serious
 
consequences, two switches must be turned
 
simultaneously to initiate containment spray. There
 
are two sets of two switches each in the control room.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-15Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY2.Containment Spray Systems (continued)a.Containment Spray-Manual Initiation (continued)
Simultaneously turning the two switches in either set will actuate containment spray in both trains in the
 
same manner as the automatic actuation signal. Two
 
Manual Initiation switches in each train are required
 
to be OPERABLE to ensure no single failure disables
 
the Manual Initiation Function. Note that Manual Initiation of containment spray also actuates Phase B
 
containment isolation.b.Containment Spray-Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same
 
manner as described for ESFAS Function 1.b.
Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient
 
energy exists in the primary or secondary systems to
 
pose a threat to containment integrity due to
 
overpressure conditions. Manual initiation is also
 
required in MODE 4, even though automatic actuation
 
is not required. In this MODE, adequate time is
 
available to manually actuate required components in
 
the event of a DBA. However, because of the large
 
number of components actuated on a containment spray, actuation is simplified by the use of the manual
 
actuation switches. Automatic actuation logic and
 
actuation relays must be OPERABLE in MODE 4 to
 
support system manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and
 
secondary systems to result in containment
 
overpressure. In MODES 5 and 6, there is also
 
adequate time for the operators to evaluate unit
 
conditions and respond, to mitigate the consequences
 
of abnormal conditions by manually starting
 
individual components.
North Anna Units 1 and 2B 3.3.2-16Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY2.Containment Spray Systems (continued)c.Containment Spray-Containment Pressure This signal provides protection against a LOCA or an SLB inside containment. The transmitters (d/p cells)
 
are located outside of containment with the sensing
 
line (high pressure side of the transmitter) located
 
inside containment. The transmitters and electronics
 
are located outside of containment. Thus, they will
 
not experience any adverse environmental conditions
 
and the Allowable Value reflects only steady state
 
instrument uncertainties.
This is one of few Functions that requires the bistable output to energize to perform its required
 
action. It is not desirable to have a loss of power
 
actuate containment spray, since the consequences of
 
an inadvertent actuation of containment spray could
 
be serious. Note that this Function also has the
 
inoperable channel placed in bypass rather than trip
 
to decrease the probability of an inadvertent
 
actuation.
North Anna uses four channels in a two-out-of-four logic configuration and the Containment Pressure-High
 
High Setpoint Actuates Containment Spray Systems.
 
Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy
 
requirements. Additional redundancy is warranted
 
because this Function is energize to trip.
 
Containment Pressure-High High must be OPERABLE in
 
MODES 1, 2, and 3 when there is sufficient energy in
 
the primary and secondary sides to pressurize the
 
containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary
 
and secondary sides to pressurize the containment and
 
reach the Containment Pressure-High High setpoints.d.RWST Level-Low Coincident with Containment Pressure-High High This signal starts the RS system to provide protection against a LOCA inside containment. The
 
Containment Pressure-High High (ESFAS Function 2.c)
 
signal aligns the RS system for spray flow delivery (e.g., opens isolation valves) but does not start the (continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-17Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY2.Containment Spray Systems (continued)d.RWST Level-Low Coincident with Containment Pressure-High High (continued)
RS pumps. The RWST Level-Low coincident with Containment Pressure-High High provides the automatic
 
start signal for the inside RS and outside RS pumps.
 
Once the coincidence trip is satisfied, the outside
 
RS pumps start immediately and the inside RS pumps
 
start after a 120-second delay. The delay time is
 
sufficient to avoid simultaneous starting of the RS
 
pumps on the same emergency diesel generator. This
 
ESFAS function ensures that adequate water inventory is present in the containment sump to meet the RS sump
 
strainer functional requirements following a LOCA.
 
The RS system is not required for SLB mitigation.
Automatic initiation of RS must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident
 
to occur, and sufficient energy exists in the primary and secondary systems to p ose a threat to containment integrity due to overpressure conditions. The
 
requirement for automatic initiation of RWST
 
Level-Low to be operable in MODES 1, 2, and 3 is
 
consistent with the operability requirements for
 
Containment Pressure-High High. Manual initiation of
 
the RS system is required in MODE 4, even though
 
automatic initiation is not required. In this MODE, adequate time is available to manually actuate
 
required components in the event of a DBA. In MODES 5
 
and 6, there is insufficient energy in the primary
 
and secondary systems to result in containment
 
overpressure. In MODES 5 and 6, there is also
 
adequate time for the operators to evaluate unit
 
conditions and respond to mitigate the consequences
 
of abnormal conditions by manually starting individual components. An operator can initiate RS at
 
any time from the control room by using the pump
 
control switch. The manual function would be used
 
only when adequate water inventory is present in the
 
containment sump to meet the RS sump strainer
 
functional requirements.
North Anna Units 1 and 2B 3.3.2-18Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY (continued)3.Containment Isolation Containment Isolation provides isolation of the
 
containment atmosphere, and all process systems that
 
penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.
There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all
 
automatically isolable process lines, except component
 
cooling water (CC) and instrument air (IA), at a
 
relatively low containment pressure indicative of primary or secondary system leak
: s. A list of the process lines is provided in the Technical Requirements Manual (Ref. 9). For these types of events, forced circulation
 
cooling using the reactor coolant pumps (RCPs) and SGs
 
is the preferred (but not required) method of decay heat
 
removal. Since CC is required to support RCP operation, not isolating CC on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CC on the low
 
pressure signal may force the use of feed and bleed
 
cooling, which could prove more difficult to control.
Phase A containment isolation is actuated automatically by SI, or manually via the automatic actuation logic.
 
All process lines penetrating containment, with the exception of CC and IA, are isolated. CC is not isolated at this time to permit continued operation of the RCPs
 
with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not
 
equipped with remote operated isolation valves are
 
manually closed, or otherwise isolated, prior to
 
reaching MODE 4.
Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either
 
switch actuates both trains.
The Phase B signal isolates CC and IA. This occurs at a relatively high containment pressure that is indicative
 
of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable.
 
Isolating the CC at the higher pressure does not pose a
 
challenge to the containment boundary because the CC (continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-19Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY3.Containment Isolation (continued)
System is a closed loop inside containment. Although some system components do not meet all of the ASME Code
 
requirements applied to the containment itself, the
 
system is continuously pressurized to a pressure greater
 
than the Phase B setpoint. Thus, routine operation
 
demonstrates the integrity of the system pressure
 
boundary for pressures exceeding the Phase B setpoint.
Furthermore, because system pressure exceeds the Phase B
 
setpoint, any system leakage prior to initiation of
 
Phase B isolation would be into containment. Therefore, the combination of CC and IA Systems design and Phase B
 
isolation ensures the CC System is not a potential path
 
for radioactive release from containment.Phase B containment isolation is actuated by Containment Pressure-High High, or manually, via the automatic
 
actuation logic, as previously discussed. For
 
containment pressure to reach a value high enough to
 
actuate Containment Pressure-High High, a large break
 
LOCA or SLB must have occurred. RCP operation will no
 
longer be required and CC to the RCPs is, therefore, no
 
longer necessary. The RCPs can be operated with seal
 
injection flow alone and without CC flow to the thermal
 
barrier heat exchanger.
Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When
 
the two switches in either set are turned
 
simultaneously, Phase B Containment Isolation and
 
Containment Spray will be actuated in both trains.a.Containment Isolation-Phase A Isolation(1)Phase A Isolation-Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room.
 
Either switch actuates both trains.(2)Phase A Isolation-Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the
 
same manner as described for ESFAS Function 1.b.
North Anna Units 1 and 2B 3.3.2-20Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY3.Containment Isolation (continued)a.Containment Isolation-Phase A Isolation (continued)
Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to
 
occur. Manual initiation is also required in MODE 4
 
even though automatic actuation is not required. In
 
this MODE, adequate time is available to manually
 
actuate required components in the event of a DBA, but because of the large number of components
 
actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual
 
actuation switches. Automatic actuation logic and
 
actuation relays must be OPERABLE in MODE 4 to
 
support system manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or
 
secondary systems to pressurize the containment to
 
require Phase A Containment Isolation. There also is
 
adequate time for the operator to evaluate unit
 
conditions and manually actuate individual isolation
 
valves in response to abnormal or accident
 
conditions.(3)Phase A Isolation-Safety Injection Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A
 
Containment Isolation requirements for these
 
Functions are the same as the requirements for
 
their SI function. Therefore, the requirements
 
are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating
 
Functions and requirements.b.Containment Isolation-Phase B Isolation Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and
 
Actuation Relays, and by Containment Pressure
 
channels (the same channels that actuate Containment
 
Spray Systems, Function 2). The Containment Pressure trip of Phase B Containment Isolation is energized to
 
trip in order to minimize the potential of spurious
 
trips that may damage the RCPs.(1)Phase B Isolation-Manual Initiation ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-21Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY3.Containment Isolation (continued)b.Containment Isolation-Phase B Isolation (continued)(2)Phase B Isolation-Automatic Actuation Logic and Actuation Relays Manual and automatic initiation of Phase B containment isolation must be OPERABLE in
 
MODES 1, 2, and 3, when there is a potential for
 
an accident to occur. Manual initiation is also
 
required in MODE 4 even though automatic actuation is not required. In this MODE, adequate
 
time is available to manually actuate required
 
components in the event of a DBA. However, because of the large number of components
 
actuated on a Phase B containment isolation, actuation is simplified by the use of the
 
Containment Spray manual actuation switches.
Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system
 
manual initiation. In MODES 5 and 6, there is
 
insufficient energy in the primary or secondary
 
systems to pressurize the containment to require
 
Phase B containment isolation. There also is
 
adequate time for the operator to evaluate unit
 
conditions and manually actuate individual
 
isolation valves in response to abnormal or
 
accident conditions.(3)Phase B Isolation-Containment Pressure The basis for containment pressure MODE applicability is as discussed for ESFAS
 
Function 2.c above.4.Steam Line IsolationIsolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid
 
isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam trip valves (MSTVs), inside
 
or outside of containment, closure of the MSTVs limits
 
the accident to the blowdown from only the affected SG.
For an SLB downstream of th e MSTVs, closure of the MSTVs terminates the accident.
North Anna Units 1 and 2B 3.3.2-22Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY4.Steam Line Isolation (continued)a.Steam Line Isolation-Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two switches for each MSTV in the control room and either
 
switch can initiate action to immediately close that
 
MSTV. Following a SG tube rupture, the operator will
 
isolate the main steam side (close the MSTV) of the
 
ruptured SG. The LCO requires two channels to be
 
OPERABLE for each MSTV.b.Steam Line Isolation-Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same
 
manner as described for ESFAS Function 1.b.
Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is
 
sufficient energy in the RCS and SGs to have an SLB or
 
other accident. This could result in the release of
 
significant quantities of energy and cause a cooldown of
 
the primary system. The St eam Line Isolation Function is required in MODES 2 and 3 unless all MSTVs are closed
 
and de-activated. In MODES 4, 5, and 6, there is
 
insufficient energy in the RCS and SGs to experience an
 
SLB or other accident releasing significant quantities
 
of energy.c.Steam Line Isolation-Containment Pressure-Intermediate High High This Function actuates closure of the MSTVs in the event of a LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release
 
to containment. The transmitters (d/p cells) are
 
located outside containment with the sensing line (high pressure side of the transmitter) located
 
inside containment. Containment Pressure-Intermediate High High provides no input to any control functions.
 
Thus, two OPERABLE channels are sufficient to satisfy
 
protective requirements with one-out-of-two logic.
 
However, for enhanced reliability, this Function was (continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-23Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY4.Steam Line Isolation (continued)c.Steam Line Isolation-Containment Pressure-Intermediate High High (continued) designed with three channels and a two-out-of-three logic. The transmitters and electronics are located
 
outside of containment. Thus, they will not
 
experience any adverse environmental conditions, and
 
the trip setpoint reflects only steady state
 
instrument uncertainties.
Containment Pressure-Intermediate High High must be OPERABLE in MODES 1, 2, and 3, when there is
 
sufficient energy in the primary and secondary side
 
to pressurize the containment following a pipe break.
This would cause a significant increase in the containment pressure, thus allowing detection and
 
closure of the MSTVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all
 
MSTVs are closed and de-activated. In MODES 4, 5, and 6, there is not enough energy in the primary and
 
secondary sides to pressurize the containment to the
 
Containment Pressure-Intermediate High High setpoint.d. e.Steam Line Isolation-High Steam Flow in Two Steam Lines Coincident with T avg-Low Low or Coincident With Steam Line Pressure-Low These Functions (4.d and 4.e) provide closure of the MSTVs during an SLB or inadvertent opening of an SG
 
relief or a safety valve, to maintain at least one
 
unfaulted SG as a heat sink for the reactor and to
 
limit the mass and energy release to containment.
These Functions were discussed previously as Functions 1.f. and 1.g.
These Functions must be OPERABLE in MODES 1 and 2, and in MODE 3, when a secondary side break or stuck
 
open valve could result in the rapid depressurization
 
of the steam lines unless all MSTVs are closed and
 
de-activated. These Functions are not required to be
 
OPERABLE in MODES 4, 5, and 6 because there is
 
insufficient energy in the secondary side of the unit
 
to have an accident.
North Anna Units 1 and 2B 3.3.2-24Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY (continued)5.Turbine Trip and Feedwater Isolation The primary functions of the Turbine Trip and Feedwater
 
Isolation signals are to prevent damage to the turbine
 
due to water in the steam lines, and to stop the
 
excessive flow of feedwater into the SGs. These
 
Functions are necessary to mitigate the effects of a
 
high water level in the SGs, which could result in
 
carryover of water into the steam lines and excessive
 
cooldown of the primary system. The SG high water level
 
is due to excessive feedwater flows.The Function is actuated when the level in any SG exceeds the high high setpoint, and performs the following
 
functions:Trips the main turbine;Trips the MFW pumps;Initiates feedwater isolation by closing the Main
 
Feedwater Isolation Valves (MFIVs); andShuts the MFW regulating valves and their associated
 
bypass valves.
This Function is actuated by SG Water Level-High High, or by an SI signal. In the event of SI, the MFW System is
 
automatically secured and isolated and the AFW System is
 
automatically started. The SI signal was discussed
 
previously.a.Turbine Trip and Feedwater Isolation-Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same
 
manner as described for ESFAS Function 1.b.b.Turbine Trip and Feedwater Isolation-Steam Generator Water Level-High High (P-14)
This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments
 
provide input to the SG Water Level Control System.
 
The SG Water Level-High High trip is provided from
 
the narrow range instrumentation span from each SG.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-25Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY5.Turbine Trip and Feedwater Isolation (continued)b.Turbine Trip and Feedwater Isolation-Steam Generator Water Level-High High (P-14) (continued)
North Anna has only three channels that are shared between protection and control functions and
 
justification is provided in NUREG-1218 (Ref. 7).
The transmitters (d/p cells) are located inside containment. However, the events that this Function protects against cannot cause a severe environment in
 
containment. Therefore, the trip setpoint reflects
 
only steady state instrument uncertainties.c.Turbine Trip and Feedwater Isolation-Safety Injection Turbine Trip and Feedwater Isolation is also initiated by all Functions that initiate SI. The
 
Feedwater Isolation Function requirements for these
 
Functions are the same as the requirements for their
 
SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is
 
referenced for all initiating functions and
 
requirements.
Turbine Trip and Feedwater Isolation Functions must be OPERABLE in MODES 1, 2, and 3 when the MFW System is in operation and the turbine generator may be in operation.
These functions are not required to be OPERABLE in
 
MODES 2 and 3 when all MFW pump discharge valves or all
 
MFIVs, MFRVs, and associated bypass valves are closed
 
and de-activated or isolated by a closed manual valve.
 
In MODES 4, 5, and 6, the MFW System and the turbine
 
generator are not in service and this Function is not
 
required to be OPERABLE.6.Auxiliary Feedwater The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW
 
System is not available. The system has two motor driven
 
pumps and a turbine driven pump, making it available
 
during normal unit operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break.
 
The normal source of water for the AFW System is the (continued)
North Anna Units 1 and 2B 3.3.2-26Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY6.Auxiliary Feedwater (continued)
Emergency condensate storage tank (ECST). The AFW System is aligned so that upon a pump start, flow is initiated
 
to the respective SG immediately.a.Auxiliary Feedwater-Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same
 
manner as described for ESFAS Function 1.b.b.Auxiliary Feedwater-Steam Generator Water Level-Low Low SG Water Level-Low Low provides protection against a loss of heat sink. A feed line break, inside or
 
outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water Level-Low
 
Low provides input to the SG Level Control System.
 
Three protection channels are necessary to satisfy
 
the protective requirements. These channels are
 
shared between protection and control functions and
 
justification is provided in Reference 7.
With the transmitters (d/p cells) located inside containment and thus possibly experiencing adverse
 
environmental conditions (feed line break), the trip
 
setpoint reflects the inclusion of both steady state
 
and adverse environmental instrument uncertainties.c.Auxiliary Feedwater-Safety Injection An SI signal starts the motor driven and turbine driven AFW pumps. The AFW initiation functions are
 
the same as the requirements for their SI function.
 
Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced
 
for all initiating functions and requirements.d.Auxiliary Feedwater-Loss of Offsite Power A loss of offsite power to the transfer buses may be accompanied by a loss of reactor coolant pumping
 
power and the subsequent need for some method of
 
decay heat removal. The loss of offsite power is (continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-27Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY6.Auxiliary Feedwater (continued)d.Auxiliary Feedwater-Loss of Offsite Power (continued) detected by a voltage drop on each transfer bus. Loss of power to the transfer b us will start all AFW pumps to ensure that at least one SG contains enough water
 
to serve as the heat sink for reactor decay heat and
 
sensible heat removal following the reactor trip.
Functions 6.a through 6.d must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. SG Water Level-Low Low in any SG will cause
 
all AFW pumps to start. The system is aligned so that
 
upon a start of the pump, water immediately begins to
 
flow to the SGs. These Functions do not have to be
 
OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be
 
OPERABLE because either RCS Loop(s) or residual heat
 
removal (RHR) will already be in operation to remove
 
decay heat or sufficient time is available to manually
 
place either system in operation.e.Auxiliary Feedwater-Trip of All Main Feedwater Pumps A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay
 
heat and sensible heat removal to bring the reactor
 
back to no load temperature and pressure. Motor
 
driven MFW pumps are equipped with a breaker position
 
sensing device. An open supply breaker indicates that
 
the pump is not running. Two OPERABLE channels per
 
pump satisfy redundancy requirements with
 
one-out-of-two logic on each MFW pump. A trip of all
 
MFW pumps starts the motor driven and turbine driven AFW pumps to ensure that at least one SG is available with water to act as the heat sink for the reactor.
Function 6.e must be OPERABLE in MODES 1 and 2. This ensures that at least one SG is provided with water to
 
serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES 3, 4, and 5, the RCPs and MFW pumps may be normally shut down, and thus neither pump trip is indicative of a condition
 
requiring automatic AFW initiation.
North Anna Units 1 and 2B 3.3.2-28Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY (continued)7.Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST
 
will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the
 
containment sump. The low head safety injection (LHSI)
 
pumps and inside and outside recirculation spray pumps
 
draw the water from the containment sump, the LHSI pumps pump the water back into th e RCS. The Inside and Outside Recirculation Spray pumps circulate water through the
 
heat exchangers to the spray rings and supplies water to
 
the containment sump. Switchover from the RWST to the
 
containment sump must occur before the RWST empties to
 
prevent damage to the LHSI pumps and a loss of core cooling capability. For similar reasons, switchover must
 
not occur before there is sufficient water in the
 
containment sump to support ESF pump suction.
 
Furthermore, early switchover must not occur to ensure
 
that sufficient borated water is injected from the RWST.
 
This ensures the reactor remains shut down in the
 
recirculation mode.a.Automatic Switchover to Containment Sump-Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same
 
manner as described for ESFAS Function 1.b.b.Automatic Switchover to Containment Sump-Refueling Water Storage Tank (RWST) Level-Low Low Coincident With Safety Injection During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in
 
the RWST coincident with an SI signal provides
 
protection against a loss of water for the ECCS pumps
 
and indicates the end of the injection phase of the
 
LOCA. The RWST is equipped with four level
 
transmitters. These transmitters provide no control
 
functions. Therefore, a two-out-of-four logic is
 
adequate to initiate the protection function
 
actuation. Although only three channels would be
 
sufficient, a fourth channel has been added for
 
increased reliability.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-29Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY7.Automatic Switchover to Containment Sump (continued)b.Automatic Switchover to Containment Sump-Refueling Water Storage Tank (RWST) Level-Low Low Coincident With Safety Injection (continued)
The RWST-Low Low Allowable Value has both upper and lower limits. The lower limit is selected to ensure
 
switchover occurs before the RWST empties, to prevent
 
ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the
 
reactor remains shut down. The high limit also
 
ensures adequate water inventory in the containment
 
sump to provide ECCS pump suction.
The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they
 
will not experience any adverse environmental
 
conditions and the Allowable Value reflects only
 
steady state instrument uncertainties.
Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents
 
accidental switchover during normal operation.
 
Accidental switchover could damage ECCS pumps if they
 
are attempting to take suction from an empty sump.
 
The automatic switchover Function requirements for
 
the SI Functions are the same as the requirements for
 
their SI function. Therefore, the requirements are
 
not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and
 
requirements.
These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS
 
pumps. These Functions are not required to be
 
OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and
 
respond by manually starting systems, pumps, and
 
other equipment to mitigate the consequences of an
 
abnormal condition or accident. System pressure and
 
temperature are very low and many ESF components are
 
administratively locked out or otherwise prevented
 
from actuating to prevent inadvertent
 
overpressurization of unit systems.
North Anna Units 1 and 2B 3.3.2-30Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY (continued)8.Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several
 
interlocks are included as part of the ESFAS. These
 
interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions
 
from occurring, and cause other actions to occur. The
 
interlock Functions back up manual actions to ensure
 
bypassable functions are in operation under the
 
conditions assumed in the safety analyses.a.Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open. Once the P-4 interlock is enabled, automatic SI reinitiation is blocked after a 60 second time delay.
 
This Function allows operators to take manual control
 
of SI systems after the initial phase of injection is
 
complete. Once SI is blocked, automatic actuation of
 
SI cannot occur until the RTBs have been manually
 
closed, resetting the P-4 interlock. The functions of
 
the P-4 interlock are: (continued)FunctionPurposeRequired MODES Isolate MFW regulating valves
 
with coincident
 
low T avg Feedwater
 
isolation 1, 2 Trip the main turbine Prevents excessive cooldown, thereby Condition II event
 
does not propagate
 
to Condition III
 
event 1, 2 ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-31Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4 (continued)(continued)FunctionPurposeRequired MODES Prevent automatic reactuation of SI
 
after a manual
 
reset of SI Allows alignment of ECCS for
 
recirculation
 
mode, prevents
 
subsequent
 
inadvertent
 
alignment to
 
injection mode by
 
auto SI 1, 2, 3 North Anna Units 1 and 2B 3.3.2-32Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4 (continued)(continued)
Function Purpose Required MODES Reset high steam flow setpoint to
 
no-load value1.SI-High Steam flow in Two
 
Steam Lines
 
Coincident With
 
Steam Line
 
Pressure-Low2.SI-High Steam Flow in Two
 
Steam Lines
 
Coincident With
 
T avg-Low Low3.Steam Line Isolation-High Steam Flow in Two Steam
 
Lines Coincident With
 
Steam Line
 
Pressure-Low4.Steam Line Isolation-High Steam Flow
 
in Two Steam
 
Lines Coincident With
 
T avg-Low Low Ensures setpoint
 
is reset to
 
low/zero power
 
reference value
 
following plant
 
trip, regardless
 
of turbine first
 
stage pressure
 
indication 1, 2, 3 (function
 
not required if
 
MSTVs are closed
 
and deactivated)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-33Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4 (continued)
Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS
 
following a reactor trip. An excessive cooldown of
 
the RCS following a reactor trip could cause an
 
insertion of positive reactivity with a subsequent
 
increase in core power. Addition of feedwater to a
 
steam generator associated with a steamline or
 
feedline break could result in excessive containment
 
building pressure. To avoid such a situation, the
 
noted Functions have been interlocked with P-4 as
 
part of the design of the unit control and protection
 
system.The turbine trip Function is explicitly assumed in the non-LOCA analysis since it is an immediate
 
consequence of the reactor trip Function. Block of
 
the auto SI signals is required to support long-term
 
ECCS operation in the post-LOCA recirculation mode.
The RTB position switches that provide input to the P-4 interlock only function to energize or
 
de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with
 
which to associate an Allowable Value.
This Function must be OPERABLE in MODES 1, 2, and 3, as noted above, when the reactor may be critical or
 
approaching criticality or support of the (continued)FunctionPurposeRequired MODES Prevent opening of the MFW regulating
 
valves if they
 
were closed on SI
 
or SG Water Level
-High High Seal-in feedwater isolation to
 
prevent inadvertent
 
feeding of
 
depressurized SG 1, 2, 3 North Anna Units 1 and 2B 3.3.2-34Revision 31 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE
 
SAFETY ANALYSES, LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4 (continued) auto SI block function is required. This Function does not have to be OPERABLE in MODES 4, 5, or 6
 
because the main turbine and the MFW System are not
 
required to be in operation.b.Engineered Safety Feature Actuation System Interlocks-Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI. With
 
two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer
 
Pressure-Low Low SI signal. Additionally, the P-11
 
signal blocks the automatic opening of the
 
pressurizer power operated relief valves (PORVs).
With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure-Low
 
Low SI signal is automatically enabled. The operator
 
can also enable this function by use of the
 
respective manual reset switches. The automatic
 
opening capability for the pressurizer PORVs is
 
reinstated above the P-11 setpoint. The ECCS
 
accumulator isolation valves will receive an
 
automatic open signal when pressurizer pressure
 
exceeds the P-11 setpoint. The Allowable Value
 
reflects only steady state instrument uncertainties.
 
This Function must be OPERABLE in MODES 1, 2, and 3
 
to allow an orderly cooldown and depressurization of
 
the unit without the actuation of SI. This Function
 
does not have to be OPERABLE in MODE 4, 5, or 6
 
because system pressure must already be below the
 
P-11 setpoint for the requirements of the heatup and
 
cooldown curves to be met.c.Engineered Safety Feature Actuation System Interlocks-T avg-Low Low, P-12 On increasing reactor coolant temperature, the P-12 interlock reinstates SI on High Steam Flow Coincident (continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-35Revision 31 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)c.Engineered Safety Feature Actuation System Interlocks-T avg-Low Low, P-12 (continued)
With Steam Line Pressure-Low or Coincident With T avg-Low Low. On decreasing reactor coolant temperature, the P-12 interlock allows the operator
 
to manually block SI on High Steam Flow Coincident
 
With Steam Line Pressure-Low or Coincident with
 
T avg-Low Low. On a decreasing temperature, the P-12 interlock also provides a blocking signal to the Steam Dump System to prevent an excessive cooldown of the RCS due to a malfunctioning Steam Dump System.
Since T avg is used as an indication of bulk RCS temperature, this Function meets redundancy
 
requirements with one OPERABLE channel in each loop.
 
These channels are used in two-out-of-three logic.
This Function must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could
 
result in the rapid depressurization of the steam
 
lines. This Function does not have to be OPERABLE in
 
MODE 4, 5, or 6 because there is insufficient energy
 
in the secondary side of the unit to have an accident.
The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this
 
Specification may be entered independently for each Function
 
listed on Table 3.3.2-1.In the event a channel's trip setpoint is found
 
nonconservative with respect to the Allowable Value, or the
 
transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, t hen all affected Functions provided by that channel must be declared inoperable and the
 
LCO Condition(s) entered for the protection Function(s)
 
affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for
 
each steam line, loop, SG, etc., as appropriate.(continued)
North Anna Units 1 and 2B 3.3.2-36Revision 31 ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)
When the number of inoperable channels in a trip function
 
exceed those specified in one or other related Conditions
 
associated with a trip function, then the unit is outside the
 
safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable
 
at the same time. The Required Action is to refer to
 
Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are
 
those from the referenced Conditions and Required Actions.
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:SI;Containment Spray; andPhase A Isolation.
This action addresses the train orientation of the SSPS for
 
the functions listed above. If a channel or train is
 
inoperable, 48 hours is allowed to return it to an OPERABLE status. Note that for containment spray isolation, failure
 
of one or both channels in one train renders the train
 
inoperable. The manual initiation for Phase B Containment isolation is provided by the containment spray manual
 
switches. Condition B, therefore, encompasses both situations. The specified Completion Time is reasonable
 
considering that there are two automatic actuation trains
 
and another manual initiation train OPERABLE for each
 
Function, and the low probability of an event occurring
 
during this interval. If the train cannot be restored to
 
OPERABLE status, the unit must be placed in a MODE in which
 
the LCO does not apply. This is done by placing the unit in
 
at least MODE 3 within an additional 6 hours (54 hours total time) and in MODE 5 within an additional 30 hours (84 hours total time). The allowable Completion Times are reasonable, based on operating experience, to reach the required unit
 
conditions from full power conditions in an orderly manner
 
and without challenging unit systems.
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-37Revision 31 ACTIONS (continued)
C.1, C.2.1, and C.2.2 Condition C applies to the automatic actuation logic and actuation relays for the following functions:SI;Containment Spray;Phase A Isolation;Phase B Isolation; andAutomatic Switchover to Containment Sump.
This action addresses the train orientation of the SSPS and
 
the master and slave relays. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The specified Completion Time is reasonable
 
considering that there is another train OPERABLE, and the
 
low probability of an event occurring during this interval.
If the train cannot be restored to OPERABLE status, the unit
 
must be placed in a MODE in which the LCO does not apply.
This is done by placing the unit in at least MODE 3 within an additional 6 hours (30 hours total time) and in MODE 5 within an additional 30 hours (60 hours total time). The Completion Times are reasonable, based on operating
 
experience, to reach the required unit conditions from full
 
power conditions in an orderly manner and without
 
challenging unit systems.
The Required Actions are modified by a Note that allows one
 
train to be bypassed for up to 4 hours for surveillance testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of Reference 8 that 4 hours is the average time required to perform channel surveillance.
D.1, D.2.1, and D.2.2 Condition D applies to:Containment Pressure-High;Pressurizer Pressure-Low Low;Steam Line Differential Pressure-High; North Anna Units 1 and 2B 3.3.2-38Revision 31 ESFAS Instrumentation B 3.3.2 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued)High Steam Flow in Two Steam Lines Coincident With T avg-Low Low or Coincident With Steam Line Pressure-Low;Containment Pressure-Intermediate High High;SG Water Level-Low Low;SG Water Level-High High (P-14); andRWST Level-Low Coincident With Containment Pressure
 
High High.If one channel is inoperable, 72 hours are allowed to restore the channel to OPERABLE status or to place it in the
 
tripped condition. Generally this Condition applies to
 
functions that operate on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to
 
place the Function in a one-out-of-two configuration that
 
satisfies redundancy requirements.Failure to restore the inoperable channel to OPERABLE status
 
or place it in the tripped condition within 72 hours requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours.The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows the
 
inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The 72 hours allowed to restore the channel to OPERABLE status or to place the
 
inoperable channel in the tripped condition, and the
 
12 hours allowed for testing, are justified in Reference 8.E.1, E.2.1, and E.2.2 Condition E applies to:Containment Spray Containment Pressure-High High; and ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-39Revision 31 ACTIONS E.1, E.2.1, and E.2.2 (continued)Containment Phase B Isolation Containment Pressure-High High.None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable
 
protective requirements. However, a two-out-of-three design would require tripping a fail ed channel. This is undesirable because a single failure would then cause spurious
 
containment spray initiation. Spurious spray actuation is
 
undesirable because of the cleanup problems presented.
 
Therefore, these channels are designed with two-out-of-four
 
logic so that a failed channel may be bypassed rather than
 
tripped. Note that one channel may be bypassed and still
 
satisfy the single failure criterion. Furthermore, with one
 
channel bypassed, a single instrumentation channel failure
 
will not spuriously initiate containment spray.
To avoid the inadvertent actuation of containment spray and
 
Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is
 
bypassed. Restoring the channel to OPERABLE status, or
 
placing the inoperable channel in the bypass condition
 
within 72 hours, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function
 
may be in a partial trip condition (assuming the inoperable
 
channel has failed high). The Completion Time is further justified based on the low probability of an event occurring
 
during this interval. Failure to restore the inoperable
 
channel to OPERABLE status, or place it in the bypassed
 
condition within 72 hours, requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
 
conditions from full power conditions in an orderly manner
 
and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows one
 
additional channel to be bypassed for up to 12 hours for surveillance testing. Placing a second channel in the bypass
 
condition for up to 12 hours for testing purposes is acceptable based on the results of Reference
: 8.
North Anna Units 1 and 2B 3.3.2-40Revision 31 ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)
F.1, F.2.1, and F.2.2 Condition F applies to:Manual Initiation of Steam Line Isolation;Loss of Offsite Power; andP-4 Interlock.
For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. For
 
the Loss of Offsite Power Function, this action recognizes the lack of manual trip provision for a failed channel. If a
 
train or channel is inoperable, 48 hours is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the
 
available redundancy, and the low probability of an event
 
occurring during this interval. If the Function cannot be
 
returned to OPERABLE status, the unit must be placed in
 
MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power in an orderly
 
manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions
 
that require the explicit use of the protection functions
 
noted above.
G.1, G.2.1, and G.2.2 Condition G applies to the automatic actuation logic and actuation relays for the Steam Line Isolation, Turbine Trip
 
and Feedwater Isolation, and AFW actuation Functions.
The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train
 
is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The Completion Time for restoring a train
 
to OPERABLE status is reasonable considering that there is
 
another train OPERABLE, and the low probability of an event
 
occurring during this interval. If the train cannot be
 
returned to OPERABLE status, the unit must be brought to
 
MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an (continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-41Revision 31 ACTIONS G.1, G.2.1, and G.2.2 (continued) orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this
 
MODE, the unit does not have analyzed transients or
 
conditions that require the explicit use of the protection
 
functions noted above.
The Required Actions are modified by a Note that allows one
 
train to be bypassed for up to 4 hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref.
: 8) assumption that 4 hours is the average time required to perform channel surveillance.
H.1 and H.2 Condition H applies to the AFW pump start on trip of all MFW pumps.This action addresses the train orientation of the SSPS for
 
the auto start function of the AFW System on loss of all MFW pumps. The OPERABILITY of the AFW System must be assured by
 
allowing automatic start of the AFW System pumps. If a
 
channel is inoperable, 48 hours are allowed to return it to an OPERABLE status. If the function cannot be returned to an OPERABLE status, 6 hours are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without
 
challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the
 
explicit use of the protection function noted above. The
 
allowance of 48 hours to return the train to an OPERABLE status is justified in Reference 8.I.1, I.2.1, and I.2.2 Condition I applies to:RWST Level-Low Low Coincident with Safety Injection.
RWST Level-Low Low Coincident With SI provides actuation of switchover to the containment sump. Note that this Function requires the bistables to ene rgize to perform their required action. The failure of up to two channels will not prevent (continued)
North Anna Units 1 and 2B 3.3.2-42Revision 31 ESFAS Instrumentation B 3.3.2 BASES ACTIONS I.1, I.2.1, and I.2.2 (continued) the operation of this Function. However, placing a failed
 
channel in the tripped condition could result in a premature
 
switchover to the sump, prior to the injection of the minimum
 
volume from the RWST. Placing the inoperable channel in
 
bypass results in a two-out-of-three logic configuration, which satisfies the requirement to allow another failure
 
without disabling actuation of the switchover when required.
Restoring the channel to OPERABLE status or placing the
 
inoperable channel in the bypass condition within 72 hours is sufficient to ensure that the Function remains OPERABLE, and minimizes the time that the Function may be in a partial
 
trip condition (assuming the inoperable channel has failed
 
high). The 72 hour Completion Time is justified in a plant-specific risk assessment, consistent with Reference
: 8. If the channel cannot be returned to OPERABLE status or
 
placed in the bypass condition within 72 hours, the unit must be brought to MODE 3 within the following 6 hours and MODE 5 within the next 30 hours. The allowed Completion Times are reasonable, based on operating experience, to
 
reach the required unit conditions from full power conditions in an orderly man ner and without challenging unit systems. In MODE 5, the unit does not have any analyzed transients or conditions that require the explicit use of
 
the protection functions noted above.
The Required Actions are modified by a Note that allows
 
placing a second channel in the bypass condition for up to
 
12 hours for surveillance testing. The total of 78 hours to reach MODE 3 and 12 hours for a second channel to be bypassed is acceptable based on the results of a plant-specific risk
 
assessment, consistent with Reference 8.J.1, J.2.1, and J.2.2 Condition J applies to the P-11 and P-12 interlocks.
With one or more channels inoperable, the operator must
 
verify that the interlock is in the required state for the
 
existing unit condition. The verification that the
 
interlocks are in their proper state may be performed via the
 
Control Room permissive status lights. This action manually
 
accomplishes the function of the interlock. Determination
 
must be made within 1 hour. The 1 hour Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown (continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-43Revision46 ACTIONS J.1, J.2.1, and J.2.2 (continued) actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the
 
required state) for the existing unit condition, the unit
 
must be placed in MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems. Placing
 
the unit in MODE 4 removes all requirements for OPERABILITY of these interlocks.
SURVEILLANCE
 
REQUIREMENTS The SRs for each ESFAS Function are identified by the SRs
 
column of Table 3.3.2-1.A Note has been added to the SR Table to clarify that
 
Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.
Note that each channel of process protection supplies both
 
trains of the ESFAS. When testing channel I, train A and train B must be examined. Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the
 
assumptions used in analytically calculating the required
 
channel accuracies.
SR  3.3.2.1 Performance of the CHANNEL CHECK ensures that a gross
 
failure of instrumentation has not occurred. A CHANNEL CHECK
 
is normally a comparison of the parameter indicated on one
 
channel to a similar parameter on other channels. It is based
 
on the assumption that instrument channels monitoring the
 
same parameter should read approximately the same value.
 
Significant deviations between the two instrument channels
 
could be an indication of excessive instrument drift in one
 
of the channels or of something even more serious. A CHANNEL
 
CHECK will detect gross channel failure; thus, it is key to
 
verifying the instrumentation continues to operate properly
 
between each CHANNEL CALIBRATION.(continued)
North Anna Units 1 and 2B 3.3.2-44Revision46 ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.2.1 (continued)
Agreement criteria are determined by the unit staff, based
 
on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is
 
outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its
 
limit.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.2.2 SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST.
The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the
 
semiautomatic tester, all possible logic combinations, with
 
and without applicable permissives, are tested for each
 
protection function. This verifies that the logic modules
 
are OPERABLE. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.SR  3.3.2.3 SR 3.3.2.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity
 
check of the slave relay coil. Upon master relay contact
 
operation, a low voltage is injected to the slave relay coil.
This voltage is insufficient to pick up the slave relay, but
 
large enough to demonstrate signal path continuity. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.2.4 SR 3.3.2.4 is the performance of a COT.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-45Revision46 SURVEILLANCE REQUIREMENTS SR  3.3.2.4 (continued)
A COT is performed on each required channel to ensure the
 
entire channel will perform the intended Function. Setpoints
 
must be found within the Allowable Values specified in
 
Table 3.3.2-1. A successful test of the required contact(s) of a channel relay may be performed by the verification of
 
the change of state of a single contact of the relay. This
 
clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical
 
Specifications and non-Technical Specifications tests at
 
least one per refueling interval with applicable extensions.The difference between the current "as found" values and the
 
previous test "as left" values must be consistent with the
 
drift allowance used in the setpoint methodology. The
 
setpoint shall be left set consistent with the assumptions
 
of the current unit specific setpoint methodology.
The COT for the Containment Pressure Channel includes
 
exercising the transmitter by applying either a vacuum or
 
pressure to the appropriate side of the transmitter.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.2.5 SR 3.3.2.5 is the performance of a SLAVE RELAY TEST. The
 
SLAVE RELAY TEST is the energizing of the slave relays.
 
Contact operation is verified in one of two ways. Actuation
 
equipment that may be operated in the design mitigation MODE
 
is either allowed to function, or is placed in a condition
 
where the relay contact operation can be verified without
 
operation of the equipment.
Actuation equipment that may not be operated in the design mitigation MODE is prevented from
 
operation by the SLAVE RELAY TEST circuit. For this latter
 
case, contact operation is verified by a continuity check of
 
the circuit containing the slave relay. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
This SR is modified by a Note that allows an exception for
 
testing of relays which could induce a unit transient, an
 
inadvertent reactor trip or ESF actuation, or cause the
 
inoperability of two or more ESF components.
North Anna Units 1 and 2B 3.3.2-46Revision46 ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.3.2.6 SR 3.3.2.6 is the performance of a TADOT. This test is a check of the Loss of Offsite Power Function. The Function is tested up to, and including, the master relay coils. A
 
successful test of the required contact(s) of a channel
 
relay may be performed by the verification of the change of
 
state of a single contact of the relay. This clarifies what
 
is an acceptable TADOT of a relay. This is acceptable because
 
all of the other required contacts of the relay are verified
 
by other Technical Specifications and non-Technical
 
Specifications tests at least one per refueling interval
 
with applicable extensions.
The SR is modified by a Note that excludes verification of
 
setpoints for relays. Relay setpoints require elaborate
 
bench calibration and are verified during CHANNEL
 
CALIBRATION. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.SR  3.3.2.7 SR 3.3.2.7 is the performance of a TADOT. This test is a check of the Manual Actuation Functions, AFW pump start on
 
trip of all MFW pumps and the P-4 interlock Function, including turbine trip, automatic SI block, and seal-in of
 
feedwater isolation by SI.
Each Manual Actuation Function is tested up to, and
 
including, the master relay coils. A successful test of the
 
required contact(s) of a channel relay may be performed by
 
the verification of the change of state of a single contact
 
of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required
 
contacts of the relay are verified by other Technical
 
Specifications and non-Technical Specifications tests at
 
least one per refueling interval with applicable extensions.
 
In some instances, the test includes actuation of the end
 
device (i.e., pump starts, valve cycles, etc.). The turbine
 
trip (P-4) is independently verified for both trains. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program. However, the P-4 input signals to SSPS actuation logic are normally tested in conjunction with RTB testing under SR 3.3.1.4 on a 31-day staggered test basis.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-47Revision46 SURVEILLANCE REQUIREMENTS SR  3.3.2.7 (continued)
The SR is modified by a Note that excludes verification of
 
setpoints during the TADOT for manual initiation or interlock Functions. The manual initiation Functions have no
 
associated setpoints.
SR  3.3.2.8 SR 3.3.2.8 is the performance of a CHANNEL CALIBRATION.
CHANNEL CALIBRATION is a complete check of the instrument
 
loop, including the sensor. The test verifies that the
 
channel responds to measured parameter within the necessary
 
range and accuracy.
CHANNEL CALIBRATIONS must be performed consistent with the
 
assumptions of the unit specific setpoint methodology. The
 
difference between the current "as found" values and the
 
previous test "as left" values must be consistent with the
 
drift allowance used in the setpoint methodology. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by a Note stating that this test should
 
include verification that the time constants are adjusted to
 
the prescribed values where applicable.
SR  3.3.2.9 This SR ensures the individual channel ESF RESPONSE TIMES
 
are less than or equal to the maximum values assumed in the accident analysis. Response Time testing acceptance criteria
 
are included in the Technical Requirements Manual (Ref.
9).Individual component response times are not modeled in the
 
analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the
 
equipment in both trains reaches the required functional
 
state (e.g., pumps at rated discharge pressure, valves in
 
full open or closed position).(continued)
North Anna Units 1 and 2B 3.3.2-48Revision 31 ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.2.9 (continued)
For channels that include dynamic transfer functions (e.g.,
lag, lead/lag, rate/lag, etc.), the response time test may be performed with the tr ansfer functions set to one with the resulting measured response time compared to the appropriate
 
UFSAR response time. Al ternately, the response time test can be performed with the time constants set to their nominal
 
value provided the required response time is analytically
 
calculated assuming the time constants are set at their
 
nominal values. The response time may be measured by a series
 
of overlapping tests such that the entire response time is
 
measured.Response time may be verified by actual response time tests
 
in any series of sequential, overlapping or total channel
 
measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with
 
actual response time tests on the remainder of the channel.
 
Allocations for sensor response times may be obtained from:
 
(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications.
WCAP-13632-P-A Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" (Ref.
: 10) provides the basis and methodology for using allocated sensor response
 
times in the overall verification of the channel response
 
time for specific sensors identified in the WCAP. Response
 
time verification for other sensor types must be
 
demonstrated by test.
WCAP-14036-P-A Revision 1 "Elimination of Periodic Protection Channel Response Time Tests" (Ref.
: 11) provides the basis and the methodology for using allocated signal
 
processing and actuation logic response times in the overall verification of the protection system channel response time.
 
The allocations for sensor, signal conditioning and
 
actuation logic response times must be verified prior to
 
placing the component in operational service and re-verified
 
following maintenance that may adversely affect response
 
time. In general, electrical repair work does not impact
 
response time provided the parts used for repair are of the
 
same type and value. Specific components identified in the
 
WCAP may be replaced without verification testing. One
 
example where response time could be affected is replacing
 
the sensing assembly of a transmitter.(continued)
ESFAS Instrumentation B 3.3.2 BASESNorth Anna Units 1 and 2B 3.3.2-49Revision46 SURVEILLANCE REQUIREMENTS S R  3.3.2.9 (continued)
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.This SR is modified by a Note that clarifies that the turbine
 
driven AFW pump is tested within 24 hours after reaching 1005 psig in the SGs.
REFERENCES1.UFSAR, Chapter 6.2.UFSAR, Chapter 7.3.UFSAR, Chapter 15.4.IEEE-279-1971.5.10 CFR 50.49.6.RTS/ESFAS Setpoint Methodology Study (Technical Report EE-0116).7.NUREG-1218, April 1988.8.WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990 and WCAP-14333-P-A, Rev.
1, October 1998.9.Technical Requirements Manual.10.WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements,"
 
January 1996.11.WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," December 1995.
Intentionally Blank North Anna Units 1 and 2B 3.3.3-1Revision 0 PAM Instrumentation B 3.3.3 B 3.3  INSTRUMENTATIONB 3.3.3Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display
 
unit variables that provide information required by the
 
control room operators during accident situations. This
 
information provides the necessary support for the operator
 
to take the manual actions for which no automatic control is provided and that are required for safety systems to
 
accomplish their safety functions for Design Basis Accidents (DBAs).The OPERABILITY of the accident monitoring instrumentation
 
ensures that there is sufficient information available on
 
selected unit parameters to monitor and to assess unit
 
status and behavior following an accident.
The availability of accident monitoring instrumentation is
 
important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions
 
can be determined. These essential instruments are
 
identified by Reference 1 addressing the recommendations of Regulatory Guide 1.97 (Ref.
: 2) as required by Supplement 1 to NUREG-0737 (Ref.
3).The instrument channels required to be OPERABLE by this LCO
 
include two classes of parameters identified during unit
 
specific implementation of Regulatory Guide 1.97 as Type A and Category I variables.
Type A variables are included in this LCO because they provide the primary information required for the control
 
room operator to take specific manually controlled actions
 
for which no automatic control is provided, and that are
 
required for safety systems to accomplish their safety
 
functions for DBAs. Primary information is defined as
 
information that is essential for the direct accomplishment
 
of the specific safety functions; it does not include those
 
variables that are associated with contingency actions that
 
may also be identified in written procedures.(continued)
North Anna Units 1 and 2B 3.3.3-2Revision 0 PAM Instrumentation B 3.3.3 BASES BACKGROUND (continued)
Category I variables are the key variables deemed risk significant because they are needed to:Determine whether other systems important to safety are
 
performing their intended functions;Provide information to the operators that will enable them
 
to determine the likelihood of a gross breach of the
 
barriers to radioactivity release; andProvide information regarding the release of radioactive
 
materials to allow for early indication of the need to
 
initiate action necessary to protect the public, and to
 
estimate the magnitude of any impending threat.
These key variables are identified by the plant specific
 
Regulatory Guide 1.97 analyses (Ref.
1). This report identifies the plant specific Type A and Category I variables and provides justification for deviating from the
 
NRC proposed list of Category I variables.
The specific instrument Functions listed in Table 3.3.3-1 are discussed in the LCO section.
APPLICABLE
 
SAFETY ANALYSES The PAM instrumentation ensures the operability of
 
Regulatory Guide 1.97 Type A and Category I variables so that the control room operating staff can:Perform the diagnosis specified in the emergency operating
 
procedures (these variables are restricted to pre-planned
 
actions for the primary success path of DBAs), e.g., loss
 
of coolant accident (LOCA);Take the specified, pre-planned, manually controlled
 
actions, for which no automatic control is provided, and
 
that are required for safety systems to accomplish their
 
safety function;Determine whether systems important to safety are
 
performing their intended functions;Determine the likelihood of a gross breach of the barriers to radioactivity release;Determine if a gross breach of a barrier has occurred; and (continued)
PAM Instrumentation B 3.3.3 BASESNorth Anna Units 1 and 2B 3.3.3-3Revision 0 APPLICABLE SAFETY ANALYSES (continued)Initiate action necessary to protect the public and to
 
estimate the magnitude of any impending threat.
PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii). Category I, non-Type A, instrumentation must be retained in TS because it is intended to assist
 
operators in minimizing the consequences of accidents.
 
Therefore, Category I, non-Type A, variables are important for reducing public risk.
LCO The PAM instrumentation LCO provides OPERABILITY
 
requirements for Regulatory Guide 1.97 Type A monitors, which provide information required by the control room
 
operators to perform ce rtain manual actions specified in the plant Emergency Operating Procedures. These manual actions
 
ensure that a system can accomplish its safety function, and
 
are credited in the safety analyses. Additionally, this LCO
 
addresses Regulatory Guide 1.97 instruments that have been designated Category I, non-Type A.The OPERABILITY of the PAM instrumentation ensures there is
 
sufficient information available on selected unit parameters to monitor and assess unit status following an accident.
 
This capability is consistent with Reference 1.LCO 3.3.3 requires two OPERABLE channels for most Functions.
Two OPERABLE channels ensure no single failure prevents
 
operators from getting the information necessary for them to determine the safety status of the unit, and to bring the
 
unit to and maintain it in a safe condition following an
 
accident.Furthermore, OPERABILITY of two channels allows a CHANNEL
 
CHECK during the post accident phase to confirm the validity
 
of displayed information.
The exception to the two channel requirement is Containment
 
Isolation Valve (CIV) Position. In this case, the important
 
information is the status of the containment penetrations.
 
The LCO requires one position indicator for each active CIV.
 
This is sufficient to redundantly verify the isolation
 
status of each isolable penetration either via indicated
 
status of the active valve and prior knowledge of a passive
 
valve, or via system boundary status. If a normally active
 
CIV is known to be closed and deactivated, position (continued)
North Anna Units 1 and 2B 3.3.3-4Revision 40 PAM Instrumentation B 3.3.3 BASES LCO (continued)indication is not needed to determine status. Therefore, the position indication for val ves in this state is not required to be OPERABLE.
Table 3.3.3-1 lists all Type A and Category I variables identified by the plant specific Regulatory Guide 1.97 analyses (Ref.
1).Reference 1, Technical Report PE-0013, North Anna Power Station Response to Regulatory Guide 1.97 and Reference 4, Technical Requirements Manual (TRM) Section 3.3.9 - Regulatory Guide (RG) 1.97 Instrumentation, provide specific
 
design and qualification requirements for RG 1.97 instrumentation.
Listed below are discussions of the specified instrument
 
Functions listed in Table 3.3.3-1.1, 2.Power Range and Source Range Neutron Flux Power Range and Source Range Neutron Flux indication is
 
provided to verify reactor shutdown. This indication is provided by the Gammametric channels. The two ranges are necessary to cover the full range of flux that may occur post accident.
Neutron flux is used for accident diagnosis, verification of subcriticality, and diagnosis of
 
positive reactivity insertion.3, 4.Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (Wide Ranges)
RCS Hot and Cold Leg Temperature wide range indications are Category I variables provided for verification of
 
core cooling and long term surveillance.
The RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions
 
necessary to establish natural circulation in the RCS.
The channels provide indication over a range of 0&deg;F to 700&deg;F.
PAM Instrumentation B 3.3.3 BASESNorth Anna Units 1 and 2B 3.3.3-5Revision 0 LCO (continued)5.Reactor Coolant System Pressure (Wide Range)
RCS wide range pressure is a Category I variable provided for verification of core cooling and RCS
 
integrity long term surveillance.
RCS pressure is used to verify closure of spray line valves and pressurizer power operated relief valves (PORVs).In addition to these verifications, RCS pressure is used for determining RCS subcooling margin. RCS subcooling
 
margin will allow termination of safety injection (SI),
if still in progress, or reinitiation of SI if it has
 
been stopped. RCS pressure can also be used:to determine whether to terminate actuated SI or to
 
reinitiate stopped SI;to determine when to re set SI and shut off low head SI;to manually restart low head SI;to make a decision on operation of reactor coolant pumps (RCPs); andto make a determination on the nature of the accident
 
in progress and where to go next in the procedure.
RCS subcooling margin is also used for unit stabilization and cooldown control.
RCS pressure is also related to three decisions about depressurization. They are:to determine whether to proceed with primary system
 
depressurization;to verify termination of depressurization; andto determine whether to close accumulator isolation
 
valves during a controlled cooldown/depressurization.
Another use of RCS pressure is to determine whether to operate the pressurizer heaters.(continued)
North Anna Units 1 and 2B 3.3.3-6Revision 0 PAM Instrumentation B 3.3.3 BASES LCO5.Reactor Coolant System Pressure (Wide Range) (continued)
RCS pressure is a Type A variable because the operator uses this indication to monitor subcooling margin during
 
the cooldown of the RCS following a steam generator tube
 
rupture (SGTR) or small break LOCA. Operator actions to
 
maintain a controlled cooldown, such as adjusting steam
 
generator (SG) pressure or level, would use this
 
indication.6.Inadequate Core Cooling Monitoring (ICCM) System The ICCM consists of three functional subsystems. Each subsystem is composed of two instrumentation trains. The
 
three subsystems of ICCM are: the Reactor Vessel Level
 
Instrumentation System (RVLIS); Core Exit Temperature
 
Monitoring (CETM); and Subcooling Margin Monitor (SMM).
 
The functions provided by the subsystems are discussed
 
below.6.aReactor Vessel Level Instrumentation System RVLIS is provided for verification and long term surveillance of core cooling. It is also used to
 
determine reactor coolant inventory adequacy.
The RVLIS provides a measurement of the collapsed liquid level above the upper core plate. The collapsed level
 
represents the amount of liquid mass that is in the
 
reactor vessel above the core. Measurement of the
 
collapsed water level is selected because it is an
 
indication of the water inventory.6.bReactor Coolant System Subcooling Margin Monitor The RCS SMM is a Category I variable provided for verification of core cooling. The SMM subsystem
 
calculates the margin to saturation for the RCS from
 
inputs of wide range RCS pressure transmitters and the
 
average of the five highest temperature core exit
 
thermocouples. The two trains of SMM receive inputs from
 
separate trains of pressure transmitters and core exit
 
thermocouples (CETs).(continued)
PAM Instrumentation B 3.3.3 BASESNorth Anna Units 1 and 2B 3.3.3-7Revision 0LCO6.bReactor Coolant System Subcooling Margin Monitor (continued)
The SMM indicators are redundant to the information provided by the RCS hot and cold leg temperature and RCS wide range pressure indicators. RCS subcooling margin
 
will allow termination of SI, if still in progress, or
 
reinitiating of SI if it has been secured. RCS
 
subcooling margin is also used for unit stabilization, cooldown control, and RCP trip criteria. The SMM
 
indicates the degree of subcooling from -35
&deg;F (superheated) to +200
&deg;F (subcooled).6.cCore Exit Temperature Monitoring CETM is provided for verification and long term surveillance of core cooling. Two OPERABLE CETs per
 
channel are required in each core quadrant to provide
 
indication of radial distribution of the coolant
 
temperature rise across representative regions of the
 
core. Two sets of two thermocouples ensure a single
 
failure will not disable the ability to determine the
 
radial temperature gradient. Monitoring of the CETs is
 
available through the Inadequate Core Cooling Monitor.
 
Different CETs are connected to their respective
 
channel, so a single CET failure does not affect both
 
channels. The following CET indication is provided in
 
the control room:Five hottest thermocouples (ranked from highest to
 
lowest);Maximum, Average, and Minimum temperatures for each
 
quadrant; andAverage of the five high thermocouples.7.Containment Sump Water Level (Wide Range)
Containment Sump Water Level is provided for verification and long term surveillance of RCS
 
integrity.
Containment Sump Water Level is used for accident diagnosis.
North Anna Units 1 and 2B 3.3.3-8Revision 0 PAM Instrumentation B 3.3.3 BASESLCO8, 9.Containment Pressure and Containment Pressure Wide Range (continued)
Containment Pressure and Containment Pressure Wide Range
 
are provided for verification of RCS and containment
 
OPERABILITY.
Containment Pressure channels are used to verify Safety Injection (SI) initiation and Phase A isolation on a
 
Containment Pressure-High signal. These channels are also used to verify closure of the Main Steam Trip Valves
 
on a Containment Pressure-Intermediate High High signal.
 
The Containment Pressure channels are also used to
 
verify initiation of Containment Spray and Phase B
 
isolation on a Containment Pressure-High High signal.10.Penetration Flow Path Containment Isolation Valve Position CIV Position is provided for verification of Containment OPERABILITY, and Phase A and Phase B isolation.
When used to verify Phase A and Phase B isolation, the important information is the isolation status of the
 
containment penetrations. The LCO requires one channel
 
of valve position indication in the control room to be
 
OPERABLE for each active CIV in a containment
 
penetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two
 
active valves. For containment penetrations with only
 
one active CIV having control room indication, Note (b)
 
requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify
 
the isolation status of each isolable penetration either via indicated status of th e active valve, as applicable, and prior knowledge of a passive valve, or via system boundary status. If a n ormally active CIV is known to be closed and deactivated, position indication is not
 
needed to determine status. Therefore, the position indication for valves in this state is not required to be
 
OPERABLE. Note (a) to the Required Channels states that
 
the Function is not required for isolation valves whose
 
associated penetration is isolated by at least one
 
closed and deactivated automatic valve, closed manual
 
valve, blind flange, or check valve with flow through
 
the valve secured. Each penetration is treated
 
separately and each penetration flow path is considered a separate function. Therefore, separate Condition entry
 
is allowed for each inoperable penetration flow path.
PAM Instrumentation B 3.3.3 BASESNorth Anna Units 1 and 2B 3.3.3-9Revision 17 LCO (continued)11.Containment Area Radiation (High Range)
Containment Area Radiation is provided to monitor for the potential of significant radiation releases and to
 
provide release assessment for use by operators in
 
determining the need to invoke site emergency plans.
 
Containment radiation level is used to determine if
 
adverse containment conditions exist.12.Deleted 13.Pressurizer Level Pressurizer Level is used to determine whether to terminate SI, if still in progress, or to reinitiate SI
 
if it has been stopped. Knowledge of pressurizer water
 
level is also used to verify the unit conditions
 
necessary to establish natural circulation in the RCS
 
and to verify that the unit is maintained in a safe
 
shutdown condition.14, 15.Steam Generator Water Level (Wide and Narrow Ranges)
SG Water Level is provided to monitor operation of decay heat removal via the SGs. Both wide and narrow ranges are Category I indications of SG level. The wide range level
 
covers a span of +7 to -41 feet from nominal full load
 
water level. The narrow range instrument covers from +7
 
to -5 feet of nominal full load water level.
The level signals are inputs to the unit computer, control room indicators, and the Auxiliary Feedwater
 
System.SG Water Level is used to:identify the affected SG following a tube rupture;verify that the intact SGs are an adequate heat sink for the reactor;determine the nature of the accident in progress (e.g., verify a SGTR); andverify unit conditions for termination of SI.
North Anna Units 1 and 2B 3.3.3-10Revision 17 PAM Instrumentation B 3.3.3 BASESLCO14, 15.Steam Generator Water Level (Wide and Narrow Ranges)
(continued)
Operator action is based on the control room indication of SG level. The RCS response during a design basis small break LOCA depends on the break size. For a certain range
 
of break sizes, a secondary heat sink is necessary to
 
remove decay heat. Narrow range level is a Type A
 
variable because the operator must manually raise and
 
control SG level.16.Emergency Condensate Storage Tank (ECST) Level ECST Level is provided to ensure water supply for auxiliary feedwater (AFW). The ECST provides the ensured
 
safety grade water supply for the AFW System. Inventory
 
is monitored by a 0% to 100% level indication and ECST
 
Level is displayed on a control room indicator.
The DBAs that require AFW are the loss of offsite electric power, loss of normal feedwater, SGTR, steam
 
line break (SLB), and small break LOCA.
The ECST is the initial source of water for the AFW System. However, as the ECST is depleted, manual
 
operator action is necessary to replenish the ECST.17.Steam Generator Pressure SG pressure is a Category I variable and provides an indication of the integrity of a steam generator. This
 
indication can provide important information in the
 
event of a faulted or ruptured steam generator.18.High Head Safety Injection (HHSI) FlowTotal HHSI flow to the RCS cold legs is a Type A variable and provides an indication of the total borated water supplied to the RCS. For the sm all break LOCA, HHSI flow may be the only source of borated water that is injected
 
into the RCS. Total HHSI flow is a Type A variable
 
because it provides an indication to the operator for
 
the RCP trip criteria.
PAM Instrumentation B 3.3.3 BASESNorth Anna Units 1 and 2B 3.3.3-11Revision 8 APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1, 2, and 3. These variables are related to the diagnosis and pre-planned actions required to mitigate DBAs. The
 
applicable DBAs are assumed to occur in MODES 1, 2, and 3. In MODES 4, 5, and 6, unit conditions are such that the likelihood of an event that would require PAM
 
instrumentation is low; therefore, the PAM instrumentation
 
is not required to be OPERABLE in these MODES.
ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this
 
Specification may be entered independently for each Function
 
listed on Table 3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked
 
separately for each Function starting from the time the
 
Condition was entered for that Function.
A.1 Condition A applies when one or more Functions have one required channel that is inoperable. Required Action A.1 requires restoring the inoperable channel to OPERABLE status
 
within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the case of a Function that has only
 
one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive
 
nature of the instrument (no critical automatic action is
 
assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during
 
this interval.
B.1 Condition B applies when the Required Action and associated Completion Time for Condition A are not met. This Required Action specifies immediate initiation of actions in
 
Specification 5.6.6, which requires a written report to be
 
submitted to the NRC within the following 14 days. This report discusses the results of the root cause evaluation of
 
the inoperability and identifies proposed restorative
 
actions. This action is appropriate in lieu of a shutdown
 
requirement since alternative actions are identified before
 
loss of functional capability, and given the likelihood of
 
unit conditions that would require information provided by
 
this instrumentation.
North Anna Units 1 and 2B 3.3.3-12Revision 46 PAM Instrumentation B 3.3.3 BASES ACTIONS (continued)
C.1 Condition C applies when one or more Functions have two inoperable required channels (i.e., two channels inoperable
 
in the same Function). Required Action C.1 requires restoring one channel in the Function(s) to OPERABLE status
 
within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means
 
to obtain the required information. Continuous operation
 
with two required channels inoperable in a Function is not
 
acceptable because the alternate indications may not fully
 
meet all performance qualification requirements applied to
 
the PAM instrumentation. Therefore, requiring restoration of
 
one inoperable channel of the Function limits the risk that
 
the PAM Function will be in a degraded condition should an
 
accident occur.
D.1 and D.2 If the Required Action and associated Completion Time of
 
Condition D is not met the unit must be brought to a MODE where the requirements of this LCO do not apply. To achieve
 
this status, the unit must be brought to at least MODE 3 within 6 hours and MODE 4 within 12 hours.The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power in an orderly manner and without challenging
 
unit systems.
SURVEILLANCE
 
REQUIREMENTS A Note has been added to the SR Table to clarify that
 
SR 3.3.3.1 and SR 3.3.3.3 apply to each PAM instrumentation Function in Table 3.3.3-1 with the exception that SR 3.3.3.3 is not required to be performed on containment isolation
 
valve position indication. SR 3.3.3.4 is required for the containment isolation valve position indication.
SR  3.3.3.1 Performance of the CHANNEL CHECK ensures that a gross
 
instrumentation failure has not occurred. A CHANNEL CHECK is
 
normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based
 
on the assumption that instrument channels monitoring the
 
same parameter should read (continued)
PAM Instrumentation B 3.3.3 BASESNorth Anna Units 1 and 2B 3.3.3-13Revision 46 SURVEILLANCE REQUIREMENTS SR  3.3.3.1 (continued) approximately the same value. Significant deviations between
 
the two instrument channels could be an indication of
 
excessive instrument drift in one of the channels or of
 
something even more serious. A CHANNEL CHECK will detect
 
gross channel failure; thus, it is key to verifying the
 
instrumentation continues to operate properly between each
 
CHANNEL CALIBRATION. The high radiation instrumentation
 
should be compared to similar unit instruments located
 
throughout the unit.
Agreement criteria are determined by the unit staff, based
 
on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a
 
channel is outside the criteria, it may be an indication that
 
the sensor or the signal processing equipment has drifted
 
outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.As specified in the SR, a CHANNEL CHECK is only required for
 
those channels that are normally energized.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.3.2 Not Used SR  3.3.3.3 CHANNEL CALIBRATION is a complete check of the instrument
 
loop, including the sensor. The test verifies that the
 
channel responds to measured parameter with the necessary
 
range and accuracy. This SR is modified by a Note that
 
excludes neutron detectors. Whenever a sensing element is
 
replaced, the next required CHANNEL CALIBRATION of the CET sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently
 
installed sensing element. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
North Anna Units 1 and 2B 3.3.3-14Revision 46 PAM Instrumentation B 3.3.3 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.3.3.4 SR 3.3.3.4 is the performance of a TADOT of containment isolation valve position indication. This TADOT is performed
 
every 18 months. The test shall independently verify the OPERABILITY of containment isolation valve position
 
indication against the actual position of the valves.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.Technical Report PE-0013.2.Regulatory Guide 1.97, May 1983.3.NUREG-0737, Supplement 1, "TMI Action Items."4.Technical Requirements Manual North Anna Units 1 and 2B 3.3.4-1Revision 0 Remote Shutdown System B 3.3.4 B 3.3  INSTRUMENTATIONB 3.3.4Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room
 
operator with sufficient instrumentation and controls to
 
maintain the unit in a safe shutdown condition from a
 
location other than the control room. This capability is
 
necessary to protect against the possibility that the
 
control room becomes inaccessible. A safe shutdown condition
 
is defined as MODE
: 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator (SG) power
 
operated relief valves (PORVs) can be used to remove core
 
decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate
 
the Reactor Coolant System (RCS) from outside the control
 
room allows extended operation in MODE 3.If the control room becomes inaccessible, the operators can
 
establish control at the auxiliary shutdown panel, and
 
maintain the unit in MODE
: 3. Not all controls and necessary transfer switches are located at the auxiliary shutdown
 
panel. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in
 
MODE 3 for an extended period of time.
The OPERABILITY of the remote shutdown control and
 
instrumentation functions ensures there is sufficient
 
information available on selected unit parameters to
 
maintain the unit in MODE 3 should the control room become inaccessible.
APPLICABLE
 
SAFETY ANALYSES The Remote Shutdown System is required to provide equipment
 
at appropriate locations outside the control room with a
 
capability to maintain the unit in a safe condition in
 
MODE 3.The criteria governing the design and specific system
 
requirements of the Remote Shutdown System are located in
 
Reference 1.The Remote Shutdown System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.3.4-2Revision 0 Remote Shutdown System B 3.3.4 BASES LCO The Remote Shutdown System LCO provides the OPERABILITY
 
requirements of the instrumentation and controls necessary
 
to maintain the unit in MODE 3 from a location other than the control room. The instrumentation and controls required are
 
listed in Table B 3.3.4-1.The controls, instrumentation, and transfer switches are
 
required for:*Core reactivity control (long term);*RCS pressure control;*Decay heat removal via the AFW System and the SG PORVs; and*RCS inventory control via charging flow.
A Function of a Remote Shutdown System is OPERABLE if all
 
instrument and control channels needed to support the Remote Shutdown System Function are OPERABLE. In some cases, Table B 3.3.4-1 may indicate that the required information or control capability is available from several alternate sources. In these cases, the Function is OPERABLE as long as one channel of any of the alternate information or control
 
sources is OPERABLE.
The remote shutdown instrument and control circuits covered
 
by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments and control circuits will be OPE RABLE if unit conditions require that the Remote Shutdown System be placed in operation.
APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3. This is required so that the unit can be maintained in MODE 3 for an extended period of time from a location other than the control room.
This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a
 
condition of reduced RCS energy. Under these conditions, considerable time is available to restore necessary
 
instrument control functions if control room instruments or
 
controls become unavailable.
Remote Shutdown System B 3.3.4 BASESNorth Anna Units 1 and 2B 3.3.4-3Revision 46 ACTIONS A Remote Shutdown System function is inoperable when the function is not accomplished by at least one designed Remote
 
Shutdown System channel that satisfies the OPERABILITY
 
criteria for the channel's Function. These criteria are
 
outlined in the LCO section of the Bases.
A Note has been added to the ACTIONS to clarify the
 
application of Completion Time rules. Separate Condition
 
entry is allowed for each Function. The Completion Time(s)
 
of the inoperable channel(s)/train(s) of a Function will be
 
tracked separately for each Function starting from the time
 
the Condition was entered for that Function.
A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System are
 
inoperable. This includes the control and transfer switches
 
for any required function.
The Required Action is to restore the required Function to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event
 
that would require evacuation of the control room.
B.1 and B.2 If the Required Action and associated Completion Time of
 
Condition A is not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the
 
unit must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.3.4.1 Performance of the CHANNEL CHECK ensures that a gross
 
failure of instrumentation has not occurred. A CHANNEL CHECK
 
is normally a comparison of the parameter indicated on one
 
channel to a similar parameter on other channels. It is based
 
on the assumption that instrument channels monitoring the
 
same parameter should read approximately the same value.
 
Significant deviations between the two instrument channels
 
could be an indication of (continued)
North Anna Units 1 and 2B 3.3.4-4Revision 46 Remote Shutdown System B 3.3.4 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.4.1 (continued) excessive instrument drift in one of the channels or of
 
something even more ser ious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the
 
instrumentation continues to operate properly between each
 
CHANNEL CALIBRATION.
Agreement criteria are determined by the unit staff, based
 
on a combination of the channel instrument uncertainties, including indication and readability. If the channels are
 
within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing
 
equipment has drifted outside its limit.
As specified in the Surveillance, a CHANNEL CHECK is only
 
required for those channels which are normally energized.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.4.2 SR 3.3.4.2 verifies each required Remote Shutdown System control circuit and transfer switch performs the intended
 
function. This verification is performed from the remote shutdown panel and loca lly, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary.
 
The Surveillance can be satisfied by performance of a
 
continuity check. This will ensure that if the control room
 
becomes inaccessible, the unit can be maintained in MODE 3 from the remote shutdown panel and the local control
 
stations. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
Remote Shutdown System B 3.3.4 BASESNorth Anna Units 1 and 2B 3.3.4-5Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.3.4.3 CHANNEL CALIBRATION is a complete check of the instrument
 
loop and the sensor. The test verifies that the channel
 
responds to a measured parameter within the necessary range
 
and accuracy.
Whenever a sensing element is replaced, the next required
 
CHANNEL CALIBRATION of the resistance temperature detector (RTD) sensors is accomplished by an inplace cross
 
calibration that compares the other sensing elements with
 
the recently installed sensing element.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Chapter
: 3.
North Anna Units 1 and 2B 3.3.4-6Revision 0 Remote Shutdown System B 3.3.4 Table B 3.3.4-1 (page 1 of 1)Remote Shutdown System Instrumentation and Controls FUNCTION/INSTRUMENT OR CONTROL PARAMETER REQUIRED NUMBER OF FUNCTIONS
: 1. Reactivity Control
: a. Boric Acid Pump controls 1 2. Reactor Coolant System (RCS) Pressure Control
: a. Pressurizer Pressure indications 1 b. Pressurizer Heater controls 1 3. Decay Heat Removal via Steam Generators (SGs)
: a. RCS T avg Temperature indication 1 loop b. AFW Pump and Valve controls 1 c. SG Pressure indication 1 d. SG Level (Wide Range) indication 1 e. SG Power Operated Relief Valve controls 1 f. AFW Discharge Header Pressure indication 1 g. Emergency Condensate Storage Tank Level indication 1 4. RCS Inventory Control
: a. Pressurizer Level indication 1 b. Charging Pump controls 1 c. Charging Flow control 1
North Anna Units 1 and 2B 3.3.5-1Revision 0 LOP EDG Start Instrumentation B 3.3.5 B 3.3  INSTRUMENTATIONB 3.3.5Loss of Power (LOP) Emergency Diesel Generator (EDG) Start Instrumentation BASES BACKGROUND The EDGs provide a source of emergency power when offsite
 
power is either unavailable or is insufficiently stable to
 
allow safe unit operation. Undervoltage protection will
 
generate an LOP start if a loss of voltage or degraded
 
voltage condition occurs on the emergency buses. There are
 
two required LOP start signals for each 4.16 kV emergency bus.Undervoltage relays are provided on each 4160 V Class 1E bus for detecting a loss of bus voltage or a sustained degraded
 
voltage condition. The relays are combined in a
 
two-out-of-three logic to generate a LOP signal. A loss of
 
voltage start of the EDG is initiated when the voltage is
 
less than 74% of rated voltage and lasts for approximately
 
2 seconds. A degraded voltage start of the EDG is produced when the voltage is less than 90% of rated voltage sustained for approximately 56 seconds. The time delay for the degraded voltage start signal is reduced to approximately
 
7.5 seconds with the presence of a Safety Injection signal for the H and J bus on this unit.
One 4160 VAC bus from the other unit is needed to support operation of each required Service Water (SW) pump, Main
 
Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency
 
Ventilation System (EVS) fan, Auxiliary Building central
 
exhaust fan, and Component Cooling Water (CC) pump. SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and
 
CC are shared systems.
The Allowable Value in conjunction with the trip setpoint
 
and LCO establishes the threshold for Engineered Safety
 
Features Actuation System (ESFAS) action to prevent
 
exceeding acceptable limits such that the consequences of
 
Design Basis Accidents (DBAs) will be acceptable. The
 
Allowable Value is considered a limiting value such that a
 
channel is OPERABLE if the setpoint is found not to exceed
 
the Allowable Value during the CHANNEL CALIBRATION. Note
 
that, although a channel is OPERABLE under these
 
circumstances, the setpoint must be left adjusted to within
 
the established calibration tolerance band of the setpoint (continued)
North Anna Units 1 and 2B 3.3.5-2Revision 0 LOP EDG Start Instrumentation B 3.3.5 BASES BACKGROUND (continued) in accordance with uncertainty assumptions stated in the
 
referenced setpoint methodology, (as-left-criteria) and
 
confirmed to be operating wi th the statistical allowances of the uncertainty terms assigned.
Allowable Values and LOP EDG Start Instrumentation Setpoints The trip setpoints are summarized in Reference
: 3. The selection of the Allowable Values is such that adequate
 
protection is provided when all sensor and processing time
 
delays are taken into account.
Setpoints adjusted consistent with the requirement of the
 
Allowable Value ensure that the consequences of accidents
 
will be acceptable, providing the unit is operated from
 
within the LCOs at the onset of the accident and that the
 
equipment functions as designed.
Allowable Values are specified for each Function in
 
SR 3.3.5.2. Nominal trip setpoints are also specified in the unit specific setpoint calculations and listed in the
 
Technical Requirements Manual (TRM) (Ref.
2). The trip setpoints are selected to ensure that the setpoint measured
 
by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measured
 
setpoint does not exceed the Allowable Value, the relay is
 
considered OPERABLE. Operation with a trip setpoint less
 
conservative than the nominal trip setpoint, but within the
 
Allowable Value, is acceptable provided that operation and
 
testing is consistent with the assumptions of the unit
 
specific setpoint calculation (Ref.
3).APPLICABLE
 
SAFETY ANALYSES The LOP EDG start instrumentation is required for the
 
Engineered Safety Features (ESF) Systems to function in any
 
accident with a loss of offsite power. Its design basis is
 
that of the ESFAS.Accident analyses credit the loading of the EDG based on the
 
loss of offsite power during a loss of coolant accident (LOCA). The actual EDG start has historically been
 
associated with the ESFAS actuation. The EDG loading has
 
been included in the delay time associated with each safety
 
system component requiring EDG supplied power following a
 
loss of offsite power. The analyses assume a non-mechanistic (continued)
LOP EDG Start Instrumentation B 3.3.5 BASESNorth Anna Units 1 and 2B 3.3.5-3Revision 0 APPLICABLE SAFETY ANALYSES (continued)
EDG loading, which does not explicitly account for each
 
individual component of loss of power detection and
 
subsequent actions.
The required channels of LOP EDG start instrumentation, in
 
conjunction with the ESF systems powered from the EDGs, provide unit protection in the event of any of the analyzed
 
accidents discussed in Reference 5, in which a loss of offsite power is assumed.
The delay times assumed in the safety analysis for the ESF
 
equipment include the 10 second EDG start delay, and the appropriate sequencing delay, if applicable. The response
 
times for ESFAS actuated equipment in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation,"
include the appropriate EDG loading and sequencing delay if
 
applicable.
The LOP EDG start instrumentation channels satisfy
 
Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO for LOP EDG start instrumentation requires that
 
three channels per bus of both the loss of voltage and
 
degraded voltage Functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP EDG start instrumentation supports safety systems associated with the ESFAS. This is associated
 
with the requirement of LCO 3.3.5.a for this unit's H and J buses. LCO 3.3.5.b specifies that for a required H and/or J bus on the other unit that is needed to support a required
 
shared component for this unit, the LOP EDG start
 
instrumentation for the required bus must be OPERABLE. The
 
other unit's required H and/or J bus are required to be OPERABLE to support the SW, MCR/ESGR EVS, Auxiliary Building central exhaust, and CC functions needed for this unit.
 
These Functions share components, pumps, or fans, which are
 
electrically powered from both units. A channel is OPERABLE with a trip setpoint value outside its calibration tolerance
 
band provided the trip setpoint "as-found" value does not
 
exceed its associated Allowable Value and provided the trip
 
setpoint "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the trip setpoint. A
 
trip setpoint may be set more conservative than the trip
 
setpoint specified in the TRM (Ref.
: 2) as necessary in response to unit conditions. In MODES 5 or 6, the three channels must be OPERABLE whenever the associated EDG is required to be OPERABLE to ensure that the automatic start of (continued)
North Anna Units 1 and 2B 3.3.5-4Revision 0 LOP EDG Start Instrumentation B 3.3.5 BASES LCO (continued) the EDG is available when needed. Loss of the LOP EDG Start
 
Instrumentation Function could result in the delay of safety
 
systems initiation when required. This could lead to
 
unacceptable consequences during accidents. During the loss
 
of offsite power the EDG powers the motor driven auxiliary
 
feedwater pumps. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased
 
potential for a loss of decay heat removal through the
 
secondary system.
APPLICABILITY The LOP EDG Start Instrumentation Functions are required in
 
MODES 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODE 5 or 6 is required whenever the required EDG must be OPERABLE so
 
that it can perform its function on a LOP or degraded power
 
to the emergency bus.
ACTIONS In the event a channel's trip setpoint is found
 
nonconservative with respect to the Allowable Value, or the
 
channel is found inoperable, then the function that channel
 
provides must be declared inoperable and the LCO Condition
 
entered for the particular protection function affected.
Because the required channels are specified on a per bus
 
basis, the Condition may be entered separately for each bus
 
as appropriate.
A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this
 
Specification may be entered independently for each Function
 
listed in the LCO and for each emergency bus. The Completion
 
Time(s) of the inoperable channel(s) of a Function will be
 
tracked separately for each Function starting from the time
 
the Condition was entered for that Function for the
 
associated emergency bus.
A.1 Condition A applies to the LOP EDG start Function with one loss of voltage or degraded voltage channel per bus
 
inoperable.
If one channel is inoperable, Required Action A.1 requires that channel to be placed in trip within 72 hours. A plant-specific risk assessment, consistent with Reference 4, (continued)
LOP EDG Start Instrumentation B 3.3.5 BASESNorth Anna Units 1 and 2B 3.3.5-5Revision 0 ACTIONS A.1 (continued) was performed to justify the 72 hour Completion Time. With a channel in trip, the LOP EDG start instrumentation channels
 
are configured to provide a one-out-of-two logic to initiate a trip of the incoming offsite power.
A Note is added to allow bypassing an inoperable channel for up to 12 hours for surveillance testing of other channels. A plant-specific risk assessment, consistent with Reference 4, was performed to justify the 12 hour time limit. This allowance is made where bypassing the channel does not cause
 
an actuation and where normally, excluding required testing, two other channels are monitoring that parameter.The specified Completion Time and time allowed for bypassing
 
one channel are reasonable considering the Function remains
 
fully OPERABLE on every bus and the low probability of an
 
event occurring during these intervals.
B.1 Condition B applies when more than one loss of voltage or more than one degraded voltage channel on an emergency bus is
 
inoperable.
Required Action B.1 requires restoring all but one channel to OPERABLE status. The 1 hour Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring
 
during this interval.
C.1 Condition C applies to each of the LOP EDG start Functions when the Required Action and associated Completion Time for
 
Condition A or B are not met.
In these circumstances the Conditions specified in
 
LCO 3.8.1, "AC Sources-Operating," or LCO 3.8.2, "AC Sources-Shutdown," for the EDG made inoperable by failure of
 
the LOP EDG start instrumentation are required to be entered
 
immediately. The actions of those LCOs provide for adequate
 
compensatory actions to assure unit safety.
North Anna Units 1 and 2B 3.3.5-6Revision 46 LOP EDG Start Instrumentation B 3.3.5 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.3.5.1 SR 3.3.5.1 is the performance of a TADOT for channels required by LCO 3.3.5.a and LCO 3.3.5.b. A successful test of the required contact(s) of a channel relay may be
 
performed by the verification of the change of state of a
 
single contact of the relay. This clarifies what is an
 
acceptable TADOT of a relay. This is acceptable because all
 
of the other required contacts of the relay are verified by
 
other Technical Specifications and non-Technical
 
Specifications tests at an 18 month frequency with
 
applicable extensions. The test checks trip devices that
 
provide actuation signals directly, bypassing the analog
 
process control equipment.
The SR is modified by a Note that excludes verification of
 
setpoints from the TADOT. Since this SR applies to the loss
 
of voltage and degraded voltage relays for the 4160 VAC emergency buses, setpoint verification requires elaborate
 
bench calibration and is accomplished during the CHANNEL
 
CALIBRATION. Each train or logic channel shall be
 
functionally tested up to and including input coil
 
continuity testing of the ESF slave relay. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
SR  3.3.5.2 SR 3.3.5.2 is the performance of a CHANNEL CALIBRATION for channels required by LCO 3.3.5.a and LCO 3.3.5.b.The setpoints, as well as the response to a loss of voltage
 
and a degraded voltage test, shall include a single point
 
verification that the trip occurs within the required time
 
delay, as shown in Reference 1.CHANNEL CALIBRATION is a complete check of the instrument
 
loop, including the sensor. The test verifies that the
 
channel responds to a measured parameter within the
 
necessary range and accuracy. The verification of degraded
 
voltage with a SI signal is not required by LCO 3.3.5.b.(continued)
LOP EDG Start Instrumentation B 3.3.5 BASESNorth Anna Units 1 and 2B 3.3.5-7Revision 46 SURVEILLANCE REQUIREMENTS SR  3.3.5.2 (continued)
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.3.5.3 This SR ensures the individual channel ESF RESPONSE TIMES
 
are less than or equal to the maximum values assumed in the
 
accident analysis for channels required by LCO 3.3.5.a and LCO 3.3.5.b. Response Time testing acceptance criteria are included in the TRM (Ref.
2).Individual component response times are not modeled in the
 
analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the
 
equipment in both trains reaches the required functional
 
state (e.g., pumps at rated discharge pressure, valves in
 
full open or closed position).
For channels that include dynamic transfer functions (e.g.,
lag, lead/lag, rate/lag, etc.), the response time test may be performed with the tra nsfer functions set to one with the resulting measured response time compared to the appropriate
 
TRM response time. Alternately, the response time test can
 
be performed with the time constants set to their nominal
 
value provided the required response time is analytically
 
calculated assuming the time constants are set at their
 
nominal values. The response time may be measured by a series
 
of overlapping tests such that the entire response time is
 
measured.Response time may be verified by actual response time test in
 
any series of sequential, overlapping or total channel
 
measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with
 
actual response time tests on the remainder of the channel.
Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each
 
channel.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.3.5-8Revision 46 LOP EDG Start Instrumentation B 3.3.5 BASES REFERENCES1.UFSAR, Section 8.3.2.Technical Requirements Manual.3.RTS/ESFAS Setpoint Methodology Study (Technical Report EE-0116).4.WCAP 14333-P-A, Rev.
1, October 1998.5.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.3.6-1Revision 39 MCR/ESGR Envelope Isolation Actuation Instrumentation B 3.3.6 B 3.3  INSTRUMENTATIONB 3.3.6Main Control Room/Emergency Switchgear Room (MCR/ESGR) Envelope Isolation Actuation Instrumentation BASES BACKGROUND The MCR/ESGR Envelope Isolation function provides a
 
protected environment from which operators can control the
 
unit following an uncontrolled release of radioactivity.
 
During normal operation, the MCR and Relay Room Air
 
Condition System provides unfiltered makeup air and cooling.
 
Upon receipt of an MCR/ESGR Envelope Isolation actuation
 
signal from either unit Safety Injection (SI), High
 
Radiation or manual, the Unit 1 and 2 control room normal ventilation intake and exhaust ducts are isolated to prevent
 
unfiltered makeup air from entering the control room. In
 
addition to MCR/ESGR envelope isolation, an SI signal also
 
automatically starts the affected units MCR/ESGR EVS fans to
 
provide filtered recirculated air within the MCR/ESGR
 
envelope. The Fuel Building High Radiation or manual
 
initiation starts both units' available EVS train fans in
 
the recirculation mode. Manual operator action is required
 
to align the MCR/ESGR EVS to provided filtered makeup air.
 
The MCR/ESGR EVS is described in the Bases for LCO 3.7.10, "Main Control Room/Emergency Switchgear Room Emergency
 
Ventilation System."
There are four independent and redundant trains of manual
 
actuation instrumentation for the MCR/ESGR Envelope
 
Isolation. Each manual actuation train consists of two
 
actuation switches (channels), and the interconnecting wiring to the actuation circuitry. Only one switch (channel)
 
per train and two of the four trains are required for the
 
system to maintain independence and redundancy.
The MCR/ESGR Envelope Isolation is actuated on a SI signal
 
from either unit, a Fuel building High Radiation signal or manual switches in the MCR. The Safety Injection Function is discussed in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation."
APPLICABLE
 
SAFETY ANALYSES The control room must be kept habitable for the operators
 
stationed there during accident recovery and post accident
 
operations. The MCR/ESGR Envelope Isolation actuation on a
 
SI signal acts to automatically terminate the supply of (continued)
North Anna Units 1 and 2B 3.3.6-2Revision 39 MCR/ESGR Envelope Isolation Actuation Instrumentation B 3.3.6 BASES APPLICABLE
 
SAFETY ANALYSES (continued) unfiltered outside air to the control room and initiate
 
filtration in the recirculation mode. Manual actions are
 
required to align the MCR/ESGR EVS to provide filtered make
 
up air to the MCR/ESGR envelope.
The safety analysis for a loss of coolant accident in
 
MODES 1-4 assumes automatic isolation of the MCR/ESGR envelope on a SI signal and manual initiation of filtered
 
outside air flow within 1 hour. No credit is taken for filtered recirculation or pressurization provided by the
 
MCR/ESGR EVS. The safety analysis for a fuel handling
 
accident (FHA) assumed manual isolation of the MCR/ESGR
 
envelope and manual initiation or positioning of the
 
MCR/ESGR EVS to supply filtered air flow within 1 hour. For the remaining design basis accidents, MCR/ESGR envelope
 
isolation is not assumed. Normal ventilation inflow with
 
500 cfm of additional unfiltered inleakage is assumed.
The accident analysis assumes normal ventilation during a toxic gas or smoke incident.
The MCR/ESGR envelope isolation is not required to mitigate the consequences of these
 
events.The MCR/ESGR EVS actuation instrumentation satisfies
 
Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO requirements ensure that instrumentation necessary
 
to initiate isolation of the MCR/ESGR envelope is OPERABLE.1.Manual Initiation The LCO requires one channel per train and two trains
 
OPERABLE. The operator can initiate the MCR/ESGR
 
isolation at any time by using any one of the two switches in a train from the control room. This action
 
will cause actuation of components in the same manner
 
as the automatic actuation signal.
The LCO for Manual Initiation ensures the proper
 
amount of redundancy is maintained in the manual
 
actuation circuitry to ensure the operator has manual
 
initiation capability.Each train consists of two switches (channels) and the interconnecting wiring to the actuation circuitry.
MCR/ESGR Envelope Isolation Actuation Instrumentation B 3.3.6 BASESNorth Anna Units 1 and 2B 3.3.6-3Revision 39 LCO (continued)2.Safety Injection Refer to LCO
 
====3.3.2 Function====
1 for all initiating Functions and requirements.
APPLICABILITY The MCR/ESGR Envelope Isolation Functions must be operable
 
in MODES 1, 2, 3, and 4 and during the movement of recently irradiated fuel assemblies to provide the required MCR/ESGR
 
envelope isolation initiation assumed in the applicable
 
safety analyses. In MODES 5 and 6, when no fuel movement involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous
 
300 hours) is taking place, there are no requirements for MCR/ESGR EVS instrumentation OPERABILITY consistent with the safety analyses assumptions applicable in these MODES.
In addition, the manual channels are required OPERABLE when
 
moving recently irradiated fuel.
ACTIONSA Note has been added to the ACTIONS indicating that separate Condition entry is allowed for each Function. The Conditions of this Specification may be entered independently for each
 
Function listed in Table 3.3.6-1 in the accompanying LCO.
The Completion Time(s) of the inoperable train(s) of a
 
Function will be tracked separately for each Function
 
starting from the time the Condition was entered for that
 
Function A.1.A.1 Condition A applies to the Manual Function of the MCR/ESGR EVS.If one train is inoperable, in one or more Functions, 7 days are permitted to restore it to OPERABLE status. The 7 day Completion Time is the same as is allowed if one train of the MCR/ESGR EVS is inoperable. The basis for this Completion
 
Time is the same as provided in LCO 3.7.10. If the train cannot be restored to OPERABLE status, the normal
 
ventilation to the MCR/ESGR envelope must be isolated. This
 
accomplishes the actuation instrumentation Function and
 
places the unit in a conservative mode of operation.
North Anna Units 1 and 2B 3.3.6-4Revision 39 MCR/ESGR Envelope Isolation Actuation Instrumentation B 3.3.6 BASES ACTIONS (continued)
B.1 Condition B applies to the failure of two MCR/ESGR Envelope Isolation actuation trains, or two manual trains. The
 
Required Action is to isolate the normal ventilation to the
 
MCR/ESGR envelope immediately. This accomplishes the
 
actuation instrumentation Function that may have been lost
 
and places the unit in a conservative mode of operation.
C.1 and C.2 Condition C applies when the Required Action and associated Completion Time for Condition A or B have not been met and the unit is in MODE 1, 2, 3, or
: 4. The unit must be brought to a MODE in which the LCO requirements are not applicable.
 
