ML13302B892: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
 
(Created page by program invented by StriderTol)
Line 15: Line 15:
| page count = 732
| page count = 732
}}
}}
=Text=
{{#Wiki_filter:TECHNICAL SPECIFICATIONS BASESFOR NORTH ANNA UNITS 1 & 2
TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSNorth Anna Units 1 and 2iRevision 39 B 2.1SAFETY LIMITS (SLs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 2.1.1-1B 2.1.1Reactor Core SLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 2.1.1-1 B 2.1.2Reactor Coolant System (RCS) Pressure SL . . . . . . . . . . . . . . . . . .B 2.1.2-1B 3.0LIMITING CONDITION FOR OPERATION (LCO)APPLICABILITY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B 3.0-1B 3.0SURVEILLANCE REQUIREMENT (SR) APPLICABILITY . . . . . . . . B 3.0-12B 3.1REACTIVITY CONTROL SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.1-1B 3.1.1SHUTDOWN MARGIN (SDM) . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.1-1 B 3.1.2Core Reactivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.2-1 B 3.1.3Moderator Temperature Coefficient (MTC). . . . . . . . . . . . . . . . . . .B 3.1.3-1 B 3.1.4Rod Group Alignment Limits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.4-1 B 3.1.5Shutdown Bank Insertion Limits . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.5-1B 3.1.6Control Bank Insertion Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.6-1B 3.1.7Rod Position Indication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.7-1 B 3.1.8Primary Grade Water Flow Path IsolationValves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.8-1B 3.1.9PHYSICS TESTS Exceptions-MODE2 . . . . . . . . . . . . . . . . . . . .B 3.1.9-1B 3.2POWER DISTRIBUTION LIMITS. . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.2.1-1B 3.2.1Heat Flux Hot Channel Factor (F Q(Z)). . . . . . . . . . . . . . . . . . . . . . .B 3.2.1-1B 3.2.2Nuclear Enthalpy Rise Hot Channel Factor () . . . . . . . . . . . . . . .B 3.2.2-1 B 3.2.3AXIAL FLUX DIFFERENCE (AFD) . . . . . . . . . . . . . . . . . . . . . . .B 3.2.3-1B 3.2.4QUADRANT POWER TILT RATIO (QPTR). . . . . . . . . . . . . . . . .B 3.2.4-1B 3.3INSTRUMENTATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.1-1 B 3.3.1Reactor Trip System (RTS) Instrumentation . . . . . . . . . . . . . . . . . .B 3.3.1-1B 3.3.2Engineered Safety Feature Actuation System(ESFAS) Instrumentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.2-1B 3.3.3Post Accident Monitoring (PAM)Instrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.3-1B 3.3.4Remote Shutdown System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.4-1 B 3.3.5Loss of Power (LOP) Emergency Diesel Generator(EDG) Start Instrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.5-1B 3.3.6Main Control Room/Emergency Switchgear Room (MCR/ESGR) Envelope Isolation ActuationInstrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.6-1B 3.4REACTOR COOLANT SYSTEM (RCS) . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.1-1 B 3.4.1RCS Pressure, Temperat ure, and Flow Departurefrom Nucleate Boiling (DNB) Limits. . . . . . . . . . . . . . . . . . . .B 3.4.1-1B 3.4.2RCS Minimum Temperature for Criticality . . . . . . . . . . . . . . . . . . .B 3.4.2-1 B 3.4.3RCS Pressure and Temperature (P/T) Limits . . . . . . . . . . . . . . . . . .B 3.4.3-1B 3.4.4RCS Loops-MODES1 and2. . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.4-1 B 3.4.5RCS Loops-MODE3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.5-1B 3.4.6RCS Loops-MODE4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.6-1B 3.4.7RCS Loops-MODE5, Loops Filled. . . . . . . . . . . . . . . . . . . . . . . .B 3.4.7-1B 3.4.8RCS Loops-MODE5, Loops Not Filled . . . . . . . . . . . . . . . . . . . .B 3.4.8-1B 3.4.9Pressurizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.9-1 FNH North Anna Units 1 and 2iiRevision 39 TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSB 3.4REACTOR COOLANT SYSTEM (RCS) (continued)B 3.4.10Pressurizer Safety Valves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.10-1 B 3.4.11Pressurizer Power Operated Relief Valves(PORVs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.11-1B 3.4.12Low Temperature Overpressure Protection(LTOP) System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.12-1B 3.4.13RCS Operational LEAKAGE. . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.13-1 B 3.4.14RCS Pressure Isolation Valve (PIV) Leakage. . . . . . . . . . . . . . . . .B 3.4.14-1 B 3.4.15RCS Leakage Detection Instrumentation. . . . . . . . . . . . . . . . . . . .B 3.4.15-1 B 3.4.16RCS Specific Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.16-1 B 3.4.17RCS Loop Isolation Valves. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.17-1 B 3.4.18RCS Isolated Loop Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.18-1B 3.4.19RCS Loops-Test Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.19-1 B 3.4.20Steam Generator (SG) Tube Integrity. . . . . . . . . . . . . . . . . . . . . . .B 3.4.20-1B 3.5EMERGENCY CORE COOLING SYSTEMS (ECCS) . . . . . . . . . . . . .B 3.5.1-1 B 3.5.1Accumulators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.1-1 B 3.5.2ECCS-Operating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.2-1 B 3.5.3ECCS-Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.3-1 B 3.5.4Refueling Water Storage Tank (RWST) . . . . . . . . . . . . . . . . . . . . . .B 3.5.4-1 B 3.5.5Seal Injection Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.5-1 B 3.5.6Boron Injection Tank (BIT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.6-1B 3.6CONTAINMENT SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.1-1B 3.6.1Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.1-1B 3.6.2Containment Air Locks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.2-1 B 3.6.3Containment Isolation Valves. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.3-1 B 3.6.4Containment Pressure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.4-1 B 3.6.5Containment Air Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.5-1 B 3.6.6Quench Spray (QS) System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.6-1 B 3.6.7Recirculation Spray (RS) System. . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.7-1B 3.6.8Chemical Addition System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.8-1B 3.7PLANT SYSTEMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.1-1B 3.7.1Main Steam Safety Valves (MSSVs) . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.1-1 B 3.7.2Main Steam Trip Valves (MSTVs). . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.2-1 B 3.7.3Main Feedwater Isolation Valves (MFIVs), MainFeedwater Pump Discharge Valves (MFPDVs),
Main Feedwater Regulating Valves (MFRVs),
and Main Feedwate r Regulating BypassValves (MFRBVs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.3-1B 3.7.4Steam Generator Power Operated Relief Valves(SG PORVs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.4-1B 3.7.5Auxiliary Feedwater (AFW) System . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.5-1B 3.7.6Emergency Condensate Storage Tank (ECST). . . . . . . . . . . . . . . . .B 3.7.6-1 B 3.7.7Secondary Specific Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.7-1B 3.7.8Service Water (SW) System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.8-1B 3.7.9Ultimate Heat Sink (UHS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.9-1 TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSNorth Anna Units 1 and 2iiiRevision 39 B 3.7PLANT SYSTEMS (continued)B 3.7.10Main Control Room/Emergency Switchgear Room(MCR/ESGR) Emergency Ventilation System (EVS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.10-1B 3.7.11Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning System (ACS). . . . . . . . . . .B 3.7.11-1B 3.7.12Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System (PREACS). . . . . . . . . . .B 3.7.12-1B 3.7.13Not Used B 3.7.14Not Used B 3.7.15Fuel Building Ventilation System (FBVS). . . . . . . . . . . . . . . . . . .B 3.7.15-1B 3.7.16Fuel Storage Pool Water Level. . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.16-1 B 3.7.17Fuel Storage Pool Boron Concentration. . . . . . . . . . . . . . . . . . . . .B 3.7.17-1B 3.7.18Spent Fuel Pool Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.18-1 B 3.7.19Component Cooling Water (CC) System. . . . . . . . . . . . . . . . . . . .B 3.7.19-1B 3.8ELECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.1-1 B 3.8.1AC Sources-Operating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.1-1B 3.8.2AC Sources-Shutdown. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.2-1B 3.8.3Diesel Fuel Oil and Starting Air. . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.3-1B 3.8.4DC Sources-Operating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.4-1B 3.8.5DC Sources-Shutdown. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.5-1B 3.8.6Battery Cell Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.6-1B 3.8.7Inverters-Operating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.7-1B 3.8.8Inverters-Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.8-1B 3.8.9Distribution Systems-Operating. . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.9-1 B 3.8.10Distribution Systems-Shutdown. . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.10-1B 3.9REFUELING OPERATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.1-1 B 3.9.1Boron Concentration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.1-1 B 3.9.2Primary Grade Water Flow Path IsolationValves-MODE6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.2-1B 3.9.3Nuclear Instrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.3-1B 3.9.4Containment Penetrations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.4-1B 3.9.5Residual Heat Removal (RHR) and CoolantCirculation-High Water Level . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.5-1B 3.9.6Residual Heat Removal (RHR) and CoolantCirculation-Low Water Level. . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.6-1B 3.9.7Refueling Cavity Water Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.7-1 Intentionally Blank North Anna Units 1 and 2B 2.1.1-1Revision 13 Reactor Core SLs B 2.1.1B 2.1SAFETY LIMITS (SLS)B 2.1.1Reactor Core SLsBASESBACKGROUNDGDC10 (Ref.1) requires that specified acceptable fuel design limits are not exceeded during steady state opera tion, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (the 95/95DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature.
The restrictions of this SL prevent overheating of the fuel and cladding, as well as possible cladding perforation, that would result in the release of fission products to the reactor coolant.
Overheating of the fuel is prevented by maintaining the steady st ate peak linear heat rate (LHR) below the level at which fuel centerline melting occurs. The maximum fuel centerline temperatures are given by the best
-estimate relationships defined in SL2.1.1.2 and are dependent upon whether the Westinghouse or Framatome fuel is evalua ted. Overheating of the fu el cladding is prevented by restricting fuel operation to with in the nucleate boiling regime, where the heat transfer coefficient is large and the cladding su rface temperature is slightly above the coolant saturation temperature.
Fuel centerline melting occurs when th e local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline
melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.
Operation above the boundary of the nu cleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in heat transfer coefficient.
Inside the steam film, high cladding temperatures are reache d, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally (continued)
North Anna Units 1 and 2B 2.1.1-2Revision 9 Reactor Core SLs B 2.1.1BASESBACKGROUND (continued)weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.The proper functioning of the Reactor Protection System (RPS) and main steam safety valves prevents vi olation of the reactor core SLs.APPLICABLE SAFETY ANALYSESThe fuel cladding must not sustain da mage as a result of normal operation and AOOs. The reactor core SLs are es tablished to preclude violation of the following fuel design criteria:a.There must be at least 95% probabili ty at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; andb.The hot fuel pellet in the core must not experience centerline fuel melting.The Reactor Trip System allowable values (Ref.2), in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, and flow, AFD, and THERMAL POWER level that would result in a departure from nucleate boiling ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.
Automatic enforcement of these re actor core SLs is provided by the appropriate operation of the RPS a nd the main steam safety valves.
The SLs represent a design requireme nt for establishing the RPS trip allowable values identified previously (as indicated in the UFSAR, Ref.2). LCO3.4.1, "RCS Pressure, Temperat ure, and Flow Departure from Nucleate Boiling (DNB) Limits," or th e assumed initial conditions of the safety analyses provide more restrictive limits to ensure that the SLs are not exceeded.SAFETY LIMITSThe figure provided in the CO LR shows the loci of points of THERMAL POWER, RCS pressure, and average temperature for which the minimum DNBR is not less than the safety analyses limit, that fuel centerline temperature remains below (continued)
Reactor Core SLs B 2.1.1BASESNorth Anna Units 1 and 2B 2.1.1-3Revision 9 SAFETY LIMITS (continued) melting, that the average enthalpy in the hot leg is less than or equal to the enthalpy of saturated liquid, or that the exit quality is within the limits defined by the DNBR correlation.The reactor core SLs are established to preclude violation of the following fuel design criteria:
a.There must be at least a 95% probability at a 95%
confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; andb.There must be at leas t a 95% probability at a 95% confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.The reactor core SLs are us ed to define the various RPS functions such that the above criteria are satisfied during steady state operation, normal operational transients, and anticipate d operational occurrences (AOOs). To ensure that the RPS precludes the viol ation of the above criteria, additional criteria are applied to the Overtemperature and Overpower T reactor trip functions. That is, it must be demonstr ated that the average enthalpy in the hot leg is less than or equal to the saturation enthalpy and that the core exit quality is within the limits define d by the DNBR correlation. Appropriate functioning of the RPS and main steam safety valves ensures that for variations in the THERMAL POWER, RCS pressure, RCS average
temperature, RCS flow rate, and AFD that the reactor core SLs will be satisfied during steady state operation, normal operational transients, and
AOOs.APPLICABILITYSL2.1.1 only applies in MODES1 and2 because these are the only MODES in which the reactor is critical. Automatic protec tion functions are required to be OPERABLE during MODES1 and2 to ensure operation within the reactor core SLs. The main steam safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor tr ip function, which forces the unit into MODE3. Allowable values for the reactor trip functions are specified in LCO3.3.1, "Reactor Trip System (RTS) Instrumentation." In MODES3, 4, 5, and6, Applicability is not required since the re actor is not generating significant THERMAL POWER.
North Anna Units 1 and 2B 2.1.1-4Revision 0 Reactor Core SLs B 2.1.1BASESSAFETY LIMIT VIOLATIONSIf SL2.1.1 is violated, the requirement to go to MODE3 places the unit in a MODE in which this SL is not applicable.The allowed Completion Time of 1 hour recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probabil ity of fuel damage.REFERENCES1.UFSAR, Section3.1.6.2.UFSAR, Section7.2.
North Anna Units 1 and 2B 2.1.2-1Revision 20RCS Pressure SL B 2.1.2B 2.1  SAFETY LIMITS (SLs)B 2.1.2Reactor Coolant Syst em (RCS) Pressure SLBASESBACKGROUNDThe SL on RCS pressure protects the inte grity of the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant.
The RCS then serves as the primary barrier in preventing the release of fi ssion products into the atmosphere. By establishing an upper li mit on RCS pressure during operating conditions, the continued integrity of the RCS is ensured. According to GDC14, "Reactor Coolant Pressure Boundary," and GDC15, "Reactor Coolant System Design" (Ref.1), the reacto r coolant pressure boundary (RCPB) design conditions are not to be exceeded during normal operation and anticipated operational occurrences (AOOs). Also, in accordance with GDC28, "Reactivity Limits" (Ref.1), reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.
The design pressure of the RCS is 2500psia. During norma l operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with SectionIII of the ASME Code (Ref.2). To ensure system integrity, all RCS components are hydrostatically tested
at 125% of design pressure, accordi ng to the ASME Code requirements prior to initial operation when there is no fuel in the core. Following inception of unit operation, RCS component s shall be pressure tested, in accordance with the requirements of ASME Code, SectionXI (Ref.3).Overpressurization of the RCS could result in a breach of the RCPB. If such a breach occurs in conjunction with a fuel cladding failure, fission
products could enter the containment at mosphere, raising concerns relative to limits on radioactive releases specified in 10CFR50.67 (Ref.4).APPLICABLE SAFETY ANALYSESThe RCS pressurizer safety valves, the main steam safety valves (MSSVs),
and the reactor high pressure trip have settings established to ensure that the RCS pressure SL will not be exceeded.
(continued)
North Anna Units 1 and 2B 2.1.2-2Revision 0RCS Pressure SL B 2.1.2BASESAPPLICABLE SAFETY ANALYSES(continued)The RCS pressurizer safety valves are sized to prevent system pressure from exceeding the design pressure by more than 10%, as specified in SectionIII of the ASME Code for Nuclear Power Plant Components (Ref.2). The transient that establishes the required relief capacity, and hence valve size requirements and lift settings, is a complete loss of external load without a direct reactor trip. During the transient, no control actions are assumed, except that the sa fety valves on the secondary plant are assumed to open when the steam pr essure reaches the secondary plant safety valve settings, and nominal feedwater supply is maintained.The Reactor Trip System allowable values (Ref.5), together with the
settings of the MSSVs, provide pre ssure protection for normal operation and AOOs. The reactor high pressure trip allowable value is specifically determined to provide protection against overpressurization (Ref.5). The
safety analyses for both the high pres sure trip and the RCS pressurizer safety valves are performed using c onservative assumptions relative to pressure control devices.More specifically, no credit is ta ken for operation of the following:a.Pressurizer power operated relief valves (PORVs);b.Steam Generator PORVs;c.Steam Dump System;d.Reactor Control System;e.Pressurizer Level Control System; orf.Pressurizer spray valve.SAFETY LIMITSThe maximum transient pressure allowed in the RCS pressure vessel under the ASME Code, SectionIII, is 110%
of design pressure. The maximum transient pressure allowed in the RCS piping, valves, and fittings under USAS, SectionB31.1 (Ref.6) is 120%
of design pressure. The most limiting of these two allowances is the 110% of design pressure; therefore, the SL on maximum allowable RCS pressure is 2735psig.APPLICABILITYSL2.1.2 applies in MODES1, 2, 3, 4, and5 because this SL could be approached or exceeded in these MODES due to overpressurization events.
The SL is not applicable in MODE6 because the reactor vessel head closure bolts are not fully tightened, making it unl ikely that the RCS can be pressurized.
RCS Pressure SL B 2.1.2BASESNorth Anna Units 1 and 2B 2.1.2-3Revision 20 SAFETY LIMIT VIOLATIONSIf the RCS pressure SL is violated when the reactor is in MODE1 or2, the requirement is to restore compliance and be in MODE3 within 1hour.Exceeding the RCS pressure SL ma y cause immediate RCS failure and create a potential for radioactive releases in excess of 10CFR50.67 limits (Ref.4).The allowable Completion Time of 1hour recognizes the importance of reducing power level to a MODE of operation where the potential for challenges to safety systems is minimized.
If the RCS pressure SL is exceeded in MODE3, 4, or5, RCS pressure must be restored to within the SL value within 5minutes. Exceeding the RCS pressure SL in MODE3, 4, or5 is more severe than exceeding this SL in MODE1 or2, since the reactor vessel temperature may be lower and the vessel material, consequently, less ducti le. As such, pressure must be reduced to less than the SL within 5minutes. The action does not require reducing MODES, since this would re quire reducing temperature, which would compound the problem by adding th ermal gradient stresses to the existing pressure stress.REFERENCES1.UFSAR, Sections3.1.10, 3.1.11, and 3.1.24.2.ASME, Boiler and Pressure Vessel Code, SectionIII, ArticleNB-7000.3.ASME, Boiler and Pressure Vessel Code, SectionXI, ArticleIWX-5000.4.10CFR50.67.5.UFSAR, Section7.2.
6.USASB31.1, Standard Code for Pre ssure Piping, American Society of Mechanical Engineers,1967.
Intentionally Blank North Anna Units 1 and 2B 3.0-1Revision 44 LCO Applicability B 3.0B 3.0LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITYBASESLCOsLCO3.0.1 through LCO3.0.9 establish the general requirements applicable to all Specifications a nd apply at all times
, unless otherwise stated.LCO3.0.1LCO3.0.1 establishes the Applicability statemen t within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the
Applicability statement of each Specification).LCO3.0.2LCO3.0.2 establishes that upon discovery of a fail ure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applic able from the point in time that
an ACTIONS Condition is entered. Th e Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:a.Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; andb.Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.
There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedi al measures that permit continued operation of the (continued)
North Anna Units 1 and 2B 3.0-2Revision 0 LCO Applicability B 3.0BASESLCO3.0.2(continued)unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.
Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherw ise stated in the individual Specifications.
The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Re quired Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Ac tions where this is the case. An example of this is in LCO3.4.3, "RCS Pressure and Temperature (P/T)
Limits."The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons
for intentionally relying on the ACTI ONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of ope rational problems. Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTION S should not be ma de for operational convenience. Additionally, if intenti onal entry into ACTIONS would result in redundant equipment be ing inoperable, alternatives should be used instead. Doing so limits the time both subsystems/trains of a safety
function are inoperable and limits th e time conditions exist which may result in LCO3.0.3 being entered. I ndividual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this ti me limit expires, if the equipment remains removed from service or bypassed.
When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of th e associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.
LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-3Revision 0LCO3.0.3LCO3.0.3 establishes the actions that must be implemented when an LCO is not met and:a.An associated Required Action and Completion Time is not met and no other Condition applies; orb.The condition of the unit is not speci fically addressed by the associated ACTIONS. This means that no combin ation of Conditions stated in the ACTIONS can be made that exactl y corresponds to the actual condition of the unit. Sometimes, possible co mbinations of Conditions are such that entering LCO3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corres ponding to such combinations and also that LCO3.0.3 be entered immediately.
This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition wh en operation cannot be maintained within the limits for safe opera tion as defined by the LCO and its ACTIONS. It is not intended to be us ed as an operational convenience that permits routine voluntary removal of redundant systems or components
from service in lieu of other alternatives that w ould not result in redundant systems or components being inoperable.Upon entering LCO3.0.3, 1hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation.
This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to re ach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well
within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor
Coolant System and the potential fo r a unit upset that could challenge safety systems under conditions to wh ich this Specification applies. The use and interpretation of specified times to complete the actions of LCO3.0.3 are consistent with the discussion of Section1.3, Completion Times.(continued)
North Anna Units 1 and 2B 3.0-4Revision 0 LCO Applicability B 3.0BASESLCO3.0.3(continued)
A unit shutdown required in accordance with LCO3.0.3 may be terminated and LCO3.0.3 exited if any of the following occurs:a.The LCO is now met.b.A Condition exists for which the Required Actions have now been performed.c.ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable fr om the point in time that the Condition is initially entered and not from the time LCO3.0.3 is exited.The time limits of Specification3.0.3 allow 37hours for the unit to be in MODE5 when a shutdown is required during MODE1 operation. If the unit is in a lower MODE of opera tion when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE5, or other applicable MODE, is not reduced. For example, if MODE3 is reached in 2hours, then the time allowed for reaching MODE4 is the next 11hours, because the total time for reaching MODE4 is not reduced from the allowable limit of 13hours. Theref ore, if remedial measures are completed that would permit a return to MODE1, a penalty is not incurred by having to reach a lo wer MODE of operation in less than the total time allowed.In MODES1, 2, 3, and4, LCO3.0.3 provi des actions for Conditions not covered in other Specifications. The requirements of LCO3.0.3 do not apply in MODES5 and6 because the unit is already in the most restrictive Condition required by LCO3.0.3. The requirements of LCO3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE1, 2, 3, or4) because the ACTIONS of i ndividual Specifications sufficiently define the remedial measures to be taken.Exceptions to LCO3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO3.7.16, "Fuel Storage Pool Water Level." LCO3.7.16 has an Applicability of "During movement of irradiated fuel assemblies in the fuel storage pool." Therefore, this LCO (continued)
LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-5Revision 0LCO3.0.3(continued) can be applicable in any or all MODES. If the LCO and the Required Actions of LCO3.7.16 are not met while in MODE1, 2, or3, there is no safety benefit to be ga ined by placing the unit in a shutdown condition. The Required Action of LCO3.7.16 of "Suspend movement of irradiated fuel assemblies in the fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO3.0.3. These exceptions are
addressed in the individual Specifications.LCO3.0.4LCO3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It precludes placing the unit in a MODE or other specified condition stated in that Applicability (e.g., Applicability desired to be entered) when the following exist:a.Unit conditions are such that the requirements of the LCO would not be met in the Applicability desired to be entered; andb.Continued noncompliance with the LCO requirements, if the Applicability were entered, would re sult in the unit being required to exit the Applicability desired to be entered to comply with the Required Actions.Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an accep table level of safety for continued operation.
This is without regard to the status of the unit before or after the MODE
change. Therefore, in such cases, en try into a MODE or other specified
condition in the Applicability may be made in accordance with the provisions of the Required Actions.When an LCO is not met, LCO3.0.4 al so allows entering MODES or other specified conditions in th e Applicability following assessment of the risk impact and determination that the impact can be managed. The risk evaluation may use quantitative, qualita tive, or blended approaches, and the risk evaluation will be conducted using the plant program, procedures, and criteria in place to implement 10CFR50.65(a)(4), which requires that risk impacts of maintenance activi ties to be assessed and managed. The risk evaluations will be condu cted using the procedures and (continued)
North Anna Units 1 and 2B 3.0-6Revision 0 LCO Applicability B 3.0BASESLCO3.0.4(continued) guidance endorsed by Regulatory Guide1.182, "Assessing and Managing Risk Before Maintenance Activi ties at Nuclear Power Plants."
The results of the risk evaluation sha ll be considered in determining the
acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions.
Consideration will be given to the pr obability of comp leting restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times th at would require exiting the Applicability.A risk assessment and establishment of risk management actions, as appropriate, are required for determin ation of acceptable risk for entering MODES or other specified conditions in the Applicability when an LCO is not met. The elements of the risk as sessment and risk management actions are included in Regulatory Guide1.182 which addresses general guidance for conduct of the risk evaluation, quantitative and qualitative guidelines
for establishing risk management act ions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and
management personnel, actions to reduce the duration of the condition, actions to minimize the ma gnitude of risk increas es (establishment of backup success paths or co mpensatory measures), and determination that the proposed MODE change is acceptable.
A quantitative, qualitative, or blended risk evaluation must be performed to assess the risk impact of entering the MODE or other specified condition in the Applicability, based on the specific plant configuration at that time and the risk impacts must be managed in accordance with the assessment results.From generic evaluations, systems/components can be identified which are equally or more important to risk in MODE1 than in the transition MODES. The Technical Specifications allow continued operation with this equipment unavailable during MODE1 operation for the duration of the Completion Time. Since this is allowa ble, and since the risk impact bounds the risk of transitioning up in MODE and entering the Conditions and
Required Actions, the use of the LCO3.0.4 allowance for these systems should be generally accepta ble, as long as the risk is assessed and managed as(continued)
LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-7Revision 0LCO3.0.4(continued)stated above. However, there is a small subset of systems/components that have been generically determined to be more important to risk in MODES2-5 and do not have the LCO3.0.4 allowance. These system/components are listed below.
The Applicability should be reviewed with respect to the actual plant configuration at that time. Each individual application of LCO3.0.4.b, whether due to one or more than one LCO3.0.4.b allowance at the same time, is required to be evaluated under the auspices of 10CFR50.65(a)(4) and consideration of risk manageme nt actions discussed in Regulatory Guide1.182. For those cases where the ri sk of the MODE change may be greater (i.e., the systems and component s listed below), prior NRC review and approval of a specific LCO3.0.4 allowance is required.The LCO3.0.4.b allowance typically only applies to systems and
components. The values and parameters of the Technical Specifications (e.g., Containment Air Temperature, Containment Pressure, Moderator Temperature Coefficient, etc.) ar e typically not addressed by this LCO3.0.4.b allowance. These values a nd parameters are addressed by the LCO3.0.4.c allowance.A list of the LCO3.0.4.c specific value and parameter allowances approved by the NRC is provided below.LCO3.4.16, RCS Sp ecific Activity In order to support the conduct of the appropriate assessments, each Owners Group has performed an evaluation to identify plant systems or components which are more important to risk in the transition MODES than in MODE1. To apply the LCO3.0.4 allowance to these systems and
components, prior NRC re view and approval is required. These systems are listed in the following table.
(continued)
North Anna Units 1 and 2B 3.0-8Revision 0 LCO Applicability B 3.0BASESLCO3.0.4(continued)NUMARC93-01, "Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,"
states that the rigor of the risk analysis should be commensurate with the risk impact of the proposed configuration. For unavailable plant systems or components listed on the above table, a plant MODE change has been determined, through generic evaluation, to result in a potential risk increase. Therefore, prior NRC review and approval is required to apply the LCO3.0.4 allowance to these systems and components.
For unavailable plant systems or co mponents not appearing in the above table, proposed plant MODE changes will generally not involve a risk increase greater than the system or component being unavailable in MODE1. The risk assessment performed to support use of LCO3.0.4.b for systems or components not appeari ng on the above table must meet all considerations of NUMARC93-01, but need not be documented.LCO3.0.4.b may be used with single, or multiple systems or components unavailable. NUMARC93-01 provides gui dance relative to consideration of simultaneous unavailability of multiple systems or components.
The provisions of this Specification s hould not be interpreted as endorsing
the failure to exercise the good practice of restor ing systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.
(continued)
System*MODE or Other Specified
Condition in the Applicability RCS Loops (RHR) 5LTOP System 4, 5ECCS Shutdown (ECCS High
Head Subsystem) 4AFW System 1AC Sources (Diesel Generators)1, 2, 3, 4, 5, 6*Including systems supporting the OPERABILITY of the listed systems.
LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-9Revision 0LCO3.0.4(continued)The provisions of LCO3.0.4 shall not prevent changes in MODES or other specified conditions in th e Applicability th at are required to comply with ACTIONS. In addition, the provisions of LCO3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown.LCO 3.0.4 is only applicable when entering MODE 4 from MODE5, MODE 3 from MODE 4, MODE 2 from MODE 3, or MODE 1 from
MODE 2. Furthermore, LCO 3.0.4 is a pplicable when entering any other specified condition in the Applicabili ty only while operating in MODES 1, 2, 3, or 4. The requirements of LCO 3.0.4 do not apply in MODES 5 and 6, or in other specified conditions of the Applicability (unless in MODES 1, 2, 3, or4) because the ACTIONS of i ndividual Specifications sufficiently define the remedial measures to be taken.
Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR3.0.1. Therefore, changing MODES or other specified conditions while in an ACTIONS Condition, in compliance with LCO3.0.4, is not a violation of SR3.0.1 or SR3.0.4 for those Surveillances that do not have to be performed due to the associated inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.LCO3.0.5LCO3.0.5 establishes the allowanc e for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO3.0.2 (e.g., to not comply with the applicable Required Action(
s)) to allow the performance of required testing to demonstrate:
a.The OPERABILITY of the equipment being returned to service; orb.The OPERABILITY of other equipment.
(continued)
North Anna Units 1 and 2B 3.0-10Revision 0 LCO Applicability B 3.0BASESLCO3.0.5(continued)
The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perfor m the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance.
An example of demonstrating the OP ERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Acti ons and must be reopened to perform the required testing.An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip sy stem out of the tripped condition to prevent the trip function from oc curring during the performance of required testing on another channel in the other trip system. A similar example of demonstrating the OPER ABILITY of other equipment is
taking an inoperable channel or trip sy stem out of the tripped condition to permit the logic to function and indi cate the appropriate response during the performance of required testing on another channel in the same trip system.LCO3.0.6LCO3.0.6 establishes an exception to LCO3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO3.0.2 would require that the Conditions and
Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperab ility of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Ac tions may include entering the supported system's Conditions and Required Actions or may specify other
Required Actions.
When a support system is i noperable and there is an LCO specified for it in the TS, the supported system(s) are requ ired to be declared inoperable if determined to be inoperabl e as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unl ess directed to do so by the support system's Required Actions. The potential c onfusion and inconsistency of requirements related to the entry into multiple support and supported (continued)
LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-11Revision 0LCO3.0.6(continued)systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the supp ort system's Required Actions.However, there are instances where a support system's Required Action
may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Ac tions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whet her it is immediate or after some delay, when a support system's Requir ed Action directs a supported system to be declared inoperable or direct s entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO3.0.2.Specification5.5.14, "Safety Function Determination Program (SFDP),"
ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability an d corresponding exception to entering supported system Conditions and Re quired Actions. The SFDP implements the requirements of LCO3.0.6.
Cross train checks to identify a loss of safety function for those support systems that support multiple and re dundant safety systems are required.
The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPER ABLE, thereby ensuring safety function is retained. A loss of safety function may exist when a support system is inoperable, and:a.A required system redundant to sy stem(s) supported by the inoperable support system is also inoperable; or (EXAMPLE B3.0.6-1)b.A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable; or (EXAMPLE B3.0.6-2)
(continued)
North Anna Units 1 and 2B 3.0-12Revision 0 LCO Applicability B 3.0BASESLCO3.0.6(continued)c.A required system redundant to support system(s) for the supported systems (a) and (b) above is also inoperable. (EXAMPLE B3.0.6-3)EXAMPLE B3.0.6-1If System 2 of Train A is inoperable, and System 5 of Trai n B is inoperable, a loss of safety function exists in supported System 5.EXAMPLE B3.0.6-2If System 2 of Train A is inoperable, and System 11 of Train B is inoperable, a loss of safety function exists in System 11 which is in turn supported by System 5.EXAMPLE B3.0.6-3If System 2 of Train A is inoperable, and System 1 of Trai n B is inoperable, a loss of safety function exists in Systems 2, 4, 5, 8, 9, 10 and 11.
If this evaluation determines that a loss of safety function exists, the appropriate Conditions a nd Required Actions of th e LCO in which the loss of safety function exists are required to be entered.
(continued)
LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-13Revision 0LCO3.0.6(continued)
(continued)TRAIN ATRAIN BSystem 8System 8System 4System 4System 9System 9System 2System 2System 10System 10 System 5System 5System 11System 11 System 1System 1System 12System 12 System 6System 6System 13System 13 System 3System 3System 14System 14 System 7System 7System 15System 15 North Anna Units 1 and 2B 3.0-14Revision 0 LCO Applicability B 3.0BASESLCO3.0.6(continued)
This loss of safety function does not require consideration of additional single failures or loss of offsite power. Since operati on is being restricted in accordance with the ACTIONS of the support system, this accounts for any temporary loss of redundancy or single failure protection. Similarly, the ACTIONS for inoperable offsite ci rcuit(s) and i noperable diesel generator(s) provide the ne cessary restriction for cr oss train inoperabilities.
This explicit cross train verificati on for inoperable AC electrical power sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency
electrical power source (refer to the definition of OPERABILITY).When a loss of safety function is determined to exist, and the SFDP
requires entry into the appropriate C onditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be
given to the specific type of function affected. Where a loss of function is solely due to a single Technical Sp ecification support system (e.g., loss of
automatic start due to inoperable inst rumentation, or loss of pump suction source due to low tank level) the a ppropriate LCO is the LCO for the support system. The ACTIONS for a support system LCO adequately addresses the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple
support systems, the appr opriate LCO is the LCO for the supported system.LCO3.0.7There are certain special tests and operations required to be performed at various times over the life of the unit.
These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions. Test Exception LCOs 3.1.9 and 3.4.19 allow specified Technical
Specification (TS) require ments to be changed to permit performances of these special tests and operations, whic h otherwise could not be performed if required to comply with the require ments of these TS. Unless otherwise specified, all the other TS require ments remain unchanged. This will
ensure all appropriate requirements of the MODE or other specified condition not directly associated with or require d to be changed to perform the special test or operation will remain in effect.
(continued)
LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-15Revision32LCO3.0.7(continued)The Applicability of a Test Excep tion LCO represents a condition not necessarily in compliance with the normal requirements of the TS. Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other appl icable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.LCO3.0.8LCO3.0.8 establishes conditions u nder which systems are considered to remain capable of performing thei r intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not cap able of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical
Specifications (TS) unde r licensee control. The snubber requirements do not meet the criteria in 10CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee.
If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported system's LCO(s) must be declared not met and the C onditions and Required Actions entered in accordance with LCO3.0.2.LCO3.0.8.a applies when one or mo re snubbers are not capable of providing their associated support functi on(s) to a single train or subsystem of a multiple train or subsystem supported system or to a single train or subsystem supported system. LCO3.0.8.a allows 72 hours to restore the snubber(s) before declaring the supported system inoperable. The 72hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of
performing their associated support function and due to the availability of the redundant train of the supported system.
(continued)
North Anna Units 1 and 2B 3.0-16Revision 38 LCO Applicability B 3.0BASESLCO3.0.8(continued)LCO3.0.8.b applies when one or mo re snubbers are not capable of providing their associated support function(s) to mo re than one train or subsystem of a multiple train or subsystem supported system. LCO3.0.8.b allows 12hours to restore the snubbe r(s) before declaring the supported system inoperable. The 12hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported syst em occurring while the snubber(s) are not capable of performing th eir associated support function.In order to use LCO3.0.8 for an inoperable snubber(s) the following conditions required by the NRC must be satisfied:
?When applying LCO3.0.8.a, at least one train of Aux iliary Feedwater (AFW) System must be OPERAB LE during MODES when AFW is required to be OPERABLE. When applying LCO3.0.8.a during MODES when AFW is not required to be OPERABLE, at least one train of the mode specific credited core cooling method (i.e., Residual Heat Removal System) must be OPERABLE.
Reliance on the availability of credited core cooling source during modes where AFW is not required to be OPERABLE, provides an equivalent safety margin for plant
operations and meets the intent of Technical Specification Task Force (TSTF) 372.
?When applying LC0 3.0.8.b, at leas t one AFW train (including a minimum set of supporting equipmen t required for its successful operation) not associated with the inoperable snubber(s) shall be OPERABLE, or some alternative means of core cooling (e.g., feed and
bleed, fire water system, or "aggres sive secondary cooldown" using the steam generators) must be available.
?Confirm that at least one train (or subsystem) of systems supported by the inoperable snubbers would rema in capable of performing their required safety or support functions for postulated design loads other than seismic loads. LCO3.0.8 does not apply to non-seismic snubbers.In addition, LCO3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of 10CFR50.65(a)(4)
(the Maintenance Rule) does not address seismic risk. However, use of LCO3.0.8 should be considered with respect to other plant maintenance activities, and integrated into the exis ting Maintenance Rule process to the extent possible so that maintenance on any unaffected train or subsystem is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and com ponents when one or more snubbers
are not able to perform their associated support function.
North Anna Units 1 and 2B 3.0-17Revision 44 LCO Applicability B 3.0LCO3.0.9LCO3.0.9 establishes conditions which under which systems described in the Technical Specifications are considered to remain OPERABLE when required barriers are not capable of providi ng their related support function(s).Barriers are doors, walls, floor plugs, curbs, hatches, installed structures or components, or other devices, not explicitly described in Technical Specifications, that support the perf ormance of the safety function of systems described in Technical Specifications. This LCO states that the supported system is not considered to be inoperable solely due to required barriers not capable of performing their related support function(s) under the described conditions. LCO3.0.9 allows 30days before declaring the supported system(s) inoperable and the LCO(s) associated with the supported system(s) not met. A maximum time is placed on each use of this allowance to ensure that as required barriers are found or are otherwise made unavailable, they are restored. However, the allowable duration may be less than the specified maximum time based on risk assessment.
If the allowed time expires and the barriers are unable to perform their related support function(s), the supported system's LCO(s) must be
declared not met and the Conditions and Required Actions entered in accordance with LCO3.0.2.
This provision can be applied to barriers that protect against the initiating events listed below. The provision can not be applied to the TS ventilation systems since specific Conditions are provided for an inoperable barrier.
The provision cannot be applied to a fire barrier. However, if the barrier performs multiple functions (e.g., fire and HELB) and if the fire barrier program requirements can be satisfied then LCO3.0.9 can be applied to the barrier for the HELB function. This provision does not apply to barriers which are not required to suppor t system OPERABILITY (see NRC Regulatory Issue Summary 2001-09, "Contro l of Hazard Barriers," dated April2,2001).The provisions of LCO3.0.9 are just ified because of the low risk associated with required barriers not being capable of performing their related support function. This provision is based on consideration of the following uniting event categories:
?Loss of coolant accidents; (continued)
North Anna Units 1 and 2B 3.0-18Revision 44 LCO Applicability B 3.0BASESLCO3.0.9(continued)
?High energy line breaks;
?Feedwater line breaks;
?Internal flooding;
?External flooding;
?Turbine missile ejection; and
?Tornado or high wind The risk impact of the barriers whic h cannot perform their related support function(s) must be a ddressed pursuant to the risk assessment and management provision of the Maintenance Rule, 10CFR50.65(a)(4), and the associated implementation guidance, Regulatory Guide1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide1.182 endorses the guidance in Section11 of NUMARC93-01, "Industr y Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." This guidance
provides for the consideration of dynamic plant configuration issues, emergent conditions, and ot her aspects pertinent to plant operation with the barriers unable to perform their related support function(s). These considerations may result in risk management and other compensatory actions being required during the period that barriers are unable to perform their related support function(s).
The resultant risk management actions may impose time limits for barrier removal. In addition, other considera tions, such as the administrative provisions for controlling fire barriers and the plant technical
specifications, may place limitations on continued reactor operation with a hazard barrier removed. It may be possi ble to take compensatory measures to maintain SSC operability and avoid entering the technical specifications action statement for shutting down the reactor (e.g., installing a temporary barrier that provides equivalent protection or establishing administrative controls). Also, if the hazard does not exist at the time, the SSC would remain operable.LCO3.0.9 may be applied to one or more trains or subsystems of a system supported by barriers th at cannot provide their (continued)
LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-19Revision 44LCO3.0.9(continued) related support function(s), provided th at risk is assessed and managed (including consideration of the effects on Large Early Release and from external events.) LCO3.0.9 cannot be applied concurrently to more than
one train or subsystem of a multiple train or subs ystem supported system, if the barrier supporting each of these trains or subsys tems provides it related support function(s) for same category of initiating events. If applied
concurrently to more than one train or subsystem of a multiple train or subsystem supported system, the barriers supporting each of these trains or subsystems must provide their related support function(s) for different categories of initiating events. For example, LCO3.0.9 may be applied for up to 30days for more than one train of a multiple train supported system if the affected barrier for one train pr otects against internal flooding and the affected barrier for the other train prot ects against tornado missiles. In this example, the affected barrier may be the same physical barrier but serve different protection f unctions for each train.If during the time that LCO3.0.9 is being used, the required OPERABLE
train or subsystem becomes inoperable, it must be restored to OPERABLE status within 24hours. Otherwise, th e train(s) or subsystem(s) supported by barriers that cannot perform their related support function(s) must be
declared inoperable and the associat ed LCOs declared not met. This 24hour period provides time to respond to emergent conditions that would likely lead to entry into LCO3.0.3 a nd a rapid plant shutdown, which is not justified given the low probability of an initiating event which would
require the barrier(s) not capable of performing their related support function(s). During this 24hour period, th e plant risk associated with the existing conditions is assessed a nd managed in accordance with 10CFR50.65(a)(4).
North Anna Units 1 and 2B 3.0-20Revision 44 SR Applicability B 3.0BASESB 3.0SURVEILLANCE REQUIREMENT (SR) APPLICABILITYBASESSRsSR3.0.1 through SR3.0.4 establish the ge neral requirements applicable to all Specifications and apply at all times, unless otherwise stated.SR3.0.1SR3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise spec ified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR3.0.2, constitutes a failure to meet an LCO. Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency.
Systems and components are assume d to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE
when:a.The systems or components are known to be inoperable, although still meeting the SRs; orb.The requirements of the Surveillance(s) are known not to be met between required Survei llance performances.
Surveillances do not have to be perform ed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the re quirements of a Specification.
Unplanned events may satisfy the requirements (incl ude applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normall y precluded in a given MODE or other specified condition.
(continued)
SR Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-21Revision 44SR3.0.1(continued)Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inopera ble equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met and performed in accordance with SR3.0.2, prior to returning equipment to OPERABLE status.
Upon completion of maintenance, appropr iate post mainte nance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR3.0.2. Post main tenance testing may not be possible
in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters no t having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This
will allow operation to proceed to a MODE or other specified condition
where other necessary post mainte nance tests can be completed.SR3.0.2SR3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per..."
interval.SR3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillan ce scheduling and considers unit operating c onditions that may not be suitable for conducting the Surveillance (e.g., transi ent conditions or other ongoing Surveillance or maintenance activities).
The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular
Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR3.0.2 are thos e Surveillances for which the 25%
extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications.
The requirements of regulations take precedence over the TS. An example of where SR3.0.2 does not apply is the Containment Leakage Rate Testing (continued)
North Anna Units 1 and 2B 3.0-22Revision 44 SR Applicability B 3.0BASESSR3.0.2(continued)
Program. This program establishes testing requirem ents and Frequencies in accordance with the requirements of regulations.As stated in SR3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25% extensi on applies to each performance after the initial performance.
The initial performanc e of the Required Action, whether it is a particular Surveillan ce or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.The provisions of SR3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.SR3.0.3SR3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24hours or up to the limit of the specified Frequency, whichever is greater, applie s from the point in time that it is di scovered that the Surveillance has not been performed in accordance with SR3.0.2, and
not at the time that the sp ecified Frequency was not met.
This delay period provides adequate time to complete Surveillances that have been missed. This delay pe riod permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.
The basis for this delay period incl udes consideration of unit conditions, adequate planning, availability of pe rsonnel, the time required to perform the Surveillance, the safety significance of the delay in completing the
required Surveillance, and the recognition that the most probable result of
any particular Su rveillance being (continued)
SR Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-23Revision 44SR3.0.3(continued) performed is the verification of conformance with the requirements.When a Surveillance with a Frequenc y based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE1 after eac h fuel loading, or in accordance with 10CFR50, AppendixJ, as modified by approved exemptions, etc.) is discov ered to not have been performed when specified, SR3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.SR3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.
Failure to comply with specified Freque ncies for SRs is expected to be an infrequent occurrence. Use of the de lay period established by SR3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillan ce will be performed at the first reasonable opportunity.
The determination of the first reasonable opportunity should include c onsideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required to perform the Surveillance or shutting the plan t down to perform the Surveillance) and impact on any analysis assumptions
, in addition to unit conditions, planning, availability of personnel, and th e time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10CFR50.65(a)(4) and its implementation guidance, NRC Regulatory Guide1.182, "Assessing and Managing Risk Before Maintenance Activities at Nu clear Power Plants."
This Regulatory Guide addresses consideration of temporary and aggregate risk impacts,
determination of risk management act ion thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide.
The risk evaluation may use quantitativ e, qualitative, or blended methods.
The degree of depth and rigor of th e evaluation should be commensurate with the(continued)
North Anna Units 1 and 2B 3.0-24Revision 44 SR Applicability B 3.0BASESSR3.0.3(continued)importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk
evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.
If a Surveillance is not completed wi thin the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the
equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO
Conditions begin immediately upon th e failure of the Surveillance.
Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR3.0.1.SR3.0.4SR3.0.4 establishes the requirement th at all applicable SRs must be met
before entry into a MODE or other specified condition in the Applicability.This Specification ensures that sy stem and component OPERABILITY requirements and variable limits are me t before entry into MODES or other specified conditions in the Applicability for which these systems and
components ensure safe operation of the unit.
The provisions of this Specification s hould not be interpreted as endorsing the failure to exercise the good practi ce of restoring syst ems or component to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.
A provision is included to allow entr y into a MODE or other specified condition in the Applicability:
a.When the associated ACTIONS to be entered permit continued operation in the MODE or other specific condition in the Applicability for an unlimited period of time, (continued)
SR Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-25Revision 44SR3.0.4(continued)b.After performance of a risk evaluation, consider ation of the results, determination of the acceptabil ity of the MODE change, and establishment of risk manageme nt actions, if appropriate, orc.When a specific value or parame ter allowance has been approved by the NRC.However, in certain circumstances, faili ng to meet an SR will not result in SR3.0.4 restricting a MODE change or other specified condition change.
When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the as sociated SR(s) are not required to be performed, per SR3.0.1, which states that surveillances do
not have to be performed on inopera ble equipment. When equipment is inoperable, SR3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be perfor med is removed. Therefore, failing to perform the Surveillance(s) within th e specified Frequency does not result in an SR3.0.4 restriction to ch anging MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO3.0.4 will govern any re strictions that may (or may not) apply to MODE or other specified condition changes.The provisions of SR3.0.4 shall not prevent changes in MODES or other
specified conditions in th e Applicability th at are required to comply with ACTIONS. In addition, the provisions of LCO3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that
result from any unit shutdown.
The precise requirements for performance of SRs are specified such that exceptions to SR3.0.4 are not necessary. The specific time frames and conditions necessary for me eting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specifi ed condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that c ould not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not (continued)
North Anna Units 1 and 2B 3.0-26Revision 44 SR Applicability B 3.0BASESSR3.0.4(continued) required (to be met or pe rformed) until a particul ar event, condition, or time has been reached. Further discus sion of the specific formats of SRs' annotation is found in Section1.4, Frequency.SR3.0.4 is only applicable when entering MODE4 from MODE5, MODE3 from MODE4, MODE2 from MODE3, or MODE1 from MODE2. Furthermore, SR 3.0.4 is appl icable when entering any other specified condition in the Applicabili ty only while operating in MODES 1, 2, 3, or4. The requirements of SR3.0.4 do not apply in MODES5 and6,
or in other specified conditions of the Applicability (unless in MODES1, 2, 3, or4) because the ACTIONS of i ndividual Specifications sufficiently define the remedial measures to be taken.
North Anna Units 1 and 2B 3.1.1-1Revision 0 SDMB 3.1.1B 3.1REACTIVITY CONTROL SYSTEMSB 3.1.1SHUTDOWN MARGIN (SDM)BASESBACKGROUNDAccording to GDC26 (Ref.1), the reactivity control systems must be independent and one must be capable of holding the reactor core subcritical when shut down under cold conditions. Maintenance of the SDM ensures that postulated reactivity even ts will not damage the fuel.SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (
AOOs). As such, the SDM defines the
degree of subcriticality that would be obtained immediately following the insertion or scram of all shutdown and control rods, assuming that the single rod cluster assembly of highest reactivity worth is fully withdrawn.
The system design requires that two i ndependent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions
. These requirements are provided by the use of movable control assemblies and soluble boric acid in the Reactor Coolant System (RCS). The Rod Control System can compensate for the reactivity effects of the fuel and wa ter temperature changes accompanying
power level changes over th e range from full load to no load. In addition, the Rod Control System, together with the boration system, provides the
SDM during power operation and is capable of maki ng the core subcritical rapidly enough to prevent exceeding acceptable fuel damage limits, assuming that the rod of highest reactivity worth remains fully withdrawn.
The soluble boron system can compen sate for fuel depletion during operation and all xenon burnout reactivit y changes and maintain the reactor subcritical under cold conditions.
During power operation, SDM control is ensured by operating with the
shutdown banks fully withdr awn and the control banks within the limits of LCO3.1.6, "Control Bank In sertion Limits." When the unit is in the shutdown and refueling m odes, the SDM requirement s are met by means of adjustments to the RCS boron concentration.
North Anna Units 1 and 2B 3.1.1-2Revision 0 SDMB 3.1.1BASESAPPLICABLE SAFETY ANALYSESThe minimum required SDM is assumed as an initial condition in safety analyses. The safety analysis (Ref.2) establishes an SDM that ensures specified acceptable fuel design limits are not exceeded for normal
operation and AOOs, with the assumpti on of the highest worth rod stuck out on scram.
The acceptance criteria for the SD M requirements are that specified acceptable fuel design limits are main tained. This is done by ensuring that:a.The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;b.The reactivity transients associated with postulated accident conditions are controllable within acceptabl e limits (departure from nucleate boiling ratio (DNBR), fuel centerline temperature limits for AOOs, and 225cal/gm energy deposition to unirradiated fuel and 200cal/gm energy deposition to irradiated fuel for the rod ejection accident); andc.The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.
The most limiting accident for the SD M requirements is based on a main steam line break (MSLB), as described in the accident analysis (Ref.2). The increased steam flow resulting fr om a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG), and consequently the RC S. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As RCS temperature decreases, the severity of an MSLB decreases until the MODE5 value is reached. The most limiting MSLB, with respect to potential fuel damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The
positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus terminating RCS heat removal and cooldown. Following the MS LB, a post trip return to power may occur; however, no fuel (continued)
SDMB 3.1.1BASESNorth Anna Units 1 and 2B 3.1.1-3Revision 0APPLICABLE SAFETY ANALYSES(continued) damage occurs as a result of the post trip return to power, and THERMAL POWER does not violate the Safety Limit (SL) requirement of SL2.1.1.In addition to the limiting MSLB transient, the SDM requirement must also protect against:a.An uncontrolled rod withdrawal from subcritical or low power condition;b.Startup of an inactive reactor coolant pump (RCP); andc.Rod ejection.Each of these events is discussed below.
Depending on the system initial conditions and reactivity in sertion rate, the uncontrolled rod withdrawal transient is terminated by either a high source range trip or a high power range neut ron flux trip, an intermediate range neutron flux trip, a high pressurizer pressure or water level trip, or an OTT. In all cases, power level, RCS pr essure, linear heat rate, and the DNBR do not exceed allowable limits.
The startup of an inactive loop even t is defined as an uncontrolled reduction in SHUTDOWN MARGIN resul ting from the startup of an RCP on an idle loop containing a reduc ed coolant temperature or boron concentration. Adherence to LCO3.4.18, "RCS Isolated Loop Startup,"
ensures that the preconditions necessary for significant reactivity insertion during the startup of an inactive loop (i.e., reduced coolant temperature or boron concentration on an idle and unisolated loop) cannot be achieved under credible circumstan ces. Recirculation of reactor coolant in an isolated loop through a loop stop valve bypass line prior to loop unisolation
when performed in accordance with LCO3.4.18 does not constitute an
uncontrolled boron dilution event. The a ccident analysis demonstrates that sufficient time exists for corrective operator action in response to a
postulated reactivity insertion resulting from the recirculation activity.
(continued)
North Anna Units 1 and 2B 3.1.1-4Revision 20 SDMB 3.1.1BASESAPPLICABLE SAFETY ANALYSES(continued)The ejection of a control rod rapidly adds reactivity to the reactor core, causing both the core power level and heat flux to increase with
corresponding increases in reactor cool ant temperatures and pressure. The ejection of a rod also produces a time dependent redistribution of core power.SDM satisfies Criterion2 of 10CFR50.36(c)(2)(ii). Even though it is not directly observed from the control room, SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.LCOSDM is a core design condition that can be ensured during operation through control rod positioning (control and shutdown banks) and through
the soluble boron concentration.The MSLB (Ref.2) accident is the most limiting analysis that establishes the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed Regulatory Guide1.183 limits (Ref.3).APPLICABILITYIn MODE2 with keff <1.0 and in MODES3, 4, and5, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODE6,
the shutdown reactivity requirements are given in LCO3.9.1, "Boron Concentration." In MODES1 and2 with keff>1.0, SDM is ensured by complying with LCO3.1.5, "Shutdown Bank Insertion Limits," and LCO3.1.6, "Control Bank Insertion Limits."ACTIONSA.1If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15minutes is adequate for an operator to correctly
align and start the required systems an d components. It is assumed that boration will be continued until the SDM requirements are met.
In the determination of the required co mbination of boration flow rate and boron concentration, there is no unique re quirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon
as(continued)
SDMB 3.1.1BASESNorth Anna Units 1 and 2B 3.1.1-5Revision 0ACTIONSA.1 (continued) possible, the boron concentration shoul d be a highly concentrated solution, such as that normally found in the bor ic acid storage tank, or the Refueling Water Storage Tank. The operator should borate with the best source available for the unit conditions.
In determining the boration flow rate
, the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle when the boron concentration may approach or exceed 2000ppm. Assuming that a value of 1%k/k must be recovered and a boration flow rate of 10gpm, it is possible to increase the boron concentration of the RCS by 100ppm in approximately 59minutes. If a boron worth of 10pcm/ppm is assumed, this combination of parameters will increase the SDM by 1%k/k. These boration parameters of 10gpm and 12,950ppm represent typical values and are provided for the purpose of offering a specific example.SURVEILLANCE
REQUIREMENT
SSR3.1.1.1In MODES1 and2 with keff1.0, SDM is verified by observing that the requirements of LCO3.1.5 and LCO3.1.6 are met. In the event that a rod is known to be untrippable, however, SDM verification must account for the worth of the untrippable rod as we ll as another rod of maximum worth.In MODE2 with keff<1.0 and MODES3, 4, and5, the SDM is verified by performing a reactivity balance cal culation, considering the listed reactivity effects:a.RCS boron concentration;b.Control and shutdown bank position;c.RCS average temperature;d.Fuel burnup based on gross thermal energy generation; e.Xenon concentration;f.Samarium concentration; andg.Isothermal temperature coefficient (ITC).
North Anna Units 1 and 2B 3.1.1-6Revision 46 SDMB 3.1.1BASESSURVEILLANCE REQUIREMENT
SSR3.1.1.1 (continued)
Using the ITC accounts for Doppler re activity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as the RCS.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section3.1.22.2.UFSAR, Chapter15.3.Regulatory Guide1.183, July2000.
North Anna Units 1 and 2B 3.1.2-1Revision 0 Core Reactivity B 3.1.2B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.2Core ReactivityBASESBACKGROUNDAccording to GDC26, GDC28, and GDC29 (Ref.1), reactivity shall be controllable, such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of
unanticipated changes in fuel, control rod worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity
validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO3.1.1, "SHUTDOWN MARGIN (SDM)") in ensuring the reactor can be brought safely to cold, subcritical conditions.
When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady stat e power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron
leakage, and materials in the core th at absorb neutrons, such as burnable absorbers producing zero net reactivity. Excess reactivity can be inferred from the boron letdown curve (or critical boron curve), which provides an
indication of the soluble boron conc entration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement of the RCS
boron concentration for comparison with the predicted value with other
variables fixed (such as rod height, temperature, pressure, and power),
provides a convenient method of ensuri ng that core reactivity is within design expectations and that the calcul ational models used to generate the safety analysis are adequate.
(continued)
North Anna Units 1 and 2B 3.1.2-2Revision 0Core Reactivity B 3.1.2BASESBACKGROUND (continued)In order to achieve the required fuel cycle energy output, the uranium enrichment, in the new fuel loading and in the fuel remaining from the
previous cycle, provides excess posi tive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical at RTP and moderator temperat ure, the excess positive reactivity is compensated by burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and
the RCS boron concentration.
When the core is producing THER MAL POWER, the fuel is being depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduc ed to decrease negative reactivity and maintain constant THERMAL POWER. The boron letdown curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be
evaluated.APPLICABLE SAFETY ANALYSESThe acceptance criteria for core reactivity are that the reactivity balance limit ensures unit operation is maintain ed within the assumptions of the safety analyses.
Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis ev aluations. Every accident evaluation (Ref.2) is, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating unit data, and analytical benchmarks. Monitoring reactivity balance additionally ensures that the nuclear methods pr ovide an accurate representation of the core reactivity.
Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining r eactivity behavior and the RCS boron concentration requirement s for reactivity control during fuel depletion.
The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and (continued)
Core Reactivity B 3.1.2BASESNorth Anna Units 1 and 2B 3.1.2-3Revision 0APPLICABLE SAFETY ANALYSES(continued) predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculational models used to predict
soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration.
Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdown curve that develop during fuel depletion may be an indication that the calculati onal model is not adequate for core burnups beyond BOC, or that an unexp ected change in core conditions has occurred.
The normalization of pred icted RCS boron concentration to the measured value is typically performed after reaching RTP following startup from a refueling outage, with the control rods in their normal positions for power operation. The normalization is performe d at BOC conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.
Core reactivity satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).
LCOLong term core reactivity behavior is a result of the core physics design and cannot be easily controlled onc e the core design is fixed. During operation, therefore, the LCO can onl y be ensured through measurement and tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that
the uncertainties in the Nuclear Design Methodology are larger than expected. A limit on the reactivity balance of +/-1%k/k has been established based on engin eering judgment. A 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.When measured core reactivity is within 1%k/k of the predicted value at steady state thermal conditions, the co re is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between (continued)
North Anna Units 1 and 2B 3.1.2-4Revision 0Core Reactivity B 3.1.2BASESLCO(continued)measured and predicted values would be approximately 100ppm (depending on the boron worth) before the limit is reached. These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.APPLICABILITYThe limits on core reactivity must be maintained during MODES1 and2 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fu el depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in MODES3, 4, and5 because the reactor is shut down and the reactivity balance is not changing.In MODE6, fuel loading results in a continually changing core reactivity.
Boron concentration requirements (LCO3.9.1, "Boron C oncentration") ensure that fuel movements are performed within the bounds of the safety analysis. An SDM demonstration is required during the first startup following operations that could have al tered core reactivity (e.g., fuel movement, control rod replacement, control rod shuffling).ACTIONSA.1 and A.2 Should an anomaly develop betwee n measured and predicted core reactivity, an evaluation of the core design and safety analysis must be
performed. Core conditions are evalua ted to determine their consistency with input to design calculations. M easured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculat ional models are re viewed to verify that they are adequate for repres entation of the core conditions. The required Completion Time of 7days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and co mplete the evaluation of the core design and safety analysis.Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity
anomaly is a (continued)
Core Reactivity B 3.1.2BASESNorth Anna Units 1 and 2B 3.1.2-5Revision 0ACTIONSA.1 and A.2 (continued) mismatch in core conditions at th e time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity a nomaly is in the calculation technique, then the calculational models must be revised to provide mo re accurate predictions. If any of these results are demonstrated
, and it is concluded that the reactor core is acceptable for continued operation, then the boron letdown curve
may be renormalized and power oper ation may continue. If operational restriction or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined.The required Completion Time of 7days is adequate for preparing
whatever operating restrictions or Surveillances that may be required to allow continued reactor operation.
B.1If the core reactivity cannot be restored to within the 1%k/k limit, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours. If the SDM for MODE3 is not met, then the boration required by SR3.1.1.1 would occur. The allowed Completion Time is reasonable, based on operating experience, for reaching MODE3 from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.1.2.1 Core reactivity is verified by pe riodic comparisons of measured and predicted RCS boron concentrations. Th e comparison is made, considering that other core conditions are fixe d or stable, including control rod
position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentrat ion. The Surveillan ce is performed prior to entering MODE1 as an init ial check on core conditions and design calculations at BOC. The SR is modified by a Note. The Note indicates that any normalization of predicted core reactivity to the (continued)
North Anna Units 1 and 2B 3.1.2-6Revision 46Core Reactivity B 3.1.2BASESSURVEILLANCE REQUIREMENT
SSR3.1.2.1 (continued) measured value must take place within the first 60effective full power days (EFPD) after each fuel loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establ ishing a benchmark for the design calculations. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Sections3.1.22, 3.1.24, and 3.1.25.2.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.1.3-1Revision 0 MTCB 3.1.3B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.3Moderator Temperature Coefficient (MTC)BASESBACKGROUNDAccording to GDC11 (Ref.1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases with
increasing moderator temperature; conversely, a ne gative MTC means that reactivity decreases with increasing moderator temperature). The reactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolan t temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increase s that cause a coolant temperature increase will thus be self limiting, and stable power operation will result.
MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the beginning of cycle (BOC) MTC is less than or equal to zero when THERMAL POWER is at RTP. The actual value of the MTC is dependent on core characteristics, such as fuel loading
and reactor coolant soluble boron c oncentration. The core design may require additional fixed distributed pois ons to yield an MTC at BOC within the range analyzed in the unit accident analysis. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles are evaluated to ensure that the MTC does not exceed the EOC limit.
The limitations on MTC are provided to ensure that the value of this coefficient remains within the limi ting conditions assumed in the UFSAR accident and transient analyses.
(continued)
North Anna Units 1 and 2B 3.1.3-2Revision 0 MTCB 3.1.3BASESBACKGROUND (continued)
If the LCO limits are not met, the uni t response during transients may not be as predicted. For example, the core could violate criteria that prohibit a return to criticality, or the departure from nucleate boiling ratio criteria of the approved correlation may be violate d, which could lead to a loss of the fuel cladding integrity.
The SRs for measurement of the MTC at the beginning and near the end of the fuel cycle are adequate to confirm that the MTC remains within its limits, since this coefficient changes slowly, due principally to the reduction in RCS boron concentra tion associated with fuel burnup.APPLICABLE SAFETY ANALYSESThe acceptance criteria for the specified MTC are:a.The MTC values must remain within the bounds of those used in the accident analysis (Ref.2); andb.The MTC must be such that inhere ntly stable power operations result during normal operation and accide nts, such as overheating and overcooling events.The UFSAR, Chapter15 (Ref.2), contains analyses of accidents that result in both overheating and overc ooling of the reactor co re. MTC is one of the controlling parameters for core reactivity in these accidents. Both the most positive value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure th at the accident results are bounding (Ref.3).The consequences of accidents that cause core overheating must be evaluated when the MTC is positive. Such accidents include the rod withdrawal transient from either zero or RTP, loss of main feedwater flow,
and loss of forced reactor coolant flow
. The consequences of accidents that cause core overcooling must be evaluated when the MTC is negative. Such accidents include sudden feedwater flow increase and sudden decrease in feedwater temperature.
In order to ensure a bo unding accident analysis, th e MTC is assumed to be its most limiting value for the analys is conditions appropriate to each accident. The bounding value is dete rmined by considering rodded and unrodded conditions, whether the reactor is at full or zero power, and whether it (continued)
MTCB 3.1.3BASESNorth Anna Units 1 and 2B 3.1.3-3Revision 0APPLICABLE SAFETY ANALYSES(continued)is the BOC or EOC life. The most conservative combination appropriate to the accident is then used for the analysis (Ref.2).
MTC values are bounded in reload safety evaluations assuming steady state conditions at BOC and EOC. An EOC measurement is conducted at conditions when the RCS boron conc entration reaches approximately 300ppm. The measured value may be extrapolated to project the EOC value, in order to confirm reload design predictions.MTC satisfies Criterion2 of 10CFR 50.36(c)(2)(ii). Even though it is not directly observed and cont rolled from the control r oom, MTC is considered an initial condition process variable because of its dependence on boron concentration.LCOLCO3.1.3 requires the MTC to be with in specified limits of the COLR to ensure that the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to
determine that its values remain with in the bounds of the original accident analysis during operation.Assumptions made in safety analyses require that the MTC be less positive than a given upper bound and more positi ve than a given lower bound. The MTC is most positive at BOC; th is upper bound must not be exceeded.
This maximum upper limit occurs at BO C, all rods out (ARO), hot zero power conditions. At EOC the MTC takes on its most negative value, when the lower bound becomes important. This LCO exists to ensure that both the upper and lower bounds are not exceeded.
During operation, therefore, the conditi ons of the LCO can only be ensured through measurement. The Surveillan ce checks at BOC and EOC on MTC provide confirmation that the MTC is behaving as anticipated so that the acceptance criteria are met.
The LCO establishes a maximum posit ive value that cannot be exceeded.
The upper limit and the lower limit are established in the COLR to allow specifying limits for each particular cycle. This permits the unit to take advantage of improved fuel management and changes in unit operating schedule.
North Anna Units 1 and 2B 3.1.3-4Revision 0 MTCB 3.1.3BASESAPPLICABILITYTechnical Specifications place both LCO and SR values on MTC, based on the safety analysis assu mptions described above.In MODE1, the limits on MTC must be maintained to ensure that any accident initiated from THERMAL PO WER operation will not violate the design assumptions of the accident analysis. In MODE2 with the reactor critical, the upper limit must also be maintained to ensure that startup and
subcritical accidents (such as the unc ontrolled control rod assembly or group withdrawal) will not violate the assumptions of the accident analysis. The lower MTC limit must be maintained in MODES2 and3, in addition to MODE1, to ensure that cooldow n accidents will not violate the assumptions of the accident analysis. In MODES4, 5, and6, this LCO is not applicable, since no Design Basis Accidents using the MTC as an analysis assumption are initiated from these MODES.ACTIONSA.1 If the upper MTC limit is violated, ad ministrative withdr awal limits for control banks must be established to maintain the MTC within its limits.
The MTC becomes more negative wi th control bank insertion and decreased boron concentration. A Completion Time of 24hours provides
enough time for evaluating the MTC measurement and computing the required bank withdrawal limits.
As cycle burnup is increased, the RC S boron concentration will be reduced. The reduced boron concentration causes the MTC to become more negative. Using physics calculations
, the time in cycle life at which the calculated MTC will meet the LCO requirement can be determined. At this point in core life ConditionA no longer exists. The unit is no longer in the Required Action, so the administrati ve withdrawal li mits are no longer in effect.
B.1If the required administrative withdrawal limits at BOC are not established within 24hours, the unit must be brought to MODE2 with keff <1.0 to prevent operation with an MTC that is more positive than that assumed in safety analyses.
(continued)
MTCB 3.1.3BASESNorth Anna Units 1 and 2B 3.1.3-5Revision 0ACTIONSB.1 (continued)The allowed Completion Time of 6hour s is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and wit hout challenging unit systems.
C.1Exceeding the lower MTC limit means that the safety analysis assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the lower MTC limit is exceeded, the unit must be brought to a MODE or condition in which the LCO requirements are not applicable. To
achieve this status, the unit must be brought to at least MODE4 within 12hours.The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and wit hout challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.1.3.1This SR requires measurement of the MTC at BOC prior to entering MODE1 in order to demonstrate compliance with the most positive MTC LCO. Meeting the limit prior to entering MODE1 ensures that the limit will also be met at higher power levels.The BOC MTC value for ARO will be inferred from isothermal temperature coefficient measuremen ts obtained during the physics tests after refueling. The ARO value can be directly compared to the upper MTC limit of the LCO. If required, meas urement results and predicted design values can be used to establish admini strative withdrawal limits for control banks.
SR3.1.3.2 In similar fashion, the LCO demands th at the MTC be less negative than the specified value for EOC full pow er conditions. This measurement may be performed at any THERMAL POWER, but its results must be extrapolated to the conditions of RTP and all banks withdrawn in order to make a proper comparison with the LCO value. Because the RTP MTC (continued)
North Anna Units 1 and 2B 3.1.3-6Revision 9 MTCB 3.1.3BASESSURVEILLANCE REQUIREMENT
SSR3.1.3.2 (continued) value will gradually become more nega tive with further core depletion and boron concentration reduction, a 300ppm SR value of MTC should necessarily be less negative than the lower LCO limit. The 300ppm SR value is sufficiently less negative than the lower LCO limit value to ensure that the LCO limit will be met when the 300ppm Surveillance criterion is met.SR3.1.3.2 is modified by three Note s that include the following requirements:
a.The SR is not required to be performed until 7Effective Full Power Days (EFPDs) after reaching the equivalent of an equilibrium RTP all rods out (ARO) boron concentration of 300ppm.b.If the 300ppm Surveillance limit is exceeded, it is possible that the lower limit on MTC could be reac hed before the planned EOC. Because the MTC changes slowly with core depletion, the Frequency of 14EFPDs is sufficient to avoid exceeding the EOC limit.c.The Surveillance limit for RTP boron concentration of 60ppm is conservative. If the measured MTC at 60ppm is more positive than the 60ppm Surveillance limit, the lower limit will not be exceeded because of the gradual manner in which MTC changes with core burnup.REFERENCES1.UFSAR, Section 3.1.7.2.UFSAR, Chapter15.3.VEP-FRD-42-A, "Reload Nuclear Design Methodology."
North Anna Units 1 and 2B 3.1.4-1Revision 0 Rod Group Alignment Limits B 3.1.4B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.4Rod Group Alignment LimitsBASESBACKGROUNDThe OPERABILITY (i.e
., trippability) of the s hutdown and control rods is an initial assumption in all safety an alyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly af fects core power distributions and assumptions of available SDM.The applicable criteria for these re activity and power distribution design requirements are GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Capability" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergenc y Core Cooling Systems for Light Water Nuclear Power Plants" (Ref.2).
Mechanical or electrical failures may cause a control or shutdown rod to become inoperable or to become misaligned from its group. Rod inoperability or misalignment may ca use increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.
Limits on rod alignment have been es tablished, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defi ned by the design power peaking and
SDM limits are preserved.
Rod cluster control asse mblies (RCCAs), or r ods, are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its RCCA one step (approximately 5/8inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Rod Control System.
The RCCAs are divided among contro l banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. If a bank of RCCAs consists of two groups,(continued)
North Anna Units 1 and 2B 3.1.4-2Revision 0 Rod Group Alignment Limits B 3.1.4BASESBACKGROUND (continued) the groups are moved in a staggered fash ion, but always with in one step of each other. There are four cont rol banks and two shutdown banks.
The shutdown banks are maintained eith er in the fully inserted or fully withdrawn position. The control banks are moved in an overlap pattern, using the following withdrawal sequence: When control bankA reaches a predetermined height in the core, control bankB begins to move out with control bankA. Control bankA stops at the position of maximum withdrawal, and control bankB cont inues to move out. When control bankB reaches a predetermi ned height, control bank C begins to move out with control bankB. This sequence continues until control banksA, B, andC are at the fully withdrawn position, and control bankD is approximately halfway wi thdrawn. The insertion sequence is the opposite of the withdrawal sequence. The cont rol rods are arranged in a radially symmetric pattern, so that control bank motion does not introduce radial asymmetries in the core power distributions.
The axial position of shutdown rods a nd control rods is indicated by two separate and independent systems, which are the Bank Demand Position
Indication System (comm only called group step counters) and the Rod Position Indication (RPI) System.