To achieve this status, the unit must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating
 
experience, to reach the required unit conditions from full
 
power conditions in an orderly manner and without
 
challenging unit systems.
D.1 and D.2 Condition D applies when the Required Action and associated Completion Time for Condition A or B have not been met when recently irradiated fuel assemblies are being moved. Either
 
the normal ventilation to MCR/ESGR envelope must be isolated
 
or movement of recently irradiated fuel assemblies must be
 
suspended immediately to reduce the risk of accidents that
 
would require MCR/ESGR Envelope Isolation actuation.
MCR/ESGR Envelope Isolation Actuation Instrumentation B 3.3.6 BASESNorth Anna Units 1 and 2B 3.3.6-5Revision 46 SURVEILLANCE REQUIREMENTS A Note has been added to the SR Table to clarify that
 
Table 3.3.6-1 determines which SRs apply to which MCR/ESGR Envelope Isolation Actuation Functions.
SR  3.3.6.1 SR 3.3.6.1 is the performance of a TADOT. This test is a check of the Manual Actuation Functions. Each Manual
 
Actuation Function is tested up to, and including, the
 
master relay coils. A successful test of the required
 
contact(s) of a channel relay may be performed by the
 
verification of the change of state of a single contact of
 
the relay. This clarifies what is an acceptable TADOT of a
 
relay. This is acceptable because all of the other required
 
contacts of the relay are verified by other Technical
 
Specifications and non-Technical Specifications tests at
 
least once per refueling interval with applicable
 
extensions. In some instances, the test includes actuation
 
of the end device (i.e., pump starts, valve cycles, etc.).
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
The SR is modified by a Note that excludes verification of
 
setpoints during the TADOT. The Functions tested have no
 
setpoints associated with them.
REFERENCES None Intentionally Blank North Anna Units 1 and 2B 3.4.1-1Revision 0 RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.1RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits BASES BACKGROUND These Bases address requirements for maintaining RCS
 
pressure, temperature, and flow rate within limits assumed
 
in the safety analyses. The safety analyses (Ref.
: 1) of normal operating conditions and anticipated operational
 
occurrences assume initial conditions within the normal
 
steady state envelope. The limits placed on RCS pressure, temperature, and flow rate ensure that the minimum departure from nucleate boiling ratio (DNBR) will be met for each of
 
the transients analyzed.
The RCS pressure limit is consistent with operation within
 
the nominal operational envelope. Pressurizer pressure indications are compared to the limit. A lower pressure will cause the reactor core to approach DNB limits.The RCS coolant average temperature limit is consistent with
 
full power operation within the nominal operational
 
envelope. RCS loop average temperature is compared to the
 
limit. A higher average temperature will cause the core to
 
approach DNB limits.
The RCS flow rate normally remains constant during an
 
operational fuel cycle with all pumps running. The minimum
 
RCS flow limit corresponds to that assumed for DNB analyses.
 
Flow rate indications are averaged to come up with a value for comparison to the limit. A lower RCS flow will cause the
 
core to approach DNB limits.
Operation for significant periods of time outside these DNB
 
limits increases the likelihood of a fuel cladding failure
 
in a DNB limited event.
APPLICABLE
 
SAFETY ANALYSES The requirements of this LCO represent the initial
 
conditions for DNB limited transients analyzed in the unit
 
safety analyses (Ref.
1). The safety analyses have shown that transients initiated from the limits of this LCO will
 
result in meeting the DNBR criterion. The limits on the DNB
 
related parameters assure that each of the parameters are
 
maintained within the normal steady state envelope of (continued)
North Anna Units 1 and 2B 3.4.1-2Revision 0 RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES APPLICABLE
 
SAFETY ANALYSES (continued) operation assumed in the transient and accident analysis.
 
The limits have been analytically demonstrated to be
 
adequate to maintain a minimum DNBR greater than the design
 
limit throughout each analyzed transient including
 
allowances for measurement uncertainties. Changes to the
 
unit that could impact these parameters must be assessed for
 
their impact on the DNBR criteria. The transients analyzed for include loss of coolant flow events and dropped or stuck
 
rod events. A key assumption for the analysis of these events is that the core power distribution is within the limits of
 
LCO 3.1.6, "Control Bank Insertion Limits"; LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)"; and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."
The pressurizer pressure limit and RCS average temperature
 
limit specified in the COLR equal the analytical limits
 
because of the application of statistical combination of
 
uncertainty.
The RCS DNB parameters satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO specifies limits on the monitored process
 
variables-pressurizer pressure, RCS average temperature, and
 
RCS total flow rate-to ensure the core operates within the
 
limits assumed in the safety analyses. These variables are
 
contained in the COLR to provide operating and analysis
 
flexibility from cycle to cycle. However, the minimum RCS
 
flow, usually based on the maximum analyzed steam generator
 
tube plugging, is retained in the LCO. Operating within
 
these limits will result in meeting the DNBR criterion in the
 
event of a DNB limited transient.
The numerical values for pressure, temperature, and flow
 
rate specified in the COLR are given for the measurement
 
location have been adjusted for instrument error.
APPLICABILITY In MODE 1, the limits on pressurizer pressure, RCS coolant average temperature, and RCS flow rate must be maintained
 
during steady state operation in order to ensure DNBR
 
criteria will be met in the event of an unplanned loss of
 
forced coolant flow or other DNB limited transient. The (continued)
RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASESNorth Anna Units 1 and 2B 3.4.1-3Revision 0 APPLICABILITY (continued)design basis events that are sensitive to DNB in other MODES (MODE 2 through 5) have sufficient margin to DNB, and therefore, there is no reason to restrict DNB in these MODES.
A Note has been added to indicate the limit on pressurizer
 
pressure is not applicable during short term operational
 
transients such as a THERMAL POWER ramp increase >
5% RTP per minute or a THERMAL POWER step increase >
10% RTP. These conditions represent short term perturbations where actions
 
to control pressure variations might be counterproductive.
 
Also, since they represent transients initiated from power
 
levels < 100% RTP, an increased DNBR margin exists to offset the temporary pressure variations.
The DNBR limit is provided in SL 2.1.1, "Reactor Core SLs."
The conditions which define the DNBR limit are less
 
restrictive than the limits of this LCO, but violation of a
 
Safety Limit (SL) merits a stricter, more severe Required
 
Action. Should a violation of this LCO occur, the operator
 
must check whether or not an SL may have been exceeded.
ACTIONS A.1 RCS pressure and RCS average temperature are controllable
 
and measurable parameters. With one or both of these
 
parameters not within LCO limits, action must be taken to
 
restore parameter(s).
RCS total flow rate is not a controllable parameter and is
 
not expected to vary during steady state operation. If the
 
indicated RCS total flow rate is below the LCO limit, power
 
must be reduced, as required by Required Action B.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds.
The 2 hour Completion Time fo r restoration of the parameters provides sufficient time to adjust unit parameters, to
 
determine the cause for the off normal condition, and to
 
restore the readings within limits, and is based on unit
 
operating experience.
North Anna Units 1 and 2B 3.4.1-4Revision 46 RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES ACTIONS (continued)
B.1 If Required Action A.1 is not met within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours. In MODE 2, the reduced power condition eliminates the potential for
 
violation of the accident analysis bounds. The Completion
 
Time of 6 hours is reasonable to reach the required unit conditions in an orderly manner.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.1.1 The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.4.1.2 The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.4.1.3 The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASESNorth Anna Units 1 and 2B 3.4.1-5Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.4.1.4 Measurement of RCS total flow rate by performance of a
 
precision calorimetric heat balance allows the installed RCS
 
flow instrumentation to be calibrated and verifies the actual RCS flow rate is greater than or equal to the minimum
 
required RCS flow rate.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.This SR is modified by a Note that allows entry into MODE 1, without having performed the SR, and placement of the unit in
 
the best condition for performing the SR. The Note states
 
that the SR is not required to be performed until 30 days after  90% RTP. The 30 day period after reaching 90% RTP is reasonable to establish stable operating conditions, install the test equipment, perform the test, and analyze the
 
results. The Surveillance shall be performed within 30 days after reaching 90% RTP.
REFERENCES1.UFSAR, Chapter
: 15.
Intentionally Blank North Anna Units 1 and 2B 3.4.2-1Revision 0 RCS Minimum Temperature for Criticality B 3.4.2 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.2RCS Minimum Temperature for Criticality BASES BACKGROUND This LCO is based upon meeting several major considerations
 
before the reactor can be made critical and while the reactor
 
is critical.
The first consideration is moderator temperature coefficient (MTC), LCO 3.1.3, "Moderator Temperature Coefficient (MTC)." In the transient and accident analyses, the MTC is assumed to
 
be in a range from slightly positive to negative and the
 
operating temperature is assumed to be within the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the unit is
 
operated consistent with these assumptions.
The second consideration is the protective instrumentation.
 
Because certain protective instrumentation (e.g., excore
 
neutron detectors) can be affected by moderator temperature, a temperature value within the nominal operating envelope is chosen to ensure proper indication and response while the
 
reactor is critical.
The third consideration is the pressurizer operating
 
characteristics. The transient and accident analyses assume
 
that the pressurizer is within its normal startup and
 
operating range (i.e., saturated conditions and steam bubble
 
present). It is also assumed that the RCS temperature is
 
within its normal expected range for startup and power
 
operation. Since the density of the water, and hence the
 
response of the pressurizer to transients, depends upon the
 
initial temperature of the moderator, a minimum value for
 
moderator temperature within the nominal operating envelope
 
is chosen.
The fourth consideration is that the reactor vessel is above
 
its minimum nil ductility reference temperature when the
 
reactor is critical.
APPLICABLE
 
SAFETY ANALYSES Although the RCS minimum temperature for criticality is not
 
itself an initial condition assumed in Design Basis
 
Accidents (DBAs), the closely aligned temperature for hot
 
zero power (HZP) is a process variable that is an initial (continued)
North Anna Units 1 and 2B 3.4.2-2Revision 0 RCS Minimum Temperature for Criticality B 3.4.2 BASES APPLICABLE
 
SAFETY ANALYSES (continued) condition of DBAs, such as the rod cluster control assembly (RCCA) withdrawal from subcritical, RCCA ejection, boron
 
dilution at startup, feedwater malfunction, main steam
 
system depressurization, and main steam line break accidents
 
performed at zero power that either assumes the failure of, or presents a challenge to, the integrity of a fission
 
product barrier.
All low power safety analyses assume initial RCS loop
 
temperatures  the HZP temperature of 547
&deg;F. The minimum temperature for criticality limitation provides a small
 
band, 6&deg;F, for critical operation below HZP. This band allows critical operation below HZP during unit startup and does not adversely affect any safety analyses since the MTC is not
 
significantly affected by the small temperature difference
 
between HZP and the minimum temperature for criticality.
The RCS minimum temperature for criticality satisfies
 
Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO Compliance with the LCO ensures that the reactor will not be
 
made or maintained critical (k eff  1.0) at a temperature less than a small band below the HZP temperature, which is
 
assumed in the safety analysis. Failure to meet the
 
requirements of this LCO may produce initial conditions
 
inconsistent with the initial conditions assumed in the
 
safety analysis.
APPLICABILITY In MODE 1 and MODE 2 with k eff  1.0, LCO 3.4.2 is applicable since the reactor can only be critical (k eff  1.0) in these MODES.The special test exception of LCO 3.1.9, "MODE 2 PHYSICS TESTS Exceptions," permits PHYSICS TESTS to be performed at 5% RTP with RCS loop average temperatures slightly lower than normally allowed so that fundamental nuclear
 
characteristics of the core can be verified. In order for
 
nuclear characteristics to be accurately measured, it may be
 
necessary to operate ou tside the normal restrictions of this LCO. For example, to measure the MTC at beginning of cycle, it is necessary to allow RCS loop average temperatures to
 
fall below T no load , which may cause RCS loop average temperatures to fall below the temperature limit of this
 
LCO.
RCS Minimum Temperature for Criticality B 3.4.2 BASESNorth Anna Units 1 and 2B 3.4.2-3Revision 46 ACTIONS A.1 If the parameters that are outside the limit cannot be restored, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be
 
brought to MODE 2 with k eff < 1.0 within 30 minutes. Rapid reactor shutdown can be readily and practically achieved
 
within a 30 minute period. The allowed time is reasonable, based on operating experience, to reach MODE 2 with k eff < 1.0 in an orderly manner and without challenging unit systems.SURVEILLANCE
 
REQUIREMENTS SR  3.4.2.1RCS loop average temperature is required to be verified at or above 541&deg;F. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
REFERENCES None.
Intentionally Blank North Anna Units 1 and 2B 3.4.3-1Revision 0 RCS P/T Limits B 3.4.3 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.3RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects
 
of cyclic loads due to system pressure and temperature
 
changes. These loads are introduced by startup (heatup) and
 
shutdown (cooldown) operations, power transients, and
 
reactor trips. This LCO limits the pressure and temperature
 
changes during RCS heatup and cooldown, within the design
 
assumptions and the stress limits for cyclic operation.
This LCO contains P/T limit curves for heatup, cooldown, inservice leak and hydrostatic (ISLH) testing, and data for
 
the maximum rate of change of reactor coolant temperature.
Each P/T limit curve defines an acceptable region for normal
 
operation. The usual use of the curves is operational
 
guidance during heatup or cooldown maneuvering, when
 
pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.
The LCO establishes operating limits that provide a margin
 
to brittle failure of the reactor vessel and piping of the
 
reactor coolant pressure boundary (RCPB). The vessel is the
 
component most subject to brittle failure, and the LCO
 
limits apply mainly to the vessel. The limits do not apply to
 
the pressurizer, which has different design characteristics
 
and operating functions.
10 CFR 50, Appendix G (Ref. 1), requires the establishment of P/T limits for specific material fracture toughness
 
requirements of the RCPB materials. Reference 1 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic
 
tests. It mandates the use of the American Society of
 
Mechanical Engineers (ASME) Code, Section III, Appendix G (Ref. 2).The neutron embrittlement effect on the material toughness
 
is reflected by increasing the nil ductility reference
 
temperature (RT NDT) as exposure to neutron fluence increases.(continued)
North Anna Units 1 and 2B 3.4.3-2Revision 0 RCS P/T Limits B 3.4.3 BASES BACKGROUND (continued)
The actual shift in the RT NDT of the vessel material is established periodically by removing and evaluating the
 
irradiated reactor vessel material specimens, in accordance
 
with ASTM E 185 (Ref. 3) and Appendix H of 10 CFR 50 (Ref. 4). The operating P/T limit curves are adjusted, as necessary, based on the evaluation findings and the
 
recommendations of Regulatory Guide 1.99 (Ref.
5).The P/T limit curves are calculated using the most limiting
 
value of RT NDT corresponding to the limiting beltline region material for the reactor vessel.
The heatup curve represents a different set of restrictions
 
than the cooldown curve because the directions of the
 
thermal gradients through the vessel wall are reversed. The
 
thermal gradient reversal alters the location of the tensile
 
stress between the outer and inner walls.
The consequence of violating the LCO limits is that the RCS
 
has been operated under conditions that can result in
 
brittle failure of the RCPB, possibly leading to a
 
nonisolable leak or loss of coolant accident. In the event
 
these limits are exceeded, an evaluation must be performed
 
to determine the effect on the structural integrity of the
 
RCPB components. The ASME Code, Section XI, Appendix E (Ref. 6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the
 
limits.APPLICABLE
 
SAFETY ANALYSES The P/T limits are not derived from Design Basis Accident (DBA) analyses. They are prescribed during normal operation
 
to avoid encountering pressure, temperatur e, and temperature rate of change conditions that might cause undetected flaws
 
to propagate and cause nonductile failure of the RCPB, an
 
unanalyzed condition. Although the P/T limits are not
 
derived from any DBA, the P/T limits are acceptance limits
 
since they preclude operation in an unanalyzed condition.
RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
RCS P/T Limits B 3.4.3 BASESNorth Anna Units 1 and 2B 3.4.3-3Revision 20 LCO The two elements of this LCO are:a.The limit curves for heatup, cooldown, and ISLH testing; andb.Limits on the rate of change of temperature.
The LCO limits apply to all components of the RCS, except the
 
pressurizer. These limits define allowable operating regions
 
and permit a large number of operating cycles while
 
providing a wide margin to nonductile failure.The limits for the rate of change of temperature control the
 
thermal gradient through the vessel wall and are used as
 
inputs for calculating the heatup, cooldown, and ISLH
 
testing P/T limit curves. Thus, the LCO for the rate of
 
change of temperature restricts stresses caused by thermal
 
gradients and also ensures the validity of the P/T limit
 
curves.The reactor vessel beltline is the most limiting region of
 
the reactor vessel for the determination of P/T limit
 
curves. The P/T curves include a correction for the
 
difference between the pressure at the point of measurement (hot leg or pressurizer) and the reactor vessel beltline.
 
The P/T limits include instrument uncertainties for pressure
 
and temperature.
Violating the LCO limits places the reactor vessel outside
 
of the bounds of the stress analyses and can increase
 
stresses in other RCPB components. The consequences depend
 
on several factors, as follow:a.The severity of the departure from the allowable operating P/T regime or the severity of the rate of change
 
of temperature;b.The length of time the limits were violated (longer violations allow the temperature gradient in the thick
 
vessel walls to become more pronounced); andc.The existences, sizes, and orientations of flaws in the vessel material.
North Anna Units 1 and 2B 3.4.3-4Revision 0 RCS P/T Limits B 3.4.3 BASES APPLICABILITY The RCS P/T limits LCO provides a definition of acceptable operation for prevention of nonductile failure in accordance
 
with 10 CFR 50, Appendix G (Ref. 1). Although the P/T limits were developed to provide guidance for operation during
 
heatup or cooldown (MODES 3, 4, and 5) or ISLH testing, their Applicability is at all times in keeping with the
 
concern for nonductile failure. The limits do not apply to
 
the pressurizer.
During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can
 
supplement these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)
 
Limits"; LCO 3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit 2.1, "Safety Limits," also provide operational restrictions for pressure and
 
temperature and maximum pressure. Furthermore, MODES 1 and 2 are above the temperature range of concern for nonductile
 
failure, and stress analyses have been performed for normal
 
maneuvering profiles, such as power ascension or descent.
ACTIONS A.1 and A.2 Operation outside the P/T limits during MODE 1, 2, 3, or 4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.
The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most
 
violations will not be severe, and the activity can be
 
accomplished in this time in a controlled manner.
Besides restoring operation within limits, an evaluation is
 
required to determine if RCS operation can continue. The
 
evaluation must verify the RCPB integrity remains acceptable
 
and must be completed before continuing operation. Several
 
methods may be used, including comparison with pre-analyzed
 
transients in the stress analyses, new analyses, or
 
inspection of the components.
ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to
 
evaluation of the vessel beltline.(continued)
RCS P/T Limits B 3.4.3 BASESNorth Anna Units 1 and 2B 3.4.3-5Revision 0 ACTIONS A.1 and A.2 (continued)
The 72 hour Completion Time is reasonable to accomplish the evaluation. The evaluation for a mild violation is possible
 
within this time, but more severe violations may require
 
special, event specific stress analyses or inspections. A
 
favorable evaluation must be completed before continuing to
 
operate.Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the
 
evaluation of the effects of the excursion outside the
 
allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may
 
have occurred and may have affected the RCPB integrity.
B.1 and B.2 If a Required Action and associated Completion Time of
 
Condition A are not met, the unit must be placed in a lower MODE because either the RCS remained in an unacceptable P/T
 
region for an extended period of increased stress or a
 
sufficiently severe event caused entry into an unacceptable
 
region. Either possibility indicates a need for more careful
 
examination of the event, best accomplished with the RCS at
 
reduced pressure and temperature. In reduced pressure and
 
temperature conditions, the possibility of propagation with
 
undetected flaws is decreased.
If the required restoration activity cannot be accomplished
 
within 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.
If the required evaluation fo r continued operation cannot be accomplished within 72 hours or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Action B.1 and Required Action B.2. A favorable evaluation must be completed and documented before returning to operating
 
pressure and temperature conditions.Pressure and temperature are reduc ed by bringing the unit to MODE 3 within 6 hours and to MODE 5 with RCS pressure
< 500 psig within 36 hours.(continued)
North Anna Units 1 and 2B 3.4.3-6Revision 0 RCS P/T Limits B 3.4.3 BASES ACTIONS B.1 and B.2 (continued)
The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems.
C.1 and C.2 Actions must be initiated immediately to correct operation
 
outside of the P/T limits at times other than when in MODE 1, 2, 3, or 4, so that the RCPB is returned to a condition that has been verified by stress analysis.
The immediate Completion Time reflects the urgency of
 
initiating action to restore the parameters to within the
 
analyzed range. Most violations will not be severe, and the
 
activity can be accomplished in this time in a controlled
 
manner.Besides restoring operation within limits, an evaluation is
 
required to determine if RCS operation can continue. The
 
evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE
: 4. Several methods may be used, including comparison with
 
pre-analyzed transients in the stress analyses, or
 
inspection of the components.
ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to
 
evaluation of the vessel beltline.
Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the
 
evaluation of the effects of the excursion outside the
 
allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may
 
have occurred and may have affected the RCPB integrity.
RCS P/T Limits B 3.4.3 BASESNorth Anna Units 1 and 2B 3.4.3-7Revision 46 SURVEILLANCE REQUIREMENTS SR  3.4.3.1 Verification that operation is within limits is required
 
when RCS pressure and temperature conditions are undergoing
 
planned changes. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.Surveillance for heatup, cooldown, or ISLH testing may be
 
discontinued when the definition given in the relevant unit
 
procedure for ending the activity is satisfied.
This SR is modified by a Note that only requires this SR to
 
be performed during system heatup, cooldown, and ISLH
 
testing. No SR is given for criticality operations because
 
LCO 3.4.2 contains a more restrictive requirement.
REFERENCES1.10 CFR 50, Appendix G.2.ASME, Boiler and Pressure Vessel Code, Section III, Appendix G.3.ASTM E 185.4.10 CFR 50, Appendix H.5.Regulatory Guide 1.99, Revision 2, May 1988.6.ASME, Boiler and Pressure Vessel Code, Section XI, Appendix E.
Intentionally Blank North Anna Units 1 and 2B 3.4.4-1Revision 0 RCS Loops-MODES 1 and 2 B 3.4.4 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.4RCS Loops-MODES 1 and 2 BASES BACKGROUND The primary function of the RCS is removal of the heat
 
generated in the fuel due to the fission process, and transfer of this heat, via the steam generators (SGs), to the secondary plant.
The secondary functions of the RCS include:a.Moderating the neutron energy level to the thermal state, to increase the probability of fission;b.Improving the neutron economy by acting as a reflector;c.Carrying the soluble neutron poison, boric acid;d.Providing a second barrier against fission product release to the environment; ande.Removing the heat generated in the fuel due to fission product decay following a unit shutdown.
The reactor coolant is circulated through three loops connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow and
 
temperature instrumentation for both contro l and protection.
The reactor vessel contains the clad fuel. The SGs provide
 
the heat sink to the isolated secondary coolant. The RCPs
 
circulate the coolant through the reacto r vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent
 
fuel damage. This forced circulation of the reactor coolant
 
ensures mixing of the coolant for proper boration and
 
chemistry control.
APPLICABLE
 
SAFETY ANALYSES Safety analyses contain various assumptions for the design
 
bases accident initial conditions including RCS pressure, RCS temperature, reactor power level, core parameters, and
 
safety system setpoints. The important aspect for this LCO
 
is the reactor coolant forced flow rate, which is
 
represented by the number of RCS loops in service.(continued)
North Anna Units 1 and 2B 3.4.4-2Revision 28 RCS Loops-MODES 1 and 2 B 3.4.4 BASES APPLICABLE
 
SAFETY ANALYSES (continued)Both transient and steady state analyses have been performed to establish the effect of flow on the departure from
 
nucleate boiling (DNB). The transient and accident analyses
 
for the unit have been performed assuming three RCS loops are
 
in operation. The majority of the unit safety analyses are
 
based on initial conditions at high core power or zero power.
 
The accident analyses that are most important to RCP
 
operation are the complete loss of forced reactor flow, single reactor coolant pump locked rotor, partial loss of
 
forced reactor flow, and rod withdrawal events (Ref.
1).The DNB analyses assume normal three loop operation.
 
Uncertainties in key unit operating parameters, nuclear and
 
thermal parameters, and fuel fabrication parameters are
 
considered statistically such that there is at least a 95
 
percent probability that DNB will not occur for the limiting power rod. Key unit parameter uncertainties are used to
 
determine the unit departure from nucleate boiling ratio (DNBR) uncertainty. This DNBR uncertainty, combined with the
 
DNBR limit, establishes a design DNBR value which must be met in unit safety analyses and is used to determine the pressure
 
and temperature Safety Limit (SL). Since the parameter
 
uncertainties are considered in determining the design DNBR
 
value, the unit safety analyses are performed using values
 
of input parameters without uncertainties. Therefore, nominal operating values for reactor coolant flow are used
 
in the accident analyses.
The unit is designed to operate with all RCS loops in operation to maintain DNBR above the limit during all normal
 
operations and anticipated transients. By ensuring heat
 
transfer in the nucleate boiling region, adequate heat
 
transfer is provided between the fuel cladding and the
 
reactor coolant.
RCS Loops-MODES 1 and 2 satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The purpose of this LCO is to require an adequate forced flow rate for core heat removal. Flow is represented by the number of RCPs in operation for removal of heat by the SGs. To meet safety analysis acceptance criteria for DNBR, three pumps
 
are required at rated power.
An OPERABLE RCS loop consists of an OPERABLE RCP in operation
 
providing forced flow for heat transport and an OPERABLE SG.
RCS Loops-MODES 1 and 2 B 3.4.4 BASESNorth Anna Units 1 and 2B 3.4.4-3Revision 46 APPLICABILITY In MODES 1 and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure
 
that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in operation in these MODES to prevent DNB and core damage.
The decay heat production rate is much lower than the full
 
power heat rate. As such, the forced circulation flow and
 
heat sink requirements are reduced for lower, noncritical
 
MODES as indicated by the LCOs for MODES 3, 4, and 5.Operation in other MODES is covered by:
LCO 3.4.5, "RCS Loops-MODE 3"; LCO 3.4.6, "RCS Loops-MODE 4"; LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";
LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).ACTIONS A.1 If the requirements of the LCO are not met, the Required
 
Action is to reduce power and bring the unit to MODE
: 3. This lowers power level and thus reduces the core heat removal
 
needs and minimizes the possibility of violating DNBR
 
limits.The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging
 
safety systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.4.1 This SR requires verification that each RCS loop is in
 
operation. Verification includes flow rate, temperature, or
 
pump status monitoring, which help ensure that forced flow
 
is providing heat removal while maintaining the margin to
 
the DNBR limit. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.4.4-4Revision 0 RCS Loops-MODES 1 and 2 B 3.4.4 BASES REFERENCES1.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.4.5-1Revision 0 RCS Loops-MODE 3 B 3.4.5 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.5RCS Loops-MODE 3 BASES BACKGROUND In MODE 3, the primary function of the reactor coolant is removal of decay heat and transfer of this heat, via the
 
steam generator (SG), to the secondary plant fluid. The
 
secondary function of the reactor coolant is to act as a
 
carrier for soluble neutron poison, boric acid.
The reactor coolant is circulated through three RCS loops, connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for
 
control, protection, and indication. The reactor vessel
 
contains the clad fuel. The SGs provide the heat sink. The
 
RCPs circulate the water through the reactor vessel and SGs
 
at a sufficient rate to ensure proper heat transfer and
 
prevent fuel damage.
In MODE 3, RCPs are used to provide forced circulation for heat removal during heatup and cooldown. The MODE 3 decay heat removal requirements are low enough that a single RCS loop with one RCP running is sufficient to remove core decay
 
heat. However, two RCS loops are required to be OPERABLE to
 
ensure redundant capability for decay heat removal.
APPLICABLE
 
SAFETY ANALYSES Whenever the reactor trip breakers (RTBs) are in the closed
 
position and the control rod drive mechanisms (CRDMs) are
 
energized, an inadvertent rod withdrawal from subcritical, resulting in a power excursion, is possible. Such a
 
transient could be caused by a malfunction of the rod control system.Therefore, in MODE 3 with RTBs in the closed position and Rod Control System capable of rod withdrawal, accidental control
 
rod withdrawal from subcritical is postulated and requires
 
at least one RCS loop to be OPERABLE and in operation to
 
ensure that the accident analyses limits are met.
Failure to provide decay heat removal may result in
 
challenges to a fission product barrier. The RCS loops are
 
part of the primary success path that functions or actuates (continued)
North Anna Units 1 and 2B 3.4.5-2Revision 0 RCS Loops-MODE 3 B 3.4.5 BASES APPLICABLE
 
SAFETY ANALYSES (continued) to prevent or mitigate a Design Basis Accident or transient
 
that either assumes the failure of, or presents a challenge
 
to, the integrity of a fission product barrier.
RCS Loops-MODE 3 satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The purpose of this LCO is to require that at least two RCS
 
loops be OPERABLE and one of those loops be in operation. One RCS loop in operation is necessary to ensure removal of decay
 
heat from the core and homogenous boron concentration
 
throughout the RCS. An a dditional RCS loop is required to be OPERABLE to ensure redundant capability for decay heat
 
removal.The Note permits all RCPs to be removed from operation for 1 hour per 8 hour period. The purpose of the Note is to permit pump swap operations and tests that are designed to
 
validate various accident analyses values. One of these
 
tests is validation of the pump coastdown curve used as input
 
to a number of accident analyses including a loss of flow
 
accident. This test is generally performed in MODE 3 during the initial startup testing program, and as such should only be performed once. If, however, changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values of the coastdown curve may be
 
revalidated by conducting the test again. Another test that
 
may be performed during the startup testing program is the
 
validation of rod drop times during cold conditions, both
 
with and without flow.
The no flow test may be performed in MODE 3, 4, or 5 and requires that the pumps be stopped for a short period of
 
time. The Note permits the stopping of the pumps in order to
 
perform this test and validate the assumed analysis values.
 
As with the validation of the pump coastdown curve, this test
 
should be performed only once unless the flow
 
characteristics of the RCS are changed. The 1 hour time period specified is adequate to perform the pump swap or the desired tests, and oper ating experience has shown that boron stratification is not a problem during this short period
 
with no forced flow.(continued)
RCS Loops-MODE 3 B 3.4.5 BASESNorth Anna Units 1 and 2B 3.4.5-3Revision 28 LCO (continued)
Utilization of the Note is permitted provided the following conditions are met, along with any other conditions imposed
 
by initial startup test procedures:a.No operations are permitted that would dilute the RCS boron concentration with coolant at boron concentrations
 
less than required to ensure the SDM of LCO 3.1.1, thereby maintaining the margin to criticality. Boron
 
reduction with coolant at boron concentrations less than
 
required to assure the SDM is maintained is prohibited
 
because a uniform concentration distribution throughout
 
the RCS cannot be ensured when in natural circulation;
 
andb.Core outlet temperature is maintained at least 10
&deg;F below saturation temperature, so that no vapor bubble may form
 
and possibly cause a natural circulation flow
 
obstruction.
An OPERABLE RCS loop consists of one OPERABLE RCP and one
 
OPERABLE SG, which has the minimum water level specified in
 
SR 3.4.5.2. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.
APPLICABILITY In MODE 3, this LCO ensures forced circulation of the reactor coolant to remove decay heat from the core and to
 
provide proper boron mixing.
Operation in other MODES is covered by:
LCO 3.4.4, "RCS Loops-MODES 1 and 2"; LCO 3.4.6, "RCS Loops-MODE 4"; LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";
LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).ACTIONS A.1 If one required RCS loop is inoperable, redundancy for heat
 
removal is lost. The Required Action is restoration of the
 
required RCS loop to OPERABLE status within the Completion (continued)
North Anna Units 1 and 2B 3.4.5-4Revision 28 RCS Loops-MODE 3 B 3.4.5 BASES ACTIONS A.1 (continued)
Time of 72 hours. This time allowance is a justified period to be without the redundant, nonoperating loop because a
 
single loop in operation has a heat transfer capability
 
greater than that needed to remove the decay heat produced in
 
the reactor core and because of the low probability of a
 
failure in the remaining loop occurring during this period.
B.1 If restoration is not possible within 72 hours, the unit must be brought to MODE
: 4. In MODE 4, the unit may be placed on the Residual Heat Removal System. The additional
 
Completion Time of 12 hours is compatible with required operations to achieve cooldown and depressurization from the
 
existing unit conditions in an orderly manner and without
 
challenging unit systems.
C.1, C.2, and C.3 If two required RCS loops are inoperable or a required RCS
 
loop is not in operation, except as during conditions
 
permitted by the Note in the LCO section, place the Rod
 
Control System in a condition incapable of rod withdrawal (e.g., all CRDMs must be de-energized by opening the RTBs or de-energizing the MG sets). All operations involving
 
introduction of coolant into the RCS with boron
 
concentration less than required to meet the minimum SDM of
 
LCO 3.1.1 must be suspended, and action to restore one of the RCS loops to OPERABLE status and operation must be
 
initiated. Boron dilution requires forced circulation for
 
proper mixing, and opening the RTBs or de-energizing the MG
 
sets removes the possibility of an inadvertent rod
 
withdrawal. Suspending the introduction of coolant into the
 
RCS of coolant with boron concentration less than required
 
to meet the minimum SDM of LCO 3.1.1 is required to assure continued safe operation. With coolant added without forced
 
circulation, unmixed coolant could be introduced to the
 
core, however coolant added with boron concentration meeting
 
the minimum SDM maintains acceptable margin to subcritical
 
operations. The immediate Completion Time reflects the
 
importance of maintaining operation for heat removal. The
 
action to restore must be continued until one loop is
 
restored to OPERABLE status and operation.
RCS Loops-MODE 3 B 3.4.5 BASESNorth Anna Units 1 and 2B 3.4.5-5Revision 46 SURVEILLANCE REQUIREMENTS SR  3.4.5.1This SR requires verification that the required loops are in operation. Verification includes flow rate, temperature, and pump status monitoring, which help ensure that forced flow
 
is providing heat removal. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
SR  3.4.5.2 SR 3.4.5.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side
 
narrow range water level is  17% for required RCS loops. If the SG secondary side nar row range water level is <
17%, the tubes may become uncovered and the associated loop may not be
 
capable of providing the heat sink for removal of the decay
 
heat. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
SR  3.4.5.3 Verification that the required RCP is OPERABLE ensures that
 
safety analyses limits are me
: t. The requirement also ensures that an additional RCP can be placed in operation, if needed, to maintain decay heat removal and reactor coolant
 
circulation. Verification is performed by verifying proper
 
breaker alignment and power availability to the required
 
RCP. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that states the SR is not
 
required to be performed until 24 hours after a required pump is not in operation.
REFERENCES None.
Intentionally Blank North Anna Units 1 and 2B 3.4.6-1Revision 0 RCS Loops-MODE 4 B 3.4.6 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.6RCS Loops-MODE 4 BASES BACKGROUND In MODE 4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam generator (SG) secondary side coolant or the
 
component cooling water via the residual heat removal (RHR)
 
heat exchangers. The secondary function of the reactor
 
coolant is to act as a carrier for soluble neutron poison, boric acid.
The reactor coolant is circulated through three RCS loops
 
connected in parallel to the reactor vessel, each loop
 
containing an SG, a reactor coolant pump (RCP), and
 
appropriate flow, pressure, level, and temperature
 
instrumentation for control, protection, and indication. The RCPs circulate the coolant through the reactor vessel and
 
SGs at a sufficient rate to ensure proper heat transfer and
 
to prevent boric acid stratification.
In MODE 4, either RCPs or RHR loops can be used to provide forced circulation. The intent of this LCO is to provide
 
forced flow from at least one RCP or one RHR loop for decay
 
heat removal and transport. The flow provided by one RCP loop
 
or RHR loop is adequate for decay heat removal. The other
 
intent of this LCO is to require that two paths be OPERABLE
 
to provide redundancy for decay heat removal.
APPLICABLE
 
SAFETY ANALYSES In MODE 4, RCS circulation is considered in the determination of the time available for mitigation of the
 
accidental boron dilution event. The RCS and RHR loops
 
provide this circulation.
RCS Loops-MODE 4 satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCO The purpose of this LCO is to require that at least two loops be OPERABLE in MODE 4 and that one of these loops be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS loops and
 
RHR loops. Any one loop in operation provides enough flow to (continued)
North Anna Units 1 and 2B 3.4.6-2Revision 0 RCS Loops-MODE 4 B 3.4.6 BASES LCO (continued) remove the decay heat from the core with forced circulation.
 
An additional loop is required to be OPERABLE to provide
 
redundancy for heat removal.
Note 1 permits all RCPs or RHR pumps to be removed from operation for  1 hour per 8 hour period. The purpose of the Note is to permit pump swap operations and tests that are
 
designed to validate various accident analyses values. One
 
of the tests which may be performed during the startup
 
testing program is the validation of rod drop times during
 
cold conditions, both with and without flow. The no flow test
 
may be performed in MODE 3, 4, or 5 and requires that the pumps be stopped for a short period of time. The Note permits the stopping of the pumps in order to perform this test and validate the assumed analysis values. If changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values may be revalidated by conducting the test again. The 1 hour time period is adequate to perform the pump swap or test, and operating experience has shown that boron stratification is not a problem during this short
 
period with no forced flow.
Utilization of Note 1 is permitted provided the following conditions are met along with any other conditions imposed
 
by initial startup test procedures:a.No operations are permitted that would dilute the RCS boron concentration with coolant at boron concentrations
 
less than required to meet the SDM of LCO 3.1.1, therefore maintaining the margin to criticality. Boron
 
reduction with coolant at boron concentrations less than
 
required to assure the SDM is maintained is prohibited
 
because a uniform concentration distribution throughout
 
the RCS cannot be ensured when in natural circulation;
 
andb.Core outlet temperature is maintained at least 10
&deg;F below saturation temperature, so that no vapor bubble may form
 
and possibly cause a natural circulation flow
 
obstruction.
Note 2 requires that the secondary side water temperature of each SG be  50&deg;F above each of the RCS cold leg temperatures before the start of an RCP with any RCS cold leg temperature (continued)
RCS Loops-MODE 4 B 3.4.6 BASESNorth Anna Units 1 and 2B 3.4.6-3Revision 28 LCO (continued) 280&deg;F. This restraint is to prevent a low temperature overpressure event due to a thermal transient when an RCP is
 
started.An OPERABLE RCS loop is comprised of an OPERABLE RCP and an
 
OPERABLE SG, which has the minimum water level specified in
 
SR 3.4.6.2.Similarly for the RHR System, an OPERABLE RHR loop is
 
comprised of an OPERABLE RHR pump capable of providing
 
forced flow to an OPERABLE RHR heat exchanger. RCPs and RHR
 
pumps are OPERABLE if they are capable of being powered and
 
are able to provide forced flow if required.
APPLICABILITY In MODE 4, this LCO ensures forced circulation of the reactor coolant to remove decay heat from the core and to
 
provide proper boron mixing. One loop of either RCS or RHR provides sufficient circulation for these purposes. However, two loops consisting of any combination of RCS and RHR loops are required to be OPERABLE to provide redundancy for heat
 
removal.Operation in other MODES is covered by:
LCO 3.4.4, "RCS Loops-MODES 1 and 2"; LCO 3.4.5, "RCS Loops-MODE 3"; LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";
LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).ACTIONS A.1 If one required loop is inoperable, redundancy for heat
 
removal is lost. Action must be initiated to restore a second
 
RCS or RHR loop to OPERABLE status. The immediate Completion
 
Time reflects the importance of maintaining the availability
 
of two paths for heat removal.
North Anna Units 1 and 2B 3.4.6-4Revision 0 RCS Loops-MODE 4 B 3.4.6 BASES ACTIONS (continued)
A.2 If restoration is not accomplished and an RHR loop is
 
OPERABLE, the unit must be brought to MODE 5 within 24 hours. Bringing the unit to MODE 5 is a conservative action with regard to decay heat removal. With only one RHR
 
loop OPERABLE, redundancy for decay heat removal is lost
 
and, in the event of a loss of the remaining RHR loop, it
 
would be safer to initiate that loss from MODE 5 rather than MODE 4. The Completion Time of 24 hours is a reasonable time, based on operating experience, to reach MODE 5 from MODE 4 in an orderly manner and without challenging unit systems.This Required Action is modified by a Note which indicates that the unit must be placed in MODE 5 only if an RHR loop is
 
OPERABLE. With no RHR loop OPERABLE, the unit is in a
 
condition with only limited cooldown capabilities.
 
Therefore, the actions are to be concentrated on the
 
restoration of an RHR loop, rather than a cooldown of
 
extended duration.
B.1 and B.2 If two required loops are inoperable or a required loop is
 
not in operation, except during conditions permitted by
 
Note 1 in the LCO section, all operations involving introduction of coolant into the RCS with boron
 
concentration less than required to meet the minimum SDM of
 
LCO 3.1.1 must be suspended and action to restore one RCS or RHR loop to OPERABLE status and operation must be initiated.
 
The required margin to criticality must not be reduced in
 
this type of operation. Suspending the introduction of
 
coolant into the RCS of coolant with boron concentration
 
less than required to meet the minimum SDM of LCO 3.1.1 is required to assure continued safe operation. With coolant
 
added without forced circulation, unmixed coolant could be
 
introduced to the core, however coolant added with boron
 
concentration meeting the minimum SDM maintains acceptable
 
margin to subcritical operations. The immediate Completion
 
Times reflect the importance of maintaining operation for
 
decay heat removal. The action to restore must be continued
 
until one loop is restored to OPERABLE status and operation.
RCS Loops-MODE 4 B 3.4.6 BASESNorth Anna Units 1 and 2B 3.4.6-5Revision 46 SURVEILLANCE REQUIREMENTS SR  3.4.6.1 This SR requires verification that the required RCS or RHR
 
loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
SR  3.4.6.2 SR 3.4.6.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side
 
narrow range water level is  17%. If the SG secondary side narrow range water level is <
17%, the tubes may become uncovered and the associated loop may not be capable of
 
providing the heat sink necessary for removal of decay heat.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.4.6.3 Verification that the required pump is OPERABLE ensures that
 
an additional RCS or RHR pump can be placed in operation, if
 
needed, to maintain decay heat removal and reactor coolant
 
circulation. Verification is performed by verifying proper
 
breaker alignment and power available to the required pump.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by a Note that states the SR is not
 
required to be performed until 24 hours after a required pump is not in operation.
REFERENCES None.
Intentionally Blank North Anna Units 1 and 2B 3.4.7-1Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.7RCS Loops-MODE 5, Loops Filled BASES BACKGROUND In MODE 5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer this heat either to the steam generator (SG) secondary side
 
coolant via natural circulation (Ref. 1) or the component
 
cooling water via the residual heat removal (RHR) heat
 
exchangers. While the p rincipal means for decay heat removal is via the RHR System, the SGs via natural circulation (Ref. 1) are specified as a backup means for redundancy.
Even though the SGs cannot produce steam in this MODE, they are capable of being a heat sink due to their large contained volume of secondary water. As long as the SG secondary side
 
water is at a lower temperature than the reactor coolant, heat transfer will occur. The rate of heat transfer is
 
directly proportional to the temperature difference. The
 
secondary function of the reactor coolant is to act as a
 
carrier for soluble neutron poison, boric acid.
In MODE 5 with RCS loops filled, the reactor coolant is circulated by means of two RHR loops connected to the RCS, each loop containing an RHR heat exchanger, an RHR pump, and appropriate flow and temperature instrumentation for control, protection, and indication. One RHR pump circulates
 
the water through the RCS at a sufficient rate to prevent
 
boric acid stratification.
The number of loops in operation can vary to suit the
 
operational needs. The intent of this LCO is to provide forced flow from at least one RHR loop for decay heat removal and transport. The flow p rovided by one RHR loop is adequate for decay heat removal. The other intent of this LCO is to
 
require that a second path be available to provide
 
redundancy for heat removal.
The LCO provides for redundant paths of decay heat removal
 
capability. The first path can be an RHR loop that must be
 
OPERABLE and in operation. The second path can be another
 
OPERABLE RHR loop or maintaining a SG with secondary side
 
water level of at least 17% using narrow range
 
instrumentation to provide an alternate method for decay
 
heat removal via natural circulation (Ref. 1).
North Anna Units 1 and 2B 3.4.7-2Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7 BASES APPLICABLE
 
SAFETY ANALYSES In MODE 5, RCS circulation is considered in the determination of the time available for mitigation of the
 
accidental boron dilution event. The RHR loops provide this
 
circulation.
RCS Loops-MODE 5 (Loops Filled) satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCO The purpose of this LCO is to require that at least one of the RHR loops be OPERABLE and in operation with an additional RHR loop OPERABLE or a SG with secondary side water level 17% using narrow range instrumentation and the associated loop isolation valves open. One RHR loop provides sufficient forced circulation to perform the safety functions of the
 
reactor coolant under these conditions. An additional RHR
 
loop is required to be OPERABLE to provide redundancy for
 
heat removal. However, if the standby RHR loop is not
 
OPERABLE, an acceptable alternate method is a SG with its
 
secondary side water level  17% using narrow range instrumentation. Should the operating RHR loop fail, the SG
 
could be used to remove the decay heat via natural
 
circulation.
Note 1 permits all RHR pumps to be removed from operation  1 hour per 8 hour period. The purpose of the Note is to permit pump swap operations and tests designed to validate
 
various accident analyses values. One of the tests performed
 
during the startup testing program is the validation of rod
 
drop times during cold conditions, both with and without
 
flow. The no flow test may be performed in MODE 3, 4, or 5 and requires that the pumps be stopped for a short period of
 
time. The Note permits stopping of the pumps in order to
 
perform this test and validate the assumed analysis values.
 
If changes are made to the RCS that would cause a change to
 
the flow characteristics of the RCS, the input values must be
 
revalidated by conducting the test again. The 1 hour time period is adequate to perform the pump swap or test, and
 
operating experience has shown that boron stratification is
 
not likely during this short period with no forced flow.(continued)
RCS Loops-MODE 5, Loops Filled B 3.4.7 BASESNorth Anna Units 1 and 2B 3.4.7-3Revision 28 LCO (continued)
Utilization of Note 1 is permitted provided the following conditions are met, along with any other conditions imposed
 
by initial startup test procedures:a.No operations are permitted that would dilute the RCS boron concentration with coolant at boron concentrations
 
less than required to meet the SDM of LCO 3.1.1, therefore maintaining the margin to criticality. Boron
 
reduction with coolant at boron concentrations less than
 
required to assure the SDM is maintained is prohibited
 
because a uniform concentration distribution throughout
 
the RCS cannot be ensured when in natural circulation;
 
andb.Core outlet temperature is maintained at least 10
&deg;F below saturation temperature, so that no vapor bubble may form
 
and possibly cause a natural circulation flow
 
obstruction.
Note 2 allows one RHR loop to be inoperable for a period of up to 2 hours, provided that the other RHR loop is OPERABLE and in operation. This permits periodic surveillance tests
 
to be performed on the inoperable loop during the only time
 
when such testing is safe and possible.
Note 3 requires that the secondary side water temperature of each SG be  50&deg;F above each of the RCS cold leg temperatures before the start of a reactor coolant pump (RCP) with an RCS
 
cold leg temperature  280&deg;F. This restriction is to prevent a low temperature overpressure event due to a thermal
 
transient when an RCP is started.
Note 4 provides for an orderly transition from MODE 5 to MODE 4 during a planned heatup by permitting removal of RHR loops from operation when at least one RCS loop is in
 
operation. This Note provides for the transition to MODE 4 where an RCS loop is permitted to be in operation and
 
replaces the RCS circulation function provided by the RHR
 
loops with circulation provided by an RCP.
RHR pumps are OPERABLE if they are capable of being powered
 
and are able to provide flow if required. A SG can perform as
 
a heat sink via natural circulation when it has an adequate
 
water level and is OPERABLE.
North Anna Units 1 and 2B 3.4.7-4Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7 BASES APPLICABILITY In MODE 5 with the unisolated portion of the RCS loops filled, this LCO requires forced circulation of the reactor
 
coolant to remove decay heat from the core and to provide
 
proper boron mixing. One loop of RHR provides sufficient
 
circulation for these purposes. However, one additional RHR loop is required to be OPERABLE, or the secondary side water level of at least one SG is required to be  17% with the associated loop isolation valves open.
Operation in other MODES is covered by:
LCO 3.4.4, "RCS Loops-MODES 1 and 2"; LCO 3.4.5, "RCS Loops-MODE 3"; LCO 3.4.6, "RCS Loops-MODE 4"; LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";
LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).If all RCS loops are isolated, an SG cannot be used for decay
 
heat removal and RCS water inventory is substantially
 
reduced. In this circumstance, LCO 3.4.8 applies.
ACTIONS A.1, A.2, B.1, and B.2If one RHR loop is OPERABLE and the required SG has secondary side water level <
17%, redundancy for heat removal is lost. Action must be initiated immediately to restore a second RHR
 
loop to OPERABLE status or to restore the required SG
 
secondary side water level. Either Required Action will
 
restore redundant heat removal paths. The immediate
 
Completion Time reflects the importance of maintaining the
 
availability of two paths for heat removal.
C.1 and C.2 If a required RHR loop is not in operation, except during
 
conditions permitted by Note 1 and Note 4, or if no required RHR loop is OPERABLE, all operations involving introduction
 
of coolant into the RCS with boron concentration less than
 
required to meet the minimum SDM of LCO 3.1.1 must be suspended and action to restore one RHR loop to OPERABLE
 
status and operation must be initiated. Suspending the
 
introduction of coolant into the RCS of coolant with boron
 
concentration less than required to meet the minimum SDM of (continued)
RCS Loops-MODE 5, Loops Filled B 3.4.7 BASESNorth Anna Units 1 and 2B 3.4.7-5Revision 46 ACTIONS C.1 and C.2 (continued)
LCO 3.1.1 is required to assure continued safe operation.
With coolant added without forced circulation, unmixed
 
coolant could be introduced to the core, however coolant
 
added with boron concentration meeting the minimum SDM
 
maintains acceptable margin to subcritical operations. The
 
immediate Completion Times reflect the importance of
 
maintaining operation for heat removal.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.7.1 This SR requires verification that the required loop is in
 
operation. Verification includes flow rate, temperature, or
 
pump status monitoring, which help ensure that forced flow
 
is providing heat removal. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
SR  3.4.7.2 Verifying that at least one SG is OPERABLE by ensuring its
 
secondary side narrow range water level is  17% ensures an alternate decay heat removal method via natural circulation
 
in the event that the second RHR loop is not OPERABLE. If
 
both RHR loops are OPERABLE, this Surveillance is not
 
needed. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
SR  3.4.7.3 Verification that the required RHR pump is OPERABLE ensures
 
that an additional pump can be placed in operation, if
 
needed, to maintain decay heat removal and reactor coolant
 
circulation. Verification is performed by verifying proper
 
breaker alignment and power available to the required RHR
 
pump. If secondary side water level is  17% in at least one SG, this Surveillance is not needed. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
This SR is modified by a Note that states the SR is not
 
required to be performed until 24 hours after a required pump is not in operation.
North Anna Units 1 and 2B 3.4.7-6Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7 BASES REFERENCES
: 1. NRC Information Notice 95-35, Degraded Ability of Steam Generators to Remove Decay Heat by Natural Circulation.
North Anna Units 1 and 2B 3.4.8-1Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.8RCS Loops-MODE 5, Loops Not Filled BASES BACKGROUND In MODE 5 with the RCS loops not filled, the primary function of the reactor coolant is the removal of decay heat generated
 
in the fuel, and the transfer of this heat to the component
 
cooling water via the residual heat removal (RHR) heat
 
exchangers. The steam generators (SGs) are not available as
 
a heat sink when the loops are not filled. The secondary
 
function of the reactor coolant is to act as a carrier for
 
the soluble neutron poison, boric acid.
In MODE 5 with loops not filled, only RHR pumps can be used for coolant circulation. The number of pumps in operation
 
can vary to suit the operational needs. The intent of this
 
LCO is to provide forced flow from at least one RHR pump for
 
decay heat removal and transport and to require that two
 
paths be available to provide redundancy for heat removal.
APPLICABLE
 
SAFETY ANALYSES In MODE 5, RCS circulation is considered in the determination of the time available for mitigation of the
 
accidental boron dilution event. The RHR loops provide this
 
circulation. The flow provided by one RHR loop is adequate
 
for heat removal and for boron mixing.
RCS loops in MODE 5 (loops not filled) satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCO The purpose of this LCO is to require that at least two RHR loops be OPERABLE and one of these loops be in operation. An OPERABLE loop is one that has the capability of transferring
 
heat from the reactor coolant at a controlled rate. Heat
 
cannot be removed via the RHR System unless forced flow is
 
used. A minimum of one running RHR pump meets the LCO
 
requirement for one loop in operation. An additional RHR
 
loop is required to be OPERABLE to provide redundancy for
 
heat removal.
Note 1 permits all RHR pumps to be removed from operation for  15 minutes when switching from one loop to another. The circumstances for stopping both RHR pumps are to be limited
 
to situations when the outage time is short and core outlet (continued)
North Anna Units 1 and 2B 3.4.8-2Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8 BASES LCO (continued) temperature is maintained > 10
&deg;F below saturation temperature. The Note prohibits boron dilution with coolant
 
at boron concentrations less than required to assure the SDM of LCO 3.1.1 is maintained or draining operations when RHR forced flow is stopped.
Note 2 allows one RHR loop to be inoperable for a period of  2 hours, provided that the other loop is OPERABLE and in operation. This permits periodic surveillance tests to be
 
performed on the inoperable loop during the only time when
 
these tests are safe and possible.
An OPERABLE RHR loop is comprised of an OPERABLE RHR pump
 
capable of providing forced flow to an OPERABLE RHR heat
 
exchanger. RHR pumps are OPERABLE if they are capable of
 
being powered and are able to provide flow if required.
APPLICABILITY In MODE 5 with the unisolated portion of the loops not filled, this LCO requires core heat removal and coolant
 
circulation by the RHR System.
Operation in other MODES is covered by:
LCO 3.4.4, "RCS Loops-MODES 1 and 2"; LCO 3.4.5, "RCS Loops-MODE 3"; LCO 3.4.6, "RCS Loops-MODE 4"; LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";
LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).If all RCS loops are isolated, the RCS water inventory is
 
substantially reduced. In this circumstance, LCO 3.4.8 applies whether or not the isolated loops are filled.
ACTIONS A.1 If one required RHR loop is inoperable, redundancy for RHR is
 
lost. Action must be initiated to restore a second loop to
 
OPERABLE status. The immediate Completion Time reflects the
 
importance of maintaining the availability of two paths for
 
heat removal.
RCS Loops-MODE 5, Loops Not Filled B 3.4.8 BASESNorth Anna Units 1 and 2B 3.4.8-3Revision 46 ACTIONS (continued)
B.1 and B.2 If no required loop is OPERABLE or the required loop is not in operation, except during conditions permitted by Note 1, all operations involving introduction of coolant into the
 
RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action must be initiated immediately to restore an RHR loop to OPERABLE
 
status and operation. The required margin to criticality
 
must not be reduced in this type of operation. Suspending the
 
introduction of coolant into the RCS of coolant with boron
 
concentration less than required to meet the minimum SDM of
 
LCO 3.1.1 is required to assure continued safe operation.
With coolant added without forced circulation, unmixed
 
coolant could be introduced to the core, however coolant
 
added with boron concentration meeting the minimum SDM
 
maintains acceptable margin to subcritical operations. The
 
immediate Completion Time reflects the importance of
 
maintaining operation for heat removal. The action to restore must continue until one loop is restored to OPERABLE
 
status and operation.
SURVEILLANCE
 
REQUIREMENTS SR 3.4.8.1 This SR requires verification that the required loop is in
 
operation. Verification includes flow rate, temperature, or
 
pump status monitoring, which help ensure that forced flow
 
is providing heat removal. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
SR 3.4.8.2 Verification that the required pump is OPERABLE ensures that
 
an additional pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation.
 
Verification is performed by verifying proper breaker
 
alignment and power available to the required pump. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by a Note that states the SR is not
 
required to be performed until 24 hours after a required pump is not in operation.
North Anna Units 1 and 2B 3.4.8-4Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8 BASES REFERENCES None.
North Anna Units 1 and 2B 3.4.9-1Revision 0 Pressurizer B 3.4.9 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.9Pressurizer BASES BACKGROUND The pressurizer provides a point in the RCS where liquid and
 
vapor are maintained in equilibrium under saturated
 
conditions for pressure control purposes to prevent bulk
 
boiling in the remainder of the RCS. Key functions include
 
maintaining required primary system pressure during steady
 
state operation, and li miting the pressure changes caused by reactor coolant thermal expansion and contraction during
 
normal load transients.
The pressure control components addressed by this LCO
 
include the pressurizer water level, the required heaters, and their controls and emergency power supplies. Pressurizer
 
safety valves and pressurizer power operated relief valves
 
are addressed by LCO 3.4.10, "Pressurizer Safety Valves," and LCO 3.4.11, "Pressurizer Power Operated Relief Valves (PORVs)," respectively.
The intent of the LCO is to en sure that a steam bubble exists in the pressurizer prior to power operation to minimize the
 
consequences of potential overpressure transients. The
 
presence of a steam bubble is consistent with analytical
 
assumptions. Relatively small amounts of noncondensible
 
gases can inhibit the condensation heat transfer between the
 
pressurizer spray and the steam, and diminish the spray
 
effectiveness for pressure control.
Electrical immersion heaters, located in the lower section
 
of the pressurizer vessel, keep the water in the pressurizer
 
at saturation temperature and maintain a constant operating
 
pressure. There are 5 groups of pressurizer heaters. Groups
 
1, 2, 4, and 5 are backup heaters. Group 3 consists of
 
proportional heaters. Groups 1 and 4 are powered from the
 
emergency busses and are governed by this Specification. A
 
minimum required available capacity of pressurizer heaters
 
ensures that the RCS pressure can be maintained. The
 
capability to maintain and control system pressure is
 
important for maintaining subcooled conditions in the RCS
 
and ensuring the capability to remove core decay heat by
 
either forced or natural circulation of reactor coolant.
 
Unless adequate heater capacity is available, the hot, high
 
pressure condition cannot be maintained indefinitely and (continued)
North Anna Units 1 and 2B 3.4.9-2Revision 0 Pressurizer B 3.4.9 BASES BACKGROUND (continued) still provide the required subcooling margin in the primary
 
system. Inability to control the system pressure and
 
maintain subcooling under conditions of natural circulation
 
flow in the primary system could lead to a loss of single
 
phase natural circulation and decreased capability to remove
 
core decay heat.
APPLICABLE
 
SAFETY ANALYSES In MODES 1, 2, and 3, the LCO requirement for a steam bubble is reflected implicitly in the accident analyses. Safety
 
analyses performed for lower MODES are not limiting. All
 
analyses performed from a critical reactor condition assume
 
the existence of a steam bubble and saturated conditions in
 
the pressurizer. In making this assumption, the analyses
 
neglect the small fraction of noncondensible gases normally
 
present.Safety analyses presented in the UFSAR (Ref. 1) do not take
 
credit for pressurizer heater operation unless their
 
operation would increase the severity of the event; however, an implicit initial condition assumption of the safety
 
analyses is that the pressure control system is maintaining
 
RCS pressure in the normal operating range.
The maximum pressurizer water level limit, which ensures
 
that a steam bubble exists in the pressurizer, satisfies
 
Criterion 2 of 10 CFR 50.36(c)(2)(ii). Although the heaters are not specifically used in accident analysis, the need to
 
maintain subcooling in the long term during loss of offsite
 
power, as indicated in NUREG-0737 (Ref.
2), is the reason for providing an LCO.
LCO The LCO requirement for the pressurizer to be OPERABLE with a water volume  1240 cubic feet, which is equivalent to  93%, ensures that a steam bubble exists. Limiting the LCO maximum operating water level preserves the steam space for pressure control. The LCO has been established to ensure the capability to establish and maintain pressure control for
 
steady state operation and to minimize the consequences of
 
potential overpressure transients. Requiring the presence of
 
a steam bubble is also consistent with analytical
 
assumptions.
The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity  125 kW, capable of being powered from an emergency bus. The two heater groups are designated as (continued)
Pressurizer B 3.4.9 BASESNorth Anna Units 1 and 2B 3.4.9-3Revision 0 LCO (continued)
Group 1 and Group 4. The minimum heater capacity required is sufficient to maintain the RCS near normal operating
 
pressure when accounting for heat losses through the
 
pressurizer insulation. By maintaining the pressure near the
 
operating conditions, a wide margin to subcooling can be
 
obtained in the loops. The exact design value of 125 kW is derived from the use of seven heaters rated at 17.9 kW each. The amount needed to maintain pressure is dependent on the
 
heat losses.
APPLICABILITY The need for pressure control is most pertinent when core
 
heat can cause the greatest effect on RCS temperature, resulting in the greatest effect on pressurizer level and
 
RCS pressure control. Thus, applicability has been
 
designated for MODES 1 and 2. The applicability is also provided for MODE
: 3. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid
 
pressure rises caused by normal operational perturbation, such as reactor coolant pump startup.
In MODES 1, 2, and 3, there is need to maintain the availability of pressurizer heaters, capable of being
 
powered from an emergency bus. In the event of a loss of
 
offsite power, the initial conditions of these MODES give
 
the greatest demand for maintaining the RCS in a hot
 
pressurized condition with loop subcooling for an extended
 
period. For MODE 4, 5, or 6, the need for pressurizer heaters supplied from an emergency bus to maintain pressure control
 
is reduced because core heat is reduced, and has a
 
correspondingly lower effect on pressurizer level and RCS pressure control. In ad dition, other mechanisms, such as the Residual Heat Removal (RHR) System and the Power Operated
 
Relief Valves (PORVs) are available to control RCS
 
temperature and pressure should normal offsite power be
 
lost.ACTIONS A.1, A.2, A.3 and A.4 Pressurizer water level control malfunctions or other unit evolutions may result in a pressurizer water level above the
 
nominal upper limit, even with the unit at steady state
 
conditions. Normally the unit will trip in this event since
 
the upper limit of this LCO is the same as the Pressurizer
 
Water Level-High Trip.(continued)
North Anna Units 1 and 2B 3.4.9-4Revision 46 Pressurizer B 3.4.9 BASES ACTIONS A.1, A.2, A.3 and A.4 (continued)
If the pressurizer water level is not within the limit, action must be taken to bring the unit to a MODE in which the
 
LCO does not apply. To achieve this status, within 6 hours the unit must be brought to MODE 3, with all rods fully inserted and incapable of withdrawal. Additionally, the unit
 
must be brought to MODE 4 within 12 hours. This takes the unit out of the applicable MODES.
The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems.
B.1 If one required group of pressurizer heaters is inoperable, restoration is required within 72 hours. The Completion Time of 72 hours is reasonable considering the anticipation that a demand caused by loss of offsite power would be unlikely in this period. Pressure control may be maintained during this
 
time using the remaining heaters.
C.1 and C.2 If one group of pressurizer heaters are inoperable and
 
cannot be restored in the allowed Completion Time of
 
Required Action B.1, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the
 
unit must be brought to MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR 3.4.9.1 This SR requires that during steady state operation, pressurizer level is maintained below the nominal upper
 
limit to provide a minimum space for a steam bubble. The
 
Surveillance is performed by observing the indicated level.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
Pressurizer B 3.4.9 BASESNorth Anna Units 1 and 2B 3.4.9-5Revision 46 SURVEILLANCE REQUIREMENTS SR 3.4.9.2 The SR is satisfied when the power supplies are demonstrated
 
to be capable of producing the minimum power and the
 
associated pressurizer heaters are verified to be at their required rating. This may be done by testing the power supply output and by performing an electrical check on heater
 
element continuity and resistance. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Chapter 15.2.NUREG-0737, November 1980.
Intentionally Blank North Anna Units 1 and 2B 3.4.10-1Revision 20 Pressurizer Safety Valves B 3.4.10 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.10Pressurizer Safety Valves BASES BACKGROUND The pressurizer safety valves provide, in conjunction with
 
the Reactor Protection System, overpressure protection for
 
the RCS. The pressurizer safety valves are totally enclosed
 
pop type, spring loaded, self actuated valves with backpressure compensation. The safety valves are designed to prevent the system pressure f rom exceeding the system Safety Limit (SL), 2735 psig, which is 110% of the design pressure.
Because the safety valves are totally enclosed and self
 
actuating, they are considered independent components. The
 
relief capacity for each valve, 380,000 lb/hr, is based on postulated overpressure transient conditions resulting from
 
a complete loss of steam flow to the turbine, a locked
 
reactor coolant pump rotor, and reactivity insertion due to
 
control rod withdrawal. The complete loss of steam flow is
 
typically the limiting event. The limiting event results in
 
the maximum surge rate into the pressurizer, which specifies
 
the minimum relief capacity for the safety valves. The
 
discharge flow from the pressurizer safety valves is directed to the pressurizer relief tank. This discharge flow is indicated by an increase in temperature downstream of the
 
pressurizer safety valves, increase in the pressurizer
 
relief tank temperature or level, or by the acoustic
 
monitors located on the relief line.
Overpressure protection is required in MODES 1, 2, 3, 4, and 5; however, in MODE 4, with one or more RCS cold leg temperatures  280&deg;F, and MODE 5 and MODE 6 with the reactor vessel head on, overpressure protection is provided by
 
operating procedures and by meeting the requirements of
 
LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP)
System." The safety valve pressure tolerance limit is expressed as an average value. The as-found error, expressed as a positive
 
or negative percentage of each tested safety valve, is
 
summed and divided by the number of valves tested. This
 
average as-found value is compared to the acceptable range
 
of +2% to -3%. In addition, no single valve is allowed to be
 
outside of +/-3%. The lift setting is for the ambient
 
conditions associated with MODES 1, 2, and 3. This requires (continued)
North Anna Units 1 and 2B 3.4.10-2Revision 8 Pressurizer Safety Valves B 3.4.10 BASES BACKGROUND (continued) either that the valves be set hot or that a correlation
 
between hot and cold settings be established.
The pressurizer safety valves are part of the primary
 
success path and mitigate the effects of postulated
 
accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to  110% of design pressure in accordance with ASME Code, Section III (Ref. 1). The consequence of exceeding the ASME Code pressure limit could
 
include damage to RCS components, increased leakage, or a
 
requirement to perform additional stress analyses prior to
 
resumption of reactor operation.
APPLICABLE
 
SAFETY ANALYSES All accident and safety analyses in the UFSAR (Ref.
: 2) that require safety valve actuation assume operation of three
 
pressurizer safety valves to limit increases in RCS
 
pressure. The overpressure protection analysis (Ref.
: 3) is also based on operation of three safety valves. Accidents
 
that could result in overpressurization if not properly
 
terminated include:a.Uncontrolled rod withdrawal from full power;b.Loss of reactor coolant flow;c.Loss of external electrical load;d.Loss of normal feedwater;e.Loss of all AC power to station auxiliaries;f.Locked rotor; andg.Uncontrolled rod withdrawal from subcritical.
Description of the analyses of the above transients are
 
contained in Reference
: 2. Safety valve actuation is required in events a, c, f and g (above) to limit the pressure increase. Compliance with this LCO is consistent with the
 
design bases and accident analyses assumptions.
Pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
Pressurizer Safety Valves B 3.4.10 BASESNorth Anna Units 1 and 2B 3.4.10-3Revision 20 LCO The three pressurizer safety valves are set to open at the RCS design pressure (2485 psig), and within the ASME specified tolerance, to avoid exceeding the maximum design
 
pressure SL, to maintain accident analyses assumptions, and
 
to comply with ASME requirements. The safety valve pressure
 
tolerance limit is expressed as an average value. The as-
 
found error, expressed as a positive or negative percentage
 
of each tested safety valve, is summed and divided by the
 
number of valves tested. This average as-found value is compared to the acceptable range of +2% to -3%. In addition, no single valve is allowed to be outside of +/-3%. The limit
 
protected by this Specification is the reactor coolant
 
pressure boundary (RCPB) SL of 110% of design pressure.
 
Inoperability of one or more valves could result in
 
exceeding the SL if a transient were to occur. The
 
consequences of exceeding the ASME pressure limit could
 
include damage to one or more RCS components, increased
 
leakage, or additional stress analysis being required prior
 
to resumption of reactor operation.
APPLICABILITY In MODES 1, 2, and 3, and portions of MODE 4 above the LTOP enabling temperature, OPERABILITY of three valves is
 
required because the combined capacity is required to keep
 
reactor coolant pressure below 110% of its design value
 
during certain accidents. MODE 3 and portions of MODE 4 are conservatively included, although the listed accidents may
 
not require the safety valves for protection.
The LCO is not applicable in MODE 4 when any RCS cold leg temperatures are  280&deg;F or in MODE 5 because LTOP is provided. Overpressure protection is not required in MODE 6 with reactor vessel head detensioned.
The Note allows entry into MODES 3 and 4 with the lift settings outside the LCO limits. This permits testing and
 
examination of the safety valves at high pressure and
 
temperature near their normal operating range, but only
 
after the valves have had a preliminary cold setting. The
 
cold setting gives assurance that the valves are OPERABLE
 
near their design condition. This method of testing is not
 
currently used at North Anna, but it is an accepted method.
 
Only one valve at a time may be removed from service for
 
testing. The 54 hour exception is based on 18 hour outage time for each of the three valves. The 18 hour period is derived from industry experience that hot testing can be
 
performed in this timeframe.
North Anna Units 1 and 2B 3.4.10-4Revision 20 Pressurizer Safety Valves B 3.4.10 BASES ACTIONS A.1 With one pressurizer safety valve inoperable, restoration
 
must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS Overpressure Protection System. An inoperable safety valve
 
coincident with an RCS overpressure event could challenge
 
the integrity of the pressure boundary.
B.1 and B.2 If the Required Action of A.1 cannot be met within the
 
required Completion Time or if two or more pressurizer
 
safety valves are inoperable, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 4 with any RCS cold leg temperatures  280&deg;F within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems. With
 
any RCS cold leg temperatures at or below 280
&deg;F, overpressure protection is provided by the LTOP System. The change from
 
MODE 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer
 
insurges, and thereby removes the need for overpressure
 
protection by three pressurizer safety valves.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.10.1 SRs are specified in the Inservice Testing Program.
 
Pressurizer safety valves are to be tested in accordance
 
with the requirements of the ASME Code (Ref.
4), which provides the activities and Frequencies necessary to satisfy
 
the SRs. No additional requirements are specified.
The pressurizer safety valve lift setting given in the LCO is
 
for OPERABILITY; however, the valves are reset to +/-1% during the Surveillance to allow for drift.
REFERENCES1.ASME, Boiler and Pressure Vessel Code, Section III.2.UFSAR, Chapter 15.3.WCAP-7769, Rev.
1, June 1972.
Pressurizer Safety Valves B 3.4.10 BASESNorth Anna Units 1 and 2B 3.4.10-5Revision 0 REFERENCES (continued)4.ASME Code for Operation and Maintenance of Nuclear Power Plants.
Intentionally Blank North Anna Units 1 and 2B 3.4.11-1Revision 0 Pressurizer PORVs B 3.4.11 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.11Pressurizer Power Operated Relief Valves (PORVs)
BASES BACKGROUND The pressurizer is equipped with two types of devices for
 
pressure relief: pressurizer safety valves and PORVs. The
 
PORVs are air or nitrogen operated valves that are
 
controlled to open at a set pressure when the pressurizer
 
pressure increases and close when the pressurizer pressure
 
decreases. The PORVs may also be manually operated from the
 
control room.
Block valves, which are normally open, are located between
 
the pressurizer and the PORVs. The block valves are used to
 
isolate the PORVs in case of excessive leakage or a stuck
 
open PORV. Block valve closure is accomplished manually
 
using controls in the control room. A stuck open PORV is, in
 
effect, a small break loss of coolant accident (LOCA). As
 
such, block valve closure terminates the RCS
 
depressurization and coolant inventory loss.
The PORVs and their associated block valves may be used by
 
unit operators to depressurize the RCS to recover from
 
certain transients if normal pressurizer spray is not
 
available. Additionally, the series arrangement of the PORVs
 
and their block valves permit performance of surveillances
 
on the valves during power operation.
The PORVs may also be used for feed and bleed core cooling in the case of multiple equipment failure events that are not
 
within the design basis, such as a total loss of feedwater.
The PORVs, their block valves, and their controls are
 
powered from the emergency buses that normally receive power from offsite power sources, but are also capable of being
 
powered from emergency power sources in the event of a loss
 
of offsite power. The PORVs are air operated valves and
 
normally are provided motive force by the Instrument Air
 
System. A backup, nitrogen supply for the PORVs is also
 
available. Two PORVs and their associated block valves are
 
powered from two separate safety trains (Ref.
1).The unit has two PORVs, each having a relief capacity of
 
210,000 lb/hr at 2335 psig. The functional design of the PORVs is based on maintaining pressure below the Pressurizer (continued)
North Anna Units 1 and 2B 3.4.11-2Revision 0 Pressurizer PORVs B 3.4.11 BASES BACKGROUND (continued)
Pressure-High reactor trip setpoint following a step
 
reduction of 50% of full load with steam dump. In addition, the PORVs minimize challenges to the pressurizer safety
 
valves and also may be used for low temperature overpressure
 
protection (LTOP). See LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System." APPLICABLE
 
SAFETY ANALYSES Unit operators employ the PORVs to depressurize the RCS in
 
response to certain unit transients if normal pressurizer
 
spray is not available. For the Steam Generator Tube Rupture (SGTR) event, the safety analysis assumes that manual
 
operator actions are required to mitigate the event. A loss of offsite power is assumed to accompany the event, and thus, normal pressurizer spray is unavailable to reduce RCS
 
pressure. The PORVs are assumed to be used for RCS
 
depressurization, which is one of the steps performed to
 
equalize the primary and secondary pressures in order to
 
terminate the primary to secondary break flow and the
 
radioactive releases from the affected steam generator.The PORVs are also modeled in safety analyses for events that result in increasing RCS pressure for which departure from
 
nucleate boiling ratio (DNBR) criteria are critical (Ref. 2). By assuming PORV actuation, the primary pressure remains below the high pressurizer pressure trip setpoint;
 
thus, the DNBR calculation is more conservative. As such, this actuation is not required to mitigate these events, and
 
PORV automatic operation is, therefore, not an assumed
 
safety function.
Pressurizer PORVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO requires the PORVs and their associated block valves
 
to be OPERABLE for manual operation to mitigate the effects
 
associated with an SGTR.
By maintaining two PORVs and their associated block valves
 
OPERABLE, the single failure criterion is satisfied. An
 
OPERABLE block valve may be either open and energized with
 
the capability to be closed, or closed and energized with the
 
capability to be opened, since the required safety function
 
is accomplished by manual operation. Although typically open
 
to allow PORV operation, the block valves may be OPERABLE when closed to isolate the flow path of an inoperable PORV (continued)
Pressurizer PORVs B 3.4.11 BASESNorth Anna Units 1 and 2B 3.4.11-3Revision 0 LCO (continued) that is capable of being manually cycled (e.g., as in the case of excessive PORV leakage). Similarly, isolation of an
 
OPERABLE PORV does not render that PORV or block valve
 
inoperable provided the relief function remains available
 
with manual action.
An OPERABLE PORV is required to be capable of manually
 
opening and closing, and not experiencing excessive seat
 
leakage. Excessive seat leakage, although not associated
 
with a specific acceptance criteria, exists when conditions
 
dictate closure of the block valve to limit leakage to within
 
LCO 3.4.13, "RCS Operational Leakage."
Satisfying the LCO helps minimize challenges to fission
 
product barriers.
APPLICABILITY In MODES 1, 2, and 3, the PORVs and their associated block valves are required to be OPERABLE to limit the potential for
 
a small break LOCA through the flow path and for manual
 
operation to mitigate the effects associated with an SGTR.
 
The PORVs are also required to be OPERABLE in MODES 1, 2, and 3 for manual actuation to mitigate an SGTR event. Imbalances in the energy output of the core and heat removal by the secondary system can cause the RCS pressure to
 
increase to the PORV opening setpoint. The most rapid
 
increases will occur at the higher operating power and
 
pressure conditions of MODES 1 and 2.Pressure increases are less prominent in MODE 3 because the core input energy is reduced, but the RCS pressure is high.
 
Therefore, the LCO is applicable in MODES 1, 2, and 3. The LCO is not applicable in MODES 4, 5, and 6 with the reactor vessel head in place when both pressure and core energy are
 
decreased and the pressure surges become much less
 
significant. LCO 3.4.12 addresses the PORV requirements in these MODES.
ACTIONS Note 1 has been added to clarify that all pressurizer PORVs are treated as separate entities, each with separate
 
Completion Times (i.e., the Completion Time is on a
 
component basis).
North Anna Units 1 and 2B 3.4.11-4Revision 0 Pressurizer PORVs B 3.4.11 BASES ACTIONS (continued)
A.1 The PORVs are provided normal motive force by the Instrument
 
Air system and have a backup nitrogen supply. If the backup
 
nitrogen supply is inoperable, the PORVs are still capable
 
of being manually cycled provided the Instrument Air system
 
is available. The Instrument Air system is highly reliable
 
and the likelihood of its being unavailable during a demand
 
for PORV actuation is low enough to justify a 14 day
 
Completion Time for return of the backup nitrogen supply to
 
OPERABLE status.
B.1 PORVs may be inoperable and capable of being manually cycled (e.g., excessive seat leakage). In this Condition, either
 
the PORVs must be restored or the flow path isolated within
 
1 hour. The associated block valve is required to be closed, but power must be maintained to the associated block valve, since removal of power would render the block valve
 
inoperable. This permits operation of the unit until the
 
next refueling outage (MODE
: 6) so that maintenance can be performed on the PORVs to eliminate the problem condition.
Quick access to the PORV for pressure control can be made
 
when power remains on the closed block valve. The Completion
 
Time of 1 hour is based on unit operating experience that has shown that minor problems can be corrected or closure
 
accomplished in this time period.
C.1, C.2, and C.3 If one PORV is inoperable and not capable of being manually
 
cycled, it must be either restored, or isolated by closing
 
the associated block valve and removing the power to the
 
associated block valve. The Completion Time of 1 hour is reasonable, based on challenges to the PORVs during this
 
time period, and provides the operator adequate time to
 
correct the situation. If the inoperable valve cannot be
 
restored to being capable of being manually cycled (permitting entry into Condition B), or OPERABLE status, it
 
must be isolated within the specified time. Because there is
 
one PORV that remains OPERABLE, an additional 72 hours is provided to restore the inoperable PORV to OPERABLE status.
 
If the PORV cannot be restored within this additional time, the unit must be brought to a MODE in which the LCO does not
 
apply, as required by Condition E.
Pressurizer PORVs B 3.4.11 BASESNorth Anna Units 1 and 2B 3.4.11-5Revision 0 ACTIONS (continued)
D.1 and D.2 If one block valve is inoperable, then it is necessary to either restore the block valve to OPERABLE status within the
 
Completion Time of 1 hour or place the associated PORV in manual control. The prime importance for the capability to
 
close the block valve is to isolate a stuck open PORV.
 
Therefore, if the block valve cannot be restored to OPERABLE
 
status within 1 hour, the Required Action is to place the PORV in manual control to preclude its automatic opening for
 
an overpressure event and to avoid the potential for a stuck
 
open PORV at a time that the block valve is inoperable. The
 
Completion Time of 1 hour is reasonable, based on the small potential for challenges to the system during this time
 
period, and provides the operator time to correct the
 
situation. Because at least one PORV remains OPERABLE, the
 
operator is permitted a Completion Time of 72 hours to restore the inoperable block valve to OPERABLE status. The
 
time allowed to restore the block valve is based upon the
 
Completion Time for restoring an inoperable PORV in
 
Condition C, since the PORVs may not be capable of mitigating an event if the inoperable block valve is not full
 
open. If the block valve is restored within the Completion
 
Time of 72 hours, the PORV may be restored to automatic operation. If it cannot be restored within this additional
 
time, the unit must be brought to a MODE in which the LCO
 
does not apply, as required by Condition E.The Required Actions D.1 and D.2 are modified by a Note stating that the Required Actions do not apply if the sole
 
reason for the block valve being declared inoperable is as a
 
result of power being removed to comply with another
 
Required Action. In this event, the Required Actions for
 
inoperable PORV(s) (which require the block valve power to
 
be removed once it is closed) are adequate to address the
 
condition. While it may be desirable to also place the
 
PORV(s) in manual control, this may not be possible for all
 
causes of Condition C entry with PORV(s) inoperable and not capable of being manually cycled (e.g., as a result of failed
 
control power fuse(s) or control switch malfunction(s).)
E.1 and E.2 If the Required Action of Condition A, B, C, or D is not met, then the unit must be brought to a MODE in which the LCO does
 
not apply. To achieve this status, the unit must be brought
 
to at least MODE 3 within 6 hours and to MODE 4 within (continued)
North Anna Units 1 and 2B 3.4.11-6Revision 0 Pressurizer PORVs B 3.4.11 BASES ACTIONS E.1 and E.2 (continued) 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
 
conditions from full power conditions in an orderly manner
 
and without challenging unit systems. In MODE 4, automatic PORV OPERABILITY is required. See LCO 3.4.12.F.1 and F.2If more than one PORV is inoperable and not capable of being
 
manually cycled, then the unit must be brought to a MODE in
 
which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems. In
 
MODE 4, automatic PORV OPERABILITY is required. See LCO 3.4.12.G.1 If two block valves are inoperable, it is necessary to
 
restore at least one block valve within 2 hours. The Completion Time is reasonable, based on the small potential for challenges to the system during this time and provide the
 
operator time to correct the situation.
The Required Action G.1 is modified by a Note stating that the Required Action does not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with another Required Action. In
 
this event, the Required Action for inoperable PORV (which
 
requires the block valve power to be removed once it is closed) is adequate to address the condition. While it may be desirable to also place the PORV in manual control, this may not be possible for all causes of Condition C entry with PORV inoperable and not capable of being manually cycled (e.g.,
as a result of failed control power fuse(s) or control switch
 
malfunction(s)).
H.1 and H.2 If the Required Actions of Condition G are not met, then the unit must be brought to a MODE in which the LCO does not
 
apply. To achieve this status, the unit must be brought to at (continued)
Pressurizer PORVs B 3.4.11 BASESNorth Anna Units 1 and 2B 3.4.11-7Revision 46 ACTIONS H.1 and H.2 (continued) least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems. In MODE 4, automatic PORV OPERABILITY is required. See LCO 3.4.12.SURVEILLANCE
 
REQUIREMENTS SR  3.4.11.1 SR 3.4.11.1 requires verification that the pressure in the PORV backup nitrogen system is sufficient to provide motive
 
force for the PORVs to cope with a steam generator tube
 
rupture coincident with loss of the containment Instrument
 
Air system. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
SR  3.4.11.2Block valve cycling verifies that the valve(s) can be opened
 
and closed if needed. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.This SR is modified by two Notes. Note 1 modifies this SR by stating that it is not required to be performed with the
 
block valve closed, in accordance with the Required Actions
 
of this LCO. Opening the block valve in this condition
 
increases the risk of an unisolable leak from the RCS since
 
the PORV is already inoperable.
Note 2 modifies this SR to allow entry into and operation in MODE 3 prior to performing the SR. This allows the test to be performed in MODE 3 under operating temperature and pressure conditions, prior to entering MODE 1 or 2.SR  3.4.11.3 SR 3.4.11.3 requires a complete cycle of each PORV.
Operating a PORV through one complete cycle ensures that the
 
PORV can be manually actuated for mitigation of an SGTR. This
 
testing is performed in MODES 3 or 4 to prevent possible RCS pressure transients with the reactor critical.(continued)
Pressurizer PORVs B 3.4.11 BASESNorth Anna Units 1 and 2B 3.4.11-8Revision 46 SURVEILLANCE REQUIREMENTS SR  3.4.11.3 (continued)
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
The Note modifies this SR to allow entry into and operation
 
in MODE 3 prior to performing the SR.
This allows the test to be performed in MODE 3 under operating temperature and pressure conditions, prior to entering MODE 1 or 2.SR  3.4.11.4 Operating the solenoid control valves and check valves on
 
the accumulators ensures the PORV control system actuates
 
properly when called upon. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
REFERENCES1.Regulatory Guide 1.32, February 1977.2.UFSAR, Section 15.4.3.ASME Code for Operation and Maintenance of Nuclear Power Plants.
North Anna Units 1 and 2B 3.4.12-1Revision 20 LTOP System B 3.4.12 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.12Low Temperature Overpressure Protection (LTOP) System BASES BACKGROUND The LTOP System controls RCS pressure at low temperatures so
 
the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the LTOP System
 
design basis pressure and temperature (P/T) limit curve (i.e., 100% of the isothermal P/T limit curve determined to
 
satisfy the requirements of 10 CFR 50, Appendix G, Ref. 1). The reactor vessel is the limiting RCPB component for
 
demonstrating such protection. This specification provides
 
the maximum allowable actuation logic setpoints for the
 
power operated relief valves (PORVs) and LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," provides the maximum
 
RCS pressure for the existing RCS cold leg temperature
 
during cooldown, shutdown, and heatup to meet the
 
Reference 1 requirements during the LTOP MODES.
The reactor vessel material is less tough at low
 
temperatures than at normal operating temperature. As the
 
vessel neutron exposure accumulates, the material toughness
 
decreases and becomes less resistant to pressure stress at
 
low temperatures (Ref.
2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as
 
temperature is increased.
The potential for vessel overpressurization is most acute when the RCS is water solid, occurring only while shutdown; a pressure fluctuation can occur more quickly than an operator
 
can react to relieve the condition. Exceeding the RCS P/T
 
limits by a significant amount could cause brittle cracking
 
of the reactor vessel. LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," requires administrative control
 
of RCS pressure and temperature during heatup and cooldown
 
to prevent exceeding the P/T limits.
This LCO provides RCS overpressure protection by limiting coolant input capability and having adequate pressure relief
 
capacity. Limiting coolant input capability requires all but
 
one low head safety injection (LHSI) pump and one charging
 
pump incapable of injection into the RCS and isolating the
 
accumulators when accumulator pressure is greater than the
 
PORV lift setting. The pressure relief capacity requires
 
either two redundant RCS PORVs or a depressurized RCS and an (continued)
North Anna Units 1 and 2B 3.4.12-2Revision 0 LTOP System B 3.4.12 BASES BACKGROUND (continued)
RCS vent of sufficient size. One RCS PORV or the open RCS
 
vent is the overpressure protection device that acts to
 
terminate an increasing pressure event.
With limited coolant input capability, the ability to
 
provide core coolant addition is restricted. The LCO does
 
not require the makeup control system deactivated or the
 
safety injection (SI) a ctuation circuits blocked. Due to the lower pressures in the LTOP MODES and the expected core decay
 
heat levels, the makeup system can provide adequate flow via
 
the makeup control valve. If conditions require the use of
 
more than one LHSI and charging pump for makeup in the event
 
of loss of inventory, then pumps can be made available
 
through manual actions.
The LTOP System for pressure relief consists of two PORVs
 
with reduced lift settings, or a depressurized RCS and an RCS
 
vent of sufficient size. Two RCS PORVs are required for
 
redundancy. One RCS PORV has adequate relieving capability
 
to keep from overpressurization for the required coolant
 
input capability.
PORV Requirements As designed for the LTOP System, each PORV is signaled to
 
open if the RCS pressure exceeds a limit determined by the
 
LTOP actuation logic. The LTOP actuation logic monitors both RCS temperature and RCS pressure and determines when a
 
condition is not acceptable. The wide range RCS temperature
 
indications are auctioneered to select the lowest
 
temperature signal.
The lowest temperature signal is passed to a comparator
 
circuit which determines the pressure limit for that
 
temperature. The pressure limit is then compared with the
 
indicated RCS pressure from a wide range pressure channel.
 
If the indicated pressure meets or exceeds the calculated
 
value, the PORVs are signaled to open.
The PORV setpoints are staggered so only one valve opens to
 
stop a low temperature overpressure transient. If the
 
opening of the first valve does not prevent a further increase in pressure, a second valve will open at its higher
 
pressure setpoint to stop the transient. Having the
 
setpoints of both valves within the limits in the LCO ensures that the LTOP System design basis P/T limit curve will not be exceeded in any analyzed event.(continued)
LTOP System B 3.4.12 BASESNorth Anna Units 1 and 2B 3.4.12-3Revision 26 BACKGROUND PORV Requirements (continued)
When a PORV is opened in an increasing pressure transient, the release of coolant will cause the pressure increase to
 
slow and reverse. As the PORV releases coolant, the RCS pressure decreases until a reset pressure is reached and the valve is signaled to close. The pressure continues to
 
decrease below the reset pressure as the valve closes.
RCS Vent Requirements Once the RCS is depressurized, a vent exposed to the
 
containment atmosphere will maintain the RCS within the LTOP
 
design basis P/T limit curve in an RCS overpressure transient, if the relieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path
 
must be capable of relieving the flow resulting from the
 
limiting LTOP mass or heat input transient, and maintaining pressure below the LTOP System design basis P/T limit curve.
 
The required vent capacity may be provided by one or more
 
vent paths.
For an RCS vent to meet the flow capacity requirement, it
 
requires either removing a pressurizer safety valve, or
 
blocking open a PORV and opening its block valve, or
 
similarly establishing a vent by opening an RCS vent valve.
The vent path(s) must be above the level of reactor coolant, so as not to drain the RCS when open.
APPLICABLE
 
SAFETY ANALYSES Safety analyses (Ref.
: 3) demonstrate that the reactor vessel is adequately protected against exceeding the LTOP System
 
design basis P/T limit curve (i.e., 100% of the isothermal
 
P/T limit curve determined to satisfy the requirements of
 
10 CFR 50, Appendix G, Ref. 1). In MODES 1, 2, and 3, and in MODE 4 with RCS cold leg temperature exceeding 280&deg;F, the pressurizer safety valves will prevent RCS pressure from
 
exceeding the Reference 1 limits. At 280&deg;F and below, overpressure prevention falls to two OPERABLE RCS PORVs or
 
to a depressurized RCS and a sufficient sized RCS vent. Each of these means has a limited overpressure relief capability.
The RCS cold leg temperature below which LTOP protection
 
must be provided increases as the reactor vessel material
 
toughness decreases due to neutron embrittlement. Each time
 
the P/T curves are revised, the LTOP System must be (continued)
North Anna Units 1 and 2B 3.4.12-4Revision 0 LTOP System B 3.4.12 BASES APPLICABLE
 
SAFETY ANALYSES (continued) re-evaluated to ensure its functional requirements can still be met using the PORV method or the depressurized and vented
 
RCS condition.
The LCO contains the acceptance limits that define the LTOP
 
requirements. Any change to the RCS must be evaluated
 
against the Reference 3 analyses to determine the impact of the change on the LTOP acceptance limits.
Transients that are capable of overpressurizing the RCS are
 
categorized as either mass or heat input transients, examples of which follow:
Mass Input Type Transientsa.Inadvertent safety injection; orb.Charging/letdown flow mismatch.
Heat Input Type Transientsa.Reactor coolant pump (RCP) startup with temperature asymmetry between the RCS and steam generators.
The following are required during the LTOP MODES to ensure
 
that mass and heat input transients do not occur, which
 
either of the LTOP overpressure protection means cannot
 
handle:a.Rendering all but one LHSI pump and one charging pump incapable of injection;b.Deactivating the accumulator discharge isolation valves in their closed positions when accumulator pressure is
 
greater than the PORV lift setting; andc.Disallowing start of an RCP if secondary temperature is more than 50
&deg;F above primary temperature in any one loop.
LCO 3.4.6, "RCS Loops-MODE 4," and LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," provide this protection.
The Reference 3 analyses demonstrate that either one PORV or the depressurized RCS and RCS vent can maintain RCS pressure
 
below limits when only one LHSI pump and one charging pump
 
are actuated. Thus, the LCO allows only one LHSI pump and one charging pump OPERABLE during the LTOP MODES. The (continued)
LTOP System B 3.4.12 BASESNorth Anna Units 1 and 2B 3.4.12-5Revision 20 APPLICABLE SAFETY ANALYSES Heat Input Type Transients (continued)
Reference 3 analyses do not explicitly model actuation of the LHSI pump, since the RCS pressurization resulting from
 
inadvertent safety injection by a single charging pump
 
against a water-solid RCS would not be made more severe by
 
such actuation. Since the LTOP analyses assume that the
 
accumulators do not cause a mass addition transient, when
 
RCS temperature is low, the LCO also requires the
 
accumulators to be isolated when accumulator pressure is
 
greater than the PORV lift setting. The isolated
 
accumulators must have their discharge valves closed and the
 
valve power supply breakers fixed in their open positions.
Fracture mechanics analyses established the temperature of
 
LTOP Applicability at 280
&deg;F.The consequences of a small break loss of coolant accident (LOCA) in LTOP MODE 4 conform to 10 CFR 50.46 (Ref.
4), requirements by having a maximum of one LHSI pump and one
 
charging pump OPERABLE.
PORV Performance The fracture mechanics analyses show that the vessel is
 
protected when the PORVs are set to open at or below the
 
allowable values shown in the LCO. The setpoint allowable
 
values are derived by analyses that model the performance of
 
the LTOP System, assuming the limiting LTOP transient of one
 
charging pump injecting into the RCS. These analyses
 
consider pressure overshoot beyond the PORV opening and
 
closing, resulting from signal processing and valve stroke
 
times. The PORV setpoints at or below the derived value
 
ensure the RCS pressure at the reactor vessel beltline will
 
not exceed the LTOP design P/T limit curve.
The PORV setpoint allowable values are evaluated when the
 
P/T limits are modified. The P/T limits are periodically
 
modified as the reactor vessel material toughness decreases
 
due to neutron embrittlement caused by neutron irradiation.
 