The Bank Demand Position Indication System counts the pulses from the rod control system that moves the rods
. There is one step counter for each group of rods. Individual rods in a gr oup all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication
System is considered highly precise (+/-1step or +/-5/8inch). If a rod does not move one step for each demand pulse
, the step counter will still count the pulse and incorrectly reflect the position of the rod.The RPI System provides a highly accurate indication of actual rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a
hollow tube. The RPI system is capabl e of monitoring rod position within at least +/-12steps.
Rod Group Alignment Limits B 3.1.4BASESNorth Anna Units 1 and 2B 3.1.4-3Revision 0APPLICABLE SAFETY ANALYSESRod misalignment accidents are analyzed in the safety analysis (Ref.3). The acceptance criteria for addressing rod inoperability or misalignment are that:a.There be no violations of:1.specified acceptable fuel design limits, or2.Reactor Coolant System (RCS) pressure boundary integrity; andb.The core remains subcritical after accident transients.Two types of misalignment are distinguished. During movement of a rod
group, one rod may stop moving, while the other rods in the group continue. This condition may cause excessive power peaking. The second
type of misalignment occurs if one rod fails to inse rt upon a reactor trip and remains stuck fully withdrawn. This condition requires an evaluation to determine that sufficient reactivity wo rth is held in the rods to meet the SDM requirement, with the maximum worth rod stuck fully withdrawn.Two types of analysis are performed in regard to static rod misalignment (Ref.4). With control and shutdown ba nks at their insertion limits, one type of analysis considers the case wh en any one rod is completely inserted
into the core. The second type of analysis considers the case of a completely withdrawn single rod from a bank inserted to its insertion limit.
Satisfying limits on departure from nuc leate boiling ratio in both of these cases bounds the situation when a r od is misaligned from its group by 12steps.Another type of misalignment occurs if one RCCA fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition is assumed in the evaluation to determine that the required SDM is met with the maximum worth RCCA also fully withdrawn (Ref.5).
The Required Actions in this LCO ensure that either deviations from the alignment limits will be corrected or that THERMAL POWER will be adjusted so that excessive local linear heat rates (LHRs) will not occur, and that the requirements on SDM and ejected rod worth are preserved.
(continued)
North Anna Units 1 and 2B 3.1.4-4Revision 0 Rod Group Alignment Limits B 3.1.4BASESAPPLICABLE SAFETY ANALYSES(continued)
Continued operation of the reactor wi th a misaligned rod is allowed if power is reduced or if the heat flux hot channel factor (F Q(Z)) and the nuclear enthalpy rise hot channel factor  are verified to be within their limits in the COLR and the safety an alysis is verified to remain valid.
When a rod is misaligned, the assumpti ons that are used to determine the rod insertion limits, AFD limits, a nd quadrant power tilt limits are not preserved. Therefore, the limits ma y not preserve the design peaking factors, and F Q(Z) and  must be verified directly by incore mapping. Bases Section3.2 (Power Distribution Limits) contains more complete discussions of the relation of F Q(Z) and  to the operating limits.
Shutdown and control rod OPERABILITY and alignment are directly related to power distributions and SDM, which are initial conditions assumed in safety analyses. Therefore they satisfy Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe limits on shutdown or contro l rod alignments ensure that the assumptions in the safety analysis will remain valid. The requirements on rod OPERABILITY ensure that upon reactor trip, the assumed reactivity will be available and will be inserted. The rod OPERABILITY requirements (i.e., trippability) ar e separate from the alignment
requirements which ensure that the RCCAs and banks maintain the correct power distribution and rod ali gnment. The rod OPERABILITY requirement is satisfied provided the rod will fully insert in the required rod drop time assumed in the safety anal ysis. Rod control malfunctions that result in the inability to move a rod (e
.g., rod lift coil failures), but that do not impact trippability, do not result in rod inoperability.
The requirement to maintain the rod alignment to within plus or minus 12steps is conservative. The minimum misalignment assumed in safety analysis is 24steps (15inches), and in some cases a total misalignment from fully withdrawn to fully inserted is assumed.
Failure to meet the requirements of this LCO may produce unacceptable power peaking factors and LHRs, or unacceptable SDMs, a ll of which may constitute initial conditions incons istent with the safety analysis.
(continued)
FHNFHNFHN Rod Group Alignment Limits B 3.1.4BASESNorth Anna Units 1 and 2B 3.1.4-5Revision 0 LCO(continued)
The LCO has been modified by a Note. The Note permits a wider tolerance on indicated rod position for a maximum of one hour in every 24hours to allow stabilization of known thermal drift in the individual rod position indicator channels. This thermal so ak time is available both for a continuous one hour period or several disc rete intervals as long as the total time does not exceed 1 hour in any 24hour period and the indicated rod position does not exceed 24steps from the group step counter demand position. This allowance applies to the indicated position of the rod, not its actual position. If the actual position is known to be greater than 12steps
from the group step counter demand pos ition, the Conditions and Required Actions of the specificat ion must be followed.APPLICABILITYThe requirements on RCCA OPERABILITY and alignment are applicable in MODES1 and2 because these are the only MODES in which neutron
(or fission) power is generated, and the OPERABILITY (i.e., trippability) and alignment of rods have the potential to affect the safety of the unit. In MODES3, 4, 5, and6, the alignment limits do not apply because the rods
are normally bottomed and the reactor is shut down and not producing fission power. In the shutdown MODES, the OPERABILITY of the shutdown and control rods has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron
concentration of the RCS. See LCO3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM in MODES3, 4, and5 and LCO3.9.1, "Boron
Concentration," for boron concentrat ion requirements during refueling.ACTIONSA.1.1 and A.1.2 When one or more rods are inopera ble (i.e., untrippable), there is a possibility that the required SDM may be adversely affected. Under these
conditions, it is important to determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered. The Completion Time of 1hour is adequate for determining SDM and, if necessary, for initiating emerge ncy boration and restoring SDM.
In this situation, SDM verification must include the worth of the
untrippable rod, as well as a rod of maximum worth.
North Anna Units 1 and 2B 3.1.4-6Revision 0 Rod Group Alignment Limits B 3.1.4BASESACTIONS(continued)
A.2If the inoperable rod(s) cannot be restored to OPERABLE status, the unit must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this st atus, the unit must be brought to at least MODE3 within 6hours.The allowed Completion Time is reasonable, based on operating experience, for reaching MODE3 from fu ll power conditions in an orderly manner and without challenging unit systems.
B.1.1 and B.1.2With a misaligned rod, SDM must be veri fied to be within limit or boration must be initiated to restore SDM to within limit.
In many cases, realigning the remainde r of the group to the misaligned rod may not be desirable. For example, realigning control bankC to a rod that is misaligned 15steps from the top of the core would require a significant power reduction, since control bankD must be moved in significantly to
meet the overlap requirements.
Power operation may continue with one RCCA OPERABLE but misaligned, provided that SDM is verified within 1hour. The Completion Time of 1hour represents the time necessary for determining the actual unit SDM and, if necessary, aligning and starting the necessary systems and components to initiate boration. Si nce the core conditions can change with time, periodic verification of SDM is required. A Frequency of 12hours is sufficient to ensure this requirement continues to be met.
B.2.1, B.2.2.1, B.2.2.2, and B.3 For continued operation with a misaligned rod, RTP must be reduced or hot channel factors (F Q(Z) and ) must be verified within limits, and the safety analyses must be re-evaluat ed to confirm continued operation is permissible.
Reduction of power to 75%RTP ensures that local LHR increases due to a misaligned RCCA will not cause the core design criteria to be exceeded (Ref.4). The Completion Time (continued)
FHN Rod Group Alignment Limits B 3.1.4BASESNorth Anna Units 1 and 2B 3.1.4-7Revision 0ACTIONSB.2.1, B.2.2.1, B.2.2.2, and B.3 (continued)of 2hours gives the operator sufficient time to accomplish an orderly power reduction without challenging the Reactor Protection System.Alternatively, verifying that F Q(Z) and  are within the required limits ensures that current operation with a rod misaligned does not result in power distributions that may invalida te safety analysis assumptions. The Completion Time of 72hours allows suffic ient time to obtain flux maps of the core power distribution using th e incore flux mappi ng system and to calculate F Q(Z) and .
Once current conditions have been verified acceptable, time is available to perform evaluations of acci dent analysis to determin e that core limits will not be exceeded during a Design Basi s Event for the duration of operation under these conditions. The accident analyses presented in UFSAR, Chapter15 (Ref.3) that may be adversely affected will be evaluated to ensure that the analysis results rema in valid for the dur ation of continued operation under these conditions. A Completion Time of 5days is sufficient time to obtain the required input data and to perform the analysis.
C.1When Required Actions cannot be co mpleted within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To ac hieve this status, the unit must be brought to at least MODE3 within 6 hours, which obviates concerns about the development of unde sirable xenon or power di stributions. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching MODE3 from full power c onditions in an or derly manner and without challenging the unit systems.
D.1.1 and D.1.2 More than one rod becoming misaligne d from its group average position is not expected, and has the potential to reduce SDM. Therefore, SDM must be evaluated. One hour allows the ope rator adequate time to determine SDM. Restoration of the required SDM, if necessary, requires increasing the RCS boron concentration to provide negative reactivity, as (continued)
FHNFHN North Anna Units 1 and 2B 3.1.4-8Revision 46 Rod Group Alignment Limits B 3.1.4BASESACTIONSD.1.1 and D.1.2 (continued)described in the Bases or LCO3.1.1. The required Completion Time of 1hour for initiating boration is reasona ble, based on the time required for
potential xenon redistribution, the low probability of an accident occurring, and the steps required to complete the action. This allows the operator sufficient time to align the required valves and start the boric acid pumps.
Boration will continue until th e required SDM is restored.
D.2If more than one rod is found to be misaligned or becomes misaligned because of bank movement, the unit conditions fall outside of the accident analysis assumptions. Since automatic bank sequencing would continue to cause misalignment, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To ac hieve this status, the unit must be brought to at least MODE3 within 6hours.The allowed Completion Time is reasonable, based on operating experience, for reaching MODE3 from fu ll power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.1.4.1Verification that individual rod posi tions are within alignment limits provides a history that allows the opera tor to detect a rod that is beginning to deviate from its expected position. If an individual rod position is not within the alignment limit of the group step counter demand position, a
determination must be ma de whether the problem is the actual rod position or the indicated rod position. If the act ual rod position is not within the alignment limit, follow the Condi tions and Requir ed Actions in Specification3.1.4. If the indicated, not actual, r od position is not within the alignment limit, follow the Conditions and Required Actions of Specification3.1.7, Rod Position Indi cation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and
is controlled under the Surveill ance Frequency Control Program.
Rod Group Alignment Limits B 3.1.4BASESNorth Anna Units 1 and 2B 3.1.4-9Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.1.4.2Verifying each rod is OPERABLE would require that each rod be tripped. However, in MODES1 and2, tripping each rod would result in radial or axial power tilts, or oscillations.
Exercising each indi vidual rod provides increased confidence that all rods continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each rod by 10steps will not ca use radial or axia l power tilts, or oscillations, to occur. The Surveill ance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Between required performances of SR3.1.4.2 (determination of rod OP ERABILITY by movement), if a rod(s) is discovered to be immovable, but remains trippable, the rod(s) is considered to be OPERABLE. At any time, if a rod(s) is immovable, a determination of the trippability (O PERABILITY) of the rod(s) must be made, and appropriate action taken.SR3.1.4.3Verification of rod drop times allows the operator to determine that the maximum rod drop time permitted is c onsistent with the assumed rod drop time used in the safety analysis. Measuring rod drop times prior to reactor criticality, after reactor vessel head removal, ensures that the reactor internals and rod drive mechanism will not interfere with rod motion or rod drop time, and that no degradation in these systems has occurred that would adversely affect rod motion or drop time. This test ing is performed with all RCPs operating and the average moderator temperature 500F to simulate a reactor trip under actual conditions. Fo r this surveillance, a fully withdrawn position of 230steps is used in order to provide consistent test
conditions to facilitate trending. This rod position is not necessarily the same as the cycle-dependent fully wi thdrawn rod position specified in the COLR and will yield conservative drop times relative to the COLR position. The surveillance procedure limi ts for rod drop time ensure that the Surveillance Requirement criterion and the Safety Analysis Limit are met.This Surveillance is performed during a unit outage, due to the unit conditions needed to perform the SR and the potential for an unplanned unit transient if the Surveillance were performed with the reactor at power.
North Anna Units 1 and 2B 3.1.4-10 Revision 3 Rod Group Alignment Limits B 3.1.4BASESREFERENCES1.UFSAR, Sections3.1.6 and 3.1.22.2.10CFR50.46.3.UFSAR, Chapter15.
4.UFSAR, Section15.2.3.
5.UFSAR, Section4.3.1.5.
North Anna Units 1 and 2B 3.1.5-1Revision 0 Shutdown Bank Insertion Limits B 3.1.5B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.5Shutdown Bank Insertion LimitsBASESBACKGROUNDThe insertion limits of the shutdown and control rods are initial assumptions in all safety analyses th at assume rod insertion upon reactor trip. The insertion limits directly affect co re power and fuel burnup distributions and assumptions of av ailable ejected rod worth, SDM and initial reactivity insertion rate.The applicable criteria for these re activity and power distribution design requirements are GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Protecti on," GDC 28, "Reactivity Limits" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref.2). Limits on control rod insertion ha ve been established, a nd all rod positions are monitored and controlled during power operation to ensure that the power
distribution and reactivity limits defi ned by the design power peaking and
SDM limits are preserved.
The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for prec ise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that ar e moved in a staggered fashion, but always within one step of each other. There are f our control banks and two shutdown banks. See LCO3.1.4, "Rod Gr oup Alignment Limits," for control and shutdown rod OPERABIL ITY and alignment requirements, and LCO3.1.7, "Rod Position Indication," for position indication
requirements.
The control banks are used for precise reactivity control of the reactor. The positions of the control banks are normally automatically controlled by the Rod Control System, but they can also be manually controlled. They are capable of adding negative reactivity very quickly (compared to borating).
The control banks must be maintained above designed insertion limits and are typically near the fully withdrawn position during normal full power operations.
(continued)
North Anna Units 1 and 2B 3.1.5-2Revision 0 Shutdown Bank Insertion Limits B 3.1.5BASESBACKGROUND (continued)
Hence, they are not capable of adding a large amount of positive reactivity.
Boration or dilution of the Reactor C oolant System (RCS) compensates for the reactivity changes associated with large changes in RCS temperature.
The design calculations are performed with the assumption that the shutdown banks are withdrawn first.
The shutdown banks can be fully withdrawn without the core going critic al. This provides av ailable negative reactivity in the event of boration errors. The shutdown banks are controlled manually by the control room operator. During normal unit operation, the shutdown banks are either fully withdrawn or fully inserted.
The shutdown banks must be completely withdrawn from the core, prior to withdrawing any control banks during an approach to criticality. The shutdown banks are then left in this position until the reactor is shut down.
They add negative reactivity to s hut down the reactor upon receipt of a reactor trip signal.APPLICABLE SAFETY ANALYSESOn a reactor trip, all RCCAs (shut down banks and control banks), except the most reactive RCCA, are assumed to insert into the core. The shutdown
banks shall be at or above their insertion limits a nd available to insert the maximum amount of negative reactiv ity on a reactor trip signal. The control banks may be partially inserted in the core, as allowed by LCO3.1.6, "Control Bank Insertion Limits." The shutdown bank and
control bank insertion limits are established to ensure that a sufficient amount of negative reactivity is avai lable to shut down the reactor and maintain the required SDM (see LCO3.1.1, "SHUTDOWN MARGIN (SDM)") following a reactor trip from full power. The combination of control banks and shutdown banks (less the most reactive RCCA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref.3). The shutdown bank insertion limit also limit s the reactivity worth of an ejected shutdown rod.The acceptance criteria for addressi ng shutdown rod bank insertion limits and inoperability or misalignment is that:a.There be no violations of:1.specified acceptable fuel design limits, or 2.RCS pressure boundary integrity; andb.The core remains subcritical after accident transients.
Shutdown Bank Insertion Limits B 3.1.5BASESNorth Anna Units 1 and 2B 3.1.5-3Revision 0APPLICABLE SAFETY ANALYSES(continued)
As such, the shutdown bank insertion limits affect safety analysis involving core reactivity and SDM (Ref.3).
The shutdown bank insertion limits pres erve an initial condition assumed in the safety analyses and, as such, satisfy Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe shutdown banks must be within their insertion limits any time the reactor is critical or approaching criticality. This ensures that a sufficient amount of negative reactivity is avai lable to shut down the reactor and
maintain the required SDM following a reactor trip.
The shutdown bank insertion limit s are defined in the COLR.APPLICABILITYThe shutdown banks must be within their insertion limits, with the reactor in MODES1 and2. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. The shutdown banks do not have to be within their insertion limits in MODE3, unless an approach to criticality is being made. In MODE3, 4, or5, the shut down banks are fully inserted in the core and contribute to the SDM. Refer to LCO3.1.1 for SDM requirements in MODES3, 4, and5. LCO3.9.1, "Boron Concentration," ensures adequate SDM in MODE6.
The Applicability requirements have been modified by a Note indicating the LCO requirement is suspended during SR3.1.4.2. This SR verifies the freedom of the rods to move, and requires the shutdown bank to move below the LCO limits, which would nor mally violate the LCO. Should the SR testing be suspended due to e quipment malfunction with a rod bank below the insertion limit, the appl icable Condition should be entered.ACTIONSA.1.1, A.1.2 and A.2 When one or more shutdow n banks is not within insertion limits, except as allowed by ConditionB, 2hours is allo wed to restore the shutdown banks to within the insertion limits. This is necessary because the available SDM may be significantly reduced, with one or more of the shutdown banks not within their insertion li mits. Also, verification (continued)
North Anna Units 1 and 2B 3.1.5-4Revision 0 Shutdown Bank Insertion Limits B 3.1.5BASESACTIONSA.1.1, A.1.2 and A.2 (continued)of SDM or initiation of boration within 1hour is required, since the SDM in MODES1 and2 is ensured by adhering to the control and shutdown
bank insertion limits (see LCO3.1.1).If shutdown banks are not within their insertion limits, then SDM will be
verified by performing a reactivity balance calculati on, considering the effects listed in the BASES for SR3.1.1.1.The allowed Completion Time of 2hours provides an acceptable time for evaluating and repairing minor probl ems without allowing the unit to remain in an unacceptable condition for an extended period of time.
B.1 and B.2 If a shutdown bank is inserted below the insertion limits, power operation may continue for up to 72hours provided that the bank is not inserted more than 18steps below the insertion limi ts, the control and shutdown rods are within the operability and rod group alignment requirements provided in LCO3.1.4, and the control banks are within the insertion limits provided in LCO3.1.6. The requirement to be in compliance with LCO3.1.4 and LCO3.1.6 ensures that the rods are trippable, and power distribution is
acceptable during the time allowed to restore the inserted rod. If any of these Conditions are not met, Condition A must be applied.The Completion Time of 72hours is based on operating experience and provides an acceptable time for evaluating and repairing problems with the
rod control system.
C.1If the Required Action and associated Completion Time of ConditionsA orB are not met, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching the required MODE from full
power conditions in an orderly manner and without challenging unit
systems.
Shutdown Bank Insertion Limits B 3.1.5BASESNorth Anna Units 1 and 2B 3.1.5-5Revision 46SURVEILLANCE REQUIREMENT
SSR3.1.5.1Verification that the shutdown banks are within their insertion limits prior to an approach to criticality ensures th at when the reactor is critical, or being taken critical, the s hutdown banks will be availa ble to shut down the reactor, and the required SDM will be maintained following a reactor trip.
This SR and Frequency ensure that the shutdown banks are withdrawn before the control banks are withdrawn during a unit startup.Since the shutdown banks are positioned manually by the control room operator, a verification of shutdown bank position, afte r the reactor is taken critical, is adequate to ensure that th ey are within their insertion limits. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Sections3.1.6, 3.1.22, and 3.1.24.2.10CFR50.46.3.UFSAR, Chapter15.
Intentionally Blank North Anna Units 1 and 2B 3.1.6-1Revision 0 Control Bank Insertion Limits B 3.1.6B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.6Control Bank Insertion LimitsBASESBACKGROUNDThe insertion limits of the shutdown and control rods are initial assumptions in all safety analyses th at assume rod insertion upon reactor trip. The insertion limits directly affect co re power and fuel burnup distributions and assumptions of available SDM, and initial reactivity insertion rate.The applicable criteria for these re activity and power distribution design requirements are GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Protecti on," GDC 28, "Reactivity Limits" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref.2). Limits on control rod insertion ha ve been established, a nd all rod positions are monitored and controlled during power operation to ensure that the power
distribution and reactivity limits defi ned by the design power peaking and
SDM limits are preserved.
The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for prec ise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that ar e moved in a staggered fashion, but always within one step of each other. There are f our control banks and two shutdown banks. See LCO3.1.4, "Rod Gr oup Alignment Limits," for control and shutdown rod OPERABIL ITY and alignment requirements, and LCO3.1.7, "Rod Position Indication," for position indication
requirements.
The control bank insertion limits are specified in the COLR. An example is provided for information only in FigureB3.1.6-1. The control banks are required to be at or above the insertion limit lines.
FigureB3.1.6-1 also indicates how th e control banks are sequenced and moved in an overlap pattern. Overlap is the distance travelled together by two control banks. Sequencing is the order in which the banks are moved. For example, if the fully withdrawn position is 231steps, as in (continued)
North Anna Units 1 and 2B 3.1.6-2Revision 0 Control Bank Insertion Limits B 3.1.6BASESBACKGROUND (continued)FigureB3.1.6-1, control bankD will begin to move with bankC on a withdrawal when control bankC is at 128steps. The fully withdrawn position, as well as proper overlap and sequence, are defined in the COLR.
The control banks are used for precise reactivity control of the reactor. The positions of the control banks are normally controlled automatically by the Rod Control System, but can also be manually controlled. They are capable of adding reactivity ve ry quickly (compared to borating or diluting).
The power density at any poi nt in the core must be limited, so that the fuel design criteria are maintained. Together, LCO3.1.4, LCO3.1.5, "Shutdown Bank Insertion Limits," LCO3.1.6, LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," provide limit s on control component operation and on monitored process variables, which ensure that the core operates within the fuel design criteria.
The shutdown and control bank inserti on and alignment limits, AFD, and QPTR are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the control bank insertion limits control the reactivity that could be added in the event of a rod ejection accident
, and the shutdown and control bank insertion limits ensure the required SDM is maintained.
Operation within the subject LCO limit s will limit fuel cladding failures that would breach the primary fissi on product barrier a nd release fission products to the reactor coolant to with in acceptable limits in the event of a loss of coolant accident (LOCA), loss of flow, ejected rod, or other accident requiring termination by a Reactor Trip System (RTS) trip function.APPLICABLE SAFETY ANALYSESThe shutdown and control bank insertion limits, AFD, and QPTR LCOs
are required to maintain power distributi ons that limit fuel cladding failures to within acceptable limits in the event of a LOCA, loss of flow, ejected
rod, or other accident requiring termination by an RTS trip function.
(continued)
Control Bank Insertion Limits B 3.1.6BASESNorth Anna Units 1 and 2B 3.1.6-3Revision 0APPLICABLE SAFETY ANALYSES(continued)The acceptance criteria for addressing control bank insertion limits and inoperability or mi salignment are that:a.There be no violations of:1.specified acceptable fuel design limits, or2.Reactor Coolant System pres sure boundary integrity; andb.The core remains subcritical after accident transients.
As such, the shutdown and control bank insertion limits affect safety analysis involving core reactivity and power distributions (Ref.3).
The SDM requirement is ensured by limiting the control bank insertion limits so that allowable inserted worth of the RCCAs is such that sufficient reactivity is available in the rods to shut down the reactor to hot zero power with a reactivity margin that assumes the maximum worth RCCA remains fully withdrawn upon trip (Ref.3).
Operation at the insertion limits or AFD limits ma y approach the maximum allowable linear heat generation rate or peaking factor with the allowed QPTR present. Operation at the inse rtion limit may also indicate the maximum ejected RCCA worth could be equal to the limiting value in fuel cycles that have sufficien tly high ejected RCCA worths.
The control bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and powe r distribution peaking factors are preserved (Ref.3).
The insertion limits satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).
LCOThe limits on control banks sequenc e, overlap, and physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensu ring that the SDM is maintained, ensuring that ejected rod worth is maintained, and ensuring adequate
negative reactivity insertion is av ailable on trip. The overlap between control banks provides more uniform rates of (continued)
North Anna Units 1 and 2B 3.1.6-4Revision 0 Control Bank Insertion Limits B 3.1.6BASESLCO(continued)reactivity insertion and withdrawal and is imposed to maintain acceptable power peaking during control bank motion.APPLICABILITYThe control bank sequence, overl ap, and physical insert ion limits shall be maintained with the reactor in MODES1 and2 with keff1.0. These limits must be maintained, since they preserve the assumed power distribution, ejected rod worth, SDM, and reactivity rate insertion assumptions. Applicability in MODE2 with keff<1.0, and MODES3, 4, and5 is not required, since neither the power distribution nor ejected rod
worth assumptions would be exceeded in these MODES.The applicability requirements have been modified by a Note indicating the LCO requirements are suspe nded during the performance of SR3.1.4.2. This SR verifies the freedom of the rods to move, and requires the control bank to move below the LCO limits, which would violate the
LCO. Should the SR testing be susp ended due to equipment malfunction with a rod bank below the insertion limits, the applicable Condition should
be entered.ACTIONSA.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2If the control banks are found to be out of sequence or in the wrong overlap
configuration, they must be restored to meet the limits.
Operation beyond the LCO limits is al lowed for a short time period in order to take conservative action beca use the simultaneous occurrence of either a LOCA, loss of flow accide nt, ejected rod accident, or other accident during this short time period, together with an inadequate power distribution or reactivity capability, has an acceptably low probability.
Also, verification of SDM or initia tion of boration to regain SDM is required within 1hour, since the SDM in MODES1 and2 normally ensured by adhering to the control a nd shutdown bank insertion limits (see LCO3.1.1, "SHUTDOWN MARGIN (SDM)"
) has been upset. If control banks are not within their limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR3.1.1.1.
(continued)
Control Bank Insertion Limits B 3.1.6BASESNorth Anna Units 1 and 2B 3.1.6-5Revision 0ACTIONSA.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2 (continued)
When the control banks are outside th e acceptable insertion limits, except as allowed by ConditionC, they must be restored to within those limits.
This restoration can occur in two ways:a.Reducing power to be consis tent with rod position; orb.Moving rods to be consistent with power.The allowed Completion Time of 2hours for restoring the banks to within the insertion, sequence, and overlaps limits provides an acceptable time for evaluating and repairing minor probl ems without allowing the unit to remain in an unacceptable condition for an extended period of time.
C.1 and C.2If Control BanksA, B, orC are insert ed below the insertion limits, power operation may continue for up to 72 hours provided that the bank is not inserted more than 18steps below the insertion limits, the control and shutdown rods are within the operability and rod group alignment requirements provided in LCO3.1.4, and the shutdown banks are within the insertion limits provided in LCO3.1.5. The requirement to be in compliance with LCO3.1.4 and LCO3.1.5 ensures that the rods are trippable, and power distribution is acceptable during the time allowed to restore the inserted rod. If any of th ese Conditions are not met, Condition B must be applied.The Completion Time of 72hours is based on operating experience and provides an acceptable time for evaluating and repairing problems with the
rod control system.
D.1If Required ActionsA.1 andA.2, B.1 andB.2, or C.1 andC.2 cannot be completed within the associated Completion Times, the unit must be brought to MODE2 with keff<1.0, where the LCO is not applicable. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and wit hout challenging unit systems.
North Anna Units 1 and 2B 3.1.6-6Revision 46 Control Bank Insertion Limits B 3.1.6BASESSURVEILLANCE REQUIREMENT
SSR3.1.6.1This Surveillance is required to ensu re that the reactor does not achieve criticality with the control banks below their insertion limits.The estimated critical position (ECP) depends upon a number of factors,
one of which is xenon c oncentration. If the ECP wa s calculated long before criticality, xenon concentration could change to make the ECP substantially in error. Verifying th e predicted critical rod bank position within 4hours prior to criticality avoids a large error from changes in
xenon concentration, but al lows the operator some flexibility to schedule the verification with other startup activities.SR3.1.6.2 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.1.6.3When control banks are maintained within their insertion limits as checked by SR3.1.6.2 above, it is unlikely that their sequence and overlap will not be in accordance with requireme nts provided in the COLR. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Sections3.1.6, 3.1.22, and3.1.24.2.10CFR50.46.
3.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.1.6-7Revision 0 Control Bank Insertion Limits B 3.1.6FigureB 3.1.6-1 (page 1 of 1)
Control Bank Insertion vs. Percent RTP Intentionally Blank North Anna Units 1 and 2B 3.1.7-1Revision 0 Rod Position Indication B 3.1.7B 3.1  REACTIVITY CONTROL SYSTEMB 3.1.7Rod Position IndicationBASESBACKGROUNDAccording to GDC13 (Ref.1), in strumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE. LCO3.1.7 is required to ensure OPERABILITY of the rod position indicators to determine rod positions and thereby ensure compliance with the rod alignment and insertion limits.The OPERABILITY, including position indication, of the shutdown and control rods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximu m rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of ava ilable SDM. Rod posit ion indication is required to assess OPERABILITY and misalignment.
Mechanical or electrical failures may cause a rod to become inoperable or to become misaligned from its group.
Rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor
shutdown. Therefore, rod alignment and OPERABILITY are related to
core operation in design power peak ing limits and the core design
requirement of a minimum SDM.
Limits on rod alignment and OPERAB ILITY have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.Rod cluster control assemblies (RCCAs), or rods, are moved out of the core (up or withdrawn) or into the co re (down or inserted) by their control rod drive mechanisms. The RCCAs ar e divided among control banks and shutdown banks. Each bank is furthe r subdivided into two groups to provide for precise reactivity control.
(continued)
North Anna Units 1 and 2B 3.1.7-2Revision 0 Rod Position Indication B 3.1.7BASESBACKGROUND (continued)
The axial position of shutdown rods and control rods are determined by two separate and independent systems: the Bank Demand Position
Indication System (comm only called group step counters) and the Rod Position Indication (RPI) System.
The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods
. There is one step counter for each group of rods. Individual rods in a gr oup all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication
System is considered highly precise (+/-1step or +/-5/8inch). If a rod does not move one step for each demand pulse
, the step counter will still count the pulse and incorrectly reflect the position of the rod.The RPI System provides a highly accurate indication of actual rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a hollow tube. The RPI System is capable of monitoring rod position within at least +/-12steps.APPLICABLE SAFETY ANALYSESControl and shutdown rod position accuracy is essential during power operation. Power peaking, ejected rod worth, or SDM limits may be
violated in the event of a Design Basis Accident (Ref.2), with control or shutdown rods operating outside thei r limits undetected. Therefore, the acceptance criteria for rod position indi cation is that rod positions must be known with sufficient accuracy in orde r to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO3.1.5, "Shutdown Bank Insertion Limits," and LCO3.1.6, "Control Bank Insertion Limits"). The rod positions must also be known in orde r to verify the alignment limits are preserved (LCO3.1.4, "Rod Group Alignment Limits"). Control rod
positions are continuously monitored to provide operators with information that ensures the unit is operating within the bounds of the accident analysis assumptions.The control rod position indicator channels satisfy Criterion2 of 10CFR50.36(c)(2)(ii).
Rod Position Indication B 3.1.7BASESNorth Anna Units 1 and 2B 3.1.7-3Revision 0 LCOLCO3.1.7 specifies that the RPI Sy stem and the Bank Demand Position Indication System be OPERABLE fo r each rod. For the rod position indicators to be OPERAB LE requires meeting the SR of the LCO and the following:a.The RPI System indicates within 12 or 24steps of the group step counter demand position as required by LCO3.1.4, "Rod Group Alignment Limits";b.For the RPI System there are no failed coils; andc.The Bank Demand Indication System ha s been calibrated either in the fully inserted position or to the RPI System.
The 12 step agreement li mit between the Bank Demand Position Indication System and the RPI System indicates that the Bank Demand Position Indication System is adequately calib rated, and can be used for indication of the measurement of rod bank position.
A deviation of less than the allowable limit, given in LCO3.1.4, in position indication for a single rod, ensure s high confidence that the position uncertainty of the corresponding rod group is within the assumed values used in the analysis (that speci fied rod group insertion limits).These requirements ensure that rod position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions
are not challenged.OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositi oned rods can be detected. Therefore, power peaking, ejected rod worth, and SDM can be controlled within acceptable limits.APPLICABILITYThe requirement s on the RPI and step counter s are only applicable in MODES1 and2 (consistent with LCO3.1.4, LCO3.1.5, and LCO3.1.6),
because these are the only MODES in which power is generated, and the
OPERABILITY and alignment of rods have the potential to affect the
safety of the unit. In the shutdown MODES, the OPERABILITY of the shutdown and control banks has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron
concentration of the Reactor Coolant System.
North Anna Units 1 and 2B 3.1.7-4Revision 0 Rod Position Indication B 3.1.7BASESACTIONSThe ACTIONS table is modified by a Note indicating that a separate Condition entry is allowed for each inoperable rod position indicator and each demand position indicator. This is acceptable because the Required Actions for each Condition provide a ppropriate compensatory actions for each inoperable position indicator.
A.1When one RPI channel per group fails, the position of the rod may still be determined indirectly by use of the movable incore detectors. The Required Action may also be satisfied by ensuring at least once per 8hours that FQ(Z) satisfies LCO3.2.1, satisfies LCO3.2.2, and SHUTDOWN MARGIN is within the limits pr ovided in the COLR, provided the nonindicating rods have not been moved. Based on experience, normal power operation does not require excessive movement of banks. If a bank has been significantly moved, the Required Action of C.1 orC.2 below is required. Therefore, verification of RCCA position within the Completion Time of 8hours is adequate for al lowing continued full power operation, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small.
A.2Reduction of THERMAL POWER to 50%RTP puts the core into a condition where rod position is not significantly affecting core peaking factors (Ref.2).The allowed Completion Time of 8hour s is reasonable, based on operating experience, for reducing power to 50%RTP from full power conditions without challenging unit system s and allowing for rod position determination by Required ActionA.1 above.
B.1, B.2, B.3, and B.4 When more than one RPI per group fail
, additional actions are necessary to ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potential effects of rod misalignment on associated accident analyses are lim ited. Placing the Rod Control System in manual assures unplanned rod motion will not occur. Together with the indirect position determin ation available via movable incore detectors will minimize the potential for rod (continued)
FHN Rod Position Indication B 3.1.7BASESNorth Anna Units 1 and 2B 3.1.7-5Revision 0ACTIONSB.1, B.2, B.3, and B.4 (continued)misalignment. The immediate Completion Time for placing the Rod Control System in manual reflects the urgency with which unplanned rod
motion must be prevented while in this Condition.
Monitoring and recording reactor coolant T avg help assure that significant changes in power distribution and SDM are avoided. The once per hour Completion Time is acceptable because only minor fluctuations in RCS temperature are expected at stea dy state plant operating conditions.
The position of the rods may be dete rmined indirectly by use of the movable incore detectors. The Requi red Action may also be satisfied by ensuring at least once per 8hours that F Q(Z) satisfies LCO3.2.1, satisfies LCO3.2.2, and SHUTDOWN MARGIN is within the limits
provided in the COLR, provided the nonindicating rods have not been moved. Verification of control rod position once per 8hours is adequate for allowing continued full power operation for a limited, 24hour period, since the probability of simultaneously havi ng a rod significantly out of position and an event sensitive to that rod position is small. The 24hour Completion Time provides sufficient time to troubleshoot and restore the RPI system to operation while avoiding the plant challenges associated with a shutdown without fu ll rod position indication.
Based on operating experience, norma l power operation does not require excessive rod movement. If one or more rods has been significantly moved, the Required Action of C.1 orC.2 below is required.C.1 andC.2 These Required Actions clarify that when one or more rods with inoperable position indicators have been moved in excess of 24steps in one direction, since the position was last determ ined, the Required Actions of A.1 andA.2, or B.1, as applicable, are sti ll appropriate but must be initiated promptly under Required ActionC.1 to be gin verifying that these rods are still properly positio ned, relative to their group positions.
(continued)
FHN North Anna Units 1 and 2B 3.1.7-6Revision 0 Rod Position Indication B 3.1.7BASESACTIONSC.1 andC.2 (continued)If, within 4hours, the rod positions have not been determined, THERMAL POWER must be reduced to 50%RTP within 8hours to avoid undesirable power distributi ons that could result from continued operation at >50%RTP, if one or more rods are misaligned by more than 24steps. The allowed Completion Time of 4hours provides an acceptable period of time to verify the rod positions.
D.1.1 and D.1.2With one demand position indicator pe r bank inoperable, the rod positions can be determined by the RPI System. Since normal power operation does not require excessive movement of rods, verification by administrative means that the rod position indicat ors are OPERABLE and the most withdrawn rod and the least withdrawn rod are 12steps apart within the allowed Completion Time of once every 8hours is adequate.
D.2Reduction of THERMAL POWER to 50%RTP puts the core into a condition where rod position is not significantly affecting core peaking factor limits (Ref.2). The allowed Completion Time of 8 hours provides an acceptable period of time to veri fy the rod positions per Required ActionsD.1.1 andD.1.2 or reduce power to 50%RTP.E.1If the Required Actions cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status
, the unit must be brought to at least MODE3 within 6hours. The allowed Completion Time is reasonable, based on operating experience, for reaching the required
MODE from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.1.7.1Performing a CHANNEL CALIBRATION on each RPI channel ensures
that the RPI electronics are operating properly. This CHANNEL CALIBRATION involves injecting a test signal into the RPI electronics
and verifying or adjusting the (continued)
Rod Position Indication B 3.1.7BASESNorth Anna Units 1 and 2B 3.1.7-7Revision 46SURVEILLANCE REQUIREMENT
SSR3.1.7.1 (continued) calibration from that point forward. The CHANNEL CALIBRATION also verifies all alarms and indications, such as the Rod Bottom lights. The CHANNEL CALIBRATION does not include the coil stack, as it cannot be adjusted. The indicated RP I position is adjusted as needed to compensate for thermal drift. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section3.1.9.2.UFSAR, Chapter15.
Intentionally Blank North Anna Units 1 and 2B 3.1.8-1Revision 8Primary Grade Water Flow Path Isolation Valves B 3.1.8B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.8Primary Grade Water Flow Path Isolation ValvesBASESBACKGROUNDDuring MODES3, 4, and5 operati ons, the isolation valves for primary grade water flow paths that are conne cted to the Reactor Coolant System (RCS) must be closed to prevent unplanned boron dilution of the reactor coolant. The isolation valves must be locked, sealed, or otherwise secured in the closed position.The Chemical and Volume Control Syst em is capable of supplying borated and unborated water to the RCS th rough various flow paths. Since a positive reactivity addition made by an uncontrolled reduction of the boron concentration is inappropriate during MODES3, 4 and5, isolation of all primary grade water flow paths pr events an unplanned boron dilution.APPLICABLE SAFETY ANALYSESThe possibility of an inadvertent boron dilution event (Ref.1) occurring during MODES3, 4, or5 is precluded by adherence to this LCO, which requires that the primary grade water flow path be isolated. Closing the required valves prevents the flow of significant volumes of primary grade water to the RCS. The valves are used to isolate primary grade water flow
paths. These valves have the potential to indirectly al low dilution of the RCS boron concentration. By isolating primary grade water flow paths, a safety analysis for an uncontrolled boron dilution accident is not required for MODES3, 4 or5.The RCS boron concentration satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThis LCO requires that primary grade water be isolated from the RCS to prevent unplanned boron dilution during MODES3, 4, and5.For Unit1, primary grade water flow pa ths may be isolated from the RCS by closing valve 1-CH-217. Alternatively, 1-CH-220, 1-CH-241, 1-CH-FCV-1114B and 1-CH-FCV-1113B may be used in lieu of 1-CH-217. For Unit2, primary grade water (continued)
North Anna Units 1 and 2B 3.1.8-2Revision 8Primary Grade Water Flow Path Isolation Valves B 3.1.8BASESLCO(continued)flow paths may be isolated from the RCS by closing valve 2-CH-140. Alternatively, 2-CH-160, 2-CH-156, 2-CH-FCV-2114B, and 2-CH-FCV-2113B may be us ed in lieu of 2-CH-140.
The LCO is modified by a Note which allows the primary grade water flow path isolation valves to be opened unde r administrative control for planned boron dilution or makeup activities.APPLICABILITYThis LCO is applicable in MODES3, 4, and5 to prevent an inadvertent boron dilution event by ensuring closure of all primary grade water flow
path isolation valves.In MODE6, LCO3.9.2, "Primary Grade Water Flow Path Isolation Valves-MODE 6," requires al l primary grade water is olation valves to be closed to prevent an inadvertent boron dilution.In MODES1 and2, the boron dilution accident was analyzed and was found to be capable of being mitigated.ACTIONSA.1, A.2, and A.3 Preventing inadvertent dilution of the reactor coolant boron concentration
is dependent on maintaining the primary grade water flow path isolation valves locked, sealed, or otherwise s ecured closed, except as allowed under administrative control by the LCO Note. Because of the possibility of an
inadvertent boron dilution, Required ActionA.1 prohibits other positive
reactivity additions while securing th e isolation valves on the primary grade water system. The Completion Time of "Immediately" for
suspending positive reactivity addi tions reflects the importance of preventing known positive reactivity addi tions so that any boron dilution event can be readily identified and terminated.The Required ActionA.2 Completion Time of 15minutes for securing the isolation valves provides sufficient ti me to close and secure the isolation valves on the primary grade wate r flow paths while minimizing the probability of an unintentional dilution during the Completion Time.
Securing the valves in th e closed position ensures th at the valves cannot be inadvertently opened.
(continued)
Primary Grade Water Flow Path Isolation Valves B 3.1.8BASESNorth Anna Units 1 and 2B 3.1.8-3Revision 8ACTIONSA.1, A.2, and A.3 (continued)ConditionA has been modified by a Note to require that Required ActionA.3 be completed whenever ConditionA is entered.
The performance of Surveillance3.1.1.1 under Required ActionA.3 verifies that the SDM is within the limits provided in the COLR. It is performed to verify that the required SDM still exists and any inadvertent boron dilution that may have occurred has been detected and corrected. The Completion Time of 4hours is r easonable, based on the time required to request and analyze an RCS water sample to determine the boron concentration and to compute the SDM.SURVEILLANCE REQUIREMENT
SSR3.1.8.1The primary grade water flow path isolation valves are to be locked, sealed, or otherwise secured closed to isolate possible dilution paths. The likelihood of a significant reduction in the boron concentration during MODES3, 4, and5 is remote due to the large mass of borated water in the RCS and the fact that the specified primary grade water flow paths are isolated, precluding a dilution. The SHUTDOWN MARGIN is verified every 24hours during MODES3, 4, and5 under SR3.1.1.1. The Frequency is based on the time required to verify that the isolation valves
in the utilized flow path are locked, sealed, or otherwise secured in the closed position following a boron dilution or makeup activity.REFERENCES1.UFSAR, Section15.2.4.
Intentionally Blank North Anna Units 1 and 2B 3.1.9-1Revision 0 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9B 3.1  REACTIVITY CONTROL SYSTEMSB 3.1.9PHYSICS TESTS Exceptions-MODE2BASESBACKGROUNDThe primary purpose of the MODE2 PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain PHYSICS TESTS to be performed.SectionXI of 10CFR50, AppendixB (Ref.1), requires that a test program be established to ensure that stru ctures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditi ons are not exceeded dur ing normal operation and anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the unit.
Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10CFR50.59 (Ref.2).
The key objectives of a test program are to (Ref.3):a.Ensure that the facility has been adequately designed;b.Validate the analytical models used in the design and analysis;c.Verify the assumptions used to predict unit response; d.Ensure that installation of equipment in the facility has been accomplished in accordance with the design; ande.Verify that the operating and emergency procedures are adequate.To accomplish these objectives, test ing is performed prior to initial criticality, during st artup, during low power operations, during power ascension, at high power, and after ea ch refueling. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the de sign predictions and that the core can be operated as designed (Ref.4).
(continued)
North Anna Units 1 and 2B 3.1.9-2Revision 0 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESBACKGROUND (continued)PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of the test ing required to ensu re that the design intent is met. PHYSICS TESTS are performed in accordance with these procedures and test re sults are approved prior to continued power escalation and long term power operation.The PHYSICS TESTS required for reload fuel cycles (Ref.5) are listed below:
a.Critical Boron Concentration-All Banks Withdrawn;b.Differential Boron Worth;c.Bank Worth;d.Isothermal Temperature Coefficient (ITC); and e.Neutron Flux Symmetry.
The first four tests are performed in MODE2, and the last test is performed in MODE1. These and other supplementary tests may be required to calibrate the nuclear instrumentation or to diagnose operational problems. These tests may cause the operating c ontrols and process variables to deviate from their LCO requireme nts during their performance.a.The Critical Boron Concentration-Control Rods Withdrawn Test measures the critical boron concen tration at hot zero power (HZP). With all rods out, the lead control ba nk is at or near its fully withdrawn position. HZP is where the core is critical (keff=1.0), and the Reactor Coolant System (RCS) is at design temperature and pressure for zero power. Performance of this test shoul d not violate any of the referenced LCOs.b.The Differential Boron Worth Test determines if the measured differential boron worth is consistent with the predicted value. With the core at HZP, the change in e quilibrium boron concentration is determined at different rod bank pos itions. As the rod bank or banks are
moved, the reactivity change is measured using a reactivity computer. The measured reactivity change is divided by the difference in
measured critical boron (continued)
PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESNorth Anna Units 1 and 2B 3.1.9-3Revision 24BACKGROUNDb.(continued) concentrations to determine the differential boron worth. The insertion of the rod bank could result in violation of LCO3.1.4, "Rod Group Alignment Limits," LOC3.1.5, "Shut down Bank Insertion Limits," or LCO3.1.6, "Control Bank Insertion Limits."c.The Bank Worth Test is used to meas ure the reactivity worth of selected banks. This test is performed at HZP and has three alternative methods of performance. The first method, the Boron Exchange Method, varies the reactor coolant boron concentrat ion and moves the selected bank in response to the changing boron conc entration. The reactivity changes are measured with a reactivity computer. This sequence is repeated for the remaining banks. The second method, the Rod Swap Method, measures the worth of a predetermi ned reference bank using the Boron
Exchange Method above. The refere nce bank is then nearly fully inserted into the core. The selected ba nk is then inserted into the core as the reference bank is withdrawn. The HZP critical conditions are then determined with the selected bank fully inserted (0-2steps withdrawn) into the core. The worth of the selected bank is inferred, based on the
position of the reference bank with respect to the selected bank. This sequence is repeated as necessary for the remaining banks. The third method, the Boron Endpoint Method, moves the selected bank over its
entire length of travel and then varies the reactor coolant boron concentration to achieve HZP criticality again. The difference in boron concentration is the worth of th e selected bank. This sequence is repeated for the remaining banks. Perf ormance of this test could violate LCO3.1.4, LCO3.1.5, or LCO3.1.6.d.The ITC Test measures the ITC of the reactor. This test is performed at HZP and has two methods of perfor mance. The first method, the Slope Method, varies RCS temperature in a slow and continuous manner. The reactivity change is measured with a reactivity computer as a function of the temperature change. The ITC is the slope of the reactivity versus the temperature plot. The test is re peated by reversing the direction of the temperature change, a nd the final ITC is the av erage of two or more calculated ITCs. The second method, the Endpoint Method, (continued)
North Anna Units 1 and 2B 3.1.9-4Revision 24 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESBACKGROUNDd.(continued) changes the RCS temperature and measures the reactivity at the beginning and end of the temperature change. The ITC is the total reactivity change divided by the tota l temperature change. The test is repeated by reversing the direction of the temperature change, and the
final ITC is the average of the two or more calculated ITCs.
Performance of this test could violate LCO3.4.2, "RCS Minimum Temperature for Criticality."e.The Flux Symmetry Test measures the degree of azimuthal symmetry of the neutron flux at as low a power level as practical. The Flux Distribution Method uses the incore flux detectors to measure the azimuthal flux distributi on at selected locations with the core at 30%RTP.APPLICABLE SAFETY ANALYSESThe fuel is protected by LCOs that preserve the initial conditions of the core assumed during the safety analys es. The methods for development of the LCOs that are excepted by this LCO are described in Reference6. The above mentioned PHYSICS TE STS, and other tests that may be required to calibrate nuclear instrume ntation or to diagnose operational problems, may require the operating control or process variables to deviate from their LCO limitations.The UFSAR defines requirements for initial testing of the facility, including PHYSICS TESTS. Tables14.1-1, 14.1-2, and14.1-3 summarize the zero, low power, and power tests. Requirements for reload fuel cycle
PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1997 (Ref.4).
Although these PHYSICS TESTS are ge nerally accomplished within the limits for all LCOs, condi tions may occur when one or more LCOs must be suspended to make completion of PH YSICS TESTS possibl e or practical.
This is acceptable as long as the fuel design criteria are not violated. When one or more of the requirements specified in LCO3.1.3, "Moderator Temperature Coefficient (MTC)," LCO3.1.4, LCO3.1.5, LCO3.1.6, and LCO3.4.2 are suspended for PHYSICS TEST S, the fuel design criteria are preserved as long as the pow er level is limited to 5%RTP, the reactor coolant temperature is kept 531F, and SDM is within the limits provided in the COLR.
(continued)
PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESNorth Anna Units 1 and 2B 3.1.9-5Revision 24APPLICABLE SAFETY ANALYSES(continued)The PHYSICS TESTS include measuremen t of core nuclear parameters or the exercise of control components that affect process variables. Among the process variables involved are AF D and QPTR, which represent initial conditions of the unit safety analys es. Also involved are the movable control components (control and shut down banks), which are required to shut down the reactor. The limits for these variable s are specified for each fuel cycle in the COLR. As described in LCO3.0.7, compliance with Test Exception LCOs is optional and, therefore, no criteria of 10CFR 50.36(c)(2)(ii) apply.Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.Reference7 allows special test excepti ons (STEs) to be included as part of the LCO that they affect. It was decided, however, to retain this STE as a separate LCO because it was less cumbersome and provided additional clarity.LCOThis LCO allows the reactor parameters of MTC and minimum temperature for criticality to be outside their specifi ed limits. In addition, it allows selected control and shutdown banks to be positioned outside of their specified alignment and insert ion limits. One Power Range Neutron Flux channel may be bypassed, reducing the number of required channels from "4" to "3" to provide input to the reactivity computer. Operation beyond specified limits is permitted for the purpose of performing
PHYSICS TESTS and poses no threat to fuel integrity, provided the SRs are met.The requirements of LCO3.1.3, LCO3.1.4, LCO3.1.5, LCO3.1.6, andLCO 3.4.2 may be suspended duri ng the performance of PHYSICS
TESTS provided:a.RCS lowest loop average temperature is 531F;b.SDM is within the limits provided in the COLR; andc.THERMAL POWER is 5% RTP.APPLICABILITYThis LCO is a pplicable when performing low power PHYSICS TESTS. The Applicability stated as "dur ing PHYSICS TESTS initiated in MODE2" to ensure that the 5% RTP maximum power (continued)
North Anna Units 1 and 2B 3.1.9-6Revision 24 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESAPPLICABILITY (continued) level is not exceeded. Should the THERMAL POWER exceed 5%RTP and, consequently, enter MODE 1, this Applicability statement prevents exiting the Specification and its Required Action.ACTIONSA.1 andA.2 If the SDM requirement is not met, boration must be initiated promptly. A Completion Time of 15minutes is adequate for an operator to correctly
align and start the required systems and components. The operator should begin boration with the best source available for the unit conditions.
Boration will be continued until SDM is within limit.
Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.
B.1When THERMAL POWER is >5%RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent operation of the reactor
beyond its design limits. Immediately opening the RT Bs will shut down the reactor and prevent operation of the reactor outside of its design limits.
C.1When the RCS lowest T avg is <531F, the appropriate action is to restore Tavg to within its specified limit. The allowed Completion Time of 15minutes provides time for restoring T avg to within limits without allowing the unit to remain in an unacceptable condition for an extended period of time. Operation with the reactor critical and with temperature below 531F could violate the assumptions for accidents analyzed in the safety analyses.
D.1If the Required Actions and associated Completion Times cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE3 within an additional 15minutes. The Completion Time of 15additional minutes is
reasonable, based on operating experience, for reaching MODE3 in an orderly manner and without challenging unit systems.
PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESNorth Anna Units 1 and 2B 3.1.9-7Revision 46SURVEILLANCE REQUIREMENT
SSR3.1.9.1 The power range and interm ediate range neutron det ectors must be verified to be OPERABLE in MODE2 by LCO3.3.1, "Reactor Trip System (RTS)
Instrumentation." A CHANNEL OPERATIONAL TEST is performed on each power range and intermediate range channel prior to initiation of the PHYSICS TESTS. This will ensure that the RTS is properly aligned to
provide the required degree of core protection during the performance of the PHYSICS TESTS. Performance of the normally scheduled COT is sufficient to ensure the equipment is OPERABLE. LCO3.3.1 requires a COT on the power range and intermediate range channels every 92days.
These Frequencies have been determined to be sufficient for verification that the equipment is working properly. Because initiation of PHYSICS TESTS does not affect the ability of the equipment to perform its function or the RTS trip capability, and does not invalidate the previous
Surveillances, requiring the testing to be performed at a fixed time prior to the initiation of PHYSICS TESTS has no benefit.SR3.1.9.2Verification that the RCS lowest loop T avg is 531F will ensure that the unit is not operating in a condition that could invalidate the safety analyses.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.1.9.3Verification that th e THERMAL POWER is 5% RTP will ensure that the unit is not operating in a condition that could invalidate the safety analyses.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.1.9.4The SDM is verified by performing a reactivity ba lance calculation, considering the following reactivity effects:
a.RCS boron concentration;b.Rod bank position; North Anna Units 1 and 2B 3.1.9-8Revision 46 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESSURVEILLANCE REQUIREMENT
SSR3.1.9.4 (continued)c.RCS average temperature;d.Fuel burnup based on gross thermal energy generation;e.Xenon concentration;f.Samarium concentration; g.Isothermal temperature coefficien t (ITC), when below the point of adding heat (POAH);h.Moderator Defect when above the POAH; and i.Doppler Defect when above the POAH.
Using the ITC accounts for Doppler reactivity in this calculation when the reactor is subcritical or critical but below the POAH, and the fuel temperature will be changing at the same rate as the RCS.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.10CFR50, AppendixB, SectionXI.2.10CFR50.59.3.Regulatory Guide1.68, Revision2, August,1978.
4.ANSI/ANS-19.6.1-1997, August22, 1997.
5.Letter from W.L. Stewart to NRC, "Virginia Electric and Power Company, Surry Power Station, Units1 and2, North Anna Power Station, Units1 and2, Modification of Startup Physics Testing
Program Inspector Follow-Up Item280, 281/88-29-01," dated 12/8/89.6.VEP-FRD-42-A, "Reload Nuclear Design Methodology."7.WCAP-11618, including Addendum1, April1989.
North Anna Units 1 and 2B 3.2.1-1Revision 0 FQ(Z)B 3.2.1B 3.2POWER DISTRIBUTION LIMITSB 3.2.1Heat Flux Hot Channel Factor (F Q(Z))BASESBACKGROUNDThe purpose of the limits on the values of F Q(Z) is to limit the local (i.e.,pellet) peak power density. The value of F Q(Z) varies along the axial height(Z) of the core.
FQ(Z) is defined as the maximum local fuel rod linea r power density divided by the average fuel rod linear power density, assuming nominal fuel pellet and fuel rod dimensions. Therefore, F Q(Z) is a measure of the peak fuel pellet power within the reactor core.
During power operation, the global pow er distribution is limited by LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO3.2.4, "QUADRANT POWER TILT RATIO (QPT R)," which are directly and continuously measured process variables. These LCOs, along with LCO3.1.6, "Control Bank Inse rtion Limits," mainta in the core limits on power distributions on a continuous basis.
FQ(Z) varies with fuel loading patter ns, control bank inse rtion, fuel burnup, and changes in axial power distribution.
FQ(Z) is measured periodi cally using the incore detector system. These measurements are generall y taken with the core at or near steady state conditions.
Using the measured three dimensional pow er distributions, it is possible to derive a measured value for F Q(Z), (Z). However, because this value represents a steady state condition, it does not encompass the variations in the value of F Q(Z) that are present during none quilibrium situations, such as load changes.
To account for these possible variat ions, the steady state limit for F Q(Z) is adjusted by an elevation dependent fact or that accounts for the calculated worst case transient conditions.
Core monitoring and control unde r nonsteady state conditions are accomplished by operating the core within the limits of the appropriate LCOs, including the limits on AFD, QPTR, and control rod insertion.
FQM North Anna Units 1 and 2B 3.2.1-2Revision 13 FQ(Z)B 3.2.1BASESAPPLICABLE SAFETY ANALYSESThis LCO precludes core pow er distributions that violate the following fuel design criteria:a.During a loss of coolant accide nt (LOCA), the peak cladding temperature during a small break LOCA must not exceed 2200&deg;F, and there must be a high level of pr obability that the peak cladding
temperature does not exceed 2200&deg;F for the large breaks (Ref.1);b.During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95DNB criterion) that the hot fuel rod in the core does not experience a departure from nucleat e boiling (DNB) condition;c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225cal/gm and irradiated fuel is limited to 200cal/gm (Ref.2); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highe st worth control rod stuck fully withdrawn (Ref.3).
Limits on F Q(Z) ensure that the value of the initial total peaking factor assumed in the accident analyses remains valid. Other criteria must also be met (e.g., maximum cladding oxida tion, maximum hydrogen generation, coolable geometry, and long term cooling). However, the peak cladding temperature is typically most limiting.
FQ(Z) limits assumed in the LOCA anal ysis are typically limiting relative to (i.e.,lowerthan) the F Q(Z) limit assumed in safety analyses for other postulated accidents. Therefore, this LCO provides conserva tive limits for other postulated accidents.
FQ(Z) satisfies Criterion2 of 10CFR50.36(c)(2)(ii).
FQ(Z)B 3.2.1BASESNorth Anna Units 1 and 2B 3.2.1-3Revision 13 LCOThe Measured Heat Flux Hot Channel Factor, (Z), shall be limited by the following relationships, as described in Reference4:
(Z) for P > 0.5 (Z) for P  0.5where:CFQ is the F Q(Z) limit at RTP provided in the COLR, K(Z) is the normalized F Q(Z) as a function of core height provided in the COLR, N(Z) is a cycle dependent f unction that accounts for power distribution transients encountered during normal operation.
N(Z) is included in the COLR; andP is the fraction of RATED THERMAL POWER defined as P =The actual values of CFQ, K(Z),
and N(Z) are given in the COLR; however, CFQ is normally approximately 2, K(Z) is a function that looks like the one provided in FigureB3.2.1-1, and N(Z) is a value greater than 1.0.An (Z) evaluation requires obtaining an incore flux map in MODE1.
From the incore flux map results we obtain the measured value of F Q(Z). Then, the measured (Z) is increased by 1.03 which is a factor that
accounts for fuel manufacturing tolerances and 1.05 which accounts for flux map measurement uncertainty (Ref.4).The FQ(Z) limits define limiting values for core power peaking that precludes peak cladding temperatures above 2200&deg;F during a small break LOCA and assures with a high level of probability that the peak cladding temperature does not exceed 2200&deg;F for large breaks (Ref.1).
This LCO requires operation within the bounds assumed in the safety analyses. Calculations ar e performed in the core design process to confirm that the core can be controlled in (continued)
FQMFQMCFQKZ()PNZ()--------------
-------------
-FQMCFQKZ()0.5NZ()--------------
-------------
-HERMAL POWE RTP-------------------------------------------
FQMFQM North Anna Units 1 and 2B 3.2.1-4Revision 13 FQ(Z)B 3.2.1BASESLCO(continued) such a manner during operation that it can stay within the LOCA F Q(Z) limits. If F Q(Z) cannot be maintained within the LCO limits, reduction of the core power is required.Violating the LCO limits for F Q(Z) produces unacceptable consequences if a design basis event occurs while F Q(Z) is outside its specified limits.APPLICABILITYThe F Q(Z) limits must be maintained in MODE1 to prevent core power distributions from exceeding the limits assumed in the safety analyses.
Applicability in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require a limit on the distribution of core power.ACTIONSA.1If (Z) exceeds its specified limits, reducing the AFD limit by 1% for each 1% by which (Z) exceeds its l imit within the allowed Completion Time of 15minutes, restricts the axial flux distribution such that even if a transient occurred, core peaking factors are not exceeded. The maximum AFD limits initially determined by Required ActionA.1 may be affected by subsequent determinations of (Z
) and would require AFD reductions with 15minutes of the (Z) determination, if necessary.
A.2.1Reducing THERMAL POWER by 1%RTP for each 1% by which (Z) exceeds its limit, maintains an acceptable absolute power density. The percent that (Z) exceeds the limit can be determined from: for P>0.5 for P0.5(continued)
FQMFQMFQMFQMFQMFQMmaximum over z FQMZ()CFQKZ()PNZ()------------------------
-------------
-----------1.0-100maximum over z FQMZ()CFQKZ()0.5NZ()------------------------
-------------
-----------
1.0-
100 FQ(Z)B 3.2.1BASESNorth Anna Units 1 and 2B 3.2.1-5Revision 13ACTIONSA.2.1 (continued)
(Z) is the measured F Q(Z) multiplied by factors accounting for manufacturing tolerances and measurement uncertainties. (Z) is the measured value of F Q(Z). The Completion Time of 15minutes provides an acceptable time to reduce power in an orderly manner and without allowing the unit to remain in an unacceptable condition for an extended period of time. The maximum allowable power level initially determined by Required ActionA.2.1 may be affected by subsequent determinations of (Z) and would require power reductions within 15minutes of the (Z) determination, if necessary to co mply with the decreased maximum allowable power level. Decreases in (Z) would allow increasing the
maximum allowable power level and in creasing power up to this revised limit.A.2.2A reduction of the Power Range Ne utron Flux-High trip setpoints by 1% for each 1% by which (Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72hours is sufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER in accordance with Required ActionA
.2.1. The maximum allowable Power Range Neutron Flux-High trip setpoint s initially determined by Required ActionA.2.2 may be affected by subsequent determinations of (Z) and
would require Power Range Neutron Flux-High trip setpoint reductions within 72hours of the (Z) determina tion, if necessary to comply with the decreased maximum allowable Po wer Range Neutron Flux-High trip setpoints. Decreases in (Z) w ould allow increasing the maximum allowable Power Range Neutr on Flux-High trip setpoints.
A.2.3Reduction in the Overpower T trip setpoints (value of K
: 4) by 1% (in T span) for each 1% by which (Z) excee ds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72hours is sufficient considering the small likelihood of a severe transient in this time period, and the preceding prompt reduction in THERMAL POWER in accordance with Required ActionA.2.1. The (continued)
FQMFQMFQMFQMFQMFQMFQMFQMFQMFQM North Anna Units 1 and 2B 3.2.1-6Revision 13 FQ(Z)B 3.2.1BASESACTIONSA.2.3 (continued) maximum allowable Overpower T trip setpoints initially determined by Required ActionA.2.3 may be affected by subsequent determinations of (Z) and would require Overpower T trip setpoint reductions within 72hours of the (Z) determination, if necessary to comply with the decreased maximum allowable Overpower T trip setpoints. Decreases in (Z) would allow increasing the maximum Overpower T trip setpoints.
A.2.4Verification that (Z) has been restored to within its limit, by performing SR3.2.1.1 prior to increasing THERMAL POWER above the limit imposed by Required ActionA.2.1, ensu res that core conditions during operation at higher power levels are consistent with safety analyses assumptions.
B.1If Required ActionsA.1, A.2.1, A.2.2, A.2.3, orA.2.4 are not met within their associated Completion Times, the unit must be placed in a MODE or
condition in which the LCO requirement s are not applicable. This is done by placing the unit in at least MODE2 within 6hours.This allowed Completion Time is reasonable based on operating experience regarding the amount of time it takes to reach MODE2 from full power operation in an orderly manner and without challenging unit systems.SURVEILLANCE REQUIREMENT
SSR3.2.1.1 is modified by a Note. It states that THERMAL POWER may be increased until a power level for extended operation has been achieved at which a power distribution map can be obtained. This allowance is modified, however, by one of the Frequency conditions that requires verification that (Z) is within its sp ecified limit after a power rise of more than 10%RTP over the THERMAL POWER at which it was last
verified to be within specified limi ts. In the absence of this Frequency condition, it is possible to increase power to RTP and operate for 31days without verification of (Z). The Frequency condition is not intended to
require verification of these parameters after every 10%increase in power level above the last verification. It only requires (continued)
FQMFQMFQMFQMFQMFQM FQ(Z)B 3.2.1BASESNorth Anna Units 1 and 2B 3.2.1-7Revision 46SURVEILLANCE REQUIREMENT
S(continued) verification after a power level is achieved for extended operation that is 10%higher than that power at which F Q was last measured.SR3.2.1.1 The nuclear design process includes ca lculations performed to determine that the core can be operated within the F Q(Z)limits. Because flux maps are taken in steady state conditions, th e variations in power distribution resulting from normal operational mane uvers are not present in the flux map data. These variations are, however, conservatively calculated by considering a wide range of unit maneuvers in normal operation. The maximum peaking factor increase over steady state values, calculated as a function of core elevation, Z, is called N(Z).The limit with which (Z) is compared varies inversely with power above 50% RTP and N(Z) and directly with a function called K(Z) provided in the COLR.Performing this Surveillance in MODE1 prior to exceeding 75% RTP ensures that the (Z) limit is met wh en RTP is achieved, because peaking factors generally decrease as power level is increased.
If THERMAL POWER has been increased by 10%RTP since the last determination of (Z), another eval uation of this f actor is required 12hours after achieving equilibrium condi tions at this higher power level (to ensure that (Z) values are being reduced sufficiently with power increase to stay within the LCO limits).
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Flux map data are taken for multiple core elevations. (Z) evaluations are not applicable for the following axial core regions, measured in percent of core height:
a.Lower core region, from 0to15% inclusive; andb.Upper core region, from 85to100% inclusive.
FQMFQMFQMFQMFQM North Anna Units 1 and 2B 3.2.1-8Revision 13 FQ(Z)B 3.2.1BASESSURVEILLANCE REQUIREMENT
SSR3.2.1.1 (continued)
The top and bottom 15% of the core are excluded from the evaluation because of the low probability that these regions would be more limiting in the safety analyses and because of the difficulty of making a precise measurement in these regions.
This Surveillance has been modified by a Note that may require that more frequent surveillances be performe
: d. An evaluation of the expression below is required to account for any increase to (Z) that may occur and cause the (Z) limit to be exceeded before the next required (Z) evaluation.If the two most recent (Z) evaluations show an increase in the expression maximum over z
,it is required to meet the (Z) limit with the last (Z) increased by the appropriate factor, or to evaluate (Z) more frequently, each 7EFPD. These alternative requirements prevent F Q(Z) from exceeding its limit without detection.REFERENCES1.10CFR50.46.2.VEP-NFE-2-A, "VEPCO Evaluation of the Control Rod Ejection Transient."3.UFSAR, Section3.1.22.4.VEP-NE-1-A, "VEPCO Relaxe d Power Distribution Control Methodology and Associated FQ Surveillance Technical Specifications."
FQMFQMFQMFQMFQMZ()KZ()-----------------
FQMFQMFQM North Anna Units 1 and 2B 3.2.1-9Revision 13 FQ(Z)B 3.2.1FigureB 3.2.1-1 (page 1 of 1)
K(Z)-Normalized F Q(Z) as a Function of Core Height(6, 1.0)(12, .925) 0.00.10.20.30.40.5 0.60.70.80.91.01.11.20123456789101112 CORE HEIGHT (FT)
K(Z)DO NOT OPERATE IN THIS AREATHIS FIGURE FOR ILLUSTRATION ONLY. DO NOT USE FOR OPERATIONCORE HEIGHT* FOR CORE HEIGHT OF 12FEETFT.(*)%16.633.350.066.783.3100 Intentionally Blank North Anna Units 1 and 2B 3.2.2-1Revision 0 B 3.2.2FHNB 3.2  POWER DISTRIBUTION LIMITSB 3.2.2Nuclear Enthalpy Rise Hot Channel Factor ()BASESBACKGROUNDThe purpose of this LCO is to es tablish limits on the power density at any point in the core so that the fuel design criteria are not exceeded and the accident analysis assumptions remain valid. The design limits on local (pellet) and integrated fuel rod peak power density are expressed in terms of hot channel factors. Control of th e core power distribution with respect to these factors ensures th at local conditions in th e fuel rods and coolant channels do not challenge core inte grity at any locat ion during either normal operation or a postulated accident analyzed in the safety analyses.
is defined as the ratio of the integral of the linear power along the fuel rod with the highest inte grated power to the average integrated fuel rod power. Therefore, is a measure of the maximum total power produced in a fuel rod.
is sensitive to fuel loading patterns, bank inse rtion, and fuel burnup. typically increases with c ontrol bank insertion and typically decreases with fuel burnup.
is not directly measurable but is inferred from a power distribution map obtained with the movable incore detector system. Specifically, the results of the three dimensional power distribution map are analyzed by a computer to determine . This fact or is calculated at least every 31EFPD. However, during power opera tion, the global power distribution is monitored by LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which address directly and continuously me asured process variables.
The COLR provides peaking factor limits that ensu re that the design basis value of the departure from nucleate boiling (DNB) is met for normal operation, operational transients, and a ny transient condition arising from events of moderate frequency. Th e DNB design basis precludes DNB and is met by limiting the minimum local DNB heat flux ratio to a value greater than the design limits. All DNB limited transient events are assumed to begin with an value that satisfies the LCO requirements.
(continued)
FHNFHNFHNFHNFHNFHNFHNFHN North Anna Units 1 and 2B 3.2.2-2Revision 13 B 3.2.2BASESFHNBACKGROUND (continued)Operation outside the LCO limits ma y produce unacceptable consequences if a DNB limiting event occurs. The DNB design basis ensures that there is no overheating of the fuel that results in possible cladding perforation with the release of fission produc ts to the reactor coolant.APPLICABLE SAFETY ANALYSESLimits on preclude core power distri butions that exceed the following fuel design limits:a.There must be at least 95% probabil ity at the 95% confidence level (the 95/95DNB criterion) that the hottest fuel rod in the core does not experience a DNB condition;b.During a loss of coolant accident (LOCA), the peak cladding temperature during a small break LOCA must not exceed 2200&deg;F, and there must be a high level of pr obability that the peak cladding temperature does not exceed 2200&deg;F for large breaks;c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225cal/gm and irradiated fuel is limited to 200cal/gm (Ref.1); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highe st worth control rod stuck fully withdrawn (Ref.2).For transients that may be DNB limited, the Reactor Coolant System flow, temperature, and pressure, and are th e parameters of most importance. The limits on ensure that the DNB design basis is met for normal operation, operational transients, and any transients arising from events of moderate frequency. The DNB de sign basis is met by limiting the minimum DNBR to a value which provide s a high degree of assurance that the hottest fuel rod in the core does not experience a DNB.The allowable limit increases with decreasing power level. This functionality in is included in the analyses that provide the Reactor Core Safety Limits (SLs) of SL2.1.1. Th erefore, any DNB events in which the calculation of the core limits is modeled implicitly use this variable value of in the analyses. Likewise, all transients that (continued)
FHNFHNFHNFHNFHNFHN B 3.2.2BASESFHNNorth Anna Units 1 and 2B 3.2.2-3Revision 9APPLICABLE SAFETY ANALYSES(continued)may be DNB limited are a ssumed to begin with an initial as a function of power level defined by the COLR limit equation.
The LOCA safety analysis indirectly models as an input parameter.