Revised limits are determined using neutron fluence
 
projections and the results of examinations of the reactor
 
vessel material irradiation surveillance specimens. The
 
Bases for LCO 3.4.3 discuss these examinations.
The PORVs are considered active components. Thus, the
 
failure of one PORV is assumed to represent the worst case, single active failure.
North Anna Units 1 and 2B 3.4.12-6Revision 20 LTOP System B 3.4.12 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
RCS Vent Performance With the RCS depressurized, analyses show a vent size of
 
2.07 square inches is c apable of mitigating the allowed LTOP overpressure transient. (A vent size of 2.07 square inches
 
is the equivalent relief capacity of one PORV.) The capacity
 
of a vent this size is greater than the flow of the limiting transient for the LTOP configuration, one LHSI pump and one
 
charging pump OPERABLE, maintaining RCS pressure less than
 
the LTOP design basis P/T limit curve.
The RCS vent size is re-evaluated for compliance each time the P/T limit curves are revised based on the results of the
 
vessel material surveillance.
The RCS vent is passive and is not subject to active failure.
The LTOP System satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO requires that the LTOP System is OPERABLE. The LTOP System is OPERABLE when the minimum coolant input and pressure relief capabilities are OPERABLE. Violation of this
 
LCO could lead to the loss of low temperature overpressure mitigation and violation of the LTOP System design basis P/T limit curve (i.e., 100% of the isothermal P/T limit curve
 
determined to satisfy the requirements of 10 CFR 50, Appendix G, Ref. 1) as a result of an operational transient.
To limit the coolant input capability, the LCO requires a
 
maximum of one LHSI pump and one charging pump capable of
 
injecting into the RCS and all accumulator discharge
 
isolation valves closed with power removed from the
 
isolation valve operator, when accumulator pressure is
 
greater than the PORV lift setting.The LCO is modified by two Notes. Note 1 allows two charging pumps to be made capable of injection for  1 hour during pump swap operations. One hour provides sufficient time to
 
safely complete the actual transfer and to complete the
 
administrative controls and Surveillance requirements
 
associated with the swap. The intent is to minimize the
 
actual time that more than one charging pump is physically
 
capable of injection.(continued)
LTOP System B 3.4.12 BASESNorth Anna Units 1 and 2B 3.4.12-7Revision 20 LCO (continued)
Note 2 states that accumulator isolation is only required when the accumulator pressure is more than the PORV lift
 
setting. This Note permits the accumulator discharge
 
isolation valves to be open if the accumulator cannot
 
challenge the LTOP limits.
The elements of the LCO that provide low temperature
 
overpressure mitigation through pressure relief are:a.Two OPERABLE PORVs; or A PORV is OPERABLE for LTOP when its block valve is open, its lift setpoint is set to the limits provided in the LCO and testing proves its ability to open at this setpoint, and backup nitrogen motive power is available to the
 
PORVs and their control circuits.b.A depressurized RCS and an RCS vent.
An RCS vent is OPERABLE when open with an area of 2.07 square inches.
Each of these methods of overpressure prevention is capable
 
of mitigating the limiting LTOP transient.
APPLICABILITY This LCO is applicable in MODE 4 when any RCS cold leg temperature is  280&deg;F, in MODE 5, and in MODE 6 when the reactor vessel head is on. The pressurizer safety valves
 
provide overpressure protection that meets the Reference 1 P/T limits above 280
&deg;F. When the reactor vessel head is off, overpressurization cannot occur.
LCO 3.4.3 provides the operational P/T limits for all MODES.
LCO 3.4.10, "Pressurizer Safety Valves," requires the OPERABILITY of the pressurizer safety valves that provide
 
overpressure protection during MODES 1, 2, and 3, and MODE 4 above 280&deg;F.
Low temperature overpressure prevention is most critical
 
during shutdown when the RCS is water solid, and a mass or
 
heat input transient can cause a very rapid increase in RCS
 
pressure when little or no time allows operator action to
 
mitigate the event.
North Anna Units 1 and 2B 3.4.12-8Revision 20 LTOP System B 3.4.12 BASES ACTIONS A.1 and B.1 With more than one LHSI pump and one charging pump capable of injecting into the RCS, RCS overpressurization is possible.
To immediately initiate action to restore restricted coolant
 
input capability to the RCS reflects the urgency of removing
 
the RCS from this condition.
C.1, C.2, D.1, and D.2 An unisolated accumulator requires isolation immediately.
 
Power available to an accumulator isolation valve operator must be removed in one hour. These ACTIONS are modified by a
 
Note which states the Condition only applies if the
 
accumulator pressure is more than the PORV lift setting.
If isolation is needed and cannot be accomplished, Required
 
Action D.1 and Required Action D.2 provide two options, either of which must be performed in the next 12 hours. By increasing the RCS temperature to >
280&deg;F, the LCO is no longer Applicable. Depressurizing the accumulators below the
 
PORV lift setting also exits the Condition.
The Completion Times are based on operating experience that
 
these activities can be accomplished in these time periods
 
and on engineering judgement indicating that an event
 
requiring LTOP is not likely in the allowed times.
E.1 In MODE 4 when any RCS cold leg temperature is  280&deg;F, with one RCS PORV inoperable, the RCS PORV must be restored to
 
OPERABLE status within a Completion Time of 7 days. Two PORVs are required to provide low temperature overpressure
 
mitigation while withstanding a single failure of an active
 
component.
The Completion Time considers the facts that only one of the
 
PORVs is required to mitigate an overpressure transient and
 
that the likelihood of an active failure of the remaining
 
valve path during this time period is very low.
LTOP System B 3.4.12 BASESNorth Anna Units 1 and 2B 3.4.12-9Revision 0 ACTIONS (continued)
F.1 The consequences of operational events that will overpressurize the RCS are more severe at lower temperature (Ref. 5). Thus, with one of the two RCS PORVs inoperable in MODE 5 or in MODE 6 with the head on, the Completion Time to restore two valves to OPERABLE status is 24 hours.The Completion Time represents a reasonable time to
 
investigate and repair PORV failures without exposure to a
 
lengthy period with only one OPERABLE RCS PORV to protect
 
against overpressure events.
G.1 The RCS must be depressurized and a vent must be established within 12 hours when:a.Both required RCS PORVs are inoperable; orb.A Required Action and associated Completion Time of Condition A, B, D, E, or F is not met; orc.The LTOP System is inoperable for any reason other than Condition A, B, C, D, E, or F.The vent must be sized  2.07 square inches to ensure that the flow capacity is greater than that required for the worst
 
case mass input transient reasonable during the applicable
 
MODES. This action is needed to protect the RCPB from a low
 
temperature overpressure event and a possible brittle
 
failure of the reactor vessel.The Completion Time considers the time required to place the
 
unit in this Condition and the relatively low probability of
 
an overpressure event during this time period due to
 
increased operator awareness of administrative control
 
requirements.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.12.1, SR 3.4.12.2, and SR 3.4.12.3To minimize the potential for a low temperature overpressure event by limiting the mass input capability, a maximum of one
 
LHSI pump and a maximum of one charging pump are verified (continued)
North Anna Units 1 and 2B 3.4.12-10Revision 46 LTOP System B 3.4.12 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.4.12.1, SR 3.4.12.2, and SR 3.4.12.3 (continued) incapable of injecting into the RCS and the accumulator
 
discharge isolation valves are verified closed with power
 
removed from the isolation valve operator.
SR  3.4.12.3 is modified by a Note stating that the verification is only required when accumulator pressure is
 
greater than the PORV lift setting. With accumulator
 
pressure less than the PORV lift setting, the accumulator
 
cannot challenge the LTOP limits and the isolation valves
 
are allowed to be open.
The LHSI pumps and charging pumps are rendered incapable of
 
injecting into the RCS through removing the power from the
 
pumps by racking the breakers out under administrative control. An alternate method of LTOP control may be employed using at least two independent means to prevent a pump start
 
such that a single failure or single action will not result
 
in an injection into the RCS. This may be accomplished through the pump control switch being placed in pull to lock
 
and at least one valve in the discharge flow path being
 
closed.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.4.12.4 The RCS vent of  2.07 square inches is proven OPERABLE by verifying its open condition either:a.Once every 12 hours for a valve that is not locked.b.The Surveillance Frequency for locked valves is based on operating experience, equipment reliability, and plant
 
risk and is controlled under the Surveillance Frequency
 
Control Program.
The passive vent arrangement must only be open to be
 
OPERABLE. This Surveillance is required to be performed if
 
the vent is being used to satisfy the pressure relief
 
requirements of the LCO 3.4.12b.
LTOP System B 3.4.12 BASESNorth Anna Units 1 and 2B 3.4.12-11Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR 3.4.12.5The PORV block valve must be verified open every 72 hours to provide the flow path for each required PORV to perform its
 
function when actuated. The valve may be remotely verified
 
open in the main control room. In addition, the PORV
 
keyswitch must be verified to be in the proper position to
 
provide the appropriated trip setpoints to the PORV
 
actuation logic. This Surveillance is performed if the PORV
 
is used to satisfy the LCO.
The block valve is a remotely controlled, motor operated
 
valve. The power to the valve operator is not required
 
removed, and the manual operator is not required locked in
 
the inactive position. Thus, the block valve can be closed in
 
the event the PORV develops excessive leakage or does not
 
close (sticks open) after relieving an overpressure
 
situation.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.4.12.6 SR 3.4.12.6 requires verification that the pressure in the PORV backup nitrogen system is sufficient to provide motive
 
force for the PORVs to cope with an overpressure event. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.4.12.7 Performance of a COT is required on each required PORV to
 
verify the PORV is capable of performing its LTOP function
 
and, as necessary, adjust its lift setpoint. A successful
 
test of the required contact(s) of a channel relay may be
 
performed by the verification of the change of state of a
 
single contact of the relay. This clarifies what is an
 
acceptable CHANNEL OPERATIONAL TEST of a relay. This is
 
acceptable because all of the other required contacts of the relay are verified by other Technical specifications and
 
non-Technical Specifications tests at least once per
 
refueling interval with applicable extensions. The COT will
 
verify the setpoint is within the allowed maximum limits in
 
this specification. PORV actuation could depressurize the (continued)
North Anna Units 1 and 2B 3.4.12-12Revision 46 LTOP System B 3.4.12 BASES SURVEILLANCE
 
REQUIREMENTS SR 3.4.12.7 (continued)
RCS and is not required. The Surveillance Frequency is based
 
on operating experience, equipment reliability, and plant
 
risk and is controlled under the Surveillance Frequency
 
Control Program.
A Note has been added indicating that this SR is not required to be performed until 12 hours after entering a condition in which the PORV is required to be OPERABLE. The Note allows
 
entering the LTOP Applicability prior to performing the SR.
 
The 12-hour frequency considers the unlikelihood of a low
 
temperature overpressure event during this time.
S R  3.4.12.8 Performance of a CHANNEL CALIBRATION on each required PORV
 
actuation channel is required to adjust the whole channel so that it responds and the valve opens within the required
 
range and accuracy to known input. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
REFERENCES1.10 CFR 50, Appendix G.2.Generic Letter 88-11.3.UFSAR, Section 5.2.2.2.4.10 CFR 50, Section 50.46.5.Generic Letter 90-06.
North Anna Units 1 and 2B 3.4.13-1Revision 0 RCS Operational LEAKAGE B 3.4.13 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.13RCS Operational LEAKAGE BASES BACKGROUND Components that contain or transport the coolant to or from
 
the reactor core make up the RCS. Component joints are made
 
by welding, bolting, rolling, or pressure loading, and
 
valves isolate connecting systems from the RCS.
During plant life, the joint and valve interfaces can
 
produce varying amounts of reactor coolant LEAKAGE, through
 
either normal operational wear or mechanical deterioration.
 
The purpose of the RCS Operational LEAKAGE LCO is to limit
 
system operation in the presence of LEAKAGE from these
 
sources to amounts that do not compromise safety. This LCO
 
specifies the types and amounts of LEAKAGE.
General Design Criteria 3 (Ref. 1), requires means for detecting and, to the extent practical, identifying the
 
source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.
The safety significance of RCS LEAKAGE varies widely
 
depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the
 
containment area is necessary. Quickly separating the
 
identified LEAKAGE from the unidentified LEAKAGE is
 
necessary to provide quantitative information to the
 
operators, allowing them to take corrective action should a
 
leak occur that is detrimental to the safety of the facility
 
and the public.
A limited amount of leakage inside containment is expected
 
from auxiliary systems that cannot be made 100% leaktight.
 
Leakage from these systems should be detected, located, and
 
isolated from the containment atmosphere, if possible, to
 
not interfere with RCS leakage detection.
This LCO deals with protection of the reactor coolant
 
pressure boundary (RCPB) from degradation and the core from
 
inadequate cooling, in addition to preventing the accident
 
analyses radiation release assumptions from being exceeded.
 
The consequences of violating this LCO include the
 
possibility of a loss of coolant accident (LOCA).
North Anna Units 1 and 2B 3.4.13-2Revision 28 RCS Operational LEAKAGE B 3.4.13 BASES APPLICABLE
 
SAFETY ANALYSESExcept for primary to second ary LEAKAGE, the safety analyses do not address operational LEAKAGE. However, other
 
operational LEAKAGE is related to the safety analyses for
 
LOCA; the amount of leakage can affect the probability of
 
such an event. The safety analysis for an event resulting in
 
steam discharge to the atmosphere assumes that primary to
 
secondary LEAKAGE from all steam generators (SGs) is one
 
gallon per minute or increases to one gallon per minute as a
 
result of accident induced conditions. The LCO requirement
 
to limit primary to secondary LEAKAGE through any one SG to
 
less than or equal to 150 gallons per day is significantly less than the conditions assumed in the safety analysis.Primary to secondary LEAKAGE is a factor in the dose releases outside containment resulting from a main steam line break (MSLB) accident. Other accidents or transients involve
 
secondary steam release to the atmosphere, such as a steam
 
generator tube rupture (SGTR). The leakage contaminates the
 
secondary fluid.
The UFSAR (Ref.
: 3) analysis for SGTR assumes the contaminated secondary fluid is released via power operated
 
relief valves or safety valves. The source term in the
 
primary system coolant is transported to the affected (ruptured) steam generator by the break flow. The affected
 
steam generator discharges steam to the environment for
 
30 minutes until the generator is manually isolated. The 1 gpm primary to secondary LEAKAGE transports the source term to the unaffected steam generators. Releases continue
 
through the unaffected steam generators until the Residual
 
Heat Removal System is placed in service.
The MSLB is less limiting for site radiation releases than
 
the SGTR. The safety analysis for the MSLB accident assumes
 
1 gpm primary to secondary LEAKAGE as an initial condition.
The dose consequences resulting from the MSLB and SGTR
 
accidents are within the limits defined in the staff
 
approved licensing basis.
The RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
RCS Operational LEAKAGE B 3.4.13 BASESNorth Anna Units 1 and 2B 3.4.13-3Revision 28 LCO RCS operational LEAKAGE shall be limited to:
a.Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is
 
unacceptable as the leak itself could cause further
 
deterioration, resulting in higher LEAKAGE. Violation of
 
this LCO could result in continued degradation of the
 
RCPB. LEAKAGE past seals and gaskets is not pressure
 
boundary LEAKAGE.
b.Unidentified LEAKAGE One gallon per minute (gpm) of unidentified LEAKAGE is
 
allowed as a reasonable minimum detectable amount that
 
the containment air monitoring and containment sump level
 
monitoring equipment can detect within a reasonable time
 
period. Violation of this LCO could result in continued
 
degradation of the RCPB, if the LEAKAGE is from the
 
pressure boundary.
c.Identified LEAKAGE Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do
 
not interfere with detection of unidentified LEAKAGE and
 
is well within the capability of the RCS Makeup System.
 
Identified LEAKAGE includes LEAKAGE to the containment
 
from specifically known and located sources, but does not
 
include pressure boundary LEAKAGE or controlled reactor
 
coolant pump (RCP) seal leakoff (a normal function not
 
considered LEAKAGE). Violation of this LCO could result
 
in continued degradation of a component or system.
d.Primary to Secondary LEAKAGE through Any One SG The limit of 150 gallons per day per SG is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Ref.
4). The Steam Generator Program operational LEAKAGE performance
 
criterion in NEI 97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be
 
limited to 150 gallons per day." The limit is based on operating experience with SG tube degradation mechanisms
 
that result in tube leakage. The operational leakage (continued)
North Anna Units 1 and 2B 3.4.13-4Revision 28 RCS Operational LEAKAGE B 3.4.13 BASES LCO d.Primary to Secondary LEAKAGE through Any One SG (continued) rate criterion in conjunction with the implementation of
 
the Steam Generator Program is an effective measure for
 
minimizing the frequency of steam generator tube
 
ruptures.APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.
In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in
 
lower stresses and reduced potentials for LEAKAGE.
LCO 3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS
 
LEAKAGE when the other is leak tight. If both valves leak and result in a loss of mass from the RCS, the loss must be
 
included in the allowable identified LEAKAGE.
ACTIONS A.1 Unidentified LEAKAGE or identified LEAKAGE in excess of the
 
LCO limits must be reduced to within limits within 4 hours. This Completion Time allows time to verify leakage rates and
 
either identify unidentified LEAKAGE or reduce LEAKAGE to
 
within limits before the reactor must be shut down. This
 
action is necessary to prevent further deterioration of the
 
RCPB.B.1 and B.2 If any pressure boundary LEAKAGE exists, or primary to
 
secondary LEAKAGE is not within limit, or if unidentified
 
LEAKAGE, or identified LEAKAGE, cannot be reduced to within
 
limits within 4 hours, the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE
 
and its potential consequences. It should be noted that
 
LEAKAGE past seals and gaskets is not pressure boundary
 
LEAKAGE. The reactor must be brought to MODE 3 within (continued)
RCS Operational LEAKAGE B 3.4.13 BASESNorth Anna Units 1 and 2B 3.4.13-5Revision 28 ACTIONS B.1 and B.2 (continued) 6 hours and MODE 5 within 36 hours. This action reduces the LEAKAGE and also reduces the factors that tend to degrade the
 
pressure boundary.
The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems. In MODE 5, the pressure stresses acting on the RCPB are much lower, and further deterioration
 
is much less likely.
SURVEILLANCE
 
REQUIREMENTS SR 3.4.13.1 Verifying RCS LEAKAGE to be within the LCO limits ensures the
 
integrity of the RCPB is maintained. Pressure boundary
 
LEAKAGE would at first appear as unidentified LEAKAGE and
 
can only be positively identified by inspection. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. Unidentified LEAKAGE and identified
 
LEAKAGE are determined by performance of an RCS water
 
inventory balance.
The RCS water inventory balance must be met with the reactor
 
at steady state operating conditions (stable temperature, power level, pressurizer and makeup tank levels, makeup and
 
letdown, and RCP seal injection and return flows). The
 
surveillance is modified by two Notes. Note 1 states that this SR is not required to be performed until 12 hours after establishing steady state operation. The 12 hour allowance provides sufficient time to collect and process all
 
necessary data after stable plant conditions are
 
established.
Steady state operation is required to perform a proper
 
inventory balance since calculations during maneuvering are
 
not useful. For RCS operational LEAKAGE determination by
 
water inventory balance, steady state is defined as stable
 
RCS pressure, temperature, power level, pressurizer and
 
makeup tank levels, makeup and letdown, and RCP seal
 
injection and return flows.
An early warning of pressure boundary LEAKAGE or
 
unidentified LEAKAGE is provided by the automatic systems
 
that monitor the containment atmosphere radioactivity and (continued)
North Anna Units 1 and 2B 3.4.13-6Revision 46 RCS Operational LEAKAGE B 3.4.13 BASES SURVEILLANCE
 
REQUIREMENTS SR 3.4.13.1 (continued) the containment sump level. It should be noted that LEAKAGE
 
past seals and gaskets is not pressure boundary LEAKAGE.
 
These leakage detection systems are specified in LCO 3.4.15, "RCS Leakage Detection Instrumentation." Note 2 states that this SR is not applicable to primary to secondary LEAKAGE because LEAKAGE of 150 gallons per day cannot be measured accurately by an RCS water inventory
 
balance.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.4.13.2 This SR verifies that primary to secondary LEAKAGE is less
 
than or equal to 150 gallons per day through any one SG.
Satisfying the primary to secondary LEAKAGE limit ensures
 
that the operational LEAKAGE performance criterion in the
 
Steam Generator Program is met. If this SR is not met, compliance with LCO 3.4.20, "Steam Generator Tube Integrity," should be evaluated. The 150 gallons per day limit is measured at room temperature as described in
 
Reference 5. The operational LEAKAGE rate limit applies to LEAKAGE through any one SG. If it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary
 
LEAKAGE should be conservatively assumed to be from one SG.The Surveillance is modified by a Note, which states that the
 
Surveillance is not required to be performed until 12 hours after establishment of steady state operation. For RCS
 
primary to secondary LEAKAGE determination, steady state is
 
defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and
 
RCP seal injection and return flows.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program. The
 
primary to secondary LEAKAGE is determined using continuous process radiation monitors or radiochemical grab sampling in
 
accordance with the EPRI guidelines (Ref.
5).
RCS Operational LEAKAGE B 3.4.13 BASESNorth Anna Units 1 and 2B 3.4.13-7Revision 28 REFERENCES1.UFSAR, Section 3.1.26.2.Regulatory Guide 1.45, May 1973.3.UFSAR, Chapter 15.4.NEI 97-06, "Steam Generator Program Guidelines."5.EPRI, "Pressurized Water Reactor Primary-to-Secondary Leak Guidelines."
Intentionally Blank North Anna Units 1 and 2B 3.4.14-1Revision 0 RCS PIV Leakage B 3.4.14 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.14RCS Pressure Isolation Valve (PIV) Leakage BASES BACKGROUND 10 CFR 50.2, 10 CFR 50.55a(c), and General Design Criteria 55 (Refs. 1, 2, and 3), define RCS PIVs as any two normally closed valves in series within the reactor coolant
 
pressure boundary (RCPB), which separate the high pressure
 
RCS from an attached low pressure system. The 1975 Reactor
 
Safety Study, WASH-1400, (Ref. 4) identified intersystem
 
LOCAs as a significant contributor to the risk of core melt.
 
The study considered designs containing two in-series check
 
valves and two check valves in series with an MOV which
 
isolate the high pressure RCS from the low pressure safety
 
injection system. The scenario considered is a failure of
 
the two check valves leading to overpressurization and
 
rupture of the low pressure injection piping which results
 
in a LOCA that bypasses containment. A letter was issued (Ref. 5) by the NRC requiring plants to describe the PIV
 
configuration of the plant. On April 20, 1981, the NRC issued
 
an Order modifying the North Anna Unit 1 Technical
 
Specifications to include testing requirements on PIVs and
 
to specify the PIVs to be tested. The original North Anna 2
 
Technical Specifications, dated August 21, 1980, included a
 
list of PIVs required to be tested and described the required
 
testing. The valves required to be leak tested by this
 
Specification are listed in Tables B 3.4.14-1 (Unit
: 1) and B 3.4.14-2 (Unit 2).
During their lives, these val ves can produce varying amounts of reactor coolant leakage through either normal operational
 
wear or mechanical deterioration. The RCS PIV Leakage LCO
 
allows RCS high pressure operation when leakage through
 
these valves exists in amounts that do not compromise
 
safety.The PIV leakage limit applies to each individual valve to
 
which the LCO applies. Leakage through both series PIVs in a
 
line must be included as part of the identified LEAKAGE, governed by LCO 3.4.13, "RCS Operational LEAKAGE." This is true during operation only when the loss of RCS mass through
 
two series valves is determined by a water inventory balance (SR 3.4.13.1). A known component of the identified LEAKAGE before operation begins is the least of the two individual
 
leak rates determined for leaking series PIVs during the (continued)
North Anna Units 1 and 2B 3.4.14-2Revision 0 RCS PIV Leakage B 3.4.14 BASES BACKGROUND (continued) required surveillance testing; leakage measured through one
 
PIV in a line is not RCS operational LEAKAGE if the other is
 
leaktight.
Although this specification provides a limit on allowable
 
PIV leakage rate, its main purpose is to prevent
 
overpressure failure of the low pressure portions of
 
connecting systems. The leakage limit is an indication that
 
the PIVs between the RCS and the connecting systems are
 
degraded or degrading. PIV leakage could lead to
 
overpressure of the low pressure piping or components.
 
Failure consequences could be a loss of coolant accident (LOCA) outside of containment, an unanalyzed accident, that
 
could degrade the ability for low pressure injection.
Violation of this LCO could result in continued degradation
 
of a PIV, which could lead to overpressurization of a low
 
pressure system and the loss of the integrity of a fission
 
product barrier.
APPLICABLE
 
SAFETY ANALYSES Reference 4 identified potential intersystem LOCAs as a significant contributor to the risk of core melt. The
 
dominant accident sequence in the intersystem LOCA category
 
is the failure of the low pressure portion of the ECCS low
 
pressure injection system outside of containment. The
 
accident is the result of a postulated failure of the PIVs, which are part of the RCPB, and the subsequent
 
pressurization of the ECCS low pressure injection system
 
downstream of the PIVs from the RCS. Because the low pressure
 
portion of the system is not designed for RCS pressure, overpressurization failure of the low pressure line would
 
result in a LOCA outside containment and subsequent risk of
 
core melt.
RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The RCS PIVs required to be leak tested are listed in
 
Tables B 3.4.14-1 (Unit 1) and B 3.4.14-2 (Unit 2).
RCS PIV leakage is identified LEAKAGE into closed systems
 
connected to the RCS. Isolation valve leakage is usually on
 
the order of drops per minute. Leakage that increases
 
significantly suggests that something is operationally wrong and corrective action must be taken.(continued)
RCS PIV Leakage B 3.4.14 BASESNorth Anna Units 1 and 2B 3.4.14-3Revision 0 LCO (continued)
The LCO PIV leakage limit is 0.5 gpm per nominal inch of valve size with a maximum limit of 5 gpm. The previous criterion of 1 gpm for all valve sizes imposed an unjustified penalty on the larger valves without providing
 
information on potential valve degradation and resulted in
 
higher personnel radiation exposures. A study concluded a
 
leakage rate limit based on valve size was superior to a
 
single allowable value.
Reference 6 permits leakage testing at a lower pressure differential than between the specified maximum RCS pressure
 
and the normal pressure of the connected system during RCS
 
operation (the maximum pressure differential) in those types
 
of valves in which the higher service pressure will tend to diminish the overall le akage channel opening. In such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to
 
the pressure differential to the one half power.
APPLICABILITY In MODES 1, 2, 3, and 4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized.
 
In MODE 4, any valves in the RHR flow path that are required to be tested are not required to meet the requirements of
 
this LCO when in, or during the transition to or from, the
 
RHR mode of operation.
In MODES 5 and 6, leakage limits are not provided because the lower reactor coolant pressure results in a reduced
 
potential for leakage and for a LOCA outside the
 
containment.
ACTIONS The Actions are modified by two Notes. Note 1 provides clarification that each flow path allows separate entry into
 
a Condition. This is allowed based upon the functional
 
independence of the flo w path. Note 2 requires an evaluation of affected systems if a PIV is inoperable. The leakage may
 
have affected system operability, or isolation of a leaking
 
flow path with an alternate valve may have degraded the
 
ability of the interconnected system to perform its safety
 
function.
North Anna Units 1 and 2B 3.4.14-4Revision 46 RCS PIV Leakage B 3.4.14 BASES ACTIONS (continued)
A.1 Required Action A.1 requires that RCS PIV leakage be restored to within limit within 4 hours. Four hours provides time to reduce leakage in ex cess of the allowable limit. The 4 hour Completion Time allows the actions and restricts the operation with leaking isolation valves.
B.1 and B.2 If leakage cannot be reduced the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. This Action may reduce the leakage and also reduces the potential for a LOCA outside the
 
containment. The allowed Completion Times are reasonable
 
based on operating experience, to reach the required unit
 
conditions from full power conditions in an orderly manner
 
and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.14.1 Performance of leakage testing on the affected RCS PIV or
 
isolation valve used to satisfy Required Action A.1 is required to verify that leakage is below the specified limit
 
and to identify each leaking valve. The leakage limit of
 
0.5 gpm per inch of nominal valve diameter up to 5 gpm maximum applies to each valve. Leakage testing requires a
 
stable pressure condition. Leakage may be measured
 
indirectly (as from the performance of pressure indicators)
 
to satisfy ALARA requirements if supported by calculations
 
verifying that the method is capable of demonstrating valve
 
compliance with the leakage criteria.
For the two PIVs in series, the leakage requirement applies
 
to each valve individually and not to the combined leakage
 
across both valves. If the PIVs are not individually leakage
 
tested, one valve may have failed completely and not be
 
detected if the other valve in series meets the leakage
 
requirement. In this situation, the protection provided by
 
redundant valves would be lost.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.(continued)
RCS PIV Leakage B 3.4.14 BASESNorth Anna Units 1 and 2B 3.4.14-5Revision 46 SURVEILLANCE REQUIREMENTS SR  3.4.14.1 (continued)
The Frequency is within frequency allowed by the American
 
Society of Mechanical Engineers (ASME) Code (Ref.
6).In addition, testing must be performed once after the valve
 
has been opened by flow or exercised to ensure tight
 
reseating. PIVs disturbed in the performance of this
 
Surveillance should also be tested unless documentation
 
shows that an infinite testing loop cannot practically be avoided. Testing must be performed within 24 hours after the valve has been reseated. Within 24 hours is a reasonable and practical time limit for performing this test after opening
 
or reseating a valve.
The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2. This permits leakage testing at high differential pressures with stable conditions not possible
 
in the MODES with lower pressures. If testing cannot be
 
performed at these pressures, testing can be performed at
 
lower pressures and scaled to operating pressure.
Entry into MODES 3 and 4 is allowed if needed to establish the necessary differential pressures and stable conditions
 
to allow for performance of this Surveillance. The Note that
 
allows this provision is complementary to the Frequency of
 
prior to entry into MODE 2 whenever the unit has been in MODE 5 for 7 days or more, if leakage testing has not been performed in the previous 9 months. In addition, this Surveillance is not required to be performed on any RCS PIVs in the RHR System flow path when the RHR System is aligned to the RCS in the shutdown cooling mode of operation. PIVs
 
contained in the RHR shutdown cooling flow path that are
 
required to be tested must be leakage rate tested after RHR
 
is secured and stable unit conditions and the necessary
 
differential pressures are established.
REFERENCES1.10 CFR 50.2.2.10 CFR 50.55a(c).3.UFSAR, Section 3.1.48.1.
North Anna Units 1 and 2B 3.4.14-6Revision 0 RCS PIV Leakage B 3.4.14 BASES REFERENCES (continued)4.WASH-1400 (NUREG-75/014), Appendix V, October 1975.5.Letter from D. G. Eisenhut, NRC, to all LWR licensees, LWR Primary Coolant System Pressure Isolation Valves, February 23, 1980.6.ASME Code for Operation and Maintenance of Nuclear Power Plants.7.10 CFR 50.55a(g).
North Anna Units 1 and 2B 3.4.14-7Revision 0 RCS PIV Leakage B 3.4.14 Table B 3.4.14-1 (page 1 of 1)Unit 1 RCS PIVS Required To Be Tested VALVE FUNCTION 1-SI-83 Low Head Safety Injection to Cold Legs-Loop 1 1-SI-195 Low Head Safety Injection to Cold Legs-Loop 1 1-SI-86 Low Head Safety Injection to Cold Legs-Loop 2 1-SI-197 Low Head Safety Injection to Cold Legs-Loop 2 1-SI-89 Low Head Safety Injection to Cold Legs-Loop 3 1-SI-199 Low Head Safety Injection to Cold Legs-Loop 3 North Anna Units 1 and 2B 3.4.14-8Revision 0 RCS PIV Leakage B 3.4.14 Table B 3.4.14-2 (page 1 of 1)
Unit 2 RCS PIVS Required To Be Tested Valve Function 2-SI-85 High head safety injection to cold legs and hot legs 2-SI-93 High head safety injection to cold legs and hot legs 2-SI-107 High head safety injection to cold legs and hot legs 2-SI-119 High head safety injection to cold legs and hot legs MOV-2836 High head safety injection off charging header MOV-2869A, B High head safety injection off charging header MOV-2867C, D Boron injection tank outlet valves 2-SI-91 Low head safety injection to cold legs 2-SI-99 Low head safety injection to cold legs 2-SI-105 Low head safety injection to cold legs 2-SI-126 Low head safety injection to hot legs 2-SI-128 Low head safety injection to hot legs 2-SI-151 Accumulator discharge check valves 2-SI-153 Accumulator discharge check valves 2-SI-168 Accumulator discharge check valves 2-SI-170 Accumulator discharge check valves 2-SI-185 Accumulator discharge check valves 2-SI-187 Accumulator discharge check valves MOV-2700 RHR system isolation valves MOV-2701 RHR system isolation valves MOV-2720A, B RHR system isolation valves MOV-2890A, B, C, & D Low head safety injection to cold legs and hot legs North Anna Units 1 and 2B 3.4.15-1Revision 5 RCS Leakage Detection Instrumentation B 3.4.15 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.15RCS Leakage Detection Instrumentation BASES BACKGROUND UFSAR, Chapter 3 (Ref. 1) requires compliance with Regulatory Guide 1.45. Regulatory Guide 1.45 (Ref.
: 2) describes acceptable methods for selecting RCS leakage
 
detection systems.
Leakage detection systems must have the capability to detect
 
significant reactor coolant pressure boundary (RCPB)
 
degradation as soon after occurrence as practical to
 
minimize the potential for propagation to a gross failure.
 
Thus, an early indication or warning signal in the control
 
room is necessary to permit proper evaluation of all
 
unidentified LEAKAGE.Industry practice has shown that water flow changes of 0.5 to 1.0 gpm can be readily detected in contained volumes by monitoring changes in water level, in flow rate, or in the
 
operating frequency of a pump. The containment sump used to
 
collect unidentified LEAKAGE includes two sump level
 
monitors that provide level indication. The "A" train level indicator provides input to a calculated discharge flow rate determined by the plant computer. Either level indication or the calculated containment sump discharge flow rate is
 
acceptable for detecting increases in unidentified LEAKAGE.
The reactor coolant contains radioactivity that, when
 
released to the containment, can be detected by radiation
 
monitoring instrumentation. Reactor coolant radioactivity
 
levels will be low during initial reactor startup and for a
 
few weeks thereafter, until activated corrosion products
 
have been formed and fission products appear from fuel
 
element cladding contamination or cladding defects.
 
Instrument sensitivities in accordance with Regulatory
 
Guide 1.45 (Ref.
: 2) particulate and for gaseous monitoring are practical for these leakage detection systems.
 
Radioactivity detection systems are included for monitoring
 
both particulate and gaseous activities because of their
 
sensitivities and rapid responses to RCS LEAKAGE. One
 
Containment Air Recirculation Fan (CARF) provides enough air
 
flow for the operation of the radiation detectors.(continued)
North Anna Units 1 and 2B 3.4.15-2Revision 5 RCS Leakage Detection Instrumentation B 3.4.15 BASES BACKGROUND (continued)
Air temperature and pressure monitoring methods may also be
 
used to infer unidentified LEAKAGE to the containment.
 
Containment temperature and pressure fluctuate slightly
 
during unit operation, but a rise above the normally
 
indicated range of values may indicate RCS leakage into the
 
containment. The relevance of temperature and pressure
 
measurements are affected by containment free volume and, for temperature, detector location. Alarm signals from these instruments can be valu able in recognizing rapid and sizable leakage to the containment. Temperature and pressure
 
monitors are not required by this LCO.
APPLICABLE
 
SAFETY ANALYSES The need to evaluate the severity of an alarm or an
 
indication is important to the operators, and the ability to compare and verify with indications from other systems is
 
necessary. Multiple instrument locations are utilized, if
 
needed, to ensure that the transport delay time of the
 
leakage from its source to an instrument location yields an
 
acceptable overall response time.
The safety significance of RCS LEAKAGE varies widely
 
depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE
 
from the unidentified LEAKAGE provides quantitative
 
information to the operators, allowing them to take
 
corrective action should a leakage occur detrimental to the
 
safety of the unit and the public.
RCS leakage detection instrumentation satisfies Criterion 1 of 10 CFR 50.36(c)(2)(ii).
LCO One method of protecting against large RCS leakage derives
 
from the ability of instruments to rapidly detect extremely
 
small leaks. This LCO requires instruments of diverse
 
monitoring principles to be OPERABLE to provide a high
 
degree of confidence that extremely small leaks are detected in time to allow actions to place the unit in a safe
 
condition, when RCS LEAKAGE indicates possible RCPB
 
degradation.
The LCO is satisfied when monitors of diverse measurement
 
means are available. Thus, the containment sump monitor, in
 
combination with a gaseous or particulate radioactivity monitor, provides an acceptable minimum.
RCS Leakage Detection Instrumentation B 3.4.15 BASESNorth Anna Units 1 and 2B 3.4.15-3Revision 0 APPLICABILITYBecause of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be OPERABLE.
In MODE 5 or 6, the temperature is to be  200&deg;F and pressure is maintained low or at atmospheric pressure. Since the
 
temperatures and pressures are far lower than those for
 
MODES 1, 2, 3, and 4, the likelihood of leakage and crack propagation are much smaller. Therefore, the requirements of
 
this LCO are not applicable in MODES 5 and 6.ACTIONS A.1 and A.2 With the required containment sump monitor inoperable, no
 
other form of sampling can provide the equivalent
 
information; however, the containment atmosphere radioactivity monitor will provide indications of changes in
 
leakage. Together with the atmosphere monitor, the periodic
 
surveillance for RCS water inventory balance, SR 3.4.13.1, must be performed at an increased frequency of 24 hours to provide information that is adequate to detect leakage. A Note is added allowing that SR 3.4.13.1 is not required to be performed until 12 hours after establishing steady state operation (stable temperature, power level, pressurizer and
 
makeup tank levels, makeup and letdown, and RCP seal
 
injection and return flow). The 12 hour allowance provides sufficient time to collect and process all necessary data
 
after stable unit conditions are established.
Restoration of the required sump monitor to OPERABLE status
 
within a Completion Time of 30 days is required to regain the function after the monitor's failure. This time is
 
acceptable, considering the Frequency and adequacy of the
 
RCS water inventory balance required by Required Action A.1.B.1.1, B.1.2, and B.2 With both gaseous and particulate containment atmosphere
 
radioactivity monitoring instrumentation channels
 
inoperable, alternative action is required. Either grab
 
samples of the containment atmosphere must be taken and
 
analyzed or water inventory balances, in accordance with
 
SR 3.4.13.1, must be performed to provide alternate periodic information.(continued)
North Anna Units 1 and 2B 3.4.15-4Revision 46 RCS Leakage Detection Instrumentation B 3.4.15 BASES ACTIONS B.1.1, B.1.2, and B.2 (continued)
With a sample obtained and analyzed or water inventory
 
balance performed every 24 hours, the reactor may be operated for up to 30 days to allow restoration of the required containment atmosphere radioactivity monitors.
The 24 hour interval provides periodic information that is adequate to detect leakage. A Note is added allowing that
 
SR 3.4.13.1 is not required to be performed until 12 hours after establishing steady state operation (stable
 
temperature, power level, pressurizer and makeup tank
 
levels, makeup and letdown, and RCP seal injection and
 
return flow). The 12 hour allowance provides sufficient time to collect and process all necessary data after stable unit
 
conditions are established. The 30 day Completion Time recognizes at least one other form of leakage detection is
 
available.
C.1 and C.2 If a Required Action of Condition A or B cannot be met, the unit must be brought to a MODE in which the requirement does
 
not apply. To achieve this status, the unit must be brought
 
to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
 
conditions from full power conditions in an orderly manner
 
and without challenging unit systems.
D.1 With all required monitors inoperable, no required automatic
 
means of monitoring leakage are available, and immediate
 
unit shutdown in accordance with LCO 3.0.3 is required.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.15.1 SR 3.4.15.1 requires the performance of a CHANNEL CHECK of the required containment atmosphere radioactivity monitor.
 
The check gives reasonable confidence that the channel is
 
operating properly. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.
RCS Leakage Detection Instrumentation B 3.4.15 BASESNorth Anna Units 1 and 2B 3.4.15-5Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.4.15.2 SR 3.4.15.2 requires the performance of a COT on the required containment atmosphere radioactivity monitor. The test ensures that the monitor can perform its function in the
 
desired manner. The test verifies the alarm setpoint and relative accuracy of the instrument string. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
SR  3.4.15.3 and SR 3.4.15.4 These SRs require the performance of a CHANNEL CALIBRATION
 
for each of the RCS leakage detection instrumentation
 
channels. The calibration verifies the accuracy of the
 
instrument string, including the instruments located inside
 
containment. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.REFERENCES1.UFSAR, Chapter 3.2.Regulatory Guide 1.45, dated May, 1973.3.NUREG-1366, dated December, 1992.
Intentionally Blank North Anna Units 1 and 2B 3.4.16-1Revision 42 RCS Specific Activity B 3.4.16 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.16RCS Specific Activity BASES BACKGROUND The maximum dose that an individual at the exclusion area
 
boundary can receive for 2 hours following an accident, or at the low population zone outer boundary for the
 
radiological release duration, is specified in 10 CFR 50.67 (Ref. 1). Doses to control room operators must be limited per GDC 19. The limits on specific activity ensure that the offsite and control room doses are appropriately limited
 
during analyzed transients and accidents.
The RCS specific activity LCO limits the allowable
 
concentration level of radionuclides in the reactor coolant.
 
The LCO limits are established to minimize the dose
 
consequences in the event of a steam line break (SLB) or
 
steam generator tube rupture (SGTR) accident.
The LCO contains specific activity limits for both DOSE
 
EQUIVALENT I-131 and DOSE EQUIVALENT XE-133. The allowable levels are intended to ensure that offsite and control room
 
doses meet the appropriate acceptance criteria in the
 
Standard Review Plan (Ref. 2).
APPLICABLE
 
SAFETY ANALYSES The LCO limits on the specific activity of the reactor
 
coolant ensure that the resulting offsite and control room
 
doses meet the appropriate SRP acceptance criteria following
 
a SLB or SGTR accident. The safety analyses (Refs. 3 and 4) assume the specific activity of the reactor coolant is at the
 
LCO limits, and an existing reactor coolant steam generator (SG) tube leakage rate of 1 gpm exists. The safety analyses assume the specific activity of the secondary coolant is at
 
its limit of 0.1
&#xb5;Ci/gm DOSE EQUIVALENT I-131 from LCO 3.7.18, "Secondary Specific Activity."
The analyses for the SLB and SGTR accidents establish the
 
acceptance limits for RCS specific activity. Reference to
 
these analyses is used to assess changes to the unit that
 
could affect RCS specific activity, as they related to the
 
acceptance limits.(continued)
North Anna Units 1 and 2B 3.4.16-2Revision 42 RCS Specific Activity B 3.4.16 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The safety analyses consider two cases of reactor coolant
 
iodine specific activity. One cases assumes specific
 
activity at 1.0
&#xb5;Ci/gm DOSE EQUIVALENT I-131 with a concurrent large iodine spike that increases the rate of
 
release of iodine from the fuel rods containing cladding
 
defects to the primary coolant immediately after a SLB (by a
 
factor of 500), or SGTR (by a factor of 335), respectively.
 
The second case assumes the initial reactor coolant iodine
 
activity at 60.0
&#xb5;Ci/gm DOSE EQUIVALENT I-131 due to an iodine spike cause by a reactor or an RCS transient prior to
 
the accident. In both cases, the noble gas specific activity
 
is assumed to be 197
&#xb5;Ci/gm DOSE EQUIVALENT XE-133 The SGTR analysis also assumes a loss of offsite power at the same time as the reactor trip. The SGTR cause a reduction in reactor coolant inventory. The reduction initiates a reactor
 
trip from a low pressurizer pressure signal or an RCS
 
overtemperature T signal.The loss of offsite power causes the steam dump valves to close to protect the condenser. The rise in pressure in the
 
ruptured SG discharges radioactively contaminated steam to
 
the atmosphere through the SG power operated relief valves
 
and the main steam safety valves. The unaffected SGs remove
 
core decay heat by venting steam to the atmosphere until the cooldown ends and the Residual Heat Removal (RHR) system is
 
placed in service.
The SLB radiological analysis assumes that offsite power is lost at the same time as the pipe break occurs outside
 
containment. Reactor trip occurs after the generation of an
 
SI signal on low steam line pressure. The affected SG blows
 
downs completely and steam is vented directly to the
 
atmosphere. The unaffected SGs remove core decay heat by
 
venting steam to the atmosphere until the cooldown ends and
 
the RHR system is placed in service.
Operation with iodine specific activity levels greater than the LCO limit is permissible, if the activity levels do not
 
exceed 60.0
&#xb5;Ci/gm for more than 48 hours.
The limits on RCS specific activity are also used for establishing standardization in radiation shielding and
 
plant personnel radiation protection practices.
RCS specific activity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The iodine specific activity in the reactor coolant is
 
limited to [1.0]
&#xb5;Ci/gm DOSE EQUIVALENT I-131, and the noble RCS Specific Activity B 3.4.16 BASESNorth Anna Units 1 and 2B 3.4.16-3Revision 42 gas specific activity in the reactor coolant is limited to 197 &#xb5;Ci/gm DOSE EQUIVALENT XE-133. The limits on specific activity ensure that offsite and control room doses will
 
meet the appropriate SRP acceptance criteria (Ref.
2).The SLB and SGTR accident analyses (Refs.
3 and 4) show that the calculated doses are within acceptable limits. Violation
 
of the LCO may result in reactor coolant radioactivity
 
levels that could, in the event of a SLB or SGTR, lead to
 
doses that exceed the SRP acceptance criteria (Ref.
2).APPLICABILITY In MODES 1, 2, 3, and 4, operation within the LCO limits for DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133 is necessary to limit the potential consequences of a SLB or
 
SGTR to within the SRP acceptance criteria (Ref.
2).In MODES 5 and 6, the steam generators are not being used for decay heat removal, the RCS and steam generators are
 
depressurized, and primary to secondary leakage is minimal.
 
Therefore, the monitoring of RCS specific activity is not
 
required.ACTIONS A.1 and A.2 With the DOSE EQUIVALENT I-131 greater than the LCO limit, samples at intervals of 4 hours must be taken to demonstrate
 
that the specific activity is <
60.0 &#xb5;Ci/gm. The Completion Time of 4 hours is required to obtain and analyze a sample.
 
Sampling is continued every 4 hours to provide a trend.
The DOSE EQUIVALENT I-131 must be restored to within limit within 48 hours. The Completion Time of 48 hours is
 
acceptable since it is expected that, if there were an iodine
 
spike, the normal coolant iodine concentration would be
 
restored within this time period. Also, there is a low
 
probability of a SLB or SGTR occurring during this time
 
period.A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S), relying
 
on Required Actions A.1 and A.2 while the DOSE EQUIVALENT I-
 
131 LCO limit is not met. This allowance is acceptable due (continued)
ACTIONS (continued) to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the North Anna Units 1 and 2B 3.4.16-4Revision 46 RCS Specific Activity B 3.4.16 BASES ACTIONS (continued) ability to restore transient-specific activity excursions
 
while the plant remains at, or proceeds to, power operation.
B.1 With the DOSE EQUIVALENT XE-133 greater than the LCO limit, DOSE EQUIVALENT XE-133 must be restored to within limit
 
within 48 hours. The allowed Completion Time of 48 hours is
 
acceptable since it is expected that, if there were a noble
 
gas spike, the normal coolant noble gas concentration would
 
be restored within this time period. Also, there is a low
 
probability of a SLB or SGTR occurring during this time
 
period.A Note permits that the use of the provisions of LCO 3.0.4.c.
This allowance permits entry into the applicable MODE(S),
relying on Required Action B.1 while the DOSE EQUIVALENT XE-
 
133 LCO limit is not met.
This allowance is acceptable due to significant conservatism incorporated into the specific
 
activity limit, the low probability of an event which is
 
limiting due to exceeding this limit, and the ability to
 
restore transient-specific activity excursions while the
 
plant remains at, or proceeds to, power operation.
C.1 and C.2 If the Required Action and associated Completion Time of Condition A or B is not met, or if the DOSE EQUIVALENT I-131 is > 60.0
&#xb5;Ci/gm, the reactor must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. The allowed
 
Completion Times are reasonable, based on operating experience, to reach th e required plant conditions from full power conditions in an order ly manner an without challenging plant systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.16.1 SR 3.4.16.1 requires performing a gamma isotopic analysis as a measure of the noble gas specific activity of the reactor
 
coolant. This measurement is the sum of the degassed gamma
 
activities and the gaseous gamma activities in the sample
 
taken. This Surveillance provides an indication of any
 
increase in the noble gas specific activity.(continued)
RCS Specific Activity B 3.4.16 BASESNorth Anna Units 1 and 2B 3.4.16-5Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.4.16.1 (continued)
Trending the results of this Surveillance allows proper
 
remedial action to be taken before reaching the LCO limit
 
under normal operating conditions. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
Due to the inherent difficulty in detecting Kr-85 in a
 
reactor coolant sample due to masking from radioisotopes
 
within similar decay energies, such as F-18 and I-134, it is
 
acceptable to include the minimum detectable activity for
 
Kr-85 in the SR 3.4.16.1 calculation. If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT XE-133 is not detected, it should be assumed to be present at
 
the minimum detectable activity.
SR  3.4.16.2 This Surveillance is performed to ensure iodine specific
 
activity remains within the LCO limit during normal
 
operation and following fast power changes when iodine
 
spiking is more apt to occur. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program. The Frequency, between 2 and 6
 
hours after a power change
> 15% RTP within a 1 hour period, is established because the iodine levels peak during this time following the iodine spike initiation; samples at other times would provide accurate results.
 
RCS Specific Activity B 3.4.16 BASESNorth Anna Units 1 and 2B 3.4.16-6Revision 42 REFERENCES1.10 CFR 50.67.2.Standard Review Plan (SRP) Section 15.0.1 "Radiological Consequence Analyses Using Alternative Source Terms."3.UFSAR, Section 15.4.2.4.UFSAR, Section 15.4.3.
North Anna Units 1 and 2B 3.4.17-1Revision 0 RCS Loop Isolation Valves B 3.4.17 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.17RCS Loop Isolation Valves BASES BACKGROUND The reactor coolant loops are equipped with loop isolation
 
valves that permit any loop to be isolated from the reactor
 
vessel. One valve is installed on each hot leg and one on
 
each cold leg. The loop isolation valves are used to perform
 
maintenance on an isolated loop. Power operation with a loop
 
isolated is not permitted.To ensure that inadvertent closure of a loop isolation valve
 
does not occur, the valves must be open with power to the
 
valve operators removed in MODES 1, 2, 3 and
: 4. If the valves are closed, a set of administrative controls and equipment
 
interlocks must be satisfied prior to opening the isolation
 
valves as described in LCO 3.4.18, "RCS Isolated Loop Startup." APPLICABLE
 
SAFETY ANALYSES The safety analyses performed for the reactor at power
 
assume that all reactor coolant loops are initially in
 
operation and the loop isolation valves are open. This LCO
 
places controls on the loop isolation valves to ensure that
 
the valves are not inadvertently closed in MODES 1, 2, 3 and 4. The inadvertent closure of a loop isolation valve when the Reactor Coolant Pumps (RCPs) are operating will
 
result in a partial loss of forced reactor coolant flow (Ref. 1). If the reactor is at power at the time of the event, the effect of the partial loss of forced coolant flow
 
is a rapid increase in the coolant temperature which could
 
result in DNB with subsequent fuel damage if the reactor is
 
not tripped by the Low Flow reactor trip. If the reactor is shutdown and an RCS loop is in operation removing decay heat, closure of the loop isolation valve associated with the
 
operating loop could also result in increasing coolant
 
temperature and the possibility of fuel damage.
RCS Loop Isolation Valves satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCOThis LCO ensures that the loop isolation valves are open and power to the valve operators is removed. Loop isolation
 
valves are used for performing maintenance in MODES 5 and 6.(continued)
North Anna Units 1 and 2B 3.4.17-2Revision 0 RCS Loop Isolation Valves B 3.4.17 BASES LCO (continued)
The safety analyses assume that the loop isolation valves
 
are open in any RCS loops required to be OPERABLE by
 
LCO 3.4.4, "RCS Loops-MODES 1 and 2," LCO 3.4.5, "RCS Loops-MODE 3," or LCO 3.4.6, "RCS Loops-MODE 4." APPLICABILITY In MODES 1 through 4, this LCO ensures that the loop isolation valves are open and power to the valve operators is
 
removed. The safety analyses assume that the loop isolation
 
valves are open in any RCS loops required to be OPERABLE.
In MODES 5 and 6, the loop isolation valves may be closed.
Controlled startup of an isolated loop is governed by the
 
requirements of LCO 3.4.18, "RCS Isolated Loop Startup." ACTIONS The Actions have been provided with a Note to clarify that
 
all RCS loop isolation valves for this LCO are treated as
 
separate entities, each with separate Completion Times, i.e., the Completion Time is on a component basis.
A.1 If power is inadvertently restored to one or more loop
 
isolation valve operators, the potential exists for
 
accidental isolation of a loop. The loop isolation valves
 
have motor operators. Therefore, these valves will maintain
 
their last position when power is removed from the valve
 
operator. With power applied to the valve operators, only
 
the interlocks prevent the valve from being operated.
 
Although operating procedures and interlocks make the
 
occurrence of this event unlikely, the prudent action is to
 
remove power from the loop isolation valve operators. The
 
Completion Time of 30 minutes to remove power from the loop isolation valve operators is sufficient considering the
 
complexity of the task.
B.1, B.2, and B.3 Should a loop isolation valve be closed in MODES 1 through 4, the affected loop isolation valve(s) must remain closed and the unit placed in MODE
: 5. Once in MODE 5, the isolated loop may be started in a controlled manner in
 
accordance with LCO 3.4.18, "RCS Isolated Loop Startup." Opening the closed isolation valve in MODES 1 through 4 could result in colder water or water at a lower boron concentration being mixed with the operating RCS loops (continued)
RCS Loop Isolation Valves B 3.4.17 BASESNorth Anna Units 1 and 2B 3.4.17-3Revision 46 ACTIONS B.1, B.2, and B.3 (continued) resulting in positive reactivity insertion. The Completion Time of Required Action B.1 allows time for borating the operating loops to a shutdown boration level such that the
 
unit can be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.17.1 The Surveillance is performed to ensure that the RCS loop
 
isolation valves are open prior to removing power from the
 
isolation valve operator. There is no remote position
 
indication available after power is removed from the valve
 
operators. The valves w ill maintain their last position when power is removed for the valve operator.
SR  3.4.17.2 The primary function of this Surveillance is to ensure that
 
power is removed from the valve operators, since SR 3.4.4.1 of LCO 3.4.4, "RCS Loops-MODES 1 and 2," ensures that the loop isolation valves are open by verifying every 12 hours that all loops are operating and circulating reactor
 
coolant. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 15.2.6.
Intentionally Blank North Anna Units 1 and 2B 3.4.18-1Revision 0 RCS Isolated Loop Startup B 3.4.18 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.18RCS Isolated Loop Startup BASES BACKGROUND The RCS may be operated with loops isolated in MODES 5 and 6 in order to perform maintenance. While operating with a loop
 
isolated, there is potential for inadvertently opening the
 
isolation valves in the isolated loop. In this event, any
 
coolant in the isolated loop would begin to mix with the
 
coolant in the operating loops. This situation has the
 
potential of causing a positive reactivity addition with a
 
corresponding reduction of SDM if:a.The temperature in the isolated loop is lower than the temperature in the operating Residual Heat Removal (RHR)
 
or RCS loops (cold water incident); orb.The boron concentration in the isolated loop is lower than the boron concentration required to meet the SDM of
 
LCO 3.1.1 or the boron concentration of LCO 3.9.1 (boron dilution incident).
If the loop is drained of coolant, startup of an isolated
 
loop will cause coolant to flow from the RCS into the isolated portion of the l oop with the potential to lower the RCS water level and cause a loss of suction to the RHR System
 
pumps.As discussed in the UFSAR (Ref.
1), the startup of a filled, isolated loop is done in a controlled manner that virtually
 
eliminates any sudden r eactivity addition from cold water or boron dilution because:a.This LCO and unit operating procedures require that the boron concentration in the isolated loop be equal to or
 
greater than the boron concentration required to meet the
 
SDM of LCO 3.1.1 or the boron concentration of LCO 3.9.1 prior to opening the isolation valves, thus eliminating
 
the potential for introducing coolant from the isolated
 
loop that could dilute the boron concentration in the
 
operating loops below the required limit.b.The cold leg loop isolation valve cannot be opened unless the loop has been operated with the hot leg isolation
 
valve open and recirculation flow of  125 gpm for (continued)
North Anna Units 1 and 2B 3.4.18-2Revision 0 RCS Isolated Loop Startup B 3.4.18 BASES BACKGROUNDb.(continued) 90 minutes. This ensures that the temperatures of both the hot leg and cold leg of the isolated loop are within
 
20&deg;F of the operating loops and the boron concentration of the isolated loop is greater than or equal to the boron
 
concentration required to meet the SDM of LCO 3.1.1 or the boron concentration of LCO 3.9.1. Compliance with the recirculation requirement is ensured by operating
 
procedures and automatic interlocks.c.Other automatic interlocks prevent opening the hot leg loop isolation valve unless the cold leg loop isolation
 
valve is fully closed.
The startup of an initially drained, isolated loop is
 
performed in a controlled manner to ensure that sufficient
 
water is available in the RCS to support RHR operation. In
 
this case, the automatic interlocks are defeated and the
 
isolated loop is filled under administrative control.
APPLICABLE
 
SAFETY ANALYSES During startup of a filled isolated loop, the cold leg loop
 
isolation valve interlocks and operating procedures prevent
 
opening the valve until the isolated loop and active RCS
 
volume temperatures are equalized and the boron
 
concentration is within limit. This ensures that any
 
undesirable reactivity effect from the isolated loop does
 
not occur.
An evaluation of the effects of opening the loop isolation
 
valves with the boron concentration or temperature
 
requirements of the filled, isolated portion not met is
 
described in Reference
: 1. Failure to follow the requirements in the LCO could result in the RCS boron concentration or
 
coolant temperature being reduced with a corresponding
 
reduction in SDM. The evaluation concluded that adequate time is available for an operator to identify and respond to such an event prior to reactor criticality.
The initial RCS volume requirements ensure that the
 
operation of the RHR System is not impaired during the filling of an isolated loop from the RCS should the isolation valves on three drained, isolated loops be inadvertently
 
opened.RCS isolated loop startup satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
RCS Isolated Loop Startup B 3.4.18 BASESNorth Anna Units 1 and 2B 3.4.18-3Revision 0 LCO Loop isolation valves are used for performing maintenance when the unit is in MODE 5 or 6. This LCO governs the return to operation of an isolated loop (i.e., the hot and cold leg
 
loop isolation valves are initially closed) and ensures that the loop isolation valves remain closed unless acceptable
 
conditions for opening the valves are established.
There are two methods for returning an isolated loop to
 
operation. The first method is used when the isolated loop is filled with water. When using the filled loop method, the hot leg isolation valve (e.g., the inlet valve to the isolated
 
portion of the loop) is opened first. As described in
 
LCO 3.4.18.a, the water in the isolated loop must be borated to at least the boron concentration needed to provide the
 
required shutdown margin prior to opening the hot leg
 
isolation valve. This ensures that the RCS boron
 
concentration is not re duced below that required to maintain the required shutdown margin. The water in the isolated loop is then mixed with the water in the RCS by establishing flow
 
through the recirculation line (which bypasses the cold leg
 
isolation valve). After the flow through the recirculation
 
line has thoroughly mixed the water in the isolated loop with
 
the water in the RCS and it is verified that the isolated
 
loop temperature is no more than 20
&deg;F below the temperature of the RCS (to avoid reactivity additions due to reduced RCS
 
temperature), the cold leg isolation valve may be opened.
The second method for returning an isolated loop to
 
operation is described in LCO 3.4.18.b and is used when the isolated loop is drained of water. In the drained loop
 
method, the water in the RCS is used to fill the isolated
 
portion of the loop. The LCO also requires that the
 
pressurizer water level be established sufficiently high
 
prior to and during the opening of the isolation valves to ensure that the inadvertent opening of all three sets of loop
 
isolation valves on three drained and isolated loops would
 
not result in loss of net positive suction head for the
 
Residual Heat Removal system.
The LCO is modified by a Note which allows Reactor Coolant
 
Pump (RCP) seal injection to be initiated to a RCP in a
 
drained, isolated loop. This is to support vacuum assisted
 
backfill of the loop. In this method, a vacuum is drawn on
 
the isolated loop prior to opening the cold leg isolation
 
valve in order to minimize the amount of trapped air in the loop and to minimize the need to run the RCP in the isolated loop to clear out air pockets. In order to draw a vacuum on (continued)
North Anna Units 1 and 2B 3.4.18-4Revision 0 RCS Isolated Loop Startup B 3.4.18 BASES LCO (continued) the isolated loop, the RCP seals must be filled with water.
 
The boron concentration of the water used for seal injection
 
must meet the same requirements as the reactor coolant
 
system and the loop must be drained prior to starting seal
 
injection in order to be sure that no water at a boron
 
concentration less than required remains in the isolated
 
loop.The LCO is modified by a Note which allows a hot or cold leg isolation valve to be closed for up to two hours without
 
considering the loop isolated and meeting the LCO
 
requirements when opening the closed valve. This allows for
 
necessary maintenance and testing on the valves and the
 
valve operators. If the closed valve is not reopened with two hours, it is necessary to cl ose both isolation valves on the affected loop and follow the requirements of the LCO when
 
reopening the isolation valves. This is required because
 
there is a possibility that the water in the isolated loop
 
has become diluted or cooled to the point that reintroduction of the water into to the reactor vessel could result in a significant reactivity change.
APPLICABILITY In MODES 5 and 6, RCS loops may be isolated to perform
 
maintenance. When a filled, isolated loop is to be put in
 
operation, the isolated loop boron concentration and
 
temperature must be controlled prior to opening the loop
 
isolation valves in order to avoid the potential for
 
positive reactivity addition. When an initially drained, isolated loop is to be put into operation, sufficient RCS
 
inventory must be available to ensure that RCS water level
 
continues to support RHR operation. The LCO water level
 
requirement is sufficient to ensure that RCS water level
 
does not drop below that required for RHR operation. In
 
MODES 1, 2, 3 and 4, the loop isolation valves are required to be open with power to the valve operators removed by
 
LCO 3.4.17, "RCS Loop Isolation Valves."
ACTIONS A.1, B.1, and C.1 Required Actions A.1, B.1, and C.1 apply when the requirements of LCO 3.4.18.a are not met and a loop isolation valve has been opened. Therefore, the Actions
 
require immediate closure of isolation valves to preclude a
 
boron dilution event or a cold water event or RCS water level falling below that required for RHR operation.
RCS Isolated Loop Startup B 3.4.18 BASESNorth Anna Units 1 and 2B 3.4.18-5Revision 0 ACTIONS (continued)
D.1, D.2, E.1 and E.2 Required Actions D.1, D.2, E.1 and E.2 apply when the requirements of LCO 3.4.18.b are not met and an initially drained, isolated loop is filled from the active RCS volume
 
by opening a loop isolation valve. If the RCS water level
 
requirement is not met, there is the possibility of
 
insufficient net positive suction head to support the RHR
 
pumps. If the RCP seal injection boron concentration
 
requirements are not met, there is the possibility of
 
diluting the reactor coolant boron concentration below that
 
which is required. In both cases, the isolation valve(s) are
 
to be closed and the requirements of the LCO must be met
 
prior to opening the isolation valves. If both isolation
 
valves on the loop are not fully opened within 2 hours, the lack of flow through the closed valve(s) could result in the
 
boron concentration of the previously isolated portion of
 
the loop being significantly different from the remainder of
 
the RCS. The boron concentration in the isolated loop must be verified to be within limit or the isolation valve(s) are to be closed and the requirements of the LCO must be met prior
 
to opening the isolation valves.
F.1 If power is restored to one or more closed loop isolation
 
valve operators without the initial conditions in LCO 3.4.18.a.1 or LCO 3.4.1 8.b.1 being met, the potential exists for accidental startup of an isolated loop and possible
 
reduction in shutdown m argin. The loop isolation valves have motor operators. Therefore, these valves will maintain their
 
last position when power is removed from the valve operator.
 
With power applied to the valve operators, only the
 
interlocks prevent the valve from being operated. Although
 
operating procedures and interlocks make the occurrence of
 
this event unlikely, the prudent action is to remove power from the loop isolation valve operators. The Completion Time of 30 minutes to remove power from the loop isolation valve operators is sufficient considering the complexity of the
 
task.SURVEILLANCE
 
REQUIREMENTS SR  3.4.18.1 This Surveillance is performed to ensure that the
 
temperature differential between a filled, isolated loop and
 
the operating loops is  20&deg;F. The loop stop valve interlocks (continued)
North Anna Units 1 and 2B 3.4.18-6Revision 0 RCS Isolated Loop Startup B 3.4.18 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.4.18.1 (continued) ensure that the temperature of the isolated loop is
 
equalized with the temperature of the operating loops by
 
requiring that the isolated loop is operated for at least
 
90 minutes with a recirculation flow of  125 gpm. The safety analysis neglects the uncertainty associated with measuring recirculation flow due to the insignificant effect
 
on the analysis. Performing the Surveillance 30 minutes prior to opening the cold leg isolation valve in the isolated
 
loop provides reasonable assurance, based on engineering
 
judgment, that the temperature differential will stay within
 
limits until the cold leg isolation valve is opened. This
 
Frequency has been shown to be acceptable through operating
 
experience.
The Surveillance is modified by a Note which states that the
 
Surveillance is only required to be met when utilizing the
 
requirements of the LCO applicable to starting a filled, isolated loop.
SR  3.4.18.2 To ensure that the boron concentration of a filled, isolated
 
loop is greater than or equal to the boron concentration
 
required to meet the SDM of LCO 3.1.1 or the boron concentration of LCO 3.9.1, a Surveillance is performed 1 hour prior to opening either the hot or cold leg isolation valve. Performing the Surveillance 1 hour prior to opening either the hot or cold leg isolation valve provides
 
reasonable assurance the boron concentration difference will
 
stay within acceptable limits until the loop is unisolated.
This Frequency is a reasonable amount of time given that the
 
isolated loop boron concentration changes slowly and the
 
time required to request and have analyzed a boron
 
concentration measurement prior to opening the isolation
 
valve.The Surveillance is modified by a Note which states that the
 
Surveillance is only required to be met when utilizing the
 
requirements of the LCO applicable to starting a filled, isolated loop.
RCS Isolated Loop Startup B 3.4.18 BASESNorth Anna Units 1 and 2B 3.4.18-7Revision 0 SURVEILLANCE REQUIREMENTS (continued)
SR  3.4.18.3 This Surveillance is performed to ensure that a filled, isolated loop is recirculated, with the hot leg isolation
 
valve open, for at least 90 minutes at a flow rate of at
 
least 125 gpm. This will ensure that the boron concentration
 
and temperature of the isolated loop is similar to those of
 
the operating loops. The Frequency of within 30 minutes
 
prior to opening the cold leg isolation valve in a filled, isolated loop is considered a reasonable time to prepare for
 
the opening of the cold leg isolation valve. The
 
Surveillance is modified by a Note which states that the
 
Surveillance is only required to be met when utilizing the
 
requirements of the LCO applicable to starting a filled, isolated loop.
SR  3.4.18.4 This Surveillance is performed to ensure that an isolated loop is drained before opening an isolation valve to fill the
 
isolated portion of the RCS from the RCS active volume or
 
before initiating seal injection to the RCP in the isolated
 
loop. This verification is performed to prevent unsampled
 
water in a partially filled, isolated loop from mixing with
 
the water in the RCS and potentially causing reactivity
 
changes due to differences in boron concentration. The
 
Frequency of within 2 hours prior to filling an initially drained loop from the active RCS volume or within 2 hours of initiating seal injection to the RCP in the isolated loop is
 
considered a reasonable time to prepare for the opening of
 
the isolation valve. The Surveillance is modified by a Note
 
which states that the Surveillance is only required to be met
 
when utilizing the requirements of the LCO applicable to
 
starting an initially drained, isolated loop.
SR  3.4.18.5 This Surveillance verifies that the boron concentration of the water used for seal injection to the RCP in the isolated
 
loop is borated to the same requirement as the RCS. This will prevent the water used for seal injection from diluting the
 
water in the RCS. The LCO is modified by two Notes. Note 1 states that the Surveillance is only required to be met when utilizing the requirements of the LCO applicable to starting an initially drained, isolated loop. Note 2 states that the Surveillance is only required to be met when using blended
 
flow as the source for RCP seal injection. The other sources (continued)
North Anna Units 1 and 2B 3.4.18-8Revision 0 RCS Isolated Loop Startup B 3.4.18 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.4.18.5 (continued) for seal injection are required to be borated to at least the
 
required boron concentration and are periodically verified
 
by other specifications. The Frequency of within 1 hour prior to initiating seal injection flow and once per hour
 
during filling of an initially drained loop from the active
 
RCS volume is considered a reasonable time to monitor the
 
seal injection boron concentration.
SR  3.4.18.6 This Surveillance verifies that there is sufficient water in
 
the RCS when filling an initially drained, isolated portion
 
of the RCS. The volume of water required is sufficient to
 
continue to support RHR operation in the event of the
 
inadvertent opening of the isolation valves on three
 
isolated and drained loops. The required level of 32%
 
incorporates inaccuracies due to use of instruments
 
calibrated at cold conditions. If instruments calibrated at
 
hot conditions are used, an indicated level of 39% is
 
required due to the increased instrument uncertainty. The
 
Frequency of every 15 minutes during filling of a drained, isolated loop ensures that the operators are aware of the
 
water level during the filling operation. The Surveillance
 
is modified by a Note which states that the Surveillance is
 
only required to be met when utilizing the requirements of
 
the LCO applicable to starting a drained, isolated loop.
SR  3.4.18.7 This Surveillance is performed to ensure that the boron
 
concentration of an isolated loop satisfies the boron
 
concentration requirements of the RCS prior to completely
 
opening the cold leg isolation valve or opening the hot leg
 
isolation valve. The Surveillance is modified by a Note which states that the Surveillance is only required to be met
 
when utilizing the requirements of the LCO applicable to
 
starting an initially drained, isolated loop. The Frequency
 
of within 1 hour prior to fully opening the cold leg isolation valve or opening the hot leg isolation valve is
 
considered a reasonable time to prepare for the opening of
 
the isolation valves.
REFERENCES1.UFSAR, Section 15.2.6.
North Anna Units 1 and 2B 3.4.19-1Revision 0 RCS Loops-Test Exceptions B 3.4.19 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.19RCS Loops-Test Exceptions BASES BACKGROUND The primary purpose of this test exception is to provide an
 
exception to LCO 3.4.4, "RCS Loops-MODES 1 and 2," to permit reactor criticality under no forced flow conditions during
 
certain PHYSICS TESTS (natural circulation demonstration, station blackout, and loss of offsite power) to be performed
 
while at low THERMAL POWER levels. Section XI of 10 CFR 50, Appendix B (Ref. 1), requires that a test program be established to ensure that structures, systems, and
 
components will perform satisfactorily in service. All
 
functions necessary to ensure that the specified design
 
conditions are not exceeded during normal operation and
 
anticipated operational occurrences must be tested. This
 
testing is an integral part of the design, construction, and
 
operation of the power plant as specified in General Design
 
Criteria 1, "Quality Standards and Records" (Ref.
2).The key objectives of a test program are to provide assurance
 
that the facility has been adequately designed to validate
 
the analytical models used in the design and analysis, to
 
verify the assumptions used to predict unit response, to
 
provide assurance that installation of equipment at the unit
 
has been accomplished in accordance with the design, and to
 
verify that the operating and emergency procedures are adequate. Testing is performed prior to initial criticality, during startup, and following low power operations.
The tests will include verifying the ability to establish
 
and maintain natural circulation following a unit trip, performing natural circulation cooldown on emergency power, and during the cooldown, showing that adequate boron mixing
 
occurs and that pressure can be controlled using auxiliary
 
spray and pressurizer heaters powered from the emergency
 
power sources.
APPLICABLE
 
SAFETY ANALYSES The tests described above require operating the unit without forced convection flow and as such are not bounded by any
 
safety analyses. However, operating experience has
 
demonstrated this exception to be safe under the present
 
applicability.(continued)
North Anna Units 1 and 2B 3.4.19-2Revision 0 RCS Loops-Test Exceptions B 3.4.19 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
As described in LCO 3.0.7, compliance with Test Exception LCOs is optional, and therefore no criteria of 10 CFR 50.36(c)(2)(ii) apply. Test Exception LCOs provide
 
flexibility to perform certain operations by appropriately
 
modifying requirements of other LCOs. A discussion of the
 
criteria satisfied for the other LCOs is provided in their
 
respective Bases.
LCO This LCO provides an exemption to the requirements of
 
LCO 3.4.4.The LCO is provided to allow for the performance of PHYSICS
 
TESTS in MODE 2 (after a refueling), where the core cooling requirements are significantly different than after the core
 
has been operating. Without the LCO, unit operations would
 
be held bound to the normal operating LCOs for reactor
 
coolant loops and circulation (MODES 1 and 2), and the appropriate tests could not be performed.
In MODE 2, where core power level is considerably lower and the associated PHYSICS TESTS must be performed, operation is allowed under no flow conditions provided THERMAL POWER is P-7 and the reactor trip setpoints of the OPERABLE power level channels are set  25% RTP. This ensures, if some problem caused the unit to enter MODE 1 and start increasing unit power, the Reactor Trip System (RTS) would automatically shut it down before power became too high, and
 
thereby prevent violation of fuel design limits.
The exemption is allowed even though there are no bounding
 
safety analyses. However, these tests are performed under
 
close supervision during the test program and provide
 
valuable information on the unit's capability to cool down
 
without offsite power available to the reactor coolant
 
pumps.APPLICABILITY This LCO is applicable when performing low power PHYSICS
 
TESTS without any forced convection flow. This testing is
 
performed to establish that heat input from nuclear heat
 
does not exceed the natural circulation heat removal
 
capabilities. Therefore, no safety or fuel design limits
 
will be violated as a result of the associated tests.
RCS Loops-Test Exceptions B 3.4.19 BASESNorth Anna Units 1 and 2B 3.4.19-3Revision 46 ACTIONS A.1 When THERMAL POWER is  the P-7 interlock setpoint 10%, the only acceptable action is to ensure the reactor trip
 
breakers (RTBs) are opened immediately in accordance with
 
Required Action A.1 to prevent operation of the fuel beyond its design limits. Opening the RTBs will shut down the
 
reactor and prevent operation of the fuel outside of its
 
design limits.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.19.1 Verification that the power level is < the P-7 interlock setpoint (10%) will ensure that the fuel design criteria are
 
not violated during the performance of the PHYSICS TESTS.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.4.19.2 The power range and intermediate range neutron detectors, P-10, and P-13 interlock setpoint must be verified to be OPERABLE and adjusted to the proper value. The Low Power
 
Reactor Trips Block, P-7 interlock, is actuated from either
 
the Power Range Neutron Flux, P-10, or the Turbine Impulse
 
Chamber Pressure, P-13 interlock. The P-7 interlock is a
 
logic Function with train, not channel identity. A COT is
 
performed prior to initiation of the PHYSICS TESTS. A
 
successful test of the required contact(s) of a channel
 
relay may be performed by the verification of the change of
 
state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is
 
acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and
 
non-Technical Specifications tests at least once per
 
refueling interval with applicable extensions. This will
 
ensure that the RTS is properly aligned to provide the required degree of core protection during the performance of the PHYSICS TESTS. The SR 3.3.1.8 Frequency is sufficient for the power range and intermedia te range neutron detectors to ensure that the instrumentation is OPERABLE before
 
initiating PHYSICS TESTS.
North Anna Units 1 and 2B 3.4.19-4Revision 0 RCS Loops-Test Exceptions B 3.4.19 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.4.19.3 The Low Power Reactor Trips Block, P-7 interlock, must be
 
verified to be OPERABLE in MODE 1 by LCO 3.3.1, "Reactor Trip System Instrumentation." The P-7 interlock is actuated
 
from either the Power Range Neutron Flux, P-10, or the
 
Turbine Impulse Chamber Pressure, P-13 interlock. The P-7
 
interlock is a logic Function. An ACTUATION LOGIC TEST is
 
performed to verify OPERABILITY of the P-7 interlock prior
 
to initiation of startup and PHYSICS TESTS. This will ensure
 
that the RTS is properly functioning to provide the required
 
degree of core protection during the performance of the
 
PHYSICS TESTS.
REFERENCES1.10 CFR 50, Appendix B, Section XI.2.UFSAR, Section 3.1.1.
North Anna Units 1 and 2B 3.4.20-1Revision 28 SG Tube Integrity B 3.4.20 B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.20Steam Generator (SG) Tube Integrity BASES BACKGROUND Steam generator (SG) tubes are small diameter, thin walled
 
tubes that carry primary coolant through the primary to
 
secondary heat exchangers. The SG tubes have a number of
 
important safety functions. SG tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary system's pressure and
 
inventory. The SG tubes isolate the radioactive fission
 
products in the primary coolant from the secondary system.
 
In addition, as part of the RCPB, the SG tubes are unique in
 
that they act as the heat transfer surface between the
 
primary and secondary systems to remove heat from the
 
primary system. This Specification addresses only the RCPB
 
integrity function of the SG. The SG heat removal function is
 
addressed by LCO 3.4.4, "RCS Loops-MODES 1 and 2," LCO 3.4.5, "RCS Loops-MODE 3," LCO 3.4.6, "RCS Loops-MODE 4," and LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled."SG tube integrity means that the tubes are capable of
 
performing their intended RCPB safety function consistent
 
with the licensing basis, including applicable regulatory
 
requirements.
SG tubing is subject to a variety of degradation mechanisms.
 
SG tubes may experience tube degradation related to
 
corrosion phenomena, such as wastage, pitting, intergranular
 
attack, and stress corrosion cracking, along with other
 
mechanically induced phenomena such as denting and wear.
 
These degradation mechanisms can impair tube integrity if
 
they are not managed effectively. The SG performance
 
criteria are used to manage SG tube degradation.
Specification 5.5.8, "Steam Generator (SG) Program,"
requires that a program be established and implemented to
 
ensure that SG tube integrity is maintained. Pursuant to
 
Specification 5.5.8, tube integrity is maintained when the SG performance criteria are met. There are three SG
 
performance criteria: structural integrity, accident induced
 
leakage, and operational LEAKAGE. The SG performance
 
criteria are described in Specification 5.5.8. Meeting the (continued)
North Anna Units 1 and 2B 3.4.20-2Revision 28 SG Tube Integrity B 3.4.20 BASES BACKGROUND (continued)
SG performance criteria provides reasonable assurance of
 
maintaining tube integrity at normal and accident
 
conditions.
The processes used to meet the SG performance criteria are
 
defined by the Steam Generator Program Guidelines (Ref.
1).APPLICABLE
 
SAFETY ANALYSES The steam generator tube rupture (SGTR) accident is the limiting basis event for SG tubes and avoiding a SGTR is the
 
basis for this Specification. The analysis of a SGTR event
 
assumes a bounding primary to secondary LEAKAGE rate of
 
1 gpm, which is conservative with respect to the operational LEAKAGE rate limits in LCO 3.4.13, "RCS Operational LEAKAGE," plus the leakage rate associated with a
 
double-ended rupture of a single tube. The UFSAR analysis
 
for SGTR assumes the contaminated secondary fluid is
 
released via power operated relief valves or safety valves.
 
The source term in the primary system coolant is transported
 
to the affected (ruptured) steam generator by the break
 
flow. The affected steam generator discharges steam to the
 
environment for 30 minutes until the generator is manually isolated. The 1 gpm primary to secondary LEAKAGE transports the source term to the unaffected steam generators. Releases continue through the unaffected steam generators until the
 
Residual Heat Removal System is placed in service.The analysis for design basi s accidents and transients other than a SGTR assume the SG tubes retain their structural
 
integrity (i.e., they are assumed not to rupture.) In these
 
analyses, the steam discharge to the atmosphere is based on
 
the total primary to secondary LEAKAGE from all SGs of
 
1 gallon per minute or is assumed to increase to 1 gallon per minute as a result of accident induced conditions. For
 
accidents that do not involve fuel damage, the primary
 
coolant activity level of DOSE EQUIVALENT I-131 is assumed
 
to be equal to the LCO 3.4.16, "RCS Specific Activity,"
limits. For accidents that assume fuel damage, the primary
 
coolant activity is a function of the amount of activity
 
released from the damaged fuel. The dose consequences of
 
these events are within the limits of GDC 19 (Ref. 2), 10 CFR 50.67 (Ref.
: 3) or RG 1.183 (Ref.
4), as appropriate.
SG tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
SG Tube Integrity B 3.4.20 BASESNorth Anna Units 1 and 2B 3.4.20-3Revision 28 LCO The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the repair
 
criteria be plugged in accordance with the Steam Generator
 
Program.During an SG inspection, any inspected tube that satisfies
 
the Steam Generator Program repair criteria is removed from
 
service by plugging. If a tube was determined to satisfy the repair criteria but was not plugged the tube may still have
 
tube integrity.
In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall between the tube-to-tubesheet weld at the tube inlet and the
 
tube-to-tubesheet weld at the tube outlet. The
 
tube-to-tubesheet weld is not considered part of the tube.
A SG tube has tube integrity when it satisfies the SG
 
performance criteria. The SG performance criteria are
 
defined in Specification 5.5.8, "Steam Generator Program,"
and describe acceptable SG tube performance. The Steam
 
Generator Program also provides the evaluation process for
 
determining conformance with the SG performance criteria.
There are three SG performance criteria: structural
 
integrity, accident induced leakage, and operational
 
LEAKAGE. Failure to meet any one of these criteria is
 
considered failure to meet the LCO.
The structural integrity performance criterion provides a
 
margin of safety against tube burst or collapse under normal and accident conditions, and ensures structural integrity of
 
the SG tubes under all anticipated transients included in
 
the design specification. Tube burst is defined as, "The
 
gross structural failure of the tube wall. The condition
 
typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant
 
pressure) accompanied by ductile (plastic) tearing of the
 
tube material at the ends of the degradation." Tube collapse
 
is defined as, "For the load displacement curve for a given
 
structure, collapse occurs at the top of the load versus
 
displacement curve where the slope of the curve becomes
 
zero." The structural integrity performance criterion provides guidance on as sessing loads that have a significant effect on burst or collapse. In that context, the term
 
"significant" is defined as "An accident loading condition
 
other than differential pressure is considered significant (continued)
North Anna Units 1 and 2B 3.4.20-4Revision 28 SG Tube Integrity B 3.4.20 BASES LCO (continued) when the addition of such loads in the assessment of the
 
structural integrity performance criterion could cause a
 
lower structural limit or limiting burst/collapse condition
 
to be established." For tube integrity evaluations, except
 
for circumferential degradation, axial thermal loads are
 
classified as secondary loads. For circumferential
 
degradation, the classification of axial thermal loads as
 
primary or secondary loads will be evaluated on a
 
case-by-case basis. The division between primary and
 
secondary classifications will be based on detailed analysis
 
and/or testing.
Structural integrity requires that the primary membrane
 
stress intensity in a tube n ot exceed the yield strength for all ASME Code, Section III, Service Level A (normal operating conditions) and Service Level B (upset or abnormal conditions) transients included in the design specification.
 
This includes safety factors and applicable design basis
 
loads based on ASME Code, Section III, Subsection NB (Ref. 5) and Draft Regulatory Guide 1.121 (Ref.
6).The accident induced leakage performance criterion ensures
 
that the primary to secondary LEAKAGE caused by a design
 
basis accident, other than a SGTR, is within the accident
 
analysis assumptions. The accident analysis assumes that accident induced l eakage does not exceed 1 gpm. The accident induced leakage rate includes any primary to secondary
 
LEAKAGE existing prior to the accident in addition to
 
primary to secondary LEAKAGE induced during the accident.
The operational LEAKAGE performance criterion provides an
 
observable indication of SG tube conditions during plant
 
operation. The limit on operational LEAKAGE is contained in
 
LCO 3.4.13, "RCS Operational LEAKAGE," and limits primary to secondary LEAKAGE through any one SG to 150 gallons per day.
This limit is based on the assumption that a single crack
 
leaking this amount would not propagate to a SGTR under the
 
stress conditions of a LOCA or a main steam line break. If
 
this amount of LEAKAGE is due to more than one crack, the
 
cracks are very small, and the above assumption is
 
conservative.
APPLICABILITY SG tube integrity is challenged when the pressure
 
differential across the tubes is large. Large differential
 
pressures across SG tubes can only be experienced in MODE 1, 2, 3, or 4.(continued)
SG Tube Integrity B 3.4.20 BASESNorth Anna Units 1 and 2B 3.4.20-5Revision 28 APPLICABILITY (continued)
SG integrity limits are not provided in MODES 5 and 6 since RCS conditions are far less challenging than in MODES 5 and 6 than during MODES 1, 2, 3, and
: 4. In MODES 5 and 6, primary to secondary differential pressure is low, resulting
 
in lower stresses and reduced potential for LEAKAGE.
ACTIONS The ACTIONS are modified by a Note clarifying that separate
 
Conditions entry is permitted for each SG tube. This is
 
acceptable because the Required Actions provide appropriate
 
compensatory actions for each affected SG tube. Complying with the Required Actions may allow for continued operation, and subsequent affected SG tubes are governed by subsequent
 
Condition entry and application of associated Required
 
Actions.A.1 and A.2 Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube
 
repair criteria but were not plugged in accordance with the
 
Steam Generator Program as required by SR 3.4.20.2. An evaluation of SG tube integrity of the affected tube(s) must
 
be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG repair criteria define limits on SG tube
 
degradation that allow for flaw growth between inspections
 
while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an
 
evaluation must be completed that demonstrates that the SG
 
performance criteria will continue to be met until the next
 
refueling outage or SG tube inspection. The tube integrity
 
determination is based on the estimated condition of the
 
tube at the time the situation is discovered and the
 
estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not
 
being maintained, Condition B applies.
A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not have tube integrity.
If the evaluation determines that the affected tube(s) have
 
tube integrity, Required Action A.2 allows plant operation to continue until the next refueling outage or SG inspection
 
provided the inspection interval continues to be supported (continued)
North Anna Units 1 and 2B 3.4.20-6Revision 28 SG Tube Integrity B 3.4.20 BASES ACTIONS A.1 and A.2 (continued) by an operational assessment that reflects the affected
 
tubes. However, the affected tube(s) must be plugged prior
 
to entering MODE 4 following the next refueling outage or SG inspection. This Completion Time is acceptable since
 
operation until the next inspection is supported by the
 
operational assessment.
B.1 and B.2 If the Required Actions and associated Completion Times of
 
Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours.The allowed Completion Times are reasonable, based on
 
operating experience, to reach the desired plant conditions
 
from full power conditions in an orderly manner and without
 
challenging plant systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.4.20.1During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref.
1), and its referenced EPRI Guidelines, establish the content of the Steam
 
Generator Program. Use of the Steam Generator Program
 
ensures that the inspection is appropriate and consistent
 
with accepted industry practices.
During SG inspections a condition monitoring assessment of
 
the SG tubes is performed. The condition monitoring
 
assessment determines the "as found" condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for
 
the previous operating period.
The Steam Generator Program determines the scope of the
 
inspection and the methods used to determine whether the
 
tubes contain flaws satisfying the tube repair criteria.
 
Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing
 
and potential degradation locations. The Steam Generator
 
Program also specifies the inspection methods to be used to
 
find potential degradation. Inspection methods are a SG Tube Integrity B 3.4.20 BASESNorth Anna Units 1 and 2B 3.4.20-7Revision 28 SURVEILLANCE REQUIREMENTS SR  3.4.20.1 (continued) function of degradation morphology, non-destructive
 
examination (NDE) technique capabilities, and inspection
 
locations.
The Steam Generator Program defines the Frequency of
 
SR 3.4.20.1. The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 7). The Steam Generator Program uses information on existing degradations and growth rates to determine an
 
inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next
 
scheduled inspection. In addition, Specification 5.5.8 contains prescriptive requirements concerning inspection
 
intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections.
SR  3.4.20.2 During an SG inspection, any inspected tube that satisfies
 
the Steam Generator Program repair criteria is removed from
 
service by plugging. The tube repair criteria delineated in
 
Specification 5.5.8 are intended to ensure that tubes accepted for continued service satisfy the SG performance
 
criteria with allowance for error in the flaw size
 
measurement and for future flaw growth. In addition, the
 
tube repair criteria, in conjunction with other elements of
 
the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes
 
remaining in service will continue to meet the SG
 
performance criteria.
The Frequency of prior to entering MODE 4 following a SG inspection ensures that the Surveillance has been completed
 
and all tubes meeting the repair criteria are plugged prior
 
to subjecting the SG tubes to significant primary to
 
secondary pressure differential.
REFERENCES1.NEI 97-06, "Steam Generator Program Guidelines."2.10 CFR 50 Appendix A, GDC 19.3.10 CFR 50.67.
North Anna Units 1 and 2B 3.4.20-8Revision 28 SG Tube Integrity B 3.4.20 BASES REFERENCES (continued)4.RG 1.183, July 2000.5.ASME Boiler and Pressure Vessel Code, Section III, Subsection NB.6.Draft Regulatory Guide 1.121, "Basis for Plugging Degraded Steam Generator Tubes," August 1976.7.EPRI, "Pressurized Water Reactor Steam Generator
 
Examination Guidelines."
North Anna Units 1 and 2B 3.5.1-1Revision 0 Accumulators B 3.5.1 B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.1Accumulators BASES BACKGROUNDThe functions of the ECCS accumulators are to supply water to
 
the reactor vessel during the blowdown phase of a loss of
 
coolant accident (LOCA), to provide inventory to help
 
accomplish the refill phase that follows thereafter, and to
 
provide Reactor Coolant System (RCS) makeup for a small
 
break LOCA.
The blowdown phase of a large break LOCA is the initial
 
period of the transient during which the RCS departs from
 
equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to
 
the reactor coolant. The blowdown phase of the transient
 
ends when the RCS pressure falls to a value approaching that of the containment atmosphere.
In the refill phase of a large break LOCA, which immediately follows the blowdown phase, reactor coolant inventory has
 
vacated the core through steam flashing and ejection out
 
through the break. The core is essentially in adiabatic
 
heatup. The balance of accumulator inventory is then available to help fill vo ids in the lower plenum and reactor vessel downcomer so as to establish a recovery level at the
 
bottom of the core and ongoing reflood of the core with the
 
addition of safety injection (SI) water.
The accumulators are pressure vessels partially filled with
 
borated water and pressurized with nitrogen gas. The
 
accumulators are passive components, since no operator or
 
control actions are required in order for them to perform
 
their function. Internal accumulator tank pressure is sufficient to discharge the accumulator contents to the RCS, if RCS pressure decreases below the accumulator pressure.
Each accumulator is piped into an RCS cold leg via an
 
accumulator line and is isolated from the RCS by a motor
 
operated isolation valve and two check valves in series.
The accumulator size, water volume, and nitrogen cover
 
pressure are selected so that two of the three accumulators
 
are sufficient to partially cover the core before
 
significant clad melting or zirconium water reaction can (continued)
North Anna Units 1 and 2B 3.5.1-2Revision 0 Accumulators B 3.5.1 BASES BACKGROUND (continued) occur following a large break LOCA. The need to ensure that
 
two accumulators are adequate for this function is
 
consistent with the large break LOCA assumption that the
 
entire contents of one accumulator will be lost via the RCS
 
pipe break during the blowdown phase of the large break LOCA.
APPLICABLE
 
SAFETY ANALYSES The accumulators are assumed OPERABLE in both the large and
 
small break LOCA analyses at full power (Ref.
1). These are the Design Basis Accidents (DBAs) that establish the
 
acceptance limits for the accumulators. Reference to the
 
analyses for these DBAs is used to assess changes in the
 
accumulators as they relate to the acceptance limits.
In performing the LOCA calculations, conservative
 
assumptions are made concerning the availability of ECCS
 
flow. In the early stages of a large break LOCA, with or
 
without a loss of offsite power, the accumulators provide
 
the sole source of makeup water to the RCS. The assumption of loss of offsite power is required by regulations and
 
conservatively imposes a delay wherein the ECCS pumps cannot
 
deliver flow until the emergency diesel generators start, come to rated speed, and energize their respective buses. In
 
cold leg large break scenarios, the entire contents of one
 
accumulator are assumed to be lost through the break.
The limiting large break LOCA is a double ended guillotine
 
break at the discharge of the reactor coolant pump. During
 
this event, the accumulators discharge to the RCS as soon as
 
RCS pressure decreases to below accumulator pressure.
As a conservative estimate, no credit is taken for ECCS pump
 
flow until an effective delay has elapsed. This delay accounts for the diesels starting and the pumps being loaded
 
and delivering full flow. The delay time is conservatively
 
set with an additional 2 seconds to account for SI signal generation. During this time, the accumulators are analyzed
 
as providing the sole source of emergency core cooling. No
 
operator action is assumed during the blowdown stage of a
 
large break LOCA.
The worst case small break LOCA analyses also assume a time
 
delay before pumped flow reaches the core. For the larger range of small breaks, the rate of blowdown is such that the
 
increase in fuel clad temperature is terminated solely by
 
the accumulators, with pumped flow then providing continued
 
cooling. As break size decreases, the accumulators and High (continued)
Accumulators B 3.5.1 BASESNorth Anna Units 1 and 2B 3.5.1-3Revision 13 APPLICABLE SAFETY ANALYSES (continued)
Head Safety Injection (HHSI) pumps both play a part in
 
terminating the rise in clad temperature. As break size
 
continues to decrease, the role of the accumulators
 
continues to decrease until they are not required and the
 
HHSI pumps become solely responsible for terminating the
 
temperature increase.
This LCO helps to ensure that the following acceptance
 
criteria established for the ECCS by 10 CFR 50.46 (Ref.
: 2) will be met following a LOCA:a.Maximum fuel element cladding temperature is  2200&deg;F. for small breaks, and there must be a high level of
 
probability that the peak cladding temperature does not
 
exceed 2200&deg;F for large breaks;b.Maximum cladding oxidation is  0.17 times the total cladding thickness before oxidation;c.Maximum hydrogen generation from a zirconium water reaction is  0.01 times the hypothetical amount that would be generated if all of the metal in the cladding
 
cylinders surrounding the fuel, excluding the cladding
 
surrounding the plenum volume, were to react; andd.Core is maintained in a coolable geometry.
Since the accumulators discharge during the blowdown phase of a LBLOCA, they do not contribute to the long term cooling requirements of 10 CFR 50.46.For both the large and small break LOCA analyses, a nominal
 
contained accumulator water volume is used. For small
 
breaks, the accumulator water volume only affects the mass flow rate of water into the RCS since the tanks do not empty
 
for most break sizes analyzed. The assumed water volume has
 
an insignificant effect upon the peak clad temperature. For
 
large breaks, an increase in water volume can be either a
 
peak clad temperature penalty or benefit, depending on
 
downcomer filling and subsequent spill through the break
 
during the core reflooding portion of the transient. The
 
safety analysis supports operation with a contained water
 
volume of between 7580 gallons and 7756 gallons per accumulator.(continued)
North Anna Units 1 and 2B 3.5.1-4Revision 9 Accumulators B 3.5.1 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The minimum boron concentration setpoint is used in the post LOCA boron concentration calculation. The calculation is
 
performed to assure reactor subcriticality in a post LOCA
 
environment. Of particular interest is the large break LOCA, since no credit is taken for control rod assembly insertion.
A reduction in the accumulator minimum boron concentration
 
would produce a subsequent reduction in the available
 
containment sump concentration for post LOCA shutdown and an increase in the maximum sump pH. The maximum boron
 
concentration is used in determining the cold leg to hot leg
 
recirculation injection switchover time and minimum sump pH.
The large and small break LOCA peak clad temperature
 
analyses are performed at the minimum nitrogen cover
 
pressure, since sensitivity analyses have demonstrated that
 
higher nitrogen cover pressure results in a computed peak
 
clad temperature benefit. The maximum nitrogen cover
 
pressure limit prevents accumulator relief valve actuation, and ultimately preserves accumulator integrity.
The effects on containment mass and energy releases from the
 
accumulators are accounted for in the appropriate analyses (Ref. 1). The large break LOCA containment analyses assume that the accumulator nitrogen is discharged into the
 
containment, which affects transient subatmospheric
 
pressure.The accumulators satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO establishes the minimum conditions required to
 
ensure that the accumulators are available to accomplish
 
their core cooling safety function following a LOCA. Three
 
accumulators are required to ensure that 100% of the
 
contents of two of the accumulators will reach the core
 
during a large break LOCA. This is consistent with the
 
assumption that the contents of one accumulator spill
 
through the break. If less than two accumulators are injected during the blowdown phase of a large break LOCA, the ECCS acceptance criteria of 10 CFR 50.46 (Ref.
: 2) could be violated.(continued)
Accumulators B 3.5.1 BASESNorth Anna Units 1 and 2B 3.5.1-5Revision 9 LCO (continued)
For an accumulator to be considered OPERABLE, the isolation valve must be fully open, pow er removed when RCS pressure is  2000 psig, and the limits established in the SRs for contained volume, boron concentration, and nitrogen cover
 
pressure must be met.
APPLICABILITY In MODES 1 and 2, and in MODE 3 with RCS pressure
> 1000 psig, the accumulator OPERABILITY requirements are based on full power operation. Although cooling requirements
 
decrease as power decreases, the accumulators are still
 
required to provide core cooling as long as elevated RCS
 
pressures and temperatures exist.
This LCO is only applicable at pressures >
1000 psig. At pressures  1000 psig, the rate of RCS blowdown is such that the ECCS pumps can provide adequate injection to ensure that
 
peak clad temperature remains below the 10 CFR 50.46 (Ref. 2) limit of 2200
&deg;F.In MODE 3, with RCS pressure  1000 psig, and in MODES 4, 5, and 6, the accumulator motor operated isolation valves are closed to isolate the accumulators from the RCS. This allows
 
RCS cooldown and depressurization without discharging the
 
accumulators into the RCS or requiring depressurization of
 
the accumulators.
ACTIONS A.1 If the boron concentration of one accumulator is not within
 
limits, it must be returned to within the limits within
 
72 hours. In this Condition, ability to maintain subcriticality or minimum boron precipitation time may be
 
reduced. The boron in the accumulators contributes to the
 
assumption that the combined ECCS water in the partially
 
recovered core during the early reflooding phase of a large
 
break LOCA is sufficient to keep that portion of the core
 
subcritical. One accumulator below the minimum boron
 
concentration limit, however, will have no effect on
 
available ECCS water and an insignificant effect on core
 
subcriticality during reflood. Boiling of ECCS water in the
 
core during reflood concentrates boron in the saturated
 
liquid that remains in the core. In addition, the
 
accumulators do not discharge following a large main steam
 
line break. Thus, 72 hours is allowed to return the boron concentration to within limits.
North Anna Units 1 and 2B 3.5.1-6Revision 46 Accumulators B 3.5.1 BASES ACTIONS (continued)
B.1 If one accumulator is inoperable for a reason other than
 
boron concentration, the accumulator must be returned to
 
OPERABLE status within 1 hour. In this Condition, the required contents of two accumulators cannot be assumed to reach the core during a large break LOCA. Due to the severity of the consequences should a large break LOCA occur in these
 
conditions, the 1 hour Completion Time to open the valve, remove power to the valve, or restore the proper water volume
 
or nitrogen cover pressure ensures that prompt action will
 
be taken to return the inoperable accumulator to OPERABLE
 
status. The Completion Time minimizes the time the unit is
 
exposed to a LOCA under these conditions.
C.1 and C.2 If the accumulator cannot be returned to OPERABLE status
 
within the associated Completion Time, the unit must be
 
brought to a MODE in which the LCO does not apply. To achieve
 
this status, the unit must be brought to MODE 3 within 6 hours and RCS pressure reduced to  1000 psig within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
 
conditions from full power conditions in an orderly manner
 
and without challenging unit systems.
D.1 If more than one accumulator is inoperable, the unit is in a
 
condition outside the accident analyses; therefore, LCO 3.0.3 must be entered immediately.
SURVEILLANCE
 
REQUIREMENTS SR  3.5.1.1 Each accumulator isolation valve should be verified to be
 
fully open. This verification ensures that the accumulators
 
are available for injection and ensures timely discovery if
 
a valve should be less than fully open. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve position should not change with power removed, a closed valve could result in not
 
meeting accident analyses assumptions. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
Accumulators B 3.5.1 BASESNorth Anna Units 1 and 2B 3.5.1-7Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.5.1.2 and SR 3.5.1.3 Borated water volume and nitrogen cover pressure are verified for each accumulator. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
SR  3.5.1.4 The boron concentration should be verified to be within required limits for eac h accumulator since the static design of the accumulators limits the ways in which the
 
concentration can be changed. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program. Sampling the affected accumulator within 6 hours after a 50% increase of indicated level will identify whether inleakage has caused a reduction in boron
 
concentration to below the required limit. It is not
 
necessary to verify boron concentration if the added water
 
inventory is from the refueling water storage tank (RWST),
because the water contained in the RWST is within the
 
accumulator boron concentration requirements. This is
 
consistent with the recommendation of NUREG-1366 (Ref.
3).Although the run of piping between the two accumulator
 
discharge check valves is credited in demonstrating
 
compliance with Technical Specification 3.5.1 minimum accumulator volume requirement, the minimum boron
 
concentration requirement does not apply to this run of
 
piping. Applicable accident analyses have explicitly
 
considered in-leakage from the RCS, and the resulting
 
reduction in boron concentration in this run of piping, which is not sampled.
SR  3.5.1.5 Verification that power is removed from each accumulator
 
isolation valve operator when the RCS pressure is  2000 psig ensures that an active failure could not result in the
 
closure of an accumulator mot or operated isolation valve. If this were to occur, only one accumulator would be available
 
for injection given a single failure (continued)
North Anna Units 1 and 2B 3.5.1-8Revision 46 Accumulators B 3.5.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.5.1.5 (continued) coincident with a LOCA. The Surveillance Frequency is based
 
on operating experience, equipment reliability, and plant
 
risk and is controlled under the Surveillance Frequency
 
Control Program.
This SR allows power to be supplied to the motor operated
 
isolation valves when RCS pressure is <
2000 psig, thus allowing operational flexibility by avoiding unnecessary
 
delays to manipulate the breakers during unit startups or
 
shutdowns.
REFERENCES
: 1. UFSAR, Chapter 6 and Chapter 15.2. 10 CFR 50.46.3. NUREG-1366, February 1990.
North Anna Units 1 and 2B 3.5.2-1Revision 0 ECCS-Operating B 3.5.2 B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.2ECCS-Operating BASES BACKGROUND The function of the ECCS is to provide core cooling and
 
negative reactivity to ensure that the reactor core is
 
protected after any of the following accidents:a.Loss of coolant accident (LOCA), coolant leakage greater than the capability of the normal charging system;b.Rupture of a control rod drive mechanism-control rod assembly ejection accident;c.Loss of secondary coolant accident, including uncontrolled steam release or loss of feedwater; andd.Steam generator tube rupture (SGTR).
The addition of negative reactivity is designed primarily
 
for the MSLB where primary cooldown could add enough
 
positive reactivity to achieve criticality and return to
 
significant power.
There are three phases of ECCS operation: injection, cold
 
leg recirculation, and hot leg recirculation. In the
 
injection phase, water is taken from the refueling water
 
storage tank (RWST) and injected into the Reactor Coolant
 
System (RCS) through the cold legs. When sufficient water is
 
removed from the RWST to ensure that enough boron has been
 
added to maintain the reactor subcritical and the
 
containment sumps have enough water to supply the required
 
net positive suction head to the ECCS pumps, suction is switched to the containment sump for cold leg recirculation.
Within approximately 5 hours, the ECCS flow is shifted to the hot leg recirculation phase to provide a backflush, which would reduce the boiling in the top of the core and any
 
resulting boron precipitation.
The ECCS consists of two separate subsystems: High Head
 
Safety Injection (HHSI) and Low Head Safety Injection (LHSI). Each subsystem consists of two redundant, 100%
capacity trains. The ECCS accumula tors and the RWST are also part of the ECCS, but are not considered part of an ECCS flow
 
path as described by this LCO.(continued)
North Anna Units 1 and 2B 3.5.2-2Revision 0 ECCS-Operating B 3.5.2 BASES BACKGROUND (continued)The ECCS flow paths consist of piping, valves, and pumps such
 
that water from the RWST can be injected into the RCS
 
following the accidents described in this LCO. The major components of each subsystem are the HHSI pumps and the LHSI pumps. Each of the two subsystems consists of two 100%
 
capacity trains that are interconnected and redundant such
 
that either train is capable of supplying 100% of the flow
 
required to mitigate the accident consequences. This
 
interconnecting and redundant subsystem design provides the
 
operators with the ability to utilize components from
 
opposite trains to achieve the required 100% flow to the
 
core.During the injection phase of LOCA recovery, a suction
 
header supplies water from the RWST to the ECCS pumps. Water
 
from the supply header enters the LHSI pumps through
 
parallel, normally open, motor operated valves. Water to the
 
HHSI pumps is supplied via parallel motor operated valves to
 
ensure that at least one valve opens on receipt of a safety
 
injection actuation signal. The supply header then branches
 
to the three HHSI pumps through normally open, motor
 
operated valves. The discharge from the HHSI pumps combines
 
prior to entering the boron injection tank (BIT) and then
 
divides again into three supply lines, each of which feeds
 
the injection line to one RCS cold leg. The discharge from
 
the LHSI pumps combine and then divide into three supply
 
lines, each of which feeds the injection line to one RCS cold leg. Control valves in the HHSI lines are set to balance the
 
flow to the RCS. This balance ensures sufficient flow to the
 
core to meet the analysis assumptions following a LOCA in one
 
of the RCS cold legs and preclude pump runout.
For LOCAs that are too small to depressurize the RCS below
 
the shutoff head of the LHSI pumps, the HHSI pumps supply
 
water until the RCS pressure decreases below the LHSI pump
 
shutoff head. During this period, the steam generators are
 
used to provide part of the core cooling function.
During the recirculation phase of LOCA recovery, LHSI pump
 
suction is transferred to the containment sump. The LHSI
 
pumps then supply the HHSI pumps. Initially, recirculation
 
is through the same paths as the injection phase.
 
Subsequently, recirculation alternates injection between the
 
hot and cold legs.(continued)
ECCS-Operating B 3.5.2 BASESNorth Anna Units 1 and 2B 3.5.2-3Revision 0 BACKGROUND (continued)
The HHSI subsystem of the ECCS also functions to supply borated water to the reactor core following increased heat
 
removal events, such as an MSLB. The limiting design
 
conditions occur when the negative moderator temperature
 
coefficient is highly negative, such as at the end of each
 
cycle.HHSI pumps A and B a re capable of being automatically started and are powered from separate emergency buses. HHSI pump C
 
can only be manually started, but can be powered from either
 
of the emergency buses that HHSI pumps A and B are powered
 
from. An interlock prevents HHSI pump C from being powered
 
from both emergency buses simultaneously. For HHSI pump C to be OPERABLE, it must be running since it does not start
 
automatically. In the event of a Safety Injection signal
 
coincident with a loss of offsite power, interlocks prevent
 
automatic operation of two HHSI pumps on the same emergency
 
bus to prevent overloading the emergency diesel generators.
 
HHSI pump C is normally either running, or available but not
 
running. HHSI pump C is normally running if either HHSI
 
pump A or B is inoperable or both are otherwise preferred to not be in operation. HHSI pump C is normally available but
 
not running when either HHSI pump A or B is running.
The ECCS subsystems are actuated upon receipt of an SI
 
signal. The actuation of safeguard loads is accomplished in
 
a programmed time sequence. If offsite power is available, the safeguard loads start immediately in the programmed
 
sequence. If offsite power is not available, the Engineered
 
Safety Feature (ESF) buses shed normal operating loads and
 
are connected to the emergency diesel generators (EDGs).
 
Safeguard loads are then actuated in the programmed time sequence. The time dela y associated with diesel starting and pump starting determines the time required before pumped
 
flow is available to the core following a LOCA.
The active ECCS components, along with the passive
 
accumulators and the RWST covered in LCO 3.5.1, "Accumulators," and LCO 3.5.4, "Refueling Water Storage Tank (RWST)," provide the cooling water necessary to meet
 
Reference 1.
North Anna Units 1 and 2B 3.5.2-4Revision 13 ECCS-Operating B 3.5.2 BASES APPLICABLE
 
SAFETY ANALYSES The LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref.
2), will be met following a LOCA:a.Maximum fuel element cladding temperature is  2200&deg;F for small breaks, and there must be a high level of
 
probability that the peak cladding temperature does not
 
exceed 2200&deg;F for large breaks;b.Maximum cladding oxidation is  0.17 times the total cladding thickness before oxidation;c.Maximum hydrogen generation from a zirconium water reaction is  0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders
 
surrounding the fuel, excluding the cladding surrounding
 
the plenum volume, were to react;d.Core is maintained in a coolable geometry; ande.Adequate long term core cooling capability is maintained.
The LCO also limits the magnitude of post trip return to
 
power following an MSLB event and ensures that containment
 
temperature limits are met.
Each ECCS subsystem is taken credit for in a large break LOCA
 
event at full power (Refs.
3 and 4). This event establishes the maximum flow requirement for the ECCS pumps. The HHSI
 
pumps are credited in a small break LOCA event. This event
 
relies upon the flow and discharge head of the HHSI pumps.
 
The SGTR and MSLB events also credit the HHSI pumps. The
 
OPERABILITY requirements for the ECCS are based on the
 
following LOCA analysis assumptions:a.A large break LOCA event, wi th loss of offsite power and a single failure disabling one LHSI pump (both EDG trains
 
are assumed to operate due to requirements for modeling
 
full active containment heat removal system operation);
 
andb.A small break LOCA event, wi th a loss of offsite power and a single failure disabling one Emergency Diesel
 
Generator.(continued)
ECCS-Operating B 3.5.2 BASESNorth Anna Units 1 and 2B 3.5.2-5Revision 9 APPLICABLE SAFETY ANALYSES (continued)
During the blowdown stage of a large break LOCA, the RCS
 
depressurizes as primary coolant is ejected through the
 
break into the containment. The nuclear reaction is
 
terminated either by moderator voiding during large breaks
 
or control rod insertion for small breaks. Following
 
depressurization, emergency cooling water is injected into
 
the cold legs, flows into the downcomer, fills the lower
 
plenum, and refloods the core.
The effects on containment mass and energy releases are
 
accounted for in appropriate analysis (Ref.
3). The LCO ensures that an ECCS train will deliver sufficient water to match boiloff rates soon enough to minimize the consequences of the core being uncovered following a large LOCA. It also
 
ensures that the HHSI pumps will deliver sufficient water
 
and boron during a small LOCA to maintain core
 
subcriticality. For smaller LOCAs, the HHSI pump delivers
 
sufficient fluid to maintain RCS inventory. For a small
 
break LOCA, the steam generators continue to serve as the
 
heat sink, providing part of the required core cooling.
The ECCS trains satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO In MODES 1, 2, and 3, two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is
 
available, assuming a single failure affecting either train.
 
Additionally, individual components within the ECCS trains
 
may be called upon to mitigate the consequences of other
 
transients and accidents.
In MODES 1, 2, and 3, an ECCS train consists of an HHSI subsystem and a LHSI subsystem. Each train includes the
 
piping, instruments, and controls to ensure an OPERABLE flow
 
path capable of taking suction from the RWST upon an SI
 
signal and automatically transferring suction to the
 
containment sump.
During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply
 
headers to each of the three cold leg injection nozzles. In
 
the long term, this flow path may be switched to take its
 
supply from the containment sump and to supply its flow to
 
the RCS hot and cold legs.(continued)
North Anna Units 1 and 2B 3.5.2-6Revision 12 ECCS-Operating B 3.5.2 BASES LCO (continued)
The flow path for each train must maintain its designed
 
independence to ensure that no single failure can disable
 
both ECCS trains.
As indicated in the Note, the SI flow paths may be isolated
 
for 2 hours in MODE 3, under controlled conditions, to perform pressure isolation valve testing per SR 3.4.14.1.
The flow path is readily restorable from the control room.
APPLICABILITY In MODES 1, 2, and 3, the ECCS OPERABILITY requirements for the limiting Design Basis Accident, a large break LOCA, are
 
based on full power operation. Although reduced power would
 
not require the same level of performance, the accident
 
analysis does not provide for reduced cooling requirements
 
in the lower MODES. MODE 2 and MODE 3 requirements are bounded by the MODE 1 analysis.
This LCO is only applicable in MODE 3 and above. Below MODE 3, the SI signal setpoint has already been manually bypassed by operator control, and system functional
 
requirements are relaxed as described in LCO 3.5.3, "ECCS-Shutdown." In MODES 5 and 6, unit conditions are such that the probability of an event requiring ECCS injection is
 
extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High
 
Water Level," and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level." ACTIONS A.1 With one or more trains inoperable and at least 100% of the
 
ECCS flow equivalent to a single OPERABLE ECCS train
 
available, the inoperable components must be returned to OPERABLE status within 72 hours. The 72 hour Completion Time is based on an NRC reliability evaluation (Ref.
: 5) and is a reasonable time for repair of many ECCS components.
A note has been added to this Action's Completion Time to permit a one-time extension of the Completion Time to 7 days to effect repairs on the Unit 1 "A" LHSI train.(continued)
ECCS-Operating B 3.5.2 BASESNorth Anna Units 1 and 2B 3.5.2-7Revision 9 ACTIONS A.1 (continued)
An ECCS train is inoperable if it is not capable of delivering design flow to the RCS. Individual components are inoperable if they are not capable of performing their
 
design function or supporting systems are not available.
The LCO requires the OPERABILITY of a number of independent
 
subsystems. Due to the redundancy of trains and the
 
diversity of subsystems, the inoperability of one active
 
component in a train does not render the ECCS incapable of
 
performing its function. Neither does the inoperability of
 
two different components, each in a different train, necessarily result in a loss of function for the ECCS (e.g., an inoperable HHSI pump in one train, and an inoperable LHSI pump in the other). This allows increased flexibility in
 
unit operations under circumstances when components in
 
opposite trains are inoperable.
An event accompanied by a loss of offsite power and the
 
failure of an EDG can disable one ECCS train until power is
 
restored. A reliability analysis (Ref.
: 5) has shown that the impact of having one full ECCS train inoperable is
 
sufficiently small to justify continued operation for
 
72 hours.B.1 and B.2 If the inoperable trains cannot be returned to OPERABLE
 
status within the associated Completion Time, the unit must
 
be brought to a MODE in which the LCO does not apply. To
 
achieve this status, the unit must be brought to MODE 3 within 6 hours and MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating
 
experience, to reach the required unit conditions from full
 
power conditions in an orderly manner and without
 
challenging unit systems.
C.1 Condition A is applicable with one or more trains inoperable. The allowed Completion Time is based on the
 
assumption that at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is available. With less than
 
100% of the ECCS flow equivalent to a single OPERABLE ECCS
 
train available, the facility is in a condition outside of
 
the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.
North Anna Units 1 and 2B 3.5.2-8Revision 46 ECCS-Operating B 3.5.2 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.5.2.1 Verification of proper valve position ensures that the flow
 
path from the ECCS pumps to the RCS is maintained.
 
Misalignment of these valves could render both ECCS trains
 
inoperable. Securing these valves in position by removal of
 
power or by key locking the control in the correct position
 
ensures that they cannot change position as a result of an
 
active failure or be inadvertently misaligned. These valves
 
are of the type that can disable the function of both ECCS
 
trains and invalidate the accident analyses. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.5.2.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides
 
assurance that the proper flow paths will exist for ECCS
 
operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were
 
verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation
 
signal is allowed to be in a nonaccident position provided
 
the valve will automatically reposition within the proper
 
stroke time. This Surveillance does not require any testing
 
or valve manipulation. Rather, it involves verification that
 
those valves capable of being mispositioned are in the
 
correct position. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.SR  3.5.2.3 With the exception of the operating charging pump, the ECCS
 
pumps are normally in a standby nonoperating mode. As such, some flow path piping has the potential to develop pockets of
 
entrained gases. Plant operating experience and analysis has
 
shown that after proper system filling (following
 
maintenance or refueling outages), some entrained
 
noncondensable gases remain. These gases will form small
 
voids, which remain stable in the system in both normal and
 
transient operation. Mechanisms postulated to increase the (continued)
ECCS-Operating B 3.5.2 BASESNorth Anna Units 1 and 2B 3.5.2-9Revision 46 SURVEILLANCE REQUIREMENTS SR  3.5.2.3 (continued) void size are gradual in nature, and the system is operated
 
in accordance with procedures to preclude growth in these
 
voids.To provide additional assurances that the system will
 
function, a verification is performed that the system is
 
sufficiently full of water. The system is sufficiently full of water when the voids and pockets of entrained gases in the ECCS piping are small enough in size and number so as to not
 
interfere with the proper operation of the ECCS.
 
Verification that the ECCS piping is sufficiently full of
 
water can be performed by venting the necessary high point
 
ECCS vents outside containment, using NDE, or using other
 
Engineering-justified means. Maintaining the piping from the ECCS pumps to the RCS sufficiently full of water ensures that the system will perform properly, injecting its full
 
capacity into the RCS upon demand. This will also prevent
 
water hammer, pump cavitation, and pumping of excess
 
noncondensable gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an SI signal or during shutdown
 
cooling. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
SR  3.5.2.4 Periodic surveillance testing of ECCS pumps is required by
 
the ASME Code. This type of testing may be accomplished by
 
measuring the pump developed head at only one point of the
 
pump characteristic curve. This testing is performed at low
 
flow conditions during quarterly tests and near design flow
 
conditions at least once every 24 months, as required by the Code. The quarterly test will detect gross degradation
 
caused by impeller structural damage or other hydraulic
 
component problems, but is not a good indicator of expected
 
pump performance at high flow conditions. Both tests verify
 
that the measured performance is within an acceptable
 
tolerance of the original pump baseline performance.
 
Additionally, the 24-month comprehensive test verifies that
 
the test flow is greater than or equal to the performance
 
assumed in the safety analysis. Due to limitations in system
 
design, the 24-month test is performed during refueling
 
outages. SRs are specified in the Inservice Testing Program, (continued)
North Anna Units 1 and 2B 3.5.2-10Revision46 ECCS-Operating B 3.5.2 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.5.2.4 (continued) which encompasses the ASME Code. The ASME Code provides the
 
activities and Frequencies necessary to satisfy the
 
requirements.
SR  3.5.2.5 and SR 3.5.2.6 These Surveillances demonstrate that each automatic ECCS
 
valve actuates to the required position on an actual or
 
simulated SI signal and that each ECCS pump capable of
 
starting automatically starts on receipt of an actual or
 
simulated SI signal. This Surveillance is not required for
 
valves that are locked, sealed, or otherwise secured in the
 
required position under administrative controls. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.5.2.7 Proper throttle valve position is necessary for proper ECCS
 
performance and to prevent pump runout and subsequent
 
component damage. The Surveillance verifies each listed ECCS
 
throttle valve is secured in the correct position. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.5.2.8 Periodic inspections of the containment sump components
 
ensure that they are unrestricted and stay in proper
 
operating condition. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.
ECCS-Operating B 3.5.2 BASESNorth Anna Units 1 and 2B 3.5.2-11Revision 0 REFERENCES1.UFSAR, Section 3.1.31.2.10 CFR 50.46.3.UFSAR, Section 15.4.1.4.UFSAR, Section 6.2 and Chapter 15.5.NRC Memorandum to V.
Stello, Jr., from R.L.
Baer, "Recommended Interim Revisions to LCOs for ECCS
 
Components," December 1, 1975.
Intentionally Blank North Anna Units 1 and 2B 3.5.3-1Revision 0 ECCS-Shutdown B 3.5.3 B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.3ECCS-Shutdown BASES BACKGROUND The Background section for Bases 3.5.2, "ECCS-Operating," is applicable to these Bases, with the following modifications.
In MODE 4, the required ECCS train consists of two separate subsystems: High Head Safety Injection (HHSI) and Low Head
 
Safety Injection (LHSI).The ECCS flow paths consist of piping, valves and pumps such
 
that water from the refueling water storage tank (RWST) can
 
be injected into the Reactor Coolant System (RCS) following
 
the accidents described in Bases 3.5.2.APPLICABLE
 
SAFETY ANALYSES The Applicable Safety Analyses section of Bases 3.5.2 also applies to this Bases section.
Due to the stable conditions associated with operation in
 
MODE 4 and the reduced probability of occurrence of a Design Basis Accident (DBA), the ECCS operational requirements are
 
reduced. It is understood in these reductions that certain
 
automatic safety injection (SI) actuation is not available.
 
In this MODE, sufficient time exists for manual actuation of the required ECCS to miti gate the consequences of a DBA. The safety analysis assumes that flow from one HHSI pump is
 
manually initiated 10 minutes after the DBA.
Only one train of ECCS is required for MODE
: 4. This requirement dictates that single failures are not considered
 
during this MODE of operation.
The ECCS trains satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO In MODE 4, one of the two independent (and redundant) ECCS trains is required to be OPERABLE to ensure that sufficient
 
ECCS flow is available to the core following a DBA.
In MODE 4, an ECCS train consists of an HHSI subsystem and an LHSI subsystem. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of (continued)
North Anna Units 1 and 2B 3.5.3-2Revision 0 ECCS-Shutdown B 3.5.3 BASES LCO (continued)taking suction from the RWST and transferring suction to the
 
containment sump.
During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply
 
headers to each of the three cold leg injection nozzles. In
 
the long term, this flow path may be switched to take its
 
supply from the containment sump and to deliver its flow to
 
the RCS hot or cold legs.
APPLICABILITY In MODES 1, 2, and 3, the OPERABILITY requirements for ECCS are covered by LCO 3.5.2.In MODE 4 with RCS temperature below 350
&deg;F, one OPERABLE ECCS train is acceptable without single failure consideration, on
 
the basis of the stable reactivity of the reactor and the
 
limited core cooling requirements.
In MODES 5 and 6, unit conditions are such that the probability of an event requiring ECCS injection is
 
extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High
 
Water Level," and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level." ACTIONS A.1 With no ECCS train OPERABLE, due to the inoperability of the ECCS flow path, the unit is not prepared to respond to Design Basis Events requiring SI. The 1 hour Completion Time to restore at least one ECCS train to OPERABLE status ensures
 
that prompt action is taken to provide the required cooling capacity or to initiate actions to place the unit in MODE 5, where an ECCS train is not required.
B.1When the Required Actions of Condition A cannot be completed within the required Completion Time, the unit should be
 
placed in MODE
: 5. Twenty-four hours is a reasonable time, based on operating experience, to reach MODE 5 in an orderly manner and without challenging unit systems or operators.
ECCS-Shutdown B 3.5.3 BASESNorth Anna Units 1 and 2B 3.5.3-3Revision 0 SURVEILLANCE REQUIREMENTS SR  3.5.3.1 The applicable Surveillance descriptions from Bases 3.5.2 apply.REFERENCES The applicable references from Bases 3.5.2 apply.
Intentionally Blank North Anna Units 1 and 2B 3.5.4-1Revision 0 RWST B 3.5.4 B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.4Refueling Water Storage Tank (RWST)
BASES BACKGROUND The RWST supplies borated water to the Chemical and Volume
 
Control System (CVCS) during abnormal operating conditions, to the refueling pool during refueling, and to the ECCS and
 
the Quench Spray System during accident conditions.
The RWST supplies water to the ECCS pumps through a common
 
supply header. Water from the supply header enters the low
 
head safety injection (LHSI) pumps through parallel, normally open, motor operated valv es. Water to the High Head Safety Injection (HHSI) pumps is supplied via parallel motor operated valves to ensure that at least one opens on receipt of a safety injection actuation signal. The supply header
 
then branches to the three HHSI pumps. The RWST supplies
 
water to the Quench Spray pumps via separate, redundant
 
lines. A motor operated isolation valve is provided in each header to isolate the RWST from the ECCS once the system has
 
been transferred to the recirculation mode. The
 
recirculation mode is entered when pump suction is
 
transferred to the containment sump either manually or
 
automatically following receipt of the RWST-Low Low level
 
signal. Use of a single RWST to supply both trains of the ECCS and Quench Spray System is acceptable since the RWST is a passive component used for a short period of time following
 
an accident, and passive failures are not required to be
 
assumed to occur during the time the RWST is needed following
 
Design Basis Events.
The switchover from normal operation to the injection phase
 
of ECCS operation requires changing HHSI pump suction from
 
the CVCS volume control tank (VCT) to the RWST through the
 
use of isolation valves.
During normal operation, the LHSI pumps are aligned to take
 
suction from the RWST.
The ECCS pumps are provided with recirculation lines that ensure each pump can maintain mini mum flow requirements when operating at or near shutoff head conditions.(continued)
North Anna Units 1 and 2B 3.5.4-2Revision 0 RWST B 3.5.4 BASES BACKGROUND (continued)
When the suction for the ECCS pumps is transferred to the
 
containment sump, the recirculation lines are isolated to
 
prevent a release of the containment sump contents to the
 
RWST, which could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ECCS
 
pumps.This LCO ensures that:a.The RWST contains sufficient borated water to support the ECCS during the injection phase and Quench Spray System;b.Sufficient water volume exists in the containment sump to support continued operation of the ECCS and Recirculation
 
Spray System pumps following transfer to the
 
recirculation mode of cooling; andc.The reactor remains subcritical following a loss of coolant accident (LOCA).
Insufficient water volume in the RWST could result in
 
insufficient cooling capacity when the transfer to the
 
recirculation mode occurs. Improper boron concentrations
 
could result in a reduction of SDM or excessive boric acid
 
precipitation in the core following the LOCA, as well as
 
excessive caustic stress corrosion of mechanical components
 
and systems inside the containment.
APPLICABLE
 
SAFETY ANALYSES During accident conditions, the RWST provides a source of
 
borated water to the ECCS and Quench Spray System pumps. As
 
such, it provides containment cooling and depressurization, core cooling, and replacement inventory to the RCS and is a
 
source of negative reactivity for reactor shutdown (Ref.
1). The design basis transients and applicable safety analyses
 
concerning each of these systems are discussed in the
 
Applicable Safety Analyses section of B 3.5.2, "ECCS-Operating"; B 3.5.3, "ECCS-Shutdown"; and B 3.6.6, "Quench Spray System." These analyses are used to assess
 
changes to the RWST in order to evaluate their effects in
 
relation to the acceptance limits in the analyses.
The RWST must also meet volume, boron concentration, and
 
temperature requirements for certain non-LOCA events. The
 
volume is not an explicit assumption in non-LOCA events
 
since the required volume is a small fraction of the (continued)
RWST B 3.5.4 BASESNorth Anna Units 1 and 2B 3.5.4-3Revision 10 APPLICABLE SAFETY ANALYSES (continued) available volume. The d eliverable volume limit is assumed by the Large Break LOCA containment analyses. For the RWST, the
 
deliverable volume is different from the total volume
 
contained. Because of the design of the tank, more water can
 
be contained than can be delivered. The upper RWST volume
 
limit is assumed for pH control after a LBLOCA. The minimum
 
boron concentration is an explicit assumption in the main
 
steam line break (MSLB) analysis to ensure the required
 
shutdown capability. The importance of its value is small
 
because of the boron injection tank (BIT) with a high boron
 
concentration. The maximum boron concentration is an
 
explicit assumption in the inadvertent ECCS actuation
 
analysis, although it is typically a nonlimiting event and
 
the results are very insensitive to boron concentrations.
 
The maximum RWST temperature ensures that the amount of
 
containment cooling provided from the RWST during
 
containment pressurization events is consistent with safety
 
analysis assumptions. The minimum RWST temperature is an
 
assumption in the inadvertent Quench Spray actuation
 
analyses.For a large break LOCA analysis, the minimum water volume
 
limit of 466,200 gallons and the lower boron concentration limit of 2600 ppm are used to compute the post LOCA sump boron concentration necessary to assure subcriticality. The
 
large break LOCA is the limiting case since the safety
 
analysis assumes that all control rods are out of the core.
The upper limit on boron concentration of 2800 ppm is used to determine the maximum allowable time to switch to hot leg
 
recirculation following a LOCA. The purpose of switching
 
from cold leg to hot leg injection is to avoid boron
 
precipitation in the core following the accident.
In the ECCS analysis, the quench spray temperature is
 
bounded by the RWST lower temperature limit of 40
&deg;F. If the lower temperature limit is violated, the quench spray
 
further reduces containment pressure, which decreases the rate at which steam can be vented out the break and increases peak clad temperature. The upper temperature limit of 50
&deg;F is bounded by the values used in the small break LOCA analysis
 
and containment OPERABILITY analysis. Exceeding this
 
temperature will result in a higher peak clad temperature, because there is less heat transfer from the core to the
 
injected water for the small break LOCA and higher
 
containment pressures due to reduced quench spray cooling
 
capacity. For the containment response following an MSLB, (continued)
North Anna Units 1 and 2B 3.5.4-4Revision 10 RWST B 3.5.4 BASES APPLICABLE
 
SAFETY ANALYSES (continued)the lower limit on boron concentration and the upper limit on
 
RWST water temperature are used to maximize the total energy
 
release to containment.
The RWST satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCOThe RWST ensures that an adequate supply of borated water is available to cool and depressurize the containment in the
 
event of a Design Basis Accident (DBA), to cool and cover the core in the event of a LOCA, to maintain the reactor
 
subcritical following a DBA, and to ensure adequate level in the containment sump to supp ort ECCS and Recirculation Spray System pump operation in the recirculation mode.
To be considered OPERABLE, the RWST must meet the water
 
volume, boron concentration, and temperature limits
 
established in the SRs.
APPLICABILITY In MODES 1, 2, 3, and 4, RWST OPERABILITY requirements are dictated by ECCS and Quench Spray System OPERABILITY
 
requirements. Since both the ECCS and the Quench Spray
 
System must be OPERABLE in MODES 1, 2, 3, and 4, the RWST must also be OPERABLE to support their operation. Core
 
cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level." ACTIONS A.1 With RWST boron concentration or borated water temperature
 
not within limits, they must be returned to within limits
 
within 8 hours. Under these conditions neither the ECCS nor the Quench Spray System can perform its design function.
 
Therefore, prompt action must be taken to restore the tank to
 
OPERABLE condition. The 8 hour limit to restore the RWST temperature or boron concentration to within limits was
 
developed considering the time required to change either the
 
boron concentration or temperature and the fact that the
 
contents of the tank are still available for injection.
RWST B 3.5.4 BASESNorth Anna Units 1 and 2B 3.5.4-5Revision 46 ACTIONS (continued)
B.1 With the RWST inoperable for reasons other than Condition A (e.g., water volume), it must be restored to OPERABLE status
 
within 1 hour.In this Condition, neither the ECCS nor the Quench Spray
 
System can perform its design function. Therefore, prompt
 
action must be taken to restore the tank to OPERABLE status
 
or to place the unit in a MODE in which the RWST is not
 
required. The short time limit of 1 hour to restore the RWST to OPERABLE status is based on this condition simultaneously affecting redundant trains.
C.1 and C.2 If the RWST cannot be returned to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.5.4.1 The RWST borated water temperature should be verified to be
 
within the limits assumed in the accident analyses band. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.5.4.2 The RWST water volume should be verified to be above the
 
required minimum level in order to ensure that a sufficient
 
initial supply is available for injection and to support
 
continued ECCS and Recirculation Spray System pump operation
 
on recirculation. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.
North Anna Units 1 and 2B 3.5.4-6Revision 46 RWST B 3.5.4 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.5.4.3 The boron concentration of the RWST should be verified to be within the required limits. This SR ensures that the reactor
 
will remain subcritical following a LOCA. Further, it
 
assures that the resulting sump pH will be maintained in an
 
acceptable range so that boron precipitation in the core
 
will not occur and the effect of chloride and caustic stress
 
corrosion on mechanical systems and components will be
 
minimized. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Chapter 6 and Chapter
: 15.
North Anna Units 1 and 2B 3.5.5-1Revision 0 Seal Injection Flow B 3.5.5 B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.5Seal Injection Flow BASES BACKGROUND The function of the seal injection throttle valves during an
 
accident is similar to the function of the ECCS throttle
 
valves in that each restricts flow from the High Head Safety
 
Injection (HHSI) pump header to the Reactor Coolant System (RCS).The restriction on reactor coolant pump (RCP) seal injection flow limits the amount of ECCS flow that would be diverted
 
from the injection path following an accident and precludes
 
HHSI pump runout due to excessive seal injection flow. This
 
limit is based on safety analysis assumptions that are
 
required because RCP seal injection flow is not isolated
 
during safety injection (SI).
APPLICABLE
 
SAFETY ANALYSES All ECCS subsystems are assumed to be OPERABLE in the large
 
break loss of coolant accident (LOCA) at full power (Ref. 1). The LOCA anal ysis establishes the minimum flow for the HHSI pumps. The HHSI pumps are also credited in the small break LOCA analysis. This analysis establishes the flow and discharge head requirements at the design point for the HHSI pumps. The steam generator tube rupture and main steam line
 
break event analyses also credit the HHSI pumps, but are not
 
limiting in their design. Reference to these analyses is
 
made in assessing changes to the Seal Injection System for
 
evaluation of their effects in relation to the acceptance
 
limits in these analyses.
This LCO ensures that seal injection flow of  30 gpm, with RCS pressure  2215 psig and  2255 psig and seal injection (air operated) hand control valve full open, will be limited
 
in such a manner that the ECCS trains will be capable of
 
delivering sufficient water to provide adequate core cooling
 
following a large LOCA, and protect against HHSI pump
 
runout. The analysis conservatively neglects the
 
contribution from seal injection to the RCS. This
 
conservatism bounds the minor effect of instrument
 
uncertainty, so instrument uncertainties have not been
 
included in the derivation of the flow (30 gpm) and RCS
 
pressure ( 2215 psig and  2255 psig) setpoints. The flow limit also ensures that the HHSI pumps will deliver (continued)
North Anna Units 1 and 2B 3.5.5-2Revision 0 Seal Injection Flow B 3.5.5 BASES APPLICABLE
 
SAFETY ANALYSES (continued) sufficient water for a small LOCA and sufficient boron to
 
maintain the core subcritical. For smaller LOCAs, the HHSI
 
pumps alone deliver sufficient fluid to overcome the loss
 
and maintain RCS inventory.
Seal injection flow satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The intent of the LCO limit on seal injection flow is to make
 
sure that flow through the RCP seal water injection line is
 
low enough to ensure that sufficient HHSI pump injection
 
flow is directed to the RCS via the injection points and to
 
prevent pump runout.
The LCO is not strictly a flow limit, but rather a flow limit based on a flow line resistance. In order to establish the
 
proper flow line resistance, a pressure and flow must be
 
known. The flow line resistance is determined by assuming
 
that the RCS pressure is at normal operating pressure as
 
specified in this LCO. The HHSI pump discharge header
 
pressure remains essentially constant through all the
 
applicable MODES of this LCO. A reduction in RCS pressure
 
would result in more flow being diverted to the RCP seal
 
injection line than at normal operating pressure. The valve
 
settings established at the prescribed RCS pressure result
 
in a conservative valve position should RCS pressure
 
decrease. The additional modifier of this LCO, the seal
 
injection (air operated) hand control valve being full open, is required since the valve is designed to fail open for the
 
accident condition. With the discharge pressure and control
 
valve position as specified by the LCO, a flow path resistance limit is est ablished. It is this resistance limit that is used in the accident analyses.
The limit on seal injection flow, combined with the RCS
 
pressure limit and an open wide condition of the seal
 
injection hand control valve, must be met to render the ECCS OPERABLE. If these conditions are not met, the ECCS flow to
 
the core could be less than that assumed in the accident
 
analyses.APPLICABILITY In MODES 1, 2, and 3, the seal injection flow limit is dictated by ECCS flow requirements, which are specified for
 
MODES 1, 2, 3, and
: 4. The seal injection flow limit is not applicable for MODE 4 and lower, however, because high seal (continued)
Seal Injection Flow B 3.5.5 BASESNorth Anna Units 1 and 2B 3.5.5-3Revision 46 APPLICABILITY (continued) injection flow is less critical as a result of the lower initial RCS pressure and decay heat removal requirements in
 
these MODES. Therefore, RCP seal injection flow must be
 
limited in MODES 1, 2, and 3 to ensure adequate ECCS performance.
ACTIONS A.1 With the seal injection flow exceeding its limit, the amount
 
of charging flow available to the RCS may be reduced or, following a LOCA, pump runout could occur. Under this
 
Condition, action must be taken to restore the flow to below
 
its limit. The operator has 4 hours from the time the flow is known to be above the limit to correctly position the manual
 
valves and thus be in compliance with the accident analysis.
 
The Completion Time minimizes the potential exposure of the
 
unit to a LOCA with insufficient injection flow and provides
 
a reasonable time to restore seal injection flow within
 
limits. This time is conservative with respect to the Completion Times of other ECCS LCOs; it is based on operating
 
experience and is sufficient for taking corrective actions
 
by operations personnel.
B.1 and B.2 When the Required Actions cannot be completed within the
 
required Completion Time, a controlled shutdown must be
 
initiated. The Completion Time of 6 hours for reaching MODE 3 from MODE 1 is a reasonable time for a controlled shutdown, based on operating experience and normal cooldown
 
rates, and does not challenge unit safety systems or
 
operators. Continuing the unit shutdown begun in Required
 
Action B.1, an additional 6 hours is a reasonable time, based on operating experience and normal cooldown rates, to
 
reach MODE 4, where this LCO is no longer applicable.
SURVEILLANCE
 
REQUIREMENTS SR  3.5.5.1 Verification that the manual seal injection throttle valves
 
are adjusted to give a flow within the limit ensures that
 
proper manual seal injection throttle valve position, and
 
hence, proper seal injection flow, is maintained. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.(continued)
North Anna Units 1 and 2B 3.5.5-4Revision 46 Seal Injection Flow B 3.5.5 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.5.5.1 (continued)
As noted, the Surveillance is not required to be performed
 
until 4 hours after the RCS pressure has stabilized within a
+/- 20 psi range of normal operating pressure. The RCS pressure requirement is specified since this configuration
 
will produce the required pressure conditions necessary to
 
assure that the manual valves are set correctly. The
 
exception is limited to 4 hours to ensure that the Surveillance is timely.
REFERENCES1.UFSAR, Chapter 6 and Chapter
: 15.
North Anna Units 1 and 2B 3.5.6-1Revision 0 BIT B 3.5.6 B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.6Boron Injection Tank (BIT)
BASES BACKGROUND The BIT is the primary means of quickly introducing negative reactivity into the Reactor Coolant System (RCS) on a safety injection (SI) signal.
The main flow path through the Boron Injection Tank is from
 
the discharge of the High Head Safety Injection (HHSI) pumps
 
through lines equipped with a flow element and two valves in
 
parallel that open on an SI signal. The valves can be
 
operated from the main control board. The valves and flow
 
elements have main control board indications. Downstream of
 
these valves, the flow enters the BIT (Ref.
1).The BIT is a stainless steel clad tank containing
 
concentrated boric acid. Two trains of strip heaters are
 
mounted on the tank to keep the temperature of the boric acid solution above the precipitation point. The strip heaters
 
are controlled by temperature elements located near the
 
bottom of the BIT. The temperature elements also activate
 
High and Low temperature alarms in the Control Room. In
 
addition to the strip heaters on the BIT, there is a
 
recirculation system with a heat tracing system, including
 
the piping section between the motor operated isolation
 
valves, which further ensures that the boric acid stays in
 
solution. The entire contents of the BIT are injected when
 
required; thus, the contained and deliverable volumes are
 
the same.During normal operation, a bo ric acid transfer pump provides recirculation between the boric acid tank and the BIT. On
 
receipt of an SI signal, the recirculation line valves
 
close. Flow to the BIT is then supplied from the HHSI pumps.
The solution of the BIT is injected into the RCS through the
 
RCS cold legs.
APPLICABLE
 
SAFETY ANALYSES During a main steam line break (MSLB) or loss of coolant
 
accident (LOCA), the BIT provides an immediate source of
 
concentrated boric acid that quickly introduces negative
 
reactivity into the RCS.(continued)
North Anna Units 1 and 2B 3.5.6-2Revision 0 BIT B 3.5.6 BASES APPLICABLE
 
SAFETY ANALYSES (continued)The contents of the BIT are not credited for core cooling or
 
immediate boration in the LOCA analysis, but are for post
 
LOCA recovery. The BIT maximum boron concentration of
 
15,750 ppm is used to determine the minimum time for hot leg recirculation switchover. The minimum boron concentration of
 
12,950 ppm is used to determine the minimum mixed mean sump boron concentration for post LOCA shutdown requirements.
For the MSLB, the BIT is the primary mechanism for injecting
 
boron into the core to counteract the positive increases in
 
reactivity caused by an RCS cooldown. The MSLB core response
 
analysis conservatively assumes a 0 ppm minimum boron concentration of the BIT, which also affects the departure
 
from nucleate boiling design analysis. The MSLB containment
 
response analysis conservatively assumes a 2000 ppm minimum boron concentration of the BIT. Reference to the LOCA and
 
MSLB analyses is used to assess changes to the BIT to
 
evaluate their effect on the acceptance limits contained in
 
these analyses.
The minimum temperature limit of 115
&deg;F for the BIT ensures that the solution does not reach the boric acid
 
precipitation point. The temperature of the solution is
 
monitored and alarmed on the main control board.
The BIT boron concentration limits are established to ensure
 
that the core remains subcritical during post LOCA recovery.
The BIT will counteract any positive increases in reactivity caused by an RCS cooldown.
The BIT water volume of 900 gallons is used to ensure that the appropriate quantity of highly borated water with
 
sufficient negative reactivity is injected into the RCS to
 
shut down the core following an MSLB, to determine the hot
 
leg recirculation switchover time, and to safeguard against
 
boron precipitation.
The BIT satisfies Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO establishes the minimum requirements for contained
 
volume, boron concentration, and temperature of the BIT
 
inventory. This ensures that an adequate supply of borated water is available in the event of a LOCA or MSLB to maintain
 
the reactor subcritical following these accidents.(continued)
BIT B 3.5.6 BASESNorth Anna Units 1 and 2B 3.5.6-3Revision 0 LCO (continued)
To be considered OPERABLE, the limits established in the SR for water volume, boron concentration, and temperature must
 
be met.APPLICABILITY In MODES 1, 2, and 3, the BIT OPERABILITY requirements are consistent with those of LCO 3.5.2, "ECCS-Operating." In MODES 4, 5, and 6, the respective accidents are less severe, so the BIT is not required in these lower MODES.
ACTIONS A.1 If the required volume is not present in the BIT, both the
 
hot leg recirculation switchover time analysis and the boron
 
precipitation analysis may not be correct. Under these
 
conditions, prompt action must be taken to restore the
 
volume to above its required limit to declare the tank
 
OPERABLE, or the unit must be placed in a MODE in which the
 
BIT is not required.
The BIT boron concentration is considered in the hot leg
 
recirculation switchover time analysis, the boron
 
precipitation analysis, and may effect the reactivity
 
analysis for an MSLB. If the concentration were not within
 
the required limits, these analyses could not be relied on.
 
Under these conditions, prompt action must be taken to
 
restore the concentration to within its required limits, or the unit must be placed in a MODE in which the BIT is not required.The BIT temperature limit is established to ensure that the
 
solution does not reach the boric acid crystallization
 
point. If the temperature of the solution drops below the
 
minimum, prompt action must be taken to raise the
 
temperature and declare the tank OPERABLE, or the unit must
 
be placed in a MODE in which the BIT is not required.
The 1 hour Completion Time to restore the BIT to OPERABLE status is consistent with other Completion Times established
 
for loss of a safety function and ensures that the unit will
 
not operate for long periods outside of the safety analyses.
North Anna Units 1 and 2B 3.5.6-4Revision 46 BIT B 3.5.6 BASES ACTIONS (continued)
B.1, B.2, and B.3 When Required Action A.1 cannot be completed within the required Completion Time, a controlled shutdown should be
 
initiated. Six hours is a reasonable time, based on
 
operating experience, to reach MODE 3 from full power conditions and to be borated to the required SDM without
 
challenging unit systems or operators. Borating to the
 
required SDM assures that the unit is in a safe condition, without need for any additional boration.
After determining that the BIT is inoperable and the
 
Required Actions of B.1 and B.2 have been completed, the tank must be returned to OPERABLE status within 7 days. These actions ensure that the unit will not be operated with
 
an inoperable BIT for a lengthy period of time. It should be
 
noted, however, that changes to applicable MODES cannot be
 
made until the BIT is restored to OPERABLE status, except as provided by LCO 3.0.4.C.1 Even though the RCS has been borated to a safe and stable
 
condition as a result of Required Action B.2, either the BIT must be restored to OPERABLE status (Required Action C.1) or the unit must be placed in a condition in which the BIT is
 
not required (MODE 4). The 12 hour Completion Time to reach MODE 4 is reasonable, based on operating experience and normal cooldown rates, and does not challenge unit safety
 
systems or operators.
SURVEILLANCE
 
REQUIREMENTS SR  3.5.6.1 Verification that the BIT water temperature is at or above
 
the specified minimum temperature will identify a
 
temperature change that would approach the acceptable limit.
 
The solution temperature is also monitored by an alarm that
 
provides further assurance of protection against low
 
temperature. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.
BIT B 3.5.6 BASESNorth Anna Units 1 and 2B 3.5.6-5Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.5.6.2 Verification that the BIT contained volume is above the
 
required limit assures that this volume will be available
 
for quick injection into the RCS. The 900 gallon limit corresponds to the BIT being completely full. Methods of
 
verifying that the BIT is completely full include venting
 
from the high point vent, and recirculation flow with the
 
Boric Acid Storage Tanks. If the volume is too low, the BIT
 
would not provide enough borated water to ensure subcriticality during recirculation or to provide additional
 
core shutdown margin following an MSLB. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
SR  3.5.6.3 Verification that the boron concentration of the BIT is
 
within the required band ensures that the reactor remains
 
subcritical following a LOCA; it limits return to power following an MSLB, and maintains the resulting sump pH in an acceptable range so that boron precipitation will not occur in the core. In addition, the effect of chloride and caustic stress corrosion on mechanical systems and components will
 
be minimized.
The BIT is in a recirculation loop that provides continuous
 
circulation of the boric acid solution through the BIT and
 
the boric acid tank (BAT). There are a number of points along the recirculation loop where local samples can be taken. The actual location used to take a sample of the solution is
 
specified in the unit Surveillance procedures. Sampling from
 
the BAT to verify the concentration of the BIT is not
 
recommended, since this sample may not be homogenous and the boron concentration of the two tanks may differ.
The sample should be taken from the BIT or from a point in
 
the flow path of the BIT recirculation loop.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Chapter 6 and Chapter
: 15.
Intentionally Blank North Anna Units 1 and 2B 3.6.1-1Revision 0 Containment B 3.6.1 B 3.6  CONTAINMENT SYSTEMSB 3.6.1Containment BASES BACKGROUND The containment consists of the concrete reactor building, its steel liner, and the penetrations through this
 
structure. The structure is designed to contain radioactive
 
material that may be released from the reactor core
 
following a design basis loss of coolant accident (LOCA).
 
Additionally, this structure provides shielding from the
 
fission products that may be present in the containment
 
atmosphere following accident conditions.
The containment is a reinforced concrete structure with a
 
cylindrical wall, a flat foundation mat, and a hemispherical dome roof. The inside surface of the containment is lined
 
with a carbon steel liner to ensure a high degree of leak
 
tightness during operating and accident conditions.
The concrete reactor building is required for structural
 
integrity of the containment under Design Basis Accident (DBA) conditions. The steel liner and its penetrations
 
establish the leakage limiting boundary of the containment.
 
Maintaining the containment OPERABLE limits the leakage of
 
fission product radioactivity from the containment to the
 
environment. SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.
The isolation devices for the penetrations in the
 
containment boundary are a part of the containment leak
 
tight barrier. To maintain this leak tight barrier:a.All penetrations required to be closed during accident conditions are either:1.capable of being closed by an OPERABLE automatic containment isolation system, or2.closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed
 
positions, except as provided in LCO 3.6.3, "Containment Isolation Valves";
North Anna Units 1 and 2B 3.6.1-2Revision 31 Containment B 3.6.1 BASES BACKGROUND (continued)b.Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks";c.All equipment hatches are closed; andd.The sealing mechanism associated with each penetration (e.g. welds, bellows, or O-rings) is OPERABLE.
APPLICABLE
 
SAFETY ANALYSES The safety design basis for the containment is that the containment must withstand the pressures and temperatures of
 
the limiting DBA without exceeding the design leakage rate.
The DBAs that result in a challenge to containment
 
OPERABILITY from high p ressures and temperatures are a LOCA, a steam line break, and a rod ejection accident (REA)
(Ref. 2). In addition, release of significant fission product radioactivity within containment can occur from a
 
LOCA or REA. In the DBA analyses, it is assumed that the
 
containment is OPERABLE such that, for the DBAs involving
 
release of fission product radioactivity, release to the
 
environment is controlled by the rate of containment
 
leakage. The containment was designed with an allowable
 
leakage rate of 0.1% of containment air weight per day (Ref. 3). This leakage rate, used to evaluate offsite doses resulting from accidents, is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as L a: the maximum allowable containment leakage rate at the calculated peak containment
 
internal pressure (P a) resulting from the limiting design basis LOCA. The allowable leakage rate represented by L a forms the basis for the acceptance criteria imposed on all
 
containment leakage rate testing. L a is assumed to be 0.1% of containment air weight per day in the safety analyses at P a (Ref. 3).Satisfactory leakage rate test results are a requirement for
 
the establishment of containment OPERABILITY.
The containment satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCOContainment OPERABILITY is maintained by limiting leakage to 1.0 L a , except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage
 
test. At this time the applicable leakage limits must be met.(continued)
Containment B 3.6.1 BASESNorth Anna Units 1 and 2B 3.6.1-3Revision 0 LCO (continued)
Compliance with this LCO will ensure a containment configuration, including the equipment hatch, that is
 
structurally sound and that will limit leakage to those
 
leakage rates assumed in the safety analysis.
Individual leakage rates specified for the containment air
 
lock (LCO 3.6.2) and purge valves with resilient seals (LCO 3.6.3) are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J. Therefore, leakage rates exceeding these individual limits only result in the
 
containment being inoperable when the leakage results in
 
exceeding the overall acceptance criteria of 1.0 L a.APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
 
Therefore, containment is not required to be OPERABLE in
 
MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.4, "Containment Penetrations." ACTIONS A.1 In the event containment is inoperable, containment must be
 
restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and
: 4. This time period also ensures that the probability of an accident (requiring
 
containment OPERABILITY) occurring during periods when
 
containment is inoperable is minimal.
B.1 and B.2 If containment cannot be restored to OPERABLE status within
 
the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
North Anna Units 1 and 2B 3.6.1-4Revision 0 Containment B 3.6.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.6.1.1 Maintaining the containment OPERABLE requires compliance
 
with the visual examinations and leakage rate test
 
requirements of the Containment Leakage Rate Testing
 
Program. Failure to meet air lock and purge valves with
 
resilient seal leakage limits specified in LCO 3.6.2 and LCO 3.6.3 does not invalidate the acceptability of these overall leakage determinations unless their contribution to
 
overall Type A, B, and C leakage causes that to exceed limits. As left leakage prior to the first startup after
 
performing a required Containment Leakage Rate Testing Program, leakage test is required to be  0.6 L a for combined Type B and C leakage, and  0.75 L a for overall Type A leakage. At all other times between required leakage rate
 
tests, the acceptance criteria is based on an overall Type A
 
leakage limit of  1.0 L a. At  1.0 L a the offsite dose consequences are bounded by the assumptions of the safety
 
analysis. SR Frequencies are as required by the Containment
 
Leakage Rate Testing Program. These periodic testing
 
requirements verify that the containment leakage rate does
 
not exceed the leakage rate assumed in the safety analysis.
REFERENCES1.10 CFR 50, Appendix J, Option B.2.UFSAR, Chapter 15.3.UFSAR, Section 6.2.
North Anna Units 1 and 2B 3.6.2-1Revision 0 Containment Air Locks B 3.6.2 B 3.6  CONTAINMENT SYSTEMSB 3.6.2Containment Air Locks BASES BACKGROUND Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all
 
MODES of operation.
Each air lock is nominally a right circular cylinder, one of which is 7 ft in diameter, the other 5.75 ft in diameter, with a door at each end. The 5.75 ft diameter equipment hatch escape air lock is an integral part of the containment
 
equipment hatch. The doors are interlocked to prevent simultaneous opening. During periods when containment is not required to be OPERABLE, the door interlock mechanism may be
 
disabled, allowing both doors of an air lock to remain open
 
for extended periods when frequent containment entry is
 
necessary. Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the
 
maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains
 
double gasketed seals and local leakage rate testing capability to ensure pr essure integrity. The inner and outer door of the 7 ft diameter personnel air lock include an 18
 
inch diameter emergency manway. The manways contain double
 
gasketed seals and local leak rate testing capability to
 
ensure pressure integrity. The manways are to be used only
 
for emergency entrance or exit from the air lock. Operation
 
of the manways of the 7 ft personnel air lock is controlled
 
administratively.
The 7 ft personnel air lock is provided with limit switches on both doors that provide control room alarm of inside or
 
outside door operation. Outside access to the 5.75 ft equipment hatch escape air lock is controlled by an alarmed
 
door to the space outside containment which provides access
 
to the air lock.
The containment air locks form part of the containment
 
pressure boundary. As such, air lock integrity and leak
 
tightness is essential for maintaining the containment
 
leakage rate within limit in the event of a DBA. Not
 
maintaining air lock integrity or leak tightness may result
 
in a leakage rate in excess of that assumed in the unit
 
safety analyses.
North Anna Units 1 and 2B 3.6.2-2Revision 31 Containment Air Locks B 3.6.2 BASES APPLICABLE
 
SAFETY ANALYSES The DBAs that result in a release of radioactive material
 
within containment are a loss of coolant accident and a rod ejection accident (Ref.
3). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such
 
that release of fission products to the environment is
 
controlled by the rate of containment leakage. The
 
containment was designed with an allowable leakage rate of
 
0.1% of containment air weight per day (Ref.
2). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as L a = 0.1% of containment air weight per day, the maximum allowable containment leakage rate at the calculated
 
peak containment internal pressure P a following a design basis LOCA. This allowable leakage rate forms the basis for
 
the acceptance criteria imposed on the SRs associated with
 
the air locks.
The containment air locks satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Each containment air lock forms part of the containment
 
pressure boundary. As part of the containment pressure
 
boundary, the air lock safety function is related to control
 
of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are
 
essential to the successful mitigation of such an event.
Each air lock is required to be OPERABLE. For the air lock to
 
be considered OPERABLE, the air lock interlock mechanism
 
must be OPERABLE, the air loc k must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. Opening or closing of the manways of the 7 ft
 
personnel air lock is treated in the same manner as opening
 
or closing of the associated door. The interlock allows only
 
one air lock door of an air lock to be opened at one time.
 
Operation of the manways of the 7 ft personnel air lock is
 
controlled administratively. These provisions ensure that a
 
gross breach of containment does not exist when containment
 
is required to be OPERABLE. Closure of a single door in each
 
air lock is sufficient to provide a leak tight barrier
 
following postulated events. Nevertheless, both doors are
 
kept closed when the air lock is not being used for entry
 
into or exit from containment.
Containment Air Locks B 3.6.2 BASESNorth Anna Units 1 and 2B 3.6.2-3Revision 0 APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
 
Therefore, the containment air locks are not required in
 
MODE 5 to prevent leakage of radioactive material from containment. The requirements for the containment air locks
 
during MODE 6 are addressed in LCO 3.9.4, "Containment Penetrations." ACTIONS The ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. If the
 
outer door is inoperable, then it may be easily accessed for
 
most repairs. It is preferred that the 7 ft personnel air lock be used for access to Containment due to the size and
 
configuration of the 5.75 ft equipment hatch escape air locks. The equipment hatch escape air lock is typically only
 
used in case of emergency. This means there is a short time
 
during which the containment boundary is not intact (during
 
access through the OPERABLE door). The ability to open the
 
OPERABLE door, even if it means the containment boundary is
 
temporarily not intact, is acceptable due to the low
 
probability of an event that could pressurize the
 
containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit, the
 
OPERABLE door must be immediately closed.
A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each
 
air lock. This is acceptable, since the Required Actions for
 
each Condition provide appropriate compensatory actions for
 
each inoperable air lock. Complying with the Required
 
Actions may allow for continued operation, and a subsequent
 
inoperable air lock is governed by subsequent Condition
 
entry and application of associated Required Actions.
In the event the air lock leakage results in exceeding the
 
overall containment leakage rate, Note 3 directs entry into the applicable Conditions and Required Actions of LCO 3.6.1, "Containment."
North Anna Units 1 and 2B 3.6.2-4Revision 0 Containment Air Locks B 3.6.2 BASES ACTIONS (continued)
A.1, A.2, and A.3 With one air lock door in one or more containment air locks
 
inoperable, the OPERABLE door must be verified closed (Required Action A.1) in each affected containment air lock.
This ensures that a leak tight containment barrier is
 
maintained by the use of an OPERABLE air lock door. This
 
action must be completed within 1 hour. This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires containment be restored to OPERABLE status within
 
1 hour.In addition, the affected air lock penetration must be isolated by locking closed the OPERABLE air lock door within
 
the 24 hour Completion Time. The 24 hour Completion Time is reasonable for locking the OPERABLE air lock door, considering the OPERABLE door of the affected air lock is
 
being maintained closed.
Required Action A.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and
 
closed OPERABLE air lock door. This ensures that an
 
acceptable containment leakage boundary is maintained. The
 
Completion Time of once per 31 days is based on engineering judgment and is considered adequate in view of the low
 
likelihood of a locked door being mispositioned and other
 
administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high
 
radiation areas and allows these doors to be verified locked
 
closed by use of administrative means. Allowing verification
 
by administrative means is considered acceptable, since
 
access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been
 
verified to be in the proper position, is small.
The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated
 
Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the
 
same air lock inoperable, an OPERABLE door is not available
 
to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does
 
not affect tracking the Completion Time from the initial
 
entry into Condition A; only the requirement to comply with
 
the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls if the air lock has an inoperable door. This 7 day restriction (continued)
Containment Air Locks B 3.6.2 BASESNorth Anna Units 1 and 2B 3.6.2-5Revision 0 ACTIONS A.1, A.2, and A.3 (continued) begins when the air lock door is discovered inoperable.
Containment entry may be required on a periodic basis to
 
perform Technical Specifications (TS) Surveillances and
 
Required Actions, as well as other activities on equipment
 
inside containment that are required by TS or activities on
 
equipment that support TS-required equipment. This Note is
 
not intended to preclude performing other activities (i.e.,
non-TS-required activities) if the containment is entered, using the inoperable air lock, to perform an allowed
 
activity listed above. This allowance is acceptable due to
 
the low probability of an event that could pressurize the
 
containment during the short time that the OPERABLE door is
 
expected to be open.
B.1, B.2, and B.3 With an air lock interlock mechanism inoperable in one or
 
more air locks, the Required Actions and associated
 
Completion Times are consistent with those specified in
 
Condition A.The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated
 
Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the
 
same air lock inoperable, an OPERABLE door is not available
 
to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from containment under the control of a dedicated
 
individual stationed at the air lock to ensure that only one
 
door is opened at a time (i.e., the individual performs the
 
function of the interlock).Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these
 
doors to be verified locked closed by use of administrative
 
means. Allowing verification by administrative means is
 
considered acceptable, since access to these areas is
 
typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in
 
the proper position, is small.
North Anna Units 1 and 2B 3.6.2-6Revision 0 Containment Air Locks B 3.6.2 BASES ACTIONS (continued)
C.1, C.2, and C.3 With one or more air locks inoperable for reasons other than
 
those described in Condition A or B, Required Action C.1 requires action to be initiated immediately to evaluate
 
previous combined leakage rates using current air lock test
 
results. An evaluation is acceptable, since it is overly
 
conservative to immediately declare the containment
 
inoperable if both doors in an air lock have failed a seal
 
test or if the overall air lock leakage is not within limits.
In many instances (e.g., only one seal per door has failed),
containment remains OPERABLE, yet only 1 hour (per LCO 3.6.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a unit shutdown. In
 
addition, even with both doors failing the seal test, the
 
overall containment leakage rate can still be within limits.
Required Action C.2 requires that one door in the affected containment air lock must be verified to be closed within the
 
1 hour Completion Time. This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires that containment be restored to OPERABLE status within
 
1 hour.Additionally, the affected air lock(s) must be restored to
 
OPERABLE status within the 24 hour Completion Time. The specified time period is considered reasonable for restoring
 
an inoperable air lock to OPERABLE status, assuming that at
 
least one door is maintained closed in each affected air
 
lock.D.1 and D.2 If the inoperable containment air lock cannot be restored to
 
OPERABLE status within the required Completion Time, the
 
unit must be brought to a MODE in which the LCO does not
 
apply. To achieve this status, the unit must be brought to at
 
least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems.
Containment Air Locks B 3.6.2 BASESNorth Anna Units 1 and 2B 3.6.2-7Revision 46 SURVEILLANCE REQUIREMENTS SR  3.6.2.1 Maintaining containment air locks OPERABLE requires
 
compliance with the leakage rate test requirements of
 
TS 5.5.15 Containment Leakage Rate Testing Program. This SR reflects the overall air lock leakage rate testing
 
acceptance criteria with regard to air lock leakage (Type B leakage tests). The acceptance criteria were established during initial air lock and containment OPERABILITY testing.
 
The periodic testing requirements verify that the air lock
 
leakage limits do not exceed the allowed fraction of the
 
overall containment leakage rate required by the Technical Specifications. The Frequency is required by the Containment
 
Leakage Rate Testing Program.
The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous
 
successful performance of the overall air lock leakage test.
 
This is considered reasonable since either air lock door is
 
capable of providing a fission product barrier in the event
 
of a DBA. Note 2 has been added to this SR requiring the results to be evaluated against the acceptance criteria
 
which are applicable to SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the
 
combined Type B and C containment leakage rate.
SR  3.6.2.2 The air lock interlock is designed to prevent simultaneous
 
opening of both doors in a single air lock. Since both the
 
inner and outer doors of an air lock are designed to
 
withstand the maximum expected post accident containment
 
pressure, closure of either door will support containment
 
OPERABILITY. Thus, the door interlock feature supports
 
containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic
 
testing of this interlock demonstrates that the interlock
 
will function as designed and that simultaneous opening of
 
the inner and outer doors will not inadvertently occur when
 
combined with administrative procedures. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
 
North Anna Units 1 and 2B 3.6.2-8Revision 46 Containment Air Locks B 3.6.2 BASES REFERENCES1.10 CFR 50, Appendix J, Option B.2.UFSAR, Section 6.2.3.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.6.3-1Revision 8 Containment Isolation Valves B 3.6.3 B 3.6  CONTAINMENT SYSTEMS B 3.6.3Containment Isolation Valves BASES BACKGROUND The containment isolation valves listed in TRM Tables 4.1-1 (Unit 1) and 4.1-2 (Unit
: 2) form part of the containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be
 
provided with two isolation barriers that are closed on a
 
containment isolation signal. These isolation devices are
 
either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve
 
secured), blind flanges, and closed systems are considered
 
passive devices. Automatic valves designed to close without
 
operator action following an accident are considered active
 
devices. Two barriers in series are provided for each
 
penetration so that no single credible failure or
 
malfunction of an active component can result in a loss of
 
isolation or leakage that exceeds limits assumed in the
 
safety analyses. One of these barriers may be a closed
 
system. These barriers (typically containment isolation
 
valves) make up the Containment Isolation System.
Automatic isolation signals are produced during accident
 
conditions. Containment Phase "A" isolation occurs upon receipt of a safety injection signal. The Phase "A" isolation signal isolates nonessential process lines in
 
order to minimize leakage of fission product radioactivity.
 
Containment Phase "B" isolation occurs upon receipt of a containment pressure High-High signal and isolates the
 
remaining process lines, except systems required for
 
accident mitigation.
The OPERABILITY requirements for containment isolation
 
valves help ensure that containment is isolated within the
 
time limits assumed in the safety analyses. Therefore, the
 
OPERABILITY requirements provide assurance that the
 
containment function assumed in the safety analyses will be
 
maintained.(continued)
North Anna Units 1 and 2B 3.6.3-2Revision 0 Containment Isolation Valves B 3.6.3 BASES BACKGROUND (continued)
Containment Purge System (36 inch purge and exhaust valves, 18 inch containment vacuum breaking valve, and 8 inch purge bypass valve)
The Containment Purge System operates to supply outside air
 
into the containment for ventilation and cooling or heating
 
and may also be used to reduce the concentration of noble
 
gases within containment prior to and during personnel
 
access. The supply and exhaust lines each contain two
 
isolation valves. Because of their large size, the 36 inch purge valves are not qualified for automatic closure from
 
their open position under Design Basis Accident (DBA)
 
conditions. Therefore, the 36 inch purge valves are maintained closed in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained. The 18 inch containment vacuum breaking valve and 8 inch bypass valve are also maintained closed in MODES 1, 2, 3, and 4.APPLICABLE
 
SAFETY ANALYSES The containment isolation valve LCO was derived from the
 
assumptions related to minimizing the loss of reactor
 
coolant inventory and establishing the containment boundary
 
during major accidents. As part of the containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment. Therefore, the safety analyses
 
of any event requiring isolation of containment is
 
applicable to this LCO.
The DBAs that result in a release of radioactive material
 
within containment are a loss of coolant accident (LOCA) and
 
a rod ejection accident (Ref.
1). In the analyses for each of these accidents, it is assumed that containment isolation
 
valves are either closed or function to close within the
 
required isolation time following event initiation. This
 
ensures that potential paths to the environment through
 
containment isolation valves (including containment purge
 
valves) are minimized. The safety analyses assume that the
 
36 inch purge and exhaust valves are closed at event initiation.
The DBA analysis assumes that, within 60 seconds after the accident, isolation of the containment is complete and
 
leakage terminated except for the design leakage rate, La.
 
The containment isolation total response time of 60 seconds includes signal delay, diesel generator startup (for loss of offsite power), and containment isolation valve stroke
 
times.(continued)
Containment Isolation Valves B 3.6.3 BASESNorth Anna Units 1 and 2B 3.6.3-3Revision 8 APPLICABLE SAFETY ANALYSES (continued)
The containment isolation valves satisfy Criterion 3 of
 
10 CFR 50.36(c)(2)(ii).
LCO Containment isolation valves listed in TRM Tables 4.1-1 (Unit 1) and 4.1-2 (Unit
: 2) form a part of the containment boundary. The containment isolation valves' safety function
 
is related to minimizing the loss of reactor coolant
 
inventory and establishing the containment boundary during a
 
DBA.The automatic power operated isolation valves are required
 
to have isolation times within limits and to actuate on an
 
automatic isolation signal. The 36, 18, and 8 inch purge valves must be maintained locked, sealed, or otherwise
 
secured closed. The valves covered by this LCO are listed
 
along with their associated stroke times in the Technical
 
Requirements Manual (Ref.
2).The normally closed isolation valves are considered OPERABLE
 
when manual valves are closed, automatic valves are
 
de-activated and secured in their closed position, blind
 
flanges are in place, and closed systems are intact. These
 
passive isolation valves/devices are those listed in
 
Reference 2.Purge valves with resilient seals must meet additional
 
leakage rate requirements. The other containment isolation
 
valve leakage rates are addressed by LCO 3.6.1, "Containment," as Type C testing.
This LCO provides assurance that the containment isolation
 
valves and purge valves will perform their designed safety
 
functions to minimize the loss of reactor coolant inventory
 
and establish the containment boundary during accidents.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
 
Therefore, the containment isolation valves are not required
 
to be OPERABLE in MODE
: 5. The requirements for containment isolation valves during MODE 6 are addressed in LCO 3.9.4, "Containment Penetrations."
North Anna Units 1 and 2B 3.6.3-4Revision 0 Containment Isolation Valves B 3.6.3 BASES ACTIONS The ACTIONS are modified by a Note allowing penetration flow
 
paths, except for 36 inch purge and exhaust valve, 18 inch containment vacuum breaking valve, 8 inch purge bypass valve, and steam jet air ejector suction penetration flow
 
paths, to be unisolated intermittently under administrative
 
controls. These administrative controls consist of
 
stationing a dedicated operator at the valve controls, who
 
is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated. Due to the fact that the 36 inch valves are not qualified for automatic closure from their open position under DBA conditions and that these
 
and the other penetrations listed as excepted exhaust directly from the containment atmosphere to the environment, the penetration flow path containing these valves may not be opened under administrative controls.
A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each
 
penetration flow path. This is acceptable, since the
 
Required Actions for each Condition provide appropriate
 
compensatory actions for each inoperable containment
 
isolation valve. Complying with the Required Actions may
 
allow for continued operation, and subsequent inoperable
 
containment isolation valves are governed by subsequent
 
Condition entry and application of associated Required
 
Actions.The ACTIONS are further modified by a third Note, which
 
ensures appropriate remedial actions are taken, if
 
necessary, if the affected systems are rendered inoperable
 
by an inoperable containment isolation valve.
In the event the leakage for a containment penetration flow
 
path results in exceeding the overall containment leakage
 
rate acceptance criteria, Note 4 directs entry into the applicable Conditions and Required Actions of LCO 3.6.1.A.1 and A.2 In the event one containment isolation valve in one or more
 
penetration flow paths is inoperable, except for purge valve leakage not within limit, th e affected penetration flow path must be isolated. The method of isolation must include the
 
use of at least one isolation barrier that cannot be
 
adversely affected by a single active failure. Isolation
 
barriers that meet this criterion are a closed and (continued)
Containment Isolation Valves B 3.6.3 BASESNorth Anna Units 1 and 2B 3.6.3-5Revision 0 ACTIONS A.1 and A.2 (continued) de-activated automatic containment isolation valve, a closed manual valve, a blind flange, or a check valve with flow
 
through the valve secured. For a penetration flow path
 
isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest
 
available one to containment. Required Action A.1 must be completed within 4 hours. The 4 hour Completion Time is reasonable, considering the time required to isolate the
 
penetration and the relative importance of supporting
 
containment OPERABILITY during MODES 1, 2, 3, and 4.For affected penetration flow paths that cannot be restored
 
to OPERABLE status within the 4 hour Completion Time and that have been isolated in accordance with Required
 
Action A.1, the affected penetration flow paths must be verified to be isolated on a periodic basis. This is
 
necessary to ensure that containment penetrations required
 
to be isolated following an accident and no longer capable of
 
being automatically isolated will be in the isolation
 
position should an event occur. This Required Action does
 
not require any testing or device manipulation. Rather, it involves verification, through a system walkdown, that those
 
isolation devices outside containment and capable of being
 
mispositioned are in the correct position. The Completion
 
Time of "once per 31 days for isolation devices outside containment" is appropriate considering the fact that the
 
devices are operated under administrative controls and the
 
probability of their misalignment is low. For the isolation
 
devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the
 
inaccessibility of the isolation devices and other
 
administrative controls that will ensure that isolation
 
device misalignment is an unlikely possibility.
Condition A has been modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves. For penetration flow paths with only one containment isolation valve and a closed
 
system, Condition C provides the appropriate actions.Required Action A.2 is modified by two Notes. Note 1 applies to isolation devices located in high radiation areas and
 
allows these devices to be verified closed by use of (continued)
North Anna Units 1 and 2B 3.6.3-6Revision 0 Containment Isolation Valves B 3.6.3 BASES ACTIONS A.1 and A.2 (continued) administrative means. Allowing verification by
 
administrative means is considered acceptable, since access
 
to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise
 
secured in position and allows these devices to be verified
 
closed by use of administrative means. Allowing verification
 
by administrative means is considered acceptable, since the
 
function of locking, sealing, or securing components is to
 
ensure that these devices are not inadvertently
 
repositioned. Therefore, the probability of misalignment of
 
these devices once they have been verified to be in the
 
proper position, is small.
B.1 With two containment isolation valves in one or more
 
penetration flow paths inoperable, except for purge valve leakage not within limit, th e affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation barrier that cannot
 
be adversely affected by a single active failure. Isolation
 
barriers that meet this criterion are a closed and
 
de-activated automatic valve, a closed manual valve, and a
 
blind flange. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required
 
Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary
 
to assure leak tightness of containment and that
 
penetrations requiring isolation following an accident are
 
isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative control and the probability of
 
their misalignment is low.
Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two
 
containment isolation valves. Condition A of this LCO addresses the condition of one containment isolation valve
 
inoperable in this type of penetration flow path.
Containment Isolation Valves B 3.6.3 BASESNorth Anna Units 1 and 2B 3.6.3-7Revision 0 ACTIONS (continued)
C.1 and C.2 With one or more penetration flow paths with one containment isolation valve inoperable, the inoperable valve flow path
 
must be restored to OPERABLE status or the affected
 
penetration flow path must be isolated. The method of
 
isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active
 
failure. Isolation barriers that meet this criterion are a
 
closed and de-activated automatic valve, a closed manual
 
valve, and a blind flange. A check valve may not be used to
 
isolate the affected penetration flow path, with the
 
exception of valves specified in Reference
: 4. Required Action C.1 must be completed within the 72 hour Completion Time. The specified time period is reasonable considering
 
the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of maintaining containment integrity
 
during MODES 1, 2, 3, and
: 4. In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This periodic verification is necessary to assure leak tightness of
 
containment and that containment penetrations requiring
 
isolation following an accident are isolated. The Completion
 
Time of once per 31 days for verifying that each affected penetration flow path is isolated is appropriate because the valves are operated under administrative controls and the
 
probability of their misalignment is low.
Condition C is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with only one containment isolation valve and a closed
 
system. The closed system must meet the requirements of
 
Reference 3. This Note is necessary since this Condition is written to specifically address those penetration flow paths
 
in a closed system.Required Action C.2 is modified by two Notes. Note 1 applies to valves and blind flanges located in high radiation areas
 
and allows these devices to be verified closed by use of
 
administrative means. Allowing verification by
 
administrative means is considered acceptable, since access
 
to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise
 
secured in position and allows these devices to be verified
 
closed by use of administrative means. Allowing verification (continued)
North Anna Units 1 and 2B 3.6.3-8Revision 0 Containment Isolation Valves B 3.6.3 BASES ACTIONS C.1 and C.2 (continued) by administrative means is considered acceptable, since the
 
function of locking, sealing, or securing components is to
 
ensure that these devices are not inadvertently
 
repositioned. Therefore, the probability of misalignment of
 
these valves, once they have been verified to be in the
 
proper position, is small.
D.1 With the purge valve penetration leakage rate (SR 3.6.3.4) not within limit, the assumptions of the safety analyses are
 
not met. Therefore, the leakage must be restored to within
 
limit. Restoration can be accomplished by isolating the penetration(s) that caused the limit to be exceeded by use of
 
one closed and de-activated automatic valve, closed manual
 
valve, or blind flange. When a penetration is isolated the
 
leakage rate for the isolated penetration is assumed to be
 
the actual pathway leakage through the isolation device. If
 
two isolation devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway
 
leakage of the two devices. The 24 hour Completion Time for purge valve penetration leakage is acceptable considering
 
the purge valves remain closed so that a gross breach of
 
containment does not exist.
E.1 and E.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE in which the LCO
 
does not apply. To achieve this status, the unit must be
 
brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.6.3.1 This SR requires verification that each containment
 
isolation manual valve and blind flange located outside
 
containment and not loc ked, sealed, or otherwise secured and required to be closed during accident conditions is closed.
 
The SR helps to ensure that post accident leakage of
 
radioactive fluids or gases outside of the containment (continued)
Containment Isolation Valves B 3.6.3 BASESNorth Anna Units 1 and 2B 3.6.3-9Revision 46 SURVEILLANCE REQUIREMENTS SR  3.6.3.1 (continued) boundary is within design limits. This SR does not require
 
any testing or valve manipulation. Rather, it involves
 
verification, through a system walkdown, that those
 
containment isolation valves outside containment and capable
 
of being mispositioned are in the correct position. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program. The SR
 
specifies that containment isolation valves that are open
 
under administrative controls are not required to meet the
 
SR during the time the valves are open. This SR does not
 
apply to valves that are locked, sealed, or otherwise
 
secured in the closed position, since these were verified to
 
be in the correct position upon locking, sealing, or
 
securing.The Note applies to valves an d blind flanges located in high radiation areas and allows these devices to be verified
 
closed by use of administrative means. Allowing verification
 
by administrative means is considered acceptable, since
 
access to these areas is typically restricted during
 
MODES 1, 2, 3 and 4 for ALARA reasons. Therefore, the probability of misalignment of these containment isolation
 
valves, once they have been verified to be in the proper
 
position, is small.
SR  3.6.3.2 This SR requires verification that each containment
 
isolation manual valve and blind flange located inside
 
containment and not loc ked, sealed, or otherwise secured and required to be closed during accident conditions is closed.
 
The SR helps to ensure that post accident leakage of
 
radioactive fluids or gases outside of the containment
 
boundary is within design limits. For containment isolation
 
valves inside containment, the Frequency of "prior to
 
entering MODE 4 from MODE 5 if not performed within the previous 92 days" is appropriate since these containment isolation valves are operated under administrative controls
 
and the probability of their misalignment is low. The SR
 
specifies that containment isolation valves that are open
 
under administrative controls are not required to meet the
 
SR during the time they are open. This SR does not apply to (continued)
North Anna Units 1 and 2B 3.6.3-10Revision 0 Containment Isolation Valves B 3.6.3 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.6.3.2 (continued) valves that are locked, sealed, or otherwise secured in the
 
closed position, since these were verified to be in the
 
correct position upon locking, sealing, or securing.
This Note allows valves and blind flanges located in high
 
radiation areas to be verified closed by use of
 
administrative means. Allowing verification by
 
administrative means is considered acceptable, since access
 
to these areas is typically restricted during MODES 1, 2, 3, and 4, for ALARA reasons. Therefore, the probability of
 
misalignment of these containment isolation valves, once
 
they have been verified to be in their proper position, is
 
small.SR  3.6.3.3 Verifying that the isolation time of each automatic power
 
operated containment isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time test
 
ensures the valve will isolate in a time period less than or
 
equal to that assumed in the safety analyses. The isolation
 
time and Frequency of this SR are in accordance with the
 
Inservice Testing Program.
SR  3.6.3.4 For containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements
 
of 10 CFR 50, Appendix J, Option B, is required to ensure OPERABILITY. Operating experience has demonstrated that this
 
type of seal has the potential to degrade in a shorter time
 
period than do other seal types.
This SR must be performed prior to entering MODE 4 from MODE 5 after containment vacuum has been broken. This Frequency was chosen recognizing that cycling the valve
 
could introduce additional seal degradation (beyond that
 
occurring to a valve that has not been opened). This Frequency will ensure that each time these valves are cycled they will be leak tested.
Containment Isolation Valves B 3.6.3 BASESNorth Anna Units 1 and 2B 3.6.3-11Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.6.3.5 Automatic containment isolation valves close on a
 
containment isolation signal to prevent leakage of
 
radioactive material from containment following a DBA. This
 
SR ensures that each automatic power operated containment
 
isolation valve will actuate to its isolation position on a
 
containment isolation signal. Check valves which are
 
containment isolation valves are not considered automatic
 
valves for the purpose of this Surveillance as they do not receive a containment isolation signal. This Surveillance is
 
not required for valves that are locked, sealed, or
 
otherwise secured in the required position under
 
administrative controls. The Surveillance Frequency is based
 
on operating experience, equipment reliability, and plant
 
risk and is controlled under the Surveillance Frequency
 
Control Program.
SR  3.6.3.6 The check valves that serve a containment isolation function
 
are weight or spring loaded to provide positive closure in
 
the direction of flow. This ensures that these check valves
 
will remain closed when the inside containment atmosphere
 
returns to subatmospheric conditions following a DBA.
 
SR 3.6.3.6 verifies the operation of the check valves that are not testable during unit operation. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Chapter 15.2.Technical Requirements Manual.3.Standard Review Plan 6.2.4.4.UFSAR, Section 6.2.4.2.
Intentionally Blank North Anna Units 1 and 2B 3.6.4-1Revision 31 Containment Pressure B 3.6.4 B 3.6  CONTAINMENT SYSTEMS B 3.6.4  Containment Pressure BASES BACKGROUND Containment air partial pressure is a process variable that
 
is monitored and controlled. The containment air partial
 
pressure is maintained as a function of refueling water
 
storage tank temperature and service water temperature
 
according to Figure 3.6.4-1 of the LCO, to ensure that, following a Design Basis Accident (DBA), the containment
 
would depressurize to less than 2.0 psig in 1 hour and to subatmospheric pressure within 6 hours. Controlling containment partial pressure within prescribed limits also
 
prevents the containment pressure from exceeding the
 
containment design negative pressure differential with
 
respect to the outside atmosphere in the event of an
 
inadvertent actuation of the Quench Spray (QS) System.
 
Controlling containment air partial pressure limits within
 
prescribed limits ensures adequate net positive suction head (NPSH) for the recirculation spray and low head safety
 
injection pumps following a DBA.
The containment internal air partial pressure limits of
 
Figure 3.6.4-1 are derived from the input conditions used in the containment DBA analyses. Limiting the containment internal air partial pr essure and temperature in turn limits the pressure that could be expected following a DBA, thus
 
ensuring containment OPERABILITY. Ensuring containment
 
OPERABILITY limits leakage of fission product radioactivity
 
from containment to the environment.
APPLICABLE
 
SAFETY ANALYSES Containment air partial pressure is an initial condition
 
used in the containment DBA analyses to establish the
 
maximum peak containment internal pressure. The limiting
 
DBAs considered relative to containment pressure are the
 
loss of coolant accident (LOCA) and steam line break (SLB).
 
The LOCA and SLB are analyzed using computer codes designed
 
to predict the resultant containment pressure transients.
 
DBAs are assumed not to occur simultaneously or
 
consecutively. The postulated DBAs are analyzed assuming degraded containment Engineered Safety Feature (ESF) systems (i.e., assuming no offsite power and the loss of one
 
emergency diesel generator, which is the worst case single
 
active failure, resulting in one train of the QS System and (continued)
North Anna Units 1 and 2B 3.6.4-2Revision 31 Containment Pressure B 3.6.4 BASES APPLICABLE
 
SAFETY ANALYSES (continued) one train of the Recirculation Spray System becoming
 
inoperable). The containment analysis for the DBA (Ref.
: 1) shows that the maximum peak containment pressure results
 
from the limiting design basis SLB.
The maximum design internal pressure for the containment is
 
45.0 psig. The LOCA and SLB analyses establish the limits for the containment air partial pressure operating range.
 
The initial conditions used in the containment design basis
 
LOCA analyses were an air partial pressure of 12.3 psia and an air temperature of 115
&deg;F. This resulted in a maximum peak containment internal pressure of 42.7 psig, which is less than the maximum design internal pressure for the
 
containment. The SLB analysis resulted in a maximum peak
 
containment internal pressure of 43.0 psig, which is less than the maximum design internal pressure for the
 
containment.
The containment was also designed for an external pressure
 
load of 9.2 psid (i.e., a design minimum pressure of 5.5 psia). The inadvertent actuation of the QS System was analyzed to determine the reduction in containment pressure (Ref. 1). The initial conditions used in the analysis were 10.3 psia and 115
&deg;F. This resulted in a minimum pressure inside containment of 8.6 psia, which is considerably above the design minimum of 5.5 psia.Controlling containment air partial pressure limits within
 
prescribed limits ensures adequate NPSH for the
 
recirculation spray and low head safety injection pumps
 
following a DBA. The minimum containment air partial
 
pressure is an initial condition for the NPSH analyses.
For certain aspects of transient accident analyses, maximizing the calculated containment pressure is not
 
conservative. In particular, the cooling effectiveness of
 
the Emergency Core Cooling System during the core reflood
 
phase of a LOCA analysis increases with increasing
 
containment backpressure. For the reflood phase
 
calculations, the containment backpressure is calculated in
 
a manner designed to conservatively minimize, rather than
 
maximize, the containment pressure response in accordance
 
with 10 CFR 50, Appendix K (Ref. 2).The radiological consequences analysis demonstrates
 
acceptable results provided the containment pressure
 
decreases to 2.0 psig in 1 hour and does not exceed 2.0 psig (continued)
Containment Pressure B 3.6.4 BASESNorth Anna Units 1 and 2B 3.6.4-3Revision 31 APPLICABLE SAFETY ANALYSES (continued) for the interval from 1 to 6 hours following the Design Basis Accident (Ref.
3). Beyond 6 hours the containment pressure is assumed to be less than 0.0 psig, terminating leakage from containment.
Containment pressure satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO Maintaining containment pressure within the limits shown in
 
Figure 3.6.4-1 of the LCO ensures that in the event of a DBA the resultant peak containment accident pressure will be
 
maintained below the containment design pressure. These
 
limits also prevent the containment pressure from exceeding
 
the containment design negative pressure differential with
 
respect to the outside atmosphere in the event of
 
inadvertent actuation of the QS System. The LCO limits also
 
ensure the containment structure will depressurize to less than 2.0 psig in 1 hour and to subatmospheric pressure within 6 hours following a DBA.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. Since maintaining
 
containment pressure within design basis limits is essential
 
to ensure initial conditions assumed in the accident
 
analyses are maintained, the LCO is applicable in MODES 1, 2, 3, and 4.In MODES 5 and 6, the probability and consequences of these events are reduced due to the Reactor Coolant System
 
pressure and temperature limitations of these MODES.
 