The Nuclear Heat Flux Hot Channel Factor (F Q(Z)) and the axial peaking factors are inserted directly into the LOCA safety analyses that verify the
acceptability of the resulting peak cladding temperature (Ref.3).The fuel is protected in part by Technical Specifications, which ensure that the initial conditions assumed in the sa fety and accident analyses remain valid. The following LCOs ensure this: LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," LCO3.1.6, "Control Bank Insertion Limits," LCO3.2.2,
"Nuclear Enthalpy Rise Hot Channel Factor ()," LCO3.2.1, "Heat Flux Hot Channel Factor (F Q(Z))," and LCO3.4.1, "RCS Pressure, Temperature, and Flow DNB Limits."
and FQ(Z) are measured periodically using the movable incore detector system. Measurements are ge nerally taken with the core at, or near, steady state conditions. Core monitoring and control under transient conditions (Condition1 events) are acc omplished by operating the core within the limits of the LCOs on AF D, QPTR, and Bank Insertion Limits. satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCO shall be maintained within the limi ts of the relationship provided in the COLR.The limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has th e highest probability for a DNB.The limiting value of , described by the equation contained in the COLR, is the design radial peaking factor used in the unit safety analyses.A power multiplication factor in this equation includes an additional margin for higher radial peaking fr om reduced thermal feedback and greater control rod insertion at low power levels.
FHNFHNFHNFHNFHNFHNFHNFHN North Anna Units 1 and 2B 3.2.2-4Revision 0 B 3.2.2BASESFHNAPPLICABILITYThe limits must be maintained in MODE1 to preclude core power distributions from exceeding the fuel design limits for DNBR and PCT.
Applicability in other modes is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power. The design bases events that are sensitive to in other modes (MODES2 through5) have sufficient margin to DNB, and therefore, there is no need to restrict in these modes.ACTIONSA.1 and A.2ConditionA is modified by a Note that requires that Required ActionsA.3 andA.4 must be completed whenever ConditionA is entered. Thus, because even if is restored to within limits, Required ActionA.3 nevertheless requires another measurement and calculation of within 24hours in accordance with SR3.2.2.1.However, if power is reduced below 50%RTP, Required ActionA.4 requires that another determination of must be done prior to exceeding 50%RTP, prior to exceeding 75%RTP, and within 24hours after reaching or exceeding 95%RTP. In addition, Required ActionA.3 is performed if power ascension is delayed past 24hours.If the value of is not restored to within its specified limit either by adjusting a misaligned rod or by reducing THERMAL POWER, the alternative option is to reduce THERMAL POWER to <50%RTP in accordance with Required ActionA.1 and reduce the Power Range
Neutron Flux-High to 55%RTP in accordance with Required ActionA.2. Reducing RTP to <50%RTP increases the DNB margin and
does not likely cause the DNBR limi t to be violated in steady state operation. The reduction in tr ip setpoints ensures th at continuing operation remains at an acceptable low power level with adequate DNBR margin.
The allowed Completion Time of 4hours for Required ActionA.1
provides an acceptable time to reach the required power level from full power operation without allowing the uni t to remain in an unacceptable condition for an extended period of time.The allowed Completion Time of 72hour s to reset the tr ip setpoints per Required ActionA.2 recognizes that, once power is reduced, the safety analysis assumptions are (continued)
FHNFHNFHNFHNFHNFHNFHN B 3.2.2BASESFHNNorth Anna Units 1 and 2B 3.2.2-5Revision 0ACTIONSA.1 and A.2 (continued)satisfied and there is no urgent need to reduce the trip setpoints. This is a sensitive operation that may inadve rtently trip the Reactor Protection System.A.3Once the power level has been reduced to <50%RTP per Required ActionA.1, an incore flux map (SR3.2.2.1) must be obtained and the measured value of verified not to ex ceed the allowed limit at the lower power level. The unit is provided 20a dditional hours to perform this task over and above the 4hours allowed by ActionA.1. The Completion Time of 24hours is acceptable because of the increase in the DNB margin, which is obtained at lower power levels, a nd the low probability of having a DNB
limiting event within this 24hour period. Additionally, operating experience has indicated that this Completion Time is sufficient to obtain the incore flux map, perform the required calculations, and evaluate .
A.4Verification that is within its specified limits after an out of limit occurrence ensures that the cause that led to the exceeding its limit is corrected, and that subsequent operation proceeds within the LCO limit. This Action demonstrates that the limit is within the LCO limits prior to exceeding 50%RTP, again prior to exceeding 75%RTP, and within 24hours after THERMAL POWER is 95%RTP.This Required Action is modified by a Note that states that THERMAL POWER does not have to be reduced prior to performing this Action.
B.1When Required ActionsA.1 throughA.4 cannot be completed within their required Completion Times, the unit must be placed in a mode in which the LCO requirements are not applicable. This is done by placi ng the unit in at least MODE2 within 6hour
: s. The allowed Completion Time of 6hours is reasonable, based on opera ting experience regardi ng the time required to reach MODE2 from full power conditions in an orderly manner and
without challenging unit systems.
FHNFHNFHNFHNFHN North Anna Units 1 and 2B 3.2.2-6Revision 46 B 3.2.2BASESFHNSURVEILLANCE REQUIREMENT
SSR3.2.2.1The value of is determined by us ing the movable incore detector system to obtain a flux distributi on map. A data re duction computer program then calculates the maximum value of from the measured flux distributions. The limit contai ns an allowance of 1.04 to account for measurement uncertainty.After each refueling, must be determined in MODE1 prior to exceeding 75%RTP. This requirement ensures that limits are met at the beginning of each fuel cycle.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.VEP-NFE-2-A, "VEPCO Ev aluation of the Control Rod Ejection Transient."2.UFSAR, Section3.1.22.3.10CFR50.46.
FHNFHNFHNFHNFHN North Anna Units 1 and 2B 3.2.3-1Revision 0 AFDB 3.2.3B 3.2  POWER DISTRIBUTION LIMITSB 3.2.3AXIAL FLUX DIFFERENCE (AFD)BASESBACKGROUNDThe purpose of this LCO is to esta blish limits on the values of the AFD in order to limit the amount of axial power distributi on skewing to either the top or bottom of the core. By limit ing the amount of power distribution skewing, core peaking factors are consis tent with the assumptions used in the safety analyses. Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution control.
Relaxed Power Distribution Control (R PDC) is a calculational procedure that defines the allowed operational space of the AFD versus THERMAL POWER. The AFD limits are selected by considering a range of axial xenon distributions that may occur as a result of large variations of the AFD. Subsequently, power peaking fa ctors and power distributions are examined to ensure that the loss of coolant accident (LOCA), loss of flow
accident, and anticipated transient limits are met. Violation of the AFD limits invalidate the conclusions of the accident and transient analyses with regard to fuel cladding integrity.
The AFD is monitored on an auto matic basis using the unit process computer, which has an AFD monitor al arm. The computer determines the 1minute average of each of the OP ERABLE excore detector outputs and provides an alarm message immediat ely if the AFD for two or more OPERABLE excore channels is outside its specified limits.APPLICABLE SAFETY ANALYSESThe AFD is a measure of the axial power distribution skewing to either the top or bottom half of the core. The AFD is sensitive to many core related
parameters such as control bank posi tions, core power level, axial burnup, axial xenon distribution, a nd, to a lesser extent, react or coolant temperature and boron concentration.
The allowed range of the AFD is used in the nuclear design process to confirm that operation within these limits produces core peaking factors and axial power distributions that meet safety analysis requirements.
(continued)
North Anna Units 1 and 2B 3.2.3-2Revision 0 AFDB 3.2.3BASESAPPLICABLE SAFETY ANALYSES(continued)The RPDC methodology (Ref.1) establ ishes a xenon distribution library with tentatively wide AFD limits. Axial power dist ribution calculations are then performed to demonstrate that normal operation power shapes are acceptable for the LOCA and loss of flow accident, and for initial conditions of anticipated transients. The tentative limits are adjusted as
necessary to meet the safe ty analysis requirements.
The limits on the AFD ensure that the Heat Flux Hot Channel Factor
(FQ(Z)) is not exceeded during either normal operation or in the event of xenon redistribution follow ing power changes. The limits on the AFD also restrict the range of power distributions that are used as initial conditions in the analyses of Condition2, 3, or4 ev ents. This ensures that the fuel cladding integrity is maintained for these postulated accidents. The most important Condition4 event is the LOCA. The most important Condition3 event is the loss of flow accident. The most important Condition2 events
are uncontrolled rod withdr awal, excessive heat re moval, and boration or dilution accidents. Condition2 accidents simulated to begin from within the AFD limits are used to confir m the adequacy of the Overpower T and OvertemperatureT trip setpoints.
The limits on the AFD satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThe shape of the power profile in th e axial (i.e., the vertical) direction is largely under the control of the ope rator through the manual operation of the control banks or automatic moti on of control banks. The automatic motion of the control banks is in re sponse to temperature deviations resulting from manual operation of the Chemical and Volume Control System to change boron concentra tion or from power level changes.Signals are available to the operator from the Nuclear Instrumentation System (NIS) excore neutron detectors (Ref.2). Separate signals are taken from the top and bottom detectors. The AFD is defined as the difference in normalized flux signals between the t op and bottom excore detectors in each detector well. For convenience, this flux difference is converted to provide flux difference units expressed as a percentage and labeled as % flux or%I.(continued)
AFDB 3.2.3BASESNorth Anna Units 1 and 2B 3.2.3-3Revision 46 LCO(continued)
The AFD limits are provided in the COLR. FigureB3.2.3-1 shows typical RPDC AFD limits. The AFD limits for RPDC do not depend on the target flux difference. However, the target flux difference may be used to minimize changes in the axial power distribution.Violating this LCO on the AFD could produce unacceptable consequences if a Condition2, 3, or4 event occurs while the AFD is outside its specified limits.The LCO is modified by a Note which states that AFD shall be considered outside its limit when two or more OPERABLE excore channels indicate AFD to be outside its limit.APPLICABILITYThe AFD requirements are applicable in MODE1 greater than or equal to 50%RTP when the combination of THERMAL POWER a nd core peaking factors are of primary importance in safety analysis.
For AFD limits developed using RPDC methodology, the value of the AFD does not affect the limiting accide nt consequences with THERMAL POWER <50%RTP and for lower operating power MODES.ACTIONSA.1As an alternative to restoring the AFD to within its specified limits, Required ActionA.1 requires a THERMAL POWER reduction to
<50%RTP. This places the core in a condition for which the value of the
AFD is not important in the applicable safety analyses. A Completion Time of 30minutes is reasonable, base d on operating experience, to reach 50%RTP without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.2.3.1This Surveillance verifies that the AFD, as indicated by the NIS excore channel, is within its specified limit
: s. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.
North Anna Units 1 and 2B 3.2.3-4Revision 9 AFDB 3.2.3BASESREFERENCES1.VEP-NE-1-A, "VEPCO Re laxed Power Distribution Control Methodology and Associated FQ Surveillance Technical Specifications."2.UFSAR, Chapter7.
North Anna Units 1 and 2B 3.2.3-5Revision 0 AFDB 3.2.3FigureB 3.2.3-1 (page 1 of 1)AXIAL FLUX DIFFERENCE Acceptable Operation Limits as a Function of RATED THERMAL POWER Intentionally Blank North Anna Units 1 and 2B 3.2.4-1Revision 13 QPTRB 3.2.4B 3.2  POWER DISTRIBUTION LIMITSB 3.2.4QUADRANT POWER TILT RATIO (QPTR)BASESBACKGROUNDThe QPTR limit ensures that th e gross radial power distribution remains consistent with the design values used in the safety analyses. Precise radial power distribution measurements are made during startup testing, after refueling, and periodically during power operation by using the movable incore detector system to obtain full core flux maps. Between these full core flux maps, the excore neutron detectors are used to monitor QPTR,
which is a measure of changes in th e radial power dist ribution. QPTR is defined in Section1.1 in terms of rati os of excore detector calibrated output. However, the movable incore detector system can measure changes in the relative power of symmetrically located incore locations or changes in the incore tilt, which can be used to calculate an equivalent QPTR.
The power density at any point in the co re must be limited so that the fuel design criteria are maintained. Together, LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO3.2.4, and LCO3.1.6, "Control Rod Insertion Limits," provide limits on process variable s that characterize and control the three dimensional power distribution of the reactor core.
Control of these variables ensures that the core operates within the fuel
design criteria and that the power distribution remains within the bounds used in the safety analyses.APPLICABLE SAFETY ANALYSESThis LCO precludes core pow er distributions that violate the following fuel design criteria:a.During a loss of coolant accide nt (LOCA), the peak cladding temperature during a small break LOCA must not exceed 2200&deg;F, and there must be a high level of pr obability that the peak cladding temperature does not exceed 2200&deg;F for large breaks (Ref.1);b.During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% c onfidence level (the 95/95 departure from nucleate boiling (DNB) criterion) th at the hot fuel rod in the core does not experience a DNB condition; (continued)
North Anna Units 1 and 2B 3.2.4-2Revision 9QPTRB 3.2.4BASESAPPLICABLE SAFETY ANALYSES(continued)c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225cal/gm and irradiated fuel is limited to 200cal/gm (Ref.2); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highe st worth control rod stuck fully withdrawn (Ref.3).The LCO limits on the AFD, the QPTR
, the Heat Flux Hot Channel Factor (FQ(Z)), the Nuclear Enthalpy Rise Hot Channel Factor (), and control bank insertion are established to pr eclude core power distributions that exceed the safety analyses limits.The QPTR limits ensure that  and F Q(Z) remain below their limiting values by preventing an undetected change in the gross radial power distribution.In MODE1, the  and F Q(Z) limits must be maintained to preclude core power distributions from exceeding design limits assumed in the safety analyses.The QPTR satisfies Criterion2 of 10CFR50.36(c)(2)(ii).
LCOThe QPTR limit of 1.02, at which co rrective action is re quired, provides a margin of protection for both the DNB ra tio and linear heat generation rate contributing to excessive power peak s resulting from X-Y plane power tilts. A limiting QPTR of 1.02 can be tolerated before the margin for uncertainty in F Q(Z) and () is possibly challenged.APPLICABILITYThe QPTR limit must be maintained in MODE1 with THERMAL POWER >50%RTP to prevent core pow er distributions from exceeding the design limits.Applicability in MODE1 50%RTP and in other MO DES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require the implementation of a QPTR limit on the distribution of core power. The QPTR limit in these conditions is, ther efore, not important. Note that the  and FQ(Z) LCOs still apply, but allo w progressively higher peaking factors at 50%RTP or lower.
FHNFHNFHNFHNFHN QPTRB 3.2.4BASESNorth Anna Units 1 and 2B 3.2.4-3Revision 0ACTIONSA.1With the QPTR exceeding its li mit, a power level reduction of 3% from RTP for each 1% by which the QP TR exceeds 1.00 is a conservative tradeoff of total core power with peak linear power. The Completion Time of 2hours allows sufficient time to id entify the cause and correct the tilt. Note that the power reduction itself may cause a change in the tilted condition.The maximum allowable power level initially determined by Required ActionA.1 may be affected by subs equent determinations of QPTR.
Increases in QPTR would require power reduction within 2hours of QPTR determination, if necessary to co mply with the decreased maximum allowable power level. Decreases in QPTR would allow increasing the maximum allowable power level and increasing power up to the revised limit.A.2After completion of Required Action A
.1, the QPTR alarm may still be in its alarmed state. As such, any additional changes in the QPTR are detected by requiring a check of the QPTR once per 12hours thereafter. A 12hour Completion Time is sufficient becau se any additional change in QPTR would be relatively slow.
A.3The peaking factors  and F Q(Z) are of primary im portance in ensuring that the power distributio n remains consistent with the initial conditions used in the safety analyses. Performing SRs on  and F Q(Z) within the Completion Time of 24hours after achi eving equilibrium conditions from a THERMAL POWER reduction per Required ActionA.1 ensures that these primary indicators of power di stribution are within their respective limits. Equilibrium conditions are achieved when the core is sufficiently stable at intended operating conditions to support flux mapping. A Completion Time of 24hours after achi eving equilibrium conditions from
a THERMAL POWER reduction per Required ActionA.1 takes into consideration the rate at which peaking factors are likely to change, and the time required to stabiliz e the unit and perform a flux map. If these peaking factors are not within their limi ts, the Required Actions of these Surveillances provide an appropriate response for the abnormal condition.
(continued)
FHNFHN North Anna Units 1 and 2B 3.2.4-4Revision 0QPTRB 3.2.4BASESACTIONSA.3 (continued)If the QPTR remains above its specified limit, the peaking factor surveillances are required each 7days thereafter to evaluate  and F Q(Z) with changes in power distribution.Relatively small changes are expected due to either burnup and xenon redistribution or correction of the cause for exceeding the QPTR limit.
A.4Although  and F Q(Z) are of primary importance as initial conditions in the safety analyses, other changes in the power distribution may occur as the QPTR limit is exceeded and may ha ve an impact on the validity of the safety analysis. A change in the power distribution can affect such reactor parameters as bank worths and pe aking factors for rod malfunction accidents. When the QPTR exceeds its limit, it doe s not necessarily mean a safety concern exists. It does mean that there is an indication of a change in the gross radial power distribution that requires an investigation and evaluation that is accomplished by examining the incore power distribution. Specifically, the core pe aking factors and the quadrant tilt must be evaluated because they are the factors that best characterize the core power distribution. This re-evalu ation is required to ensure that, before increasing THERMAL POWER to above the limit of Required ActionA.1, the reactor core conditions are consistent with the assumptions in the safety analyses.
A.5If the QPTR has exceeded the 1.02 limit and a re-evaluation of the safety analysis is completed and shows that safety requirements are met, the excore detectors are normalized to restore QPTR to within limits prior to increasing THERMAL POWER to above the limit of Required ActionA.1. Normalization is accomplished in su ch a manner that the indicated QPTR following normalization is ne ar 1.00. This is done to detect any subsequent significant changes in QPTR.Required ActionA.5 is modified by two Notes. Note1 states that the QPTR is not restored to within limits until after the re-evaluation of the safety analysis has determined that core conditions at RTP are within the
safety analysis assumptions (i.e., Required ActionA.4). Note2 states that (continued)
FHNFHN QPTRB 3.2.4BASESNorth Anna Units 1 and 2B 3.2.4-5Revision 0ACTIONSA.5 (continued)if Required ActionA.5 is performed, the Required ActionA.6 shall be performed. Required ActionA.5 normalizes the excore detectors to restore QPTR to within limits, which restores compliance with LCO3.2.4. Thus, Note2 prevents exiting the Actions prior to completing flux mapping to
verify peaking factors, per Required ActionA.6. These notes are intended to prevent any ambiguity about the required sequence of actions.
A.6Once the flux tilt is restored to with in limits (i.e., Required Action A.5 is performed), it is acceptable to return to full power operation. However, as an added check that the core power distribution is consistent with the safety analysis assumptions, Required ActionA.6 requires verification that F Q(Z) and  are within their specified limits within 24hours of reaching equilibrium conditions at RTP. As an added precaution, if the core power does not reach equilibrium conditions at RTP within 24hours, but is increased slowly, then the peaking fact or surveillances must be performed within 48hours after increasing po wer above the limit of Required ActionA.1. These Completion Times are intended to allow adequate time to increase THERMAL POWER to above the limit of Required ActionA.1, while not permitting the core to remain with unconfirmed power distributions for extended periods of time.Required ActionA.6 is modified by a Note that states that the peaking factor surveillances may only be done after the exco re detectors have been normalized to restore QPTR to within limits (i.e., Required ActionA.5). The intent of this Note is to have the peaking factor surveillances performed at operating power levels, wh ich can only be accomplished after the excore detectors are normalized to restore QPTR to within limits and the core returned to power.
B.1If Required ActionsA.1 throughA.6 are not completed within their associated Completion Times, the un it must be brought to a MODE or condition in which the requirements do not apply. To achieve this status, THERMAL POWER must be reduced to 50%RTP within 4hours. The allowed Completion Time of (continued)
FHN North Anna Units 1 and 2B 3.2.4-6Revision 46QPTRB 3.2.4BASESACTIONSB.1 (continued)4hours is reasonable, based on operati ng experience regarding the amount of time required to reach the reduced power level without challenging unit systems.SURVEILLANCE REQUIREMENT
SSR3.2.4.1SR3.2.4.1 is modified by two Notes. Note 1 allows QPTR to be calculated with three power range cha nnels if THERMAL POWER is 75%RTP and the input from one Power Range Neutr on Flux channel is inoperable. Note 2 allows performance of SR 3.2.4.2 in lieu of SR 3.2.4.1.This Surveillance verifies that th e QPTR, as indicated by the Nuclear Instrumentation System (NIS) excore channels, is within its limits. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
For those causes of QPT that occu r quickly (e.g., a dropped rod), there typically are other indications of abnor mality that prompt a verification of core power tilt.
SR3.2.4.2This Surveillance verifies that the QP TR, as determined using the movable incore detectors, is within its limits
. This Surveillance may be performed in lieu of SR3.2.4.1, as provided by a SR3.2.4.1 Note. SR3.2.4.2 is modified by a Note, which states that it is not required until 12hours after the inputs from one or more Power Range Neutron Flux channels are
inoperable and the THERMAL POWER is >75%RTP. Therefore, this Surveillance is only required to be performed when one or more Power Range Neutron Flux channels are inope rable, but may be performed to satisfy the routine monitoring of QPTR.With an NIS power range channel inoperable, tilt moni toring for a portion of the reactor core becomes degraded. Large tilts are likely detected with the remaining channels, but the capabili ty for detection of small power tilts in some quadrants is decreased. Performing SR3.2.4.2 provides an accurate alternative means for ensuring that any tilt remains within its limits.(continued)
QPTRB 3.2.4BASESNorth Anna Units 1 and 2B 3.2.4-7Revision 46SURVEILLANCE REQUIREMENT
SSR3.2.4.2 (continued)
QPTR is determined using the movabl e incore detectors performing a full core incore flux map or by monitoring two sets of four thimble locations with quarter core symmetry. The two se ts of four symmetric thimbles is a set of eight unique detector locations. These locations are C-8, E-5, E-11, H-3, H-13, L-5, L-11, andN-8. The symmetric thimble flux map can be
used to generate symmetric thimble tilt. This can be compared to a reference symmetric thimble tilt, taken from the most recent full core flux map used to normalize the excore dete ctors, to calculate QPTR. If a full core flux map is used to determine QPTR, the measured incore tilt values from the full core flux map are compared to those from the most recent full core flux map used to normalize the excore detectors. The difference between these tilt values is the QP TR for the current core conditions.
Therefore, the movable incore detectors can be used to confirm that QPTR is within limits.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.10CFR50.46.2.VEP-NFE-2-A, "VEPCO Evaluati on of the Control Rod Ejection Transient."3.UFSAR, Section3.1.22.
Intentionally Blank North Anna Units 1 and 2B 3.3.1-1Revision 0RTS Instrumentation B 3.3.1B 3.3INSTRUMENTATIONB 3.3.1Reactor Trip System (RTS) InstrumentationBASESBACKGROUNDThe RTS initiates a unit shutdown, based on th e values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.
The protection and monitoring systems have been designed to assure safe operation of the reactor. This is ach ieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.Technical specifications are required by 10CFR50.36 to contain LSSS defined by the regulation as "- setti ngs for automatic protective devices
- so chosen that automatic protecti ve action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Anal ytic Limit is the limit of the process variable at which a safety action is initiated, as established by the safety an alysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytic Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more
conservative than the Analytic Li mit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.The Trip Setpoint is a predetermined se tting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit and thus ensuring that the SL would not be exceeded. As such, the Trip Setpoint accounts for unc ertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g.,
repeatability), changes in the point of action of the device over time (e.g.,
drift during surveillance intervals)
, and any other factors which may influence its actual perfo rmance (e.g., harsh accident environments). In this manner, the Trip Setpoint plays an im portant role in ensuring the SLs are not exceeded. As such, (continued)
North Anna Units 1 and 2B 3.3.1-2Revision 0RTS Instrumentation B 3.3.1BASESBACKGROUND (continued)the Trip Setpoint meets the definition of an LSSS (Ref.9) and could be used to meet the requirement that they be contained in the technical specifications.Technical specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in technical specifications as
"- being capable of performing its safety function(s)." For automatic pr otective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10CFR50.36 is the same as the OPERABILITY limit for these devices. However, use of the Trip Se tpoint to define OPERABILITY in technical specifications and its corresponding designation as the LSSS required by 10CFR50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY li mit for the "as found" value of a protective device se tting during a surveillance. This would result in technical specification co mpliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic prot ective device with a setting that has been found to be different from the Trip Setpoint due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the Trip Setpoint and thus the automatic protective action would st ill have ensured that the SL would not be exceeded with the "as f ound" setting of the protective device. Therefore, the device would still be OPERABLE si nce it would have performed its safety function and the only corrective action required would be to reset the device to the Trip Setpoint to account for further drift during the next surveillance interval.Use of the Trip Setpoint to defi ne "as found" OPER ABILITY and its designation as the LSSS under the expe cted circumstances described above would result in actions required by both the rule and technical specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its
function due, for example, to greater than expected drift. This value needs to be specified in the technical specifications in order to define
OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS.
(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-3Revision 20BACKGROUND (continued)The Allowable Value specified in Table3.3.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT).
As such, the Allowable Value differs from the Trip Setpoint by an amount
primarily equal to the expected instrume nt loop uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the
device will still meet the LSSS definition and ensure that a Safety Limit is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. If the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable for a technical specification perspective. This requires corrective action in cluding those actions required by 10CFR50.36 when automatic protective devices do not function as
required. Note that, although the channel is "OPERABLE" under these
circumstances, the trip set point should be left adjust ed to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced set point methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.
During AOOs, which are those events e xpected to occur one or more times during the unit life, the acceptable limits are:
1.The Departure from Nucleate Bo iling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);2.Fuel centerline melt shall not occur; and3.The RCS pressure SL of 2750 psia shall not be exceeded.
Operation within the SLs of Specification2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10CFR50 criteria during AOOs.
Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10CFR50.67 limits. Different accident categories are allowed a different fraction of these limits, based on probability of (continued)
North Anna Units 1 and 2B 3.3.1-4Revision 0RTS Instrumentation B 3.3.1BASESBACKGROUND (continued)occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.The RTS instrumentation is segmented in to four distinct but interconnected modules as described in UFSAR, Chapter7 (Ref.1), and as identified below:
1.Field transmitters or process sens ors: provide a meas urable electronic signal based upon the physical characteristics of the parameter being measured;2.Signal Process Control and Pr otection System, including Analog Protection System, Nuclear Instru mentation System (NIS), field
contacts, and protection channel sets: provides signal conditioning, bistable setpoint comparison, proc ess algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscel laneous indications;3.Solid State Protection System (
SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process c ontrol and protection system; and4.Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods
," to trip, or de-energize, and fall into the core and shut down the reactor. Th e bypass breakers allow testing of the RTBs at power.
Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the ca libration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the trip setpoints and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessme nt of field transmitter or sensor as related to the channel behavi or during performance of CHANNEL CHECK.
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-5Revision 0BACKGROUND (continued)
Signal Process Control and Protection SystemGenerally, three or four channels of process control equipment are used for the signal processing of uni t parameters measured by the field instruments.
The process control equipment provi des signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter7 (Ref.1), Chapter6 (Ref.2), and Chapter15 (Ref.3). If the measured value of a unit parameter exceeds the predetermined set point, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit
parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while
others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.
When a parameter is used only for i nput to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fail s, such that a partial Function trip occurs, a trip will not occur and th e Function is still OPERABLE with a one-out-of-two logic.
When a parameter is used for input to the SSPS and a co ntrol function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the
protection function actuation. Again, a si ngle failure will neither cause nor prevent the protection f unction actuation. These requi rements are described in IEEE-279-1971 (Ref.4). The actual number of channe ls required for each unit parameter is specified in Reference1.Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. Th e logic channels are designed such that testing required while the (continued)
North Anna Units 1 and 2B 3.3.1-6Revision 0RTS Instrumentation B 3.3.1BASESBACKGROUNDSignal Process C ontrol and Protection System (continued) reactor is at power may be accomplis hed without causing trip. Provisions to allow removing logic channels fr om service during maintenance are unnecessary because of the logic system's designed reliability.
Allowable Values and RTS Setpoints The trip setpoints used in the bistables are based on the analytical limits cited in Reference3. The selection of these trip setpoints is such that adequate protection is pr ovided when all sensor a nd processing ti me delays are taken into account. To allow for calibration tole rances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10CFR50.49 (Ref.5), the Allowable Values specified in Table3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits. The methodology used to calcul ate the trip setpoints and Allowable Values, including their explicit uncertainties, is cited in the "RTS/ESFAS Setpoint Methodology Study" (Ref.6) wh ich incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the de termination of each trip setpoint and corresponding Allowable Value. The trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value (LSSS) to account for measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interv al. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.The trip setpoint is the value at which the bistable is set and is the expected value to be achieved during calibration.
The trip setpoint value ensures the LSSS and the safety analysis limits are met for surveillance interval selected when a channel is adjusted based on stated channel uncertainties.
Any bistable is considered to be properly adjusted when the "as left"
setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/-rack calibration + comparator setting uncertainties). The trip (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-7Revision 0BACKGROUNDAllowable Valu es and RTS Setpoints (continued) setpoint value is therefore considered a "nominal" value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION.Trip setpoints consistent with the requirements of the Allowable Value ensure that SLs are not violated dur ing AOOs (and that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at th e onset of the AOO or DBA and the equipment functions as designed).
Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements of Table3.3.1-1. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field
instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.Solid State Protection System The SSPS equipment is used for the d ecision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide re actor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy sepa ration and independence requirements.
The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.
The SSPS performs the decision logic fo r actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the
required trip or actuation, and provi des the status, permissive, and
annunciator output signals to th e main control room of the unit.
(continued)
North Anna Units 1 and 2B 3.3.1-8Revision 0RTS Instrumentation B 3.3.1BASESBACKGROUNDSolid State Protection System (continued)
The bistable outputs from the signa l processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the uni t to a safe condition. Ex amples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.Reactor Trip SwitchgearThe RTBs are in the electrical power s upply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and
control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.
During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use.
When the required logic matrix comb ination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open. This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each RTB is also equipped with a shunt trip
attachment device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS.
Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providi ng a diverse trip mechanism.
The logic Functions are described in the functional diagrams included in Reference2. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in te sting device that can automatically test the logic Functions and the actuation devices while the unit is at power.
When any one train is taken out of se rvice for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-9Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITYThe RTS functions to maintain the SL s during all AOOs and mitigates the consequences of DBAs in all MODES in which the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.Each of the analyzed accidents and tr ansients can be detected by one or more RTS Functions. The accident anal ysis described in Reference3 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide pr otection for conditions that do not require dynamic transient analysis to demonstrate Function performance.
They may also serve as backups to RTS trip Functions that were credited in
the accident analysis.The LCO requires all instrumentation performing an RTS Function, listed in Table3.3.1-1 in the accompanying LCO, to be OPERABLE. A channel
is OPERABLE with a trip setpoint va lue outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip set point "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the
nominal trip setpoint. A tr ip setpoint may be set more conservative than the nominal trip setpoint as necessary in respons e to the unit conditions.
Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in
each logic Function, and two trains in each Automatic Trip Logic Function. Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other thr ee protection and channels. Three OPERABLE instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interact ion that could simultaneously create a need for RTS trip and disable one RTS channel. The (continued)
North Anna Units 1 and 2B 3.3.1-10 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)two-out-of-three and two-out-of-four configurations allow one channel to
be tripped during maintenance or te sting without causing a reactor trip.
Specific exceptions to the above gene ral philosophy exist and are discussed below.Reactor Trip Sy stem FunctionsThe safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:
1.Manual Reactor TripThe Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the au tomatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any
parameter is rapidly trending toward its trip setpoint.The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is cont rolled by a manual reactor trip switch. Each channel activates the r eactor trip breaker in both trains.
Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.In MODE1 or2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully wit hdrawn from the core. In MODE3, 4, or5, the manual initiation Function must also be
OPERABLE if one or more shut down rods or control rods are
withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE3, 4, or5, manual
initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or
control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core, or all of the rods are inserted, there is no need to be able to trip the reactor. In MODE6, neither the shutdown rods nor the control rods are pe rmitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods.
Therefore, the manual initia tion Function is not required.
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-11Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)2.Power Range Neutron FluxThe NIS power range detectors are located external to the reactor vessel and measure neutrons leak ing from the core. The NIS power range detectors provide input to the Rod Control System and the
Steam Generator (SG) Water Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiti ng further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.a.Power Range Neutron Flux-High The Power Range Neutron Flux-Hi gh trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations.
These can be caused by rod withdrawal or reductions in RCS
temperature.
The LCO requires all four of the Power Range Neutron Flux-High channels to be OPERABLE.In MODE1 or2, when a positive reactivity excursion could occur, the Power Range Neutron Flux-High trip must be
OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE3, 4, 5, or6, the NIS
power range detectors ca nnot detect neutron levels in this range.
In these MODES, the Power Ra nge Neutron Flux-High does not have to be OPERABLE because the reactor is shut down and
reactivity excursions into the power range are extremely unlikely.
Other RTS Functions and admini strative controls provide protection against reactivity additions when in MODE3, 4, 5, or6.
North Anna Units 1 and 2B 3.3.1-12 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY2.Power Range Neutron Flux (continued)b.Power Range Neutron Flux-Low The LCO requirement for the Power Range Neutron Flux-Low trip Function ensures that protec tion is provided against a positive reactivity excursion from low power conditions.
The LCO requires all four of the Power Range Neutron Flux-Low channels to be OPERABLE.In MODE1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE2, the Power Range Neutron Flux-Low trip must be OPERABLE. This Function may be manually
blocked by the operator when two out of four power range channels are greater than approxi mately 10% RTP (P-10 setpoint).
This Function is automatically unb locked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity addi tions are mitigated by the Power Range Neutron Flux-High trip Function.In MODE3, 4, 5, or6, the Power Range Neutron Flux-Low trip Function does not have to be OPERABLE because the reactor is
shut down and the NIS power ra nge detectors cannot detect neutron levels in this range.
Other RTS trip Functions and administrative controls provi de protection against positive reactivity additions or power excursions in MODE3, 4, 5, or6.3.Power Range Neutron Flux Rate The Power Range Neutron Flux Rate trips use the same channels as discussed for Function2 above.a.Power Range Neutron Flux-High Positive Rate The Power Range Neutron Flux-H igh Positive Rate trip Function ensures that protecti on is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accom panying ejection of the RCCA.
This Function compliments the Power Range Neutron (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-13Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY3.Power Range Neutron Flux Rate (continued)a.Power Range Neutron Flux-High Positive Rate (continued)
Flux-High and Low Setpoint trip Functions to ensure that the
criteria are met for a rod ej ection from the power range.
The LCO requires all four of the Power Range Neutron
Flux-High Positive Rate ch annels to be OPERABLE.In MODE1 or2, when there is a potential to add a large amount of positive reactivity from a r od ejection accident (REA), the Power Range Neutron Flux-High Po sitive Rate trip must be OPERABLE. In MODE3, 4, 5, or6, the Power Range Neutron
Flux-High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity additions. Also, since only the shutdown banks may be fully withdrawn in MODE3, 4, or5, the remaining complement of
control bank (partial withdraw al allowed) worth ensures a sufficient degree of SDM in the event of an REA. In MODE6, no rods are withdrawn and the SDM is increased during refueling
operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this mode.b.Power Range Neutron Flux-High Negative Rate The Power Range Neutron Flux-H igh Negative Rate trip Function ensures that protection is provided for multiple rod drop accidents. At high power levels
, a multiple rod drop accident could cause local flux peaking that would result in an
unconservative local DNBR. DNBR is defined as the ratio of the
heat flux required to cause a DNB at a particular location in the core to the local heat flux. The DNBR is indicative of the margin
to DNB. No credit is taken for the operation of this Function for
those rod drop accidents in which the local DNBRs will be greater than the limit.
(continued)
North Anna Units 1 and 2B 3.3.1-14 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY3.Power Range Neutron Flux Rate (continued)b.Power Range Neutron Flux-High Negative Rate (continued)
The LCO requires all four Po wer Range Neutron Flux-High Negative Rate channels to be OPERABLE.In MODE1 or2, when there is potential for a multiple rod drop accident to occur, the Power Range Neutron Flux-High Negative Rate trip must be OPERABLE. In MODE3, 4, 5, or6, the Power
Range Neutron Flux-High Negative Rate trip Function does not have to be OPERABLE because the core is not critical and DNB
is not a concern. Also, since onl y the shutdown banks may be fully withdrawn in MODE3, 4, or5, the remaining complement of
control bank (partial withdraw al allowed) worth ensures a sufficient degree of SDM in the event of an REA. In MODE6, no
rods are withdrawn and the re quired SDM is increased during refueling operations. In addition, the NIS power range detectors cannot detect neutron levels present in this MODE.4.Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that
protection is provided against an uncontrolled RCCA bank rod
withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from th e core. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may
terminate the transient and eliminate the need to trip the reactor.