Therefore, maintaining containment pressure within the
 
limits of the LCO is not required in MODE 5 or 6.ACTIONS A.1 When containment air partial pressure is not within the
 
limits of the LCO, containment pressure must be restored to
 
within these limits within 1 hour. The Required Action is necessary to return operation to within the bounds of the
 
containment analysis. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1, "Containment," which requires that containment be restored to OPERABLE
 
status within 1 hour.
North Anna Units 1 and 2B 3.6.4-4Revision46 Containment Pressure B 3.6.4 BASES ACTION  (continued)
B.1 and B.2 If containment air partial pressure cannot be restored to
 
within limits within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To
 
achieve this status, the unit must be brought to at least
 
MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating
 
experience, to reach the required unit conditions from full
 
power conditions in an orderly manner and without
 
challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.6.4.1 Verifying that containment air partial pressure is within
 
limits ensures that operation remains within the limits
 
assumed in the containment analysis. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 6.2.2.10 CFR 50, Appendix K.3.UFSAR, Section 15.4.1.7.
North Anna Units 1 and 2B 3.6.5-1Revision 31 Containment Air Temperature B 3.6.5 B 3.6  CONTAINMENT SYSTEMSB 3.6.5Containment Air Temperature BASES BACKGROUND The containment structure serves to contain radioactive
 
material that may be released from the reactor core
 
following a Design Basis Accident (DBA). The containment
 
average air temperature is limited during normal operation
 
to preserve the initial conditions assumed in the accident analyses for a loss of coolan t accident (LOCA) or steam line break (SLB).
The containment average air temperature limit is derived
 
from the input conditions use d in the containment functional analyses and the containment structure external pressure
 
analyses. This LCO ensures that initial conditions assumed
 
in the analysis of containment response to a DBA are not
 
violated during unit operations. The total amount of energy
 
to be removed from containment by the Containment Spray
 
systems during post accident conditions is dependent upon
 
the energy released to the containment due to the event, as
 
well as the initial containment temperature and pressure.
 
The higher the initial temperature, the more energy which
 
must be removed, resulting in a higher peak containment
 
pressure and temperature. Exceeding containment design
 
pressure may result in leakage greater than that assumed in
 
the accident analysis. Operation with containment
 
temperature in excess of the LCO limit violates an initial
 
condition assumed in the accident analysis.
APPLICABLE
 
SAFETY ANALYSES Containment average air temperature is an initial condition
 
used in the DBA analyses that establishes the containment
 
environmental qualification operating envelope for both
 
pressure and temperature. The limit for containment average
 
air temperature ensures that operation is maintained within
 
the assumptions used in the DBA analyses for containment (Ref. 1).The limiting DBAs considered relative to containment
 
OPERABILITY are the LOCA and SLB. The DBA LOCA and SLB are
 
analyzed using computer codes designed to predict the
 
resultant containment pressure transients. No two DBAs are
 
assumed to occur simultaneously or consecutively. The
 
postulated DBAs are analyzed with regard to containment (continued)
North Anna Units 1 and 2B 3.6.5-2Revision 31 Containment Air Temperature B 3.6.5 BASES APPLICABLE
 
SAFETY ANALYSES (continued)Engineered Safety Feature (ESF) systems, assuming no offsite
 
power and the loss of one emergency diesel generator, which
 
is the worst case single active failure, resulting in one
 
train of the Quench Spray (QS) System and Recirculation
 
Spray System being rendered inoperable. The postulated SLB
 
events are analyzed without credit for the RS system.
The limiting DBA for the maximum peak containment air
 
temperature is an SLB. The initial containment average air
 
temperature assumed in the design basis analyses is 115
&deg;F. This resulted in a maximum containment air temperature of
 
309&deg;F. The design temperature is 280
&deg;F.The temperature upper limit is used to establish the environmental qualification operating envelope for
 
containment. The maximum peak containment air temperature
 
was calculated to exceed the containment design temperature
 
for a relatively short period of time during the transient.
The basis of the containment design temperature, however, is to ensure the performance of safety related equipment inside containment (Ref.
2). Thermal analyses showed that the time interval during which the containment air temperature exceeded the containment design temperature was short enough
 
that there would be no adverse effect on equipment inside
 
containment assumed to mitigate the consequences of the DBA.
 
Therefore, it is concluded that the calculated transient
 
containment air temperature is acceptable for the DBA SLB.
The temperature upper limit is also used in the
 
depressurization analyses to ensure that the minimum
 
pressure limit is maintained following an inadvertent
 
actuation of the QS System (Ref.
1).The containment pressure transient is sensitive to the
 
initial air mass in containment and, therefore, to the
 
initial containment air temperature. The limiting DBA for
 
establishing the maximum peak containment internal pressure
 
is an SLB. The temperature upper limit is used in the SLB
 
analysis to ensure that, in the event of an accident, the
 
maximum containment internal pressure will not be exceeded.
Containment average air temperature satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
Containment Air Temperature B 3.6.5 BASESNorth Anna Units 1 and 2B 3.6.5-3Revision 0 LCO During an SLB, with an initial containment average temperature less than or equal to the LCO temperature
 
limits, the resultant peak accident temperature exceeds
 
containment design temperature for a relatively short period
 
of time, but otherwise is maintained below the containment
 
design temperature. As a result, the ability of containment
 
to perform its design function is ensured.
APPLICABILITY In MODES 1, 2, 3, and 4, an SLB could cause an accidental release of radioactive material to the environment or a
 
reactivity excursion. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment average air temperature within the
 
limit is not required in MODE 5 or 6.ACTIONS A.1 When containment average air temperature is not within the
 
limits of the LCO, it must be restored to within limits
 
within 8 hours. This Required Action is necessary to return operation to within the bounds of the containment analysis.
 
The 8 hour Completion Time is acceptable considering the sensitivity of the analysis to variations in this parameter
 
and provides sufficient time to correct minor problems.
B.1 and B.2 If the containment average air temperature cannot be restored to within its limits within the required Completion Time, the unit must be brought to a MODE in which the LCO
 
does not apply. To achieve this status, the unit must be
 
brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.6.5.1 Verifying that containment average air temperature is within
 
the LCO limits ensures that containment operation remains
 
within the limits assumed for the containment analyses. In
 
order to determine the containment average air temperature, (continued)
North Anna Units 1 and 2B 3.6.5-4Revision 46 Containment Air Temperature B 3.6.5 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.6.5.1 (continued)a weighted average is calculated using measurements taken at
 
locations within containment selected to provide a
 
representative sample of the overall containment atmosphere.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 6.2.2.10 CFR 50.49.
North Anna Units 1 and 2B 3.6.6-1Revision 31 QS System B 3.6.6 B 3.6  CONTAINMENT SYSTEMSB 3.6.6Quench Spray (QS) System BASES BACKGROUND The QS System is designed to provide containment atmosphere
 
cooling to limit post accident pressure and temperature in
 
containment to less than the design values. The QS System, operating in conjunction with the Recirculation Spray (RS)
 
System, is designed to cool and depressurize the containment
 
structure to less than 2.0 psig in 1 hour and to subatmospheric pressure within 6 hours following a Design Basis Accident (DBA). Reduction of containment pressure and
 
the iodine removal capability of the spray limit the release
 
of fission product radioactivity from containment to the
 
environment in the event of a DBA.
The QS System consists of two separate trains of equal
 
capacity, each capable of meeting the design bases. Each
 
train includes a spray pump, a dedicated spray header, nozzles, valves, and piping. Each train is powered from a separate Engineered Safety Features (ESF) bus. The refueling
 
water storage tank (RWST) supplies borated water to the QS
 
System.The QS System is actuated either automatically by a
 
containment High-High pressure signal or manually. The QS System provides a spray of cold borated water into the upper regions of containment to reduce the containment pressure
 
and temperature during a DBA. Each train of the QS System
 
provides adequate spray coverage to meet the system design
 
requirements for containment heat and iodine fission product
 
removal. The QS System also provides flow to the Inside RS
 
pumps to improve the net positive suction head available.
The Chemical Addition System supplies a sodium hydroxide (NaOH) solution into the spray. The resulting alkaline pH of
 
the spray enhances the ability of the spray to scavenge
 
iodine fission products from the containment atmosphere. The
 
NaOH added to the spray also ensures an alkaline pH for the
 
solution recirculated in the containment sump. The alkaline
 
pH of the containment sump water minimizes the evolution of
 
iodine and minimizes the occurrence of chloride and caustic
 
stress corrosion on mechanical systems and components
 
exposed to the fluid.(continued)
North Anna Units 1 and 2B 3.6.6-2Revision 31 QS System B 3.6.6 BASES BACKGROUND (continued)The QS System is a containment ESF system. It is designed to
 
ensure that the heat removal capability required during the
 
post accident period can be attained. Operation of the QS
 
System and RS System provides the required heat removal
 
capability to limit post accident conditions to less than
 
the containment design values and depressurize the
 
containment structure to less than 2.0 psig in 1 hour and to subatmospheric pressure within 6 hours following a DBA.
The QS System limits the temperature and pressure that could be expected following a DBA and ensures that containment
 
leakage is maintained consistent with the accident analysis.
APPLICABLE
 
SAFETY ANALYSES The limiting DBAs considered are the loss of coolant accident (LOCA) and the steam line break (SLB). The LOCA and
 
SLB are analyzed using computer codes designed to predict
 
the resultant containment pressure and temperature
 
transients. No DBAs are assumed to occur simultaneously or
 
consecutively. The postulated DBAs are analyzed, with
 
respect to containment ESF Systems, assuming no offsite
 
power and the loss of one emergency diesel generator, which
 
is the worst case single active failure, resulting in one
 
train of the QS System and the RS System inoperable. The postulated SLB events are analyzed without credit for the RS system.During normal operation, the containment internal pressure
 
is varied, along with other parameters, to maintain the
 
capability to depressurize the containment to less than 2.0
 
psig in 1 hour and to subatmospheric pressure within 6 hours
 
after a DBA. This capability and the variation of
 
containment pressure during a DBA are functions of the
 
service water temperature, the RWST water temperature, and
 
the containment air temperature.
The DBA analyses (Ref.
: 1) show that the maximum peak containment pressure of 43.0 psig results from the SLB analysis and is calculated to be less than the containment
 
design pressure. The maximum peak containment atmosphere
 
temperature of 309
&deg;F results from the SLB analysis and was calculated to exceed the containment design temperature for
 
a relatively short period of time during the transient. The
 
basis of the containment design temperature, however, is to
 
ensure OPERABILITY of safety related equipment inside
 
containment (Ref.
2). Thermal analyses show that the time interval during which the containment atmosphere temperature (continued)
QS System B 3.6.6 BASESNorth Anna Units 1 and 2B 3.6.6-3Revision 31 APPLICABLE SAFETY ANALYSES (continued)exceeded the containment design temperature was short enough
 
that there would be no adverse effect on equipment inside
 
containment assumed to mitigate the consequences of the DBA.
Therefore, it is concluded that the calculated transient
 
containment atmosphere temperatures are acceptable for the
 
SLB.The modeled QS System actuation from the containment
 
analysis is based upon a response time associated with
 
exceeding the containment High-High pressure signal setpoint to achieving full flow through the spray nozzles. A delayed
 
response time initiation provides conservative analyses of
 
peak calculated containment temperature and pressure
 
responses. The QS System total response time of 70 seconds after Containment Pressure-High High comprises the signal
 
delay, diesel generator startup time, and system startup
 
time, including pipe fill time.
For certain aspects of accident analyses, maximizing the
 
calculated containment pressure is not conservative. In
 
particular, the cooling effectiveness of the Emergency Core
 
Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure.
 
For these calculations, the containment backpressure is
 
calculated in a manner designed to conservatively minimize, rather than maximize, the calculated transient containment
 
pressures in accordance with 10 CFR 50, Appendix K (Ref. 3).Inadvertent actuation of the QS System is evaluated in the
 
analysis, and the resultant reduction in containment
 
pressure is calculated. The maximum calculated reduction in containment pressure results in containment pressures within
 
the design containment minimum pressure.
The radiological consequences analysis demonstrates
 
acceptable results provided the containment pressure
 
decreases to 2.0 psig in 1 hour and does not exceed 2.0 psig for the interval from 1 to 6 hours following the Design Basis Accident (Ref.
4). Beyond 6 hours the containment pressure is assumed to be less than 0.0 psig, terminating leakage from containment.
The QS System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.6.6-4Revision 31 QS System B 3.6.6 BASES LCO During a DBA, one train of the QS System is required to
 
provide the heat removal capability assumed in the safety
 
analyses for containment. In addition, one QS System train, with spray pH adjusted by the contents of the chemical
 
addition tank, is required to scavenge iodine fission
 
products from the containment atmosphere and ensure their
 
retention in the containment sump water. To ensure that
 
these requirements are met, two QS System trains must be
 
OPERABLE with power from two safety related, independent
 
power supplies. Therefore, in the event of an accident, at
 
least one train of QS will operate, assuming that the worst
 
case single active failure occurs.
Each QS train includes a spray pump, a dedicated spray
 
header, nozzles, valves, piping, instruments, and controls
 
to ensure an OPERABLE flow path capable of taking suction
 
from the RWST.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment and an increase in
 
containment pressure and temperature requiring the operation
 
of the QS System.
In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature
 
limitations of these MODES. Thus, the QS System is not
 
required to be OPERABLE in MODE 5 or 6.ACTIONS A.1 If one QS train is inoperable, it must be restored to OPERABLE status within 72 hours. The components available in this degraded condition are capable of providing 100% of the heat removal and iodine removal needs after an accident. The
 
72 hour Completion Time was developed taking into account the redundant heat removal and iodine removal capabilities
 
afforded by the OPERABLE train and the low probability of a
 
DBA occurring during this period.
B.1 and B.2 If the Required Action and associated Completion Time are not met, the unit must be brought to a MODE in which the LCO
 
does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 (continued)
QS System B 3.6.6 BASESNorth Anna Units 1 and 2B 3.6.6-5Revision46 ACTIONS B.1 and B.2 (continued) within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.6.6.1 Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in the QS
 
System provides assurance that the proper flow path exists
 
for QS System operation. This SR does not apply to valves
 
that are locked, sealed, or otherwise secured in position, since they were verified to be in the correct position prior to being secured. This SR does not require any testing or
 
valve manipulation. Rather, it involves verification, through a system walkdown, that those valves outside
 
containment and capable of potentially being mispositioned
 
are in the correct position. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
SR  3.6.6.2 Verifying that each QS pump's developed head at the flow test
 
point is greater than or equal to the required developed head
 
ensures that QS pump performance is consistent with the
 
safety analysis assumptions. Flow and differential head are
 
normal tests of centrifugal p ump performance required by the ASME Code (Ref.
5). Since the QS System pumps cannot be tested with flow through the spray headers, they are tested
 
on recirculation flow. This test confirms one point on the
 
pump design curve and is indicative of overall performance.
 
Such inservice tests confirm component OPERABILITY, trend
 
performance, and detect incipient failures by indicating
 
abnormal performance. The Frequency of this SR is in
 
accordance with the Inservice Testing Program.
SR  3.6.6.3 and SR 3.6.6.4These SRs ensure that each QS automatic valve actuates to its
 
correct position and each QS pump starts upon receipt of an
 
actual or simulated Containment Pressure high-high signal.(continued)
North Anna Units 1 and 2B 3.6.6-6Revision46 QS System B 3.6.6 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.6.6.3 and SR 3.6.6.4 (continued)
This Surveillance is not required for valves that are
 
locked, sealed, or otherwise secured in the required
 
position under administrative controls.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program. Therefore, the Frequency was concluded to be acceptable from a
 
reliability standpoint.
SR  3.6.6.5 With the quench spray inlet valves closed and the spray
 
header drained of any solution, low pressure air or smoke can
 
be blown through test connections or an inspection of the
 
nozzles can be performed. This SR ensures that each spray
 
nozzle is unobstructed and that spray coverage of the
 
containment during an accident is not degraded. Due to the
 
passive nature of the design of the nozzle and the
 
non-corrosive design of the system, a test performed
 
following maintenance which could result in nozzle blockage
 
is considered adequate to detect obstruction of the nozzles.
REFERENCES1.UFSAR, Section 6.2.2.10 CFR 50.49.3.10 CFR 50, Appendix K.4.UFSAR, Section 15.4.1.7.5.ASME Code for Operation and Maintenance of Nuclear Power Plants.
North Anna Units 1 and 2B 3.6.7-1Revision 31 RS System B 3.6.7 B 3.6  CONTAINMENT SYSTEMS B 3.6.7  Recirculation Spray (RS) System BASES BACKGROUND The RS System, operating in conjunction with the Quench
 
Spray (QS) System, is designed to limit the post accident pressure and temperature in the containment to less than the design values and to depressurize the containment structure
 
to less than 2.0 psig in 1 hour and to subatmospheric pressure within 6 hours following a Design Basis Accident (DBA). The reduction of containment pressure and the removal of iodine from the containment atmosphere by the spray limit
 
the release of fission product radioactivity from
 
containment to the environment in the event of a DBA.
The RS System consists of two separate trains of equal
 
capacity, each capable of meeting the design and accident analysis bases. Each train includes one RS subsystem outside containment and one RS subsystem inside containment. Each
 
subsystem consists of one approximately 50% capacity spray
 
pump, one spray cooler, one 180
&deg; coverage spray header, nozzles, valves, piping, instrumentatio n, and controls. Each outside RS subsystem also includes a casing cooling pump
 
with its own valves, piping, instrumentation, and controls.
 
The two outside RS subsystems' spray pumps are located
 
outside containment and the two inside RS subsystems' spray
 
pumps are located inside containment. Each RS train (one
 
inside and one outside RS subsystem) is powered from a separate Engineered Safety Features (ESF) bus. Each train of
 
the RS System provides adequate spray coverage to meet the
 
system design requirements for containment heat and iodine
 
fission product removal. Two spray pumps are required to
 
provide 360
&deg; of containment spray coverage assumed in the accident analysis. One train of RS or two outside RS
 
subsystems will provide the containment spray coverage and
 
required flow.
The two casing cooling pumps and common casing cooling tank
 
are designed to increase the net positive suction head (NPSH) available to the outside RS pumps by injecting cold
 
water into the suction of the spray pumps. They are also beneficial to the containment depressurization analysis. The casing cooling tank con tains at least 116,500 gal of chilled and borated water. Each casing cooling pump supplies one
 
outside spray pump with cold borated water from the casing (continued)
North Anna Units 1 and 2B 3.6.7-2Revision 31 RS System B 3.6.7 BASES BACKGROUND (continued) cooling tank. The casing cooling pumps are considered part
 
of the outside RS subsystems. Each casing cooling pump is
 
powered from a separate ESF bus.
The inside RS subsystem pump NPSH is increased by reducing
 
the temperature of the water at the pump suction. Flow is
 
diverted from the QS system to the suction of the inside RS
 
pump on the same safety train as the quench spray pump
 
supplying the water.
The RS System provides a spray of subcooled water into the
 
upper regions of containment to reduce the containment
 
pressure and temperature during a DBA. Upon receipt of a
 
High-High containment pressure signal, the two casing
 
cooling pumps start, the casing cooling discharge valves open, and the RS pump suction and discharge valves receive an
 
open signal to assure the valves are open. Refueling water
 
storage tank (RWST) Level-Low coincident with Containment
 
Pressure-High High provides the automatic start signal for
 
the inside RS and outside RS pumps. Once the coincidence
 
logic is satisfied, the outside RS pumps start immediately
 
and the inside RS pumps start after a 120-second delay. The
 
delay time is sufficient to avoid simultaneous starting of
 
the RS pumps on the same emergency diesel generator. The
 
coincident trip ensures that adequate water inventory is
 
present in the containment sump to meet the RS sump strainer functional requirements following a loss of coolant accident (LOCA). The RS system is not required for steam line break (SLB) mitigation. The RS pumps take suction from the
 
containment sump and discharge through their respective
 
spray coolers to the spray headers and into the containment
 
atmosphere. Heat is transferred from the containment sump
 
water to service water in the spray coolers.
The Chemical Addition System supplies a sodium hydroxide (NaOH) solution to the R WST water supplied to the suction of the QS System pumps. The NaOH added to the QS System spray
 
ensures an alkaline pH for the solution recirculated in the
 
containment sump. The resulting alkaline pH of the RS spray (pumped from the sump) enhances the ability of the spray to
 
scavenge iodine fission products from the containment
 
atmosphere. The alkaline pH of the containment sump water
 
minimizes the evolution of iodine and minimizes the
 
occurrence of chloride and caustic stress corrosion on
 
mechanical systems and components exposed to the fluid.(continued)
RS System B 3.6.7 BASESNorth Anna Units 1 and 2B 3.6.7-3Revision 31 BACKGROUND (continued)
The RS System is a containment ESF system. It is designed to ensure that the heat removal capability required during the
 
post accident period can be attained. Operation of the QS and
 
RS systems provides the required heat removal capability to
 
limit post accident conditions to less than the containment
 
design values and depressurize the containment structure to
 
less than 2.0 psig in 1 hour and to subatmospheric pressure within 6 hours following a DBA.
The RS System limits the temperature and pressure that could
 
be expected following a DBA and ensures that containment
 
leakage is maintained consistent with the accident analysis.
APPLICABLE
 
SAFETY ANALYSES The limiting DBAs considered are the LOCA and the SLB. The
 
LOCA and SLB are analyzed using computer codes designed to
 
predict the resultant containment pressure and temperature
 
transients; DBAs are assumed not to occur simultaneously or
 
consecutively. The postulated DBAs are analyzed assuming no
 
offsite power and the loss of one emergency diesel
 
generator, which is the worst case single active failure for
 
containment depressurization, resulting in one train of the
 
QS and RS systems being rendered inoperable (Ref.
1). The postulated SLB events are analyzed without credit for the RS system.The peak containment pressure following a high energy line
 
break is affected by the initial total pressure and
 
temperature of the containment atmosphere and the QS System
 
operation. Maximizing the initial containment total pressure and average atmospheric temperature maximizes the calculated
 
peak pressure. The heat removal effectiveness of the QS System spray is dependent on the temperature of the water in
 
the RWST. The time required to depressurize the containment
 
and the capability to maintain it depressurized below atmospheric pressure depend on the functional performance of
 
the QS and RS systems and the service water temperature. When
 
the Service Water temperature is elevated, it is more
 
difficult to depressurize the containment to less than
 
2.0 psig in 1 hour and to subatmospheric pressure within 6 hours since the heat removal effectiveness of the RS System is limited.
During normal operation, the containment internal pressure
 
is varied to maintain the capability to depressurize the
 
containment to less than 2.0 psig in 1 hour and to subatmospheric pressure within 6 hours after a DBA. This (continued)
North Anna Units 1 and 2B 3.6.7-4Revision 31 RS System B 3.6.7 BASES APPLICABLE
 
SAFETY ANALYSES (continued) capability and the variation of containment pressure are
 
functions of service water temperature, RWST water
 
temperature, and the containment air temperature.
The DBA analyses show that the maximum peak containment
 
pressure of 43.0 psig results from the SLB analysis and is calculated to be less than the containment design pressure.
 
The maximum 309
&deg;F peak containment atmosphere temperature results from the SLB analysis and is calculated to exceed the
 
containment design temperature for a relatively short period
 
of time during the transient. The basis of the containment
 
design temperature, however, is to ensure OPERABILITY of
 
safety related equipment inside containment (Ref.
2). Thermal analyses show that the time interval during which
 
the containment atmosphere temperature exceeds the
 
containment design temperature is short enough that there
 
would be no adverse effect on equipment inside containment.
 
Therefore, it is concluded that the calculated transient
 
containment atmosphere temperatures are acceptable for the
 
SLB and LOCA.
The RS System actuation model from the containment analysis
 
is based upon a response associated with exceeding the
 
Containment Pressure-High High signal setpoint and RWST
 
level decreasing below the RWST Level-Low setpoint. The
 
containment analysis models account conservatively for
 
instrument uncertainty for the Containment Pressure-High
 
High setpoint and the RWST Level-Low setpoint. The RS
 
System's total response time is determined by the time to
 
satisfy the coincidence logic, the timer delay for the
 
inside RS pumps, pump startup time, and piping fill time.
For certain aspects of accident analyses, maximizing the
 
calculated containment pressure is not conservative. In
 
particular, the cooling effectiveness of the Emergency Core
 
Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure.
 
For these calculations, the containment backpressure is
 
calculated in a manner designed to conservatively minimize, rather than maximize, the calculated transient containment
 
pressures in accordance with 10 CFR 50, Appendix K (Ref. 3).The radiological consequences analysis demonstrates
 
acceptable results provided the containment pressure
 
decreases to 2.0 psig in 1 hour and does not exceed 2.0 psig for the interval from 1 to 6 hours following the Design Basis (continued)
RS System B 3.6.7 BASESNorth Anna Units 1 and 2B 3.6.7-5Revision 31 APPLICABLE SAFETY ANALYSES (continued)
Accident (Ref.
4). Beyond 6 hours the containment pressure is assumed to be less than 0.0 psig, terminating leakage from containment.
The RS System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO During a DBA, one train (one inside and one outside RS subsystem in the same tra in) or two outside RS subsystems of the RS System are required to provide the minimum heat
 
removal capability assumed in the safety analysis. To ensure
 
that this requirement is met, four RS subsystems and the
 
casing cooling tank must be OPERABLE. This will ensure that
 
at least one train will operate assuming the worst case
 
single failure occurs, which is no offsite power and the loss
 
of one emergency diesel generator. Inoperability of the
 
casing cooling tank, the casing cooling pumps, the casing
 
cooling valves, piping, instrumentation, or controls, or of
 
the QS System requires an assessment of the effect on RS subsystem OPERABILITY.
Each RS train consists of one RS subsystem outside
 
containment and one RS subsystem inside containment. Each RS subsystem includes one spray pump, one spray cooler, one
 
180&deg; coverage spray header, nozzles, valves, piping, instrumentation, and controls to ensure an OPERABLE flow
 
path capable of taking suction from the containment sump.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause an increase in containment pressure and temperature requiring the operation
 
of the RS System.
In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature
 
limitations of these MODES. Thus, the RS System is not
 
required to be OPERABLE in MODE 5 or 6.ACTIONS A.1 With one of the RS subsystems inoperable, the inoperable
 
subsystem must be restored to OPERABLE status within 7 days. The components in this degraded condition are capable of
 
providing at least 100% of the heat removal needs (i.e.,
approximately 150% when one RS subsystem is inoperable)(continued)
North Anna Units 1 and 2B 3.6.7-6Revision 31 RS System B 3.6.7 BASES ACTIONS A.1 (continued) after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the RS and QS systems and the low probability of a DBA occurring during this period.
B.1 and C.1 With two of the required RS subsystems inoperable either in
 
the same train, or both insid e RS subsystems, at least one of the inoperable RS subsystems must be restored to OPERABLE
 
status within 72 hours. The components in this degraded condition are capable of providing 100% of the heat removal
 
needs and 360
&deg; containment spray co verage after an accident.
The 72 hour Completion Time was developed taking into account the redundant heat removal capability afforded by
 
the OPERABLE subsystems, a reasonable amount of time for
 
repairs, and the low probability of a DBA occurring during
 
this period.
D.1 With the casing cooling tank inoperable, the NPSH available
 
to both outside RS subsystem pumps may not be sufficient. The
 
inoperable casing cooling tank must be restored to OPERABLE
 
status within 72 hours. The components in this degraded condition are capable of providing 100% of the heat removal
 
needs after an accident. The casing cooling tank does not
 
affect the OPERABILITY of the inside RS subsystem pumps. The
 
effect on NPSH of the outside RS pumps must be assessed as
 
part of outside RS pump OPERABILITY. The 72 hour Completion Time was chosen based on the same reasons as given in
 
Required Action B.1.E.1 and E.2 If the inoperable RS subsystem(s) or the casing cooling tank
 
cannot be restored to OPERABLE status within the required
 
Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 84 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without
 
challenging unit systems. The extended interval to reach (continued)
RS System B 3.6.7 BASESNorth Anna Units 1 and 2B 3.6.7-7Revision46 ACTIONS E.1 and E.2 (continued)
MODE 5 allows additional time and is reasonable considering that the driving force for a release of radioactive material
 
from the Reactor Coolant System is reduced in MODE 3.F.1 With an inoperable inside RS subsystem in one train, and an inoperable outside RS subsys tem in the other train, only 180
&deg; containment spray coverage is available. This condition is
 
outside accident analysis. With three or more RS subsystems
 
inoperable, the unit is in a condition outside the accident
 
analysis. With two inoperable outside RS subsystems, less
 
than 100% of required RS flow is available. Therefore, in all
 
three cases, LCO 3.0.3 must be entered immediately.
SURVEILLANCE
 
REQUIREMENTS SR  3.6.7.1 Verifying that the casing cooling tank solution temperature
 
is within the specified tolerances provides assurance that
 
the water injected into the suction of the outside RS pumps
 
will increase the NPSH available as per design. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.6.7.2 Verifying the casing cooling tank contained borated water volume provides assurance that sufficient water is available
 
to support the outside RS subsystem pumps during the time
 
they are required to operate. The Surveillance Frequency is
 
based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
North Anna Units 1 and 2B 3.6.7-8Revision46 RS System B 3.6.7 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.6.7.3 Verifying the boron concentration of the solution in the
 
casing cooling tank provides assurance that borated water
 
added from the casing cooling tank to RS subsystems will not
 
dilute the solution being recirculated in the containment
 
sump. A Note states that for Unit 2, until the first entry into MODE 4 following the Unit 2 Fall 2002 refueling outage, the casing cooling tank boron concentration acceptance
 
criteria shall be  2300 ppm and  2400 ppm. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.6.7.4 Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in the RS
 
System and casing cooling tank provides assurance that the proper flow path exists for operation of the RS System. This
 
SR does not apply to valves that are locked, sealed, or
 
otherwise secured in position, since they are verified as
 
being in the correct position prior to being secured. This SR
 
does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that
 
those valves outside containment and capable of potentially
 
being mispositioned are in the correct position. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.6.7.5 Verifying that each RS and casing cooling pump's developed
 
head at the flow test point is greater than or equal to the
 
required developed head ensures that these pumps'
 
performance has not degraded during the cycle. Flow and
 
differential head are normal tests of centrifugal pump
 
performance required by the ASME Code (Ref.
5). Since the RS System pumps cannot be tested with flow through the spray
 
headers, they are tested on recirculation flow. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm
 
component OPERABILITY, trend performance, and detect
 
incipient failures by indicating abnormal performance. The
 
Frequency of this SR is in accordance with the Inservice
 
Testing Program.
RS System B 3.6.7 BASESNorth Anna Units 1 and 2B 3.6.7-9Revision46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.6.7.6 These SRs ensure that each automatic valve actuates and that
 
the casing cooling pumps start upon receipt of an actual or
 
simulated High-High containment pressure signal. The RS pumps are verified to start with an actual or simulated RWST Level-Low signal coincident with a Containment Pressure-High
 
High signal. The start delay times for the inside RS pumps
 
are also verified. This Surveillance is not required for
 
valves that are locked, sealed, or otherwise secured in the
 
required position under administrative controls. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.6.7.7 Periodic inspections of the containment sump components
 
ensure that they are unrestricted and stay in proper
 
operating condition. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.SR  3.6.7.8 This SR ensures that each spray nozzle is unobstructed and
 
that spray coverage of the containment will meet its design
 
bases objective. Either an inspection of the nozzles or an
 
air or smoke test is performed through each spray header. Due
 
to the passive design of the spray header and its normally
 
dry state, a test performed following maintenance which
 
could result in nozzle blockage is considered adequate for
 
detecting obstruction of the nozzles.
REFERENCES1.UFSAR, Section 6.2.2.10 CFR 50.49.3.10 CFR 50, Appendix K.
North Anna Units 1 and 2B 3.6.7-10Revision 31 RS System B 3.6.7 BASES REFERENCES (continued)4.UFSAR, Section 15.4.1.7.5.ASME Code for Operation and Maintenance of Nuclear Power Plants.
North Anna Units 1 and 2B 3.6.8-1Revision 36 Chemical Addition System B 3.6.8 B 3.6  CONTAINMENT SYSTEMSB 3.6.8Chemical Addition System BASES BACKGROUND The Chemical Addition System is a subsystem of the Quench
 
Spray System that assists in reducing the iodine fission
 
product inventory in the containment atmosphere resulting
 
from a Design Basis Accident (DBA).
Radioiodine in its various forms is the fission product of primary concern in the evaluation of a DBA. It is absorbed by
 
the spray from the containment atmosphere. To enhance the
 
iodine absorption capacity of the spray, the spray solution
 
is adjusted to an alkaline pH that promotes iodine
 
hydrolysis, in which iodine is converted to nonvolatile
 
forms. Because of its stability when exposed to radiation
 
and elevated temperature, sodium hydroxide (NaOH) is the
 
preferred spray additive. The NaOH added to the spray also
 
ensures a pH value of between 7.0 and 8.5 of the solution recirculated from the containment sump. This pH band
 
minimizes the evolution of iodine as well as the occurrence
 
of chloride and caustic stress corrosion on mechanical
 
systems and components.
The Chemical Addition System consists of one chemical
 
addition tank, two parallel redundant motor operated valves
 
in the line between the chemical addition tank and the
 
refueling water storage tank (RWST), instrumentation, and a
 
recirculation pump. The NaOH solution is added to the spray
 
water by a balanced gravity feed from the chemical addition
 
tank through the connecting piping into a weir within the
 
RWST. There, it mixes with the borated water flowing to the
 
spray pump suction. Because of the hydrostatic balance
 
between the two tanks, the flow rate of the NaOH is controlled by the volume per foot of height ratio of the two
 
tanks. This ensures a spray mixture pH that is  8.5 and  10.5.The Quench Spray System actuation signal opens the valves
 
from the chemical addition tank to the spray pump suctions or the quench spray pump start signal opens the valves from the chemical addition tank after a 5 minute delay. The 12%
to 13% NaOH solution is drawn into the spray pump suctions. The chemical addition tank capacity provides for the addition of NaOH solution to all of the water sprayed from the RWST into
 
containment. The percent solution and volume of solution (continued)
North Anna Units 1 and 2B 3.6.8-2Revision 36 Chemical Addition System B 3.6.8 BASES BACKGROUND (continued) sprayed into containment ensures a long term containment
 
sump pH of  7.0 and  8.5. This ensures the continued iodine retention effectiveness of the sump water during the
 
recirculation phase of spray operation and also minimizes
 
the occurrence of chloride induced stress corrosion cracking of the stainless steel recirculation piping. Maintaining the sump fluid pH less than or equal to 8.5 ensures that there is adequate NPSH available to the ECCS and RSS pumps with post-
 
LOCA debris and chemical precipitant loading on the
 
containment sump strainer.
APPLICABLE
 
SAFETY ANALYSES The Chemical Addition System is essential to the removal of
 
airborne iodine within containment following a DBA.
Following the assumed release of radioactive materials into
 
containment, the containment is assumed to leak at its
 
analysis value volume following the accident. The plant
 
accident dose calculations use an effective containment
 
coverage of 70% of the containment volume. The containment
 
safety analyses implicitly assume that the containment
 
atmosphere is so turbulent following an accidental release
 
of high energy fluids inside containment that, for heat
 
removal purposes, the containment volume is effectively
 
completely covered by spray.
The DBA response time assumed for the Chemical Addition
 
System is based on the Chemical Addition System isolation
 
valves beginning to open 5 minutes after a QS pump start.
The DBA analyses assume that one train of the Quench Spray
 
System is inoperable and that the entire chemical addition
 
tank volume is added through the remaining Quench Spray
 
System flow path.
The Chemical Addition System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The Chemical Addition System is necessary to reduce the
 
release of radioactive material to the environment in the
 
event of a DBA. To be considered OPERABLE, the volume and
 
concentration of the chemical addition solution must be
 
sufficient to provide NaOH injection into the spray flow
 
until the Quench Spray System has completed pumping water
 
from the RWST to the containment sump, and to raise the (continued)
Chemical Addition System B 3.6.8 BASESNorth Anna Units 1 and 2B 3.6.8-3Revision 36 LCO (continued) average spray solution pH to a level conducive to iodine removal, namely, to between 8.5 and 10.5. This pH range maximizes the effectiveness of the iodine removal mechanism
 
without introducing conditions that may induce caustic
 
stress corrosion cracking of mechanical system components.
In addition, it is essential that valves in the Chemical
 
Addition System flow paths are properly positioned and that
 
automatic valves are capable of activating to their correct
 
positions.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment requiring the operation
 
of the Chemical Addition System. The Chemical Addition
 
System assists in reducing the iodine fission product
 
inventory prior to release to the environment.
In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature
 
limitations in these MODES. Thus, the Chemical Addition
 
System is not required to be OPERABLE in MODE 5 or 6.ACTIONS A.1 If the Chemical Addition System is inoperable, it must be
 
restored to OPERABLE within 72 hours. The pH adjustment of the Quench Spray System flow for iodine removal enhancement
 
is reduced in this condition. The Quench Spray System would
 
still be available and would remove some iodine from the
 
containment atmosphere in the event of a DBA. The 72 hour Completion Time takes into account the ability of the Quench Spray System to remove iodine at a reduced capability using
 
the redundant Quench Spray flow path capabilities and the
 
low probability of the worst case DBA occurring during this
 
period.B.1 and B.2 If the Chemical Addition System cannot be restored to
 
OPERABLE status within the required Completion Time, the
 
unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at
 
least MODE 3 within 6 hours and to MODE 5 within 84 hours. The allowed Completion Time of 6 hours is reasonable, based (continued)
North Anna Units 1 and 2B 3.6.8-4Revision 46 Chemical Addition System B 3.6.8 BASES ACTIONS B.1 and B.2 (continued) on operating experience, to reach MODE 3 from full power conditions in an orderly man ner and without challenging unit systems. The extended interval to reach MODE 5 allows
 
48 hours for restoration of the Chemical Addition System in MODE 3 and 36 hours to reach MODE 5. This is reasonable when
 
considering the reduced pressure and temperature conditions
 
in MODE 3 for the release of radioactive material from the
 
Reactor Coolant System.
SURVEILLANCE
 
REQUIREMENTS SR  3.6.8.1 Verifying the correct alignment of Chemical Addition System manual, power operated, and automatic valves in the chemical
 
addition flow path provides assurance that the system is
 
able to provide additive to the Quench Spray System in the
 
event of a DBA. This SR does not apply to valves that are
 
locked, sealed, or otherwise secured in position, since
 
these valves were verified to be in the correct position
 
prior to locking, sealing, or securing. This SR does not
 
require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those
 
valves outside containment and capable of potentially being
 
mispositioned are in the correct position. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
SR  3.6.8.2 To provide effective iodine removal, the containment spray must be an alkaline solution. Since the RWST contents are
 
normally acidic, the volume of the chemical addition tank
 
must provide a sufficient volume of spray additive to adjust
 
pH for all water injected. This SR is performed to verify the availability of sufficient NaOH solution in the Chemical
 
Addition System. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.SR  3.6.8.3 This SR provides verification, by chemical analysis, of the NaOH concentration in the chemical addition tank and is
 
sufficient to ensure that the spray solution being injected (continued)
Chemical Addition System B 3.6.8 BASESNorth Anna Units 1 and 2B 3.6.8-5Revision 46 SURVEILLANCE REQUIREMENTS SR  3.6.8.3 (continued) into containment is at the correct pH level. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.6.8.4 This SR provides verification that each automatic valve in
 
the Chemical Addition System flow path actuates to its
 
correct position. This Surveillance is not required for
 
valves that are locked, sealed, or otherwise secured in the
 
required position under administrative controls. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.6.8.5 To ensure that the correct pH level is established in the
 
borated water solution provided by the Quench Spray System, flow from the Chemical Addition System is verified draining
 
solution from the RWST and chemical addition tank through
 
the drain lines in the cross-connection between the tanks.
 
This SR provides assurance that the correct amount of NaOH
 
will be metered into the flow path upon Quench Spray System initiation. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
REFERENCES None Intentionally Blank North Anna Units 1 and 2B 3.7.1-1Revision 8 MSSVs B 3.7.1 B 3.7  PLANT SYSTEMSB 3.7.1Main Steam Safety Valves (MSSVs)
BASES BACKGROUND The primary purpose of the MSSVs is to provide overpressure
 
protection for the secondary system. The MSSVs also provide
 
protection against overpressurizing the reactor coolant
 
pressure boundary (RCPB) by providing a heat sink for the
 
removal of energy from the Reactor Coolant System (RCS) if
 
the preferred heat sink, provided by the Condenser and
 
Circulating Water System, is not available.
Five MSSVs are located on each main steam header, outside
 
containment, upstream of the main steam isolation valves, as
 
described in the UFSAR, Section 10.3.1 (Ref.
1). The MSSVs must have sufficient capacity to limit the secondary system pressure to  110% of the steam generator design pressure in order to meet the requirements of the ASME Code, Section III (Ref. 2). The MSSV design includes staggered lift settings, according to Table 3.7.1-2 in the accompanying LCO, so that only the needed valves will actuate. Staggered lift settings
 
reduce the potential for valve chattering that is due to
 
steam pressure insufficient to fully open all valves
 
following a turbine reactor trip. These lift settings are for ambient conditions of the valve associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be
 
established.
APPLICABLE
 
SAFETY ANALYSES The design basis for the capacity of the MSSVs comes from
 
Reference 2 and its purpose is to limit the secondary system pressure to  110% of design pressure for any anticipated operational occurrence (AOO) or accident considered in the
 
Design Basis Accident (DBA) and transient analysis.
The events that challenge the relieving capacity of the
 
MSSVs, and thus RCS pressure, are those characterized as
 
decreased heat removal events, which are presented in the
 
UFSAR, Section 15.2 (Ref.
3). Of these, the full power turbine trip without steam dump is typically the limiting
 
AOO. This event also terminates normal feedwater flow to the
 
steam generators.(continued)
North Anna Units 1 and 2B 3.7.1-2Revision 8 MSSVs B 3.7.1 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The safety analysis demonstrates that the transient response
 
for turbine trip occurring from full power without a direct
 
reactor trip presents no hazard to the integrity of the RCS
 
or the Main Steam System. One turbine trip analysis is
 
performed assuming primary system pressure control via
 
operation of the pressurizer relief valves and spray. This
 
analysis demonstrates that the DNB design basis is met.
 
Another analysis is performed assuming no primary system
 
pressure control, but crediting reactor trip on high pressurizer pressure and operation of the pressurizer safety
 
valves. This analysis demonstrates that RCS integrity is maintained by showing that the maximum RCS pressure does not
 
exceed 110% of the design pressure. All cases analyzed
 
demonstrate that the MSSVs maintain Main Steam System
 
integrity by limiting the maximum steam pressure to less
 
than 110% of the steam generator design pressure.In addition to the decreased heat removal events, reactivity insertion events may also challenge the relieving capacity
 
of the MSSVs. The uncontrolled rod cluster control assembly (RCCA) bank withdrawal at power event is characterized by an
 
increase in core power and steam generation rate until
 
reactor trip occurs when either the Overtemperature T or Power Range Neutron Flux-High setpoint is reached. Steam flow to the turbine will not increase from its initial value for this event. The increased heat transfer to the secondary
 
side causes an increase in steam pressure and may result in
 
opening of the MSSVs prior to reactor trip, assuming no
 
credit for operation of the atmospheric or condenser steam
 
dump valves. The UFSAR Section 15.2 safety analysis of the RCCA bank withdrawal at power event for a range of initial
 
core power levels demonstrates that the MSSVs are capable of
 
preventing secondary side overpressurization for this AOO.
 
The UFSAR safety analyses discussed above assume that all of the MSSVs for each steam generator are OPERABLE. If there are
 
inoperable MSSV(s), it is necessary to limit the primary
 
system power during steady-state operation and AOOs to a
 
value that does not result in exceeding the combined steam
 
flow capacity of the turbine (if available) and the
 
remaining OPERABLE MSSVs. The required limitation on primary
 
system power necessary to prevent secondary system
 
overpressurization may be determined by system transient
 
analyses or conservatively arrived at by a simple heat
 
balance calculation. In some circumstances it is necessary
 
to limit the primary side heat generation that can be achieved during an AOO by reducing the setpoint of the Power Range Neutron Flux-High reactor trip function. For example, (continued)
MSSVs B 3.7.1 BASESNorth Anna Units 1 and 2B 3.7.1-3Revision 42 APPLICABLE SAFETY ANALYSES (continued) if more than one MSSV on a single steam generator is
 
inoperable, an uncontrolled RCCA bank withdrawal at power
 
event occurring from a partial power level may result in an
 
increase in reactor power that exceeds the combined steam
 
flow capacity of the turbine and the remaining OPERABLE
 
MSSVs. Thus, for multiple inoperable MSSVs on the same steam
 
generator it is necessary to prevent this power increase by
 
lowering the Power Range Neutron Flux-High setpoint to an
 
appropriate value. When Moderator Temperature Coefficient (MTC) is positive, the reactor power may increase above the
 
initial value during an RCS heatup event (e.g., turbine
 
trip). Thus, for any number of inoperable MSSVs it is
 
necessary to reduce the trip setpoint if a positive MTC may
 
exist at partial power conditions.
The MSSVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The accident analysis requires five MSSVs per steam generator be OPERABLE to provide overpressure protection for
 
design basis transients occurring at 100.37%
RTP. The LCO requires that five MSSVs per steam generator be OPERABLE in
 
compliance with Reference 2, and the DBA analysis.
The OPERABILITY of the MSSVs is defined as the ability to
 
open upon demand within the setpoint tolerances to relieve
 
steam generator overpressure, and reseat when pressure has
 
been reduced. The OPERABILITY of the MSSVs is determined by
 
periodic surveillance testing in accordance with the
 
Inservice Testing Program.
This LCO provides assurance that the MSSVs will perform
 
their designed safety functions to mitigate the consequences
 
of accidents that could result in a challenge to the RCPB or
 
Main Steam System integrity.
APPLICABILITY In MODES 1, 2, and 3, five MSSVs per steam generator are required to be OPERABLE to prevent Main Steam System
 
overpressurization.
In MODES 4 and 5, there are no credible transients requiring the MSSVs. The steam generators are not normally used for
 
heat removal in MODES 5 and 6, and thus cannot be overpressurized; there is no requirement for the MSSVs to be OPERABLE in these MODES.
North Anna Units 1 and 2B 3.7.1-4Revision 42 MSSVs B 3.7.1 BASES ACTIONS The ACTIONS table is modified by a Note indicating that
 
separate Condition entry is allowed for each MSSV.
With one or more MSSVs inoperable, action must be taken so
 
that the available MSSV relieving capacity meets Reference 2 requirements.
Operation with less than all five MSSVs OPERABLE for each
 
steam generator is permissible, if THERMAL POWER is limited
 
to the relief capacity of the remaining MSSVs. This is
 
accomplished by restricting THERMAL POWER so that the energy transfer to the most limiting steam generator is not greater
 
than the available relief capacity in that steam generator.
A.1 In the case of only a single inoperable MSSV on one or more
 
steam generators, when the MTC is not positive, a reactor
 
power reduction alone is sufficient to limit primary side
 
heat generation such that overpressurization of the
 
secondary side is precluded for any RCS heatup event.
 
Furthermore, for this case there is sufficient total steam flow capacity provided by th e turbine and remaining OPERABLE MSSVs to preclude overpressurization in the event of an
 
increased reactor power due to reactivity insertion, such as in the event of an uncontrolled RCCA bank withdrawal at
 
power. Therefore, Required Action A.1 requires an appropriate reduction in reactor power within 4 hours.
The maximum THERMAL POWER corresponding to the heat removal capacity of the remaining OPERABLE MSSVs is determined via a conservative heat balance calculation as described in the
 
attachment to Reference 5, with an appropriate allowance for calorimetric power uncertainty.
B.1 and B.2 In the case of multiple inoperable MSSVs on one or more steam generators, with a reactor power reduction alone there may
 
be insufficient total steam flow capacity provided by the
 
turbine and remaining OPERABLE MSSVs to preclude
 
overpressurization in the event of an increased reactor power due to reactivity insertion, such as in the event of an
 
uncontrolled RCCA bank withdrawal at power. Furthermore, for
 
a single inoperable MSSV on one or more steam generators when
 
the MTC is positive the reactor power may increase as a
 
result of an RCS heatup event such that flow capacity of the (continued)
MSSVs B 3.7.1 BASESNorth Anna Units 1 and 2B 3.7.1-5Revision 42 ACTIONS B.1 and B.2 (continued) remaining OPERABLE MSSVs is insufficient. The 4 hour Completion Time for Required Action B.1 is consistent with A.1. An additional 32 hours is allowed in Required Action B.2 to reduce the setpoints. The Completion Time of 36 hours is based on a reasonable time to correct the MSSV inoperability, the time required to perform the power reduction, operating experience in resetting all channels of
 
a protective function, and on the low probability of the
 
occurrence of a transient that could result in steam
 
generator overpressure during this period.
The maximum THERMAL POWER corresponding to the heat removal capacity of the remaining OPERABLE MSSVs is determined via a conservative heat balance calculation as described in the
 
attachment to Reference 5, with an appropriate allowance for Nuclear Instrumentation System trip channel uncertainties.
Required Action B.2 is modified by a Note, indicating that the Power Range Neutron Flux-High reactor trip setpoint
 
reduction is only required in MODE
: 1. In MODES 2 and 3 the reactor protection system trips specified in LCO 3.3.1, "Reactor Protection System Instrumentation," provide
 
sufficient protection.
The allowed Completion Times are reasonable based on
 
operating experience to accomplish the Required Actions in
 
an orderly manner without challenging unit systems.
C.1 and C.2 If the Required Actions are not completed within the
 
associated Completion Time, or if one or more steam
 
generators have  4 inoperable MSSVs, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating
 
experience, to reach the required unit conditions from full
 
power conditions in an orderly manner and without
 
challenging unit systems.
North Anna Units 1 and 2B 3.7.1-6Revision 19 MSSVs B 3.7.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.7.1.1 SRs are specified in the Inservice Testing Program. MSSVs
 
are to be tested in accordance with the requirements of the
 
ASME Code (Ref.
: 4) which provides the activities and frequencies necessary to satisfy the SR. The MSSV lift
 
settings given in the LCO are for operability, however, the valves are reset to +/-1% during the surveillance to allow for drift.This SR is modified by a Note that allows entry into and
 
operation in MODE 3 prior to performing the SR. The MSSVs may be either bench tested or tested in situ at hot conditions
 
using an assist device to simulate lift pressure.
REFERENCES1.UFSAR, Section 10.3.1.2.ASME, Boiler and Pressure Vessel Code, Section III.3.UFSAR, Section 15.2.4.ASME Code for Operation and Maintenance of Nuclear Power
 
Plants.5.NRC Information Notice 94-60, "Potential
 
Overpressurization of the Main Steam System,"
 
August 22, 1994.
North Anna Units 1 and 2B 3.7.2-1Revision 0 MSTVs B 3.7.2 B 3.7  PLANT SYSTEMSB 3.7.2Main Steam Trip Valves (MSTVs)
BASES BACKGROUND The MSTVs isolate steam flow from the secondary side of the
 
steam generators following a high energy line break (HELB).
 
MSTV closure terminates flow from the unaffected (intact)
 
steam generators.
One MSTV is located in each main steam line outside, but
 
close to, containment. The MSTVs are downstream from the
 
main steam safety valves (MSSVs) and auxiliary feedwater (AFW) pump turbine steam supply, to prevent MSSV and AFW isolation from the stea m generators by MSTV closure. Closing the MSTVs isolates each steam generator from the others, and isolates the turbine, Steam Dump System, and other auxiliary steam supplies from the steam generators.
The MSTVs close on a main steam isolation signal generated by
 
either intermediate high high containment pressure, high
 
steam flow coincident with low low RCS T avg , or low steam line pressure. The MSTVs fail closed on loss of control air
 
pressure.Each MSTV has an MSTV bypass valve. Although these bypass
 
valves are normally closed, they receive the same emergency
 
closure signal as do their associated MSTVs. The MSTV bypass
 
valves may also be actuated manually.
A description of the MSTVs is found in the UFSAR, Section 10.3 (Ref.
1).APPLICABLE
 
SAFETY ANALYSES The design basis of the MSTVs is established by the
 
containment analysis for the main steam line break (MSLB)
 
inside containment, discussed in the UFSAR, Section 6.2 (Ref. 2). It is also affected by the accident analysis of the SLB events presented in the UFSAR, Section 15.4.2 (Ref.
3). The design precludes the blowdown of more than one steam
 
generator, assuming a single active component failure (e.g.,
the failure of one MSTV to close on demand).(continued)
North Anna Units 1 and 2B 3.7.2-2Revision 0 MSTVs B 3.7.2 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The limiting case for the containment analysis is the MSLB
 
inside containment, with a loss of offsite power following
 
turbine trip, and failure of the Non Return Valve (NRV) on
 
the affected steam generator to close. At lower powers, the
 
steam generator inventory and temperature are at their
 
maximum, maximizing the analyzed mass and energy release to
 
the containment. Due to reverse flow and failure of the NRV to close, the additional mass and energy in the steam headers downstream from the other MSTVs contribute to the total release. With the most react ive rod cluster control assembly assumed stuck in the fully withdrawn position, there is an
 
increased possibility that the core will become critical and
 
return to power. The core is ultimately shut down by the
 
boric acid injection delivered by the Emergency Core Cooling
 
System.The accident analysis compares several different MSLB events
 
against different acceptance criteria. The MSLB outside
 
containment upstream of the MSTV is limiting for offsite
 
dose, although a break in this short section of main steam
 
header has a very low probability. The MSLB inside
 
containment at hot zero power is the limiting case for a post
 
trip return to power. The analysis includes scenarios with
 
offsite power available, and with a loss of offsite power
 
following turbine trip. With offsite power available, the
 
reactor coolant pumps continue to circulate coolant through
 
the steam generators, maximizing the Reactor Coolant System
 
cooldown. With a loss of offsite power, the response of
 
mitigating systems is delayed. Significant single failures
 
considered include failure of an MSTV to close.
The MSTVs only serve a safety function and remain open during power operation. These valves operate under the
 
following situations:a.A HELB inside containment. In order to maximize the mass and energy release into containment, the analysis assumes
 
that the NRV in the affected steam generator remains
 
open. For this accident scenario, steam is discharged
 
into containment from all steam generators until the
 
remaining MSTVs close. After MSTV closure, steam is
 
discharged into containment only from the affected steam
 
generator and from the residual steam in the main steam
 
header downstream of the closed MSTVs in the unaffected
 
loops. Closure of the MSTVs isolates the break from the
 
unaffected steam generators.(continued)
MSTVs B 3.7.2 BASESNorth Anna Units 1 and 2B 3.7.2-3Revision 20 APPLICABLE SAFETY ANALYSES (continued)b.A break outside of containment and upstream from the MSTV is not a containment pressurization concern. The
 
uncontrolled blowdown of more than one steam generator
 
must be prevented to limit the potential for uncontrolled RCS cooldown and positive reactivity addition. Closure of
 
the MSTVs isolates the b reak and limits the blowdown to a single steam generator.c.A break downstream of the MSTVs will be isolated by the closure of the MSTVs.d.Following a steam generator tube rupture, the operator will isolate flow to the rupture d steam generator, adjust auxiliary feedwater flow to maintain specified water
 
levels in the ruptured and intact steam generators and
 
manually isolate steam flow from the ruptured generator
 
to the turbine-driven auxiliary feedwater in the Main
 
Steam Valve House. The operator will also verify that the
 
steam generator power operated relief valves are
 
available and their manual isolation valves are opened (if required) in preparation for subsequent steps.
 
Closure of the MSTVs isolates the ruptured steam
 
generator from the intact steam generators to minimize
 
radiological releases.e.The MSTVs are also utilized during other events such as a feedwater line break. This event is less limiting so far
 
as MSTV OPERABILITY is concerned.
The MSTVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO requires that three MSTVs in the steam lines be
 
OPERABLE. The MSTVs are considered OPERABLE when the
 
isolation times are within limits, and they close on an
 
isolation actuation signal.
This LCO provides assurance that the MSTVs will perform
 
their design safety function to mitigate the consequences of accidents that could result in offsite exposures comparable
 
to the 10 CFR 50.67 (Ref.
: 4) limits or the NRC staff approved licensing basis.
North Anna Units 1 and 2B 3.7.2-4Revision 8 MSTVs B 3.7.2 BASES APPLICABILITY The MSTVs must be OPERABLE in MODE 1, and in MODES 2 and 3 except when closed and de-activated, when there is significant mass and energy in the RCS and steam generators.
When the MSTVs are closed, they are already performing the
 
safety function.
In MODE 4, the steam generator energy is low and the MSTVs are not required to support the safety analyses due to the
 
low probability of a design basis accident.
In MODE 5 or 6, the steam generators do not contain much energy because their temperature is below the boiling point
 
of water; therefore, the MSTVs are not required for
 
isolation of potential high energy secondary system pipe
 
breaks in these MODES.
ACTIONS A.1 With one MSTV inoperable in MODE 1, action must be taken to restore OPERABLE status within 8 hours. Some repairs to the MSTV can be made with the unit hot. The 8 hour Completion Time is reasonable, considering the low probability of an
 
accident occurring during this time period that would
 
require a closure of the MSTVs.
The 8 hour Completion Time is greater than that normally allowed for containment isolation valves because the MSTVs
 
are valves that isolate a closed system penetrating
 
containment. These valves differ from other containment
 
isolation valves in that the closed system provides an
 
additional means for containment isolation.
B.1 If the MSTV cannot be restored to OPERABLE status within
 
8 hours, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be
 
placed in MODE 2 within 6 hours and Condition C would be entered. The Completion Times are reasonable, based on
 
operating experience, to reach MODE 2 and to close the MSTVs in an orderly manner and without challenging unit systems.
C.1 and C.2 Condition C is modified by a Note indicating that separate Condition entry is allowed for each MSTV.(continued)
MSTVs B 3.7.2 BASESNorth Anna Units 1 and 2B 3.7.2-5Revision 8 ACTIONS C.1 and C.2 (continued)
Since the MSTVs are required to be OPERABLE in MODES 2 and 3, the inoperable MSTVs may either be restored to OPERABLE
 
status or closed. When closed, the MSTVs are already in the
 
position required by the assumptions in the safety analysis.
The 8 hour Completion Time is consistent with that allowed in Condition A.For inoperable MSTVs that cannot be restored to OPERABLE status within the specified Completion Time, but are closed, the inoperable MSTVs must be verified on a periodic basis to
 
be closed. This is necessary to ensure that the assumptions
 
in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view
 
of MSTV status indications available in the control room, and other administrative controls, to ensure that these
 
valves are in the closed position.
D.1 and D.2 If the MSTVs cannot be restored to OPERABLE status or are not closed within the associated Completion Time, the unit must
 
be placed in a MODE in which the LCO does not apply. To
 
achieve this status, the unit must be placed at least in
 
MODE 3 within 6 hours, and in MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating
 
experience, to reach the required unit conditions from
 
MODE 2 conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.2.1 This SR verifies that MSTV isolation time is  5.0 seconds. The MSTV isolation time is assumed in the accident and
 
containment analyses. This Surveillance is normally
 
performed upon returning the unit to operation following a
 
refueling outage. The MSTVs should not be tested at power, since even a part stroke exercise increases the risk of a
 
valve closure when the unit is generating power. As the MSTVs
 
are not tested at power, they are exempt from the ASME Code (Ref. 5) requirements during operation in MODE 1 or 2.The Frequency is in accordance with the Inservice Testing
 
Program.(continued)
North Anna Units 1 and 2B 3.7.2-6Revision 46 MSTVs B 3.7.2 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.7.2.1 (continued)
This test may be conducted in MODE 3 with the unit at operating temperature and pressure.
This SR is modified by a Note that allows entry i nto and operation in MODE 3 prior to performing the SR. This allows a delay of testing until
 
MODE 3, to establish conditions consistent with those under which the acceptance criterion was generated.
SR  3.7.2.2 This SR verifies that each MSTV closes on an actual or
 
simulated actuation signal. This Surveillance is normally
 
performed upon returning the plant to operation following a
 
refueling outage. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.REFERENCES1.UFSAR, Section 10.3.2.UFSAR, Section 6.2.3.UFSAR, Section 15.4.2.4.10 CFR 50.67.5.ASME Code for Operation and Maintenance of Nuclear Power Plants.
North Anna Units 1 and 2B 3.7.3-1Revision 23 MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3 B 3.7  PLANT SYSTEMS B 3.7.3Main Feedwater Isolation Valves (MFIVs), Main Feedwater Pump Discharge Valves (MFPDVs), Main Feedwater Regulating Valves (MFRVs),
and Main Feedwater Regulating Bypass Valves (MFRBVs)
BASES BACKGROUND The MFIV and the MFRV are in series in the Main Feedwater (MFW) line upstream of each steam generator. The MFRBV is parallel to both the MFIV and the MFRV. The MFPDV is located at the discharge of each main feedwater pump. The valves are located outside of the containment. These valves provide the isolation of each MFW line by the closure of the MFIV and
 
MFRBV, the MFRV and MFRBV, or the closure of the MFPDV. To provide the needed isolation given the single failure of one
 
of the valves, all four valve types are required to be
 
OPERABLE. The MFIVs and the MFRVs provide single failure protection for each other in one flow path and the MFPDVs and the MFRBVs provide single failure protection for each other
 
in the other flow path.
The safety-related function of the MFIVs, MFPDVs, MFRVs and
 
the MFRBVs is to provide isolation of MFW from the secondary
 
side of the steam generators following a high energy line
 
break. Closure of the MFIV and MFRBV, the MFRV and MFRBV, or
 
the closure of the MFPDV terminates the addition of
 
feedwater to an affected steam generator, limiting the mass
 
and energy release for steam or feedwater line breaks and
 
minimizing the positive reactivity effects of the Reactor
 
Coolant System (RCS) cooldown associated with the blowdown.
 
In the event of pipe rupture inside the containment, the
 
valves limit the quantity of high energy fluid that enters
 
the containment through the broken loop.
The containment isolation MFW check valve in each loop
 
provides the first pressure boundary for the addition of
 
Auxiliary Feedwater (AFW) to the intact loops and prevents
 
back flow in the feedwater line should a break occur upstream
 
of these valves. These check valves also isolate the
 
non-safety-related portion of the MFW system from the
 
safety-related portion of the system. The piping volume from
 
the feedwater isolation valve to the steam generators is
 
considered in calculating mass and energy release following
 
either a steam or feedwater line break.(continued)
North Anna Units 1 and 2B 3.7.3-2Revision 23 MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3 BASES BACKGROUND (continued)
The MFIVs, MFPDVs, MFRVs, and MFRBVs close on receipt of
 
Safety Injection or Steam Generator Water Level-High High
 
signal. The MFIVs, MFPDVs, MFRVs, and MFRBVs may also be
 
actuated manually.
A description of the operation of the MFIVs, MFPDVs, MFRVs, and MFRBVs is found in the UFSAR, Section 10.4.3 (Ref.
1).APPLICABLE
 
SAFETY ANALYSESThe design basis for the closure of the MFIVs, MFPDVs, MFRVs, and MFRBVs is established by the analyses for the Main Steam
 
Line Break (MSLB). It is also influenced by the accident analysis for the Feedwater Line Break (FWLB). Closure of the
 
MFIVs and MFRBVs, or MFRVs and MFRBVs, or the MFPDVs, may
 
also be relied on to terminate an MSLB on receipt of an SI
 
signal for core response analysis and for an excess
 
feedwater event upon the receipt of a Steam Generator Water
 
Level-High High signal.
Failure of an MFIV and MFRV, or an MFRBV and MFPDV to close
 
following an MSLB or FWLB can result in additional mass and
 
energy being delivered to the steam generators, contributing
 
to cooldown. This failure also results in additional mass
 
and energy releases following an MSLB or FWLB event.
The MFIVs, MFPDVs, MFRVs, and MFRBVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO ensures that the MFIVs, MFPDVs, MFRVs, and MFRBVs
 
will isolate MFW flow to the steam generators, following an
 
FWLB or MSLB.
This LCO requires that three MFIVs, three MFPDVs, three
 
MFRVs, and three MFRBVs be OPERABLE. The valves are
 
considered OPERABLE when isolation times are within limits
 
and they close on an isolation actuation signal. The MFIVs
 
and the MFRVs provide single failure protection for each
 
other, and the MFPDV and the MFRBV provide single failure
 
protection for each other.
Failure to meet the LCO requirements can result in
 
additional mass and energy being released to containment
 
following an MSLB or FWLB inside containment. A feedwater
 
isolation signal on high high steam generator level is
 
relied on to terminate an excess feedwater flow event, and
 
failure to meet the LCO may result in the introduction of
 
water into the main steam lines.(continued)
MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3 BASESNorth Anna Units 1 and 2B 3.7.3-3Revision 23 APPLICABILITY The MFIVs, MFPDVs, MFRVs, and MFRBVs must be OPERABLE whenever there is significant mass and energy in the RCS and steam generators. In MODES 1, 2, and 3, the MFIVs, MFPDVs, MFRVs, and MFRBVs are required to be OPERABLE to limit the
 
amount of available fluid that could be added to containment
 
in the case of a secondary system pipe break inside
 
containment. When the valves are closed and de-activated or
 
isolated by a closed manual valve, they are already
 
performing their safety function.
In MODES 4, 5, and 6, steam generator energy is low.
Therefore, the MFIVs, MFPDVs, MFRVs, and MFRBVs are not
 
required to be OPERABLE.
ACTIONS The ACTIONS table is modified by a Note indicating that
 
separate Condition entry is allowed for each valve.
A.1 and A.2 With one MFIV in one or more flow paths inoperable, action
 
must be taken to restore the affected valves to OPERABLE
 
status, or to close or isolate inoperable affected valves
 
within 72 hours. When these valves are closed or isolated, they are performing their required safety function.
The 72 hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time
 
period that would require isolation of the MFW flow paths.
 
The 72 hour Completion Time is reasonable, based on operating experience.
Inoperable MFIVs that are closed or isolated must be
 
verified on a periodic basis that they are closed or
 
isolated. This is necessary to ensure that the assumptions
 
in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view
 
of other administrative controls, to ensure that these
 
valves are closed or isolated.
B.1 and B.2 With one MFRV in one or more flow paths inoperable, action
 
must be taken to restore the affected valves to OPERABLE
 
status, or to close or isolate inoperable affected valves
 
within 72 hours. When these valves are closed or isolated, they are performing their required safety function.(continued)
North Anna Units 1 and 2B 3.7.3-4Revision 23 MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3 BASES ACTIONS B.1 and B.2 (continued)
The 72 hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time
 
period that would require isolation of the MFW flow paths.
 
The 72 hour Completion Time is reasonable, based on operating experience.
Inoperable MFRVs, that are closed or isolated, must be
 
verified on a periodic basis that they are closed or
 
isolated. This is necessary to ensure that the assumptions
 
in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view
 
of other administrative controls to ensure that the valves
 
are closed or isolated.
C.1 and C.2 With one MFRBV in one or more flow paths inoperable, action
 
must be taken to restore the affected valves to OPERABLE
 
status, or to close or isolate inoperable affected valves
 
within 72 hours. When these valves are closed or isolated, they are performing their required safety function.
The 72 hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time
 
period that would require isolation of the MFW flow paths.
 
The 72 hour Completion Time is reasonable, based on operating experience.
Inoperable MFRBVs that are closed or isolated must be
 
verified on a periodic basis that they are closed or
 
isolated. This is necessary to ensure that the assumptions
 
in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view
 
of other administrative controls to ensure that these valves
 
are closed or isolated.
D.1 and D.2 With one MFPDV in one or more flow paths inoperable, action
 
must be taken to restore the affected valves to OPERABLE
 
status, or to close or isolate inoperable affected valves
 
within 72 hours. When these valves are closed or isolated, they are performing their required safety function.(continued)
MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3 BASESNorth Anna Units 1 and 2B 3.7.3-5Revision 23 ACTIONS D.1 and D.2 (continued)
The 72 hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time
 
period that would require isolation of the MFW flow paths.
 
The 72 hour Completion Time is reasonable, based on operating experience.
Inoperable MFPDVs that are closed or isolated must be
 
verified on a periodic basis that they are closed or
 
isolated. This is necessary to ensure that the assumptions
 
in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, and in
 
view of other administrative controls, to ensure that these
 
valves are closed or isolated.
E.1 With two inoperable valves in the same flow path, there may
 
be no redundant system to operate automatically and perform
 
the required safety function. For example , either a MFIV and a MFRV in the same main feedwater line are inoperable or a
 
MFPDV and a MFRBV are inoperable. Under these conditions, at
 
least one of the affected valves must be restored to OPERABLE
 
status, or the affected flow path isolated within 8 hours. This action returns the system to the condition where at least one valve in each flow path is performing the required
 
safety function. The 8 hour Completion Time is reasonable, based on operating experience, to complete the actions
 
required to close the affected valves, or otherwise isolate
 
the affected flow path.
F.1 and F.2 If the inoperable valve(s) cannot be restored to OPERABLE
 
status, or closed, or isolated within the associated
 
Completion Time, the unit must be placed in a MODE in which
 
the LCO does not apply. To achieve this status, the unit must
 
be placed in at least MODE 3 within 6 hours, and in MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
North Anna Units 1 and 2B 3.7.3-6Revision 46 MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.7.3.1This SR verifies that the isolation time of each MFIV, MFRV, and MFRBV is  6.98 seconds and the isolation time for each MFPDV is  60 seconds. The isolation times are assumed in the accident and containment analyses. This Surveillance is
 
normally performed during a refueling outage.The Frequency for this SR is in accordance with the Inservice
 
Testing Program.
SR  3.7.3.2 This SR verifies that each MFIV, MFRV, MFRBV, and MFPDV can
 
close on an actual or simulated actuation signal. This
 
Surveillance is normally performed upon returning the plant
 
to operation following a refueling outage.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 10.4.3.
North Anna Units 1 and 2B 3.7.4-1Revision 0 SG PORVs B 3.7.4 B 3.7  PLANT SYSTEMSB 3.7.4Steam Generator Power Operated Relief Valves (SG PORVs)
BASES BACKGROUND The SG PORVs provide a method for cooling the unit to
 
residual heat removal (RHR) entry conditions should the
 
preferred heat sink via the condenser dump valves not be
 
available, as discussed in the UFSAR, Section 10.3 (Ref.
1). This is done in conjunction with the Auxiliary Feedwater System providing cooling water from the emergency condensate
 
storage tank (ECST) (or, alternately, with main feedwater
 
from the condenser hotwell or main condensate tanks, if
 
available).
One SG PORV line for each of the three steam generators is
 
provided. Each SG PORV line consists of one SG PORV and an
 
associated upstream manual isolation valve.
The SG PORVs are provided with upstream manual isolation valves to permit their be ing tested at power, and to provide an alternate means of isolation. The SG PORVs are equipped
 
with pneumatic controllers to permit control of the cooldown
 
rate.The SG PORVs are provided with a backup supply tank which is
 
pressurized from the instrument ai r header via a check valve arrangement that, on a loss of pressure in the normal
 
instrument air supply, automatically supplies air to operate
 
the SG PORVs. The air supply is sized to provide the
 
sufficient pressurized air to operate the SG PORVs until
 
manual operation of the SG PORVs can be established.
A description of the SG PORVs is found in Reference
: 1. The SG PORVs are OPERABLE when they are capable of providing
 
controlled relief of the main steam flow and capable of being
 
fully opened and closed, either remotely or by local manual
 
operation.
APPLICABLE
 
SAFETY ANALYSES The design basis of the SG PORVs is established by the
 
capability to cool the unit to RHR entry conditions. The SG
 
PORVs are used in conjunction with auxiliary feedwater supplied from the ECST (or, alternately, with main feedwater from the condenser hotwell or main condensate tanks, if (continued)
North Anna Units 1 and 2B 3.7.4-2Revision 0 SG PORVs B 3.7.4 BASES APPLICABLE
 
SAFETY ANALYSES (continued) available). Adequate inventory is available in the ECST to support operation for 2 hours in MODE 3 followed by a 4 hour cooldown to the RHR entry conditions.
In the SGTR accident analysis presented in Reference 2, the SG PORVs are assumed to be used by the operator to cool down the unit to RHR entry conditions when the SGTR is accompanied by a loss of offsite power, which renders the condenser dump
 
valves unavailable. Prior to operator actions to cool down
 
the unit, the SG PORVs and main steam safety valves (MSSVs)
 
are assumed to operate automatically to relieve steam and
 
maintain the steam generator pressure below the design
 
value. For the recovery from a steam generator tube rupture (SGTR) event, the operator is also required to perform a
 
limited cooldown to establish adequate subcooling as a
 
necessary step to terminate the primary to secondary break
 
flow into the ruptured steam generator. The time required to
 
terminate the primary to secondary break flow for an SGTR is more critical than the time required to cool down to RHR
 
conditions for this event. Thus, the SGTR is the limiting
 
event for the SG PORVs. The requirement for three SG PORVs to be OPERABLE satisfies the SGTR accident analysis requirements, including consideration of a single failure of
 
one SG PORV to open on demand.
The SG PORVs are equipped with manual isolation valves in the
 
event an SG PORV spuriously fails open or fails to close
 
during use.
The SG PORVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCOThree SG PORV lines are required to be OPERABLE. One SG PORV
 
line is required from each of three steam generators to
 
ensure that at least one SG PORV line is available to conduct
 
a unit cooldown following an SGTR, in which one steam
 
generator becomes unavailable, accompanied by a single, active failure of a second SG PORV line on an unaffected
 
steam generator. The manual isolation valves must be
 
OPERABLE to isolate a failed open SG PORV line. A closed
 
manual isolation valve does not render it or its SG PORV line inoperable because operator action time to open the manual
 
isolation valve is supported in the accident analysis.(continued)
SG PORVs B 3.7.4 BASESNorth Anna Units 1 and 2B 3.7.4-3Revision 0 LCO (continued)
Failure to meet the LCO can result in the inability to cool the unit to RHR entry conditions following an event in which
 
the condenser is unavailable for use with the Steam Dump
 
System.An SG PORV is considered OPERABLE when it is capable of
 
providing controlled relief of the main steam flow and
 
capable of fully opening and closing, remotely or by local
 
manual operation on demand.
APPLICABILITY In MODES 1, 2, and 3, and in MODE 4, when a steam generator is being relied upon for heat removal, the SG PORVs are
 
required to be OPERABLE.
In MODE 5 or 6, an SGTR is not a credible event.
ACTIONS A.1 With one required SG PORV line inoperable, action must be
 
taken to restore OPERABLE status within 7 days. The 7 day Completion Time allows for the redundant capability afforded
 
by the remaining OPERABLE SG PORV lines, a nonsafety grade
 
backup in the Steam Dump System, and MSSVs.
B.1 With two or more SG PORV lines inoperable, action must be taken to restore all but one SG PORV line to OPERABLE status.
Since the upstream manual isolation valve can be closed to
 
isolate an SG PORV, some repairs may be possible with the
 
unit at power. The 24 hour Completion Time is reasonable to repair inoperable SG PORV lines, based on the availability
 
of the Steam Dump System and MSSVs, and the low probability
 
of an event occurring during this period that would require
 
the SG PORV lines.
C.1 and C.2 If the SG PORV lines cannot be restored to OPERABLE status
 
within the associated Completion Time, the unit must be
 
placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance upon steam generator for heat removal, within 24 hours. The allowed Completion Times are reasonable, based on operating (continued)
North Anna Units 1 and 2B 3.7.4-4Revision 46 SG PORVs B 3.7.4 BASES ACTIONS C.1 and C.2 (continued) experience, to reach the required unit conditions from full
 
power conditions in an orderly manner and without
 
challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.4.1 To perform a controlled cooldown of the RCS, the SG PORVs
 
must be able to be opened either remotely or locally and
 
throttled through their full range. This SR ensures that the SG PORVs are tested through a full control cycle at least once per fuel cycle. Performance of inservice testing or use
 
of an SG PORV during a unit cooldown may satisfy this
 
requirement. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.SR  3.7.4.2 The function of the upstream manual isolation valve is to
 
isolate a failed SG PORV. Cycling the upstream manual
 
isolation valve both closed and open demonstrates its
 
capability to perform this function. Performance of
 
inservice testing or use of the upstream manual isolation
 
valve during unit cooldown m ay satisfy this requirement. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 10.3.2.UFSAR, Section 15.4.3.
North Anna Units 1 and 2B 3.7.5-1Revision 0 AFW System B 3.7.5 B 3.7  PLANT SYSTEMSB 3.7.5Auxiliary Feedwater (AFW) System BASES BACKGROUND The AFW System automatically supplies feedwater to the steam
 
generators to remove decay heat from the Reactor Coolant
 
System upon the loss of normal feedwater supply. The AFW
 
pumps take suction through separate and independent suction
 
lines from the emergency condensate storage tank (ECST)
(LCO 3.7.6) and pump to the steam generator secondary side via separate and independent connections to the main
 
feedwater (MFW) piping outside containment. The steam
 
generators function as a heat sink for core decay heat. The
 
heat load is dissipated by releasing steam to the atmosphere
 
from the steam generators via the main steam safety valves (MSSVs) (LCO 3.7.1) or steam generator power operated relief valves (SG PORVs) (LCO 3.7.4). If the main condenser is available, steam may be released via the steam dump valves
 
and recirculated to the condenser hotwell.
The AFW System consists of two motor driven AFW pumps and one steam turbine driven pump configured into three trains. Each pump is aligned to one steam generator, and the capacity of
 
each pump is sufficient to provide the designated flow
 
assumed in the accident analysis. The pumps are equipped
 
with recirculation lines to prevent pump operation against a
 
closed system. Each motor driven AFW pump is powered from an independent Class 1E power supply and normally feeds one steam generator, although each pump has the capability to be realigned to feed other steam generators. The steam turbine
 
driven AFW pump receives steam from three main steam lines
 
upstream of the main steam trip valves (MSTVs). The steam
 
supply lines combine into a header which is isolated from the
 
steam driven auxiliary feedwater pump by two parallel
 
valves. Main steam trip valves, MS-TV-111A and MS-TV-111B (Unit 1), MS-TV-211A and MS-TV-211B (Unit 2) are powered from separate 125 V DC trains and actuated by the Engineered Safety Features Actuation System (ESFAS). Opening of either trip valve will provide sufficient steam to the steam driven
 
pump to produce the design flow rate from the ECST to the
 
steam generator(s).
The AFW System is capable of supplying feedwater to the steam
 
generators during normal unit startup, shutdown, and hot
 
standby conditions.(continued)
North Anna Units 1 and 2B 3.7.5-2Revision 0 AFW System B 3.7.5 BASES BACKGROUND (continued)
The AFW pumps may be aligned and supply a common header
 
capable of feeding all steam generators. One pump at full flow is sufficient to remove decay heat and cool the unit to
 
residual heat removal (RHR) entry conditions. Thus, the
 
requirement for diversity in motive power sources for the
 
AFW System is met.The AFW System is designed to supply sufficient water to the
 
steam generator(s) to remove decay heat with steam generator
 
pressure associated with the lowest setpoint MSSV.
 
Subsequently, the AFW System supplies sufficient water to
 
cool the unit to RHR entry conditions, with steam released
 
through the SG PORVs.
The AFW System actuates automatically on Steam Generator
 
Water Level low-low by the ESFAS (LCO 3.3.2). The system also actuates on loss of offsite power, safety injection, and trip of all MFW pumps.
The AFW System is discussed in the UFSAR, Section 10.4.3.2 (Ref. 1).APPLICABLE
 
SAFETY ANALYSES The AFW System mitigates the consequences of any event with
 
loss of normal feedwater.
The design basis of the AFW System is to supply water to the
 
steam generator to remove decay heat and other residual heat by delivering at least t he minimum required flow rate to the steam generators at pressures corresponding to the lowest
 
steam generator safety valve set pressure plus 3%.
In addition, the AFW System must supply enough makeup water
 
to replace steam generator secondary inventory lost as the
 
unit cools to MODE 4 conditions. Sufficient AFW flow must also be available to account for flow losses such as pump
 
recirculation and line breaks.
The limiting Design Basis Accidents (DBAs) and transients
 
for the AFW System are as follows:a.Feedwater Line Break (FWLB);b.Main Steam Line Break (MSLB); andc.Loss of MFW.(continued)
AFW System B 3.7.5 BASESNorth Anna Units 1 and 2B 3.7.5-3Revision 0 APPLICABLE SAFETY ANALYSES (continued)
In addition, the minimum available AFW flow and system
 
characteristics are considerations in the analysis of a
 
small break loss of coolant accident (LOCA).
The AFW System design is such that it can perform its
 
function following an FWLB between the MFW isolation valves
 
and containment, combined with a loss of offsite power
 
following turbine trip, and a single active failure of the
 
steam turbine driven AFW pump. In such a case, the ESFAS
 
logic may not detect the affected steam generator if the
 
backflow check valve to the affected MFW header worked
 
properly. One motor driven AFW pump would deliver to the
 
broken MFW header at maximum design flow until the problem
 
was detected, and flow terminated by the operator.
 
Sufficient flow would be delivered to the intact steam
 
generator by the redundant AFW pump.
The ESFAS automatically actuates the AFW turbine driven pump
 
when required to ensure an adequate feedwater supply to its dedicated steam generator during loss of power. Air or motor operated valves are provided for each AFW line to control the
 
AFW flow to each steam generator.
The AFW System satisfies the requirements of Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO provides assurance that the AFW System will perform
 
its design safety function to mitigate the consequences of
 
accidents that could result in overpressurization of the
 
reactor coolant pressure boundary. Three independent AFW
 
pumps in three diverse trains are required to be OPERABLE to
 
ensure the availability of AFW capability for all events accompanied by a loss of offs ite power and a single failure.
This is accomplished by powering two of the pumps from
 
independent emergency buses. The third AFW pump is powered
 
by a different means, a steam driven turbine supplied with
 
steam from a source that is not isolated by closure of the
 
MSTVs.The AFW System is configured into three trains. The AFW
 
System is considered OPERABLE when the components and flow
 
paths required to provide redundant AFW flow to the steam
 
generators are OPERABLE. This requires that the two motor
 
driven AFW pumps be OPERABLE in two diverse paths, each
 
supplying AFW to separate steam generators. The turbine
 
driven AFW pump is required to be OPERABLE with redundant (continued)
North Anna Units 1 and 2B 3.7.5-4Revision 37 AFW System B 3.7.5 BASES LCO (continued) steam supplies from each of two main steam supply paths
 
through MS-TV-111A and MS-TV-111B (Unit 1), MS-TV-211A and MS-TV-211B (Unit 2), which receive steam from at least two of the three main steam lines upstream of the MSTVs. The
 
piping, valves, instrumentation, and controls required to
 
perform the safety function in the required flow paths also
 
are required to be OPERABLE.
In addition, if a seismic air tank or the inlet check valve
 
to the seismic air tank associated with any of the air
 
operated valves (FW-PCV-159A, FW-PCV-159B, FW-HCV-100A, FW-HCV-1OOB, FW-HCV-100C, MS-TV-111A and MS-TV-111B (Unit 1), FW-PCV-259A, FW-PCV-259B, FW-HCV-200A, FW-HCV-200B, FW-HCV-200C, MS-TV-211A and MS-TV-211B (Unit 2)) is removed from service, or becomes unavailable, then the associated valve is considered inoperable.
The LCO is modified by a Note indicating that one AFW train, which includes a motor driven pump, is required to be
 
OPERABLE in MODE 4 when the steam generator is relied upon for heat removal. This is because of the reduced heat removal
 
requirements and short period of time in MODE 4 during which the AFW is required and the insufficient steam available in
 
MODE 4 to power the turbine driven AFW pump.
APPLICABILITY In MODES 1, 2, and 3, the AFW System is required to be OPERABLE in the event that it is called upon to function when the MFW is lost. In addition, the AFW System is required to
 
supply enough makeup water to replace the steam generator
 
secondary inventory, lost as the unit cools to MODE 4 conditions.
In MODE 4 one AFW train is required to be OPERABLE when the steam generator(s) is relied upon for heat removal.
In MODE 5 or 6, the steam generators are not normally used for heat removal, and the AFW System is not required.
ACTIONS A.1 If one of the two steam supplies, MS-TV-111A and MS-TV-111B (Unit 1), MS-TV-211A and MS-TV-211B (Unit 2), to the turbine driven AFW train is inoperable or if a turbine driven AFW
 
pump is inoperable while in MODE 3 immediately following refueling, action must be taken to restore the affected (continued)
AFW System B 3.7.5 BASESNorth Anna Units 1 and 2B 3.7.5-5Revision 37 ACTIONS A.1 (continued) equipment to an OPERABLE status within 7 days. The 7 day Completion Time is reasonable, based on the following
 
reasons:a.For the inoperability of a steam supply to the turbine driven AFW pump, the 7 day Completion Time is reasonable since there is a redundant steam supply line for the
 
turbine driven pump.b.For the inoperability of a turbine driven AFW pump while in MODE 3 immediately subsequent to a refueling outage, the 7 day Completion Time is reasonable due to the minimal decay heat levels in this situation.c.For both the inoperability of a steam supply line to the turbine driven pump and an inoperable turbine driven AFW
 
pump while in MODE 3 immediately following a refueling outage, the 7 day Completion Time is reasonable due to the availability of redundant OPERABLE motor driven AFW
 
pumps; and due to the low probability of an event
 
requiring the use of the turbine driven AFW pump.
The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any
 
combination of Conditions during any contiguous failure to
 
meet this LCO.
The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of
 
failure to meet the LCO. This limit is considered reasonable
 
for situations in which Conditions A and B are entered concurrently. The AND connector between 7 days and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.
Condition A is modified by a Note which limits the applicability of the Conditions to when the unit has not
 
entered MODE 2 following a refueling. Condition A allows the turbine driven AFW train to be inoperable for 7 days vice the 72 hour Completion Time in Condition B. This longer Completion Time is based on the reduced decay heat following
 
refueling and prior to the reactor being critical.
 
North Anna Units 1 and 2B 3.7.5-6Revision 37 AFW System B 3.7.5 BASES ACTIONS (continued)
B.1 With one of the required AFW trains (pump or flow path)
 
inoperable in MODE 1, 2, or 3 for reasons other than Condition A, action must be taken to restore OPERABLE status within 72 hours. This Condition includes the loss of two steam supply lines to the turbine driven AFW pump. The
 
72 hour Completion Time is reasonable, based on redundant capabilities afforded by the AFW System, time needed for
 
repairs, and the low probability of a DBA occurring during
 
this time period.
The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any
 
combination of Conditions to be inoperable during any
 
contiguous failure to meet this LCO.
The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of
 
failure to meet the LCO. This limit is considered reasonable
 
for situations in which Conditions A and B are entered concurrently. The AND connector between 72 hours and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.
C.1 and C.2 When Required Action A.1 or B.1 cannot be completed within the required Completion Time, or if two AFW trains are
 
inoperable in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 18 hours.The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems.
In MODE 4, when the steam generator is relied upon for heat removal, with two AFW trains inoperable, operation is
 
allowed to continue because only one motor driven pump AFW
 
train is required in accordance with the Note that modifies
 
the LCO. Although not required, the unit may continue to cool
 
down and initiate RHR.
 
AFW System B 3.7.5 BASESNorth Anna Units 1 and 2B 3.7.5-7Revision 46 ACTIONS (continued)
D.1 If all three AFW trains are inoperable in MODE 1, 2, or 3, the unit is in a seriously degraded condition with no safety
 
related means for conducting a cooldown, and only limited
 
means for conducting a cooldown with nonsafety related
 
equipment. In such a condition, the unit should not be
 
perturbed by any action, including a power change, that
 
might result in a trip. The seriousness of this condition
 
requires that action be started immediately to restore one
 
AFW train to OPERABLE status.
Required Action D.1 is modified by a Note indicating that all required MODE changes or power reductions required by
 
the Technical Specifications are suspended until one AFW
 
train is restored to OPERABLE status. In this case, LCO 3.0.3 is not applicable because it could force the unit into a less safe condition.
E.1 In MODE 4, either the reactor coolant pumps or the RHR loops can be used to provide forced circulation. This is addressed
 
in LCO 3.4.6, "RCS Loops-MODE 4." With the required AFW train inoperable, action must be taken to immediately
 
restore the inoperable train to OPERABLE status. The
 
immediate Completion Time is consistent with LCO 3.4.6.SURVEILLANCE
 
REQUIREMENTS SR  3.7.5.1 Verifying the correct alignment for manual, power operated, and automatic valves in the AFW System water and steam supply
 
flow paths provides assurance that the proper flow paths
 
will exist for AFW operation. This SR does not apply to
 
valves that are locked, sealed, or otherwise secured in
 
position, since they are verified to be in the correct
 
position prior to locking, sealing, or securing. This SR
 
also does not apply to valves that cannot be inadvertently misaligned, such as che ck valves. This Surveillance does not require any testing or valve manipulation; rather, it
 
involves verification that those valves capable of being
 
mispositioned are in the correct position.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.7.5-8Revision46 AFW System B 3.7.5 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.7.5.2 Verifying that each AFW pump's developed head at the flow test point is greater than or equal to the required developed head ensures that AFW pump performance has not degraded
 
during the cycle. Flow and differential head are normal
 
tests of centrifugal pump performance required by the ASME
 
Code (Ref 2). Because it is sometimes undesirable to introduce cold AFW into the steam generators while they are
 
operating, this testing is typically performed on
 
recirculation flow. This test conf irms one point on the pump design curve and is indicative of overall performance. Such
 
inservice tests confirm component OPERABILITY, trend
 
performance, and detect incipient failures by indicating
 
abnormal performance. Performance of inservice testing
 
discussed in the ASME Code (Ref.
: 2) (only required at 3 month intervals) satisfies this requirement.
This SR is modified by a Note indicating that the SR should
 
be deferred until suitable test conditions are established.
 
This deferral is required because there may be insufficient
 
steam pressure to perform the test.
SR  3.7.5.3This SR verifies that AFW can be delivered to the appropriate
 
steam generator in the event of any accident or transient
 
that generates an ESFAS, by demonstrating that each
 
automatic valve in the flow path actuates to its correct
 
position on an actual or simulated actuation signal. This
 
Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under
 
administrative controls. The Surveillance Frequency is based
 
on operating experience, equipment reliability, and plant
 
risk and is controlled under the Surveillance Frequency
 
Control Program.
This SR is modified by a Note that states the SR is not required in MODE 4. In MODE 4, the heat removal requirements would be less providing more time for operator action to
 
manually align the required valves.
AFW System B 3.7.5 BASESNorth Anna Units 1 and 2B 3.7.5-9Revision46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.7.5.4 This SR verifies that the AFW pumps will start in the event
 
of any accident or transient that generates an ESFAS by
 
demonstrating that each AFW pump starts automatically on an
 
actual or simulated actuation signal in MODES 1, 2, and 3. In MODE 4, the required pump's autostart function is not required. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. Note 1 indicates that the
 
SR be deferred until suitable test conditions are
 
established. This deferral is required because there may be
 
insufficient steam pressure to perform the test. Note 2 states that the SR is not required in MODE 4. In MODE 4, the
 
heat removal requirements would be less providing more time
 
for operator action to manually start the required AFW pump.
SR  3.7.5.5 This SR verifies that the AFW is properly aligned by
 
verifying the flow paths from the ECST to each steam
 
generator prior to entering MODE 3 after more than 30 contiguous days in any combination of MODES 5, 6, or defueled. OPERABILITY of AFW flow paths must be verified
 
before sufficient core heat is generated that would require
 
the operation of the AFW System during a subsequent
 
shutdown. The Frequency is reasonable, based on engineering
 
judgement and other administrative controls that ensure that
 
flow paths remain OPERABLE. To further ensure AFW System
 
alignment, flow path OPERABILITY is verified following
 
extended outages to determine no misalignment of valves has occurred. This SR ensures that the flow path from the ECST to the steam generators is properly aligned.
REFERENCES1.UFSAR, Section 10.4.3.2.2.ASME Code for Operation and Maintenance of Nuclear Power Plants.
Intentionally Blank North Anna Units 1 and 2B 3.7.6-1Revision 0 ECST B 3.7.6 B 3.7  PLANT SYSTEMSB 3.7.6Emergency Condensate Storage Tank (ECST)
BASES BACKGROUND The ECST provides a safety grade source of water to the steam generators for removing decay and sensible heat from the
 
Reactor Coolant System (RCS). The ECST provides a passive
 
flow of water, by gravity, to the Auxiliary Feedwater (AFW)
 
System (LCO 3.7.5). The steam produced is released to the atmosphere by the main steam safety valves (MSSVs) or the
 
steam generator power o perated relief valves (SG PORVs). The AFW pumps operate with a continuous recirculation to the
 
ECST.When the main steam trip valves are open, the preferred means
 
of heat removal is to dischar ge steam to the condenser by the nonsafety grade path of the steam dump valves. The condensed
 
steam is returned to the hotwell and is pumped to the
 
300,000 gallon condensate storage tank which can be aligned to gravity feed the ECST. This has the advantage of
 
conserving condensate while minimizing releases to the
 
environment.
Because the ECST is a principal component in removing
 
residual heat from the RCS, it is designed to withstand
 
earthquakes and other natural phenomena, including missiles
 
that might be generated by natural phenomena. The ECST is designed to Seismic Category I to ensure availability of the feedwater supply. Feedwater is also available from alternate
 
sources.A description of the ECST is found in the UFSAR, Section 9.2.4 (Ref.
1).APPLICABLE
 
SAFETY ANALYSES The ECST provides cooling water to remove decay heat and to
 
cool down the unit following all events in the accident
 
analysis as discussed in the UFSAR, Chapters 6 and 15 (Refs. 2 and 3, respectively). For anticipated operational occurrences and accidents that do not affect the OPERABILITY of the steam generators, the analysis assumption is 2 hours
 
in MODE 3, steaming through the MSSVs, followed by a 4 hour cooldown to residual heat removal (RHR) entry conditions at
 
the design cooldown rate.(continued)
North Anna Units 1 and 2B 3.7.6-2Revision 42 ECST B 3.7.6 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The limiting event for the condensate volume is the large
 
feedwater line break coincident with a loss of offsite
 
power. Single failures accommodated by the accident include
 
the following:a.Failure of the diesel generator powering the motor driven AFW pump to one unaffected steam generator (requiring
 
additional steam to drive the remaining AFW pump
 
turbine); andb.Failure of the steam driven AFW pump (requiring a longer time for cooldown using only one motor driven AFW pump).
These are not usually the limiting failures in terms of
 
consequences for these events.
A nonlimiting event considered in ECST inventory
 
determinations is a break in either the main feedwater or AFW
 
line near where the two join. This break has the potential
 
for dumping condensate until terminated by operator action, since the Engineered Safety Features Actuation System (LCO 3.3.2, ESFAS) starts the AFW system and would not detect a difference in press ure between the steam generators for this break location. This loss of condensate inventory
 
is partially compensated for by the retention of steam
 
generator inventory.
The ECST satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO To satisfy accident analysis assumptions, the ECST must
 
contain sufficient cooling water to remove decay heat for
 
30 minutes following a reactor trip from 100.37%
RTP, and then to cool down the RCS to RHR entry conditions, assuming a
 
coincident loss of offsite power and the most adverse single
 
failure. In doing this, it must retain sufficient water to
 
ensure adequate net positive suction head for the AFW pumps
 
during cooldown, as well as account for any losses from the
 
steam driven AFW pump turbine, or before isolating AFW to a
 
broken line.
The ECST level required is equivalent to a contained volume
 
of  110,000 gallons, which is based on holding the unit in MODE 3 for 8 hours, or maintaining the unit in MODE 3 for 2 hours followed by a 4 hour cooldown to RHR entry (continued)
ECST B 3.7.6 BASESNorth Anna Units 1 and 2B 3.7.6-3Revision 0 LCO (continued) conditions within the limit of 100
&deg;F/hour. The basis for these times is established in the accident analysis.The OPERABILITY of the ECST is determined by maintaining the
 
tank level at or above the minimum required level to ensure
 
the minimum volume of water.
APPLICABILITY In MODES 1, 2, and 3, and in MODE 4, when steam generator is being relied upon for heat removal, the ECST is required to
 
be OPERABLE.
In MODE 5 or 6, the ECST is not required because the AFW System is not required.
ACTIONS A.1 and A.2 If the ECST is not OPERABLE, the OPERABILITY of the backup
 
supply, the Condensate Storage Tank, should be verified by
 
administrative means within 4 hours and once every 12 hours thereafter. OPERABILITY of the backup feedwater supply must
 
include verification that the flow paths from the backup
 
water supply to the AFW pumps are OPERABLE, and that the
 
backup supply has the required volume of water available.
 
The ECST must be restored to OPERABLE status within 7 days, because the backup supply may be performing this function in addition to its normal functions. The 4 hour Completion Time is reasonable, based on operating experience, to verify the OPERABILITY of the backup water supply. Additionally, verifying the backup water supply every 12 hours is adequate to ensure the backup water supply continues to be available.
 
The 7 day Completion Time is reasonable, based on an OPERABLE backup water supply being available, and the low
 
probability of an event occurring during this time period
 
requiring the ECST.
B.1 and B.2 If the ECST cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the
 
unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance on the steam generator for heat removal, within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
North Anna Units 1 and 2B 3.7.6-4Revision46 ECST B 3.7.6 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.7.6.1 This SR verifies that the ECST contains the required volume
 
of cooling water. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.REFERENCES1.UFSAR, Section 9.2.4.2.UFSAR, Chapter 6.3.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.7.7-1Revision 20 Secondary Specific Activity B 3.7.7 B 3.7  PLANT SYSTEMSB 3.7.7Secondary Specific Activity BASES BACKGROUND Activity in the secondary coolant results from steam
 
generator tube outleakage from the Reactor Coolant System (RCS). Under steady state conditions, the activity is
 
primarily iodines with relatively short half lives and, thus, indicates current conditions. During transients, I-131 spikes have been observed as well as increased releases of some noble gases. Other fission product
 
isotopes, as well as activated corrosion products in lesser
 
amounts, may also be found in the secondary coolant.
A limit on secondary coolant specific activity during power
 
operation minimizes releases to the environment because of
 
normal operation, anticipated operational occurrences, and
 
accidents.
This limit is lower than the activity value that might be
 
expected from a 1 gpm tube leak (LCO 3.4.13, "RCS Operational LEAKAGE") of primary coolant at the limit of
 
1.0 &#xb5;Ci/gm (LCO 3.4.16, "RCS Specific Activity"). The steam line failure is assumed to result in the release of the noble gas and iodine activity contained in the steam generator
 
inventory, the feedwater, and the reactor coolant LEAKAGE.
 
Most of the iodine isotopes have short half lives, (i.e.,
< 20 hours).If the main steam safety valves (MSSVs) open for 2 hours following a trip from full power with the specified activity
 
limit, the resultant 2 hour dose to a person at the exclusion area boundary (EAB) would be less than 0.033 rem TEDE (the consequences of the design basis main steam line break
 
accident).
Operating a unit at the allowable limits could result in a
 
2 hour EAB exposure at the Regulatory Guide 1.183 (Ref.
: 1) limits, or the limits established as the NRC staff approved
 
licensing basis.
North Anna Units 1 and 2B 3.7.7-2Revision 20 Secondary Specific Activity B 3.7.7 BASES APPLICABLE
 
SAFETY ANALYSES The accident analysis of the main steam line break (MSLB), as
 
discussed in the UFSAR, Chapter 15 (Ref. 2) assumes the initial secondary coolant specific activity to have a
 
radioactive isotope concentration of 0.10
&#xb5;Ci/gm DOSE EQUIVALENT I-131. This assumption is used in the analysis for determining the radiological consequences of the
 
postulated accident. The accident analysis, based on this
 
and other assumptions, shows that the radiological
 
consequences of an MSLB do not exceed the limits specified in
 
Regulatory Guide 1.183 (Ref.
1).With the loss of offsite power, the remaining steam
 
generators are available for core decay heat dissipation by
 
venting steam to the atmosphere through the MSSVs and steam
 
generator power operated relief valves (SG PORVs). The
 
Auxiliary Feedwater System supplies the necessary makeup to
 
the steam generators. Venting continues until the reactor
 
coolant temperature and pressure have decreased sufficiently
 
for the Residual Heat Removal System to complete the
 
cooldown.In the evaluation of the radiological consequences of this
 
accident, the activity released from the steam generator connected to the failed steam line is assumed to be released directly to the environment. The unaffected steam generator
 
is assumed to discharge steam and any entrained activity
 
through the MSSVs and SG PORV during the event. Since no
 
credit is taken in the analysis for activity plateout or
 
retention, the resultant radiological consequences represent
 
a conservative estimate of t he potential integrated dose due to the postulated steam line failure.
Secondary specific activity limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO As indicated in the Applicable Safety Analyses, the specific
 
activity of the secondary coolant is required to be 0.10 &#xb5;Ci/gm DOSE EQUIVALENT I-131 to limit the radiological consequences of a Design Basis Accident (DBA)
 
to the required limit (Ref.
1).Monitoring the specific activity of the secondary coolant
 
ensures that when secondary specific activity limits are
 
exceeded, appropriate actions are taken in a timely manner
 
to place the unit in an operational MODE that would minimize
 
the radiological consequences of a DBA.
Secondary Specific Activity B 3.7.7 BASESNorth Anna Units 1 and 2B 3.7.7-3Revision 46 APPLICABILITY In MODES 1, 2, 3, and 4, the limits on secondary specific activity apply due to the potential for secondary steam
 
releases to the atmosphere.
In MODES 5 and 6, the steam generators are not being used for heat removal. Both the RCS and steam generators are
 
depressurized, and primary to secondary LEAKAGE is minimal.
 
Therefore, monitoring of secondary specific activity is not
 
required.ACTIONS A.1 and A.2 DOSE EQUIVALENT I-131 exceeding the allowable value in the secondary coolant, is an indication of a problem in the RCS
 
and contributes to increased post accident doses. If the
 
secondary specific activity cannot be restored to within
 
limits within the associated Completion Time, the unit must
 
be placed in a MODE in which the LCO does not apply. To
 
achieve this status, the unit must be placed in at least
 
MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating
 
experience, to reach the required unit conditions from full
 
power conditions in an orderly manner and without
 
challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.7.1 This SR verifies that the secondary specific activity is
 
within the limits of the accident analysis. A gamma isotopic
 
analysis of the secondary coolant, which determines DOSE
 
EQUIVALENT I-131, confirms the validity of the safety analysis assumptions as to the source terms in post accident
 
releases. It also serves to identify and trend any unusual
 
isotopic concentrations that might indicate changes in
 
reactor coolant activity or LEAKAGE. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
REFERENCES1.Regulatory Guide 1.183, July 2000.2.UFSAR, Chapter
: 15.
Intentionally Blank North Anna Units 1 and 2B 3.7.8-1Revision 0 SW System B 3.7.8 B 3.7  PLANT SYSTEMSB 3.7.8Service Water (SW) System BASES BACKGROUNDThe SW System provides a heat sink for the removal of process and operating heat from safety related components during a
 
Design Basis Accident (DBA) or transient. During normal
 
operation, and a normal shutdown, the SW System also
 
provides this function for various safety related and nonsafety related components. The safety related function is
 
covered by this LCO.
The SW System is common to Units 1 and 2 and is designed for
 
the simultaneous operation of various subsystems and
 
components of both units. The source of cooling water for the
 
SW System is the Service Water Reservoir. The SW System
 
consists of two loops and components can be aligned to
 
operate on either loop. There are four main SW pumps taking
 
suction on the Service Water Reservoir, supplying various
 
components through the supply headers, and then returning to
 
the Service Water Reservoir through the return headers.
 
Eight spray arrays are available to provide cooling to the
 
service water, as well as two winter bypass lines. The
 
isolation valves on the spray array lines automatically
 
open, and the isolation valves on the winter bypass lines
 
automatically shut, following receipt of a Safety Injection signal. The main SW pumps are powered from the four emergency
 
buses (two from each unit). There are also two auxiliary SW
 
pumps which take suction on North Anna Reservoir and
 
discharge to the supply header. When the auxiliary SW pumps
 
are in service, the return header may be redirected to waste
 
heat treatment facility if desired. However, the auxiliary SW pumps are strictly a backup to the normal arrangement and are not credited in the analysis for a DBA.
During a design basis loss of coolant accident (LOCA)
 
concurrent with a loss of offsite power to both units, one SW loop will provide sufficient cooling to supply post-LOCA
 
loads on one unit and shutdown and cooldown loads on the
 
other unit. During a DBA, the two SW loops are
 
cross-connected at the recirculation spray (RS) heat
 
exchanger supply and return header s of the accident unit. On a Safety Injection (SI) s ignal on either unit, all four main SW pumps start and the system is aligned for Service Water
 
Reservoir spray operation. On a containment high-high (continued)
North Anna Units 1 and 2B 3.7.8-2Revision 0 SW System B 3.7.8 BASES BACKGROUND (continued) pressure signal the accident unit's Component Cooling (CC)
 
heat exchangers are isolated from the SW System and its RS
 
heat exchangers are placed into service. All safety-related
 
systems or components requiring cooling during an accident
 
are cooled by the SW System, including the RS heat
 
exchangers, main control room air conditioning condensers, and charging pump lubricating oil and gearbox coolers.
The SW System also provides cooling to the instrument air
 
compressors, which are not safety-related, and the
 
non-accident unit's CC heat exchangers, and serves as a
 
backup water supply to the Auxiliary Feedwater System, the
 
spent fuel pool coolers, and the containment recirculation
 
air cooling coils. The SW System has sufficient redundancy
 
to withstand a single failure, including the failure of an
 
emergency diesel generator on the affected unit.
Additional information about the design and operation of the
 
SW System, along with a list of the components served, is
 
presented in the UFSAR, Section 9.2.1 (Ref.
1). The principal safety related function of the SW System is the
 
removal of decay heat from the reactor following a DBA via
 
the RS System.
APPLICABLE
 
SAFETY ANALYSES The design basis of the SW System is for one SW loop, in
 
conjunction with the RS System, to remove core decay heat
 
following a design basis LOCA as discussed in the UFSAR, Section 6.2.2 (Ref.
2). This prevents the containment sump fluid from increasing in temperature, once the cooler RWST
 
water has reached equilibrium with the fluid in containment, during the recirculation phase following a LOCA and provides
 
for a gradual reduction in the temperature of this fluid
 
which is supplied to the Reactor Coolant System by the ECCS
 
pumps. The SW System also prevents the buildup of
 
containment pressure from exceeding the containment design
 
pressure by removing heat through the RS System heat
 
exchangers. The SW System is designed to perform its
 
function with a single failure of any active component, assuming the loss of offsite power.
The SW System, in conjunction with the CC System, also cools
 
the unit from residual heat removal (RHR), as discussed in
 
the UFSAR, Section 5.5.4, (Ref.
: 3) entry conditions to MODE 5 during normal and post accident operations. The time required for this evolution is a function of the number of CC and RHR System trains that are operating.(continued)
SW System B 3.7.8 BASESNorth Anna Units 1 and 2B 3.7.8-3Revision 14 APPLICABLE SAFETY ANALYSES (continued)
The SW System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Two SW loops are required to be OPERABLE to provide the
 
required redundancy to ensure that the system functions to
 
remove post accident heat loads, assuming that the worst
 
case single active failure occurs coincident with the loss
 
of offsite power.
A SW loop is considered OPERABLE during MODES 1, 2, 3, and 4 when:a.Eithera.1Two SW pumps are OPERABLE in an OPERABLE flow path; ora.2One SW pump is OPERABLE in an OPERABLE flow path provided two SW pumps are OPERABLE in the other loop
 
and SW flow to the CC heat exchangers is throttled;
 
andb.Eitherb.1Three spray arrays are OPERABLE in an OPERABLE flow path; orb.2Two spray arrays are OPERABLE in an OPERABLE flow path, provided two spray arrays are OPERABLE in the
 
other loop; and the spray valves for the required
 
OPERABLE spray arrays in both loops are secured in
 
the accident position and power removed from the
 
valve operators; andc.The associated piping, valves, and instrumentation and controls required to perform the safety related function
 
are OPERABLE.
A required valve directing flow to a spray array, bypass
 
line, or other component is considered OPERABLE if it is
 
capable of automatically moving to its safety position or if it is administratively placed in its safety position.
North Anna Units 1 and 2B 3.7.8-4Revision 14 SW System B 3.7.8 BASES APPLICABILITY In MODES 1, 2, 3, and 4, the SW System is a normally operating system that is required to support the OPERABILITY of the equipment serviced by the SW System and required to be OPERABLE in these MODES.
In MODES 5 and 6, the OPERABILITY requirements of the SW System are determined by the systems it supports.
ACTIONS A.1 If one SW System loop is inoperable due to an inoperable SW pump, the flow resistance of the system must be adjusted
 
within 72 hours by throttling component cooling water heat
 
exchanger flows to ensure that design flows to the RS System heat exchangers are achieved following an accident. The
 
required resistance is obtained by throttling SW flow
 
through the CC heat exchangers. In this configuration, a
 
single failure disabling a SW pump would not result in loss
 
of the SW System function.
B.1 and B.2If one or more SW System loops are inoperable due to only two SW pumps being OPERABLE, the flow resistance of the system must be adjusted within one hour to ensure that design flows to the RS System heat exchangers are achieved if no
 
additional failures occur following an accident. The
 
required resistance is obtained by throttling SW flow
 
through the CC heat exchangers. Two SW pumps aligned to one
 
loop or one SW pump aligned to each loop is capable of
 
performing the safety function if CC heat exchanger flow is
 
properly throttled. However, overall reliability is reduced because a single failure disabling a SW pump could result in
 
loss of the SW System function. The one hour time reflects
 
the need to minimize the time that two pumps are inoperable
 
and CC heat exchanger flow is not properly throttled, but is a reasonable time based on the low probability of a DBA
 
occurring during this time period. Restoring one SW pump to OPERABLE status within 72 hours together with the throttling ensures that design flows to the RS System heat exchangers
 
are achieved following an accident. The required resistance
 
is obtained by throttling SW flow through the CC heat
 
exchangers. In this configuration, a single failure
 
disabling a SW pump would not re sult in loss of the SW System function.
SW System B 3.7.8 BASESNorth Anna Units 1 and 2B 3.7.8-5Revision 14 ACTIONS (continued)
C.1 If one SW loop is inoperable for reasons other than Condition A, action must be taken to restore the loop to OPERABLE status.
In this Condition, the remaining OPERABLE SW loop is
 
adequate to perform the heat removal function. However, the
 
overall reliability is reduced because a single failure in
 
the OPERABLE SW loop could result in loss of SW System
 
function. The inoperable SW loop is required to be restored
 
to OPERABLE status within 72 hours unless the criteria for a
 
7 day Completion Time are met, as stated in the 72 hour
 
Completion Time Note. The 7 day Completion Time applies if the three criteria in the 7 day Completion Time Note are met.The first criterion in the 7 day Completion Time Note states that the 7 day Completion Time is only applicable if the
 
inoperability of one SW loop is part of SW System upgrades.
 
Service Water System upgrades include modification and
 
maintenance activities associated with the installation of
 
new discharge headers and spray arrays, mechanical and
 
chemical cleaning of SW System piping and valves, pipe
 
repair and replacement, valve repair and replacement, installation of corrosion mitigation measures and inspection
 
of and repairs to buried piping interior coatings and pump or
 
valve house components. The second criterion in the 7 day
 
Completion Time Note states that the 7 day Completion Time is
 
only applicable if three SW pumps are OPERABLE from initial
 
Condition entry, including one SW pump being allowed to not
 
have automatic start capability. The third criterion in the
 
7 day Completion Time Note states that the 7 day Completion
 
Time is only applicable if two auxiliary SW pumps are OPERABLE from initial Condition entry. The 72 hour and 7 day Completion Times are both based on the redundant
 
capabilities afforded by the OPERABLE loop, and the low
 
probability of a DBA occurring during this time period. The
 
7 day Completion Time also credits the redundant capabilities afforded by three OPERABLE SW pumps (one
 
without automatic start capability) and two OPERABLE
 
auxiliary SW pumps. Changing the designation of the three
 
OPERABLE SW pumps during the 7 day Completion Time is allowed.
North Anna Units 1 and 2B 3.7.8-6Revision 14 SW System B 3.7.8 BASES ACTIONS (continued)
D.1 and D.2If the SW pumps or loop cannot be restored to OPERABLE status within the associated Completion Time, the unit must be
 
placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours.The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems.
E.1 and E.2 If two SW loops are inoperable for reasons other than only
 
two SW pumps being OPERABLE, the SW System cannot perform the safety function. With two SW loops inoperable, the CC System
 
and, consequently, the Residual Heat Removal (RHR) System
 
have no heat sink and are inoperable. Twelve hours is allowed
 
to enter MODE 4, in which the Steam Generators can be used
 
for decay heat removal to maintain reactor temperature.
 
Twelve hours is reasonable, based on operating experience, to reach MODE 4 from full power conditions in an orderly
 
manner and without challenging unit systems. The unit may
 
then remain in MODE 4 until a method to further cool the
 
units becomes available, but actions to determine a method
 
and cool the unit to a condition outside of the Applicability
 
must be initiated within one hour and continued in a
 
reasonable manner and without delay until the unit is
 
brought to MODE 5.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.8.1 This SR is modified by a Note indicating that the isolation
 
of the SW System components or systems may render those
 
components inoperable, but does not affect the OPERABILITY
 
of the SW System.
Verifying the correct alignment for manual, power operated, and automatic valves in the SW System flow path provides
 
assurance that the proper flow paths exist for SW System
 
operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to being locked, sealed, or secured. This SR does not require any testing or (continued)
SW System B 3.7.8 BASESNorth Anna Units 1 and 2B 3.7.8-7Revision 46 SURVEILLANCE REQUIREMENTS SR  3.7.8.1 (continued) valve manipulation; rather, it involves verification that
 
those valves capable of being mispositioned are in the
 
correct position. This SR does not apply to valves that
 
cannot be inadvertently misaligned, such as check valves.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.7.8.2 This SR verifies proper automatic operation of the SW System
 
valves on an actual or simulated actuation signal. The SW
 
System is a normally operating system that cannot be fully actuated as part of normal testing. This Surveillance is not
 
required for valves that are locked, sealed, or otherwise
 
secured in the required position under administrative
 
controls. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
SR  3.7.8.3 This SR verifies proper automatic operation of the SW pumps on an actual or simulated actuation signal. The SW System is
 
a normally operating system that cannot be fully actuated as
 
part of normal testing during normal operation. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 9.2.1.2.UFSAR, Section 6.2.2.3.UFSAR, Section 5.5.4.
Intentionally Blank North Anna Units 1 and 2B 3.7.9-1Revision 0 UHS B 3.7.9 B 3.7  PLANT SYSTEMSB 3.7.9Ultimate Heat Sink (UHS)
BASES BACKGROUND The UHS provides a heat sink for processing and operating
 
heat from safety related components during a transient or accident, as well as during normal operation. This is done by
 
utilizing the Service Water (SW) System.
The ultimate heat sink is the Service Water Reservoir and its
 
associated retaining structures, and is the normal source of
 
service water for Units 1 and 2.The Service Water Reservoir is located approximately 500 ft.
 
south of the station site area. The Service Water Reservoir
 
is adequate to provide sufficient cooling to permit
 
simultaneous safe shutdown and cooldown of both units, and then maintain them in a safe-shutdown condition. Further, in the event of a design basis loss of coolant accident (LOCA)
 
in one unit concurrent with a loss of offsite power to both
 
units, the Service Water Reservoir is designed to provide
 
sufficient water inventory to supply post-LOCA loads on one
 
unit and shutdown and cooldown loads on the other unit and
 
maintain them in a safe-shutdown condition for at least
 
30 days without makeup. After 30 days, makeup to the Service Water Reservoir is provided from the North Anna Reservoir as
 
necessary to maintain cooling water inventory, ensuring a
 
continued cooling capability. The Service Water Reservoir spray system is designed for operation of two units based on
 
the occurrence of a LOCA on one unit with cooldown of the
 
non-accident unit and simultaneous loss of offsite power to
 
both units.
The two principal functions of the UHS are the dissipation of
 
residual heat after reactor shutdown, and dissipation of
 
residual heat after an accident.
The North Anna Reservoir provides a backup source of service
 
water using the auxiliary SW pumps, and can provide makeup
 
water to the Service Water Reservoir using the Circulating
 
Water screen wash pumps, but is not credited for the DBA. The
 
Lake Anna Dam impounds a lake with a surface area of
 
13,000 acres and 305,000 acre-ft. of storage, at its normal-stage elevation of 250 ft., along the channel of the North
 
Anna River. The lake is normally used by the power station as (continued)
North Anna Units 1 and 2B 3.7.9-2Revision 0 UHS B 3.7.9 BASES BACKGROUND (continued) a cooling pond for condenser circulating water. To improve
 
the thermal performance of the lake, it has been divided by a
 
series of dikes and canals into two parts. The larger, referred to as the North Anna Reservoir, is 9600 acres. The
 
smaller part, called the waste heat treatment facility, is
 
3400 acres. When the North Anna Reservoir is used by the SW
 
System, water is withdrawn from the North Anna Reservoir and
 
discharged to the waste heat treatment facility, though it
 
is possible to discharge water to the Service Water
 
Reservoir.
The two sources of water are independent, and each has
 
separate, redundant supply and discharge headers. The only
 
common points are the main redundant supply and discharge
 
headers in the service building where distribution to the
 
components takes place. These common headers are encased in
 
concrete.Additional information on the design and operation of the
 
system, along with a list of components served, can be found in Reference 1.APPLICABLE
 
SAFETY ANALYSES The UHS is the sink for heat removed from the reactor core
 
following all accidents and anticipated operational
 
occurrences in which the unit is cooled down and placed on
 
residual heat removal (RHR) operation. Its maximum post
 
accident heat load occurs in the first hour after a design
 
basis LOCA. During this time, the Recirculation Spray (RS)
 
subsystems have started to remove the core decay heat.The operating limits are based on conservative heat transfer analyses for the worst case LOCA. The analyses provide the
 
details of the assumptions used in the analysis, which
 
include worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and
 
the worst case single active failure (e.g., single failure
 
of an EDG). The UHS is designed in accordance with the
 
Regulatory Guide 1.27 (Ref.
: 2) requirement for a 30 day supply of cooling water in the UHS.
The UHS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
UHS B 3.7.9 BASESNorth Anna Units 1 and 2B 3.7.9-3Revision 46 LCO The UHS is required to be OPERABLE. The UHS is considered OPERABLE if it contains a sufficient volume of water at or below the maximum temperature that would allow the SW System
 
to operate for at least 30 days following the design basis LOCA without the loss of net positive suction head (NPSH),
and without exceeding the maximum design temperature of the
 
equipment served by the SW System. To meet this condition, the Service Water Reservoir temperature should not exceed
 
95&deg;F and the level should not fall below 313 ft mean sea level during normal unit operation.
APPLICABILITY In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and
 
required to be OPERABLE in these MODES.
In MODE 5 or 6, the OPERABILITY requirements of the UHS are determined by the systems it supports.
ACTIONS A.1 and A.2 If the UHS is inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the
 
unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours.The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.9.1 This SR verifies that adequate long term (30 day) cooling can be maintained. The specified level also ensures that
 
sufficient NPSH is available to operate the SW pumps. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.7.9-4Revision 46 UHS B 3.7.9 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.7.9.2 This SR verifies that the SW System is available with the
 
maximum accident or normal design heat loads for 30 days following a Design Basis Accident. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 9.2.2.Regulatory Guide 1.27, March, 1974.
North Anna Units 1 and 2B 3.7.10-1Revision 39 MCR/ESGR EVS B 3.7.10 B 3.7  PLANT SYSTEMSB 3.7.10Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS)
BASES BACKGROUND The MCR/ESGR Emergency Ventilation System (EVS) provides a
 
protected environment from which occupants can control the
 
unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke. The MCR/ESGR EVS consists of
 
four 100% capacity redundant trains (2 per unit) that can filter and recirculate air inside the MCR/ESGR envelope or
 
supply filtered makeup air to the MCR/ESGR envelope, and a
 
MCR/ESGR boundary that limits the inleakage of unfiltered
 
air. Each train consists of a heater, demister filter, a high
 
efficiency particulate air (HEPA) filter, an activated
 
charcoal adsorber section for removal of gaseous activity (principally iodines), and a fan (Ref.
1). Ductwork, valves, dampers, doors, barriers, and instrumentation also form part
 
of the system. One EVS train is capable of performing the
 
safety function of supplying outside filtered air. In the
 
event of a Safety Injection (SI), the two MCR/ESGR EVS trains on the accident unit actuate automatically in recirculation.
 
All available trains of MCR/ESGR EVS start automatically on
 
a fuel building radiation monitor signal or manual actuation
 
of the MCR/ESGR Isolation Actuation Instrumentation. These
 
trains can also be aligned to provide filtered outside air
 
when appropriate. Either train from the other unit can be
 
manually actuated to provide filtered outside air
 
approximately 60 minutes after the event. However, due to the location of the air intake for 1-HV-F-41, it can not be
 
used to satisfy the requirements of LCO 3.7.10. Two of the three remaining trains (1-HV-F-42, 2-HV-F-41, and 2-HV-F-42)
 
are required for independence and redundancy.The MCR/ESGR envelope is the area within the confines of the
 
MCR/ESGR envelope boundary that contains the spaces that
 
control room occupants inhabit to control the unit during
 
normal and accident conditions. This area encompasses the
 
control room, and may encompass other non-critical areas to
 
which frequent personnel access or continuous occupancy is
 
not necessary in the event of an accident. The MCR/ESGR
 
envelope is protected during normal operation, natural (continued)
North Anna Units 1 and 2B 3.7.10-2Revision 39 MCR/ESGR EVS B 3.7.10 BASES BACKGROUND (continued) events, and accident conditions. The MCR/ESGR envelope
 
boundary is the combination of walls, floor, roof, ducting, doors, penetrations and equipment that physically form the
 
MCR/ESGR envelope. The OPERABILITY of the MCR/ESGR envelope
 
boundary must be maintained to ensure that the inleakage of
 
unfiltered air into the MCR/ESGR envelope will not exceed
 
the inleakage assumed in the licensing basis analysis of
 
design basis accident (DBA) consequences to MCR/ESGR
 
envelope occupants. The MCR/ESGR envelope and its boundary
 
are defined in the MCR/ESGR Envelope Habitability Program.
Upon receipt of an actuating signal(s) (i.e., SI, fuel building radiation monitors or manual), normal air supply to
 
and exhaust from the MCR/ESGR envelope is isolated, and at least two trains of MCR/ESGR EVS receive a signal to actuate
 
to recirculate air in the MCR/ESGR envelope. Approximately
 
60 minutes after actuation of the MCR/ESGR Isolation Actuation Instrumentation, a single MCR/ESGR EVS train is manually actuated or aligned to provide filtered outside air to the MCR/ESGR envelope through HEPA filters and charcoal adsorbers. The demisters remove any entrained water droplets
 
present, to prevent excessive moisture loading of the HEPA
 
filters and charcoal adsorbers. Continuous operation of each
 
train for at least 10 hours per month, with the heaters on, reduces moisture buildup on the HEPA filters and adsorbers.
 
Both the demister and heater are important to the
 
effectiveness of the HEPA filters and charcoal adsorbers.
Although not assumed in the Analysis of Record, pressurization of the MCR/ESGR envelope minimizes
 
infiltration of unfiltered air through the MCR/ESGR envelope
 
boundary from all the surrounding areas adjacent to the
 
MCR/ESGR envelope boundary.
Redundant MCR/ESGR EVS supply and recirculation trains
 
provide the required filtration of outside air should an
 
excessive pressure drop develop across the other filter
 
train.(continued)
MCR/ESGR EVS B 3.7.10 BASESNorth Anna Units 1 and 2B 3.7.10-3Revision 39 BACKGROUND (continued)
The MCR/ESGR EVS is designed in accordance with Seismic Category I requirements. Any of the actuation signal(s) will isolate the MCR/ESGR envelope and start the MCR/ESGR EVS trains for the affected unit in recirculation. Requiring two
 
of the three MCR/ESGR EVS trains provides redundancy, assuring that at least one train is available to be realigned to provide filtered outside air.
The MCR/ESGR EVS is designed to maintain a habitable
 
environment in the MCR/ESGR envelope for 30 days of continuous occupancy after a DBA without exceeding the
 
control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref.
: 3) for alternative source terms.
APPLICABLE
 
SAFETY ANALYSES The MCR/ESGR EVS components are arranged in redundant, safety related ventilation trains. The location of most
 
components and ducting within the MCR/ESGR envelope ensures
 
an adequate supply of filtered air to all areas requiring
 
access. The MCR/ESGR EVS provides airborne radiological
 
protection for the MCR/ESGR envelope occupants, as
 
demonstrated by the MCR/ESGR envelope accident dose analyses
 
for the most limiting DBA (LOCA) fission product release
 
presented in the UFSAR, Chapter 15 (Ref. 2). The accident analysis assumes that at least one train is aligned to
 
provide filtered outside air to the MCR/ESGR envelope
 
approximately 60 minutes after MCR/ESGR envelope isolation, but does not take any credit for automatic start of the
 
trains in the recirculation mode or any filtration of
 
recirculated air. Since the MCR/ESGR EVS train associated
 
with 1-HV-F-41 can not be used to provide filtered outside
 
air (due to the location of its air intake with respect to
 
Vent Stack B), it can not be used to satisfy the requirements of LCO 3.7.10.The North Anna UFSAR describes potentially hazardous
 
chemicals stored onsite in quantities greater than 100 lb. These include hydrogen, sulfuric acid, sodium hydroxide, hydrazine, ethanolamine, and sodium hypochlorite.
 
Evaluations for accidental release of these chemicals
 
indicate that the worst-case concentrations at the control
 
room intake would be expected to be less than their (continued)
North Anna Units 1 and 2B 3.7.10-4Revision 39 MCR/ESGR EVS B 3.7.10 BASES APPLICABLE
 
SAFETY ANALYSES (continued) respective toxicity limit (Refs.
1 and 4). The assessment assumed no action being taken by the control room operator (i.e., normal or emergency supply system remains operating).
In the event of fire/smoke external to the MCR/ESGR
 
envelope, equipment and procedures are available to maintain
 
habitability of the control room. Smoke detectors are
 
installed in the return ducts to the MCR Air-Handling Units (AHUs), in the near vicinity of the ESGR AHUs, and in the
 
MCR/ESGR EVS supply ducts, as well as other numerous
 
locations in the ESGRs and MCR. Smoke detectors are also
 
installed in the MCR/ESGR chiller rooms, which are
 
ventilated with air from the Turbine Building, and the
 
Mechanical Equipment rooms. If smoke is detected, the MCR/ESGR normal and EVS supply can be manually isolated. The
 
fire response procedures provide direction for removing
 
smoke from the MCR or ESGRs. (Ref.
5)For the remainder of the DBAs, MCR/ESGR envelope isolation
 
is not assumed. Normal ventilation with 500 cfm of additional inleakage is assumed. The safety analysis for a
 
fuel handling accident (FHA) assumes isolation of the
 
MCR/ESGR envelope.
The worst case single active failure of a component of the
 
MCR/ESGR EVS, assuming a loss of offsite power, does not
 
impair the ability of the system to perform its design
 
function.The MCR/ESGR EVS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Two independent and redundant MCR/ESGR EVS trains are required to be OPERABLE to ensure that at least one train is
 
available to be manually ali gned to provide outside filtered air to the MCR/ESGR envelope, if a single active failure
 
disables one of the two required OPERABLE trains. Total
 
system failure, such as from a loss of both required EVS
 
trains or from an inoperable MCR/ESGR envelope boundary, could result in exceeding the control room operator dose
 
limits of 10 CFR 50, Appendix A, GDC-19 (Ref.
: 3) for alternative source terms, in the event of a large
 
radioactive release.(continued)
MCR/ESGR EVS B 3.7.10 BASESNorth Anna Units 1 and 2B 3.7.10-5Revision 39 LCO (continued)
The MCR/ESGR EVS is considered OPERABLE when the individual components necessary to limit MCR/ESGR envelope occupant
 
exposure are OPERABLE in the two required trains of the
 
MCR/ESGR EVS. 1-HV-F-41 can not be used to satisfy the
 
requirements of LCO 3.7.10.An MCR/ESGR EVS train is OPERABLE when the associated:a.Fan is OPERABLE;b.Demister filters, HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of
 
performing their filtration functions; andc.Heater, ductwork, valves, and dampers are OPERABLE, and air flow can be maintained.
The MCR/ESGR EVS is shared by Unit 1 and Unit 2.In order for the MCR/ESGR EVS trains to be considered
 
OPERABLE, the MCR/ESGR envelope boundary must be maintained
 
such that the MCR/ESGR envelope occupant dose from a large
 
radioactive release does not exceed the calculated dose in
 
the licensing basis consequence analyses for DBAs, and that
 
MCR/ESGR envelope occupants are protected from hazardous
 
chemicals and smoke.
The LCO is modified by a Note allowing the MCR/ESGR envelope boundary to be opened intermittently under administrative
 
controls. This Note only applies to openings in the MCR/ESGR envelope boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access
 
panels. For entry and exit through doors the administrative
 
control of the opening is performed by the person(s)
 
entering or exiting the area. For other openings, these
 
controls should be proceduralized and consist of stationing
 
a dedicated individual at the opening who is in continuous
 
communication with the operators in the MCR/ESGR envelope.
 
This individual will have a method to rapidly close the
 
opening and restore the MCR/ESGR envelope boundary to a condition equivalent to the design condition when a need for MCR/ESGR isolation is indicated.
North Anna Units 1 and 2B 3.7.10-6Revision 39 MCR/ESGR EVS B 3.7.10 BASES APPLICABILITY In MODES 1, 2, 3, and 4, MCR/ESGR EVS must be OPERABLE to ensure that the MCR/ESGR envelope will remain habitable
 
during and following a DBA.
The MCR/ESGR EVS must be OPERABLE to respond to the release
 
from a FHA involving recently irradiated fuel assemblies.
The MCR/ESGR EVS is only required to be OPERABLE during fuel handling involving recently irradiated fuel assemblies (i.e., fuel assemblies that have occupied part of a critical reactor core within the previous 300 hours) due to radioactive decay.
ACTIONS A.1 When one required MCR/ESGR EVS train is inoperable, for
 
reasons other than an inoperable MCR/ESGR envelope boundary, action must be taken to restore OPERABLE status within
 
7 days. In this Condition, the remaining required OPERABLE MCR/ESGR EVS train is adequate to perform the MCR/ESGR
 
envelope occupant protection function. However, the overall
 
reliability is reduced because a failure in the required
 
OPERABLE EVS trains could result in loss of MCR/ESGR EVS
 
function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and
 
ability of the remaining trains to provide the required
 
capability.
B.1 , B.2, and B.3 If the unfiltered inleakage of potentially contaminated air
 
past the MCR/ESGR envelope boundary and into the MCR/ESGR
 
envelope can result in MCR/ESGR envelope occupant
 
radiological dose greater than the calculated dose of the
 
licensing basis analyses of DBA consequences (allowed to be
 
up to 5 rem total effective dose equivalent), or inadequate protection of MCR/ESGR envelope occupants from hazardous
 
chemicals or smoke, the MCR/ESGR envelope boundary is
 
inoperable. Actions must be taken to restore an OPERABLE MCR/ESGR envelope boundary within 90 days. During the period
 
that the MCR/ESGR envelope boundary is considered inoperable, action must be initiated to implement mitigating
 
actions to lessen the effect on MCR/ESGR envelope occupants
 
from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within
 
24 hours to verify that in the event of a DBA, the mitigating actions will ensure that MCR/ESGR envelope occupant (continued)
MCR/ESGR EVS B 3.7.10 BASESNorth Anna Units 1 and 2B 3.7.10-7Revision 39 ACTIONS B.1 (continued) radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and
 
that MCR/ESGR envelope occupants are protected from
 
hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of
 
the inoperable MCR/ESGR envelope boundary) should be
 
preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional.
 
The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is
 
reasonable based on the determination that the mitigating
 
actions will ensure protection of MCR/ESGR envelope
 
occupants within analyzed limits while limiting the
 
probability that MCR/ESGR envelope occupants will have to
 
implement protective measures that may adversely affect
 
their ability to control the reactor and maintain it in a
 
safe shutdown condition in the event of a DBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the
 
MCR/ESGR envelope boundary.
C.1 and C.2 In MODE 1, 2, 3, or 4, if the inoperable required MCR/ESGR EVS train or the inoperable MCR/ESGR envelope boundary
 
cannot be restored to OPERABLE status within the required
 
Completion Time, the unit must be placed in a MODE that
 
minimizes accident risk. To achieve this status, the unit
 
must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
D.1.1, D.1.2, and D.2 During movement of recently irradiated fuel, if the
 
inoperable MCR/ESGR EVS train cannot be restored to OPERABLE
 
status within the required Completion Time, the MCR/ESGR
 
envelope must be isolated immediately and the remaining
 
OPERABLE MCR/ESGR train placed in service within one hour.
 
These actions will ensure that the MCR/ESGR envelope is in a configuration that would protect the occupants from
 
radioactive exposure consistent with the DBA assumptions and
 
ensure that any active failures would be readily detected.
North Anna Units 1 and 2B 3.7.10-8Revision 46 MCR/ESGR EVS B 3.7.10 BASES ACTIONS D.1.1, D.1.2, and D.2 (continued)
An alternative to Required Action D.1 is to immediately suspend activities that present a potential for releasing
 
radioactivity that might require isolation of the control
 
room. This places the unit in a condition that minimizes accident risk. This does not preclude the movement of fuel to
 
a safe position.
E.1During movement of rece ntly irradiated fuel assemblies, if a required train of MCR/ESGR EVS train becomes inoperable due
 
to an inoperable MCR/ESGR envelope boundary or two required
 
MCR/ESGR EVS trains inoperable, action must be taken
 
immediately to suspend activities that could result in a
 
release of radioactivity that might require isolation of the
 
control room. This places the unit in a condition that
 
minimizes risk. This does not preclude the movement of fuel
 
to a safe position.
F.1 When two required MCR/ESGR EVS trains are inoperable in
 
MODE 1, 2, 3, or 4 for reasons other than an inoperable MCR/ESGR envelope boundary (i.e., Condition B), the MCR/ESGR EVS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses.
Therefore, LCO 3.0.3 must be entered immediately.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.10.1 Standby systems should be checked periodically to ensure
 
that they function properly. As the environment and normal operating conditions on the MCR/ESGR EVS are not too severe, testing each required train once every month provides an adequate check of this syste
: m. Monthly heater operations dry out any moisture accumulated in the charcoal and HEPA
 
filters from humidity in the ambient air. Each required
 
train must be operated for  10 continuous hours with the heaters energized. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.
MCR/ESGR EVS B 3.7.10 BASESNorth Anna Units 1 and 2B 3.7.10-9Revision 39 SURVEILLANCE REQUIREMENTS (continued)
SR  3.7.10.2 This SR verifies that the required MCR/ESGR EVS testing is
 
performed in accordance with the Ventilation Filter Testing
 
Program (VFTP). The VFTP includes testing the performance of the demister filter, HEPA filter, charcoal adsorber
 
efficiency, minimum and maximum flow rate, and the physical
 
properties of the activated charcoal. Specific test
 
Frequencies and additional information are discussed in
 
detail in the VFTP.
SR  3.7.10.3 Not Used SR  3.7.10.4 This SR verifies the OPERABILITY of the MCR/ESGR envelope
 
boundary by testing for unfiltered air inleakage past the
 
MCR/ESGR envelope boundary and into the MCR/ESGR envelope.
 
The details of the testing are specified in the MCR/ESGR
 
Envelope Habitability Program. The MCR/ESGR envelope is
 
considered habitable when the radiological dose to MCR/ESGR
 
envelope occupants calculated in the licensing basis
 
analyses of DBA consequences is no more than 5 rem TEDE and
 
the MCR/ESGR envelope occupants are protected from hazardous
 
chemicals and smoke. This SR verifies that the unfiltered
 
air inleakage into the MCR/ESGR envelope is no greater than the flow rate assumed in the licensing basis analyses of DBA
 
consequences. When unfiltered air inleakage is greater than
 
the assumed flow rate, Condition B must be entered. Required Action B.3 allows time to restore the MCR/ESGR envelope boundary to OPERABLE status provided mitigating actions can
 
ensure that the MCR/ESGR envelope remains within the
 
licensing basis habitability limits for the occupants
 
following an accident. Compensatory measures are discussed
 
in Regulatory Guide 1.196, Section C.2.7.3, (Ref.
: 6) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 7). These compensatory measures may also be used as mitigating actions as required by Required
 
Action B.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref.
8). Options for restoring the MCR/ESGR envelope boundary to
 
OPERABLE status include changing the licensing basis DBA
 
consequence analysis, repairing the MCR/ESGR envelope
 
boundary, or a combination of these actions.(continued)
North Anna Units 1 and 2B 3.7.10-10Revision 39 MCR/ESGR EVS B 3.7.10 BASES SR  3.7.10.4 (continued)
Depending upon the nature of the problem and the corrective
 
action, a full scope inleakage test may not be necessary to
 
establish that the MCR/ESGR envelope boundary has been
 
restored to OPERABLE status.
REFERENCES1.UFSAR, Section 6.4.2.UFSAR, Chapter 15.3.10 CFR 50, Appendix A.4.Control Room Habitability Study (Supplement to 1980 Onsite Control Room Ha bitability Study - North Anna Power Station Units 1 and 2, January 1982.5.Letter from L.N. Hartz (Virginia Electric and Power Company) to the USNRC, dated March 3, 2004, Response to Generic Letter 2003-01, "Control Room Habitability -
Control Room Testing & Technical Information."6.Regulatory Guide 1.196.7.NEI 99-03, "Control Room Habitability Assessment,"
June 2001.8.Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS
 
Accession No.
ML040300694)
North Anna Units 1 and 2B 3.7.11-1Revision 15 MCR/ESGR ACS B 3.7.11 B 3.7  PLANT SYSTEMSB 3.7.11Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning System (ACS)
BASES BACKGROUND The MCR/ESGR ACS provides cooling for the MCR/ESGR envelope
 
following isolation of the MCR/ESGR envelope. The MCR/ESGR
 
ACS also provides cooling for the MCR/ESGR envelope during
 
routine unit operation.
The MCR/ESGR ACS consists of two independent and redundant
 
subsystems that provide cooling of MCR/ESGR envelope air.
 
Each subsystem consists of two air handling units (one for
 
the MCR and one for the ESGR), one chiller in one subsystem
 
and two chillers in the other, valves, piping, instrumentation, and controls to provide for MCR/ESGR
 
envelope cooling. One subsystem has one chiller, the other
 
has two chillers, either of which can be used by that
 
subsystem, but which are not electrically independent from
 
each other.
The MCR/ESGR ACS is an emergency system, parts of which may
 
also operate during normal unit operations. A single
 
subsystem will provide the required cooling to maintain the
 
MCR/ESGR envelope within design limits. The MCR/ESGR ACS
 
operation in maintaining the MCR/ESGR envelope temperature
 
is discussed in the UFSAR, Section 9.4 (Ref. 1).APPLICABLE
 
SAFETY ANALYSES The design basis of the MCR/ESGR ACS is to maintain the
 
MCR/ESGR envelope temperature within limits for 30 days of continuous occupancy after a DBA.
The MCR/ESGR ACS components are arranged in redundant, safety related subsystems. During emergency operation, the MCR/ESGR ACS maintains the temperature within design limits.
 
A single active failure of a component of the MCR/ESGR ACS, with a loss of offsite power, does not impair the ability of
 
the system to perform its design function. The MCR/ESGR ACS
 
is designed in accordance with Seismic Category I requirements. The MCR/ESGR ACS is capable of removing
 
sensible and latent heat loads from the MCR/ESGR envelope, which include consideration of equipment heat loads and
 
personnel occupancy requirements, to ensure equipment
 
OPERABILITY.(continued)
North Anna Units 1 and 2B 3.7.11-2Revision 20 MCR/ESGR ACS B 3.7.11 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The MCR/ESGR ACS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Two independent and redundant subsystems of the MCR/ESGR
 
ACS, providing cooling to the unit ESGR and associated
 
portion of the MCR, are required to be OPERABLE to ensure
 
that at least one is available, assuming a single failure
 
disabling the other subsystem. Total system failure could
 
result in the equipment operating temperature exceeding
 
limits in the event of an accident.
The MCR/ESGR ACS is considered to be OPERABLE when the
 
individual components necessary to cool the MCR/ESGR
 
envelope air are OPERABLE in both required subsystems. Each
 
subsystem consists of two air handling units (one for the MCR
 
and one for the ESGR), one chiller, valves, piping, instrumentation and controls. The two subsystems provide air
 
temperature cooling to the portion of the MCR/ESGR envelope
 
associated with the unit. In addition, an OPERABLE MCR/ESGR
 
ACS must be capable of maintaining air circulation. An MCR/ESGR ACS subsystem does not have to be in operation to be considered OPERABLE. The MCR/ESGR ACS is considered OPERABLE when it is capable of being started by manual actions within
 
10 minutes. The time of 10 minutes is based on the time required to start the system manually following required
 
testing.APPLICABILITY In MODES 1, 2, 3, and 4, and during movement of recently irradiated fuel assemblies, the MCR/ESGR ACS must be
 
OPERABLE to ensure that the MCR/ESGR envelope temperature will not exceed equipment operational requirements following
 
isolation of the MCR/ESGR envelope.
The MCR/ESGR ACS is only required to be OPERABLE during fuel handling involving
 
handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous
 
300 hours), due to radioactive decay.
ACTIONS A.1 With one or more required MCR/ESGR ACS subsystem inoperable, and at least 100% of the MCR/ESGR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available, action
 
must be taken to restore OPERABLE status within 30 days. In (continued)
MCR/ESGR ACS B 3.7.11 BASESNorth Anna Units 1 and 2B 3.7.11-3Revision 20 ACTIONS A.1 (continued) this Condition, the remaining OPERABLE MCR/ESGR ACS subsystem is adequate to maintain the MCR/ESGR envelope
 
temperature within limits. However, the overall reliability
 
is reduced because a single failure in the OPERABLE MCR/ESGR
 
ACS subsystem could result in loss of MCR/ESGR ACS function.
 
The 30 day Completion Time is based on the low probability of an event requiring MCR/ESGR envelope isolation, the
 
consideration that the remaining subsystem can provide the
 
required protection, and that alternate safety or nonsafety
 
related cooling means are available.
The LCO requires the OPERABILITY of a number of independent
 
components. Due to the redundancy of subsystems and the
 
diversity of components, the inoperability of one active
 
component in a subsystem does not render the MCR/ESGR ACS
 
incapable of performing its function. Neither does the
 
inoperability of two different components, each in a
 
different subsystem, necessarily result in a loss of
 
function for the MCR/ESGR ACS (e.g., an inoperable chiller
 
in one subsystem, and an inoperable air handler in the other). This allows increased flexibility in unit operations
 
under circumstances when components in opposite subsystems
 
are inoperable.
B.1 and B.2 In MODE 1, 2, 3, or 4, if the inoperable MCR/ESGR ACS subsystem cannot be restored to OPERABLE status within the
 
required Completion Time, the unit must be placed in a MODE
 
that minimizes the risk. To achieve this status, the unit
 
must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
C.1 and C.2During movement of recently irradiated fuel, if the required inoperable MCR/ESGR ACS subsystems cannot be restored to
 
OPERABLE status within the required Completion Time, the
 
OPERABLE MCR/ESGR ACS subsystem must be placed in operation
 
immediately. This action ensures that the remaining
 
subsystem is OPERABLE and that active failures will be
 
readily detected.(continued)
North Anna Units 1 and 2B 3.7.11-4Revision 46 MCR/ESGR ACS B 3.7.11 BASES ACTIONS C.1 and C.2 (continued)
An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing
 
radioactivity that might require isolation of the MCR/ESGR envelope. This places the unit in a condition that minimizes accident risk. This does not preclude the movement of fuel to
 
a safe position.
D.1 During movement of recently irradiated fuel assemblies, with
 
less than 100% of the MCR/ESGR ACS cooling equivalent to a
 
single OPERABLE MCR/ESGR ACS subsystem available, action
 
must be taken immediately to suspend activities that could
 
result in a release of radioactivity that might require isolation of the MCR/ESGR envelope. This places the unit in a
 
condition that minimizes risk. This does not preclude the
 
movement of fuel to a safe position.
E.1With less than 100% of the MCR/ESGR ACS cooling equivalent to
 
a single OPERABLE MCR/ESGR ACS subsystem available in
 
MODE 1, 2, 3, or 4, the MCR/ESGR ACS may not be capable of performing its intended function. Therefore, LCO 3.0.3 must be entered immediately.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.11.1This SR verifies that the heat removal capability of any one of the three chillers for the unit is sufficient to remove the heat load assumed in the safety analyses in the MCR/ESGR envelope. This SR consists of a combination of testing and
 
calculations. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program.REFERENCES1.UFSAR, Section 9.4.
North Anna Units 1 and 2B 3.7.12-1Revision 45 ECCS PREACS B 3.7.12 B 3.7  PLANT SYSTEMSB 3.7.12Emergency Core Cooling Syst em (ECCS) Pump Room Exhaust Air Cleanup System (PREACS)
BASES BACKGROUND The ECCS PREACS filters air from the area of the active ECCS
 
components during the recirculation phase of a loss of
 
coolant accident (LOCA). The ECCS PREACS, in conjunction
 
with other normally operating systems, also provides
 
environmental control of temperature in the ECCS pump room
 
areas.The charging/high head safety injection pump motors have
 
internal fans that provide design cooling requirements without reliance on the central exhaust fans. The associated equipment in the Safeguards Building, Low Head Safety
 
Injection (LHSI) and Outside Recirculation Spray (OSRS)
 
pumps, remain operable for at least 60 minutes without the safeguards exhaust fans in service.
The ECCS PREACS consists of two subsystems, the Safeguards
 
Area Ventilation subsystem and the Auxiliary Building
 
Central Exhaust subsystem. There are two redundant trains in
 
the Safeguards Area Ven tilation subsystem. Each train of the Safeguards Area Ventilation subsystem consists of one
 
Safeguards Area exhaust fan, prefilter, and high efficiency
 
particulate air (HEPA) filter and charcoal adsorber assembly
 
for removal of gaseous activity (principally iodines)
(shared with the other unit), and controls for the
 
Safeguards Area exhaust filter and bypass dampers. Ductwork, valves or dampers, and instrumentation al so form part of the subsystem. The subsystem automatically initiates filtered ventilation of the safe guards pump room following receipt of a Containment Hi-Hi signal from the affected unit.The Auxiliary Building Central exhaust subsystem consists of
 
the following: three redundant central area exhaust fans (shared with other unit), two redundant filter banks consisting of HEPA filter and charcoal adsorber assembly for removal of gaseous activity (principally iodines) (shared
 
with the other unit), and two redundant trains of controls
 
for the Auxiliary Building Central exhaust subsystem filter (continued)
North Anna Units 1 and 2B 3.7.12-2Revision 45 ECCS PREACS B 3.7.12 BASES BACKGROUND (continued) and bypass dampers (shared with the other unit). Ductwork, valves or dampers, and instrumentation also form part of the subsystem. The subsystem initiates filtered ventilation of
 
the charging pump cubicles following manual actuation.
The Auxiliary Building filter banks are shared by the
 
Safeguards Area Ventilation subsystem and the Auxiliary
 
Building Central Exhaust subsystem. Either Auxiliary
 
Building filter bank may be aligned to either ECCS PREACS
 
train. These filter banks are also used by the Auxiliary
 
Building General area exhaust, fuel building exhaust, decontamination building exhaust, and containment purge
 
exhaust.One Safeguards Area exhaust fan is normally operating and
 
dampers are aligned to bypass the HEPA filters and charcoal
 
adsorbers. During emergency operations, the ECCS PREACS
 
dampers are realigned to begin filtration. Upon receipt of
 
the actuating Engineered Safety Feature Actuation System
 
signal(s), normal air discharges from the Safeguards Area
 
room are diverted through the filter banks. Two Auxiliary
 
Building Central Exhaust fans are normally operating. Air
 
discharges from the Auxiliary Building Central Exhaust area
 
are manually diverted through the filter banks. Required
 
Safeguards Area and Auxiliary Building Central Exhaust area
 
fans are manually actuated if they are not already
 
operating. The prefilters remove any large particles in the
 
air to prevent excessive loading of the HEPA filters and
 
charcoal adsorbers.
The ECCS PREACS is discussed in the UFSAR, Section 9.4 (Ref. 1) and it may be used for normal, as well as post accident, atmospheric cleanup functions. The primary purpose of the heaters is to maintain the relative humidity at an
 
acceptable level during normal operations, generally
 
consistent with iodine removal efficiencies per Regulatory
 
Guide 1.52 (Ref.
3). The heaters are not required for post-accident conditions.
APPLICABLE
 
SAFETY ANALYSES The design basis of the ECCS PREACS is established by the large break LOCA. The system evaluation assumes ECCS leakage
 
outside containment, such as safety injection pump leakage, during the recirculation mode. In such a case, if ECCS
 
leakage exceeds certain levels, the system is required in
 
order to limit radioactive release to within the control
 
room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (continued)
ECCS PREACS B 3.7.12 BASESNorth Anna Units 1 and 2B 3.7.12-3Revision 45 APPLICABLE SAFETY ANALYSES (continued)(Ref. 4) for alternative source terms. The analysis of the effects and consequences of a large break LOCA is presented
 
in Reference
: 2. The ECCS PREACS also may actuate following a small break LOCA, in those cases where the ECCS goes into the recirculation mode of long term cooling, to clean up
 
releases of smaller leaks, such as from valve stem packing.
 
The analyses assume the filtration by the ECCS PREACS does
 
not begin for 60 minutes following an accident.
The ECCS PREACS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Two redundant trains of the ECCS PREACS are required to be
 
OPERABLE to ensure that at least one is available. Total
 
system failure could result in elevated temperatures within
 
the Safeguards Area, or in exceeding the control room
 
operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 4) for alternative source terms.
ECCS PREACS is considered OPERABLE when the individual
 
components necessary to maintain the ECCS pump room
 
ventilation and filtration are OPERABLE in both trains.
An ECCS PREACS train is considered OPERABLE when its
 
associated:a.Safeguards Area exhaust fan is OPERABLE;b.One Auxiliary Building HEPA filter and charcoal adsorber assembly (shared with the other unit) is OPERABLE;c.One Auxiliary Building Central exhaust system fan (shared with other unit) is OPERABLE;d.HEPA filter and charcoal adsorbers are not excessively restricting flow, and are capable of performing their
 
filtration functions; ande.Ductwork, valves, and dampers are OPERABLE.
Safeguards Area and Auxiliary Building Central exhaust will
 
fail safe to the FILTER position upon loss of power or
 
instrument air. Dampers are considered OPERABLE if capable
 
of moving to the safety position, or if administratively
 
placed in the accident position.(continued)
North Anna Units 1 and 2B 3.7.12-4Revision 45 ECCS PREACS B 3.7.12 BASES LCO (continued)
Portions of ECCS PREACS may be removed from service (e.g.,
tag out fans, open ductwork, etc.), in order to perform
 
required testing and maintenance. The system is OPERABLE in
 
this condition if it can be restored to service and perform
 
its function within 60 minutes following an accident.
In addition, the required Safeguards Area and charging pump
 
cubicle boundaries for charging pumps not isolated from the
 
Reactor Coolant System must be maintained, including the
 
integrity of the walls, floors, ceilings, ductwork, and
 
access doors, except for those openings which are left open
 
by design, including charging pump ladder wells.
The LCO is modified by a Note allowing the ECCS pump room
 
boundary openings not open by design to be opened
 
intermittently under administrative controls. For entry and exit through doors the administrative control of the opening
 
is performed by the person(s) entering or exiting the area.
 
For other openings, these controls consist of stationing a
 
dedicated individual at the opening who is in continuous
 
communication with the control room. This individual will
 
have a method to rapidly close the opening when a need for
 
ECCS pump room isolation is indicated.
APPLICABILITY In MODES 1, 2, 3, and 4, the ECCS PREACS is required to be OPERABLE consistent with the OPERABILITY requirements of the
 
ECCS.In MODE 5 or 6, the ECCS PREACS is not required to be OPERABLE since the ECCS is not required to be OPERABLE.
ACTIONS A.1 With one ECCS PREACS train inoperable for reasons other than
 
Condition B (for example, insufficient ventilation exhaust
 
flow rate), action must be taken to restore OPERABLE status
 
within 7 days. During this time, the remaining OPERABLE train is adequate to perform the ECCS PREACS function.
The 7 day Completion Time is appropriate because the risk contribution is less than that for the ECCS (72 hour Completion Time), and there are backup ventilation systems
 
for these ECCS pump rooms available to provide cooling as (continued)
ECCS PREACS B 3.7.12 BASESNorth Anna Units 1 and 2B 3.7.12-5Revision 45 ACTIONS A.1 (continued) needed. The 7 day Completion Time is based on the low probability of a Design Basis Accident (DBA) occurring
 
during this time period, and ability of the remaining train
 
to provide the required capability.
With two ECCS PREACS trains inoperable for reasons other
 
than Condition C or D, LCO 3.0.3 must be entered immediately.
B.1.1, B.1.2, and B.1.3 With one ECCS PREACS train inoperable due to loss of its
 
filtration capability, action must be taken within one hour
 
to determine if the filtration capability is required (Action B.1.1). This is determined based on comparing the most recent ECCS system operational leakage log value
 
against design basis unfiltered leakage assumptions. If the
 
current total ECCS leakage is less than the maximum
 
allowable unfiltered leakage assumed in the design bases, then the filtration capability of ECCS PREACS is not
 
required and an extended period to restore operability can be applied. The value for "maximum allowable unfiltered ECCS
 
leakage" is documented in the UFSAR (reference 6). During
 
this time, both trains remain operable to perform the
 
ventilation exhaust/cooling function. (For example, a
 
problem with the filter itself or its housing affects a
 
single train, and both trains remain operable to perform the
 
ventilation function using either the flow path of the
 
remaining filter or the flow path of the bypass ductwork.)
The action to restore the inoperable train's filtration to operable status within 30 days (Action B.1.3) is reasonable, consistent with:(a)the dose analysis shows that no filtration function is required when ECCS leakage is less than the
 
maximum allowable unfiltered leakage,(b)significant margin exists between operating limits and actual dose limits,(c)the time necessary to complete repairs on the filter assembly and/or associated dampers may be
 
significant, and(d)the other train of ECCS filtration remains operable to perform its intended safety function if needed.(continued)
North Anna Units 1 and 2B 3.7.12-6Revision 45 ECCS PREACS B 3.7.12 BASES ACTIONS B.1.1, B.1.2, and B.1.3 (continued)
In addition, ECCS leakage is required to be monitored by
 
walking down the areas every 12 hours in order to determine whether or not filtration capability is required (Action B.1.2). Establishing monitoring on a 12 hour frequency is based on operating history, which indicated
 
that a sudden change in ECCS leakage is not expected, and the
 
conservatisms in the design basis dose calculations.
B.2 If total ECCS leakage is equa l to or greater than the maximum allowable unfiltered leakage limit then the filtration
 
capability of ECCS PREACS is required and actions must be
 
taken to restore Operability of the filter within seven days
 
consistent with an inoperable PREACS train for any other
 
reason.C.1.1, C.1.2, and C.1.3If two ECCS PREACS trains are inoperable due to loss of their
 
filtration capability, action must be taken within one hour
 
to determine if the filtration capability is required (Action C.1.1). This is determined based on the Unit's operational ECCS leakage. If the current total ECCS leakage
 
is less than the maximum allowable unfiltered leakage, then
 
the filtration capability of ECCS PREACS is not immediately
 
required and an extended period to restore operability can
 
be applied. During this time, both trains remain operable to
 
perform the ventilation exhaust/cooling function. Both
 
trains of ECCS PREACS may be made inoperable without
 
affecting the ventilation exhaust function by potential
 
problems such as an inoperable bypass damper or a charcoal
 
adsorber issue.
If the filtration capability of ECCS PREACS is not required, actions to restore the filtration function and restore at
 
least one inoperable train to operable status within 14 days (Action C.1.3) are reasonable, consistent with:(a)the dose analysis shows that no filtration is required when ECCS leakage is less than the maximum
 
allowable unfiltered leakage,(b)significant margin exists between operating limits and actual dose limits, (continued)
ECCS PREACS B 3.7.12 BASESNorth Anna Units 1 and 2B 3.7.12-7Revision 45 ACTIONS C.1.1, C.1.2, and C.1.3 (continued)(c)operating history indicates that a sudden change in ECCS leakage to greater than the maximum allowable
 
unfiltered leakage is not expected,(d)the time necessary to complete repairs on the filter assembly and/or associated dampers may be
 
significant, and(e)unnecessary two-unit shutdown has associated risks.
In addition, ECCS leakage is required to be monitored by
 
walking down the areas every 12 hours in order to determine whether or not filtration capability is required (Action C.l.2). Establishing monitoring on a 12 hour frequency is based on operating history, which indicated that a sudden change in ECCS leakage is not expected, and the
 
conservatisms in the design basis dose calculations.
C.2If total ECCS leakage is equa l to or greater than the maximum allowable unfiltered leakage limit then the filtration
 
capability of ECCS PREACS is required and actions must be
 
taken to restore Operability of at least one train within
 
sixty minutes, consistent with the dose analysis. The analysis assumes the filtration by PREACS does not begin for sixty minutes following an accident (see Applicable Safety
 
Analyses).
D.1.1, D.1.2, and D.1.3 Breaching an ECCS pump room boundary would affect the filtration function of both trains of ECCS PREACS, since the exhaust system may not be able to maintain a negative
 
pressure on the boundary. However, the ventilation/cooling
 
function would not be affected since the charging pump
 
motors have internal fans that provide design cooling
 
requirements without reliance on the central exhaust fans, and the Safeguards Area boundaries are to the exterior
 
atmosphere. Since the inlet to the exhaust ductwork in each
 
pump cubicle in Safeguards is located just above the motor, cooler outside air entering through a breach in a cubicle or the building general area (e.g., the outside door), would eventually be drawn into the cubicle, and out by the exhaust system. Thus, the ventilation and cooling function will not
 
be affected by boundary breaches.(continued)
North Anna Units 1 and 2B 3.7.12-8Revision 45 ECCS PREACS B 3.7.12 BASES ACTIONS D.1.1, D.1.2, and D.1.3 (continued)
If two ECCS PREACS trains are inoperable due to loss of the
 
pump room boundary, action must be taken within one hour to
 
determine if the filtration capability is required (Action D.1.1). This is determined based on the Unit's operational ECCS leakage. If the current total ECCS leakage
 
is less than the maximum allowable unfiltered leakage, then
 
the filtration capability of ECCS PREACS is not immediately
 
required and an extended period to restore operability can
 
be applied. During this time, the ability to perform the
 
ventilation exhaust/cooling function remains unaffected.
If the filtration capability of ECCS PREACS is not required, actions to restore the filtration function and restore the
 
boundary to operable status within 14 days (Action D.l.3) are reasonable, consistent with:(a)the dose analysis shows that no filtration is required when ECCS leakage is less than the maximum
 
allowable unfiltered leakage,(b)significant margin exists between operating limits and actual dose limits,(c)operating history indicates that a sudden change in ECCS leakage to greater than the maximum allowable
 
unfiltered leakage is not expected, and(d)the time necessary to complete repairs and perform required testing may be significant.
In addition, ECCS leakage is required to be monitored by
 
walking down the areas every 12 hours in order to determine
 
whether or not filtration capability is required (Action
 
D.1.2). Establishing monitoring on a 12 hour frequency is
 
based on operating history, which indicated that a sudden
 
change in ECCS leakage is not expected, and the
 
conservatisms in the design basis dose calculations.
D.2 If total ECCS leakage is equa l to or greater than the maximum allowable unfiltered leakage limit then the filtration
 
capability of ECCS PREACS is required and actions must be
 
taken to restore an operable ECCS pump room boundary within
 
24 hours. During the period that the ECCS pump room boundary (continued)
ECCS PREACS B 3.7.12 BASESNorth Anna Units 1 and 2B 3.7.12-9Revision 46 ACTIONS D.2 (continued) is inoperable, appropriate compensatory measures consistent with the intent of GDC 19 should be utilized to protect control room operators from potential hazards such as
 
radioactive contamination. Preplanned measures should be
 
available to address these concerns for intentional and
 
unintentional entry into the condition. The 24 hour Completion Time is reasonable based on the low probability
 
of a DBA occurring during this time period, and the use of
 
compensatory measures. The 24 hour Completion Time is a typically reasonable time to diagnose, plan and possibly
 
repair, and test most problems with the ECCS pump room
 
boundary.E.1 and E.2 If the ECCS PREACS train(s) or ECCS pump room boundary cannot
 
be restored to OPERABLE status within the associated
 
Completion Time, the unit must be placed in a MODE in which
 
the LCO does not apply. To achieve this status, the unit must
 
be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.12.1 Standby systems should be checked periodically to ensure
 
that they function properly. As the environment and normal
 
operating conditions on this system are not severe, testing
 
each train once a month provides an adequate check on this
 
system. Monthly heater operations dry out any moisture that
 
may have accumulated in the charcoal and HEPA filters from
 
humidity in the ambient air. The system must be operated 10 continuous hours with the heaters energized. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
 
North Anna Units 1 and 2B 3.7.12-10Revision 46 ECCS PREACS B 3.7.12 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.7.12.2 This SR verifies that Safeguards Area exhaust flow and
 
Auxiliary Building Central Exhaust subsystem flow, when
 
actuated from the control room, diverts flow through the
 
Auxiliary Building HEPA filter and charcoal adsorber
 
assembly for the operating train. Exhaust flow is diverted manually through the filters in case of a DBA requiring their
 
use. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
SR  3.7.12.3 This SR verifies that the required ECCS PREACS testing is
 
performed in accordance with the Ventilation Filter Testing
 
Program (VFTP). The VFTP includes testing HEPA filter
 
performance, charcoal adsorbers efficiency, minimum system
 
flow rate, and the physical properties of the activated
 
charcoal (general use and following specific operations).
 
Specific test Frequencies and additional information are
 
discussed in detail in the VFTP.
SR  3.7.12.4 This SR verifies that Safeguards Area exhaust flow for the
 
operating Safeguards Area fan is diverted through the
 
filters on an actual or simulated actuation signal. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.7.12.5 This SR verifies the integrity of the ECCS pump room
 
enclosure. The ability of the ECCS pump room to maintain a
 
negative pressure, with respect to potentially
 
uncontaminated adjacent areas, is periodically tested in a
 
qualitative manner to verify proper functioning of each
 
train of the ECCS PREACS. During the post accident mode of
 
operation, the ECCS PREACS is designed to maintain a slight
 
negative pressure in the ECCS pump room, with respect to
 
adjacent areas, to prevent unfiltered LEAKAGE. A single
 
train of ECCS PREACS is designed to maintain a negative
 
pressure relative to adjacent areas. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
ECCS PREACS B 3.7.12 BASESNorth Anna Units 1 and 2B 3.7.12-11Revision 45 REFERENCES1.UFSAR, Section 9.4.2.UFSAR, Section 15.4.3.Regulatory Guide 1.52 (Rev.
2).4.10 CFR 50, Appendix A.5.NUREG-0800, Rev.
2, July 1981.6.UFSAR, Figure 15.4-110 Intentionally Blank North Anna Units 1 and 2B 3.7.13-1Revision 39 B 3.7.13 B 3.7  PLANT SYSTEMSB 3.7.13Not Used Intentionally Blank North Anna Units 1 and 2B 3.7.14-1Revision 39 B 3.7.14 B 3.7  PLANT SYSTEMSB 3.7.14Not Used Intentionally Blank North Anna Units 1 and 2B 3.7.15-1Revision 20 FBVS B 3.7.15 B 3.7  PLANT SYSTEMSB 3.7.15Fuel Building Ventilation System (FBVS)
BASES BACKGROUND The FBVS discharges airborne radioactive particulates from the area of the fuel pool following a fuel handling accident.
 
The FBVS, in conjunction with other normally operating
 
systems, also provides environmental control of temperature
 
and humidity in the fuel pool area.
The FBVS consists of ductwork, valves and dampers, instrumentation, and two fans.
The FBVS, which may also be operated during normal plant
 
operations, discharges air from the fuel building.
The FBVS is discussed in the UFSAR, Sections 9.4.5 and 15.4.5 (Refs.
1 and 2, respectively) because it may be used for normal, as well as post accident functions.
APPLICABLE
 
SAFETY ANALYSES The FBVS design basis is established by the consequences of
 
the limiting Design Basis Accident (DBA), which is a fuel
 
handling accident involving handling recently irradiated
 
fuel. The analysis of the fuel handling accident, given in
 
Reference 2, assumes that all fuel rods in an assembly are damaged. The DBA analysis of the fuel handling accident
 
assumes that the FBVS is functional with at least one fan
 
operating. The amount of fission products available for
 
release from the fuel building is determined for a fuel
 
handling accident. Due to radioactive decay, FBVS is only
 
required to be OPERABLE during fuel handling accidents
 
involving handling recently irradiated fuel (i.e., fuel that
 
has occupied part of a critical reactor core within the
 
previous 100 hours). These assumptions and the analysis follow the guidance provided in Regulatory Guide 1.183 (Ref. 3).The fuel handling accident analysis for the fuel building
 
assumes all of the radioactive material available for
 
release is discharged from the fuel building by the FBVS.
The FBVS satisfies Criterion 3 of the 10 CFR 50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.7.15-2Revision 20 FBVS B 3.7.15 BASES LCO The FBVS is required to be OPERABLE and in operation. Total
 
system failure could result in the atmospheric release from
 
the fuel building exceeding the 10 CFR 50, Appendix A, GDC-19 (Ref.
: 4) limits for alternative source terms, in the event of a fuel handling accident involving handling
 
recently irradiated fuel.
The FBVS is considered OPERABLE when the individual
 
components are OPERABLE. The FBVS is considered OPERABLE
 
when at least one fan is OPERABLE and in operation, the
 
associated FBVS ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained. In addition, an
 
OPERABLE FBVS must maintain a pressure in the fuel building
 
pressure envelope &#xa3;
-0.125 inches water gauge with respect to atmospheric pressure.
The LCO is modified by a Note allowing the fuel building
 
boundary to be opened intermittently under administrative
 
controls. For entry and exit through doors the
 
administrative control of the opening is performed by the
 
person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual
 
at the opening who is in continuous communication with the
 
control room. This individual will have a method to rapidly
 
close the opening when a need for fuel building isolation is indicated.
APPLICABILITY During movement of recently irradiated fuel in the fuel
 
handling area, the FBVS is required to be OPERABLE to
 
alleviate the consequences of a fuel handling accident.
ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel a ssembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in
 
MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3 while in MODE 1, 2, 3, or 4, would require the unit to be shutdown unnecessarily.
FBVS B 3.7.15 BASESNorth Anna Units 1 and 2B 3.7.15-3Revision 46 ACTIONS (continued)
A.1 When the FBVS is inoperable or not in operation during movement of recently irradiated fuel assemblies in the fuel
 
building, action must be taken to place the unit in a
 
condition in which the LCO does not apply. Action must be taken immediately to suspend movement of recently irradiated fuel assemblies in the fuel building. This does not preclude
 
the movement of fuel to a safe position.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.15.1 This SR verifies the integrity of the fuel building pressure
 
envelope. The ability of the fuel building to maintain negative pressure with respect to potentially uncontaminated
 
adjacent areas is periodically tested to verify proper
 
function of the FBVS. The FBVS is designed to maintain a
 
slight negative pressure in the fuel building, to prevent
 
unfiltered LEAKAGE. The FBVS is designed to maintain a
-0.125 inches water gauge with respect to atmospheric pressure. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 9.4.5.2.UFSAR, Section 15.4.5.3.Regulatory Guide 1.183, July 2000.4.10 CFR 50, Appendix A, GDC-19.
 
Intentionally Blank North Anna Units 1 and 2B 3.7.16-1Revision 20 Fuel Storage Pool Water Level B 3.7.16 B 3.7  PLANT SYSTEMSB 3.7.16Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the fuel storage pool meets the
 
assumptions of iodine decontamination factors following a
 
fuel handling accident. The specified water level shields
 
and minimizes the general area dose when the storage racks
 
are filled to their maximum capacity. The water also
 
provides shielding during the movement of spent fuel.
A general description of the fuel storage pool design is
 
given in the UFSAR, Section 9.1.2 (Ref.
1). A description of the Spent Fuel Pool Cooling and Cleanup System is given in
 
the UFSAR, Section 9.1.3 (Ref.
2). The assumptions of the fuel handling accident are given in the UFSAR, Section 15.4.5 (Ref.
3).APPLICABLE
 
SAFETY ANALYSES The minimum water level in the fuel storage pool meets the
 
assumptions of the fuel handling accident described in
 
Regulatory Guide 1.183 (Ref.
4). The resultant 2 hour dose per person at the exclusion area boundary is within the
 
Regulatory Guide 1.183 limits.
According to Reference 4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface
 
during a fuel handling accident. With 23 ft of water, the assumptions of Reference 4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle dropped and lying horizontally on top of the spent fuel
 
racks, however, there may be <
23 ft of water above the top of the fuel bundle and the surface, indicated by the width of
 
the bundle. To offset this small nonconservatism, the
 
analysis assumes that all fuel rods fail, although analysis
 
shows that only the first few rows fail from a hypothetical
 
maximum drop.
The fuel storage pool water level satisfies Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.7.16-2Revision 46 Fuel Storage Pool Water Level B 3.7.16 BASES LCO The fuel storage pool water level is required to be  23 ft over the top of irradiated fuel assemblies seated in the
 
storage racks. The specified water level preserves the
 
assumptions of the fuel handling accident analysis (Ref.
3). As such, it is the minimum required for fuel storage and
 
movement within the fuel storage pool.
APPLICABILITY This LCO applies during movement of irradiated fuel
 
assemblies in the fuel storage pool, since the potential for
 
a release of fission products exists.
ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.
When the initial conditions for prevention of an accident
 
cannot be met, steps should be taken to preclude the accident
 
from occurring. When the fuel storage pool water level is
 
lower than the required level, the movement of irradiated
 
fuel assemblies in the fuel storage pool is immediately
 
suspended to a safe position. This action effectively
 
precludes the occurrence of a fuel handling accident. This
 
does not preclude movement of a fuel assembly to a safe
 
position.If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not spe cify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies
 
is not sufficient reason to require a reactor shutdown.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.16.1 This SR verifies sufficient fuel storage pool water is
 
available in the event of a fuel handling accident. The water
 
level in the fuel storage pool must be checked periodically.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.(continued)
Fuel Storage Pool Water Level B 3.7.16 BASESNorth Anna Units 1 and 2B 3.7.16-3Revision 20 SURVEILLANCE REQUIREMENTS SR  3.7.16.1 (continued)
During refueling operations, the level in the fuel storage
 
pool is in equilibrium with the refueling canal, and the
 
level in the refueling canal is checked daily in accordance
 
with SR 3.9.7.1.REFERENCES1.UFSAR, Section 9.1.2.2.UFSAR, Section 9.1.3.3.UFSAR, Section 15.4.5.4.Regulatory Guide 1.183, July 2000.
Intentionally Blank North Anna Units 1 and 2B 3.7.17-1Revision 0 Fuel Storage Pool Boron Concentration B 3.7.17 B 3.7  PLANT SYSTEMSB 3.7.17Fuel Storage Pool Boron Concentration BASES BACKGROUND The water in the spent fuel storage pool contains soluble
 
boron, which results in large subcriticality margins under
 
normal operating conditions. However, the NRC guidelines
 
assume accident conditions, such as loss of all soluble
 
boron or misloading of a fuel assembly. In these cases, the
 
subcriticality margin is allowed to be smaller, but in all
 
cases must be less than 1.0. This subcriticality margin is
 
maintained by storing the fuel assemblies in the fuel
 
storage pool in a geometry which limits the reactivity of the
 
fuel assemblies and by the use of soluble boron in the fuel
 
storage pool water. The required geometry for fuel assembly
 
storage in the fuel storage pool is described in LCO 3.7.18, "Spent Fuel Pool Storage." The accident analyses assume the presence of soluble boron under accident conditions, such as the misloading of a fuel assembly into a location not allowed
 
by LCO 3.7.18, a loss of cooling to the fuel storage pool resulting in a temperature increase of the fuel storage pool
 
water, or a dilution of the boron dissolved in the fuel
 
storage pool.
A general description of the fuel storage pool design is
 
given in the UFSAR, Section 9.1.2 (Ref.
1).APPLICABLE
 
SAFETY ANALYSES Criticality of the fuel assemblies in the fuel storage pool
 
racks is prevented by the design of the rack and by
 
administrative controls related to fuel storage pool boron
 
concentration, fuel assembly burnup credit, and fuel storage
 
pool geometry (Ref.
2). There are three basic acceptance criteria which ensure conformance with the design bases (Ref. 3). They are:a.k eff < 1.0 assuming no soluble boron in the fuel storage pool,b.A soluble boron concentration sufficient to ensure k eff < 0.95, andc.An additional amount of soluble boron sufficient to offset the maximum reactivity effects of postulated
 
accidents and to account for the uncertainty in the
 
computed reactivity of fuel assemblies.
North Anna Units 1 and 2B 3.7.17-2Revision 0 Fuel Storage Pool Boron Concentration B 3.7.17 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The postulated accidents considered when determining the
 
required fuel storage pool boron concentration are the
 
misloading of a fuel assembly, an increase in fuel storage
 
pool temperature, and boron dilution. Analyses have shown
 
that the amount of boron required by the LCO is sufficient to ensure that the most limiting misloading of a fuel assembly
 
results in a k eff < 0.95. The boron concentration limit also accommodates decreases in water density due to temperature
 
increases in the fuel storage pool. Analyses have also shown
 
that there is sufficient time to detect and mitigate a boron
 
dilution event prior to exceeding the design basis of
 
k eff < 0.95. The fuel storage pool analyses do not credit the Boraflex neutron absorbing material in the fuel storage pool racks.The concentration of dissolved boron in the fuel storage
 
pool satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The fuel storage pool boron concentration is required to be 2600 ppm. The specified concentration of dissolved boron in the fuel storage pool preserves the assumptions used in the analyses which take credit for soluble boron and for fuel
 
loading restrictions based on fuel enrichment and burnup.
 
The fuel loading restrictions are described in LCO 3.7.18. The fuel storage pool boron concentration limit, when combined with fuel burnup and geometry limits in LCO 3.7.18, ensures that the fuel storage pool k eff meets the limits in Section 4.3, "Design Features." APPLICABILITY This LCO applies whenever fuel assemblies are stored in the
 
spent fuel storage pool. The required boron concentration
 
ensures that the k eff limits in Section 4.3 are met when fuel is stored in the fuel storage pool.
ACTIONS A.1 and A.2 The Required Actions are modified by a Note indicating that
 
LCO 3.0.3 does not apply.
When the concentration of boron in the fuel storage pool is
 
less than required, immediate action must be taken to
 
preclude the occurrence of an accident or to mitigate the
 
consequences of an accident in progress. This is most
 
efficiently achieved by immediately suspending the movement (continued)
Fuel Storage Pool Boron Concentration B 3.7.17 BASESNorth Anna Units 1 and 2B 3.7.17-3Revision 46 ACTIONS A.1 and A.2 (continued) of fuel assemblies. The concentration of boron is restored simultaneously with suspending movement of fuel assemblies.
 
Prior to resuming movement of fuel assemblies, the
 
concentration of boron must be restored to within limit.
 
This does not preclude movement of a fuel assembly to a safe
 
position.If the LCO is not met while moving irradiated fuel assemblies in MODE 5 or 6, LCO 3.0.3 would not be applicable. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation.
 
Therefore, inability to suspend movement of fuel assemblies
 
is not sufficient reason to require a reactor shutdown.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.17.1This SR verifies that the concentration of boron in the fuel storage pool is within the required limit. As long as this SR is met, the analyzed accidents are fully addressed. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 9.1.2.2.UFSAR, Section 4.3.2.7.3.UFSAR, Section 3.1.53.
Intentionally Blank North Anna Units 1 and 2B 3.7.18-1Revision 0 Spent Fuel Pool Storage B 3.7.18 B 3.8  PLANT SYSTEMSB 3.7.18Spent Fuel Pool Storage BASES BACKGROUND The fuel storage pool contains racks which hold the fuel
 
assemblies. The arrangement of the fuel assemblies in the
 
fuel racks can be used to limit the interaction of the fuel
 
assemblies and the resulting reactivity of the fuel in the
 
fuel storage pool. The geometrical arrangement is based on
 
classifying fuel assemblies as "high reactivity" or "low
 
reactivity" based on the burnup and initial enrichment of
 
the fuel assemblies. A 5 x 5 fuel location matrix is employed with acceptable locations for high and low
 
reactivity fuel assemblies. Fuel assemblies may also be
 
stored in fuel locations not associated with a storage
 
matrix if the assemblies meet certain requirements.
Storing the fuel assemblies in the locations required by the
 
LCO ensures a fuel storage pool k eff < 1.0 for normal conditions. In addition, the water in the spent fuel storage pool contains soluble boron, which results in large
 
subcriticality margins under normal operating conditions.
However, the NRC guidelines assume accident conditions, such
 
as loss of all soluble boron or misloading of a fuel
 
assembly. In these cases, the subcriticality margin is
 
allowed to be smaller, but in all cases must be less than
 
1.0. This subcriticality margin is maintained by storing the
 
fuel assemblies as described in the LCO and by the use of
 
soluble boron in the fuel storage pool water as required by
 
LCO 3.7.17, "Fuel Storage Pool Boron Concentration." The accident analyses assume the presence of soluble boron under
 
accident conditions, such as the misloading of a fuel assembly into a location not allowed by LCO 3.7.18, a loss of cooling to the fuel storage pool resulting in a temperature increase of the fuel storage pool water, or a dilution of the boron dissolved in the fuel storage pool.
A general description of the fuel storage pool design is
 
given in the UFSAR, Section 9.1.2 (Ref.
1).APPLICABLE
 
SAFETY ANALYSES Criticality of the fuel assemblies in the fuel storage pool
 
racks is prevented by the design of the rack and by
 
administrative controls related to fuel storage pool boron
 
concentration, fuel assembly burnup credit, and fuel storage (continued)
North Anna Units 1 and 2B 3.7.18-2Revision 0 Spent Fuel Pool Storage B 3.7.18 BASES APPLICABLE
 
SAFETY ANALYSES (continued) pool geometry (Ref.
2). There are three basic acceptance criteria which ensure conformance with the design bases (Ref. 3). They are:a.k eff < 1.0 assuming no soluble boron in the fuel storage pool,b.A soluble boron concentration sufficient to ensure k eff < 0.95, andc.An additional amount of soluble boron sufficient to offset the maximum reactivity effects of postulated
 
accidents and to account for the uncertainty in the
 
computed reactivity of fuel assemblies.
The postulated accidents considered when determining the
 
required fuel storage pool arrangement and minimum boron
 
concentration are the misloading of a fuel assembly, an
 
increase in fuel storage pool temperature, and boron
 
dilution. Analyses have shown that a combination of the fuel storage pool geometric arrangement and the amount of boron
 
required by the LCO is sufficient to ensure that the most
 
limiting misloading of a fuel assembly results in a
 
k eff < 0.95.The configuration of fuel assemblies in the fuel storage
 
pool satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The restrictions on the placement of fuel assemblies within
 
the spent fuel pool, in accordance with Figures 3.7.18-1 and 3.7.18-2, in the accompanying LCO, ensures the k eff of the spent fuel storage pool will always remain <
1.0. Figure 3.7.18-1 is used to determine if a fuel assembly is acceptable for storage without use of a fuel assembly
 
matrix. Based on the initial enrichment and burnup, a fuel assembly may be stored without using a fuel assembly matrix, or must be stored in a high or low reactivity location of a
 
fuel assembly matrix. Figure 3.7.18-2 describes the fuel assembly matrix storage configuration. These storage
 
restrictions, when combined with the fuel storage pool boron
 
concentration limit in LCO 3.7.17, ensure that the fuel storage pool k eff meets the limits in Section 4.3, "Design Features." APPLICABILITYThis LCO applies whenever any fuel assembly is stored in the
 
fuel storage pool.
Spent Fuel Pool Storage B 3.7.18 BASESNorth Anna Units 1 and 2B 3.7.18-3Revision 0 ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.
When the configuration of fuel assemblies stored in the
 
spent fuel storage pool is not in accordance with
 
Figure 3.7.18-1 and Figure 3.7.18-2, the immediate action is to initiate action to make the necessary fuel assembly
 
movement(s) to bring the configuration into compliance with
 
the LCO.If unable to move irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not be applicable. If unable to move irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the action is independent of reactor operation. Therefore, inability to move fuel assemblies is not sufficient reason
 
to require a reactor shutdown.
SURVEILLANCE
 
REQUIREMENTS SR  3.7.18.1 This SR verifies by a combination of visual inspection and
 
administrative means that the initial enrichment and burnup
 
of the fuel assembly is in accordance with Figure 3.7.18-1 and the fuel assembly storage location is in accordance with
 
Figure 3.7.18-2.REFERENCES1.UFSAR, Section 9.1.2.2.UFSAR, Section 4.3.2.7.3.UFSAR, Section 3.1.53.
Intentionally Blank North Anna Units 1 and 2B 3.7.19-1Revision 0 CC System B 3.7.19 B 3.7  PLANT SYSTEMSB 3.7.19Component Cooling Water (CC) System BASES BACKGROUND The CC System provides a heat sink for the removal of process and operating heat from components during normal operation.
 