The LCO requires two channels of Intermediate Range Neutron Flux
to be OPERABLE. Two OPERABLE channels are sufficient to
ensure no single random failure wi ll disable this trip Function.
(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-15Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY4.Intermediate Range Neutron Flux (continued)Because this trip Function is important only during startup, there is
generally no need to disable channels for testi ng while the Function is required to be OPERABLE. Therefor e, a third channel is unnecessary.In MODE1 below the P-10 setpoint, and in MODE2 above the P-6 setpoint, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux-High Setpoint trip and the Power Range
Neutron Flux-High Positive Rate tr ip provide core protection for a rod withdrawal accident. In MODE2 below the P-6 setpoint, the Source Range Neutron Flux Trip provides the core protection for reactivity accidents. In MODE3, 4, or5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because Source
Range Instrumentation channels provide the required reactor trip protection. The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range detectors cannot detect neutron
levels present in this MODE.5.Source Range Neutron Flux The LCO requirement for the S ource Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accide nt from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low trip Function. In MODES3, 4, and5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS sour ce range detect ors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detect ors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES3, 4, and5 when rods are
capable of withdrawal or one or more rods are not fully inserted. Therefore, the functional capability at the trip setpoint is assumed to
be available.
(continued)
North Anna Units 1 and 2B 3.3.1-16 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY5.Source Range Neutron Flux (continued)
The Source Range Neutron Flux F unction provides protection for control rod withdrawal from subcritical, bor on dilution and control rod ejection events.In MODE2 when below the P-6 setpoint and in MODES3, 4, and5 when there is a potential for an uncontrolled RCCA bank rod withdrawal accident, the Source Range Neutron Flux trip must be
OPERABLE. Two OPERABLE channels are sufficient to ensure no
single random failure will disable this trip Function. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power
Range Neutron Flux-Low Setpoint tr ip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS source range detectors are de-energ ized and inoperable.In MODES3, 4, and5 with all rods fully inserted and the Rod Control System not capable of rod withdrawal, and in MODE6, the outputs of the Function to RTS logic ar e not required OPERABLE. The requirements for the NIS source ra nge detectors to monitor core neutron levels and provide indication of reactivity changes that may
occur as a result of events lik e a boron dilution are addressed in LCO3.9.3, "Nuclear Instrumentation," for MODE6.6.Overtemperature TThe Overtemperature T trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower T trip Function must provide protection.
The inputs to the Overtemperature T trip include pressurizer pressure, coolant temperature, ax ial power distribution, and reactor
power as indicated by loop T assuming full reactor coolant flow.
Protection from violating the DN BR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function m onitors both variation in power and flow since a decrease in flow has the same effect on T as a power increase. The Overtemperature T trip(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-17Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY6.Overtemperature T (continued)
Function uses each loop's T as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:
?reactor coolant average temperature-the trip setpoint is varied to correct for changes in coolant density and specific heat capacity
with changes in coolant temperature;
?pressurizer pressure-the trip set point is varied to correct for changes in system pressure; and
?axial power distribution-f(I), the trip setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range de tectors. If axial peaks are
greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the trip setpoint is reduced in accordance with Note1 of Table3.3.1-1.
Dynamic compensation is included fo r system piping delays from the core to the temperature measurement system.
The Overtemperature T trip Function is calculated for each loop as described in Note1 of Table3.3.1-1.
Trip occurs if Overtemperature T is indicated in two loops. The pr essure and temper ature signals are used for other control functions. The actuation logic must be able to withstand an input failure to th e control system, which may then require the protection function actua tion, and a single failure in the other channels providing the protec tion function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the trip setpoint. A tu rbine runback will reduce turbine power and reactor power
. Additionally, the turb ine runback setpoint blocks automatic and manual rod withdrawal. A reduction in power will normally alleviate the Overtemperature T condition and may prevent a reactor trip.
The LCO requires all three channels of the Overtemperature T trip Function to be OPERABLE. Note that the Overtemperature T Function receives input from (continued)
North Anna Units 1 and 2B 3.3.1-18 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY6.Overtemperature T (continued) channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.In MODE1 or2, the Overtemperature T trip must be OPERABLE to prevent DNB. In MODE3, 4, 5, or6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.7.Overpower TThe Overpower T trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less
than 1% cladding strain) under al l possible overpower conditions.
This trip Function also limits the required range of the
Overtemperature T trip Function and provide s a backup to the Power Range Neutron Flux-High Set point trip. The Overpower T trip Function ensures that the allowable h eat generation rate (kW/ft) of the fuel is not exceeded. It uses the T of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:
?reactor coolant average temperature-the trip setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; and
?rate of change of reactor coolant average temperature-including dynamic compensation for the delays between the core and the temperature measurement system
. The function generated by the rate lag controller for T avg dynamic compensation is represented by the expression: 3s/1+3s. The time constant utilized in the rate lag controller for T avg is 3.The Overpower T trip Function is calculated for each loop as per Note2 of Table3.3.1-1. Trip occurs if Overpower T is indicated in two loops. Note that this Function al so provides a signa l to generate a turbine runback prior to reaching the Allowable Value. A turbine runback will reduce turbine power and reactor power.
(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-19Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY7.Overpower T (continued)Additionally, the turbine runback setpoint blocks automatic and
manual rod withdrawal. A reduction in power will normally alleviate the Overpower T condition and may prevent a reactor trip.The LCO requires three cha nnels of the Overpower T trip Function to be OPERABLE. Note that the Overpower T trip Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require en try into the Conditions applicable to all affected Functions.In MODE1 or2, the Overpower T trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned a bout the heat generation rates and overheating of the fuel. In MODE3, 4, 5, or6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel
overheating and fuel damage.8.Pressurizer Pressure The same sensors provide input to the Pressurizer Pr essure-High and
-Low trips and the OvertemperatureT trip.a.Pressurizer Pressure-Low The Pressurizer Pressure-Low trip Function ensures that
protection is provided against violating the DNBR limit due to low pressure.
The LCO requires three channels of Pressurizer Pressure-Low to be OPERABLE.
In MODE1, when DNB is a major concern, the Pressurizer Pressure-Low trip must be OP ERABLE. This trip Function is
automatically enabled on increa sing power by the P-7 interlock (NIS power range P-10 or turbine impulse pressure greater than approximately 10% of full pow er equivalent (P-13)). On decreasing power, this trip Func tion is automatically blocked below P-7. Below the P-7 setpoint, no conceivable power
distributions can occur that would cause DNB concerns.
North Anna Units 1 and 2B 3.3.1-20 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY8.Pressurizer Pressure (continued)b.Pressurizer Pressure-High The Pressurizer Pressure-High trip Function ensures that
protection is provided against overpressurizing the RCS. This trip Function operates in conjunction w ith the pressurizer relief and safety valves to prevent RCS overpressure conditions.The LCO requires three cha nnels of the Pressurizer Pressure-High to be OPERABLE.
The Pressurizer Pressure-High LSSS is selected to be below the pressurizer safety valve actuati on pressure and above the power operated relief valve (PORV) se tting. This setting minimizes challenges to safety valves while avoiding unnecessary reactor trip for those pressure increases that can be controlled by the
PORVs.In MODE1 or2, the Pressurizer Pressure-High trip must be OPERABLE to help prevent RCS overpressurization and
minimize challenges to the relief and safety valves. In MODE3, 4, 5, or6, the Pressurizer Pressure-High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the
operator will have sufficient time to evaluate unit conditions and take corrective actions. A dditionally, low temperature overpressure protection systems provide overpressure protection when below MODE4.9.Pressurizer Water Level-HighThe Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High trip and also provides protection against water relief through the pressurizer safety valves.
These valves are designed to pass steam in order to achieve their
design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. Th e LCO requires three channels of Pressurizer Water Level-High to be OPERABLE. The pressurizer
level channels are used as input to the Pressurizer Level Control
System. A fourth channel is not re quired to address control/protection (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-21Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY9.Pressurizer Water Level-High (continued)interaction concerns. The level ch annels do not actuate the safety valves, and the high pressure reactor trip is set below the safety valve
setting. Therefore, with the slow rate of charging available, pressure overshoot due to level channel failur e cannot cause the safety valve to lift before reactor high pressure trip.In MODE1, when there is a potentia l for overfilling the pressurizer, the Pressurizer Water Level-High trip must be OPERABLE. This trip Function is automatically enab led on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 set point, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit co nditions and take corrective actions.10.Reactor Coolant Flow-Low The Reactor Coolant Flow-Low trip Function ensures that protection is provided against violating the DNBR limit due to low
flow in one or more RCS loops, while avoiding reactor trips due to
normal variations in loop flow. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled.
Above the P-8 setpoint, which is a pproximately 30% RTP, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow si gnals are not used for any control system input.The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE in MODE1 above P-7.
In MODE1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core because of the higher power level. In MODE1 below the P-8 setpoint and above the P-7 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat
production to generate DNB conditions.
North Anna Units 1 and 2B 3.3.1-22 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)11.Reactor Coolant Pump (RCP) Breaker Position Both RCP Breaker Position trip Func tions operate from three pairs of auxiliary contacts, with one pa ir on each RCP breaker with one contact supplying each train. These Functions anticipate the Reactor Coolant Flow-Low trips to avoid RCS heatup that would occur
before the low flow trip actuates.
The RCP Breaker Position (Single L oop) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in one RCS loop. The position of each RCP breaker is
monitored. If one RCP breaker is open above the P-8 setpoint, a reactor trip is initiated. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Single Loop) trip setpoint is reached.The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this trip Function because the RCS Flow-Low trip alone provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to antici pate the low flow trip, minimizing the thermal transient associated with loss of a pump.
This Function measures only the disc rete position (open or closed) of the RCP breaker. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.In MODE1 above the P-8 setpoint, when a loss of flow in any RCS loop could result in DNB conditions in the core, the RCP Breaker Position (Single Loop) trip must be OPERABLE. In MODE1 below
the P-8 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip be cause of the lower power level and the greater margin to the design limit DNBR.
The RCP Breaker Position (Two L oops) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops
. The position of each RCP breaker is monitored. Above the P-7 setpoi nt and below the P-8 setpoint, a loss of flow in two or more loops will initiate a reactor (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-23Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY11.Reactor Coolant Pump (RCP) Breaker Position (continued) trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) trip setpoint is reached.
The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this Function because the RCS Flow-Low trip al one provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of an RCP.
This Function measures only the disc rete position (open or closed) of the RCP breaker. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.In MODE1 above the P-7 setpoint and below the P-8 setpoint, the RCP Breaker Position (Two Loops) trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor trip because of the higher power level and the reduced margin to the design limit DNBR.12.Undervoltage Reactor Coolant PumpsThe Undervoltage RCPs reactor trip Function ensures that protection
is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP bus is monitored.
Above the P-7 setpoint, a loss of vol tage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor C oolant Flow-Low (Two Loops) trip setpoint is reached. Time dela ys are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.
(continued)
North Anna Units 1 and 2B 3.3.1-24 Revision 8RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY12.Undervoltage Reactor Coolant Pumps (continued)
The LCO requires three Undervol tage RCPs channels to be OPERABLE. Each channel monitors one RCP bus voltage with two sensors. One sensor monitors from A to B phases, while the other sensor senses from the B to C phases.In MODE1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocke d since no conceivable power distributions could occur that woul d cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor tr ip on loss of flow in two or more RCS loops is automatically enabled.13.Underfrequency Reactor Coolant Pumps The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss
of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency c ondition will slow down the pumps, thereby reducing their coastdown ti me following a pump trip. The proper coastdown time is required so that reacto r heat can be removed immediately after reactor trip. Th e frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip befo re the Reactor Coolant Flow-Low (Two Loops) trip setpoint is reached. Time delays are incorporated
into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.
The LCO requires three Underfrequency RCPs channels to be OPERABLE with each cha nnel monitoring one bus.In MODE1 above the P-7 setpoint
, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 se tpoint, all reactor trips on loss of flow are automatically bloc ked since no conceivable power distributions could occur that woul d cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor tr ip on loss of flow in two or more RCS loops is automatically enabled.Regarding RCP Underfrequency Testing, it should be noted that test circuits have not been installed on Unit1, therefore, such testing can only be performed on Unit2.
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-25Revision 50APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)14.Steam Generator Water Level-Low LowThe SG Water Level-Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the Auxiliary Feedwater (AFW) System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low
level in any SG is indicative of a lo ss of heat sink for the reactor. The
level transmitters provide input to the SG Level Control System.
Therefore, the actuation logic must be able to withstand an input
failure to the control system, whic h may then require the protection function actuation, and a single failur e in the other channels providing the protection function actuation. IEEE279 requirement s are satisfied by 2/3 logic for protection function actuation, thus allowing for a single failure of a cha nnel and still performing the protection function. For Unit1, the control/protection in terface is addre ssed with Steam Generator Water Level-Low, Coinci dent with Steam Flow/Feedwater
Flow Mismatch reactor trip function. For Unit2, the control/protection interaction is a ddressed by the use of the Median Signal Selector (MSS) which preven ts a single failure of a channel providing input to the control system requiring protec tive action. That is, a single failure of a channel prov iding input to the control system does not result in the control system initiating a condition requiring
protective action. The Median Signal Selector performs this by not selecting the channels i ndicating the highest or lowest steam generator levels as input to the control system. This Function also performs the
ESFAS function of starting the AFW pumps on low low SG level.The LCO requires three channels of SG Water Level-Low Low per SG to be OPERABLE. These channels for the SGs measure level with a narrow range span.In MODE1 or2, when the reactor requires a heat sink, the SG Water Level-Low Low trip must be OPERABLE. The normal source of water for the SGs is the Main Feedwater (MFW) System (not safety
related). The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. In MODE3, 4, 5, or6, the SG Water Level-Low Low Function does not have to be OPERABLE because the reactor is not operating (continued)
North Anna Units 1 and 2B 3.3.1-26 Revision 50RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)14.Steam Generator Water Level-Low Low (continued) or even critical. Decay heat re moval is normally accomplished by Main Feedwater System or AFW System in MODE3 and by the Residual Heat Removal (RHR) System in MODE4, 5, or6.15.Steam Generator Water Level-Low, Coincident With Steam Flow/Feedwater Flow Mismatch
[Unit 1 only]
SG Water Level-Low, in conjunction with the Steam
Flow/Feedwater Flow Mismatch, ensures that protection is provided against a loss of heat sink. In addi tion to a decreasing water level in the SG, the difference between feed water flow and steam flow is evaluated to determine if feedwate r flow is significantly less than steam flow. With less feedwater flow than steam flow, SG level will
decrease at a rate dependent upon the magnitude of the difference in flow rates. There are two SG level channels and two Steam
Flow/Feedwater Flow Mi smatch channels per SG. One narrow range level channel sensing a low level coincident with one Steam
Flow/Feedwater Flow Mismatch channel sensing flow mismatch (steam flow greater than feed fl ow) will actuate a reactor trip.
The LCO requires two channels of SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch.In MODE1 or2, when the reactor requires a heat sink, the SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch trip must be OPERABLE. The normal source of water for the SGs is the MFW System (not safety related). The AFW System is the safety
related backup source of water to ensu re that the SGs remain the heat sink for the reactor. In MODE3, 4, 5, or6, the SG Water Level-Low coincident with Steam Flow/Feedw ater Flow Mismatch Function does not have to be OPERABLE because the reactor is not operating or even critical. Decay heat remova l is normally accomplished by Main Feedwater System or AFW System in MODE3 and by the RHR System in MODE4, 5, or6.16.Turbine Tripa.Turbine Trip-Low Auto Stop Oil Pressure The Turbine Trip-Low Auto Stop Oil Pressure trip Function anticipates the loss of heat rem oval capabilities of the secondary system following a (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-27Revision 50APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)16.Turbine Trip (continued)a.Turbine Trip-Low Auto Stop Oil Pressure (continued) turbine trip. This trip Function acts to minimize the
pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-8 setpoint, approximately 30% power, will not actuate a reactor trip. Three pressure switches
monitor the Auto Stop oil pressure which interfaces with the Turbine Electrohydraulic Control System. A low pressure
condition sensed by two-out-of-th ree pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the turbine control system. The unit is designed to
withstand a complete loss of load and not sustain core damage or challenge the RCS pressure li mitations. Core protection is provided by the Pressurizer Pressure-High trip Function and RCS integrity is ensured by the pressurizer safety valves.The LCO requires three channels of Turbine Trip-Low Auto Stop Oil Pressure to be OPERABLE in MODE1 above P-8.Below the P-8 setpoint, a turbine trip does not actuate a reactor trip. In MODE2, 3, 4, 5, or6, there is no potential for a turbine
trip, and the Turbine Trip-Low Auto Stop Oil Pressure trip Function does not need to be OPERABLE.b.Turbine Trip-Turbine Stop Valve Closure The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat rem oval capabilities of the secondary system following a turbine trip. Any turbine trip from a power
level below the P-8 setpoint, a pproximately 30% power, will not actuate a reactor trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reacto r in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor
. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to wi thstand a complete loss of load and not (continued)
North Anna Units 1 and 2B 3.3.1-28 Revision 50RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)16.Turbine Trip (continued)b.Turbine Trip-Turbine Stop Valve Closure (continued) sustain core damage or challenge the RCS pressure limitations.
Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is en sured by the pressurizer safety valves. This trip Function is di verse to the Turbine Trip-Low Auto Stop Oil Pressure trip Function. Each turbine stop valve is
equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.
The LSSS for this Function is set to assure channe l trip occurs when the associated stop valve is completely closed.
The LCO requires four Turbin e Trip-Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE1 above P-8. All four channels must trip to cause reactor trip.
Below the P-8 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE2, 3, 4, 5, or6, there is no potential for a load rejection, and the Turbine Trip-Stop Valve Closure trip Function does not need to be OPERABLE.17.Safety Injection Input from Engineered Safety Feature Actuation SystemThe SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signa l that initiates SI. This is a condition of acceptability for the LOCA. However, other transients and accidents take credit for vary ing levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiate d every time an SI signal is present.Allowable Values are not applicable to this Function. The SI input is provided by logic in the ESFAS. Therefore, there is no measurement signal with which to associate an LSSS.
(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-29Revision 50APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)17.Safety Injection Input from Engineered Safety Feature Actuation System (continued)
The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE1 or2.
A reactor trip is initiated every time an SI signal is present. Therefore, this trip Function must be OPERABLE in MODE1 or2, when the reactor is critical, and must be shut down in the event of an accident. In MODE3, 4, 5, or6, the reactor is not critical, and this trip Function does not need to be OPERABLE.18.Reactor Trip Sy stem Interlocks Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for th e current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions unde r which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock
Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:a.Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated.
The LCO requirement for the P-6 interlock ensures that the following Functions are performed:
?on increasing power, the P-6 inte rlock allows the manual block of the NIS Source Range, Neut ron Flux reactor trip. This prevents a premature block of th e source range trip and allows the operator to ensure that the intermediate range is
OPERABLE prior to leaving the source range. When the source
range trip is blocked, the high vol tage to the detectors is also removed; and
?on decreasing power, the P-6 interlock automatically energizes
the NIS source range detectors and enables the NIS Source
Range Neutron Flux reactor trip.
(continued)
North Anna Units 1 and 2B 3.3.1-30 Revision 50RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)18.Reactor Trip System Interlocks (continued)a.Intermediate Range Neutron Flux, P-6 (continued)
The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE2 when below the P-6 interlock setpoint.
Above the P-6 interlock setpoint
, the NIS Source Range Neutron Flux reactor trip will be blocke d, and this Function will no longer be necessary.
In MODE3, 4, 5, or6, the P-6 interlock does not have to be OPERABLE because the NIS Sour ce Range is providing core protection.b.Low Power Reactor Trips Block, P-7The Low Power Reactor Trips Bloc k, P-7 interlock is actuated by input from either the Power Ra nge Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures th at the following Functions are
performed:(1)on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:
?Pressurizer Pressure-Low;
?Pressurizer Water Level-High;
?Reactor Coolant Flow-Low (l ow flow in two or more RCS loops);
?RCPs Breaker Open (Two Loops);
?Undervoltage RCPs; and
?Underfrequency RCPs.
These reactor trips are only required when operating above
the P-7 setpoint (approximate ly 10% power). The reactor trips provide protection agains t violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing
sufficient natural circulat ion without any RCP running.
(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-31Revision 50APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)18.Reactor Trip Sy stem Interlocks (continued)b.Low Power Reactor Trips Block, P-7 (continued)(2)on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:
?Pressurizer Pressure-Low;
?Pressurizer Water Level-High;
?Reactor Coolant Flow-Low (low flow in two or more
RCS loops);
?RCP Breaker Posi tion (Two Loops);
?Undervoltage RCPs; and
?Underfrequency RCPs.
Allowable Value is not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.
The P-7 interlock is a logic Func tion with train and not channel identity. Therefore, the LCO re quires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE1.
The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE2, 3, 4, 5, or6, this
Function does not have to be OPERABLE because the interlock performs its Function when pow er level increases above 10% power, which is in MODE1.c.Power Range Neutron Flux, P-8 The Power Range Neutron Flux, P-8 interlock is actuated at
approximately 30% power as dete rmined by two-out-of-four NIS
power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow-Low and RCP Breaker Position
(Single Loop) reactor tr ips on low flow in one or more RCS loops on increasing power. The LCO requirement for this Function ensures that the Turbine Trip-Low Auto Stop Oil Pressure and
Turbine Trip-Turbine Stop Valve Closure reactor trips are enabled above the P-8 setpoint. Above the P-8 setpoint, a turbine
trip will (continued)
North Anna Units 1 and 2B 3.3.1-32 Revision 50RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)18.Reactor Trip System Interlocks (continued) setpoint. Above the P-8 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is
above the P-8 setpoint, to minimize the transient on the reactor.
The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that
could result in DNB conditions in the core when greater than
approximately 30% power. On decreasing power, the reactor trip on low flow in any one loop is automatically blocked.
The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE1.In MODE1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Ne utron Flux, P-8 interlock must be OPERABLE. In MODE2, 3, 4, 5, or6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.d.Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock is actuated at
approximately 10% power, as dete rmined by two-out-of-four NIS power range detectors.
If power level falls below approximately 10%RTP on3 of 4channels, the nuclear instrument low power trips will be automatically unblocked. The LCO requirement for
the P-10 interlock ensures that the following Functions are
performed:
?on increasing power, the P-10 inte rlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reacto r trip also blocks the signal to prevent automatic and manual rod withdrawal;
?on increasing power, the P-10 inte rlock allows the operator to manually block the Power Range Neutron Flux-Low reactor
trip;?on increasing power, the P-10 inte rlock automatically provides a backup signal to block the Sour ce Range Neutron Flux reactor trip, and also to de-energize the NIS source range detectors; (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-33Revision 50APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)18.Reactor Trip Sy stem Interlocks (continued)d.Power Range Neutron Flux, P-10 (continued)
?the P-10 interlock provides one of the two inputs to the P-7
interlock; and
?on decreasing power, the P-10 interlock automatically enables
the Power Range Neutron Flux-Low reactor trip and the
Intermediate Range Neutron Fl ux reactor trip (and rod stop).
The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE1 or2.OPERABILITY in MODE1 ensures the Function is available to perform its decreasing power Func tions in the event of a reactor shutdown. This Function must be OPERABLE in MODE2 to
ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux reactor trips. In MODE3, 4, 5, or6, this Function does not have to be OPERABLE because the
reactor is not at power and the Source Range Neut ron Flux reactor trip provides core protection.e.Turbine Impulse Pressure, P-13 The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure in the first stage of th e high pressure turbine is greater than approximately 10% of the rate d full power pressure. This is determined by one-out-of-two pr essure detectors. The LCO
requirement for this Function ensure s that one of the inputs to the P-7 interlock is available.
The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE1.
The Turbine Impulse Chamber Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The
interlock Function is not required to be OPERABLE in MODE2, 3, 4, 5, or6 because the turbine generator is not operating.
North Anna Units 1 and 2B 3.3.1-34 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY (continued)19.Reactor Trip BreakersThis trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Thus, the train may
consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the system configuration. Two
OPERABLE trains ensure no singl e random failure can disable the RTS trip capability.These trip Functions must be OPERABLE in MODE1 or2 when the reactor is critical. In MODE3, 4, or5, these RTS trip Functions must
be OPERABLE when the Rod Control System is capable of rod
withdrawal or one or more rods are not fully inserted.20.Reactor Trip Breaker Undervol tage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function19 above.
OPERABILITY of both trip mechanis ms on each breaker ensures that no single trip mechanism failure w ill prevent opening any breaker on a valid signal.These trip Functions must be OPERABLE in MODE1 or2 when the reactor is critical. In MODE3, 4, or5, these RTS trip Functions must
be OPERABLE when the Rod Control System is capable of rod
withdrawal or one or more rods are not fully inserted.21.Automatic Trip LogicThe LCO requirement for the RTBs (Functions19 and20) and Automatic Trip Logic (Function21) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core.
Each RTB is equipped with an undervo ltage coil and a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-35Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, and APPLICABILITY21.Automatic Trip Logic (continued) bypass breaker to allow testing of th e trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip
Logic cause the RTBs and associat ed bypass breakers to open and shut down the reactor.
The LCO requires two trains of RT S Automatic Trip Logic to be OPERABLE. Having two OPERABLE ch annels ensures that random failure of a single logic channel will not prevent reactor trip.
These trip Functions must be OPERABLE in MODE1 or2 when the reactor is critical. In MODE3, 4, or5, these RTS trip Functions must
be OPERABLE when the Rod Control System is capable of rod
withdrawal or one or more rods are not fully inserted.The RTS instrumentation satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).ACTIONSA Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditi ons of this Specification may be entered independently for each Function listed in Table3.3.1-1. When the Required Channels in Table3.3.1-1 are specified (e.g., on a per loop, per RCP, per SG, per train, etc., basis)
, then the Condition may be entered separately for each loop, RCP, SG
, train, etc., as appropriate.
In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected
Functions provided by that channel mu st be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.When the number of inoperable channels in a trip Function exceed those
specified in one or other related Conditions associat ed with a trip Function, then the unit is outside the safety analysis. Therefore, LCO3.0.3 must be immediately entered if applicable in the current MODE of operation.
North Anna Units 1 and 2B 3.3.1-36 Revision 0RTS Instrumentation B 3.3.1BASESACTIONS(continued)
A.1ConditionA applies to all RTS protection Functions. ConditionA addresses the situation where one or mo re required channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1 and B.2ConditionB applies to the Manual Reactor Trip in MODE1 or2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperabl e channel must be restored to OPERABLE status within 48hours. In this Condition, the remaining
OPERABLE channel is adequate to perform the safety function.The Completion Time of 48hours is r easonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.If the Manual Reactor Trip Functi on cannot be restored to OPERABLE status within the allowed 48hour Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6additional hours (54hours total time). The 6additional hours to reach MODE3 is reasonable, based on operating experience, to reach MODE3 from full power operation in an orderly ma nner and without challenging unit systems. With the unit in MODE3, ActionC would apply to any inoperable Manual Reactor Trip Function if the Rod Control System is
capable of rod withdrawal or one or more rods are not fully inserted.
C.1 and C.2ConditionC applies to the following reactor trip Functions in MODE3, 4, or5 with the Rod Control System capa ble of rod withdr awal or one or more rods not fully inserted:
?Manual Reactor Trip;
?RTBs;(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-37Revision 0ACTIONSC.1 and C.2 (continued)
?RTB Undervoltage and Shunt Trip Mechanisms; and
?Automatic Trip Logic.This action addresses the train orientat ion of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48hours. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48hour Completion Time, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, action must be initiated within 48hours to ensure that all rods are fully inserted, and the Rod
Control System must be placed in a condition incapable of rod withdrawal within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner. With rods fully inserted and the Rod Control System incapable of rod withdrawal, these Functions are
no longer required.The Completion Time is reasonable cons idering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.
D.1.1, D.1.2, D.2.1, D.2.2, and D.3ConditionD applies to the Power Range Neutron Flux-High Function.The NIS power range detectors provide input to the Rod Control System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in
the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72hours allowed to place the inoperable channel in the tripped condition is justified in Reference7.
In addition to placing the inoperabl e channel in the tripped condition, THERMAL POWER must be reduced to 75% RTP within 78hours. Reducing the power level prevents operation of the core with radial power distributions beyond the design limits. With one of the NIS power range
detectors inoperable, 1/4 of the ra dial power distribution monitoring capability is lost.
(continued)
North Anna Units 1 and 2B 3.3.1-38 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSD.1.1, D.1.2, D.2.1, D.2.2, and D.3 (continued)
As an alternative to the above actions
, the inoperable cha nnel can be placed in the tripped condition within 72hours and the QPTR monitored once every 12hours as per SR3.2.4.2, QPTR verification. Calculating QPTR every 12hours compensates for the lost monitoring capability due to the
inoperable NIS power range channel a nd allows continued unit operation at power levels 75% RTP. The 72hour Completion Time and the 12hour Frequency are consistent with LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)" for the long te rm monitoring requirement.
As an alternative to the above Actions, the unit may be placed in a MODE
where this Function is no longer required OPERABLE. Seventy-eight hours are allowed to place the unit in MODE3. This is a reasonable time, based on operating experience, to reach MODE3 from full power in an
orderly manner and wit hout challenging unit systems. If Required Actionscannot be completed within their allowed Completion Times, LCO3.0.3 must be entered.
The Required Actions have been modi fied by a Note that allows placing the inoperable channel in the bypass condition for up to 12hours while performing routine surveillance testin g of other channels. The Note also allows placing the inoperable channe l in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. The 12hour time limit is justified in Reference7.
Required Action D.2.2 has been modifi ed by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capabi lity to monitor QPTR. As such, determining QPTR using the movable incore detectors once per 12 hours may not be necessary.
E.1 and E.2ConditionE applies to the foll owing reactor tr ip Functions:
?Power Range Neutron Flux-Low;
?Overtemperature T;(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-39Revision 50ACTIONSE.1 and E.2 (continued)
?Overpower T;?Power Range Neutron Fl ux-High Positive Rate;
?Power Range Neutron Fl ux-High Negative Rate;
?Pressurizer Pressure-High;
?SG Water Level-Low Low; and
?SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch. [Unit 1 only]
A known inoperable channel must be pl aced in the tripped condition within 72hours. Placing the channel in the tr ipped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72hours allo wed to place the inoperable channel in the tripped condition is justified in Reference7.If the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the unit mu st be placed in a MODE where these Functions are not required OPERABLE. An additional 6hours is allowed to place the unit in MODE3.
Six hours is a reasonable time, based on operating experience, to place the unit in MODE3 fr om full power in an orderly manner and without challenging unit systems.
The Required Actions have been modifi ed by a Note that allows placing the inoperable channel in the bypassed condition for up to 12hours while performing routine surveill ance testing of the other channels. The 12hour time limit is justified in Reference7.
F.1 and F.2ConditionF applies to the Intermedia te Range Neutron Flux trip when THERMAL POWER is above the P-6 set point and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs both monitoring and protection Functions. If THERMAL POWER is greater than the (continued)
North Anna Units 1 and 2B 3.3.1-40 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSF.1 and F.2 (continued)
P-6 setpoint but less than the P-10 setpoint, 24hours is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the
capability of the source range, P-6, a nd below the capability of the power range, P-10. If THERMAL POWER is grea ter than the P-10 setpoint, the NIS power range detectors perfor m the monitoring and protection functions and the intermediate range protection function is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE cha nnel, and the low probability of its failure during this period. This action does not require the inoperable
channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only a pplicable when channel failure does not result in reactor trip.
G.1 and G.2ConditionG applies to two inoperabl e Intermediate Range Neutron Flux trip channels in MODE2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint.
Required Actions specified in this Condition are only applicable when cha nnel failures do not result in reactor trip. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs both monitoring and protection Functions. With no intermediate ra nge channels OPERABLE, suspending the introduction into the RCS of reactivity more positive than required to
meet the SDM is required to assure continued safe operation. Introduction of coolant inventory must be from s ources that have a boron concentration greater than what would be required in the RCS for minimum SDM. This may result in an overall reductio n in RCS boron concentration, but provides acceptable margin to ma intaining subcritical operation.
Introduction of temperature changes, including temperature increases when operating with a positive MTC, must al so be evaluated to not result in reducing core reactivity below the re quired SDM. This will preclude any power level increase si nce there are no OPERABLE Intermediate Range Neutron Flux channels. The opera tor must also reduce THERMAL POWER below the P-6 setpoint with in two hours. Below P-6, the Source Range(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-41Revision 0ACTIONSG.1 and G.2 (continued)
Neutron Flux channels will be able to monitor the core power level and provides a protection function. The Completion Time of 2hours will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.Required ActionG is modified by a Note to indicate that normal plant control operations that individually a dd limited positive reactivity (e.g.,
temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action,
provided they are accounted for in the calculated SDM.
H.1ConditionH applies to one inoperabl e Source Range Neutron Flux trip channel when in MODE2, below th e P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations i nvolving positive reactivity additions shall be suspended immediately.
This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions
that add positive reactivity to the core must be suspended immediately.Required ActionH is modified by a Note to indicate that normal plant control operations that individually a dd limited positive reactivity (e.g.,
temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action,
provided they are accounted for in the calculated SDM.
I.1ConditionI applies to two inoperable Source Range Neutron Flux trip channels when in MODE2, below the P-6 setpoint, and in MODE3, 4, or5 with the Rod Control System capa ble of rod withdrawal or one or more rod not fully inserted. With th e unit in this Condition, belowP-6, the NIS source range performs the monitoring and protection functions. With both(continued)
North Anna Units 1 and 2B 3.3.1-42 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSI.1 (continued) source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition.
J.1 and J.2ConditionJ applies to one inoperable source range channel in MODE3, 4, or5 with the Rod Control System capa ble of rod withdr awal or one or more rods not fully inserted. With the unit in this Condition, belowP-6, the NIS source range performs the monitoring and protection functions. With one of the source range channels inoperable, 48hours is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, action must be initiated within the same 48hours to ensure that all rods are fully inserte d, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour. The allowance of 48hours to restore the ch annel to OPERABLE status, and the additional hour, are justified in Reference7.
K.1 and K.2Condition K applies when the required number of OPERABLE Source Range Neutron Flux channels is not met in MODES3, 4, or5 with the Rod Control System is not capable of rod withdrawal. With the unit in this Condition, the NIS source range performs the monitoring function only.
With less than the required number of source range channels OPERABLE, operations involving positive reactivit y additions shall be suspended immediately.
The SDM must be verified within 1 hour and once every 12hours thereafter as per SR3.1.1.1, SDM verification. With no source range channels OPERABLE, the ability to m onitor the core is severely reduced. Verifying the SDM within 1hour allows sufficient time to perform the calculations and determine that th e SDM requirements are met. The SDM must also be verified once per 12hours thereafter to ensure that the core reactivity has not changed. Required ActionK.1 precludes any positive reactivity additions; theref ore, core reactivity s hould not be increasing, and a 12hour Frequency is adequate. The Completion Time of within 1hour and once per 12hours are (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-43Revision 0ACTIONSK.1 and K.2 (continued) based on operating experience in perf orming the Required Actions and the knowledge that unit conditions will change slowly.Required ActionK is modified by a No te which permits unit temperature changes provided the temperature change is accounted for in the calculated
SDM. Introduction of temperature changes, including temperature increases when a positive MTC exists, must be evaluated to ensure they do
not result in a loss of required SDM.
L.1 and L.2ConditionL applies to the foll owing reactor tr ip Functions:
?Pressurizer Pressure-Low;
?Pressurizer Water Level-High;
?Reactor Coolant Flow-Low;
?Undervoltage RCPs; and
?Underfrequency RCPs.With one channel inoperable, the inope rable channel must be placed in the tripped condition within 72hours. For the Pressurizer Pressure-Low, Pressurizer Water Level-High, Under voltage RCPs, a nd Underfrequency RCPs trip Functions, placing the cha nnel in the trippe d condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a r eactor trip. For the Reactor Coolant Flow-Low and RCP Breaker Position (Two Loops) trip Functions, placing the channel in the tripped c ondition results in a partial trip condition requiring only one additional channel in the same loop to initiate a reactor trip. For the latter two trip Functions, two tripped channels in two RCS loops are required to initiate a reactor trip when below the P-8
setpoint and above the P-7 setpoint.