The CC System serves as a barrier to the release of radioactive byproducts between potentially radioactive
 
systems and the Service Water System, and thus to the
 
environment.
The CC System consists of four subsystems shared between units. Each subsystem consists of one pump and one heat
 
exchanger. The design basis of the CC System is a fast cooldown of one unit while maintaining normal loads on the
 
other unit. Three CC subsystems are required to accomplish
 
this function. With only two CC subsystems available, a slow
 
cooldown of one unit while maintaining normal loads on the
 
other unit can be accomplished. The removal of normal
 
operating heat loads (including common systems) requires two
 
CC subsystems. During normal operation, the CC subsystems
 
are cross connected between the units with two CC pumps and
 
four CC heat exchangers in operation. Two pumps are normally
 
running, with the other two in standby. A vented surge tank
 
common to all four pumps ensures that sufficient net
 
positive suction head is available.
The CC System serves no accident mitigation function and is not a system which functions to mitigate the failure of or
 
presents a challenge to the integrity of a fission product barrier. The CC System is not designed to withstand a single failure. The CC System supports the Residual Heat Removal (RHR) System. The RHR sys tem does not perform a design basis accident mitigation function.
Additional information on the design and operation of the
 
system, along with a list of the components served, is
 
presented in the UFSAR, Section 9.2.2 (Ref.
1). The principal function of the CC System is the removal of decay heat from the reactor via the Residual Heat Removal (RHR)
 
System.
North Anna Units 1 and 2B 3.7.19-2Revision 0 CC System B 3.7.19 BASES APPLICABLE
 
SAFETY ANALYSES The CC System serves no accident mitigation function. The CC System functions to cool the unit from RHR entry conditions (T cold < 350&deg;F), to T cold < 140&deg;F. The time required to cool from 350
&deg;F to 140&deg;F is a function of the number of CC and RHR trains operating. The CC System is designed to reduce the temperature of the reactor coolant
 
from 350&deg;F to 140&deg;F within 16 hours based on a service water temperature of 95&deg;F and having two CC subsystems in service
 
for the unit being cooled down.
The CC System has been identified in the probabilistic safety assessment as significant to public health and
 
safety. The CC System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCOShould the need arise to cooldown one unit quickly while the other unit is operating, three CC subsystems would be needed
- two to support the quick cooldown of one unit and one to
 
support the normal heat loads of the operating unit. To
 
ensure this function can be performed a total of three CC
 
subsystems shared with the other unit are required to be
 
OPERABLE.A CC subsystem is considered OPERABLE when:a.The pump and common surge tank are OPERABLE; andb.The associated piping, valves, heat exchanger, and instrumentation and controls required to perform the
 
function are OPERABLE.
Each CC subsystem is considered OPERABLE if it is operating or if it can be placed in service from a standby condition by manually unisolating a standby heat exchanger and/or
 
manually starting a standby pump.
APPLICABILITY In MODES 1, 2, 3, and 4, the CC System is a normally operating system. In MODE 4 the CC System must be prepared to perform its RCS heat removal function, which is achieved
 
by cooling the RHR heat exchanger.
In MODE 5 or 6, the OPERABILITY requirements of the CC System are determined by the systems it supports.
CC System B 3.7.19 BASESNorth Anna Units 1 and 2B 3.7.19-3Revision 0 ACTIONS A.1 If one required CC subsystem is inoperable, action must be taken to restore OPERABLE status within 7 days. In this Condition, the remaining OPERABLE CC subsystems are adequate
 
to perform the heat removal function. The 7 day Completion Time is reasonable, based on the redundant capabilities
 
afforded by the OPERABLE subsystems.
B.1 and B.2 If the required CC subsystem cannot be restored to OPERABLE
 
status within the associated Completion Time, the unit must
 
be placed in a MODE in which the LCO does not apply. To
 
achieve this status, the unit must be placed in at least
 
MODE 3 within 6 hours and in MODE 5 within 30 hours. The allowed Completion Times are reasonable, based on operating
 
experience, to reach the required unit conditions from full
 
power conditions in an orderly manner and without
 
challenging unit systems.
C.1 and C.2 If two required CC subsystems are inoperable, action must be taken to cool the unit to MODE 4 within 12 hours. Action must be initiated to place the unit in MODE 5, where the LCO does not apply, within 13 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
D.1 and D.2 With no CC water available to supply the residual heat
 
removal heat exchangers, action must be taken to cool the
 
unit to MODE 4 within 12 hours. Alternate means to cool the unit must be found and the unit placed in MODE 5, where the LCO does not apply. The allowed Completion Times are
 
reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
North Anna Units 1 and 2B 3.7.19-4Revision 46 CC System B 3.7.19 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.7.19.1 Verifying the correct alignment for manual, power operated, and automatic valves in the CC flow path to the RHR heat
 
exchangers provides assurance that the proper flow paths exist for CC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since
 
these valves are verified to be in the correct position prior
 
to locking, sealing, or securing. This SR also does not apply
 
to valves that cannot be inadvertently misaligned, such as check valves. This Surv eillance does not require any testing or valve manipulation; rather, it involves verification that
 
those valves capable of being mispositioned are in the
 
correct position.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 9.2.2.
North Anna Units 1 and 2B 3.8.1-1Revision 18 AC Sources-Operating B 3.8.1 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.1AC Sources-Operating BASES BACKGROUND The unit Class 1E AC Electrical Po wer Distribution System AC sources consist of offsite (preferred) power (via normal and alternate feeds), the Alternate AC (AAC) diesel, and the
 
onsite standby power sources (Train A(H) and Train B(J) emergency diesel generators (EDGs)). As required by GDC 17 (Ref. 1), the design of the preferred AC electrical power system provides independence and redundancy to ensure an
 
acceptable (i.e., qualified) source of power to the
 
Engineered Safety Feature (ESF) systems.
Additionally, the unit's electrical sources must include
 
electrical sources from the other unit that are required to
 
support the Service Water (SW), Main Control Room (MCR)/Emergency Switchgear Room (ESGR) Emergency Ventilation
 
System (EVS), Auxiliary Building central exhaust system, or
 
Component Cooling Water (CC) safety functions. This
 
requirement could include both of the other unit's offsite
 
circuits and EDGs for this unit.
The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one
 
group does not prevent the minimum safety functions from
 
being performed. Each train, for a given unit, must have a
 
connection to a qualified offsite (preferred) power source
 
and a dedicated EDG. Also, for each unit, the two qualified offsite sources must be independent of each other. A minimum
 
of two independent qualified offsite sources connecting the
 
230/500 kV switchyard to each unit's ESF (emergency) buses is required. Since the Unit 1 and 2 offsite sources may be shared, a minimum of two sources are required for the
 
station. To be considered independent, a qualified offsite
 
source must be both electrically and physically separated
 
from other offsite sources. This independence must be
 
maintained during possible automatic switching operations
 
such as is initiated following a Unit 2 trip when ESF bus 1J is connected to the station service bus 2B. In this situation, ESF bus 1J is transferred to reserve station service transformer (RSST)
B.(continued)
North Anna Units 1 and 2B 3.8.1-2Revision 18 AC Sources-Operating B 3.8.1 BASES BACKGROUND (continued)
The 230/500 kV switchyard, which is an integral part of the transmission network, is the source of offsite (preferred)
 
power to the station Class 1E electrical system. From the 230/500 kV switchyard, five electrically and physically separated circuits are available to provide AC power, through either the system reserve transformers (SRTs) and
 
RSSTs or the station service transformers (SSTs), to the
 
4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the UFSAR, Chapter 8 (Ref. 2).An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls
 
required to transmit power from the offsite transmission
 
network to the onsite Class 1E ESF bus(es). Each one is "qualified" via analysis to show that they meet the
 
requirements of GDc 17.Certain required unit loads are energized in a predetermined sequence in order to prevent overloading the transformers
 
supplying offsite power to the onsite Class 1E Distribution System. After the initiating signal is received, permanently
 
connected loads and all automatically connected loads, via
 
the load sequencing timing relays, needed to recover the
 
unit or maintain it in a safe condition are energized.The onsite standby power source for each 4.16 kV ESF bus is a dedicated EDG. EDGs H and J are dedicated to ESF buses H and J, respectively. An EDG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure or
 
high containment pressure signals) or on an ESF bus degraded voltage or undervoltage signal (refer to LCO 3.3.5, "Loss of Power (LOP) Emergency Diesel Generator (EDG) Start
 
Instrumentation"). After the EDG has started, it will
 
automatically tie to its respective bus after offsite power
 
is isolated as a consequence of ESF bus undervoltage or
 
degraded voltage, independent of or coincident with an SI
 
signal. The EDGs will also start and operate in the standby
 
mode without tying to the ESF bus on an SI signal or a
 
momentary undervoltage condition. Following the loss of
 
offsite power, an undervoltage signal strips nonpermanent loads from the ESF bus. When the EDG is tied to the ESF bus, loads are then sequentially connected to their respective
 
ESF bus by the sequencing timing relays. The specific ESF
 
equipment's sequencing timer controls the permissive and
 
starting signals to motor breakers to prevent overloading
 
the EDG by automatic load application.(continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-3Revision 18 BACKGROUND (continued)In the event of a loss of preferred (offsite) power, the ESF electrical loads are automatically connected to the EDGs in
 
sufficient time to provide for safe reactor shutdown and to
 
mitigate the consequences of a Design Basis Accident (DBA)
 
such as a loss of coolant accident (LOCA) without
 
overloading the EDGs.
Ratings for Train H and Train J EDGs satisfy the requirements of Safety Guide 9 (Ref. 3). The continuous service rating of each EDG is 2750 kW with 3000 kW allowable for up to 2000 hours per year. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.APPLICABLE
 
SAFETY ANALYSES The initial conditions of DBA and transient analyses in the
 
UFSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources
 
are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of
 
necessary power to ESF systems so that the fuel, Reactor
 
Coolant System (RCS), and containment design limits are not
 
exceeded. These limits are discussed in more detail in the
 
Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The OPERABILITY of the AC electrical power sources is
 
consistent with the initial assumptions of the accident
 
analyses and is based upon meeting the design basis of the
 
unit. This results in maintaining at least one train of the
 
onsite or offsite AC sources OPERABLE during accident
 
conditions in the event of:a.An assumed loss of all offsite power or all onsite AC power; andb.A worst case single failure.
The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO A minimum of two qualified offsite circuits between the
 
230/500 kV switchyard and the onsite Class 1E Electrical Power System and two separate and independent EDGs for
 
supplying the redundant trains for each unit ensure (continued)
North Anna Units 1 and 2B 3.8.1-4Revision 21 AC Sources-Operating B 3.8.1 BASES LCO (continued) availability of the required power to shut down the reactor
 
and maintain it in a safe shutdown condition after an
 
anticipated operational occurrence (AOO) or a postulated
 
DBA.Qualified offsite circuits include the two 500-34.5 kV transformers and one 230-34.5 kV transformers (collectively referred to as the SRTs) that feed three independent 34.5 kV buses which supply the RSSTs. In addition, there are two
 
500 kV lines from the switchyard to the Unit 1 and Unit 2 generator step-up transformers and SSTs. These circuits are
 
described in the UFSAR and are part of the licensing basis
 
for the unit.
In addition, the required automatic load sequencing timing
 
relays must be OPERABLE. A "required" load sequencing timing
 
relay is one whose host component is capable of
 
automatically loading onto an emergency bus.
Each independent qualified offsite source must be capable of
 
maintaining rated frequency and voltage, and accepting
 
required loads during an accident, while connected to the
 
ESF buses.Normally, the qualified offsite sources for the Unit 1 and 2 ESF buses are from the 34.5 kV buses 3, 4, and 5 which supply the RSSTs which feed the transfer buses. RSSTs A and B may be fed from the same 34.5 kV bus, but RSST C must be fed from a different 34.5 kV bus than RSST A and RSST B. The D, E, and F transfer buses supply the onsite electrical power to the
 
four ESF buses for the two units. In addition to the normal
 
alignment, the D and E transfer buses can be tied together via the 4160 V bus 0L installed as part of the AAC modifications.
ESF bus 1H is normally fed through the F transfer bus from RSST C. ESF bus 1J is normally fed through the D transfer bus from RSST A. Station service bus 1B can provide an alternate preferred feed for the ESF 1H bus, while the ESF 1J has an alternate preferred feed from station service bus 2B. ESF bus 2H is normally fed through the E transfer bus from RSST B. In addition, ESF bus 2H can also be fed through E transfer bus from RSST A with breakers 05L1 and 05L3 on AAC bus 0L closed. ESF bus 2J is normally fed through the F transfer bus from RSST C.(continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-5Revision 38 LCO (continued)
The two 500 kV lines connecting each unit's main step-up and SSTs with the switchyard are the remaining qualified sources of offsite (preferred) power that are available to power ESF buses. For Unit 1, this source is normally available following a unit trip since there is an installed main
 
generator breaker. Therefore, station service bus 1B, which provides the alternate preferred feed to the 1H ESF bus, normally will not be affected. For Unit 2, where there is no installed main generator breaker, station service bus 2B, which provides the alternate preferred feed to ESF bus 1J, will automatically transfer to RSST B following a unit trip.
Each EDG must be capable of starting, accelerating to rated
 
speed and voltage, and connecting to its respective ESF bus
 
on detection of bus undervoltage or degraded voltage. This
 
will be accomplished within 10 seconds. Each EDG must also be capable of accepting required loads within the assumed
 
loading sequence intervals, and continue to operate until
 
offsite power can be restored to the ESF buses. These
 
capabilities are required to be met from a variety of initial
 
conditions such as EDG in standby with the engine hot and EDG in standby with the engine at ambient conditions. Additional
 
EDG capabilities must be demonstrated to meet required
 
Surveillances.
Proper sequencing of loads is a required function for EDG
 
OPERABILITY.
In the event of a loss of offsite (preferred) power supply to
 
the emergency bus, the EDG will auto start and re-energize
 
its associated bus. In this configuration the EDG will
 
become inoperable due to the defeat of load sequencing
 
timers. Upon completion of guidance in abnormal procedures
 
for reconfiguration of the affected electrical bus to
 
control loads, TS 3.8.1 Condition K may be exited as
 
sequencing timing relays are no longer required as long as
 
the associated emergency bus is not subsequently paralleled
 
to another bus. The diesel can be considered operable which would allow exiting TS 3.8.1 Conditions B and H and remaining in TS 3.8.1 Condition A.
The other unit's offsite circuit(s) and EDG(s) are required
 
to be OPERABLE to support the SW, MCR/ESGR EVS, Auxiliary
 
Building central exhaust, and CC functions needed for this
 
unit. These functions share components, pump or fans, which
 
are electrically powered from both units.(continued)
North Anna Units 1 and 2B 3.8.1-6Revision 38 AC Sources-Operating B 3.8.1 BASES LCO (continued)
The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other
 
train. For the EDGs, separation and independence are
 
complete.For the offsite AC sources, separation and independence are
 
to the extent practical.
APPLICABILITY The AC sources and sequencing timing relays are required to
 
be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of
 
AOOs or abnormal transients; andb.Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
The AC power requirements for MODES 5 and 6 are covered in LCO 3.8.2, "AC Sources-Shutdown." ACTIONS A.1 To ensure a highly reliable power source remains with one
 
offsite circuit inoperable, it is necessary to verify the
 
OPERABILITY of the remaining required offsite circuit(s) on
 
a more frequent basis. Since the Required Action only
 
specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.
 
However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition G, for two offsite circuits inoperable, is entered.
A.2 Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide
 
assurance that an event coincident with a single failure of
 
the associated EDG will not result in a complete loss of
 
safety function of critical redundant required features.
 
These features are powered from the redundant AC electrical
 
power trains.(continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-7Revision 38 ACTIONS A.2 (continued)
The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any
 
discovered inoperabilities. This Completion Time also allows for an exception to the norma l "time zero" for beginning the allowed outage time "clock." In this Required Action, the
 
Completion Time only begins on discovery that both:a.The train has no offsite power supplying its loads; andb.A required feature on the other train is inoperable.
If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature
 
subsequently becomes inoperable, this Completion Time begins
 
to be tracked.
Discovering no offsite power to one train of the onsite
 
Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported
 
features, or both, that are associated with the other train
 
that has offsite power, results in starting the Completion
 
Times for the Required Action. Twenty-four hours is
 
acceptable because it m inimizes risk while allowing time for restoration before subjecting the unit to transients
 
associated with shutdown.The remaining OPERABLE offsite circuit and EDGs are adequate
 
to supply electrical power to Train H and Train J of the onsite Class 1E Distribution System. The 24 hour Completion Time takes into account the component OPERABILITY of the
 
redundant counterpart to the inoperable required feature.
 
Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a
 
reasonable time for repairs, and the low probability of a DBA
 
occurring during this period.
A.3 According to Regulatory Guide 1.93 (Ref.
6), operation may continue in Condition A for a period that should not exceed 72 hours. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the
 
potential for a loss of offsite power is increased, with
 
attendant potential for a challenge to the unit safety
 
systems. In this Condition, however, the remaining OPERABLE (continued)
North Anna Units 1 and 2B 3.8.1-8Revision 38 AC Sources-Operating B 3.8.1 BASES ACTIONS A.3 (continued) offsite circuit and EDGs are adequate to supply electrical
 
power to the onsite Class 1E Distribution System.
The 72 hour Completion Time takes into account the capacity
 
and capability of the remaining AC sources, a reasonable
 
time for repairs, and the low probability of a DBA occurring during this period.
The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any
 
combination of required AC power sources to be inoperable
 
during any single contiguous occurrence of failing to meet
 
the LCO. If Condition A is entered while, for instance, an EDG is inoperable and that EDG is subsequently returned
 
OPERABLE, the LCO may already have been not met for up to
 
14 days. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At
 
this time, an EDG could again become inoperable, the circuit restored OPERABLE, an d an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO.
The 17 day Completion Time provides a limit on the time
 
allowed in a specified condition after discovery of failure
 
to meet the LCO. This limit is considered reasonable for
 
situations in which Conditions A and B are entered concurrently. The " AND" connector between the 72 hour and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion
 
Time must be met.
As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the
 
allowed outage time "clock." This will result in
 
establishing the "time zero" at the time that the LCO was
 
initially not met, instead of at the time Condition A was entered.B.1Condition B is entered for an inoperable EDG and requires the
 
OPERABILITY of additional electrical sources for the allowed
 
Completion Time of 14 days. The additional electrical
 
sources required to be OPERABLE are the AAC diesel generator (DG) (Station Black Out diesel generator), and both EDGs of
 
the other unit. If any of these additional sources are (continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-9Revision 38 ACTIONS B.1 (continued) inoperable at the time an EDG becomes inoperable, or become inoperable with an EDG in Condition B, Condition C must also be entered for the inoperable EDG.
To ensure a highly reliable power source remains with an
 
inoperable EDG, it is necessary to verify the availability
 
of the offsite circuits on a more frequent basis. Since the
 
Required Action only specifies "perform," a failure of
 
SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass
 
SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions
 
must then be entered.
B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG is
 
inoperable, does not result in a complete loss of safety
 
function of critical systems. These features are designed
 
with redundant safety related trains. Redundant required
 
feature failures consist of inoperable features associated
 
with a train, redundant to the train that has an inoperable
 
EDG.The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any
 
discovered inoperabilities. This Completion Time also allows for an exception to the norma l "time zero" for beginning the allowed outage time "clock." In this Required Action, the
 
Completion Time only begins on discovery that both:a.An inoperable EDG exists; andb.A required feature on the other train (Train H or Train J) is inoperable.
If at any time during the existence of this Condition (one
 
EDG inoperable) a required feature subsequently becomes
 
inoperable, this Completion Time would begin to be tracked.
Discovering one required EDG inoperable coincident with one
 
or more inoperable required support or supported features, or both, that are associated with the OPERABLE EDG, results (continued)
North Anna Units 1 and 2B 3.8.1-10Revision 38 AC Sources-Operating B 3.8.1 BASES ACTIONS B.2 (continued) in starting the Completion Time for the Required Action.
 
Four hours from the discovery of these events existing
 
concurrently is acceptable because it minimizes risk while
 
allowing time for restoration before subjecting the unit to
 
transients associated with shutdown.
In this Condition, the remaining OPERABLE EDG and offsite
 
circuits are adequate to supply electrical power to the
 
onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's
 
function may have been lost; however, function has not been
 
lost. The 4 hour Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable
 
required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of the OPERABLE EDG. If it can be
 
determined that the cause of the inoperable EDG does not
 
exist on the OPERABLE EDG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on the other EDG, the other EDG would be declared inoperable upon
 
discovery and Condition I of LCO 3.8.1 would be entered.
Once the failure is repaired, the common cause failure no
 
longer exists, and Required Action B.3.1 is satisfied. If the cause of the initial inoperable EDG cannot be confirmed
 
not to exist on the remaining EDG, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of
 
that EDG.In the event the inoperable EDG is restored to OPERABLE
 
status prior to completing either B.3.1 or B.3.2, the plant
 
corrective action program will continue to evaluate the
 
common cause possibility, including the other unit's EDGs.
 
This continued evaluation, however, is no longer under the
 
24 hour constraint imposed while in Condition B.
According to Generic Letter 84-15 (Ref.
7), 24 hours is reasonable to confirm that the OPERABLE EDG is not affected
 
by the same problem as the inoperable EDG.
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-11Revision 38 ACTIONS (continued)
B.4 In Condition B, the remaining OPERABLE EDG, offsite circuits, AAC DG, and the other unit's EDGs are adequate to
 
supply electrical power to the onsite Class 1E Distribution System. The 14 day Completion Time takes into account the capacity and capability of the remaining AC sources, a
 
reasonable time for repairs, and the low probability of a DBA
 
occurring during this period.
The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any
 
combination of required AC power sources to be inoperable
 
during any single contiguous occurrence of failing to meet
 
the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is
 
subsequently restored OPERABLE, the LCO may already have
 
been not met for up to 72 hours. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the EDG. At this time, an offsite circuit could again become
 
inoperable, the EDG restored OPERABLE, and an additional
 
72 hours (for a total of 20 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on time allowed in a specified condition after
 
discovery of failure to meet the LCO. This limit is
 
considered reasonable for situations in which Conditions A and B are entered concurrently. The " AND" connector between the 14 day and 17 day Completion Times means that both Completion Times apply simultaneously, and the more
 
restrictive Completion Time must be met.
As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the
 
allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.
C.1 and C.2 To ensure a highly reliable electrical power source remains
 
available when one EDG is inoperable, Condition C is established to monitor the OPERABILITY of the AAC DG and the
 
other unit's EDGs. Condition B is entered any time an EDG becomes inoperable and the Required Actions and Completion
 
Times are followed. Concurrently, if the AAC DG or one or
 
more of the other unit's EDG(s) is inoperable, or become (continued)
North Anna Units 1 and 2B 3.8.1-12Revision 38 AC Sources-Operating B 3.8.1 BASES ACTIONS C.1 and C.2 (continued) inoperable, in addition to the Required Actions of
 
Condition B, Required Actions C.1 and C.2 limit the time the EDG may be out of service to 72 hours. If the AAC DG or the other unit's EDG(s) is inoperable when the EDG becomes
 
inoperable, the allowed outage time (AOT) is limited to
 
72 hours, unless the AAC DG and the other unit's EDG(s) are returned to OPERABLE status. If during the 72 hour Completion Time of C.1 or C.2, the AAC DG and the other unit's EDG(s) are returned to OPERABLE status, Condition C is exited and AOT is restricted by the Completion Time
 
tracked in Condition B. If the AAC DG or one or more of the other unit's EDG(s) becomes inoperable at sometime after the
 
initial EDG inoperability, Condition C requires the restoration of the EDG or the AAC DG and the other unit's
 
EDG(s) within 72 hours or Condition L is required to be entered.The 72 hour Completion Time is considered reasonable and takes into account the assumption in the probabilistic
 
safety analysis (PSA) for potential core damage frequency.
D.1, D.2, and D.3 Condition D is modified by a Note indicating that separate Condition entry is allowed for each offsite circuit on the
 
other unit that provides electrical power to required shared
 
components.
To provide the necessary electrical power for the SW, MCR/ESGR EVS, Auxiliary Building central exhaust, and CC functions for a unit, AC electrical sources of both units may
 
be required to be OPERABLE. Action D is entered for one or more inoperable offsite circuit(s) on the other unit that is necessary to support required shared components. These
 
shared components are the SW pump(s), MCR/ESGR EVS fan(s),
Auxiliary Building central exhaust fan(s), and CC pumps.
 
Required Action D.1 verifies the OPERABILITY of the remaining required offsite sources within an hour of the
 
inoperability and every 8 hours thereafter. Since the Required Action only specifies "perform," a failure of the
 
SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.(continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-13Revision 38 ACTIONS D.1, D.2, and D.3 (continued)
The Completion Time for Required Action D.2 is intended to allow the operator time to evaluate and repair any
 
discovered inoperabilities. This Completion Time also allows for an exception to the norma l "time zero" for beginning the allowed outage time "clock." In this Required Action, the
 
Completion Time only begins on discovery that both:a.The required shared component has no offsite power; andb.A required shared component(s) in the same system is inoperable.
If at any time during the existence of Condition D (one offsite circuit inoperable on the other unit needed to
 
supply electrical power for a required shared component)
 
another required shared component in the same system
 
subsequently becomes inoperable, this Completion Time begins
 
to be tracked.Discovering no offsite power on the other unit that supports a required shared component and an additional required
 
shared component in the same system inoperable, results in
 
starting the Completion Times for the Required Action.
Twenty-four hours is acceptable because it minimizes risk
 
while allowing time for restoration before subjecting the
 
unit to transients associated with shutdown.
The remaining OPERABLE offsite circuits and EDGs that power
 
the required shared components are adequate to support the
 
SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and CC functions. The 24 hour Completion Time takes into account the component OPERABILITY of the remaining shared
 
component(s), a reasonable time for repairs, and the low
 
probability of a DBA occurring during this period.
Operation may continue in Condition D for a period of
 
72 hours. With one offsite circuit inoperable on the other unit supplying electrical power to a required shared
 
component, the reliability of the SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and CC functions
 
are degraded. The potential for the loss of offsite power to the other required shared components is increased, with the
 
attendant potential for a challenge to SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and CC functions.(continued)
North Anna Units 1 and 2B 3.8.1-14Revision 38 AC Sources-Operating B 3.8.1 BASES ACTIONS D.1, D.2, and D.3 (continued)
The required offsite circuit must be returned to OPERABLE
 
status within 72 hours, or the support function for the associated shared component is considered inoperable. At
 
that time, the required shared component must be declared
 
inoperable and the appropriate Conditions of the LCO 3.7.8, "Service Water System," LCO 3.7.10, "MCR/ESGR Emergency Ventilation System," LCO 3.7.12, "Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System," and
 
LCO 3.7.19, "Component Cooling Water (CC) System," must be entered. The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources
 
providing electrical power to the required shared
 
components, a reasonable time for repairs and the low
 
probability of a DBA occurring during this period of time.
E.1, E.2, and E.3 To ensure a highly reliable power source remains with an
 
inoperable EDG, it is necessary to verify the availability
 
of the required offsite circuits on a more frequent basis.
 
Since the Required Action only specifies "perform," a
 
failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. Required Action E.1 verifies the OPERABILITY of the required offsite sources
 
within an hour of the inoperability and every 8 hours thereafter. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must be entered.
Required Action E.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG is
 
inoperable, does not result in a complete loss of the SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, or
 
CC functions.
The Completion Time for Required Action E.2 is intended to allow the operator time to evaluate and repair any
 
discovered inoperabilities. This Completion Time also allows for an exception to the norm al "time zero" for beginning the allowed outage time "clock." In this Required Action, the
 
Completion Time only begins on discovery that both:a.The required shared component with an inoperable EDG; andb.A required shared component(s) in the same system is inoperable.(continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-15Revision 38 ACTIONS E.1, E.2, and E.3 (continued)
If at any time during the existence of Condition E (one EDG inoperable on the other unit needed to supply electrical
 
power for a required shared component) another required
 
shared component subsequently becomes inoperable, this
 
Completion Time begins to be tracked.
Discovering an EDG on the other unit that supports a required shared component and an additional required shared component
 
inoperable, results in starting the Completion Times for the
 
Required Action. Four hours is acceptable because it
 
minimizes risk while allowing time for restoration before
 
subjecting the unit to transients associated with shutdown.
The remaining OPERABLE offsite circuits and EDGs that power
 
the required shared components are adequate to support the
 
SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, or CC functions. The 4 hour Completion Time takes into account the component OPERABILITY of the remaining shared
 
components, a reasonable time for repairs, and the low
 
probability of a DBA occurring during this period.
Operation may continue in Condition E for a period of 14 days. With one EDG inoperable on the other unit supplying electrical power to a required shared component, the
 
reliability of the respective Function is degraded. The
 
potential for the loss of EDGs to the other required shared
 
components is increased, with the attendant potential for a
 
challenge to respective Function.
The required EDG must be returned to OPERABLE status within
 
14 days, or the support function for the associated shared component is considered inoperable. At that time, the
 
required shared component must be declared inoperable and
 
the appropriate Conditions of the LCOs 3.7.8, 3.7.10, 3.7.12, and 3.7.19 must be entered. The 14 day Completion Time takes into account the capacity and capability of the
 
remaining AC sources providing electrical power to the
 
required shared components, a reasonable time for repairs
 
and the low probability of a DBA occurring during this period
 
of time.
North Anna Units 1 and 2B 3.8.1-16Revision 38 AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)
F.1 and F.2 To ensure a highly reliable electrical power source remains
 
available when one EDG is inoperable that is required to
 
support a required shared component on the other unit, Condition F is established to monitor the OPERABILITY of the AAC DG and the LCO 3.8.1.b EDGs. Condition F is entered any time an EDG that is required to support a required shared
 
component that receives its electrical power from the other
 
unit becomes inoperable and the Required Actions and
 
Completion Times are followed. Concurrently, if the AAC DG or one or more of this unit's EDG(s) is inoperable, or become inoperable, in addition to the Required Actions of
 
Condition E, Required Actions F.1 and F.2 limit the time the EDG may be out of service to 72 hours. If the AAC DG or this unit's EDG(s) is inoperable when the other unit's EDG
 
becomes inoperable, the AOT is limited to 72 hours, unless the AAC DG and this unit's EDG(s) are returned to OPERABLE
 
status. If during the 72 hour Completion Time of F.1 or F.2, the AAC DG and this unit's EDG are return to OPERABLE status, Condition F is exited and AOT is restricted by the Completion Time tracked in Condition E. If the AAC DG or one or more of this unit's EDG(s) becomes inoperable at sometime
 
after the initial EDG inoperability, Condition F requires the restoration of the AAC DG and this unit's EDG(s) within
 
72 hours or the supported shared component must be declared inoperable and LCOs 3.7.8, 3.7.10, 3.7.12, and 3.7.19 provides the appropriate restrictions.
The 72 hour Completion Time is considered reasonable and takes into account the assumption in the probabilistic
 
safety analysis (PSA) for potential core damage frequency.
G.1 and G.2Required Action G.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an
 
event with a coincident single failure will not result in a
 
complete loss of redundant required safety functions. The
 
Completion Time for this failure of redundant required
 
features is reduced to 12 hours from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref.
: 6) allows a Completion Time of 24 hours for two required offsite circuits inoperable, based upon the
 
assumption that two complete safety trains are OPERABLE.(continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-17Revision 38 ACTIONS G.1 and G.2 (continued)
When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion
 
Time of 12 hours is appropriate. These features are powered from redundant AC safety trains.
The Completion Time for Required Action G.1 is intended to allow the operator time to evaluate and repair any
 
discovered inoperabilities. This Completion Time also allows for an exception to the norma l "time zero" for beginning the allowed outage time "clock." In this Required Action the
 
Completion Time only begins on discovery that both:a.All required offsite circuits are inoperable; andb.A required feature is inoperable.
If at any time during the existence of Condition G (two offsite circuits inoperable) a required feature becomes
 
inoperable, this Completion Time begins to be tracked.
According to Regulatory Guide 1.93 (Ref.
6), operation may continue in Condition G for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system does not have the capability to
 
effect a safe shutdown and to mitigate the effects of an
 
accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to
 
a total loss of the immediately accessible offsite power
 
sources.Because of the normally high availability of the offsite
 
sources, this level of degradation may appear to be more
 
severe than other combinations of two AC sources inoperable
 
that involve one or more EDGs inoperable. However, two
 
factors tend to decrease the severity of this level of
 
degradation:a.The configuration of the redundant AC electrical power system that remains available is not susceptible to a
 
single bus or switching failure; andb.The time required to detect and restore an unavailable offsite power source is generally much less than that
 
required to detect and restore an unavailable onsite AC
 
source.(continued)
North Anna Units 1 and 2B 3.8.1-18Revision 38 AC Sources-Operating B 3.8.1 BASES ACTIONS G.1 and G.2 (continued)
With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the
 
unit in a safe shutdown condition in the event of a DBA or
 
transient. In fact, a simultaneous loss of offsite AC
 
sources, a LOCA, and a worst case single failure were
 
postulated as a part of the design basis in the safety
 
analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite
 
circuits commensurate with the importance of maintaining an
 
AC electrical power system capable of meeting its design
 
criteria.According to Reference 6, with the available offsite AC sources, two less than required by the LCO, operation may
 
continue for 24 hours. If two offsite sources are restored within 24 hours, unrestricted operation may continue. If only one offsite source is restored within 24 hours, power operation continues in accordance with Condition A.H.1 and H.2Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required
 
Actions of Condition H are modified by a Note to indicate that when Condition H is entered with no AC source to any train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems-Operating," must be immediately entered. This allows Condition H to provide requirements for the loss of one offsite circuit and one EDG, without regard
 
to whether a train is de-energized. LCO 3.8.9 provides the appropriate restrictions for a de-energized train.
According to Regulatory Guide 1.93 (Ref.
6), operation may continue in Condition H for a period that should not exceed 12 hours.In Condition H, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical
 
power system. Since power system redundancy is provided by
 
two diverse sources of power, however, the reliability of
 
the power systems in this Condition may appear higher than
 
that in Condition G (loss of both required offsite circuits). This difference in reliability is offset by the
 
susceptibility of this power system configuration to a (continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-19Revision 38 ACTIONS H.1 and H.2 (continued)single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
I.1 With Train H and Train J EDGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of
 
offsite electrical power, insufficient standby AC sources
 
are available to power the minimum required ESF functions.
Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk
 
associated with continued operation for a very short time
 
could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid
 
instability, which could result in a total loss of AC power).
 
Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the time allowed for
 
continued operation is severely restricted. The intent here
 
is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level
 
of degradation.
According to Reference 6, with both EDGs inoperable, operation may continue for a period that should not exceed
 
2 hours.J.1 With two LCO 3.8.1.c required EDGs inoperable, as many as two required shared and potentially required components have
 
no remaining standby AC sources. Thus, with an assumed loss
 
of offsite power condition, the required shared components
 
powered from the other unit would be significantly degraded.
 
Therefore, the required shared component would immediately
 
be declared inoperable and LCOs 3.7.8, 3.7.10, 3.7.12, and 3.7.19 would provide the appropriate restrictions.
K.1 and K.2 Condition K is modified by a Note indicating that separate Condition entry is allowed for each inoperable sequencing
 
timing relay.(continued)
North Anna Units 1 and 2B 3.8.1-20Revision 38 AC Sources-Operating B 3.8.1 BASES ACTIONS K.1 and K.2 (continued)
Condition K is entered any t ime a required sequencing timing relay (STR) becomes inoperable. Required Action K.1 directs the entry into the Required Actions and Completion Times
 
associated for the individual component served by the
 
inoperable relay. The instrumentation signals that provide
 
the actuation are governed by LCO 3.3.2, "Engineered Safety Features Actuation System Instrumentation" for safety
 
injection (SI), Containment Spray (Containment
 
Depressurization Actuation (CDA)) and LCO 3.3.5, "Loss of Power (LOP) Emergency Diesel Generator (EDG) Start
 
Instrumentation" for the LOP.
The STRs provide a time delay for the individual component to
 
close its breaker to the associated emergency electrical
 
bus. Each component is sequenced onto the emergency bus by an
 
initiating signal. Required Action K.2 provides for the immediate isolation of the component(s) ability to
 
automatically load on an emergency electrical bus with an
 
inoperable STR. This provides an assurance that the
 
component will not be loaded onto an emergency bus at an
 
incorrect time. Improper loading sequence may cause the
 
emergency bus to become inoperable. Rendering a component
 
with an inoperable STR incapable of loading to the emergency
 
bus prevents a possible overload condition. Upon
 
implementation of Action K.2.1, the inoperable sequencing timing relay is no longer required. Required Action K.2.2 provides an alternative option for isolating the component with an inoperable STR from the emergency bus by allowing the
 
associated EDG to be declared inoperable.
L.1 and L.2 If the inoperable AC electric power sources cannot be
 
restored to OPERABLE status within the required Completion
 
Time, the unit must be brought to a MODE in which the LCO
 
does not apply. To achieve this status, the unit must be
 
brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-21Revision 38 ACTIONS (continued)
M.1 Condition M corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been
 
lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function.
 
Therefore, no additional time is justified for continued
 
operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.
SURVEILLANCE
 
REQUIREMENTS The AC sources are designed to permit inspection and testing
 
of all important areas and features, especially those that
 
have a standby function, in accordance with GDC 18 (Ref. 1). Periodic component tests are supplemented by extensive
 
functional tests during refueling outages (under simulated
 
accident conditions). The SRs for demonstrating the
 
OPERABILITY of the EDGs are in accordance with the
 
recommendations of Safety Guide 9 (Ref. 3), Regulatory Guide 1.108 (Ref.
8), and Regulatory Guide 1.137 (Ref.
9), as addressed in the UFSAR.Where the SRs discussed herei n specify voltage and frequency tolerances, the following is applicable. The minimum steady
 
state output voltage of 3740 V is 90% of the nominal 4160 V output voltage. This value, which is specified in ANSI C84.1 (Ref. 10), allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90%
 
of name plate rating. The specified maximum steady state
 
output voltage of 4580 V is equal to the maximum operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages. The specified minimum and maximum
 
frequencies of the EDG are 59.5 Hz and 60.5 Hz, respectively. These values are <
+/-1% of the 60 Hz nominal frequency and are derived from the safety analysis
 
assumptions for operation of ECCS pump criteria.
North Anna Units 1 and 2B 3.8.1-22Revision 46 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.8.1.1 This SR ensures proper circuit continuity for the offsite AC
 
electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct
 
position to ensure that distribution buses and loads are
 
connected to the preferred or alternate power sources for
 
Unit 1 or the preferred power source for Unit 2, and that appropriate independence of offsite circuits is maintained.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.1.2 and SR 3.8.1.7 These SRs help to ensure the availability of the standby
 
electrical power supply to mitigate DBAs and transients and
 
to maintain the unit in a safe shutdown condition.
To minimize the wear on moving parts that do not get
 
lubricated when the engine is not running, these SRs are
 
modified by a Note (Note 1 for SR 3.8.1.2) to indicate that all EDG starts for these Surveillances may be preceded by an
 
engine prelube period and followed by a warmup period prior
 
to loading.
For the purposes of SR 3.8.1.2 and SR 3.8.1.7 testing, the EDGs are started from standby conditions. Standby conditions
 
for an EDG mean that the diesel engine coolant and oil are
 
being continuously circulated, as required, and temperature
 
is being maintained consistent with manufacturer
 
recommendations.
In order to reduce stress and wear on diesel engines, the
 
manufacturer recommends a modified start in which the starting speed of EDGs is limited, warmup is limited to this lower speed, and the EDGs are gradually accelerated to
 
synchronous speed prior to loading. These start procedures
 
are the intent of Note 2.SR 3.8.1.7 requires that the EDG starts from standby conditions and achieves required voltage and frequency
 
within 10 seconds. The 10 second start requirement supports the assumptions of the design basis LOCA analysis in the
 
UFSAR, Chapter 15 (Ref. 5).(continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-23Revision 46 SURVEILLANCE REQUIREMENTS SR  3.8.1.2 and SR 3.8.1.7 (continued)
The 10 second start requirement is not applicable to SR 3.8.1.2 (see Note
: 2) when a modified start procedure as described above is used. If a modified start is not used, the
 
10 second start requirement of SR 3.8.1.7 applies.
Since SR 3.8.1.7 requires a 10 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2.In addition to the SR requirements, the time for the EDG to
 
reach steady state operation, unless the modified EDG start
 
method is employed, is periodically monitored and the trend
 
evaluated to identify degradation of governor and voltage
 
regulator performance.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.1.3 This Surveillance verifies that the EDGs are capable of
 
synchronizing with the offsite electrical system and
 
accepting loads greater than or equal to the equivalent of
 
90% to 100% of continuous rating (2500 to 2600 kW). A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the EDG is
 
connected to the offsite source.
Although no power factor requirements are established by
 
this SR, the EDG is normally operated at a power factor
 
between 0.8 lagging and 1.0. The 0.8 value is the design
 
rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The
 
load band is provided to avoid routine overloading of the
 
EDG. Routine overloading may result in more frequent
 
teardown inspections in accordance with vendor
 
recommendations in order to maintain EDG OPERABILITY.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.(continued)
North Anna Units 1 and 2B 3.8.1-24Revision 46 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.1.3 (continued)
This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that
 
mechanical stress and wear on the diesel engine are
 
minimized. Note 2 states that momentary transients, because of changing bus loads, do not invalidate this test.
 
Similarly, momentary power factor transients above the limit
 
do not invalidate the test. Note 3 indicates that this Surveillance should be conducted on only one EDG at a time in order to avoid common cause failures that might result from
 
offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this SR. A
 
successful EDG start must precede this test to credit
 
satisfactory performance.
SR  3.8.1.4 This SR provides verification that the level of fuel oil in
 
the day tank is at or above the level which is required. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for a minimum of 1 hour of EDG operation at full load plus 10%.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.1.5 Microbiological fouling is a major cause of fuel oil
 
degradation. There are numerous bacteria that can grow in
 
fuel oil and cause fouling, but all must have a water
 
environment in order to survive. Removal of water from the
 
fuel oil day tanks eliminates the necessary environment for
 
bacterial survival. This is the most effective means of
 
controlling microbiological fouling. In addition, it
 
eliminates the potential for water entrainment in the fuel
 
oil during EDG operation. Water may come from any of several
 
sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by
 
bacteria. Frequent checking for and removal of accumulated
 
water minimizes fouling and provides data regarding the
 
watertight integrity of the fuel (continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-25Revision 46 SURVEILLANCE REQUIREMENTS SR  3.8.1.5 (continued) oil system. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
This SR is for preventative maintenance. The presence of
 
water does not necessarily represent failure of this SR, provided the accumulated water is removed during the
 
performance of this Surveillance.
SR  3.8.1.6 This Surveillance demonstrates that each required fuel oil
 
transfer pump operates and transfers fuel oil from its
 
associated storage tank to its associated day tank. This is
 
required to support continuous operation of standby power
 
sources. This Surveillance provides assurance that the fuel oil transfer pump is OPER ABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the
 
controls and control systems for fuel transfer systems are
 
OPERABLE. Only one fuel oil transfer subsystem is required
 
to support an OPERABLE EDG.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.1.7 See SR 3.8.1.2.SR  3.8.1.8Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit
 
demonstrates the OPERABILITY of the alternate circuit
 
distribution network to power the shutdown loads for Unit 1 only. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.(continued)
North Anna Units 1 and 2B 3.8.1-26Revision 38 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.1.8 (continued)
This SR is modified by two Notes. Note 1 states that the SR is applicable to Unit 1 only. The SR is not applicable to Unit 2 because it does not have an alternate offsite feed for the emergency buses. The reason for Note 2 is that, during operation with the reactor critical, performance of this SR
 
could cause perturbations to the electrical distribution
 
systems that could challenge continued steady state
 
operation and, as a result, unit safety systems. This
 
restriction from normally performing the Surveillance in
 
MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing
 
OPERABILITY (e.g., post work testing following corrective
 
maintenance, corrective modification, deficient or
 
incomplete surveillance testing, and other unanticipated
 
OPERABILITY concerns) provided an assessment determines unit
 
safety is maintained or enhanced. This assessment shall, as
 
a minimum, consider the potential outcomes and transients
 
associated with a failed Surveillance, a successful
 
Surveillance, and a perturbation of the offsite or onsite
 
system when they are tied togethe r or operated independently for the Surveillance; as well as the operator procedures
 
available to cope with these outcomes. These shall be
 
measured against the avoided risk of a unit shutdown and
 
startup to determine that unit safety is maintained or
 
enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this
 
assessment.
SR  3.8.1.9Each EDG is provided with an engine overspeed trip to prevent
 
damage to the engine. Recovery from the transient caused by
 
the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine.
 
This Surveillance demonstrates the EDG load response
 
characteristics and capability to reject the largest single
 
load without exceeding predetermined voltage and frequency
 
and while maintaining a specified margin to the overspeed
 
trip. For this unit, the single load for each EDG is 610 kW. This Surveillance may be accomplished by:a.Tripping the EDG output breaker with the EDG carrying greater than or equal to its associated single largest
 
post-accident load while paralleled to offsite power, or
 
while solely supplying the bus; or (continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-27Revision 46 SURVEILLANCE REQUIREMENTS SR  3.8.1.9 (continued)b.Tripping its as sociated single largest post-accident load with the EDG solely supplying the bus.
As required by IEEE-308 (Ref. 11), the load rejection test is acceptable if the increase in diesel speed does not exceed
 
75% of the difference between synchronous speed and the
 
overspeed trip setpoint, or 15% above synchronous speed, whichever is lower.
The time, voltage, and frequency tolerances specified in this SR are derived from Safety Guide 9 (Ref. 3)
 
recommendations for response during load sequence intervals.The 3 seconds specified is equal to 60% of a typical 5 second load sequence interval associated with sequencing of the
 
largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by
 
the EDG. SR 3.8.1.9.a corresponds to the maximum frequency
 
excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are steady
 
state voltage and frequency values to which the system must
 
recover following load rejection. The Surveillance Frequency
 
is based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
This SR is modified by a Note. The Note ensures that the EDG
 
is tested under load conditions that are as close to design
 
basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of  0.9. This power factor is representative of the actual inductive loading an EDG would see under design basis
 
accident conditions. Under certain conditions, however, the
 
Note allows the surveillance to be conducted at a power
 
factor other than  0.9. These conditions occur when grid voltage is high, and the additional field excitation needed
 
to get the power factor to  0.9 results in voltages on the emergency busses that are too high. Under these conditions, the power factor should be maintained as close as
 
practicable to 0.9 while still maintaining acceptable
 
voltage limits on the emergency busses. In other
 
circumstances, the grid voltage may be such that the EDG
 
excitation levels needed to obtain a power factor of 0.9 may
 
not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the EDG. In such cases, the power factor shall be maintained
 
as close as practicable to 0.9 without exceeding the EDG
 
excitation limits.
North Anna Units 1 and 2B 3.8.1-28Revision 46 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE (continued)
SR  3.8.1.10 Consistent with the recommendations of Regulatory
 
Guide 1.108 (Ref.
8), paragraph 2.a.(1), this Surveillance demonstrates the as designed operation of the standby power
 
sources during loss of the offsite source. This test
 
verifies all actions encountered from the loss of offsite
 
power, including shedding of the nonessential loads and
 
energization of the emergency buses and respective loads
 
from the EDG. It further demonstrates the capability of the
 
EDG to automatically achieve the required voltage and
 
frequency within the specified time.
The EDG autostart time of 10 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The Surveillance should be continued
 
for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability is achieved.The requirement to verify the connection and power supply of
 
permanent and autoconnected loads is intended to
 
satisfactorily show the relationship of these loads to the
 
EDG loading logic. In certain circumstances, many of these
 
loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are
 
not desired to be stroked open, or high pressure injection
 
systems are not capable of being operated at full flow, and not desired to be realigned to the ECCS mode of operation. In
 
lieu of actual demonstration of connection and loading of
 
loads, testing that adequately shows the capability of the
 
EDG systems to perform these functions is acceptable. This
 
testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading
 
sequence is verified.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the EDGs during testing. For the
 
purpose of this testing, the EDGs must be started from
 
standby conditions, that is, with the engine coolant and oil continuously circulated, as required, and temperature (continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-29Revision 38 SURVEILLANCE REQUIREMENTS SR  3.8.1.10 (continued) maintained consistent with manufacturer recommendations. The
 
reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the
 
electrical distribution system, and challenge safety
 
systems. This restriction from normally performing the
 
Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the
 
purpose of reestablishing OPERABILITY (e.g., post work
 
testing following corrective maintenance, corrective
 
modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an
 
assessment determines unit safety is maintained or enhanced.
 
This assessment shall, as a minimum, consider the potential
 
outcomes and transients associated with a failed partial
 
Surveillance, a successful partial Surveillance, and a
 
perturbation of the offsite or onsite system when they are
 
tied together or operated independently for the partial
 
Surveillance; as well as the operator procedures available
 
to cope with these outcomes. These shall be measured against
 
the avoided risk of the unit shutdown and startup to
 
determine that unit safety is maintained or enhanced when
 
portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic meth ods may be used for this assessment.
SR  3.8.1.11 This Surveillance demonstrates that the EDG automatically
 
starts and achieves the required voltage and frequency
 
within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operates for  5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.11.d and SR 3.8.1.11.e ensure that permanently connected loads and emergency loads are
 
energized from the offsite electrical power system on an ESF signal without loss of offsite power.
The requirement to verify the connection of permanent and
 
autoconnected loads is intended to satisfactorily show the
 
relationship of these loads to the EDG loading logic. In
 
certain circumstances, many of these loads cannot actually
 
be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves
 
are not desired to be stroked open, or high pressure (continued)
North Anna Units 1 and 2B 3.8.1-30Revision 46 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.1.11 (continued) injection systems are not capable of being operated at full
 
flow. In lieu of actual demonstration of connection and
 
loading of loads, testing that adequately shows the
 
capability of the EDG system to perform these functions is
 
acceptable. This testing may include any series of
 
sequential, overlapping, or total steps so that the entire
 
connection and loading sequence is verified.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the EDGs during testing. For the
 
purpose of this testing, the EDGs must be started from
 
standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained
 
consistent with manufacturer recommendations. The reason for
 
Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations
 
to the electrical distribution systems that could challenge
 
continued steady state operation and, as a result, unit
 
safety systems. This restriction from normally performing
 
the Surveillance in MODE 1 or 2 is further amplified to allow portions of the Surveillance to be performed for the
 
purpose of reestablishing OPERABILITY (e.g., post work
 
testing following corrective maintenance, corrective
 
modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an
 
assessment determines unit safety is maintained or enhanced.
 
This assessment shall, as a minimum, consider the potential
 
outcomes and transients associated with a failed partial
 
Surveillance, a successful partial Surveillance, and a
 
perturbation of the offsite or onsite system when they are
 
tied together or operated independently for the partial
 
Surveillance; as well as the operator procedures available
 
to cope with these outcomes. These shall be measured against
 
the avoided risk of the unit shutdown and startup to
 
determine that unit safety is maintained or enhanced when
 
portions of the Surveillance are performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this
 
assessment.
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-31Revision 46 SURVEILLANCE (continued)
SR  3.8.1.12 This Surveillance demonstrates that EDG noncritical protective functions (e.g., high jacket water temperature)
 
are bypassed on actual or simulated signals from an ESF
 
actuation, a loss of voltage, or a loss of voltage signal
 
concurrent with an ESF actuation test signal, and critical
 
protective functions (engine overspeed and generator
 
differential current) trip the EDG to avert substantial
 
damage to the EDG unit. The noncritical trips are bypassed
 
during DBAs and provide an alarm on an abnormal engine
 
condition. This alarm provides the operator with sufficient
 
time to react appropriately. The EDG availability to mitigate the DBA is more critical than protecting the engine
 
against minor problems that are not immediately detrimental
 
to emergency operation of the EDG.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is
 
that performing the Sur veillance would remove a required EDG from service. This restriction from normally performing the
 
Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of
 
reestablishing OPERABILITY (e.g., post work testing
 
following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other
 
unanticipated OPERABILITY concerns) provided an assessment
 
determines unit safety is maintained or enhanced. This
 
assessment shall, as a minimum, consider the potential
 
outcomes and transients associated with a failed
 
Surveillance, a successful Surveillance, and a perturbation
 
of the offsite or onsite system when they are tied together
 
or operated independently for the Surveillance; as well as
 
the operator procedures available to cope with these
 
outcomes. These shall be measured against the avoided risk
 
of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
North Anna Units 1 and 2B 3.8.1-32Revision 46 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE
 
REQUIREMENTS (continued)
SR  3.8.1.13 Regulatory Guide 1.108 (Ref.
8), paragraph 2.a.(3), provides an acceptable method to demonstrate once per 18 months that the EDGs can start and run continuously at full load
 
capability for an interval of not less than 24 hours,  2 hours of which is at a load equivalent from 105% to 110%
of the continuous duty rating and the remainder of the time
 
at a load equivalent from 90% to 100% of the continuous duty
 
rating of the EDG. The EDG starts for this Surveillance can
 
be performed either from standby or hot conditions. The
 
provisions for prelubricating and warmup, discussed in
 
SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.The load band is provided to avoid routine overloading of the
 
EDG. Routine overloading may result in more frequent
 
teardown inspections in accordance with vendor
 
recommendations in order to maintain EDG OPERABILITY.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This Surveillance is modified by three Notes. Note 1 states that momentary transients due to changing bus loads do not
 
invalidate this test. Similarly, momentary power factor
 
transients above the power factor limit will not invalidate the test. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could
 
cause perturbations to the electrical distribution systems
 
that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from
 
normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed
 
for the purpose of reestablishing OPERABILITY (e.g., post
 
work testing following corrective maintenance, corrective
 
modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an
 
assessment determines unit safety is maintained or enhanced.
 
This assessment shall, as a minimum, consider the potential
 
outcomes and transients associated with a failed
 
Surveillance, a successful Surveillance, and a perturbation
 
of the offsite or onsite system when they are tied together
 
or operated independently for the Surveillance; as well as (continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-33Revision 46 SURVEILLANCE REQUIREMENTS SR  3.8.1.13 (continued) the operator procedures available to cope with these
 
outcomes. These shall be measured against the avoided risk
 
of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may
 
be used for this assessment. Note 3 ensures that the EDG is
 
tested under load conditions that are as close to design
 
basis conditions as possible. When synchronized with offsite
 
power, testing should be performed at a power factor of 0.9. This power factor is representative of the actual inductive loading an EDG would see under design basis
 
accident conditions. Under certain conditions, however, Note 3 allows the surveillance to be conducted at a power
 
factor other than  0.9. These conditions occur when grid voltage is high, and the additional field excitation needed
 
to get the power factor to  0.9 results in voltages on the emergency busses that are too high. Under these conditions, the power factor should be maintained as close as
 
practicable to 0.9 while still maintaining acceptable
 
voltage limits on the emergency busses. In other
 
circumstances, the grid voltage may be such that the EDG
 
excitation levels needed to obtain a power factor of 0.9 may
 
not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the EDG. In such cases, the power factor shall be maintained
 
as close as practicable to 0.9 without exceeding the EDG
 
excitation limits.
SR  3.8.1.14 This Surveillance demonstrates that the diesel engine can
 
restart from a hot condition, such as subsequent to shutdown
 
from normal Surveillances, and achieve the required voltage
 
and frequency within 10 seconds. The 10 second time is
 
derived from the requirements of the accident analysis to
 
respond to a design basis large break LOCA. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
This SR is modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load
 
band is provided to avoid routine overloading of the EDG.
 
Routine overloads may result in more frequent teardown
 
inspections in accordance with vendor recommendations in
 
order to maintain EDG OPERABILITY. The requirement that the (continued)
North Anna Units 1 and 2B 3.8.1-34Revision 46 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.1.14 (continued) diesel has operated for at least 2 hours at full load conditions, or after operating temperatures reach a
 
stabilized state, prior to performance of this Surveillance
 
is based on manufacturer recommendations for achieving hot
 
conditions. Momentary transients due to changing bus loads
 
do not invalidate this test. Note 2 allows all EDG starts to be preceded by an engine prelube period to minimize wear and
 
tear on the diesel during testing.
SR  3.8.1.15 Consistent with the recommendations of Regulatory
 
Guide 1.108 (Ref.
8), paragraph 2.a.(6), this Surveillance ensures that the manual synchronization and load transfer
 
from the EDG to the offsite source can be made and the EDG
 
can be returned to ready to load status when offsite power is
 
restored. It also ensures that the autostart logic is reset
 
to allow the EDG to reload if a subsequent loss of offsite
 
power occurs. The EDG is considered to be in ready to load
 
status when the EDG is at rated speed and voltage, the output
 
breaker is open and can receive an autoclose signal on bus
 
undervoltage, and the load sequencing timing relays are reset. EDG loading of the emergency bus is limited to normal energized loads.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required
 
offsite circuit from service, perturb the electrical
 
distribution system, and challenge safety systems. This
 
restriction from normally performing the Surveillance in
 
MODE 1, 2, 3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of
 
reestablishing OPERABILITY (e.g., post work testing
 
following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other
 
unanticipated OPERABILITY concerns) provided an assessment
 
determines unit safety is maintained or enhanced. This
 
assessment shall, as a minimum, consider the potential
 
outcomes and transients associated with a failed
 
Surveillance, a successful Surveillance, and a perturbation (continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-35Revision 46 SURVEILLANCE REQUIREMENTS SR  3.8.1.15 (continued) of the offsite or onsite system when they are tied together
 
or operated independently for the Surveillance; as well as
 
the operator procedures available to cope with these
 
outcomes. These shall be measured against the avoided risk
 
of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, 3, or
: 4. Risk insights or deterministic methods may be used for this assessment.
SR  3.8.1.16 Under accident conditions, with a loss of offsite power, safety injection, containment spray, or recirculation spray, loads are sequentially connected to the bus by the automatic
 
load sequencing timing relays. The sequencing timing relays
 
control the permissive and starting signals to motor breakers to prevent overloading of the EDGs due to high motor starting currents. The load sequence time interval
 
tolerances, listed in the Technical Requirements Manual (Ref. 12), ensure that sufficient time exists for the EDG to restore frequency and voltage prior to applying the next
 
load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 2 provides a summary of the automatic loading of ESF buses.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required
 
offsite circuit from service, perturb the electrical
 
distribution system, and challenge safety systems. This
 
restriction from normally performing the Surveillance in
 
MODE 1, 2, 3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of
 
reestablishing OPERABILITY (e.g., post work testing
 
following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other
 
unanticipated OPERABILITY concerns) provided an assessment
 
determines unit safety is maintained or enhanced. This
 
assessment shall, as a minimum, consider the potential
 
outcomes and transients associated with a failed (continued)
North Anna Units 1 and 2B 3.8.1-36Revision 46 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.1.16 (continued)
Surveillance, a successful Surveillance, and a perturbation
 
of the offsite or onsite system when they are tied together
 
or operated independently for the Surveillance; as well as
 
the operator procedures available to cope with these
 
outcomes. These shall be measured against the avoided risk
 
of a unit shutdown and startup to determine that unit safety is maintained or enhanced wh en the Surveillance is performed in MODE 1, 2, 3, or
: 4. Risk insights or deterministic methods may be used for this assessment.
SR  3.8.1.17 In the event of a DBA coincident with a loss of offsite power, the EDGs are required to supply the necessary power to
 
ESF systems so that the fuel, RCS, and containment design
 
limits are not exceeded.
This Surveillance demonstrates the EDG operation, as
 
discussed in the Bases for SR 3.8.1.10, during a loss of offsite power actuation test signal in conjunction with an
 
ESF actuation signal. In lieu of actual demonstration of
 
connection and loading of loads, testing that adequately
 
shows the capability of the EDG system to perform these
 
functions is acceptable. This testing may include any series
 
of sequential, overlapping, or total steps so that the
 
entire connection and loading sequence is verified.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the EDGs during testing. For the
 
purpose of this testing, the EDGs must be started from
 
standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained
 
consistent with manufacturer recommendations for EDGs. The
 
reason for Note 2 is that the performance of the Surveillance would remove a required offsite circuit from
 
service, perturb the electrical distribution system, and
 
challenge safety systems. This restriction from normally performing the Survei llance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be
 
performed for the purpose of reestablishing OPERABILITY (continued)
AC Sources-Operating B 3.8.1 BASESNorth Anna Units 1 and 2B 3.8.1-37Revision 46 SURVEILLANCE REQUIREMENTS SR  3.8.1.17 (continued)(e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete
 
surveillance testing, and other unanticipated OPERABILITY
 
concerns) provided an assessment determines unit safety is maintained or enhanced.
This assessment shall, as a minimum, consider the potential outcomes and transients associated
 
with a failed partial Surveillance, a successful partial
 
Surveillance, and a perturbation of the offsite or onsite
 
system when they are tied together or operated independently for the partial Surveillance; as well as the operator
 
procedures available to cope with these outcomes. These
 
shall be measured against the avoided risk of the unit
 
shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or
: 4. Risk insights or deterministic methods may be used for this assessment.
SR  3.8.1.18 This Surveillance demonstrates that the EDG starting
 
independence has not been compromised. Also, this
 
Surveillance demonstrates that each engine can achieve
 
proper speed within the specified time when the EDGs are
 
started simultaneously.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.This SR is modified by a Note. The reason for the Note is to
 
minimize wear on the EDG during testing. For the purpose of
 
this testing, the EDGs must be started from standby
 
conditions, that is, with the engine coolant and oil
 
continuously circulated and temperature maintained
 
consistent with manufacturer recommendations.
REFERENCES1.UFSAR, Chapter 3.2.UFSAR, Chapter 8.3.Safety Guide 9, March 1971.4.UFSAR, Chapter 6.5.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.8.1-38Revision 21 AC Sources-Operating B 3.8.1 BASES REFERENCES (continued)6.Regulatory Guide 1.93, Rev.
0, December 1974.7.Generic Letter 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability,"
July 2, 1984.8.Regulatory Guide 1.108, Rev.
1, August 1977.9.Regulatory Guide 1.137, Rev.
1, October 1979.10.ASME Code for Operation an d Maintenance of Nuclear Power Plants.11.IEEE Standard 308-1971.12.Technical Requirements Manual.
North Anna Units 1 and 2B 3.8.2-1Revision 0 AC Sources-Shutdown B 3.8.2 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.2AC Sources-Shutdown BASES BACKGROUNDA description of the AC sources is provided in the Bases for
 
LCO 3.8.1, "AC Sources-Operating." APPLICABLE
 
SAFETY ANALYSES The OPERABILITY of the minimum AC sources during MODES 5 and 6 and during movement of recently irradiated fuel assemblies ensures that:a.The unit can be maintained in the shutdown or refueling condition for extended periods;b.Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status;
 
andc.Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel
 
handling accident involving handling recently irradiated
 
fuel. Due to radioactive decay, AC electrical power is
 
only required to mitigate fuel handling accident
 
involving handling recently irradiated fuel. (i.e., fuel
 
that has occupied part of a critical reactor core within a
 
time frame established by analysis. The term recently is
 
defined as all irradiated fuel assemblies, until analysis
 
is performed to determine a specific time frame.)
In general, when the unit is shut down, the Technical
 
Specifications requirements ensure that the unit has the
 
capability to mitigate the consequences of postulated
 
accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The
 
rationale for this is based on the fact that many Design
 
Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure
 
boundary, reactor coolant temperature and pressure, and the
 
corresponding stresses result in the probabilities of
 
occurrence being significantly reduced or eliminated, and in (continued)
North Anna Units 1 and 2B 3.8.2-2Revision 0 AC Sources-Shutdown B 3.8.2 BASES APPLICABLE
 
SAFETY ANALYSES (continued) minimal consequences. These deviations from DBA analysis
 
assumptions and design requirements during shutdown
 
conditions are allowed by the LCO for required systems.
During MODES 1, 2, 3, and 4, various deviations from the
 
analysis assumptions and design requirements are allowed
 
within the Required Actions. This allowance is in
 
recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not
 
exceeded. During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is
 
also required. In MODES 5 and 6, the activities are generally planned and administratively controlled.
 
Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:a.The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.b.Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical
 
design requirements applied to systems credited in
 
operating MODE analyses, or both.c.Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.d.Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.In the event of an a ccident during shutdown, this LCO ensures the capability to support systems necessary to avoid
 
immediate difficulty, assuming either a loss of all offsite
 
power or a loss of all onsite emergency diesel generator (EDG) power.
The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems-Shutdown," ensures that all required loads are (continued)
AC Sources-Shutdown B 3.8.2 BASESNorth Anna Units 1 and 2B 3.8.2-3Revision 0 LCO (continued) powered from offsite power. An OPERABLE EDG, associated with the distribution system trains required to be OPERABLE by
 
LCO 3.8.10, ensures a diverse power source is available to provide electrical power support, assuming a loss of the
 
offsite circuit. Together, OPERABILITY of the required
 
offsite circuit and EDG ensures the availability of
 
sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during
 
shutdown (e.g., fuel handling accidents involving handling
 
recently irradiated fuel).The qualified offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads
 
during an accident, while con nected to the Engineered Safety Feature (ESF) bus(es). Qualified offsite circuits are those
 
that are described in the UFSAR and are part of the licensing basis for the unit.
Offsite circuits consist of 34.5 kV buses 3, 4, and 5 supplying the Reserve Station Service Transformer(s) (RSST)
 
which feed the transfer buses. The D, E, and F transfer buses supply the onsite electrical power to the four emergency
 
buses for the two units. Unit 1 emergency bus H is fed through the F transfer bus from the C RSST. Unit 1 emergency bus J is fed through the D transfer bus from the A RSST. Unit 1 station service bus 1B can be an alternate feed for Unit 1 H emergency bus, while Unit 1 J bus may be fed from Unit 2 station service bus 2B. Unit 2 emergency bus H is fed through the E transfer bus from the B RSST. Unit 2 emergency bus J is fed through the F transfer bus from the C RSST. The RSSTs can be fed by any 34.5 kV bus (3, 4, or
: 5) provided RSSTs A and B are fed from a different 34.5 kV bus than RSST C.The EDG must be capable of starting, accelerating to rated
 
speed and voltage, and connecting to its respective ESF bus
 
on detection of bus undervoltage or degraded voltage. The
 
EDG must be capable of accepting required loads within the
 
assumed loading sequence intervals, and continue to operate
 
until offsite power can be restored to the ESF bus. These
 
capabilities are required to be met from a variety of initial
 
conditions such as EDG in standby with the engine hot and the EDG in standby at ambient conditions.
Proper sequencing of loads is a required function for EDG
 
OPERABILITY.(continued)
North Anna Units 1 and 2B 3.8.2-4Revision 20 AC Sources-Shutdown B 3.8.2 BASES LCO (continued)It is acceptable for trains to be cross tied during shutdown conditions, allowing a single offsite power circuit to
 
supply all required trains.
APPLICABILITY The AC sources required to be OPERABLE in MODES 5 and 6 and during movement of recently irradiated fuel assemblies
 
provide assurance that:a.Systems to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel
 
that has occupied part of a critical reactor core within
 
the previous 300 hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available;
 
andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown
 
condition or refueling condition.
The AC power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.1.ACTIONS A.1 An offsite circuit would be considered inoperable if it were
 
not available to the necessary portions of the electrical
 
power distribution subsystem(s). One train with offsite
 
power available may be capable of supporting sufficient
 
required features to allow continuation of CORE ALTERATIONS
 
and recently irradiated fuel movement. By the allowance of
 
the option to declare required features inoperable, with no
 
offsite power available, appropriate restrictions will be
 
implemented in accordance with the affected required
 
features LCO's ACTIONS.
AC Sources-Shutdown B 3.8.2 BASESNorth Anna Units 1 and 2B 3.8.2-5Revision 0 ACTIONS (continued)
A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 With the offsite circuit not available to all required trains, the option would still exist to declare all required features inoperable. Since this option may involve undesired
 
administrative efforts, the allowance for sufficiently
 
conservative actions is made. With the required EDG
 
inoperable, the minimum required diversity of AC power
 
sources is not available. It is, therefore, required to
 
suspend CORE ALTERATIONS, movement of recently irradiated
 
fuel assemblies, and operations involving positive
 
reactivity additions that could result in loss of required
 
SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure
 
to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of
 
coolant inventory must be from sources that have a boron
 
concentration greater than what wo uld be required in the RCS for minimum SDM or refueling boron concentration. This may
 
result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical
 
operation. Introduction of temperature changes including
 
temperature increases when operating with a positive MTC
 
must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These
 
actions minimize the probability or the occurrence of
 
postulated events. It is further required to immediately
 
initiate action to restore the required AC sources and to
 
continue this action until restoration is accomplished in
 
order to provide the necessary AC power to the unit safety
 
systems.The Completion Time of immediately is consistent with the
 
required times for actions requiring prompt attention. The
 
restoration of the required AC electrical power sources
 
should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be
 
without sufficient power.
Pursuant to LCO 3.0.6, the Distribution System's ACTIONS would not be entered even if all AC sources to it are
 
inoperable, resulting in de-energization. Therefore, the
 
Required Actions of Condition A are modified by a Note to indicate that when Condition A is entered with no AC power to (continued)
North Anna Units 1 and 2B 3.8.2-6Revision 0 AC Sources-Shutdown B 3.8.2 BASES ACTIONS A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 (continued) any required ESF bus, the ACTIONS for LCO 3.8.10 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit, whether or
 
not a train is de-energized. LCO 3.8.10 would provide the appropriate restrictions for the situation involving a
 
de-energized train.
SURVEILLANCE
 
REQUIREMENTS SR  3.8.2.1 SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in
 
other than MODES 1, 2, 3, and
: 4. SR 3.8.1.8 is not required to be met since only one offsite circuit is required to be
 
OPERABLE. SR 3.8.1.11 and SR 3.8.1.17 are not required because the ESF actuation signals are not required to be
 
OPERABLE. SR 3.8.1.18 is excepted because starting independence is not required with the EDG(s) that is not
 
required to be OPERABLE.This SR is modified by a Note. The reason for this Note is to
 
preclude requiring the required OPERABLE EDG(s) from being
 
paralleled with the offsite power network or otherwise
 
rendered inoperable during performance of SRs, and to
 
preclude de-energizing a required 4160 V ESF bus or
 
disconnecting a required offsite circuit during performance
 
of SRs. With limited AC sources available, a single event
 
could compromise both the required circuit and the EDG. It is
 
the intent that these SRs must still be capable of being met, but actual performance is not required during periods when
 
the EDG and offsite circuit is required to be OPERABLE. Refer
 
to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.REFERENCES None.
North Anna Units 1 and 2B 3.8.3-1Revision 31 Diesel Fuel Oil and Starting Air B 3.8.3 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.3Diesel Fuel Oil and Starting Air BASES BACKGROUND The fuel oil storage system has sufficient capacity to
 
operate two EDGs for a period of 7 days with each supplying the maximum post loss of coolant accident load demand
 
discussed in the UFSAR, Section 9.5.4.2 (Ref.
1). This onsite fuel oil capacity is sufficient to operate the EDGs
 
for longer than the time to replenish the onsite supply from
 
outside sources.
The fuel oil storage system consists of two underground
 
tanks. Fuel oil is transferred from an underground tank to
 
each EDG day tank by a lead fuel oil transfer pump. An
 
additional underground tank and fuel oil transfer pump is
 
associated with each EDG day tank to provide a redundant
 
subsystem. Independent level switches on the day tank
 
operate the lead and backup fuel oil transfer subsystems.
 
Only one fuel oil transfer subsystem is required for the EDG
 
to be considered OPERABLE. All outside tanks, pumps, and
 
piping are located underground or in a missile protected
 
area.For proper operation of the standby EDGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory
 
Guide 1.137 (Ref.
: 2) addresses the recommended fuel oil practices as supplemented by ANSI N195 (Ref.
3). The fuel oil properties governed by these SRs are the water and
 
sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.
Each EDG has an air start system that contains two separate
 
and independent subsystems. Normally, each subsystem is
 
aligned to provide starting air to the associated EDG. Each
 
subsystem consists of a receiver and a compressor, however, the receiver pressurized to  175 psig is th e only component required to maintain op erability of each diesel starting air subsystem. Only one air start receiver is required for the
 
EDG to be considered OPERABLE.
APPLICABLE
 
SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and
 
transient analyses in the UFSAR, Chapter 6 (Ref. 4), and in the UFSAR, Chapter 15 (Ref. 5), assume Engineered Safety (continued)
North Anna Units 1 and 2B 3.8.3-2Revision 31 Diesel Fuel Oil and Starting Air B 3.8.3 BASES APPLICABLE
 
SAFETY ANALYSES (continued)Feature (ESF) systems are OPERABLE. The EDGs are designed to
 
provide sufficient capacity, capability, redundancy, and reliability to ensure t he availability of necessary power to ESF systems so that fuel, Reactor Coolant System and
 
containment design limits are not exceeded. These limits are
 
discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The DBA and transient analyses assume the operation of one
 
EDG associated with the unit on which an accident is postulated to occur and the operation of one EDG on the unit
 
which is unaffected by the accident to support shared
 
systems. LCO 3.8.1 requires two EDGs to be OPERABLE and one EDG from the other unit to be OPERABLE. However, only
 
sufficient fuel oil to operate one EDG and one EDG on the other unit is required to satisfy the assumptions of the DBA
 
and transient analysis and to support EDG OPERABILITY.
Since diesel fuel oil and the air start subsystem support the
 
operation of the standby AC power sources, they satisfy
 
Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Stored diesel fuel oil is required to have sufficient supply
 
for 7 days of full load operation for two EDGs. It is also required to meet specific standards for quality. This
 
requirement, in conjunction with an ability to obtain
 
replacement supplies within 2 days, supports the availability of EDGs required to shut down the reactor and to
 
maintain it in a safe condition for an anticipated
 
operational occurrence (AOO) or a postulated DBA with loss
 
of offsite power. EDG day ta nk fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."
One air start receiver is required to ensure EDG
 
OPERABILITY. The required starting air receiver is required
 
to have a minimum of 175 psig to provide the EDG with more than one start attempt without recharging the air start
 
receivers.
APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition (continued)
Diesel Fuel Oil and Starting Air B 3.8.3 BASESNorth Anna Units 1 and 2B 3.8.3-3Revision 37 APPLICABILITY (continued) after an AOO or a postulated DBA. Since stored diesel fuel oil and the starting air subsystem support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil and starting air are required to be within limits when the EDG(s) is required to
 
be OPERABLE.
All four EDGs (two per unit) are normally associated with
 
both tanks which make up the fuel oil storage system. All EDGs that are required to be OPERABLE are associated with the
 
fuel oil storage system. The determination of which EDGs are
 
required to be OPERABLE is based on the requirements of
 
LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."
ACTIONS The ACTIONS Table is modified by a Note indicating that
 
separate Condition entry is allowed for each EDG. This is
 
acceptable, since the Required Actions for each Condition
 
provide appropriate compensatory actions for each inoperable EDG subsystem. Complying with the Required Actions for one
 
inoperable EDG subsystem may allow for continued operation, and subsequent inoperable EDG subsystem(s) are governed by
 
separate Condition entry and application of associated
 
Required Actions.
A.1, A.2, A.3, and A.4 In this Condition, an underground fuel oil storage tank is
 
not within limits for the purpose of tank repair or
 
inspection. Every ten years each fuel oil tank must be
 
inspected. Because both tanks are the source of fuel oil for all EDGs on both units, a dual unit outage would be required
 
in order to provide the necessary time to complete the
 
required maintenance or inspection. Prior to removal of the
 
tank for repairs or inspection, verify 50,000 gallons of replacement fuel oil is available offsite and transportation
 
is available to deliver that volume of fuel oil within
 
48 hours. Restrictions are placed on the remaining fuel oil storage tank and the 210,000-gallon above ground tank. Under
 
this Condition, verification of the redundant fuel oil tank
 
is required to confirm the required minimum amount of diesel
 
fuel oil. In addition, the above ground tank, used to supply make up to the underground tanks, is required to be verified
 
to contain the minimum level corresponding to
 
100,000 gallons. Verifications of onsite fuel oil are required on a 12 hour frequency to ensure an adequate source (continued)
North Anna Units 1 and 2B 3.8.3-4Revision 37 Diesel Fuel Oil and Starting Air B 3.8.3 BASES ACTIONS (continued) of fuel oil to the EDGs remains available. The underground
 
fuel oil tank that is being inspected or repaired must be
 
restored within limits in 7 days. This time is considered reasonable based on the required maintenance and the
 
requirements provided by the Required Actions.A note is provided which per mits a one-time extension of the 7-day Completion Time to 14 days for each fuel oil storage tank. To extend the Completion Time from 7 to 14 days, the Incremental Conditional Core Damage Probability and
 
incremental conditional large early release probability
 
limits of RG 1.177 were used as the criteria to identify potentially risk significant configurations. The results of
 
the analysis identified several components that should not
 
be scheduled for planned maintenance during the one-time
 
extended Completion Time. The following components will not
 
be scheduled for planned maintenance during the extended
 
Completion Time nor will the 14-day Completion Time be
 
entered with any of the following components out of service:Reserve Station Service Transformers 1-EP-ST 2A, 2B, and 2CTransfer Buses D, E, and FBuses 1 and 2Transformers 1 and 2Breakers L102 and L202Emergency Diesel Generators 1/2 EE-EG-1/2 H and JEmergency Switchgear Air Handlers 1/2-HV-AC-6/7Charging Pumps 1/2 CH-P-1A/B/C (two pumps on the same
 
unit)In the event one of the components above become inoperable
 
during the extended Completion Time the risk will be managed
 
in accordance with the Tier 3, Risk-Informed Plant Configuration Control Management practices.(continued)
Diesel Fuel Oil and Starting Air B 3.8.3 BASESNorth Anna Units 1 and 2B 3.8.3-5Revision 37 ACTIONS (continued)
In addition, the following compensatory measure will be established and implemented prior to entry and while in the
 
extended AOT:1.The condition of the of fsite power supply and switchyard will be evaluated prior to entering the extended EDG
 
UFOST CT for elective maintenance.2.Determine acceptable grid conditions for entering an extended EDG UFOST CT to perform elective maintenance.
 
An extended EDG UFOST CT will not be entered to perform
 
elective maintenance when grid stress conditions are
 
high.3.No elective maintenance will be scheduled in the switchyard that would challenge offsite power
 
availability and no elective maintenance will be
 
scheduled on the main, auxiliary [station service], or
 
startup [reserve station service] transformers
 
associated with the unit during the proposed extended
 
EDG UFOST CT.4.The system dispatcher will be contacted once per day to ensure no significant grid perturbations are expected
 
during the extended EDG UFOST CT.5.The turbine-driven AFW pump will not be removed from service for planned maintenance activities during the
 
extended EDG UFOST CT.6.Operating crews will be briefed on the EDG UFOST work plan and procedural actions regarding:
LOOP and Station Black Out 4 kV safeguards bus cross-tie [Unit 2 emergency bus cross-tie]
Reactor Coolant System bleed and feed7.Weather conditions will be evaluated prior to entering the extended EDG CT for elective maintenance. An
 
extended EDG UFOST CT will not be entered for elective
 
maintenance purposes if official weather forecasts are
 
predicting severe conditions (tornado or thunderstorm
 
warnings).8.No elective maintenance will be scheduled for the plant DC system.(continued)
North Anna Units 1 and 2B 3.8.3-6Revision 37 Diesel Fuel Oil and Starting Air B 3.8.3 BASES ACTIONS (continued)9.Perform an assessment of the overall impact of maintenance on plant risk using a Configuration Risk
 
Management Program before entering TS for planned EDG
 
UFOST maintenance activities.
B.1 In this Condition, the 7 day fuel oil supply is not available. The EDG fuel oil transfer pumps are aligned so
 
that the lead pump for each EDG takes suction on the
 
'A' tank. The backup pumps are aligned to take suction on the
'B' tank. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply.
These circumstances may be caused by events, such as full
 
load operation required after an inadvertent start while at
 
minimum required level, or feed and bleed operations, which
 
may be necessitated by increasing particulate levels or any
 
number of other oil quality degradations. This restriction
 
allows sufficient time for obtaining the requisite
 
replacement volume and performing the analyses required
 
prior to addition of fuel oil to the tank. A period of
 
48 hours is considered sufficient to complete restoration of the required level prior to declaring the EDG inoperable.
 
This period is acceptable based on the remaining capacity
 
(> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event
 
during this brief period. Th is Condition applies for reasons other than Condition A.C.1 This Condition is entered as a result of a failure to meet
 
the acceptance criterion of SR 3.8.3.2. Normally, trending of particulate levels a llows sufficient time to correct high particulate levels prior to reaching the limit of
 
acceptability. Poor sample procedures (bottom sampling),
contaminated sampling equipment, and errors in laboratory
 
analysis can produce failures that do not follow a trend.
 
Since the presence of particulates does not mean failure of
 
the fuel oil to burn properly in the diesel engine, and
 
particulate concentration is unlikely to change
 
significantly between Surveillance Frequency intervals, and
 
proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated EDG inoperable. The 7 day Completion Time allows for further evaluation, resampling
 
and re-analysis of the EDG fuel oil stored in the below
 
ground tanks.
Diesel Fuel Oil and Starting Air B 3.8.3 BASESNorth Anna Units 1 and 2B 3.8.3-7Revision 37 ACTIONS (continued)
D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.2 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when
 
mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This
 
restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if an EDG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the EDG would still be capable of performing
 
its intended function.
E.1 With the one required starting air receiver pressure
 
< 175 psig, sufficient capacity for several EDG start attempts does not exist. However, as long as the receiver
 
pressure is >
150 psig, there is adequate capacity for at least one start attempt, and the EDG can be considered
 
OPERABLE while the air receiver pressure is restored to the
 
required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure
 
prior to declaring the EDG inoperable. This period is
 
acceptable based on the remaining air start capacity, the
 
fact that most EDG starts are accomplished on the first
 
attempt, and the low probability of an event during this
 
brief period.
F.1 With a Required Action and associated Completion Time not
 
met, or one or more EDG's fuel oil or the required starting
 
air receiver not within limits for reasons other than
 
addressed by Conditions A through E, the associated EDG(s) may be incapable of performing its intended function and
 
must be immediately declared inoperable. Only one starting
 
air receiver is required.
North Anna Units 1 and 2B 3.8.3-8Revision 46 Diesel Fuel Oil and Starting Air B 3.8.3 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.3.1 This SR provides verification that there is an adequate
 
inventory of fuel oil in the storage tanks to support two
 
EDGs' operation for 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown
 
condition and to bring in replenishment fuel from an offsite
 
location.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.3.2 The tests listed below are a means of determining whether new
 
fuel oil is of the appropriate grade and has not been
 
contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion. If results
 
from these tests are within acceptable limits, the fuel oil
 
may be added to the storage tanks without concern for
 
contaminating the entire volume of fuel oil in the storage
 
tanks. These tests are to be conducted prior to adding the
 
new fuel to the storage tank(s), but in no case is the time
 
between receipt of new fuel and conducting the tests to
 
exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:a.Sample the new fuel oil in accordance with ASTM D4057-88 (Ref. 6);b.Verify in accordance with the tests specified in ASTM D975-89 (Ref.
: 6) that the sample has an absolute specific gravity at 60/60
&deg;F of  0.83 and  0.89 or an API gravity at 60&deg;F of  27x and  39x when tested in accordance with ASTM D287-82 (Ref.
6), a kinematic viscosity at 40&deg;C of  1.9 centistokes and  4.1 centistokes, and a flash point of  125&deg;F; andc.Verify that the new fuel oil is checked for water and sediment content within limits when tested in accordance
 
with ASTM D1796-83 (Ref.
6).(continued)
Diesel Fuel Oil and Starting Air B 3.8.3 BASESNorth Anna Units 1 and 2B 3.8.3-9Revision 37 SURVEILLANCE REQUIREMENTS SR  3.8.3.2 (continued)
Failure to meet any of the above limits is cause for
 
rejecting the new fuel oi l, but does not represent a failure to meet the LCO concern since the fuel oil is not added to
 
the storage tanks.
Within 31 days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other
 
properties specified in Table 1 of ASTM D975-89 (Ref.
: 7) are met for new fuel oil when tested in accordance with
 
ASTM D975-89 (Ref.
6), except that the analysis for sulfur may be performed in accordance with ASTM D4294-98 (Ref.
6), ASTM D1552-88 (Ref.
: 6) or ASTM D2622-82 (Ref.
6). The 31 day period is acceptable because the fuel oil properties of
 
interest, even if they were not within stated limits, would
 
not have an immediate effect on EDG operation. This
 
Surveillance ensures the availability of high quality fuel
 
oil for the EDGs.
Fuel oil degradation during long term storage shows up as an
 
increase in particulate, due mostly to oxidation. The
 
presence of particulate does not mean the fuel oil will not
 
burn properly in a diesel engine. The particulate can cause
 
fouling of filters and fuel oil injection equipment, however, which can cause engine failure.
Particulate concentrations should be determined in
 
accordance with ASTM D6217-98 (Ref.
6). This method involves a gravimetric determination of total particulate
 
concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent
 
laboratory testing in lieu of field testing. Each tank is
 
considered and tested separately.
The Frequency of this test takes into consideration fuel oil
 
degradation trends that indicate that particulate
 
concentration is unlikely to change significantly between
 
Frequency intervals.
SR  3.8.3.3 This Surveillance ensures that, without the aid of the
 
refill compressor, sufficient air start capacity for each
 
EDG is available. The system design requirements were
 
verified for a minimum of five engine start cycles without
 
recharging. A start cycle is measured in terms of time (continued)
North Anna Units 1 and 2B 3.8.3-10Revision 46 Diesel Fuel Oil and Starting Air B 3.8.3 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.3.3 (continued)(seconds of cranking).
With receiver pressurized >
150 psig, there is adequate capacity for at least one start. The
 
pressure specified in this SR is intended to reflect the
 
lowest value at which more than one start can be
 
accomplished.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.3.4 Microbiological fouling is a major cause of fuel oil
 
degradation. There are numerous bacteria that can grow in
 
fuel oil and cause fouling, but all must have a water
 
environment in order to survive. Removal of water from the
 
fuel storage tanks eliminates the necessary environment for
 
bacterial survival. This is the most effective means of
 
controlling microbiological fouling. In addition, it
 
eliminates the potential for water entrainment in the fuel
 
oil during EDG operation. Water may come from any of several
 
sources, including condensation, ground water, rain water, and contaminated fuel oil, and from breakdown of the fuel oil
 
by bacteria. Frequent checking for and removal of
 
accumulated water minimizes fouling and provides data
 
regarding the watertight integrity of the fuel oil system.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 9.5.4.2.2.Regulatory Guide 1.137.3.ANSI N195-1976, Appendix B.4.UFSAR, Chapter 6.5.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.8.3-11Revision 37 Diesel Fuel Oil and Starting Air B 3.8.3 BASES REFERENCES (continued)6.ASTM Standards: D4057-88; D975-89; D1522-88; D2622-82; D2276-82; D4292-98; D6217-98; D287-82; D1796-83.7.ASTM Standards, D975, Table 1, 1989.
Intentionally Blank North Anna Units 1 and 2B 3.8.4-1Revision 0 DC Sources-Operating B 3.8.4 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.4DC Sources-Operating BASES BACKGROUND The station DC electrical power system provides the AC
 
emergency power system with control power. It also provides
 
both motive and control power to selected safety related
 
equipment and preferred AC vital bus power (via inverters).
 
As required by Reference 1, the DC electrical power system is designed to have sufficient independence, redundancy, and
 
testability to perform its safety functions, assuming a
 
single failure. The DC electrical power system also conforms to the recommendations of Safety Guide 6 (Ref. 2) and IEEE-308 (Ref.
3).The 125 VDC electrical power system consists of two independent and redundant safety related Class 1E DC electrical power subsystems (Train H and Train J). Each subsystem consists of two 125 VDC batteries, the associated battery charger(s) for each battery, and all the associated
 
control equipment and interconnecting cabling. A spare
 
battery charger is installed on each train and can be
 
substituted for either of the train's chargers.
During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the
 
system. In case of loss of normal power to the battery
 
charger, the DC load is automatically powered from the
 
station batteries.
The Train H and Train J DC electrical power subsystems provide the control power for its associated Class 1E AC power load group, 4.16 kV switchgear, and 480 V load centers. The DC electrical power subsystems also provide DC electrical power to the inverters, which in turn power the AC vital buses.
The DC power distribution system is described in more detail
 
in Bases for LCO 3.8.9, "Distribution Systems-Operating,"
and LCO 3.8.10, "Distribution Systems-Shutdown."
Each battery has adequate storage capacity to carry the
 
required load continuously for at least 2 hours.(continued)
North Anna Units 1 and 2B 3.8.4-2Revision 8 DC Sources-Operating B 3.8.4 BASES BACKGROUND (continued)
Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each
 
subsystem is located in an area separated physically and
 
electrically from the other subsystem to ensure that a
 
single failure in one subsystem does not cause a failure in a
 
redundant subsystem. There is no sharing between redundant
 
Class 1E subsystems, such as batteries, battery chargers, or distribution panels.
The criteria for sizing large lead storage batteries are
 
defined in IEEE-485 (Ref.
5).Each Train H and Train J DC electrical power subsystem has ample power output capacity for the steady state operation
 
of connected loads required during normal operation, while
 
at the same time maintaining its battery bank fully charged.
 