These Functions do not have to be OPERABLE below the P-7 setpoint because there are no loss of flow trips
below the P-7 setpoint. There is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72hours allowed to place the channel in the tripped condition is justified in Reference7. An additional 6hours is allowed (continued)
North Anna Units 1 and 2B 3.3.1-44 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSL.1 andL.2 (continued)to reduce THERMAL POWER to belowP-7 if the inoperable channel cannot be restored to OPERABLE stat us or placed in trip within the specified Completion Time.
Allowance of this time interval ta kes into considerat ion the redundant capability provided by the remaini ng redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with ConditionK.
The Required Actions have been modi fied by a Note that allows placing the inoperable channel in the bypassed condition for up to 12hours while performing routine surveill ance testing of the other channels. The 12hour time limit is justified in Reference7.
M.1 and M.2ConditionM applies to the RCP Break er Position reactor trip Function.
There is one breaker position device per RCP breaker. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 72hours. If the channel cannot be restored to OPERABLE status within the 72hours, then THERMAL POWER must be reduced below the P-7 setpoint within the next 6hours.
This places the unit in a MODE wh ere the LCO is no longer applicable.
This Function does not have to be OPERABLE below the P-7 setpoint because other RTS Functions provide core protection below the P-8 setpoint. The 72hours allowed to restore the channel to OPERABLE status and the 6additional hours allowed to reduce THERMAL POWER to
below the P-7 setpoint are justified by a plant-specific risk assessment consistent with Reference7.
The Required Actions have been modi fied by a Note that allows placing the inoperable channel in the bypassed condition for up to 12hours while performing routine surveill ance testing of the other channels. The 12hour time limit is justified by a plant-specific risk assessment consistent with Reference7.
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-45Revision 0ACTIONS(continued)
N.1 and N.2ConditionN applies to Turbine Trip on Low Auto Stop Oil Pressure or on Turbine Stop Valve Closure. With one channel inoperable, the inoperable channel must be placed in the trip condition within 72hours. If placed in the tripped condition, this results in a partial trip condition requiring only one additional channel to initiate a re actor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-8 setpoint within the next 4hours. The 72hours allowed to place the inoperabl e channel in the tripped condition and the 4hours allowed for reducing power are justified in Reference7.
The Required Actions have been modifi ed by a Note that allows placing the inoperable channel in the bypassed condition for up to 12hours while performing routine surveill ance testing of the other channels. The 12hour time limit is justified in Reference7.
O.1 and O.2ConditionO applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES1 and2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24hours are allowed to restore the tr ain to OPERABLE status (Required ActionO.1) or the unit must be placed in MODE3 within the next 6hours. The Completion Time of 24hours (Required ActionO.1) is reasonable considering that in this Condition, the remaining OPERABLE train is
adequate to perform the safety function and given the low probability of an event during this interval. The Completion Time of 6hours (Required ActionO.2) is reasonable, based on operating experience, to reach MODE3 from full power in an orde rly manner and without challenging unit systems.
The Required Actions have been modifi ed by a Note that allows bypassing one train up to 4hours for surveillance testing, provided th e other train is OPERABLE.
P.1 and P.2ConditionP applies to the RTBs in MODES1 and2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 1hour is allowed to (continued)
North Anna Units 1 and 2B 3.3.1-46 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSP.1 andP.2 (continued)restore the train to OPERABLE status or the unit must be placed in MODE3 within the next 6hours. The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power in an orderly manner and wi thout challenging unit systems. The 1hour and 6hour Completion Times ar e equal to the time allowed by LCO3.0.3 for shutdown actions in the event of a complete loss of RTS Function. Placing the unit in MODE3 results in ActionC entry while RTB(s) are inoperable.
The Required Actions have been modified by three Notes. Note1 allows one channel to be bypassed for up to 2hours for surveillance testing, provided the other channel is OPERABLE. Note1 applies to RTB testing that is performed independently from the corresponding logi c train testing.
For simultaneous testing of logic and RTBs, the 4hour test time limit of ConditionO applies. Note2 allows one RTB to be bypassed for up to 2hours for maintenance on undervoltage or shunt trip mechanisms if the other RTB train is OPERABLE. The 2 hour time limit is justified in Reference7. Note3 applies to RTB test ing that is performed concurrently with the corresponding logic train test ing. For concurrent testing of the logic and RTB, the 4hour test time limit of ConditionO applies. The 4hour time limit is justified in Reference7.
Q.1 and Q.2ConditionQ applies to the P-6 and P-10 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1hour or the unit must be placed in MODE3 within the next 6hours. Veri fying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power in an orderly manner and wi thout challenging unit systems. The 1hour and 6hour Completion Times ar e equal to the time allowed by LCO3.0.3 for shutdown actions in the event of a complete loss of RTS Function.
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-47Revision 0ACTIONS(continued)
R.1 and R.2ConditionR applies to the P-7, P-8, and P-13 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1hour or the unit must be placed in MODE2 within the next 6hours. Thes e actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1hour is based on operating experience and the minimum amount of time
allowed for manual operator actions. The Completion Time of 6hours is
reasonable, based on operating experience, to reach MODE2 from full power in an orderly manner and without challenging unit systems.
S.1 and S.2ConditionS applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES1 and2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48hours or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE3 within the next 6hours (54hours total time). The Completion Time of 6hours is a
reasonable time, based on operating experience, to reach MODE3 from full power in an orderly manner a nd without challenging unit systems.With the unit in MODE3, ActionC would apply to any inoperable RTB trip mechanism. The affected RTB shall not be bypassed while one of the
diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2hours for the reasons stated under ConditionP.The Completion Time of 48hours for Required ActionS.1 is reasonable considering that in this Condition there is one rema ining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low proba bility of an event occurring during
this interval.
North Anna Units 1 and 2B 3.3.1-48 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT
SThe SRs for each RTS Function are identified by the SRs column of Table3.3.1-1 for that Function.A Note has been added to the SR Table stating that Table3.3.1-1 determines which SRs apply to which RTS Functions.Note that each channel of process pr otection supplies both trains of the RTS. When testing ChannelI, TrainA and TrainB must be examined.
Similarly, TrainA and TrainB must be examined when testing ChannelII, ChannelIII, and ChannelIV. The CHANNEL CALIBRATION and COTs are performed in a manner that is cons istent with the assumptions used in analytically calculating the required channel accuracies.SR3.3.1.1Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indica ted on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parame ter should read approximately the
same value. Significant deviations between the two instrument channels could be an indication of excessive inst rument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus
, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside th e criteria, it may be an indication that the sensor or the signal processing e quipment has drifted outside its limit.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-49Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.3.1.2SR3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output. If the calorimetric heat balance calculation results exceeds the power range channel output by more than +2%RTP, the power range channel is not declared inoperabl e, but must be adjusted. The power range channel output shall be adjusted consistent with the calorimetric heat balance calculation results if the calorimetric calculation exceeds the power range channel output by more than +2% RTP. If the power range channel output cannot be properly adjusted, the channel is declared inoperable.
If the calorimetric is performed at part power (<85% RTP), adjusting the power range channel indication in th e increasing power direction will assure a reactor trip below the safety analysis limit (<118% RTP). Making no adjustment to the power range channel in the decreasing power direction due to a part power calorimetr ic assures a reactor trip consistent with the safety analyses.
This allowance does not preclude making indicated power adjustments, if desired, when the calorimetric heat balance calculation power is less than the power range channel output. To provide close agreement between indicated power and to preserve operating margin, the power range
channels are normally adjusted when ope rating at or near full power during steady-state conditions. However, discre tion must be exercised if the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric (<85% RT P). This action may introduce a non-conservative bias at higher power levels which may re sult in an NIS reactor trip above the safety analysis limit (>118% RTP)
. The cause of the non-conservative bias is the decreased accuracy of the calorimetric at
reduced power conditions. The primary e rror contributor to the instrument uncertainty for a secondary side power calorimetric m easurement is the feedwater flow measurement, which is typically a P measurement across a feedwater venturi. While the measurement uncertainty remains constant in P as power decreases, when translated into flow, the uncertainty increases as a square term. Thus a 1% flow error at 100% power can approach a 10% flow error at 30% RTP even though the P error has not changed. The ultrasoni c flow meter provides more accurate feedwater flow measurement than the existing venturis. Feedwater flow measurement from the(continued)
North Anna Units 1 and 2B 3.3.1-50 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT
SSR3.3.1.2 (continued) ultrasonic flow meter may be used to compute the secondary side power calorimetric. If feedwater ultrasonic flow meter data is used for the calorimetric at reduced flow, the accur acy is also reduced however not as
significantly as with th e feedwater venturi data. An evaluation of extended operation at part power c onditions would conclude that it is prudent to administratively adjust the set point of the Power Range Neutron Flux-High bistables when: (1)the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric below 85% RTP; or (2)for a post refueling startup. The evaluation of extended
operation at part power conditions would also conclude that the potential need to adjust the indication of the Power Range Neutron Flux in the
decreasing power direction is quite small, primari ly to address operation in the intermediate range about P-10 (nominally 10% RTP) to allow the enabling of the Power Range Neut ron Flux-Low Setpoint and the
Intermediate Range Neutron Flux reactor trips. Before the Power Range Neutron Flux-High bist ables are reset to 109% RTP, a calorimetric must be performed and the power range channels must be adjusted such that the high flux bistables will trip at &#xa3;109% RTP. Consider ation must be given to calorimetric uncertainty, and its impact on decalibration of the power range channels.The Note clarifies that this Surveillan ce is required only if reactor power is 15%RTP and that 12hours are al lowed for performing the first Surveillance after reaching 15%RTP. A power level of 15% RTP is chosen based on plant stability, i.e., automatic rod control capability and turbine generator synchronized to the grid.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-51Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.3.1.3SR3.3.1.3 compares the incore system to the NIS channel output. If the absolute difference is 3%, the NIS channel is still OPERABLE, but it must be readjusted. The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is 3%. The adjustment is a recalibration of the upper and lower Power Range detectors to incorporate the results of the flux map.
If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f(I) input to the overtemperature T Function.A Note clarifies that the Surveillance is required only if reactor power is 15%RTP and that 72hours is allo wed for performing the first Surveillance after reaching 15%RTP.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.4SR3.3.1.4 is the performance of a TADOT. This test shall verify OPERABILITY by actuation of the end devices. A successful test of the
required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required fo r the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR3.3.1
.14. The test of the bypass breaker is a local shunt trip actuation. A Note has been added to indicate that this (continued)
North Anna Units 1 and 2B 3.3.1-52 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT
SSR3.3.1.4 (continued) test must be performed on the bypass breaker. The local manual shunt trip of the RTB bypass shall be conducted immediately after placing the bypass breaker into service.
This test must be conducted prior to the start of testing on the RTS or maintenance on a RTB. This checks th e mechanical operation of the bypass breaker.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.5SR3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation.
Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function, including operation of the P-7 permissive which is a logic function only.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.6SR3.3.1.6 is the performance of a TADOT. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.
(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-53Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.1.6 (continued)
The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and
underfrequency relays, setpoint veri fication requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.Regarding RCP Underfrequency Testing, it should be noted that test
circuits have not been installed on Unit1, therefore, such testing can only be performed on Unit2.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.7 A COT is performed on each required channel to ensure the entire channel will perform the intended Function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.The nominal trip setpoints must be within the Allowable Values specified in Table3.3.1-1.The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shal l be left set consistent with the assumptions of the current unit specific setpoint methodology.
SR 3.3.1.7 is modified by a Note that provides a 4 hour delay in the requirement to perform this Surveill ance for source range instrumentation when entering MODE 3 from MODE2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs
closed for > 4 hours this Surveillance must be performed prior to 4 hours
after entry into MODE 3.
(continued)
North Anna Units 1 and 2B 3.3.1-54 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT
SSR3.3.1.7 (continued)
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.8SR3.3.1.8 is the performance of a COT as described in SR3.3.1.7, except it is modified by a Note that this test shall include verification that the P-6 and P-10 interlocks are in their required state for the existing unit condition. A successful test of the requ ired contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the
other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable ex tensions. The Frequency is modified by a Note that allows this surveillan ce to be satisfied if it has been performed within the frequency specified in the Surveillance Frequency Control Program of the Frequencies prior to reactor startup and four hours
after reducing power below P-10 and P-6. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations
and applies to the source, intermedia te and power range low instrument channels. The Frequency of "12hour s after reducing power below P-10" (applicable to intermediate and power range low channels) and "4hours after reducing power below P-6" (appl icable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this survei llance without a delay to perform the testing required by this surveillance.
The Frequency applies if the unit remains in the MODE of Applicability after the initial performances of prior to reactor startup and twelve and four hours after reducing power below P-10 orP-6, respectively. The MODE of Applicability for this surveillance is <P-10 for the power range low and intermediate range channels and <P-6 for the source ra nge channels. Once the unit is in MODE3, this surveillance is no longe r required. If power is to be maintained <P-10 for more than 12 hours or < P-6 for more than 4hours, then the testing required by this surveillance must be performed prior to the
expiration of the time limit.
(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-55Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.1.8 (continued)Twelve hours and four hours are reasona ble times to complete the required testing or place the unit in a MODE wh ere this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (<P-10 or <P-6) for periods >12 and 4hours, respectively. Verification of the surveillance is
accomplished by observing the perm issive annunciator windows on the Main Control board. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.9SR3.3.1.9 is a comparison of the excore ch annels to the incore channels. If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore detector measurements.
If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(I) input to the overtemperature T Function.Two notes modify SR3.3.1.9. Note1 indicates that the excore NIS channels shall be adjusted if the absolute difference between the incore and excore is 3%. Note2 states that this Su rveillance is required only if reactor power is 50% RTP and that 72hours is allowed for performing the first surveillance after reaching 50%RTP.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.10A CHANNEL CALIBRATION is performed every 18months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.CHANNEL CALIBRATIONS must be pe rformed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values a nd the previous test "as left" values must be consistent with the drif t allowance used in the setpoint methodology.
(continued)
North Anna Units 1 and 2B 3.3.1-56 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT
SSR3.3.1.10 (continued)
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.10 is modified by a Note stati ng that this test shall include verification that the time constants are adjusted to the prescribed values where applicable.
SR3.3.1.11SR3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR3.3.1.10. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the po wer range neutron detectors consists of a normalization of the de tectors based on a power calorimetric and flux map performed above 15% RTP. The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists of obtaining the dete ctor plateau or preamp discriminator curves, evaluating those curves, and comparing those curves to the manufacturer's data. This Surveillan ce is not required for the NIS power range detectors for entry into MODE2 or1, and is not required for the NIS intermediate range detectors for entry into MODE2, because the unit must be in at least MODE2 to perform the test for the intermediate range detectors and MODE1 for the power range detectors. The Surveillance
Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.12SR3.3.1.12 is the performance of a CHANNEL CALIBRATION, as described in SR3.3.1.10. Whenever a sensin g element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detector (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.This test will verify the dynamic comp ensation for flow from the core to the RTDs. The OTT function is lead/lag compensated and the OPT function is rate/lag compensated.
(continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-57Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.1.12 (continued)
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.13SR3.3.1.13 is the performance of a COT of RTS interlocks. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERAT IONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Techni cal Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.14SR3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip, RCP Breaker Position, and the SI Input from ESFAS. A successful test of
the required contact(s) of a channe l relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable
because all of the other required contact s of the relay are verified by other Technical Specifications and non-Technical Specifi cations tests at least once per refueling interval with applicable extensions. The test shall independently verify the OPERABIL ITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip
Breakers and undervoltage trip mechanism for the Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall incl ude testing of the automatic undervoltage trip.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
(continued)
North Anna Units 1 and 2B 3.3.1-58 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT
SSR3.3.1.14 (continued)
The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with
them.SR3.3.1.15SR3.3.1.15 is the performance of a TADOT of Turbine Trip Functions. A successful test of the required co ntact(s) of a channel relay may be performed by the verification of the cha nge of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This TADOT is performed prior to exceeding the P-8 interlock whenever the unit has been in MODE3. Th is Surveillance is not required if
it has been performed within the fre quency specified in the Surveillance Frequency Control program. Verification of the trip setpoint does not have to be performed for this Surveillance. Performance of this test will ensure
that the turbine trip Function is OPERABLE prior to exceeding the P-8 interlock.SR3.3.1.16SR3.3.1.16 verifies that the individual channel/train ac tuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing a cceptance criteria are included in Technical Requirements Manual (Ref.8
). Individual component response
times are not modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip se tpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e.,
control and shutdown rods fully inserted in the reactor core).
For channels that include dynamic tr ansfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured re sponse time compared to the appropriate UFSAR response time as listed in the TRM. Alternately, the response time test can be performed with the time constants se t to their nominal value, provided the required response (continued)
RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-59Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.1.16 (continued)time is analytically calculated assumi ng the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the en tire response time is measured.
Response time may be veri fied by actual response time tests in any series of sequential, overlapping or tota l channel measurements, or by the summation of allocated sensor, sign al processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor re sponse times may be obtained from: (1)historical records ba sed on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2)i n place, onsite, or offsite (e.g., vendor) test measurements, or (3)utilizing vendor engineering specifications. WCAP-13632-P-A Revision2, "Eliminati on of Pressure Sensor Response Time Testing Requirements" (Ref.10) provides the basis and methodology for using allocated sensor response time s in the overall verification of the channel response time for specific sensors identified in the WCAP.
Response time verification for other se nsor types must be demonstrated by test.WCAP-14036-P-A Revision1 "Elimi nation of Periodic Protection Channel Response Time Tests" (Ref.11) provides the basis and the methodology for using allocated signa l processing and actuation logic response times in the overall verificat ion of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not
impact response time provided the parts used for repair are of the same type and value. Specific component s identified in the WCAP may be replaced without verification testing. One exampl e where response time could be affected is replacing the sensing assembly of a transmitter.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
(continued)
North Anna Units 1 and 2B 3.3.1-60 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT
SSR3.3.1.16 (continued)SR3.3.1.16 is modified by a Note stat ing that neutron detectors are excluded from RTS RESPONSE TIME te sting. This Note is necessary because of the difficulty in generating an appropriate detector input signal.
Response of neutron flux signal porti on of the channel time shall be measured from the detector or input of the first electronic component in the channel. Excluding the detectors is acce ptable because the principles of detector operation ensure a vi rtually instantaneous response.REFERENCES1.UFSAR, Chapter7.2.UFSAR, Chapter6.3.UFSAR, Chapter15.
4.IEEE-279-1971.
5.10CFR50.49.
6.RTS/ESFAS Setpoint Methodology Study (Technical ReportEE-0116).7.WCAP-10271-P-A, Supplement1, Rev.1, June1990 and WCAP-14333-P-A, Rev.1, October1998.8.Technical Requirements Manual.
9.Regulatory Guide1.105, Revision3, "Setpoints for Safety Related Instrumentation."10.WCAP-13632-P-A, Revision2, "El imination of Pressure Sensor Response Time Testing Requirements," January1996.11.WCAP-14036-P-A, Revision1, "El imination of Periodic Protection Channel Response Time Tests," December1995.
North Anna Units 1 and 2B 3.3.2-1Revision 0ESFAS Instrumentation B 3.3.2B 3.3  INSTRUMENTATIONB 3.3.2Engineered Safety Feature Actuation System (ESFAS) InstrumentationBASESBACKGROUNDThe ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect ag ainst violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:
?Field transmitters or process sens ors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;
?Signal processing equipment includi ng analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comp arison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications; and
?Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdow n or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal pro cess control and protection system.The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for ESFAS action to prevent exceeding acceptable limits such that the consequences of Design Basis Accide nts (DBAs) will be acceptable. The Allowable Value is considered a limiti ng value such that a channel is OPERABLE if the set point is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT).
Note that, although a channel is "OPE RABLE" under these circumstances, the ESFAS setpoint must be left adjusted to within the established calibration tolerance band of the ESFA S setpoint in accordance with the uncertainty assumptions stated in the referenced setpoint methodology, (as-left criteria) and confirmed to be operating within the statistical
allowances of the uncertainty terms assigned.
North Anna Units 1 and 2B 3.3.2-2Revision 0ESFAS Instrumentation B 3.3.2BASESBACKGROUND (continued)
Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field tr ansmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases,
the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowa nces are provided in the Allowable Values. The OPERABILITY of each tran smitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.
Signal Processing EquipmentGenerally, three or four channels of process contro l equipment are used for the signal processing of uni t parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments loca ted on the main control board, and comparison of measured i nput signals with setpoint s established by safety analyses. These setpoints are defined in UFSAR, Chapter6 (Ref.1), Chapter7 (Ref.2), and Chapter15 (Ref.3
). If the measured value of a unit parameter exceeds the predetermined set point, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit
parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while
others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.These requirements are described in IEEE-279-1971 (Ref.4). The actual number of channels required for each unit parameter is specified in Reference2.
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-3Revision 0BACKGROUND (continued)
Allowable Values and ESFAS Setpoints The trip setpoints used in the bistables are summarized in Reference6. The selection of these trip se tpoints is such that ade quate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instru mentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10CFR50.49 (Ref.5), the Allowable Values specified in Table3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Value and ESFAS
setpoints including their explicit uncertainties, is provided in the unit
specific setpoint methodology study (Ref.6) which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered
into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by the COT. The Allowable Value serves as the T echnical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in
measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS setpoint value ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties.
Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., calibra tion tolerance uncertainties). The ESFAS setpoint value is therefore considered a "nominal" value (i.e.,
expressed as a value without inequali ties) for the purposes of the COT and CHANNEL CALIBRATION.
Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equi pment functions as designed.
(continued)
North Anna Units 1 and 2B 3.3.2-4Revision 0ESFAS Instrumentation B 3.3.2BASESBACKGROUNDAllowable Valu es and ESFAS Setpoints (continued)
Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Table3.3.2-1. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field
instrument signal. The process equipment for the channel in test is then
tested, verified, and calibrated. SRs for the channels are specified in the SR section.Solid State Protection System The SSPS equipment is used for the d ecision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or place d in test, a reactor trip will result.
Each train is packaged in its ow n cabinet for physi cal and electrical separation to satisfy separatio n and independence requirements.
The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation;
and provides the status, permissive, and annunciator output signals to the
main control room of the unit.
The bistable outputs from the signa l processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various tr ansients. If a required logic matrix combination is completed, the syst em will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore th e unit to a safe condition.
Examples are given in the Applic able Safety Analyses, LCO, and Applicability secti ons of this Bases.
Each SSPS train has a built in testing de vice that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other (continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-5Revision 0BACKGROUNDSolid State Protection System (continued) train is capable of providing unit moni toring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.
The actuation of ESF components is accomplished th rough master and slave relays. The SSPS energizes the ma ster relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not
interfere with continued unit operation. For the latter case, actual
component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is ve rified by a continuity check of the circuit containing the slave relay.APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITYEach of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function ma y be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal fo r one or more other accidents. For example, Pressurizer Pressure-LowLow is a primary ac tuation signal for small loss of coolant accidents (LOC As) and a backup actuation signal for steam line breaks (SLBs) outside c ontainment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for
conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref.3).The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. A channel is OPERABLE with a trip setpoint value outside its calibration tolerance band provide d the trip setpoint "as-found" value does not exceed (continued)
North Anna Units 1 and 2B 3.3.2-6Revision 0ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY (continued)its associated Allowable Value and pr ovided the trip setpoint "as-left" value is adjusted to a value within the calibration tolerance band of the nominal trip setpoint. A tr ip setpoint may be set more conservative than the nominal trip setpoint as necessary in response to unit conditions. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped or bypassed during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are require d to ensure no single random failure disables the ESFAS.The required channels of ESFAS instru mentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:
1.Safety Injection Safety Injection (SI) prov ides two primary functions:1.Primary side water addition to en sure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to <2200F); and2.Boration to ensure recovery and maintenance of SDM.These functions are necessary to mi tigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initia te other Functions such as:
?PhaseA Isolation;
?Reactor Trip;
?Turbine Trip;
?Feedwater Isolation;
?Start of all auxiliary feedwater (AFW) pumps; ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-7Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY1.Safety Injection (continued)
?Control room ventilat ion isolation; and
?Enabling automatic switchover of Emergency Core Cooling
Systems (ECCS) suction to containment sump.
These other functions ensure:
?Isolation of nonessential systems through containment penetrations;
?Trip of the turbine and reactor to limit power generation;
?Isolation of main feedwater (MFW
) to limit secondary side mass losses;?Start of AFW to ensure sec ondary side cooling capability;
?Isolation of the control room to ensure habitability; and
?Enabling ECCS suction from the refueling water storage tank (RWST) switchover on lowlow RWST level to ensure continued
cooling via use of the containment sump.a.Safety Injection-Manual InitiationThe LCO requires one channel per train to be OPERABLE. The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all
components in the same manner as any of the automatic actuation signals.The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS
actuation circuitry to ensure the operator has manual ESFAS initiation capability.
Each channel consists of one switch and the interconnecting wiring to the actuation logic cabin et. Each switch actuates both trains. This configuration does not allow testing at power.
North Anna Units 1 and 2B 3.3.2-8Revision 0ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY1.Safety Injection (continued)b.Safety Injection-Automatic Actuation Logic and Actuation RelaysThis LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay cont acts responsible for actuating the ESF equipment.
Manual and automatic initiation of SI must be OPERABLE in MODES1, 2, and3. In these MODES, there is sufficient energy
in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE4 even though automatic actuation is not required.
Automatic actuation logic and actuation relays must be
OPERABLE in MODE 4 to support system manual initiation. In
this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the
large number of components ac tuated on a SI, actuation is simplified by the use of the manual actuation switches.
These Functions are not required to be OPERABLE in MODES5 and6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit pressure
and temperature are very lo w and many ESF components are administratively locked out or otherwise prevented from actuating
to prevent inadvertent overpre ssurization of unit systems.c.Safety Injection-Containment Pressure-High This signal provides protection ag ainst the following accidents:
?SLB inside containment;
?LOCA; and
?Feed line break inside containment.
(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-9Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY1.Safety Injection (continued)c.Safety Injection-Containment Pressure-High (continued)
Containment Pressure-High provi des no input to any control
functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements wi th a two-out-of-three logic. The transmitters (d/p cells) and el ectronics are located outside of
containment with the sensing lin e (high pressure side of the transmitter) located inside containment.Thus, the high pressure Function will not experience any adverse environmental conditions and the trip setpoint reflects only steady
state instrument uncertainties.
Containment Pressure-High must be OPERABLE in MODES1, 2, and3 when there is sufficie nt energy in the primary and secondary systems to pressurize th e containment following a pipe break. In MODES4, 5, and6, there is insufficient energy in the
primary or secondary systems to pressurize the containment.d.Safety Injection-Pressurizer Pressure-LowLow This signal provides protection ag ainst the following accidents:
?Inadvertent opening of a steam generator (SG) relief or safety valve;?SLB;?A spectrum of rod cluster control assembly ejection accidents (rod ejection);
?Inadvertent opening of a pressuri zer relief or safety valve;
?LOCAs; and
?SG Tube Rupture.
(continued)
North Anna Units 1 and 2B 3.3.2-10 Revision 0ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY1.Safety Injection (continued)d.Safety Injection-Pressurizer Pressure-LowLow (continued)
Three channels are required to sa tisfy the requirements with a two-out-of-three logic. North Anna design utilizes dedicated protection and control channe ls, and only three protection channels are necessary to satisfy the protective requirements.The transmitters are located inside containment, with the taps in the vapor space region of the pr essurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB
inside containment, rod ejection)
. Therefore, the trip setpoint reflects the inclusion of bot h steady state and adverse environmental instrument uncertainties.
This Function must be OPERABLE in MODES1, 2, and3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure-High signal.This Function is not required to be OPERABLE in MODE3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF system s in this MODE. In MODES4, 5, and6, this Function is not needed for accident
detection and mitigation.e.Steam Line Pressure-High Differential Pressure Between Steam LinesSteam Line Pressure-High Differential Pressure Between Steam Lines provides protection agai nst the following accidents:
?SLB;?Feed line break; and
?Inadvertent opening of an SG relief or an SG safety valve.
(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-11Revision 0APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY1.Safety Injection (continued)e.Steam Line Pressure-High Differential Pressure Between Steam Lines (continued)
Steam Line Pressure-High Differential Pressure Between Steam Lines provides no input to any control functions. Thus, three OPERABLE channels on each steam li ne are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.
With the transmitters located away from the steam lines, it is not possible for them to experience adverse environm ental conditions during an SLB event. The trip se tpoint reflects only steady state instrument uncertainties. Steam li ne high differential pressure must be OPERABLE in MODES1, 2, and3 when a secondary
side break or stuck open valv e could result in the rapid
depressurization of the steam line(s
). This Function is not required to be OPERABLE in MODE4, 5, or6 because there is not
sufficient energy in the secondary side of the unit to cause an
accident.f. g.Safety Injection-High St eam Flow in Two Steam Lines Coincident With T avg-LowLow or Coincident With Steam Line Pressure-LowThese Functions(1.f and1.g) provide protection against the
following accidents:
?SLB; and?the inadvertent opening of an SG relief or an SG safety valve.
Two steam line flow channels per steam line are required OPERABLE for these Functions. Th e steam line flow channels are combined in a one-out-of-tw o logic to indicate high steam flow in one steam line. The steam flow transmitters provide
control inputs, but the control function cannot cause the events that the Function must protect ag ainst. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow (continued)
North Anna Units 1 and 2B 3.3.2-12 Revision 0ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY1.Safety Injection (continued)f. g.Safety Injection-High St eam Flow in Two Steam Lines Coincident With T avg-LowLow or Coincident With Steam Line Pressure-Low (continued) channel is not sufficient to ca use initiation. High steam flow in two steam lines is acceptable in the case of a single steam line fault due to the fact that the rema ining intact steam lines will pick up the full turbine load. The increased steam flow in the remaining intact lines will actuate the re quired second high steam flow trip. Additional protection is provided by Function1.e, High Differential Pressure Between Steam Lines.
One channel of T avg per loop and one channe l of low steam line pressure per steam line are required OPERABLE. For each parameter, the channels for all loops or steam lines are combined in a logic such that two channels tripped will cause a trip for the parameter. The low steam line pressure channels are combined in
two-out-of-three logic. Thus, th e Function trips on one-out-of-two high flow in any two-out-of-th ree steam lines if there is one-out-of-one lowlow T avg trip in any two-out-of-three RCS loops, or if there is a one-out-o f-one low pressure trip in any two-out-of-three steam lines. Sinc e the accidents that this event protects against cause both low steam line pressure and lowlow Tavg, provision of one channel per loop or steam line ensures no single random failure ca n disable both of these Functions. The steam line pressure channels provide no control inputs. The T avg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate.The Allowable Value for high steam flow is a linear function that varies with power level. The function is a P corresponding to 42% of full steam flow between 0% and 20% load to 111% of full steam flow at 100% load. The nomin al trip setpoint is similarly calculated.
(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-13Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY1.Safety Injection (continued)f. g.Safety Injection-High St eam Flow in Two Steam Lines Coincident With T avg-LowLow or Coincident With Steam Line Pressure-Low (continued)With the transmitters located inside the containment (T avg) or near the steam lines (High Steam Flow),
it is possible for them to experience adverse st eady state environmen tal conditions during an SLB event. The trip setpoint reflects only steady state
instrument uncertainties.
This Function must be OPERABLE in MODES1, 2, and3 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the stea m line(s). This signal may be manually blocked by the operator when below the P-12 setpoint. Above P-12, this Function is automatically unblocked.
This Function is not required OPERABLE below P-12 because
the reactor is not critical, so steam line brea k is not a concern. SLB may be addressed by Containment Pressure High (inside
containment) or by High Stea m Flow in Two Steam Lines coincident with Steam Line Pressure-Low, for Steam Line
Isolation, followed by High Differ ential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE4, 5, or6 because there is insufficient
energy in the secondary side of the unit to cause an accident.2.Containment Spr ay Systems The Containment Spray System s (Quench Spray (QS) and Recirculation Spray (RS)) provi de four primary functions:1.Lowers containment pressure and temperature after an HELB in containment;2.Reduces the amount of radioactive iodine in the containment atmosphere;3.Adjusts the pH of the water in the containment sump after a large break LOCA; and4.Remove heat from containment.
North Anna Units 1 and 2B 3.3.2-14Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY2.Containment Spray Systems (continued)These functions are necessary to:
?Ensure the pressure boundary integrity of the containment structure;
?Limit the release of radioactive io dine to the environment in the event of a failure of the containment structure; and
?Minimize corrosion of the co mponents and systems inside containment following a LOCA.
The containment spray actuation signal starts the QS pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of cont ainment. Water is initially drawn
from the RWST by the QS pumps a nd mixed with a sodium hydroxide solution from the chemical addition tank. When the RWST level reaches the low setpoint coincident with Containment Pressure-High
High, the RS pumps receive a start si gnal. The outside RS pumps start immediately and the inside RS pum ps start after a 120-second delay. Water is drawn from the containment sump through heat exchangers and discharged to the RS nozzle headers. When the RWST reaches the lowlow level setpoint, the Low Head Safety Injection pump suctions are shifted to the containment su mp. Containment sp ray is actuated manually or by Containment Pressure-HighHigh signal. RS is
actuated manually or by RWST Level-Low coincident with
Containment Pressure-High High.a.Containment Spray-Manual Initiation The operator can initiate containm ent spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train. Because an inadvertent
actuation of containment spra y could have such serious consequences, two switches must be turned simultaneously to initiate containment spray. There are two sets of two switches each in the control room.
(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-15Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY2.Containment Spray Systems (continued)a.Containment Spray-Manual Initiation (continued)Simultaneously turning the two switches in either set will actuate
containment spray in both trains in the same manner as the
automatic actuation signal. Two Manual Initiation switches in each train are required to be OPERABLE to ensure no single failure disables the Manual Init iation Function. Note that Manual Initiation of containment spray also actuates PhaseB containment isolation.b.Containment Spray-Automatic Actuation Logic and Actuation RelaysAutomatic actuation logic and actua tion relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.
Manual and automatic initiation of containment spray must be OPERABLE in MODES1, 2, and3 when there is a potential for an accident to occur, and sufficie nt energy exists in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual in itiation is also required in MODE4, even though automatic actuati on is not required. In this MODE, adequate time is availa ble to manually actuate required components in the event of a DBA.
However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation switches.
Automatic actuation logic and actuation relays must be OPERABLE in MODE4 to support system manual initiation. In MODES5 and6, there is insufficient energy in the primary and
secondary systems to result in containment overpressure. In MODES5 and6, there is also adequate time for the operators to
evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by ma nually starting individual components.
North Anna Units 1 and 2B 3.3.2-16Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY2.Containment Spray Systems (continued)c.Containment Spray-Containment Pressure This signal provides protection agai nst a LOCA or an SLB inside containment. The transmitters (d
/p cells) are located outside of
containment with the sensing lin e (high pressure side of the transmitter) located inside cont ainment. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse enviro nmental conditions and the Allowable Value reflects onl y steady state instrument uncertainties.
This is one of few Functions that requires the bistable output to energize to perform its required acti on. It is not desirable to have a loss of power actuate containmen t spray, since the consequences of an inadvertent actua tion of containment sp ray could be serious.
Note that this Function also has the inoperable channel placed in
bypass rather than trip to d ecrease the probability of an inadvertent actuation.North Anna uses four channels in a two-out-of-four logic configuration and the Containmen t Pressure-High High Setpoint Actuates Containment Spray System
: s. Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted
because this Function is en ergize to trip. Containment Pressure-HighHigh must be OPERABLE in MODES1, 2, and3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES4, 5, and6, there is insuffic ient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure-HighHigh setpoints.d.RWST Level-Low Coincident wi th Containment Pressure-High HighThis signal starts the RS system to provide protection against a LOCA inside containment. Th e Containment Pressure-High High (ESFAS Function2.c) signal aligns the RS system for spray
flow delivery (e.g., opens isolatio n valves) but does not start the (continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-17Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY2.Containment Spray Systems (continued)d.RWST Level-Low Coincident w ith Containment Pressure-High High (continued)
RS pumps. The RWST Level-Low coincident with Containment Pressure-High High provides the automatic start signal for the
inside RS and outside RS pumps. Once the coincidence trip is
satisfied, the outside RS pumps st art immediately and the inside RS pumps start after a 120-se cond delay. The delay time is sufficient to avoid simultaneous starting of the RS pumps on the
same emergency diesel generato
: r. This ESFAS function ensures
that adequate water inventory is present in the containment sump to meet the RS sump strainer functional requirements following a LOCA. The RS system is not required for SLB mitigation.Automatic initiation of RS mu st be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and
sufficient energy exists in the primary and secondary systems to pose a threat to containment integrity due to overpressure conditions. The requirement for automatic initiat ion of RWST Level-Low to be operable in MODES 1, 2, and 3 is consistent with the operability requi rements for Containment Pressure-High High. Manual initia tion of the RS system is required in MODE 4, even though automatic initiation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. In MODES 5
and 6, there is insufficient energy in the primary and secondary
systems to result in containmen t overpressure. In MODES 5 and 6, there is also adequate time fo r the operators to evaluate unit conditions and respond to mitigate the consequences of abnormal
conditions by manually starting individual components. An operator can initiate RS at any time from the control room by using the pump control switch. The manual function would be
used only when adequate water inventory is present in the
containment sump to meet the RS sump strainer functional
requirements.