Each battery charger also ha s sufficient capacity to restore the battery from the design minimum charge to its fully
 
charged state within 24 hours while supplying normal steady state loads discussed in the UFSAR, Chapter 8 (Ref. 4).The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling to supply the
 
required DC voltage to allow the associated EDG components
 
to perform the required safety function.
For the other unit, the DC electrical power system provides control power for breakers a nd electrical power for solenoid operated valves that are needed to support operation of each
 
required Service Water (SW) pump, Main Control Room (MCR)/Emergency Switchgear Room (ESGR) Emergency Ventilation
 
System (EVS) fan, Auxiliary Building central exhaust fan, and Component Cooling Water (CC) pump. SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and CC are shared
 
systems.APPLICABLE
 
SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and
 
transient analyses in the UFSAR, Chapter 6 (Ref. 6), and in the UFSAR, Chapter 15 (Ref. 7), assume that Engineered Safety Feature (ESF) sy stems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical
 
power for the emergency auxiliaries and control and
 
switching during all MODES of operation.(continued)
DC Sources-Operating B 3.8.4 BASESNorth Anna Units 1 and 2B 3.8.4-3Revision43 APPLICABLE SAFETY ANALYSES (continued)
The OPERABILITY of the DC sources is consistent with the
 
initial assumptions of the accident analyses and is based
 
upon meeting the design basis of the unit. This includes
 
maintaining the DC sources OPERABLE during accident
 
conditions in the event of:a.An assumed loss of all offsite AC power or all onsite AC power; andb.A worst case single failure.
The OPERABILITY of the EDG DC electrical power system
 
ensures the EDG may perform its required safety function.
The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The DC electrical power subsystems, each subsystem
 
consisting of two batteries, battery charger for each
 
battery and the corresponding control equipment and
 
interconnecting cabling supplying power to the associated
 
bus within the train are required to be OPERABLE to ensure
 
the availability of the required power to shut down the
 
reactor and maintain it in a safe condition after an
 
anticipated operational occurrence (AOO) or a postulated
 
DBA. Loss of any train DC electrical power subsystem does not
 
prevent the minimum safety function from being performed (Ref. 4).The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling to supply the
 
required DC voltage to allow the associated EDG components
 
to perform the required safety function.
An OPERABLE DC electrical power subsystem requires all
 
required batteries and respective chargers to be operating
 
and connected to the associated DC bus(es).
Additionally, the unit's electrical sources must include DC sources from the other un it that are required to support the SW, MCR/ESGR EVS, or CC safety functions. Control power for
 
breakers and electrical power for solenoid operated valves
 
are examples of support systems required to be OPERABLE that
 
are needed for the operation of each required SW pump, MCR/ESGR EVS fan, (continued)
North Anna Units 1 and 2B 3.8.4-4Revision43 DC Sources-Operating B 3.8.4 BASES LCO (continued)
Auxiliary Building central exhaust fan, and CC pump. SW, MCR/ESGR EVS, and CC are shared systems.
APPLICABILITY The DC electrical power sources are required to be OPERABLE
 
in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of
 
AOOs or abnormal transients; andb.Adequate core cooling is provided, and containment integrity and other vi tal functions are maintained in the event of a postulated DBA.
The EDG DC system is required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure the OPERABILITY of the associated EDG in accordance with LCO 3.8.1. In MODES 5 or 6, the OPERABILITY requirements of the EDG DC system are determined by the EDGs
 
that they support in accordance with LCO 3.8.2.The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources-Shutdown."
ACTIONS A.1 Condition A represents one train with a loss of ability to completely respond to an event, and a potential loss of
 
ability to remain energized during normal operation. It is, therefore, imperative that the operator's attention focus on
 
stabilizing the unit, minimizing the potential for complete
 
loss of DC power to the affected train. The 2 hour limit is consistent with the allowed time for an inoperable DC
 
distribution system train.
If one of the required LCO 3.8.4.a DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger
 
and associated inoperable battery), the remaining
 
LCO 3.8.4.a DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident
 
condition. For the Station batteries, a spare battery
 
charger may be substituted for the normal charger without (continued)
DC Sources-Operating B 3.8.4 BASESNorth Anna Units 1 and 2B 3.8.4-5Revision43 ACTIONS A.1 (continued) entry into Condition A. Since a subsequent worst case single failure would, however, result in the complete loss of the
 
remaining 125 VDC electrical power subsystems with attendant loss of ESF functions, continued power operation should not
 
exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref.
: 8) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power
 
subsystem is not restored to OPERABLE status, to prepare to
 
effect an orderly and safe unit shutdown.
B.1 and B.2 If the inoperable DC electrical power subsystem cannot be
 
restored to OPERABLE status within the required Completion
 
Time, the unit must be brought to a MODE in which the LCO
 
does not apply. To achieve this status, the unit must be
 
brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems. The
 
Completion Time to bring the unit to MODE 5 is consistent with the time required in Regulatory Guide 1.93 (Ref.
8).C.1 Condition C represents the loss of the ability of the EDG DC system (e.g., inoperable battery charger or inoperable battery) to supply necessary power to the associated EDG. In this condition, the associated EDG is immediately declared
 
inoperable and the associated Conditions or Required Actions
 
of LCO 3.8.1 are followed.
D.1 Condition D represents the loss of one or more required LCO 3.8.4.c DC electrical power subsystem(s) needed to support the operation of required shared components on the
 
other unit. SW, MCR/ESGR EVS, and CC are shared systems. In
 
this condition, the associated required shared components
 
are declared inoperable immediately. The associated
 
Conditions or Required Actions of LCO 3.7.8, "Service Water System,"(continued)
North Anna Units 1 and 2B 3.8.4-6Revision 46 DC Sources-Operating B 3.8.4 BASES ACTIONS D.1 (continued)
LCO 3.7.10, "MCR/ESGR Emergency Ventilation Systems,"
LCO 3.7.12, "Emergency Core Cooling System Pump Room Exhaust Air Cleanup System," and LCO 3.7.19, "Component Cooling Water (CC) System," are followed.
SURVEILLANCE
 
REQUIREMENTS SR  3.8.4.1 For Station and EDG batteries, verifying battery terminal
 
voltage while on float charge for the batteries helps to
 
ensure the effectiveness of the charging system and the
 
ability of the batteries to perfo rm their intended function.
Float charge is the condition in which the charger is
 
supplying the continuous charge required to overcome the
 
internal losses of a battery (or battery cell) and maintain
 
the battery (or a battery cell) in a fully charged state. The
 
voltage requirements are based on the nominal design voltage
 
of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The Surveillance
 
Frequency is based on operating experience, equipment
 
reliability, and plant risk and is controlled under the
 
Surveillance Frequency Control Program.
SR  3.8.4.2 Visual inspection of both Station and EDG batteries to
 
detect corrosion of the battery cells and connections, or
 
measurement of the resistance of each intercell, interrack, intertier, and terminal connection, provides an indication
 
of physical damage or abnormal deterioration that could
 
potentially degrade battery performance.
The presence of visible corrosion does not necessarily
 
represent a failure of this SR provided visible corrosion is
 
removed during performance of SR 3.8.4.4.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
DC Sources-Operating B 3.8.4 BASESNorth Anna Units 1 and 2B 3.8.4-7Revision 46 SURVEILLANCE REQUIREMENTS (continued)
SR  3.8.4.3 Visual inspection of the battery cells, cell plates, and
 
battery racks provides an indication of physical damage or
 
abnormal deterioration that could potentially degrade
 
battery performance. The presence of physical damage or
 
deterioration does not necessarily represent a failure of
 
this SR, provided an evaluation determines that the physical
 
damage or deterioration does not affect the OPERABILITY of
 
the battery (its ability to perform its design function).
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.4.4 and SR  3.8.4.5 Station and EDG battery visual inspection and resistance measurements of intercell, interrack, intertier, and
 
terminal connections provide an indication of physical
 
damage or abnormal deterioration that could indicate
 
degraded battery condition. The anticorrosion material is
 
used to help ensure good electrical connections and to
 
reduce terminal deterioration. The visual inspection for
 
corrosion is not intended to require removal of and
 
inspection under each terminal connection. The removal of
 
visible corrosion is a preventive maintenance SR. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.4.6 and SR  3.8.4.7 SR 3.8.4.6 requires that each Station battery charger be capable of supplying  270 amps and  125 V for  4 hours. These requirements are based on the design capacity of the
 
chargers (Ref.
4). According to Regulatory Guide 1.32 (Ref. 10), the battery charger supply is required to be based on the largest combined demands of the various steady
 
state loads and the charging capacity to restore the battery
 
from the design minimum charge state to the fully charged
 
state, irrespective of the status of the unit during these
 
demand occurrences. The minimum required amperes and
 
duration ensures that these requirements can be satisfied.
SR 3.8.4.7 requires that each EDG battery charger be capable of supplying  10 amps and  125 V for  4 hours. These values are based on the design requirements of the charger.(continued)
North Anna Units 1 and 2B 3.8.4-8Revision 46 DC Sources-Operating B 3.8.4 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.4.6 and SR 3.8.4.7 (continued)
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program. The spare
 
charger for the Station batteries is required to be tested to
 
the same criteria as the normal charger if it is to be used
 
as a substitute charger.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.8.4.8 A Station battery service test is a special test of battery
 
capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The
 
discharge rate and test length should correspond to the
 
design duty cycle requirements as specified in Reference 4.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
This SR is modified by three Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test.
A modified performance discharge test is a test of the
 
battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty
 
cycle). This will confirm the battery's ability to meet the
 
critical period of the load duty cycle, in addition to
 
determining its percentage of rated capacity. Initial
 
conditions for the modified performance discharge test
 
should be identical to those specified for a service test.
It may consist of just two rates; for instance, the one minute rate published for the battery or the largest current
 
load of the duty cycle, followed by the test rate employed
 
for the performance test, both of which envelope the duty
 
cycle of the service test. Since the ampere-hours removed by
 
a one minute discharge represents a very small portion of the
 
battery capacity, the test rate can be changed to that for
 
the performance test without compromising the results of the (continued)
DC Sources-Operating B 3.8.4 BASESNorth Anna Units 1 and 2B 3.8.4-9Revision 46 SURVEILLANCE REQUIREMENTS SR  3.8.4.8 (continued) performance discharge test. The battery terminal voltage for
 
the modified performance discharge test must remain above
 
the minimum battery terminal voltage specified in the
 
battery service test for the duration of time equal to that
 
of the service test.
Note 2 allows the performance discharge test in lieu of the service test.
The reason for Note 3 is that performing the Surveillance on the Station batteries would perturb the electrical
 
distribution system and challenge safety systems. This
 
restriction from normally performing the Surveillance in
 
MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of
 
reestablishing OPERABILITY (e.g., post work testing
 
following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other
 
unanticipated OPERABILITY concerns) provided an assessment
 
determines unit safety is maintained or enhanced. This
 
assessment shall, as a minimum, consider the potential
 
outcomes and transients associated with a failed partial
 
Surveillance, a successful partial Surveillance, and a
 
perturbation of the offsite or onsite system when they are
 
tied together or operated independently for the partial
 
Surveillance; as well as the operator procedures available
 
to cope with these outcomes. These shall be measured against
 
the avoided risk of the unit shutdown and startup to
 
determine that unit safety is maintained or enhanced when
 
portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic meth ods may be used for this assessment.
SR  3.8.4.9 A battery performance discharge test for Station and EDG batteries is a test of constant current capacity of a battery
 
to detect any change in the capacity determined by the
 
acceptance test. The test is intended to determine overall
 
battery degradation due to age and usage.
A battery modified performance discharge test is described
 
in the Bases for SR 3.8.4.8. Either the battery performance
 
discharge test or the modifie d performance discharge test is acceptable for satisfying SR 3.8.4.9.(continued)
North Anna Units 1 and 2B 3.8.4-10Revision 46 DC Sources-Operating B 3.8.4 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.4.9 (continued)
The acceptance criteria for this Surveillance are consistent
 
with IEEE-450 (Ref.
: 9) and IEEE-485 (Ref.
5). These references recommend that the battery be replaced if its
 
capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration
 
is increasing, even if there is ample capacity to meet the
 
load requirements.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program. If the
 
battery shows degradation, or if the battery has reached 85%
 
of its expected life, the Surveillance Frequency is reduced
 
to 18 months. Degradation is indicated, according to IEEE-450 (Ref.
9), when the battery capacity drops by more than 10% relative to its capacity on the previous
 
performance test or when it is  10% below the manufacturer's rating. The 60 month Frequency is consistent with the recommendations in IEEE-450 (Ref.
: 9) and the 18 month Frequency is consistent with operating experience.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the
 
electrical distribution system and challenge safety systems
 
for the Station batteries. This restriction from normally performing the Survei llance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be
 
performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete
 
surveillance testing, and other unanticipated OPERABILITY
 
concerns) provided an assessment determines unit safety is maintained or enhanced.
This assessment shall, as a minimum, consider the potential outcomes and transients associated
 
with a failed partial Surveillance, a successful partial
 
Surveillance, and a perturbation of the offsite or onsite
 
system when they are tied togethe r or operated independently for the partial Surveillance; as well as the operator
 
procedures available to cope with these outcomes. These
 
shall be measured against the avoided risk of the unit
 
shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or
: 4. Risk insights or deterministic methods may be used for this assessment.
DC Sources-Operating B 3.8.4 BASESNorth Anna Units 1 and 2B 3.8.4-11Revision 0 REFERENCES1.UFSAR, Chapter 3.2.Safety Guide 6, March 10, 1971.3.IEEE-308-1971.4.UFSAR, Chapter 8.5.IEEE-485-1983, June 1983.6.UFSAR, Chapter 6.7.UFSAR, Chapter 15.8.Regulatory Guide 1.93, December 1974.9.IEEE-450-1987.10.Regulatory Guide 1.32, February 1977.11.Regulatory Guide 1.129, December 1974.
Intentionally Blank North Anna Units 1 and 2B 3.8.5-1Revision 0 DC Sources-Shutdown B 3.8.5 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.5DC Sources-Shutdown BASES BACKGROUNDA description of the DC sources is provided in the Bases for
 
LCO 3.8.4, "DC Sources-Operating." APPLICABLE
 
SAFETY ANALYSES The initial conditions of Design Basis Accident and
 
transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature systems are OPERABLE. The DC electrical power system
 
provides normal and emergency DC electrical power for the
 
emergency auxiliaries and control and switching during all
 
MODES of operation. The EDG DC system provides power for the required EDG as described in LCO 3.8.2, "AC Sources-Shutdown."
The OPERABILITY of the DC subsystems is consistent with the
 
initial assumptions of the accident analyses and the
 
requirements for the supported systems' OPERABILITY.
The OPERABILITY of the minimum DC electrical power sources
 
during MODES 5 and 6 and during movement of recently irradiated fuel assemblies ensures that:a.The unit can be maintained in the shutdown or refueling condition for extended periods;b.Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status;
 
andc.Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel
 
handling accident involving handling recently irradiated
 
fuel. Due to radioactive decay, DC electrical power is
 
only required to mitigate fuel handling accidents
 
involving handling recently irradiated fuel. (i.e., fuel
 
that has occupied part of a critical reactor core within a
 
time frame established by analysis. The term recently is
 
defined as all irradiated fuel assemblies, until analysis
 
is performed to determine a specific time frame.)
North Anna Units 1 and 2B 3.8.5-2Revision 20 DC Sources-Shutdown B 3.8.5 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The DC electrical power subsystem(s), each subsystem
 
consisting of two batteries, one battery charger per
 
battery, and the corresponding control equipment and
 
interconnecting cabling within the train, are required to be
 
OPERABLE to support required trains of the distribution
 
systems required OPERABLE by LCO 3.8.10, "Distribution Systems-Shutdown." The EDG DC system, consisting of a
 
battery, battery charger, and the corresponding control
 
equipment and interconnection cabling for the EDG, are
 
required to be OPERABLE to support the EDG required by
 
LCO 3.8.2, "AC Sources-Shutdown." This ensures the availability of sufficient DC electrical power sources to
 
operate the unit in a safe manner and to mitigate the
 
consequences of postulated events during shutdown (e.g.,
fuel handling accidents involving handling recently
 
irradiated fuel).
APPLICABILITY The DC electrical power sources and EDG DC system required to
 
be OPERABLE in MODES 5 and 6, and during movement of recently irradiated fuel assemblies, provide assurance that:a.Required features to provide adequate coolant inventory makeup are available for the recently irradiated fuel
 
assemblies in the core;b.Required features needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor
 
core within the previous 300 hours) are available;c.Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are
 
available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown
 
condition or refueling condition.
The DC electrical power and EDG DC system requirements for
 
MODES 1, 2, 3, and 4 are covered in LCO 3.8.4.
DC Sources-Shutdown B 3.8.5 BASESNorth Anna Units 1 and 2B 3.8.5-3Revision 20 ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4 The train with DC power available may be capable of supporting sufficient systems to allow continuation of CORE
 
ALTERATIONS and recently irradiated fuel movement. By
 
allowing the option to declare required features inoperable
 
with the associated DC power source(s) inoperable, appropriate restrictions will be implemented in accordance
 
with the affected required features LCO ACTIONS. In many
 
instances, this option may involve undesired administrative
 
efforts. Therefore, the allowance for sufficiently
 
conservative actions is made (i.e., to suspend CORE
 
ALTERATIONS, movement of recently irradiated fuel
 
assemblies, and operations involving positive reactivity
 
additions) that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure
 
to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of
 
coolant inventory must be from sources that have a boron
 
concentration greater than what wo uld be required in the RCS for minimum SDM or refueling boron concentration. This may
 
result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical
 
operation. Introduction of temperature changes including
 
temperature increases when operating with a positive MTC
 
must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These
 
actions minimize probability of the occurrence of postulated
 
events. It is further required to immediately initiate
 
action to restore the required DC electrical power
 
subsystems and to continue this action until restoration is accomplished in order to prov ide the necessary DC electrical power to the unit safety systems.
The Completion Time of immediately is consistent with the
 
required times for actions requiring prompt attention. The
 
restoration of the required DC electrical power subsystems
 
should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be
 
without sufficient power.
North Anna Units 1 and 2B 3.8.5-4Revision 0 DC Sources-Shutdown B 3.8.5 BASES ACTIONS (continued)
B.1 With the required EDG's DC system inoperable, the EDG is not OPERABLE and the applicable Conditions and Required Actions
 
of LCO 3.8.2, "AC Sources-Shutdown," must be entered immediately.
SURVEILLANCE
 
REQUIREMENTS SR  3.8.5.1 SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.9. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.This SR is modified by a Note. The reason for the Note is to
 
preclude requiring the required OPERABLE DC sources or EDG
 
DC system from being discharged below their capability to
 
provide the required power supply or otherwise rendered
 
inoperable during the performance of SRs. It is the intent
 
that these SRs must still be capable of being met, but actual performance is not required.
REFERENCES1.UFSAR, Chapter 6.2.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.8.6-1Revision 0 Battery Cell Parameters B 3.8.6 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.6Battery Cell Parameters BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the Station
 
and EDG batteries. A discussion of these batteries and their
 
OPERABILITY requirements is provided in the Bases for
 
LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, "DC Sources-Shutdown." APPLICABLE
 
SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and
 
transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC electrical power system
 
provides normal and emergency DC electrical power for the
 
emergency auxiliaries, and control and switching during all
 
MODES of operation. The EDG DC electrical power system
 
consists of the battery, battery charger, and
 
interconnecting cabling supplying power to the associated
 
EDG components to supply the required DC voltage to allow the
 
EDG to perform the required safety function.
The OPERABILITY of the DC subsystems is consistent with the
 
initial assumptions of the accident analyses and is based
 
upon meeting the design basis of the unit. This includes
 
maintaining at least one train of DC sources OPERABLE during
 
accident conditions, in the event of:a.An assumed loss of all offsite AC power or all onsite AC power; andb.A worst case single failure.
Battery cell parameters satisfy the Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Battery cell parameters must remain within acceptable limits
 
to ensure availability of the required DC power to shut down
 
the reactor and maintain it in a safe condition after an
 
anticipated operational occurrence or a postulated DBA.
 
Electrolyte limits are conservatively established, allowing
 
continued DC electrical system function even with Category A and B limits not met.
North Anna Units 1 and 2B 3.8.6-2Revision 0 Battery Cell Parameters B 3.8.6 BASES APPLICABILITY The battery cell parameters are required solely for the
 
support of the associated DC electrical power subsystem(s)
 
and EDG DC system(s). Therefore, the battery is only required when the DC power source is required to be OPERABLE.
Refer to the Applicability discussion in Bases for LCO 3.8.4 and LCO 3.8.5.ACTIONS A.1, A.2, and A.3 With one or more cells in one or more batteries not within
 
limits (i.e., Category A limits not met, Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1 in the accompanying LCO, the battery is degraded but there is still sufficient capacity to perform the intended function.
 
Therefore, the affected battery is not required to be
 
considered inoperable solely as a result of Category A or B
 
limits not met and operation is permitted for a limited
 
period.The pilot cell electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour (Required Action A.1). This check will provide a quick indication of the status of the remainder of the
 
battery cells. One hour provides time to inspect the
 
electrolyte level and to confirm the float voltage of the
 
pilot cells. One hour is considered a reasonable amount of
 
time to perform the required verification.
Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended
 
function. A period of 24 hours is allowed to complete the initial verification because specific gravity measurements
 
must be obtained for each connected cell. Taking into
 
consideration both the time required to perform the required
 
verification and the assurance that the battery cell
 
parameters are not severely degraded, this time is
 
considered reasonable. The verification is repeated at 7 day intervals until the parameters are restored to Category A
 
or B limits. This periodic verification is consistent with the normal Frequency of pilot cell Surveillances.(continued)
Battery Cell Parameters B 3.8.6 BASESNorth Anna Units 1 and 2B 3.8.6-3Revision 46 ACTIONS A.1, A.2, and A.3 (continued)
Continued operation is only permitted for 31 days before battery cell parameters must be restored to within
 
Category A and B limits. With the consideration that, while
 
battery capacity is degraded, sufficient capacity exists to
 
perform the intended function and to allow time to fully
 
restore the battery cell parameters to normal limits, this
 
time is acceptable prior to declaring the battery
 
inoperable.
B.1 With one or more batteries with one or more battery cell parameters outside the Category C limit for any connected
 
cell, sufficient capacity to supply the maximum expected
 
load requirement is not assured and the corresponding DC
 
electrical power subsystem or EDG DC system must be declared inoperable. Additionally, other potentially extreme
 
conditions, such as not completing the Required Actions of
 
Condition A within the required Completion Time or average
 
electrolyte temperature of representative cells falling
 
below 60&deg;F for the Station batteries, are also cause for immediately declaring the associated DC electrical power
 
subsystem inoperable. Representative cells will consist of
 
at least 10 cells.
SURVEILLANCE
 
REQUIREMENTS SR  3.8.6.1This SR verifies that Category A battery cell parameters are
 
consistent with IEEE-450 (Ref. 3), which recommends regular
 
battery inspections (at least one per month) including
 
voltage, specific gravity, and electrolyte level of pilot
 
cells. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
SR  3.8.6.2 The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program. In
 
addition, within 24 hours of a battery discharge <
110 V or a battery overcharge >
150 V, the battery must be demonstrated to meet Category B limits. Transients, such as motor starting transients, which may momentarily cause
 
battery voltage to drop to  110 V, do not constitute a battery discharge provided the battery terminal voltage and
 
float current return to pre-transient values. This
 
inspection is also (continued)
North Anna Units 1 and 2B 3.8.6-4Revision 46 Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.6.2 (continued) consistent with IEEE-450 (Ref.
3), which recommends special inspections following a severe discharge or overcharge, to
 
ensure that no significant degradation of the battery occurs
 
as a consequence of such discharge or overcharge.
SR  3.8.6.3 This Surveillance verification that the average temperature
 
of representative cells of the Station batteries is >
60&deg;F, is consistent with a recommendation of IEEE-450 (Ref.
3). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
Lower than normal temperatures act to inhibit or reduce
 
battery capacity. This SR ensures that the operating
 
temperatures remain within an acceptable operating range.
 
This limit is based on manufacturer recommendations.
Table 3.8.6-1 This table delineates the li mits on electrolyte level, float voltage, and specific gravity for three different
 
categories. The meaning of each category is discussed below.
Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose level, voltage, and electrolyte
 
specific gravity approximate the state of charge of the
 
entire battery.
The Category A limits specified for electrolyte level are based on manufacturer recommendations and are consistent
 
with the guidance in IEEE-450 (Ref.
3), with the extra 1/4 inch allowance above the high water level indication for operating margin to account for temperatures and charge
 
effects. In addition to this allowance, footnote a to
 
Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided
 
it is not overflowing. These limits ensure that the plates
 
suffer no physical damage, and that adequate electron
 
transfer capability is maintained in the event of transient
 
conditions. IEEE-450 (Ref.
: 3) recommends that electrolyte level readings should be made only after the battery has been
 
at float charge for at least 72 hours.(continued)
Battery Cell Parameters B 3.8.6 BASESNorth Anna Units 1 and 2B 3.8.6-5Revision 0 SURVEILLANCE REQUIREMENTS Table 3.8.6-1 (continued)
The Category A limit specified for float voltage is  2.13 V per cell. This value is based on the recommendations of
 
IEEE-450 (Ref.
3), which states that prolonged operation of cells < 2.13 V can reduce the life expectancy of cells.
The Category A limit specified for specific gravity for each pilot cell is  1.200 (0.015 below the manufacturer fully charged nominal specific gravity or a battery charging
 
current that had stabilized at a low value). This value is
 
characteristic of a charged cell with adequate capacity.
 
According to IEEE-450 (Ref.
3), the specific gravity readings are based on a temperature of 77
&deg;F (25&deg;C).The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3
&deg;F (1.67&deg;C) above 77&deg;F (25&deg;C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3
&deg;F below 77
&deg;F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation.
Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any
 
battery cell that may be jumpered out.
The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is 1.195 (0.020 below the manufacturer fully charged, nominal specific gravity) with the average of all connected cells
 
> 1.205 (0.010 below the manufacturer fully charged, nominal specific gravity). These values are based on manufacturer's
 
recommendations. The minimum specific gravity value required for each cell ensures that th e effects of a highly charged or newly installed cell will not mask overall degradation of
 
the battery.
Category C defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient
 
capacity exists to perform the intended function and
 
maintain a margin of safety. When any battery parameter is
 
outside the Category C limits, the assurance of sufficient capacity described above no longer exists, and the battery
 
must be declared inoperable.(continued)
North Anna Units 1 and 2B 3.8.6-6Revision 0 Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE
 
REQUIREMENTS Table 3.8.6-1 (continued)
The Category C limits specified for electrolyte level (above the top of the plates and not overflowing) ensure that the
 
plates suffer no physical damage and maintain adequate
 
electron transfer capability. The Category C limits for float voltage is based on IEEE-450 (Ref.
3), which states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the
 
cell, indicates internal cell problems and may require cell
 
replacement.
The Category C limit of average specific gravity  1.195 is based on manufacturer recommendations (0.020 below the
 
manufacturer recommended fully charged, nominal specific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit
 
ensures that the effect of a highly charged or new cell does
 
not mask overall degradation of the battery.
The footnotes to Table 3.8.6-1 are applicable to Category A, B, and C specific gravity. Footnote (b) to Table 3.8.6-1 requires the above mentioned correction for electrolyte
 
level and temperature, with the exception that level
 
correction is not required when Station battery charging
 
current is <
2 amps on float charge. This current provides, in general, an indication of overall battery condition.
Because of specific gravity gradients that are produced
 
during the recharging process, delays of several days may
 
occur while waiting for the specific gravity to stabilize. A
 
stabilized charger current is an acceptable alternative to
 
specific gravity measurement for determining the state of
 
charge. This phenomenon is discussed in IEEE-450 (Ref.
3). Footnote (c) to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up
 
to 7 days following a Station battery recharge. Within 7 days, each connected cell's specific gravity must be measured to confirm the state of charge. Following a minor
 
battery recharge (such as equalizing charge that does not
 
follow a deep discharge) specific gravity gradients are not
 
significant, and confirming measurements may be made in less
 
than 7 days.
Battery Cell Parameters B 3.8.6 BASESNorth Anna Units 1 and 2B 3.8.6-7Revision 0 REFERENCES1.UFSAR, Chapter 6.2.UFSAR, Chapter 15.3.IEEE-450-1980.
Intentionally Blank North Anna Units 1 and 2B 3.8.7-1Revision 0 Inverters-Operating B 3.8.7 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.7Inverters-Operating BASES BACKGROUND The inverters are the preferred source of power for the AC
 
vital buses because of the stability and reliability they
 
achieve. The function of the inverter is to provide AC
 
electrical power to the vital buses. The inverters can be
 
powered from a battery charger or from the station battery.
 
The station battery provides an uninterruptible power source
 
for the instrumentation and controls for the Reactor Trip
 
System (RTS) and the Engineered Safety Feature Actuation
 
System (ESFAS). Specific details on inverters and their
 
operating characteristics are found in the UFSAR, Chapter 8 (Ref. 1).APPLICABLE
 
SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and
 
transient analyses in the UFSAR, Chapter 6 (Ref. 2) and Chapter 15 (Ref. 3), assume Engineered Safety Feature systems are OPERABLE. The inverters are designed to provide
 
the required capacity, capability, redundancy, and reliability to ensure t he availability of necessary power to the RTS and ESFAS instrumentation and controls so that the
 
fuel, Reactor Coolant System, and containment design limits
 
are not exceeded. These limits are discussed in more detail
 
in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes
 
maintaining required AC vital buses OPERABLE during accident
 
conditions in the event of:a.An assumed loss of all offsite AC electrical power or all onsite AC electrical power; andb.A worst case single failure.
Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.8.7-2Revision 0 Inverters-Operating B 3.8.7 BASES LCOThe inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the
 
reactor and maintain it in a safe condition after an
 
anticipated operational occurrence (AOO) or a postulated
 
DBA.Maintaining the required inverters OPERABLE ensures that the
 
redundancy incorporated into the d esign of the RPS and ESFAS instrumentation and controls is maintained. The four
 
inverters (two per train) ensure an uninterruptible supply
 
of AC electrical power to the AC vital buses even if the
 
4.16 kV safety buses are de-energized.
OPERABLE inverters require the associated vital bus to be
 
powered by the inverter with output voltage within
 
tolerances, and power input to the inverter from a 125 VDC station battery. Alternatively, power supply may be from a
 
battery charger as long as the station battery is available
 
as the uninterruptible power supply.This LCO is modified by a Note that allows one inverter to be disconnected from its associated battery for  24 hours, if the vital bus is powered from a constant voltage transformer
 
and all other inverters are OPERABLE. This allows an
 
equalizing charge to be placed on the associated battery. If
 
the inverters were not disconnected, the resulting voltage
 
condition might damage the inverters. These provisions minimize the loss of equipment that would occur in the event of a loss of offsite power. The 24 hour time period for the allowance minimizes the time during which a loss of offsite
 
power could result in the loss of equipment energized from
 
the affected AC vital bus while taking into consideration
 
the time required to perform an equalizing charge on the
 
battery bank.
The intent of this Note is to limit the number of inverters
 
that may be disconnected. Only those inverters associated
 
with the single battery undergoing an equalizing charge may
 
be disconnected. All other inverters must be aligned to
 
their associated batteries, regardless of the number of
 
inverters or unit design.
Inverters-Operating B 3.8.7 BASESNorth Anna Units 1 and 2B 3.8.7-3Revision 11 APPLICABILITY The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of
 
AOOs or abnormal transients; andb.Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in
 
the event of a postulated DBA.
Inverter requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.8, "Inverters-Shutdown."
ACTIONS A.1 With a required inverter inoperable, its associated AC vital
 
bus becomes inoperable until it is re-energized from its
 
constant voltage source transformer.
For this reason a Note has been included in Condition A requiring the entry int o the Conditions and Required Actions of LCO 3.8.9, "Distribution Systems-Operating." This ensures that the vital bus is re-energized within 2 hours.Required Action A.1 allows 7 days to fix the inoperable inverter and return it to service. The 7 day limit is based upon a risk evaluation, taking into consideration the time
 
required to repair an inverter and the additional risk to
 
which the unit is exposed because of the inverter
 
inoperability. This has to be balanced against the risk of an
 
immediate shutdown, along with the potential challenges to
 
safety systems such a shutdown might entail. When the AC vital bus is powered from its constant voltage source, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter source to
 
the AC vital buses is the preferred source for powering
 
instrumentation trip setpoint devices.
The following compensatory measures will be implemented when
 
an instrument bus inverter is unavailable:a.Entry into Condition A will not be planned concurrent with EDG maintenance, and (continued)
North Anna Units 1 and 2B 3.8.7-4Revision46 Inverters-Operating B 3.8.7 BASES ACTIONS A.1 (continued)b.Entry into Condition A will not be planned concurrent with planned maintenance on another RPS/ESFAS channel
 
that results in that channel being in a tripped
 
condition.
B.1 With one or more required LCO 3.8.7.b inverters inoperable, the reliability of the shared component(s) on the other unit
 
is degraded. In this condition, the associated shared
 
component is declared inoperable within 7 days. Service Water, Main Control Room/Emergency Switchgear Room Emergency
 
Ventilation System, and Component Cooling Water are shared
 
systems.C.1 and C.2 If the inoperable devices or components cannot be restored
 
to OPERABLE status within the required Completion Time, the
 
unit must be brought to a MODE in which the LCO does not
 
apply. To achieve this status, the unit must be brought to at
 
least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on
 
operating experience, to reach the required unit conditions
 
from full power conditions in an orderly manner and without
 
challenging unit systems.
SURVEILLANCE
 
REQUIREMENTS SR  3.8.7.1 This Surveillance verifies that the inverters are
 
functioning properly with all required circuit breakers
 
closed and AC vital buses energized from the inverter. The
 
verification of proper voltage output ensures that the
 
required power is readily available for the instrumentation
 
of the RTS and ESFAS connected to the AC vital buses. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Chapter 8.2.UFSAR, Chapter 6.3.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.8.8-1Revision 0 Inverters-Shutdown B 3.8.8 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.8Inverters-Shutdown BASES BACKGROUND A description of the inverters is provided in the Bases for
 
LCO 3.8.7, "Inverters-Operating." APPLICABLE
 
SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and
 
transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to
 
provide the required capacity, capability, redundancy, and reliability to ensure t he availability of necessary power to the Reactor Trip System and Engineered Safety Features
 
Actuation System instrumentation and controls so that the
 
fuel, Reactor Coolant System, and containment design limits
 
are not exceeded.
The OPERABILITY of the inverters is consistent with the
 
initial assumptions of the accident analyses and the
 
requirements for the supported systems' OPERABILITY.The OPERABILITY of the minimum inverters to each AC vital bus during MODES 5 and 6 ensures that:a.The unit can be maintained in the shutdown or refueling condition for extended periods;b.Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status;
 
andc.Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident
 
involving handling recently irradiated fuel. Due to
 
radioactive decay, the inverter(s) are only required to
 
mitigate fuel handling accidents involving handling
 
recently irradiated fuel. (i.e., fuel that has occupied
 
part of a critical core within a time frame established by
 
analysis. The term recently is defined as all irradiated
 
fuel assemblies, until analysis is performed to determine
 
a specific time frame.)
North Anna Units 1 and 2B 3.8.8-2Revision 20 Inverters-Shutdown B 3.8.8 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The inverters were previously identified as part of the
 
distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The required inverter(s) ensure the availability of
 
electrical power for the instrumentation for systems
 
required to shut down the reactor and maintain it in a safe
 
condition after an anticipated operational occurrence or a
 
postulated DBA. The battery powered inverters provide
 
uninterruptible supply of AC electrical power to the AC
 
vital buses even if the 4.16 kV safety buses are de-energized. OPERABILITY of the inverters requires that the
 
AC vital bus be powered by the inverter. This ensures the
 
availability of sufficient inverter power sources to operate
 
the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling
 
accidents involving handling recently irradiated fuel).
 
Supported system(s) that do not provide automatic
 
function(s) may be connected to a vital bus that is powered
 
by a constant voltage transformer (example: Low Temperature
 
Overpressure Protection, when not in automatic).
APPLICABILITY The inverters required to be OPERABLE in MODES 5 and 6 and during movement of recently irradiated fuel assemblies
 
provide assurance that:a.Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel
 
that has occupied part of a critical core within the
 
previous 300 hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available;
 
andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown
 
condition or refueling condition.
Inverter requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.7.
Inverters-Shutdown B 3.8.8 BASESNorth Anna Units 1 and 2B 3.8.8-3Revision 20 ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4 The required OPERABLE Inverters are capable of supporting sufficient required features to allow continuation of CORE
 
ALTERATIONS, recently irradiated fuel movement, and
 
operations with a potential for positive reactivity
 
additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoperable, appropriate restrictions will be implemented in
 
accordance with the affected required features LCOs' Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance
 
for sufficiently conservative actions is made (i.e., to
 
suspend CORE ALTERATIONS, movement of recently irradiated
 
fuel assemblies, and operations involving positive
 
reactivity additions) that could result in loss of required
 
SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure
 
to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of
 
coolant inventory must be from sources that have a boron
 
concentration greater than what wo uld be required in the RCS for minimum SDM or refueling boron concentration. This may
 
result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical
 
operation. Introduction of temperature changes including
 
temperature increases when operating with a positive MTC
 
must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These
 
actions minimize the probability of the occurrence of
 
postulated events. It is further required to immediately
 
initiate action to restore the required inverters and to
 
continue this action until restoration is accomplished in
 
order to provide the necessary inverter power to the unit
 
safety systems.
The Completion Time of immediately is consistent with the
 
required times for actions requiring prompt attention. The restoration of the requ ired inverters should be completed as quickly as possible in order to minimize the time the unit
 
safety systems may be without power or powered from a
 
constant voltage source transformer.
North Anna Units 1 and 2B 3.8.8-4Revision 46 Inverters-Shutdown B 3.8.8 BASES SURVEILLANCE
 
REQUIREMENTS SR  3.8.8.1 This Surveillance verifies that the inverters are
 
functioning properly with all required circuit breakers
 
closed and AC vital buses energized from the inverter. The
 
verification of proper voltage output ensures that the
 
required power is readily available for the instrumentation
 
connected to the AC vital buses. The Surveillance Frequency
 
is based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
REFERENCES1.UFSAR, Chapter 6.2.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.8.9-1Revision 0 Distribution Systems-Operating B 3.8.9 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.9Distribution Systems-Operating BASES BACKGROUND The onsite Class 1E AC, DC, and AC vital bus electrical power distribution systems are divided by train into two redundant
 
and independent AC, DC, and AC vital bus electrical power
 
distribution subsystems.
The AC electrical power subsystem for each train consists of
 
a primary Engineered Safety Feature (ESF) 4.16 kV bus and secondary 480 V buses and load centers. Each 4.16 kV ESF bus has at least one separate and independent offsite source of
 
power as well as a dedicated onsite emergency diesel
 
generator (EDG) source. Unit 1 has a normal offsite source and an alternate offsite source. Transfer to the alternate
 
offsite source is a manual operation. Unit 2 has a normal offsite source, and no alternate source. In the event of a
 
loss of offsite power, the EDGs for the affected buses will
 
start and load. The EDGs for Unit 1 will continue to run until (a) the safety bus is transferred to the alternate offsite source, or (b) the normal offsite source is restored. The Unit 2 EDGs will continue to run until the normal offside source is restored. If offsite sources are
 
unavailable, the onsite EDG supplies power to the 4.16 kV ESF bus. Control power for the 4.16 kV breakers is supplied from the Class 1E batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources-Operating," and the Bases for LCO 3.8.4, "DC Sources-Operating."
The secondary AC electrical power distribution subsystem for
 
each train includes the safety related buses and load
 
centers shown in Table B 3.8.9-1.The 120 VAC vital buses are arranged in two load groups per train and are normally powered from the inverters. The
 
alternate power supply for the vital buses are constant
 
voltage source transformers powered from the same train as
 
the associated inverter, and its use is governed by
 
LCO 3.8.7, "Inverters-Operating." Each constant voltage source transformer is powered from a Class 1E AC bus.
There are two independent 125 VDC electrical power distribution subsystems for each train.(continued)
North Anna Units 1 and 2B 3.8.9-2Revision43 Distribution Systems-Operating B 3.8.9 BASES BACKGROUND (continued)
For the other unit, one AC and DC bus on that unit is needed
 
to support operation of each required Service Water (SW)
 
pump, Main Control Room (MCR)/Emergency Switchgear Room (ESGR) Emergency Ventilation System (EVS) fan, Auxiliary
 
Building central exhaust fan, and Component Cooling Water (CC) pump. SW, MCR/ESGR EVS, and CC are shared systems.
Two trains of electrical circuits on the AC Vital buses
 
provide power to the Auxiliary Building Central exhaust
 
subsystem filter and bypass dampers. One circuit is
 
associated with the manual control switch on the Unit 1 ventilation Panel is powered from the Vital Bus 1-I. The
 
other circuit is associated with the manual control switch
 
on the Unit 2 Ventilation Panel is powered from Vital Bus 2-III. Either circuit will realign all associated dampers to the filter position. Vital power is not required as the
 
system is aligned to operate the dampers to the filter (accident) position upon loss of power.
The list of all required distribution buses is presented in
 
Table B 3.8.9-1.APPLICABLE
 
SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and
 
transient analyses in the UFSAR, Chapter 6 (Ref. 1), and in the UFSAR, Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, DC, and AC vital bus electrical power
 
distribution systems are designed to provide sufficient
 
capacity, capability, redundancy, and reliability to ensure
 
the availability of necessary power to ESF systems so that
 
the fuel, Reactor Coolant System, and containment design
 
limits are not exceeded. These limits are discussed in more
 
detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The OPERABILITY of the AC, DC, and AC vital bus electrical
 
power distribution systems is consistent with the initial
 
assumptions of the accident analyses and is based upon
 
meeting the design basis of the unit. This includes
 
maintaining power distribution systems OPERABLE during
 
accident conditions in the event of:a.An assumed loss of all offsite power or all onsite AC electrical power; andb.A worst case single failure.
Distribution Systems-Operating B 3.8.9 BASESNorth Anna Units 1 and 2B 3.8.9-3Revision 35 The distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
The required power distribution subsystems listed in
 
Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital bus electrical power for the systems required to shut
 
down the reactor and maintain it in a safe condition after an
 
anticipated operational occurrence (AOO) or a postulated
 
DBA. The AC, DC, and AC vital bus electrical power
 
distribution subsystems are required to be OPERABLE.
Maintaining the Train H and Train J AC, DC, and AC vital bus electrical power distribution subsystems OPERABLE ensures
 
that the redundancy incorporated into the design of ESF is
 
not defeated. Therefore, a single failure within any system
 
or within the electrical power distribution subsystems will
 
not prevent safe shutdown of the reactor.OPERABLE AC electrical power distribution subsystems require
 
the associated buses and load centers to be energized to
 
their proper voltages. OPERABLE DC electrical power
 
distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. OPERABLE vital bus electrical power
 
distribution subsystems require the associated buses to be
 
energized to their proper voltage from the associated
 
inverter via inverted DC voltage, or constant voltage
 
transformer.
In addition, tie breakers between redundant safety related
 
AC, DC, and AC vital bus power distribution subsystems, if
 
they exist, must be open. This prevents any electrical
 
malfunction in any power distribution subsystem from propagating to the redu ndant subsystem, that could cause the failure of a redundant subsystem and a loss of essential
 
safety function(s). If any tie breakers are closed, the
 
affected redundant electrical power distribution subsystems
 
are considered inoperable. This applies to the onsite, safety related redundant electrical power distribution
 
subsystems. It does not, however, preclude redundant
 
Class 1E 4.16 kV buses from being powered from the same offsite circuit.
North Anna Units 1 and 2B 3.8.9-4Revision 35 Distribution Systems-Operating B 3.8.9 BASES APPLICABILITYThe electrical power distribution subsystems are required to
 
be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of
 
AOOs or abnormal transients; andb.Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in
 
the event of a postulated DBA.
Electrical power distribution subsystem requirements for
 
MODES 5 and 6 are covered in the Bases for LCO 3.8.10, "Distribution Systems-Shutdown."
ACTIONS A.1 With one or more LCO 3.8.9.a AC electrical power distribution subsystem(s) inoperable, the minimum safety
 
functions can still be accomplished, assuming no single
 
failure, as long as one set of redundant required equipment (AC buses and load centers) supporting each safety function
 
remains energized to their proper voltages. Redundant required equipment is listed in Table B 3.8.9-1. The overall reliability is reduced, however, because a single failure in
 
the remaining power distribution subsystems could result in
 
the minimum required ESF functions not being supported.
 
Therefore, the required AC buses and load centers must be
 
restored to OPERABLE status within 8 hours.Condition A worst scenario is one train without AC power (i.e., no offsite power to the train and the associated EDG
 
inoperable). In this Condition, the unit is more vulnerable
 
to a complete loss of AC power. It is, therefore, imperative
 
that the unit operator's attention be focused on minimizing
 
the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8 hour time limit before requiring a unit shutdown in this Condition is acceptable because of:a.The potential for decr eased safety if the unit operator's attention is diverted from the evaluations and actions
 
necessary to restore power to the affected train, to the
 
actions associated with taking the unit to shutdown
 
within this time limit; and
 
Distribution Systems-Operating B 3.8.9 BASESNorth Anna Units 1 and 2B 3.8.9-5Revision 35 ACTIONS A.1 (continued)b.The potential for an event in conjunction with a single failure of a redundant component in the train with AC
 
power.The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any
 
combination of required distribution subsystems to be
 
inoperable during any single contiguous occurrence of
 
failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently restored
 
OPERABLE, the LCO may already have been not met for up to 2 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the AC distribution
 
system. At this time, a DC circuit could again become
 
inoperable, and AC distribution restored OPERABLE. This
 
could continue indefinitely.
The Completion Time allows for an exception to the normal
 
"time zero" for beginning the allowed outage time "clock."
This will result in establishing the "time zero" at the time
 
the LCO was initially not met, instead of the time
 
Condition A was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the
 
LCO indefinitely.
Required Action A.1 is modified by a Note that requires the applicable Conditions and Required Actions of LCO 3.8.4, "DC Sources-Operating," to be entered for DC train(s) made inoperable power distribution subsystem(s). This is an
 
exception to LCO 3.0.6 and ensures the proper actions are taken for these components. Inoperability of a distribution system can result in loss of charging power to batteries and eventual loss of DC power. This Note ensures that
 
appropriate attention is given to restoring charging power
 
to batteries, if necessary, after loss of distribution
 
systems.B.1 With one or more LCO 3.8.9.a AC vital buses inoperable and a loss of function has not yet occurred, the remaining
 
OPERABLE AC vital buses are capable of supporting the
 
minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall
 
reliability is reduced, however, since an additional single North Anna Units 1 and 2B 3.8.9-6Revision 35 Distribution Systems-Operating B 3.8.9 BASES ACTIONS B.1 (continued) failure could result in the minimum required ESF functions
 
not being supported. Therefore, the required AC vital bus
 
must be restored to OPERABLE status within 2 hours by powering the bus from the associated inverter via inverted
 
DC, or constant voltage transformer.
Condition B represents one or more AC vital buses without power; potentially both the DC source and the associated AC
 
source are nonfunctioning. In this situation, the unit is
 
significantly more vulnerable to a complete loss of all
 
noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining
 
vital buses and restoring power to the affected vital bus.
This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that are without
 
adequate vital AC power. Taking exception to LCO 3.0.2 for components without adequate vital AC power, that would have
 
the Required Action Completion Times shorter than 2 hours if declared inoperable, is acceptable because of:a.The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not
 
allowing stable operations to continue;b.The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without adequate vital AC power and not
 
providing sufficient time for the operators to perform
 
the necessary evaluations and actions for restoring power
 
to the affected train; andc.The potential for an event in conjunction with a single failure of a redundant component.
The 2 hour Completion Time t akes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE
 
vital buses, and the low probability of a DBA occurring
 
during this period.
The second Completion Time for Required Action B.1 establishes a limit on the maximum allowed for any
 
combination of required distribution subsystems to be Distribution Systems-Operating B 3.8.9 BASESNorth Anna Units 1 and 2B 3.8.9-7Revision 35 ACTIONS B.1 (continued) inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently returned
 
OPERABLE, the LCO may already have been not met for up to
 
8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the vital bus
 
distribution system. At this time, an AC train could again
 
become inoperable, and vital bus distribution restored
 
OPERABLE. This could continue indefinitely.
This Completion Time allows for an exception to the normal
 
"time zero" for beginning the allowed outage time "clock."
This will result in establishing the "time zero" at the time
 
the LCO was initially not met, instead of the time
 
Condition B was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the
 
LCO indefinitely.
C.1 With one or more LCO 3.8.9.a DC buses inoperable and a loss of function has not yet occurred, the remaining DC
 
electrical power distribution subsystems are capable of
 
supporting the minimum safety functions necessary to shut
 
down the reactor and maintain it in a safe shutdown
 
condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in
 
the remaining DC electrical power distribution subsystem
 
could result in the minimum required ESF functions not being
 
supported. Therefore, the DC bus(es) must be restored to
 
OPERABLE status within 2 hours by powering the bus(es) from the associated battery or charger.
Condition C represents one or more DC buses without adequate DC power; potentially both with the battery significantly
 
degraded and the associated charger nonfunctioning. In this
 
situation, the unit is significantly more vulnerable to a
 
complete loss of all DC power. It is, therefore, imperative
 
that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining
 
trains and restoring power to the affected train.
North Anna Units 1 and 2B 3.8.9-8Revision 35 Distribution Systems-Operating B 3.8.9 BASES ACTIONS C.1 (continued)
This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that would be
 
without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours, is acceptable because of:a.The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while
 
allowing stable operations to continue; b.The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions
 
for components without DC power and not providing
 
sufficient time for the operators to perform the
 
necessary evaluations and actions for restoring power to
 
the affected train; andc.The potential for an event in conjunction with a single failure of a redundant component.
The 2 hour Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref.
3).The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any
 
combination of required distribution subsystems to be
 
inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition C is entered while, for instance, an AC bus is inoperable and subsequently returned
 
OPERABLE, the LCO may already have been not met for up to
 
8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the DC distribution
 
system. At this time, an AC train could again become
 
inoperable, and DC distribution restored OPERABLE. This
 
could continue indefinitely.
This Completion Time allows for an exception to the normal
 
"time zero" for beginning the allowed outage time "clock."
This will result in establishing the "time zero" at the time
 
the LCO was initially not met, instead of the time
 
Condition C was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the
 
LCO indefinitely.
 
Distribution Systems-Operating B 3.8.9 BASESNorth Anna Units 1 and 2B 3.8.9-9Revision43 ACTIONS D.1 With one or more required LCO 3.8.9.b AC electrical power distribution subsystem(s) inoperable, the shared
 
component(s) on the other unit is not capable of operating.
 
In this condition, the associated shared component is
 
declared inoperable immediately. SW, MCR/ESGR EVS, and CC
 
are shared systems. The associated Conditions or Required
 
Actions of LCO 3.7.8, "Service Water System," LCO 3.7.10, "MCR/ESGR Emergency Ventilation System," and LCO 3.7.19, "Component Cooling Water (CC) System," are followed.
E.1 With one or more required LCO 3.8.9.b DC electrical power distribution subsystem(s) inoperable, the shared
 
component(s) on the other unit is not capable of operating.
 
In this condition, the associated shared component is
 
declared inoperable immediately. SW, MCR/ESGR EVS, and CC
 
are shared systems. The associated Conditions or Required
 
Actions of LCO 3.7.8, 3.7.10, 3.7.12, and 3.7.19 are followed.F.1 With one or more required LCO 3.8.9.b AC vital electrical power distribution subsystem(s) inoperable, the shared
 
component(s) on the other unit is not capable of operating.
 
In this condition, the associated shared component is
 
declared inoperable immediately. SW, MCR/ESGR EVS, and CC
 
are shared systems.
G.1 and G.2 If the inoperable LCO 3.8.9.a distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which
 
the LCO does not apply. To achieve this status, the unit must
 
be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the
 
required unit conditions from full power conditions in an
 
orderly manner and without challenging unit systems.
 
North Anna Units 1 and 2B 3.8.9-10Revision46 Distribution Systems-Operating B 3.8.9 BASES ACTIONS H.1 Condition H corresponds to a level of degradation in the electrical power distribution system that causes a required
 
safety function to be lost. When more than one inoperable
 
LCO 3.8.9.a electrical power distribution subsystem results in the loss of a required function, the unit is in a
 
condition outside the accident analysis. Therefore, no
 
additional time is justified for continued operation.
 
LCO 3.0.3 must be entered immediately to commence a controlled shutdown.
SURVEILLANCE
 
REQUIREMENTS SR  3.8.9.1 This Surveillance verifies that the required AC, DC, and AC
 
vital bus electrical power distribution systems are
 
functioning properly, with the correct circuit breaker
 
alignment. The correct breaker alignment ensures the
 
appropriate separation and independence of the electrical
 
divisions is maintained, and the appropriate voltage is
 
available to each required bus. The verification of proper
 
voltage availability on the buses ensures that the required
 
voltage is readily available for motive as well as control
 
functions for critical system loads connected to these
 
buses. Verification of proper voltage availability for
 
480 volt buses and load centers may be performed by indirect methods. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Chapter 6.2.UFSAR, Chapter 15.3.Regulatory Guide 1.93, December 1974.
North Anna Units 1 and 2B 3.8.9-11Revision 0 Distribution Systems-Operating B 3.8.9* Each train of the AC and DC electrical power distribution systems is a subsystem.
Table B 3.8.9-1 (page 1 of 1)AC and DC Electrical Power Distribution Systems TYPE VOLTAGE TRAIN H*TRAIN J*Unit 1 Unit 2 Unit 1 Unit 2 AC emergency buses 4160 V ESF Bus ESF Bus 1H 2H 1J 2J 480 V Load Centers Load Centers 1H 2H 1J 2J 1H1 2H1 1J1 2J1 DC buses 125 V Bus 1-I 2-I Bus 1-III 2-III Bus 1-II 2-II Bus 1-IV 2-IV AC vital buses 120 V Bus 1-1 2-1 Bus 1-3 2-3 Bus 1-2 2-2 Bus 1-4 2-4 Intentionally Blank North Anna Units 1 and 2B 3.8.10-1Revision 0 Distribution Systems-Shutdown B 3.8.10 B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.10Distribution Systems-Shutdown BASES BACKGROUND A description of the AC, DC, and AC vital bus electrical
 
power distribution systems is provided in the Bases for
 
LCO 3.8.9, "Distribution Systems-Operating." APPLICABLE
 
SAFETY ANALYSES The initial conditions of Design Basis Accident and
 
transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide
 
sufficient capacity, capability, redundancy, and reliability
 
to ensure the availability of necessary power to ESF systems
 
so that the fuel, Reactor Coolant System, and containment
 
design limits are not exceeded.
The OPERABILITY of the AC, DC, and AC vital bus electrical
 
power distribution system is consistent with the initial
 
assumptions of the accident analyses and the requirements
 
for the supported systems' OPERABILITY.
The OPERABILITY of the minimum AC, DC, and AC vital bus
 
electrical power distribution subsystems during MODES 5 and 6, and during movement of recently irradiated fuel assemblies ensures that:a.The unit can be maintained in the shutdown or refueling condition for extended periods;b.Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status;
 
andc.Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident
 
involving handling recently irradiated fuel. Due to
 
radioactive decay, the AC and DC electrical power is only required to mitigate fuel handling accidents involving
 
handling recently irradiated fuel. (i.e., fuel that has
 
occupied part of a critical core within a time frame
 
established by analysis. The term recently is defined as
 
all irradiated fuel assemblies, until analysis is
 
performed to determine a specific time frame.)
North Anna Units 1 and 2B 3.8.10-2Revision 20 Distribution Systems-Shutdown B 3.8.10 BASES APPLICABLE
 
SAFETY ANALYSES (continued)
The AC and DC electrical power distribution systems satisfy
 
Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Various combinations of subsystems, equipment, and
 
components are required OPERABLE by other LCOs, depending on the specific unit condition. Implicit in those requirements
 
is the required OPERABILITY of necessary support required
 
features. This LCO explicitly requires energization of the
 
portions of the electrical distribution system necessary to
 
support OPERABILITY of required systems, equipment, and
 
components-all specifically addressed in each LCO and
 
implicitly required via the definition of OPERABILITY.
Maintaining these portions of the distribution system
 
energized ensures the availability of sufficient power to
 
operate the unit in a safe manner to mitigate the
 
consequences of postulated events during shutdown (e.g.,
fuel handling accidents involving handling recently
 
irradiated fuel).
APPLICABILITY The AC and DC electrical power distribution subsystems
 
required to be OPERABLE in MODES 5 and 6, and during movement of recently irradiated fuel assemblies, provide
 
assurance that:a.Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel
 
that has occupied part of a critical core within the
 
previous 300 hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available;
 
andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown
 
condition and refueling condition.
The AC, DC, and AC vital bus electrical power distribution
 
subsystems requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.9.
Distribution Systems-Shutdown B 3.8.10 BASESNorth Anna Units 1 and 2B 3.8.10-3Revision 20 ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 Although redundant required features may require redundant trains of electrical power distribution subsystems to be
 
OPERABLE, one OPERABLE distribution subsystem train may be
 
capable of supporting sufficient required features to allow
 
continuation of CORE ALTERATIONS and recently irradiated
 
fuel movement. By allowing the option to declare required
 
features associated with an inoperable distribution
 
subsystem inoperable, appropriate restrictions are
 
implemented in accordance with the affected distribution
 
subsystem LCO's Required Actions. In many instances, this
 
option may involve undesired administrative efforts.
 
Therefore, the allowance for sufficiently conservative
 
actions is made (i.e., to suspend CORE ALTERATIONS, movement
 
of recently irradiated fuel assemblies, and operations
 
involving positive reactivity additions) that could result
 
in loss of required SDM (MODE
: 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron
 
concentration limit is required to assure continued safe
 
operation. Introduction of coolant inventory must be from
 
sources that have a boron concentration greater than what
 
would be required in the RCS for minimum SDM or refueling
 
boron concentration. This may result in an overall reduction
 
in RCS boron concentration, but provides acceptable margin
 
to maintaining subcritical operation. Introduction of
 
temperature changes including temperature increases when
 
operating with a positive MTC must also be evaluated to
 
ensure they do not result in a loss of required SDM.
Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These
 
actions minimize the probability of the occurrence of
 
postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical
 
power distribution subsystems and to continue this action
 
until restoration is accomplished in order to provide the
 
necessary power to the unit safety systems.
Notwithstanding performance of the above conservative
 
Required Actions, a required residual heat removal (RHR)
 
subsystem may be inoperable. In this case, Required Actions
 
A.2.1 through A.2.4 do not adequately address the concerns
 
relating to coolant circulation and heat removal. Pursuant
 
to LCO 3.0.6, the RHR ACTIONS would not be entered.(continued)
North Anna Units 1 and 2B 3.8.10-4Revision 46 Distribution Systems-Shutdown B 3.8.10 BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 (continued)
Therefore, Required Action A.2.5 is provided to direct
 
declaring RHR inoperable, which results in taking the
 
appropriate RHR actions.
The Completion Time of immediately is consistent with the
 
required times for actions requiring prompt attention. The
 
restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power.
SURVEILLANCE
 
REQUIREMENTS SR  3.8.10.1 This Surveillance verifies that the required AC, DC, and AC
 
vital bus electrical power distribution subsystems are
 
functioning properly, with all the buses energized. The
 
verification of proper voltage availability on the buses
 
ensures that the required power is readily available for
 
motive as well as control functions for critical system
 
loads connected to these buses. Verification of proper
 
voltage availability for 480 volt buses and load centers may be performed by indirect methods. The Surveillance Frequency
 
is based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
REFERENCES1.UFSAR, Chapter 6.2.UFSAR, Chapter
: 15.
North Anna Units 1 and 2B 3.9.1-1Revision 0 Boron Concentration B 3.9.1 B 3.9  REFUELING OPERATIONSB 3.9.1Boron Concentration BASES BACKGROUND The limit on the boron concentrations of the Reactor Coolant
 
System (RCS), the refueling canal, and the refueling cavity
 
during refueling ensures that the reactor remains
 
subcritical during MODE
: 6. Refueling boron concentration is the soluble boron concentration in the coolant in each of
 
these volumes having direct access to the reactor core
 
during refueling.
The soluble boron concentration offsets the core reactivity
 
and is measured by chemical analysis of a representative
 
sample of the coolant in each of the volumes. The refueling
 
boron concentration limit is specified in the COLR. Plant
 
procedures ensure the specified boron concentration in order
 
to maintain an overall core reactivity of k eff  0.95 during fuel handling, with control r ods and fuel assemblies assumed to be in the most adverse configuration (least negative
 
reactivity) allowed by plant procedures.
GDC 26 requires that two independent reactivity control systems of different design principles be provided (Ref.
1). One of these systems must be capable of holding the reactor
 
core subcritical under cold conditions. The Chemical and
 
Volume Control System (CVCS) is the system capable of
 
maintaining the reactor subcritical in cold conditions by
 
maintaining the boron concentration.
The reactor is brought to shutdown conditions before
 
beginning operations to open the reactor vessel for
 
refueling. After the RCS is cooled and depressurized and the
 
vessel head is unbolted, the head is slowly removed to form
 
the refueling cavity. The refueling canal and the refueling
 
cavity are then flooded with borated water from the
 
Refueling Water Storage Tank through the open reactor vessel by gravity feeding or by the use of the Low Head Safety
 
Injection System pumps.
The pumping action of the Residual Heat Removal (RHR) System in the RCS and the natural circulation due to thermal driving
 
heads in the reactor vessel and refueling cavity mix the
 
added concentrated boric acid with the water in the
 
refueling canal. The RHR System is in operation during (continued)
North Anna Units 1 and 2B 3.9.1-2Revision 0 Boron Concentration B 3.9.1 BASES BACKGROUND (continued) refueling (see LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low
 
Water Level") to provide forced circulation in the RCS and
 
assist in maintaining the boron concentrations in the RCS, the refueling canal, and the refueling cavity above the COLR
 
limit.APPLICABLE
 
SAFETY ANALYSES During refueling operations, the reactivity condition of the
 
core is established to protect against inadvertent positive
 
reactivity addition and is conservative for MODE
: 6. The boron concentration limit specified in the COLR is based on
 
the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.
The required boron concentration and the plant refueling
 
procedures that verify the correct fuel loading plan (including full core mapping) ensure that the k eff of the core will remain  0.95 during the refueling operation.
Hence, at least a 5% k/k margin of safety is established during refueling.
During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal, the refueling
 
cavity, and the reactor vessel form a single mass. As a
 
result, the soluble boron concentration is relatively the
 
same in each of these volumes.
The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO requires that a minimum boron concentration be
 
maintained in the RCS, the refueling canal, and the
 
refueling cavity while in MODE
: 6. The boron concentration limit specified in the COLR ensures that a core k eff of  0.95 is maintained during fuel handling operations.
Violation of the LCO could lead to an inadvertent
 
criticality during MODE 6.APPLICABILITY This LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required
 
boron concentration ensures a k eff  0.95. Above MODE 6, (continued)
Boron Concentration B 3.9.1 BASESNorth Anna Units 1 and 2B 3.9.1-3Revision 0 APPLICABILITY (continued)
LCO 3.1.1, "SHUTDOWN MARGIN (SDM)" ensures that an adequate amount of negative reactivity is available to shut down the
 
reactor and maintain it subcritical.
The applicability is modified by a Note. The Note states that
 
the limits on boron concentration are only applicable to the
 
refueling canal and refueling cavity when those volumes are
 
connected to the RCS. When the refueling canal and refueling
 
cavity are isolated from the RCS, no potential path for boron
 
dilution exists.
ACTIONS A.1 and A.2 Continuation of CORE ALTERATIONS or positive reactivity
 
additions (including actions to reduce boron concentration)
 
is contingent upon maintaining the unit in compliance with
 
the LCO. If the boron concentration of any coolant volume in
 
the RCS, the refueling canal, or the refueling cavity is less
 
than its limit, all operations involving CORE ALTERATIONS or
 
positive reactivity additions must be suspended immediately.
Suspension of CORE ALTERATIONS and positive reactivity
 
additions shall not preclude moving a component to a safe
 
position. Operations that individually add limited positive
 
reactivity (e.g., temperature fluctuations from inventory
 
addition or temperature control fluctuations), but when combined with all other operations affecting core reactivity (e.g., intentional boration) result in overall net negative
 
reactivity addition, are not precluded by this action.
A.3 In addition to immediately suspending CORE ALTERATIONS and
 
positive reactivity additions, boration to restore the
 
concentration must be initiated immediately.
In determining the required combination of boration flow
 
rate and concentration, no unique Design Basis Event must be
 
satisfied. The only requirement is to restore the boron
 
concentration to its required value as soon as possible. In
 
order to raise the boron concentration as soon as possible, the operator should begin boration with the best source
 
available for unit conditions.(continued)
North Anna Units 1 and 2B 3.9.1-4Revision 46 Boron Concentration B 3.9.1 BASES ACTIONS A.3 (continued)
Once actions have been initiated, they must be continued
 
until the boron concentration is restored. The restoration
 
time depends on the amount of boron that must be injected to
 
reach the required concentration.
SURVEILLANCE
 
REQUIREMENTS SR  3.9.1.1 This SR ensures that the coolant boron concentration in the
 
RCS, and connected portions of the refueling canal and the
 
refueling cavity, is within the COLR limits. The boron
 
concentration of the coolant in each required volume is
 
determined periodically by chemical analysis. Prior to
 
re-connecting portions of the refueling canal or the
 
refueling cavity to the RCS, this SR must be met per
 
SR 3.0.1. If any dilution activity has occurred while the cavity or canal were disconnected from the RCS, this SR
 
ensures the correct boron concentration prior to
 
communication with the RCS.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Section 3.1.22.
North Anna Units 1 and 2B 3.9.2-1Revision 8 Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2 B 3.9  REFUELING OPERATIONSB 3.9.2Primary Grade Water Flow Path Isolation Valves-MODE 6 BASES BACKGROUND During MODE 6 operations, the isolation valves for primary grade water flow paths that are connected to the Reactor
 
Coolant System (RCS) must be closed to prevent unplanned
 
boron dilution of the reactor coolant. The isolation valves
 
must be locked, sealed or otherwise secured in the closed
 
position.The Chemical and Volume Control System is capable of
 
supplying borated and unborated water to the RCS through
 
various flow paths. Since a positive reactivity addition
 
made by uncontrolled reduction of the boron concentration is inappropriate during MODE 6, isolation of all primary grade water flow paths prevents an unplanned boron dilution.
APPLICABLE
 
SAFETY ANALYSES The possibility of an inadvertent boron dilution event (Ref. 1) occurring during MODE 6 refueling operations is precluded by adherence to this LCO, which requires that
 
primary grade water flow paths be isolated. Closing the
 
required valves during refueling operations prevents the
 
flow of unborated water to th e filled portion of the RCS. The valves are used to isolate primary grade water flow paths.
 
These valves have the potential to indirectly allow dilution of the RCS boron concentration in MODE
: 6. By isolating primary grade water flow paths, a safety analysis for an
 
uncontrolled boron dilution accident is not required for
 
MODE 6.The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO requires that flow paths to the RCS from primary
 
grade water sources be isolated to prevent unplanned boron
 
dilution during MODE 6 and thus avoid a reduction in SDM.
For Unit 1, primary grade water flow paths may be isolated from the RCS by closing valve 1-CH-217. Alternatively, 1-CH-220, 1-CH-241, 1-CH-FCV-1114B and 1-CH-FCV-1113B may be
 
used in lieu of 1-CH-217. For Unit 2, primary grade water (continued)
North Anna Units 1 and 2B 3.9.2-2Revision 8 Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2 BASES LCO (continued) flow paths may be isolated from the RCS by closing valve
 
2-CH-140. Alternatively, 2-CH-160, 2-CH-156, 2-CH-FCV-2114B, and 2-CH-FCV-2113B may be used in lieu of 2-CH-140.
The LCO is modified by a Note which allows the primary grade
 
water flow path isolation valves to be opened under
 
administrative control for planned boron dilution or makeup
 
activities.
APPLICABILITY In MODE 6, this LCO is applicable to prevent an inadvertent boron dilution event by ensuring isolation of primary grade
 
water flow paths to the RCS.
In MODES 3, 4, and 5, LCO 3.1.8, Primary Grade Water Flow Path Isolation Valves, requires the primary grade water flow
 
paths to the RCS to be isolated to prevent an inadvertent
 
boron dilution.
In MODES 1 and 2, the boron dilution accident was analyzed and was found to be capable of being mitigated.
ACTIONS A.1 Continuation of CORE ALTERATIONS is contingent upon
 
maintaining the unit in compliance with this LCO. With any
 
valve used to isolate primary grade water flow paths not
 
locked, sealed or otherwise secured in the closed position, all operations involving CORE ALTERATIONS must be suspended immediately. The Completion Time of "immediately" for
 
performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.
Condition A has been modified by a Note to require that Required Action A.3 be completed whenever Condition A is entered.A.2 Preventing inadvertent dilution of the reactor coolant boron
 
concentration is dependent on maintaining the primary grade
 
water flow path isolation valves secured closed. Locking, sealing, or securing the valves in the closed position
 
ensures that the valves cannot be inadvertently opened. The
 
Completion Time of 15 minutes provides sufficient time to close, lock, seal, or otherwise secure the flow path
 
isolation valve.
Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2 BASESNorth Anna Units 1 and 2B 3.9.2-3Revision 46 ACTIONS (continued)
A.3 Due to the potential of having diluted the boron concentration of the reactor coolant, SR 3.9.1.1 (verification of boron concentration) must be performed to
 
demonstrate that the required boron concentration exists.
 
The Completion Time of 4 hours is sufficient to obtain and analyze a reactor coolant sample for boron concentration.
SURVEILLANCE
 
REQUIREMENTS SR  3.9.2.1 These valves are to be locked, sealed, or otherwise secured
 
closed to isolate possible dilution paths. The likelihood of
 
a significant reduction in the boron concentration during
 
MODE 6 operations is remote due to the large mass of borated water in the refueling cavity and the fact that the primary
 
grade water flow paths are isolated, precluding a dilution.
 
The boron concentration is checked during MODE 6 under SR 3.9.1.1. The Frequency is based on verifying that the isolation valves are locked, sealed, or otherwise secured
 
within 15 minutes following a boron dilution or makeup activity. This Frequency is based on engineering judgment
 
and is considered reasonable in view of other administrative controls that will ensure that the valve opening is an
 
unlikely possibility.
REFERENCES1.UFSAR, Section 15.2.4.
Intentionally Blank North Anna Units 1 and 2B 3.9.3-1Revision 0 Nuclear Instrumentation B 3.9.3 B 3.9  REFUELING OPERATIONSB 3.9.3Nuclear Instrumentation BASES BACKGROUND The source range neutron flux monitors are used during
 
refueling operations to monitor the core reactivity
 
condition. The installed source range neutron flux monitors
 
are part of the Nuclear Instrumentation System (NIS). These
 
detectors are located external to the reactor vessel and
 
detect neutrons leaking from the core.
The installed source range neutron flux monitors are BF3
 
detectors operating in the proportional region of the gas
 
filled detector characteristic curve. The detectors monitor
 
the neutron flux in counts per second. The instrument range covers six decades of neutron flux (1E+6 cps). The detectors also provide continuous visual indication and an audible
 
alarm in the control room to alert operators to a possible
 
dilution accident. The NIS is designed in accordance with
 
the criteria presented in Reference 1.APPLICABLE
 
SAFETY ANALYSES Two OPERABLE source range neutron flux monitors are required to provide a signal to alert the operator to unexpected
 
changes in core reactivity such as with a boron dilution accident (Ref.
: 2) or an improperly loaded fuel assembly. The need for a safety analysis for an uncontrolled boron
 
dilution accident is eliminated by isolating all unborated water sources as required by LCO 3.9.2, "Primary Grade Water Flow Path Isolation Valves-MODE 6." The source range neutron flux monitors satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO requires that two source range neutron flux
 
monitors be OPERABLE to ensure that redundant monitoring
 
capability is available to detect changes in core
 
reactivity.
North Anna Units 1 and 2B 3.9.3-2Revision 0 Nuclear Instrumentation B 3.9.3 BASES APPLICABILITY In MODE 6, the source range neutron flux monitors must be OPERABLE to determine changes in core reactivity. There are
 
no other direct means available to check core reactivity
 
levels. In MODES 2, 3, 4, and 5, these same installed source range detectors and circuitry are also required to be
 
OPERABLE by LCO 3.3.1, "Reactor Trip System (RTS)
Instrumentation." ACTIONS A.1 and A.2 With only one source range neutron flux monitor OPERABLE, redundancy has been lost. Since these instruments are the
 
only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and introduction of coolant into the RCS
 
with boron concentration less than required to meet the
 
minimum boron concentration of LCO 3.9.1 must be suspended immediately. Suspending positive reactivity additions that
 
could result in failure to meet the minimum boron
 
concentration limit is required to assure continued safe
 
operation. Introduction of coolant inventory must be from
 
sources that have a boron concentration greater than that what would be required in the RCS for minimum refueling boron concentration. This may result in an overall reduction in
 
RCS boron concentration, but provides acceptable margin to
 
maintaining subcritical operations. Performance of Required
 
Action A.1 shall not preclude completion of movement of a
 
component to a safe position.
B.1 With no source range neutron flux monitor OPERABLE, action
 
to restore a monitor to OPERABLE status shall be initiated
 
immediately. Once initiated, action shall be continued until
 
a source range neutron flux monitor is restored to OPERABLE
 
status.B.2 With no source range neutron flux monitor OPERABLE, there
 
are no direct means of detecting changes in core reactivity.
 
However, since CORE ALTERATIONS and positive reactivity
 
additions are not to be made, the core reactivity condition
 
is stabilized until the source range neutron flux monitors
 
are OPERABLE. This stabilized condition is determined by
 
performing SR 3.9.1.1 to ensure that the required boron concentration exists.(continued)
Nuclear Instrumentation B 3.9.3 BASESNorth Anna Units 1 and 2B 3.9.3-3Revision 46 ACTIONS B.2 (continued)
The Completion Time of once per 12 hours is sufficient to obtain and analyze a reactor coolant sample for boron
 
concentration and ensures that unplanned changes in boron
 
concentration would be identified. The 12 hour Frequency is reasonable, considering the low probability of a change in
 
core reactivity during this time period.
SURVEILLANCE
 
REQUIREMENTS SR  3.9.3.1 SR 3.9.3.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indicated on one channel to a
 
similar parameter on other channels. It is based on the
 
assumption that the two indication channels should be
 
consistent with core co nditions. Changes in fuel loading and core geometry can result in significant differences between
 
source range channels, but ea ch channel should be consistent with its local conditions.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.9.3.2 SR 3.9.3.2 is the performance of a CHANNEL CALIBRATION every 18 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The
 
CHANNEL CALIBRATION for the source range neutron flux
 
monitors consists of obtaining the detector plateau or
 
preamp discriminator curves, evaluating those curves, and
 
comparing the curves to the manufacturer's data. The
 
18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit
 
outage. The Surveillance Frequency is based on operating
 
experience, equipment reliability, and plant risk and is
 
controlled under the Surveillance Frequency Control Program.
REFERENCES1.UFSAR, Chapter 3.2.UFSAR, Chapter
: 15.
Intentionally Blank North Anna Units 1 and 2B 3.9.4-1Revision 20 Containment Penetrations B 3.9.4 B 3.9  REFUELING OPERATIONSB 3.9.4Containment Penetrations BASES BACKGROUND During movement of recently irradiated fuel assemblies
 
within containment, a release of fission product
 
radioactivity within containment will be restricted from
 
escaping to the environment when the LCO requirements are
 
met. In MODES 1, 2, 3, and 4, this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely;
 
therefore, requirements to isolate the containment from the
 
outside atmosphere can be less stringent. The LCO
 
requirements are referred to as "containment closure" rather
 
than "containment OPERABILITY." Containment closure means
 
that all potential escape paths are closed or capable of
 
being closed. Since there is no potential for containment
 
pressurization, the Appendix J leakage criteria and tests are not required.
The containment serves to contain fission product
 
radioactivity that may be released from the reactor core
 
following an accident, such that offsite radiation exposures
 
are maintained within the requirements of Regulatory
 
Guide 1.183 (Ref.
2). Additionally, the containment provides radiation shielding from the fission products that may be
 
present in the containment atmosphere following accident
 
conditions.
The containment equipment hatch, which is part of the
 
containment pressure boundary, provides a means for moving
 
large equipment and components into and out of containment.
 
During movement of recently irradiated fuel assemblies
 
within containment, the equipment hatch must be held in
 
place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be
 
approximately equally spaced.
The containment air locks, which are also part of the
 
containment pressure boundary, provide a means for personnel
 
access during MODES 1, 2, 3, and 4 unit operation in accordance with LCO 3.6.2, "Containment Air Locks." One of the containment air locks is an integral part of the
 
containment equipment hatch. During refueling the air lock (continued)
North Anna Units 1 and 2B 3.9.4-2Revision 20 Containment Penetrations B 3.9.4 BASES BACKGROUND (continued) that is part of the containment equipment hatch is typically
 
replaced by a temporary hatch plate. While the temporary
 
hatch plate is installed, there is only one air lock by which to enter containment. The LCO only applies to containment
 
air locks that are installed. Each air lock has a door at
 
both ends. The doors are normally interlocked to prevent
 
simultaneous opening when containment OPERABILITY is
 
required. During periods of unit shutdown when containment closure is not required, the door interlock mechanism may be
 
disabled, allowing both doors of an air lock to remain open
 
for extended periods when frequent containment entry is
 
necessary. During movement of recently irradiated fuel
 
assemblies within containment, containment closure is required; therefore, the door interlock mechanism may remain
 
disabled, but one air lock door must always remain closed.
The requirements for containment penetration closure ensure
 
that a release of fission product radioactivity within
 
containment will be restricted from escaping to the
 
environment. The closure restrictions are sufficient to
 
restrict fission product radioactivity release from the
 
containment due to a fuel handling accident involving
 
handling of recently irradiated fuel.
The Containment Purge and Exhaust System includes a 36 inch purge penetration and a 36 inch exhaust penetration. During MODES 1, 2, 3, and 4, the two valves in each of the purge and exhaust flow paths are secured in the closed position. The
 
Containment Purge and Exhaust System is not subject to a
 
Specification in MODE 5.In MODE 6, large air exchanges are necessary to conduct refueling operations. The 36 inch purge system is used for this purpose.
The containment penetrations that provide direct access from
 
containment atmosphere to outside atmosphere must be
 
isolated on at least one side. Isolation may be achieved by
 
an OPERABLE automatic isolation valve, or by a manual
 
isolation valve, blind flange, or equivalent. Equivalent
 
isolation methods must be approved and may include use of a material that can provide a temporary, atmospheric pressure, ventilation barrier for the other containment penetrations
 
during recently irradiated fuel movements.
Containment Penetrations B 3.9.4 BASESNorth Anna Units 1 and 2B 3.9.4-3Revision 20 APPLICABLE SAFETY ANALYSES During movement of irradiated fuel assemblies within
 
containment, the most severe radiological consequences
 
result from a fuel handling accident involving handling
 
recently irradiated fuel. The fuel handling accident is a
 
postulated event that involves damage to irradiated fuel (Ref. 1). Fuel handling accidents, analyzed in Reference 2, involve dropping a single irradiated fuel assembly and
 
handling tool. The requirements of LCO 3.9.7, "Refueling Cavity Water Level," in conjunction with a minimum decay
 
time of 100 hours prior to movement of irradiated fuel (i.e., fuel that has not been recently irradiated) without
 
containment closure capability ensures that the release of
 
fission product radioactivity, subsequent to a fuel handling
 
accident, results in doses that are within the guideline
 
values specified in Regulatory Guide 1.183 (Ref.
2).Containment penetrations satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO limits the consequences of a fuel handling accident
 
involving handling recently irradiated fuel in containment
 
by limiting the potential escape paths for fission product
 
radioactivity released within containment. The LCO requires
 
any penetration providing direct access from the containment
 
atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge and exhaust penetrations. For
 
the OPERABLE containment purge and exhaust penetrations, this LCO ensures that these penetrations are isolable by a
 
containment purge and exhaust isolation valve.
The LCO is modified by a Note allowing penetration flow paths
 
with direct access from the containment atmosphere to the
 
outside atmosphere to be unisolated under administrative
 
controls. Administrative controls ensure that 1) appropriate personnel are aware of the open status of the penetration
 
flow path during movement of recently irradiated fuel
 
assemblies within containment, and 2) specified individuals are designated and readily available to isolate the flow
 
path in the event of a fuel handling accident.
APPLICABILITY The containment penetration requirements are applicable
 
during movement of recently irradiated fuel assemblies
 
within containment because this is when there is a potential for the limiting fuel handling accident. In MODES 1, 2, 3, (continued)
North Anna Units 1 and 2B 3.9.4-4Revision 46 Containment Penetrations B 3.9.4 BASES APPLICABILITY (continued) and 4, containment penetration requirements are addressed by LCO 3.6.1. In MODES 5 and 6, when movement of irradiated fuel assemblies within containment is not being conducted, the potential for a design basis fuel handling accident does
 
not exist. Additionally, due to radioactive decay, containment closure capability is only required during a
 
fuel handling accident involving handling recently
 
irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours). A fuel handling accident involving fuel with a minimum decay time
 
of 100 hours prior to mo vement will result in doses that are within the guideline values specified in Regulatory
 
Guide 1.183 (Ref.
: 2) even without containment closure capability. Therefore, under these conditions no
 
requirements are placed on containment penetration status.
ACTIONS A.1 If the containment equipment hatch, air locks, or any
 
containment penetration that provides direct access from the
 
containment atmosphere to the outside atmosphere is not in
 
the required status, including the Containment Purge and
 
Exhaust Isolation System not capable of manual actuation
 
when the purge and exhaust valves are open, the unit must be
 
placed in a condition where the isolation function is not
 
needed. This is accomplished by immediately suspending
 
movement of recently irradiated fuel assemblies within
 
containment. Performance of these actions shall not preclude
 
completion of movement of a component to a safe position.
SURVEILLANCE
 
REQUIREMENTS SR  3.9.4.1 This Surveillance demonstrates that each of the containment
 
penetrations required to be in its closed position is in that
 
position. The Surveillance on the open purge and exhaust
 
valves will demonstrate that the valves are not blocked from
 
closing. Also the Surveillance will demonstrate that each valve operator has motive power, which will ensure that each
 
valve is capable of being manually closed.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
Containment Penetrations B 3.9.4 BASESNorth Anna Units 1 and 2B 3.9.4-5Revision 46 SURVEILLANCE REQUIREMENTS SR  3.9.4.2 This Surveillance demonstrates that each containment purge
 
and exhaust valve actuates to its isolation position on
 
manual initiation. The Surveillance Frequency is based on
 
operating experience, equipment reliability, and plant risk
 
and is controlled under the Surveillance Frequency Control
 
Program. This Surveillance will ensure that the valves are
 
capable of being closed after a postulated fuel handling
 
accident involving handling recently irradiated fuel to
 
limit a release of fission product radioactivity from the
 
containment. The SR is modified by a Note stating that this
 
Surveillance is not required to be met for valves in isolated
 
penetrations. The LCO provides the option to close
 
penetrations in lieu of requiring manual initiation
 
capability.
REFERENCES1.UFSAR, Section 15.4.7.2.Regulatory Guide 1.183, July 2000.
Intentionally Blank North Anna Units 1 and 2B 3.9.5-1Revision 0 RHR and Coolant Circulation-High Water Level B 3.9.5 B 3.9  REFUELING OPERATIONSB 3.9.5Residual Heat Removal (RHR) and Coolant Circulation-High Water Level BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS)
 
to provide mixing of borated coolant and to prevent boron
 
stratification (Ref.
1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat
 
exchanger(s), where the heat is transferred to the Component
 
Cooling Water System. The coolant is then returned to the RCS
 
via the RCS cold leg(s). Operation of the RHR System for
 
normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through
 
the RHR heat exchanger(s) and the bypass. Mixing of the
 
reactor coolant is maintained by this continuous circulation
 
of reactor coolant through the RHR System.
APPLICABLE
 
SAFETY ANALYSES If the reactor coolant temperature is not maintained below
 
200&deg;F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel.
 
Additionally, boiling of the reactor coolant co uld lead to a reduction in boron concentration in the coolant due to boron plating out on components near the areas of the boiling
 
activity. The loss of reactor coolant and the reduction of
 
boron concentration in the reactor coolant would eventually
 
challenge the integrity of the fuel cladding, which is a
 
fission product barrier. One train of the RHR System is
 
required to be operational in MODE 6, with the water level  23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit removal of the
 
RHR loop from operation for short durations, under the
 
condition that the boron concentration is not diluted. This
 
conditional removal from operation of the RHR loop does not
 
result in a challenge to the fission product barrier.
The RHR System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCO Only one RHR loop is required for decay heat removal in
 
MODE 6, with the water level  23 ft above the top of the reactor vessel flange. Only one RHR loop is required to be (continued)
North Anna Units 1 and 2B 3.9.5-2Revision 0 RHR and Coolant Circulation-High Water Level B 3.9.5 BASES LCO (continued)
OPERABLE, because the volume of water above the reactor
 
vessel flange provides backup decay heat removal capability.
 
At least one RHR loop must be OPERABLE and in operation to
 
provide:a.Removal of decay heat;b.Mixing of borated coolant to minimize the possibility of criticality; andc.Indication of reactor coolant temperature.An OPERABLE RHR loop includes an RHR pump, a heat exchanger, valves, piping, instruments, and controls to ensure an
 
OPERABLE flow path and to determine the RHR discharge temperature. The flow path starts in one of the RCS hot legs
 
and is returned to at least one of the RCS cold legs.
The LCO is modified by a Note that allows the required
 
operating RHR loop to be removed from operation for up to
 
1 hour per 8 hour period, provided no operations are permitted that would dilute the RCS boron concentration by
 
introduction of coolant into the RCS with boron
 
concentration less than required to meet the minimum boron
 
concentration of LCO 3.9.1. Boron concentration reduction with coolant at boron concentrations less than required to
 
assure the RCS boron concentration is maintained is prohibited because uniform concentration distribution cannot
 
be ensured without forced circulation. This permits
 
operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles and RCS to RHR
 
isolation valve testing. During this 1 hour period, decay heat is removed by natural convection to the large mass of
 
water in the refueling cavity.
APPLICABILITY One RHR loop must be OPERABLE and in operation in MODE 6, with the water level  23 ft above the top of the reactor vessel flange, to provide decay heat removal. The 23 ft water level was selected because it corresponds to the 23 ft requirement established for fuel movement in LCO 3.9.7, "Refueling Cavity Water Level." Requirements for the RHR
 
System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR loop requirements in
 
MODE 6 with the water level <
23 ft are located in LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level."
RHR and Coolant Circulation-High Water Level B 3.9.5 BASESNorth Anna Units 1 and 2B 3.9.5-3Revision 0 ACTIONSRHR loop requirements are met by having one RHR loop OPERABLE and in operation, except as p ermitted in the Note to the LCO.
A.1 If RHR loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron
 
concentrations. Suspending positive reactivity additions
 
that could result in failure to meet the minimum boron
 
concentration limit is required to assure continued safe
 
operation. Introduction of coolant inventory must be from
 
sources that have a boron concentration greater than what
 
would be required in the RCS for minimum refueling boron
 
concentration. This may result in an overall reduction in
 
RCS boron concentration, but provides acceptable margin to
 
maintaining subcritical operation.
A.2 If RHR loop requirements are not met, actions shall be taken
 
immediately to suspend loading of irradiated fuel assemblies
 
in the core. With no forced circulation cooling, decay heat
 
removal from the core occurs by natural convection to the
 
heat sink provided by the water above the core. A minimum
 
refueling water level of 23 ft above the reactor vessel flange provides an adequate available heat sink. Suspending
 
any operation that would increase decay heat load, such as
 
loading a fuel assembly, is a prudent action under this
 
condition.
A.3 If RHR loop requirements are not met, actions shall be
 
initiated and continued in order to satisfy RHR loop
 
requirements. With the unit in MODE 6 and the refueling water level  23 ft above the top of the reactor vessel flange, corrective actions shall be initiated immediately.
A.4, A.5, A.6.1, and A.6.2 If LCO 3.9.5 is not met, the following actions must be taken:a.the equipment hatch or equipment hatch cover must be closed and secured with at least four bolts;b.one door in each installed air lock must be closed; and (continued)
North Anna Units 1 and 2B 3.9.5-4Revision 46 RHR and Coolant Circulation-High Water Level B 3.9.5 BASES ACTIONS A.4, A.5, A.6.1, and A.6.2 (continued)c.each penetration providing direct access from the containment atmosphere to the outside atmosphere must be
 
either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust
 
Isolation system.
With RHR loop requirements not met, the potential exists for
 
the coolant to boil and release radioactive gas to the
 
containment atmosphere. Performing the actions described
 
above ensures that all containment penetrations are either
 
closed or can be closed so that the dose limits are not
 
exceeded.The Completion Time of 4 hours allows fixing of most RHR
 
problems and is reasonable, based on the low probability of
 
the coolant boiling in that time.
SURVEILLANCE
 
REQUIREMENTS SR  3.9.5.1 This Surveillance demonstrates that the RHR loop is in
 
operation and circulating reactor coolant. The flow rate is
 
determined by the flow rate necessary to provide sufficient
 
decay heat removal capability and to prevent thermal and
 
boron stratification in the core. The Surveillance Frequency
 
is based on operating experience, equipment reliability, and
 
plant risk and is controlled under the Surveillance
 
Frequency Control Program.
REFERENCES1.UFSAR, Section 5.5.4.
North Anna Units 1 and 2B 3.9.6-1Revision 0 RHR and Coolant Circulation-Low Water Level B 3.9.6 B 3.9  REFUELING OPERATIONSB 3.9.6Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS)
 
to provide mixing of borated coolant, and to prevent boron
 
stratification (Ref.
1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers
 
where the heat is transferred to the Component Cooling Water
 
System. The coolant is then returned to the RCS via the RCS
 
cold leg(s). Operation of the RHR System for normal cooldown decay heat removal is manuall y accomplished from the control room. The heat removal rate is adjusted by controlling the
 
flow of reactor coolant through the RHR heat exchanger(s)
 
and the bypass lines. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant
 
through the RHR System.
APPLICABLE
 
SAFETY ANALYSES If the reactor coolant temperature is not maintained below
 
200&deg;F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel.
 
Additionally, boiling of the reactor coolant co uld lead to a reduction in boron concentration in the coolant due to the
 
boron plating out on components near the areas of the boiling
 
activity. The loss of reactor coolant and the reduction of
 
boron concentration in the reactor coolant will eventually
 
challenge the integrity of the fuel cladding, which is a
 
fission product barrier. Two trains of the RHR System are required to be OPERABLE, and one train in operation, in order to prevent this challenge.
The RHR System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCO In MODE 6, with the water level <
23 ft above the top of the reactor vessel flange, both RHR loops must be OPERABLE.
 
Additionally, one loop of RHR must be in operation in order
 
to provide:a.Removal of decay heat;(continued)
North Anna Units 1 and 2B 3.9.6-2Revision 0 RHR and Coolant Circulation-Low Water Level B 3.9.6 BASES LCO (continued)b.Mixing of borated coolant to minimize the possibility of criticality; andc.Indication of reactor coolant temperature.
This LCO is modified by two Notes. Note 1 permits the RHR pumps to be removed from operation for  15 minutes when switching from one train to another. The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and the core outlet temperature is
 
maintained >
10&deg;F below saturation temperature. The Note prohibits boron dilution or draining operations when RHR
 
forced flow is stopped. Note 2 allows one RHR loop to be inoperable for a period of 2 hours provided the other loop is OPERABLE and in operation. Prior to declaring the loop
 
inoperable, consideration should be given to the existing
 
unit configuration. This consideration should include that
 
the core time to boil is short, there is no draining
 
operation to further reduce RCS water level and that the
 
capability exists to inject borated water into the reactor
 
vessel. This permits surveillance tests to be performed on
 
the inoperable loop during a time when these tests are safe
 
and possible.
An OPERABLE RHR loop consists of an RHR pump, a heat
 
exchanger, valves, piping, instruments and controls to
 
ensure an OPERABLE flow path and to determine the RHR
 
discharge temperature. The flow path starts in one of the RCS
 
hot legs and is returned to at least one of the RCS cold
 
legs.APPLICABILITY Two RHR loops are required to be OPERABLE, and one RHR loop must be in operation in MODE 6, with the water level <
23 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the RHR System in other MODES
 
are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR loop requirements in MODE 6 with the water level  23 ft are located in LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level." ACTIONS A.1 and A.2 If less than the required number of RHR loops are OPERABLE, action shall be immediately initiated and continued until
 
the RHR loop is restored to OPERABLE status and to operation (continued)
RHR and Coolant Circulation-Low Water Level B 3.9.6 BASESNorth Anna Units 1 and 2B 3.9.6-3Revision 0 ACTIONS A.1 and A.2 (continued) or until  23 ft of water level is established above the reactor vessel flange. When the water level is  23 ft above the reactor vessel flange, th e Applicability changes to that of LCO 3.9.5, and only one RHR loop is required to be OPERABLE and in operation. An immediate Completion Time is
 
necessary for an operator to initiate corrective actions.
B.1 If no RHR loop is in operation, there will be no forced
 
circulation to provide mixing to establish uniform boron
 
concentrations. Reduced boron concentrations cannot occur by
 
the addition of water with a lower boron concentration than
 
that contained in the RCS, because all of the unborated water
 
sources are isolated.
B.2 If no RHR loop is in operation, actions shall be initiated
 
immediately, and continued, to restore one RHR loop to
 
operation. Since the unit is in Conditions A and B concurrently, the restoration of two OPERABLE RHR loops and
 
one operating RHR loop should be accomplished expeditiously.
B.3, B.4, B.5.1, and B.5.2 If no RHR is in operation, the following actions must be
 
taken:a.the equipment hatch or equipment hatch cover must be closed and secured with at least four bolts;b.one door in each installed air lock must be closed; andc.each penetration providing direct access from the containment atmosphere to the outside atmosphere must be
 
either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust
 
Isolation system.
With RHR loop requirements not met, the potential exists for
 
the coolant to boil and release radioactive gas to the
 
containment atmosphere. Performing the actions described (continued)
North Anna Units 1 and 2B 3.9.6-4Revision 46 RHR and Coolant Circulation-Low Water Level B 3.9.6 BASES ACTIONS B.3, B.4, B.5.1, and B.5.2 (continued) above ensures that all containment penetrations are either
 
closed or can be closed so that the dose limits are not
 
exceeded.The Completion Time of 4 hours allows fixing of most RHR
 
problems and is reasonable, based on the low probability of
 
the coolant boiling in that time.
SURVEILLANCE
 
REQUIREMENTS SR  3.9.6.1 This Surveillance demonstrates that one RHR loop is in
 
operation and circulating reactor coolant. The flow rate is
 
determined by the flow rate necessary to provide sufficient
 
decay heat removal capability and to prevent thermal and
 
boron stratification in the core. In addition, during
 
operation of the RHR loop with the water level lowered to the level of the reactor vessel nozzles, the RHR pump net
 
positive suction head requirements must be met. The
 
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
SR  3.9.6.2 Verification that the required pump is OPERABLE ensures that
 
an additional RCS or RHR pump can be placed in operation, if
 
needed, to maintain decay heat removal and reactor coolant
 
circulation. Verification is performed by verifying proper
 
breaker alignment and power available to the required pump.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
The SR is modified by a Note that states the SR is not
 
required to be performed until 24 hours after a required pump is not in operation.
REFERENCES1.UFSAR, Section 5.5.4.
North Anna Units 1 and 2B 3.9.7-1Revision 20 Refueling Cavity Water Level B 3.9.7 B 3.9  REFUELING OPERATIONSB 3.9.7Refueling Cavity Water Level BASES BACKGROUND The movement of irradiated fuel assemblies within
 
containment requires a minimum water level of 23 ft above the top of the reactor vessel flange. During refueling, this
 
maintains sufficient water level in the containment, refueling canal, fuel transfer canal, refueling cavity, and
 
spent fuel pool. Sufficient water is necessary to retain
 
iodine fission product activity in the water in the event of
 
a fuel handling accident (Refs.
1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the
 
accident to the limits of Regulatory Guide 1.183.APPLICABLE
 
SAFETY ANALYSES During movement of irradiated fuel assemblies, the water
 
level in the refueling canal and the refueling cavity is an
 
initial condition design parameter in the analysis of a fuel handling accident in containment, as postulated by
 
Regulatory Guide 1.183 (Ref.
1). A minimum water level of 23 ft allows an effective iodine decontamination factor of 200 (Appendix B Assumption 2 of Ref. 1) to be used in the accident analysis for i odine. This relates to the assumption that 99.5% of the total iodine released from the pellet to
 
cladding gap of all the dropped fuel assembly rods is
 
retained by the refueling cavity water. The fuel pellet to
 
cladding gap is assumed to contain 8% of the fuel rod I-131
 
inventory and 5% of all other iodine isotopes, which are
 
included as other halogens (Ref.
1).The fuel handling accident analysis inside containment is
 
described in Reference
: 2. With a minimum water level of 23 ft, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is
 
adequately captured by the water and offsite doses are
 
maintained within allowable limits (Ref.
1).Refueling cavity water level satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO A minimum refueling cavity water level of 23 ft above the reactor vessel flange is required to ensure that the
 
radiological consequences of a postulated fuel handling
 
accident inside containment are within acceptable limits.
North Anna Units 1 and 2B 3.9.7-2Revision 46 Refueling Cavity Water Level B 3.9.7 BASES APPLICABILITY LCO 3.9.7 is applicable when moving irradiated fuel assemblies within containment. The LCO minimizes the
 
possibility of a fuel handling accident in containment that
 
is beyond the assumptions of the safety analysis. If
 
irradiated fuel assemblies are not present in containment, there can be no significant radioactivity release as a
 
result of a postulated fuel handling accident. Requirements
 
for fuel handling accidents in the spent fuel pool are
 
covered by LCO 3.7.16, "Fuel Storage Pool Water Level." ACTIONS A.1 With a water level of <
23 ft above the top of the reactor vessel flange, all operations involving movement of
 
irradiated fuel assemblies within the containment shall be
 
suspended immediately to ensure that a fuel handling
 
accident cannot occur.
The suspension of fuel movement shall not preclude
 
completion of movement of a component to a safe position.
SURVEILLANCE
 
REQUIREMENTS SR  3.9.7.1 Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis
 
for the analysis of the postulated fuel handling accident
 
during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated to
 
result from a fuel handling accident inside containment (Ref. 2).The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled
 
under the Surveillance Frequency Control Program.
REFERENCES1.Regulatory Guide 1.183, July 2000.2.UFSAR, Section 15.4.7.}}

Revision as of 16:45, 13 October 2018

North Anna, Units 1 & 2, Technical Specifications Bases
ML11298A216
Person / Time
Site: North Anna  Dominion icon.png
Issue date: 10/08/2011
From:
Virginia Electric & Power Co (VEPCO)
To:
Office of Nuclear Reactor Regulation
References
11-557
Download: ML11298A216 (731)
v  d  e


Text

Retrieved from "https://kanterella.com/w/index.php?title=ML11298A216&oldid=1101542"