North Anna Units 1 and 2B 3.3.2-18Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY (continued)3.Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all proc ess systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the
release of radioactivity to the environment in the event of a large
break LOCA.
There are two separate Containment Isolation signals, PhaseA and PhaseB. PhaseA isolation isolates all automatically isolable process lines, except component cooling wate r (CC) and instrument air (IA),
at a relatively low containment pr essure indicative of primary or secondary system leaks. A list of the process lines is provided in the Technical Requirements Manual (Ref.9
). For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs)
and SGs is the preferred (but not required) method of decay heat
removal. Since CC is required to support RCP operation, not isolating CC on the low pressure PhaseA signal enhances unit safety by allowing operators to us e forced RCS circulation to cool the unit.
Isolating CC on the low pressure si gnal may force the use of feed and bleed cooling, which could prove more difficult to control.PhaseA containment isolation is actuated automatically by SI, or manually via the automatic actuation logic. All process lines penetrating containment, with the exception of CC and IA, are isolated. CC is not isolated at this time to permit continued operation of the RCPs with cooling water fl ow to the thermal barrier heat exchangers and air or oil coolers.
All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE4.Manual PhaseA Containmen t Isolation is accomp lished by either of two switches in the control room. Ei ther switch actuates both trains.The PhaseB signal isolates CC and IA. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no
longer desirable. Isolating the CC at the higher pressu re does not pose a challenge to the containment boundary because the CC (continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-19Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY3.Containment Isolation (continued)
System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the PhaseB setpoint. Thus, routine operation
demonstrates the integrity of the system pressure boundary for pressures exceeding the PhaseB setpoint. Furthermore, because system pressure exceeds the PhaseB setpoint, any system leakage prior to initiation of PhaseB isolation would be into containment.
Therefore, the combination of CC and IA Systems design and PhaseB isolation ensures the CC System is not a potential path for radioactive
release from containment.PhaseB containment isolation is actuated by Containment Pressure-HighHigh, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure-HighHigh, a large break LOCA or SLB must have occurred. RCP operation will no longer be required and CC to the RCPs is, therefore, no longer
necessary. The RCPs can be operated with seal injection flow alone and without CC flow to the th ermal barrier heat exchanger.Manual PhaseB Containment Isolati on is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, PhaseB Containment Isolation and Containment Spray will be actuated in both trains.a.Containment Isolation-PhaseA Isolation(1)Phase A Isolation-Manual InitiationManual PhaseA Containment Isol ation is actuated by either of two switches in the contro l room. Either switch actuates both trains.(2)Phase A Isolation-Automatic Actuation Logic and Actuation RelaysAutomatic Actuation Logic and Actuation Relays consist of the same features and opera te in the same manner as described for ESFAS Function1.b.
North Anna Units 1 and 2B 3.3.2-20Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY3.Containment Isolation (continued)a.Containment Isolation-PhaseA Isolation (continued)Manual and automatic initiation of PhaseA Containment Isolation must be OPERABLE in MODES1, 2, and3, when there is a potential for an accident to occur. Manual initiation is also required in MODE4 even though automatic actuation is not required. In this MODE, adequate time is available to manually
actuate required components in th e event of a DBA, but because of the large number of components actuated on a PhaseA Containment Isolation, actuation is simplified by the use of the
manual actuation switches. Automatic actuation logic and
actuation relays must be OPERABLE in MODE4 to support system manual initiation. In MODES5 and6, there is insufficient energy in the primary or seconda ry systems to pressurize the containment to require PhaseA C ontainment Isolation. There also
is adequate time for the operato r to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.(3)Phase A Isolation-Safety InjectionPhaseA Containment Isolation is also initiated by all Functions that initiate SI. The PhaseA Containment Isolation requirements for these Functions are the same as the
requirements for their SI function. Therefore, the
requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenced fo r all initiating Functions and requirements.b.Containment Isolation-PhaseB IsolationPhaseB Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and
by Containment Pressure channels (the same channels that actuate Containment Spray Systems, Function2). The Containment Pressure trip of PhaseB Containmen t Isolation is energized to trip in order to minimize the potential of spurious trips that may damage the RCPs.(1)Phase B Isolation-Manual Initiation ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-21Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY3.Containment Isolation (continued)b.Containment Isolation-PhaseB Isolation (continued)(2)Phase B Isolation-Automatic Actuation Logic and Actuation RelaysManual and automatic initiation of PhaseB containment isolation must be OPERABLE in MODES1, 2, and3, when there is a potential for an acci dent to occur. Manual initiation is also required in MODE4 ev en though automatic actuation
is not required. In this MODE, ad equate time is available to
manually actuate required components in the event of a
DBA. However, because of th e large number of components actuated on a PhaseB contai nment isolation, actuation is simplified by the use of the Containment Spray manual actuation switches.
Automatic actuation logic and actuation relays must be OPERABLE in MODE4 to support system manual initiation. In MODES5 and6, ther e is insufficient energy in the primary or secondary systems to pressurize the containment to require PhaseB containment isolation. There also is adequate time for the operator to evaluate unit
conditions and manually actuate individual isolation valves
in response to abnormal or accident conditions.(3)Phase B Isolation-Containment Pressure The basis for containment pressure MODE applicability is as discussed for ESFAS Function2.c above.4.Steam Line Isolation Isolation of the main steam lines provides protection in the event of an
SLB inside or outside containment.
Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at
most. For an SLB upstream of the main steam trip valves (MSTVs),
inside or outside of containment, closure of the MSTVs limits the accident to the blowdown from onl y the affected SG. For an SLB downstream of the MSTVs, closure of the MSTVs terminates the accident.
North Anna Units 1 and 2B 3.3.2-22Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY4.Steam Line Isolation (continued)a.Steam Line Isolation-Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two switches for each MSTV in the control room and either switch can initiate action to immediately close that MSTV. Following a SG tube rupture, the operator will isolate the main steam side (close the MSTV) of the ruptured SG. The LCO requires two channels to be OPERABLE
for each MSTV.b.Steam Line Isolation-Automatic Actuation Logic and Actuation RelaysAutomatic actuation logic and actua tion relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.Manual and automatic initiation of steam line isolation must be OPERABLE in MODES1, 2, and3 when there is sufficient energy in
the RCS and SGs to have an SLB or other accident. This could result in the release of significant quantit ies of energy and cause a cooldown of the primary system. The Steam Li ne Isolation Function is required in MODES2 and3 unless all MSTVs are closed and de-activated. In MODES4, 5, and6, there is insufficient energy in the RCS and SGs
to experience an SLB or other accid ent releasing significant quantities of energy.c.Steam Line Isolation-Contai nment Pressure-Intermediate HighHighThis Function actuates closure of the MSTVs in the event of a LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment. Containment Pressure-Intermediate HighHi gh provides no input to any control functions. Thus, two OPER ABLE channels are sufficient to satisfy protective requirement s with one-out-of-two logic.
However, for enhanced reliability, this Function was (continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-23Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY4.Steam Line Isolation (continued)c.Steam Line Isolation-Contai nment Pressure-Intermediate HighHigh (continued) designed with three channels a nd a two-out-of-three logic. The transmitters and electronics are located outside of containment.
Thus, they will not experien ce any adverse environmental conditions, and the trip setpoi nt reflects only steady state instrument uncertainties.
Containment Pressure-Intermediate HighHigh must be OPERABLE in MODES1, 2, and3, when there is sufficient energy in the primary and seconda ry side to pressurize the containment follow ing a pipe break.
This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSTVs. The Steam Line Isolation Function remains OPERABLE in MODES2 and3 unless all MSTVs are closed and de-activated. In MODES4, 5, and6, there is not enough energy in the primary and secondary sides to pressurize th e containment to the Containment Pressure-Intermediate HighHigh setpoint.d. e.Steam Line Isolation-High St eam Flow in Two Steam Lines Coincident with T avg-LowLow or Coincident With Steam Line Pressure-Low These Functions (4.d and 4.e) provide closure of the MSTVs
during an SLB or inadvertent opening of an SG relief or a safety valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.
These Functions were discussed previously as Functions1.f. and1.g.These Functions must be OPERABLE in MODES1 and2, and in MODE3, when a secondary side break or stuck open valve could result in the rapid depressurizat ion of the steam lines unless all MSTVs are closed and de-activ ated. These Functions are not required to be OPERABLE in MODES4, 5, and6 because there is insufficient energy in the second ary side of the unit to have an accident.
North Anna Units 1 and 2B 3.3.2-24Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY (continued)5.Turbine Trip and Feedwater Isolation The primary functions of the Turb ine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam
lines, and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of a hi gh water level in the SGs, which could result in carryover of water into the steam lines
and excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows.
The Function is actuated when th e level in any SG exceeds the highhigh setpoint, and perfor ms the following functions:
?Trips the main turbine;
?Trips the MFW pumps;
?Initiates feedwater isolation by closing the Main Feedwater Isolation Valves (MFIVs); and
?Shuts the MFW regulat ing valves and their associated bypass valves.This Function is actuated by SG Water Level-HighHigh, or by an SI signal. In the event of SI, the MF W System is automatically secured and isolated and the AFW System is automatically started. The SI signal was discussed previously.a.Turbine Trip and Feedwater Isolation-Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Ac tuation Relays consist of the same features and operate in th e same manner as described for ESFAS Function1.b.b.Turbine Trip and Feedwater Isolation-Steam Generator Water Level-HighHigh (P-14)
This signal provides protection ag ainst excessive feedwater flow.
The ESFAS SG water level instru ments provide input to the SG Water Level Control System. The SG Water Level-HighHigh
trip is provided from the narrow range instrumentation span from each SG.(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-25Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY5.Turbine Trip and Feedwater Isolation (continued)b.Turbine Trip and Feedwater Is olation-Steam Generator Water Level-HighHigh (P-14)
(continued)
North Anna has only three channels that are shared between
protection and control functions a nd justification is provided in NUREG-1218 (Ref.7).The transmitters (d/p cells) ar e located inside containment. However, the events that this Function protects against cannot cause a severe environment in containment. Therefore, the trip setpoint reflects only steady st ate instrument uncertainties.c.Turbine Trip and Feedwate r Isolation-Safety Injection Turbine Trip and Feedwater Isol ation is also initiated by all Functions that initiate SI. Th e Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.
Turbine Trip and Feedwater Isolat ion Functions must be OPERABLE in MODES1, 2, and3 when the MFW System is in operation and the
turbine generator may be in operation. These functions are not required to be OPERABLE in MODES2 and3 when all MFW pump discharge valves or all MFIVs, MFRVs, and associated bypass valves
are closed and de-activated or isolated by a closed manual valve. In MODES4, 5, and6, the MFW System and the turbine generator are
not in service and this Function is not re quired to be OPERABLE.6.Auxiliary Feedwater The AFW System is designed to pr ovide a secondary side heat sink for the reactor in the event that the MFW System is not available. The system has two motor driven pumps and a turbine driven pump,
making it available during normal uni t operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break.
The normal source of water for the AFW System is the (continued)
North Anna Units 1 and 2B 3.3.2-26Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY6.Auxiliary Feedwater (continued)Emergency condensate storage tank (ECST). The AFW System is
aligned so that upon a pump start, flow is initiated to the respective SG immediately.a.Auxiliary Feedwater-Automatic Actuation Logic and Actuation RelaysAutomatic actuation logic and actua tion relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.b.Auxiliary Feedwater-Steam Ge nerator Water Level-Low LowSG Water Level-LowLow provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water
Level-Low Low provides input to the SG Level Control System. Three protection channels are nece ssary to satisfy the protective requirements. These channels ar e shared between protection and control functions and justification is provided in Reference7.With the transmitters (d/p cells) located inside containment and thus possibly experiencing adve rse environmental conditions (feed line break), the trip setpoi nt reflects the inclusion of both steady state and adverse environmental instrument uncertainties.c.Auxiliary Feedwater-Safety InjectionAn SI signal starts the motor driven and turbine driven AFW
pumps. The AFW initiation func tions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenced for all initiati ng functions and requirements.d.Auxiliary Feedwater-Loss of Offsite Power A loss of offsite power to the tr ansfer buses may be accompanied by a loss of reactor coolant pum ping power and the subsequent need for some method of decay heat removal. The loss of offsite
power is(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-27Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY6.Auxiliary Feedwater (continued)d.Auxiliary Feedwater-Loss of Offsite Power (continued) detected by a voltage drop on each transfer bus. Loss of power to the transfer bus will start all AF W pumps to ensure that at least one SG contains enough water to se rve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip.Functions6.a through6.d must be OPERABLE in MODES1, 2, and3 to ensure that the SGs remain the heat sink for the reactor. SG Water Level-LowLow in any SG will cause all AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to th e SGs. These Functions do not have to be OPERABLE in MODES5 and6 because there is not enough
heat being generated in th e reactor to require the SGs as a heat sink. In MODE4, AFW actuation does not need to be OPERABLE because
either RCS Loop(s) or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.e.Auxiliary Feedwater-Trip of All Main Feedwater Pumps A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some me thod of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Motor driven MFW pumps are equipped with a breaker position sensing device. An open s upply breaker indicates that the pump is not running. Two OPERABLE channels pe r pump satisfy redundancy requirements with one-out-of-two logic on each MFW pump. A trip of all MFW pumps starts the motor driven and
turbine driven AFW pumps to ensure that at least one SG is available with water to act as the heat sink for the reactor.Function6.e must be OPERABLE in MODES1 and2. This ensures that at least one SG is provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES3, 4, and5, the RCPs and MFW pumps may be
normally shut down, and thus neithe r pump trip is indicative of a condition requiring automatic AFW initiation.
North Anna Units 1 and 2B 3.3.2-28Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY (continued)7.Automatic Switchover to Containment SumpAt the end of the injection phase of a LOCA, the RWST will be nearly
empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment sum
: p. The low head safety injection
(LHSI) pumps and inside and outside recirculation spray pumps draw the water from the containment sump, the LHSI pumps pump the water back into the RCS. The Inside and Outside Recirculation Spray
pumps circulate water through the heat exchangers to the spray rings and supplies water to the contai nment sump. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the LHSI pumps and a loss of core cooling capability. For similar reasons, sw itchover must not occur before there is sufficient water in the containment sump to support ESF
pump suction. Furthermore, early swit chover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode.a.Automatic Switchover to Containment Sump-Automatic Actuation Logic and Actuation RelaysAutomatic actuation logic and actua tion relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.b.Automatic Switchover to Cont ainment Sump-Refueling Water Storage Tank (RWST) Level-LowLow Coincident With Safety Injection During the injection phase of a LO CA, the RWST is the source of water for all ECCS pumps. A lowlow level in the RWST
coincident with an SI signal pr ovides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions.
Therefore, a two-out-of-four logi c is adequate to initiate the protection function actuation. Al though only three channels would be sufficient, a fourth channe l has been added for increased reliability.
(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-29Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY7.Automatic Switchover to Containment Sump (continued)b.Automatic Switchover to Containment Sump-Refueling Water Storage Tank (RWST) Level-LowLow Coincident With Safety Injection (continued)The RWST-LowLow Allowable Value has both upper and
lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage.
The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit
also ensures adequate water invent ory in the containment sump to provide ECCS pump suction.The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditi ons and the Allowable Value reflects only steady state in strument uncertainties.
Automatic switchover occurs only if the RWST lowlow level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempti ng to take suction from an empty sump. The automatic switchover Function requirements for the SI
Functions are the same as the re quirements for th eir SI function.
Therefore, the requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenc ed for all initiating Functions and requirements.These Functions must be OPERABLE in MODES1, 2, 3, and4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES5 and6 because
there is adequate time for the ope rator to evaluate unit conditions and respond by manually starting systems, pumps, and other
equipment to mitigate the conseque nces of an a bnormal condition or accident. System pressure a nd temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent
overpressurization of unit systems.
North Anna Units 1 and 2B 3.3.2-30Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY (continued)8.Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are
included as part of the ESFAS. Thes e interlocks permit the operator to
block some signals, automatically enable other signals, prevent some actions from occurri ng, and cause other actions to occur. The interlock Functions b ack up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open. Once the P-4 interlock is enabled, automatic SI reinitiation is blocked after a 60second time delay. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete. Once
SI is blocked, automatic actuati on of SI cannot occur until the RTBs have been manually closed, resetting the P-4 interlock. The functions of the P-4 interlock are:
(continued)FunctionPurposeRequired MODESIsolate MFW regulating valves with
coincident low T avgFeedwater isolation1, 2Trip the main turbinePrevents excessive cooldown, thereby
Condition II event
does not propagate to
Condition III event 1, 2 ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-31Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 (continued)
(continued)FunctionPurposeRequired MODESPrevent automatic
reactuation of SI after
a manual reset of SI Allows alignment of
ECCS for
recirculation mode,
prevents subsequent
inadvertent alignment
to injection mode by
auto SI1, 2, 3 North Anna Units 1 and 2B 3.3.2-32Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 (continued)
(continued)FunctionPurposeRequired MODES Reset high steam flow
setpoint to no-load
value1.SI-High Steam flow in Two Steam Lines
Coincident With
Steam Line
Pressure-Low2.SI-High Steam Flow in Two
Steam Lines
Coincident With
Tavg-LowLow3.Steam Line Isolation-
High Steam Flow in Two Steam Lines Coincident
With Steam Line
Pressure-Low4.Steam Line Isolation-
High Steam Flow
in Two Steam
Lines Coincident
With Tavg-LowLowEnsures setpoint is reset to low/zero
power reference value
following plant trip,
regardless of turbine first stage pressure indication 1, 2, 3 (function not
required if MSTVs are closed and
deactivated)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-33Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 (continued)
Each of the above Func tions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of th e RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent
increase in core power. Addition of feedwater to a steam generator associated with a steamline or feedline break could result in excessive containment building pressure. To avoid such a
situation, the noted Functions have been interlocked with P-4 as part of the design of the uni t control and protection system.
The turbine trip Function is exp licitly assumed in the non-LOCA analysis since it is an immediate consequence of the reactor trip Function. Block of the auto SI signals is required to support long-term ECCS operation in the post-LOCA recirculation mode.
The RTB position switches that pr ovide input to the P-4 interlock only function to energize or de-ene rgize or open or close contacts.
Therefore, this Function has no adjustable trip setpoint with which
to associate an Allowable Value.This Function must be OPERABLE in MODES1, 2, and3, as noted above, when the reactor ma y be critical or approaching criticality or support of the (continued)FunctionPurposeRequired MODES Prevent opening of
the MFW regulating
valves if they were
closed on SI or SG
Water Level
-HighHighSeal-in feedwater
isolation to prevent
inadvertent feeding of
depressurized SG 1, 2, 3 North Anna Units 1 and 2B 3.3.2-34Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 (continued) auto SI block function is require
: d. This Function does not have to be OPERABLE in MODES4, 5, or6 because the main turbine
and the MFW System are not required to be in operation.b.Engineered Safety F eature Actuation System Interlocks-Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI. With two-out-of-three
pressurizer pressure channels (dis cussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure-LowLow SI signal.
Additionally, the P-11 signal blocks the automatic opening of the pressurizer power operated relief valves (PORVs).
With two-out-of-three pressurize r pressure channels above the P-11 setpoint, the Pressurizer Pressure-Low Low SI signal is automatically enabled. The operator can also enable this function by use of the respective manual reset switches. The automatic opening capability for the pressurizer PORVs is reinstated above the P-11 setpoint. The ECCS accumu lator isolation valves will receive an automatic open signal when pressurizer pressure exceeds the P-11 setpoint. The Allowable Value reflects only steady state instrument uncertainties.
This Function must be OPERABLE in MODES1, 2, and3 to
allow an orderly cooldown and depressurization of the unit without the actuation of SI. This Function does not have to be OPERABLE in MODE4, 5, or6 because system pressure must
already be below the P-11 setpoint for the requirements of the
heatup and cooldown curves to be met.c.Engineered Safety F eature Actuation System Interlocks-T avg-LowLow, P-12 On increasing reactor coolant temperature, the P-12 interlock reinstates SI on High Steam Flow Coincident (continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-35Revision31APPLICABLE SAFETY
: ANALYSES,
LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)c.Engineered Safety Feature Actuation System Interlocks-T avg-LowLow, P-12 (continued)
With Steam Line Pressure-L ow or Coincident With Tavg-LowLow. On decreasing reactor coolant temperature, the P-12 interlock allows the operato r to manually block SI on High Steam Flow Coincident With Steam Line Pressure-Low or Coincident with T avg-LowLow. On a decreasing temperature, the P-12 interlock also provides a blocking signal to the Steam
Dump System to prevent an excessive cooldown of the RCS due
to a malfunctioning Steam Dump System.
Since Tavg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop. Th ese channels are used in two-out-of-three logic.This Function must be OPERABLE in MODES1, 2, and3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This Function does not have to be OPERABLE in MODE4, 5, or6 because there is insufficient
energy in the secondary side of the unit to have an accident.The ESFAS instrumentation satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).ACTIONSA Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditi ons of this Specification may be entered independently for each Function listed on Table3.3.2-1.
In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrume nt Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel mu st be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis),
then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.
(continued)
North Anna Units 1 and 2B 3.3.2-36Revision31ESFAS Instrumentation B 3.3.2BASESACTIONS(continued)
When the number of inoperable channels in a trip function exceed those specified in one or other related Condi tions associated w ith a trip function,
then the unit is outside the safety analysis. Therefore, LCO3.0.3 should be immediately entered if applicable in the current MODE of operation.
A.1ConditionA applies to all ESFAS protection functions.ConditionA addresses the situation where one or more channels or trains
for one or more Functions are inopera ble at the same time. The Required Action is to refer to Table3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1, and B.2.2ConditionB applies to manual initiation of:
?SI;?Containment Spray; and
?PhaseA Isolation.
This action addresses the train orient ation of the SSPS for the functions listed above. If a channel or train is inoperable, 48hours is allowed to return it to an OPERABLE status.
Note that for containment spray isolation, failure of one or both channels in one train renders the train inoperable. The manual initiation for PhaseB Containment isolation is provided by the containment spray manual switches. ConditionB,
therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and
another manual initiation train OPERABLE for each Function, and the low probability of an event oc curring during this interval
. If the train cannot be restored to OPERABLE status, the uni t must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE3 within an additional 6hours (54hours total time) and in MODE5 within an additional 30hours (84hours total time). The allowable Completion Times are reasonable, based on operating
experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-37Revision31ACTIONS(continued)
C.1, C.2.1, and C.2.2ConditionC applies to the automatic actuation logic and actuation relays for the following functions:
?SI;?Containment Spray;
?PhaseA Isolation;
?PhaseB Isolation; and
?Automatic Switchover to Containment Sump.This action addresses the train orientat ion of the SSPS and the master and slave relays. If one train is inoperable, 24hours are allowed to restore the train to OPERABLE status. The specified Completion Time is reasonable
considering that there is another tr ain OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restored to
OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE3 within an additional 6hours (30hours total time) and in MODE5 within an additional 30hours (60hours total time). The Completion Times are reasonable, based on operating experience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems.The Required Actions are modified by a Note that allows one train to be bypassed for up to 4hours for surveillan ce testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of Reference8 that 4hours is the average time required to
perform channel surveillance.
D.1, D.2.1, and D.2.2ConditionD applies to:
?Containment Pressure-High;
?Pressurizer Pressure-LowLow;
?Steam Line Differential Pressure-High; North Anna Units 1 and 2B 3.3.2-38Revision31ESFAS Instrumentation B 3.3.2BASESACTIONSD.1, D.2.1, and D.2.2 (continued)
?High Steam Flow in Two Steam Lines Coincident With T avg-Low Low or Coincident With Steam Line Pressure-Low;
?Containment Pressure-Intermediate HighHigh;
?SG Water Level-LowLow;
?SG Water Level-HighHigh (P-14); and
?RWST Level-Low Coincident With Containment Pressure HighHigh.
If one channel is inoperable, 72hours are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements.
Failure to restore the inoperable channe l to OPERABLE status or place it in the tripped condition within 72hours requires the unit be placed in MODE3 within the following 6hours and MODE4 within the next 6hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE4, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12hour s for surveillance testing of other channels. The 72hours allowed to re store the channel to OPERABLE status or to place the inoperable ch annel in the tripped condition, and the 12hours allowed for testing, are justified in Reference8.
E.1, E.2.1, and E.2.2ConditionE applies to:
?Containment Spray Containment Pressure-HighHigh; and ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-39Revision31ACTIONSE.1, E.2.1, and E.2.2 (continued)
?Containment PhaseB Isolation Containment Pressure-High High.
None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel
may be bypassed rather than tripped. Note that one channel may be
bypassed and still sati sfy the single failure criter ion. Furthermore, with one channel bypassed, a single instrument ation channel failure will not spuriously initiate containment spray.To avoid the inadvertent actuation of containment spray and PhaseB containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72hours, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperabl e channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval
. Failure to rest ore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72hours, requires the unit be placed in MODE3 within the following 6hours and MODE4 within the next 6hours. The allowed Completion Times are reasonable, based on operati ng experience, to reach the required unit conditions from full power conditions in an orderly manner and
without challenging unit systems. In MODE4, these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours for surveillance testing. Placing a second channel in the bypass condition for up to 12hours for testing purposes is acceptable based on the results of Reference8.
North Anna Units 1 and 2B 3.3.2-40Revision31ESFAS Instrumentation B 3.3.2BASESACTIONS(continued)
F.1, F.2.1, and F.2.2ConditionF applies to:
?Manual Initiation of Steam Line Isolation;
?Loss of Offsite Power; and
?P-4 Interlock.For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. For the Loss of Offsite Power
Function, this action recognizes the la ck of manual trip provision for a failed channel. If a train or channe l is inoperable, 48 hours is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be retu rned to OPERABLE status, the unit must be placed in MODE3 within the next 6hours and MODE4 within the following 6hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE4, the unit does not have any analy zed transients or conditions that require the explicit use of the protection functions noted above.
G.1, G.2.1, and G.2.2ConditionG applies to the automatic actuation logic and actuation relays for the Steam Line Isolation, Turbine Trip and Feedwater Isolation, and AFW actuation Functions.The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24hours are allowed to restore the train to OP ERABLE status. The Completion Time for restoring a train to OPERABLE stat us is reasonable considering that there is another train OPERABLE, a nd the low probability of an event
occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE3 within the next 6hours and MODE4 within the following 6hours. The allowed Completion Times are reasonable, base d on operating experience, to reach the required unit conditions from full power conditions in an (continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-41Revision31ACTIONSG.1, G.2.1, and G.2.2 (continued)orderly manner and without challenging unit systems. Placing the unit in MODE4 removes all requirements fo r OPERABILITY of the protection
channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions th at require the explicit use of the protection functions noted above.The Required Actions are modified by a Note that allows one train to be bypassed for up to 4hours for surveillance testing provided the other train
is OPERABLE. This allowance is based on the reliability analysis (Ref.8) assumption that 4hours is the averag e time required to perform channel surveillance.
H.1 and H.2ConditionH applies to the AFW pump start on trip of all MFW pumps.This action addresses the train orientation of the SSPS for the auto start function of the AFW System on loss of all MFW pumps. The
OPERABILITY of the AFW System must be assured by allowing
automatic start of the AFW System pumps. If a channel is inoperable, 48hours are allowed to return it to an OPERABLE status. If the function cannot be returned to an OPERABLE status, 6hours are allowed to place the unit in MODE3. The allowed Completion Time of 6hours is
reasonable, based on operating experience, to reach MODE3 from full power conditions in an orderly ma nner and without challenging unit systems. In MODE3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above. The allowance of 48hours to return the train to an OPERABLE status is justified in Reference8.
I.1, I.2.1, and I.2.2ConditionI applies to:
?RWST Level-LowLow Coincide nt with Safety Injection.RWST Level-LowLow Coincident With SI provides actuation of switchover to the containm ent sump. Note that this Function requires the bistables to energize to perform thei r required action. The failure of up to two channels will not prevent (continued)
North Anna Units 1 and 2B 3.3.2-42Revision31ESFAS Instrumentation B 3.3.2BASESACTIONSI.1, I.2.1, and I.2.2 (continued) the operation of this Function. However, placing a failed channel in the tripped condition could result in a pr emature switchover to the sump, prior to the injection of the minimum volume from the RWST. Placing the inoperable channel in bypass result s in a two-out-of-three logic configuration, which satisfies the requirement to allow another failure without disabling actuation of the switchover when required.
Restoring the channel to OPERABLE status or placing the inoperable channel in the bypass condition within 72hours is sufficient to ensure that the Function remains OPERABLE, and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The 72hour Completion Time is justified in a plant-specific risk assessment, consistent with Reference8. If the channel cannot be returned to OPERABLE st atus or placed in the bypass condition within 72hours, the unit must be brought to MODE3 within the following 6hours and MODE5 within the next 30hours. The allowed Completion Times are reasonable, ba sed on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and
without challenging unit systems. In MODE5, the unit does not have any analyzed transients or conditions th at require the explicit use of the
protection functions noted above.
The Required Actions are modified by a Note that allows placing a second channel in the bypass condition for up to 12hours for surveillance testing. The total of 78hours to reach MODE3 and 12hours for a second channel to be bypassed is acceptable based on the results of a pl ant-specific risk assessment, consistent with Reference8.
J.1, J.2.1, and J.2.2ConditionJ applies to the P-11 and P-12 interlocks.
With one or more channels inoperable, the operator must verify that the interlock is in the required stat e for the existing unit condition. The verification that the interlocks are in their proper state may be performed via the Control Room permissive st atus lights. This action manually accomplishes the function of the inte rlock. Determination must be made within 1hour. The 1hour Completion Time is equal to the time allowed by LCO3.0.3 to initiate shutdown (continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-43Revision 46ACTIONSJ.1, J.2.1, and J.2.2 (continued)actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE3 within the next 6hours and MODE4 within the following 6hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE4 removes all
requirements for OPERABILITY of these interlocks.SURVEILLANCE
REQUIREMENT
SThe SRs for each ESFAS Function are identified by the SRs column of Table3.3.2-1.
A Note has been added to the SR Table to clarify that Table3.3.2-1 determines which SRs apply to which ESFAS Functions.
Note that each channel of process pr otection supplies both trains of the ESFAS. When testing channelI, trainA and trainB must be examined. Similarly, trainA and trainB must be examined when testing channelII, channelIII, and channelIV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent
with the assumptions used in analyti cally calculating the required channel accuracies.SR3.3.2.1 Performance of the CHANNEL CHECK en sures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indica ted on one channel to a similar parameter on other channels. It is ba sed on the assumption that instrument channels monitoring the same parame ter should read approximately the
same value. Significant deviations between the two instrument channels could be an indication of excessive inst rument drift in one of the channels or of something even more seri ous. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
(continued)
North Anna Units 1 and 2B 3.3.2-44 Revision 46ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENT
SSR3.3.2.1 (continued)
Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability.
If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.2.2SR3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, ar e tested for each protection function. This verifies th at the logic modules are OPERABLE.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.2.3SR3.3.2.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil.
Upon master relay contact operation, a lo w voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. The Survei llance Frequency is based on operating experience, equipment reliability, and plant risk and
is controlled under the Surveill ance Frequency Control Program.SR3.3.2.4SR3.3.2.4 is the performance of a COT.
(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-45Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.2.4 (continued)
A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Se tpoints must be found within the Allowable Values specified in Table3.3.2-1. A successful test of the
required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions.The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shal l be left set consistent with the assumptions of the current unit specific setpoint methodology.The COT for the Containment Pressure Channel includes exercising the transmitter by applying either a vacuum or pressure to the appr opriate side of the transmitter.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.2.5SR 3.3.2.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is
verified in one of two ways. Actuati on equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact op eration can be ve rified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For th is latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. The Surveillance
Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR is modified by a Note that allows an exception for testing of relays which could induce a unit transient, an inadvertent reactor trip or ESF actuation, or cause the inoperabilit y of two or more ESF components.
North Anna Units 1 and 2B 3.3.2-46 Revision 46ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.3.2.6SR3.3.2.6 is the performance of a TADOT.
This test is a check of the Loss of Offsite Power Function. The Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verifica tion of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions.The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elabor ate bench calibration and are verified during CHANNEL CALIBRATION. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.SR3.3.2.7SR3.3.2.7 is the performance of a TADOT.
This test is a check of the Manual Actuation Functions, AFW pump start on trip of all MFW pumps
and the P-4 interlock Function, includi ng turbine trip, automatic SI block, and seal-in of feedwa ter isolation by SI.
Each Manual Actuation Function is te sted up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the ot her required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). Th e turbine trip (P-4) is independently verified for both trains. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. However, the P-4 input signals to SSPS actuation logic are normally tested in conjunction with RTB testing under SR3.3.1.4 on a 31-day staggered test basis.
(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-47Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.2.7 (continued)
The SR is modified by a Note that ex cludes verification of setpoints during the TADOT for manual initiation or interlock Functions. The manual
initiation Functions have no associated setpoints.SR3.3.2.8SR3.3.2.8 is the performance of a CHANNEL CALIBRATION.CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifi es that the channel responds to measured parameter within the necessary range and accuracy.CHANNEL CALIBRATIONS must be pe rformed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values a nd the previous test "as left" values must be consistent with the drif t allowance used in the setpoint methodology. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note stat ing that this test should include verification that the time constants are adjusted to the prescribed values where applicable.
SR3.3.2.9 This SR ensures the individual ch annel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis. Response Time testing acceptance criteria are included in the Technical Requirements Manual (Ref.9).
Individual component res ponse times are not modele d in the analyses. The analyses model the overall or total el apsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure
, valves in full open or closed position).
(continued)
North Anna Units 1 and 2B 3.3.2-48Revision31ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENT
SSR3.3.2.9 (continued)
For channels that include dynamic tr ansfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resultin g measured response time compared to the appropriate UFSAR response time. Alternately, the response time test
can be performed with the time constants set to their nominal value provided the required response time is analytically calcul ated assuming the time constants are set at their nomin al values. The response time may be measured by a series of overlapping test s such that the en tire response time is measured.
Response time may be veri fied by actual response time tests in any series of sequential, overlapping or tota l channel measurements, or by the summation of allocated sensor, si gnal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor re sponse times may be obtained from: (1)historical records based on accepta ble response time tests (hydraulic, noise, or power interrupt tests), (2)i n place, onsite, or offsite (e.g., vendor) test measurements, or (3)utilizing vendor engineering specifications. WCAP-13632-P-A Revision2, "Eliminati on of Pressure Sensor Response Time Testing Requirements" (Ref.10) provides the basis and methodology
for using allocated sensor response time s in the overall verification of the channel response time for specific sensors identified in the WCAP.
Response time verification for other sensor types mu st be demonstrated by test.WCAP-14036-P-A Revision1 "Elimi nation of Periodic Protection Channel Response Time Tests" (Ref.11) provides the basis and the methodology for using allocated signa l processing and actuation logic response times in the overall verificat ion of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not
impact response time provided the parts used for repair are of the same type and value. Specific component s identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.
(continued)
ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-49Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.2.9 (continued)
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24hours after reaching 1005psig in the SGs.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter7.3.UFSAR, Chapter15.
4.IEEE-279-1971.
5.10CFR50.49.
6.RTS/ESFAS Setpoint Methodology Study (Technical Report EE-0116).7.NUREG-1218, April1988.
8.WCAP-10271-P-A, Supplement2, Rev.1, June1990 and WCAP-14333-P-A, Rev.1, October1998.9.Technical Requirements Manual.
10.WCAP-13632-P-A, Revision2, "El imination of Pressure Sensor Response Time Testing Requirements," January1996.11.WCAP-14036-P-A, Revision1, "El imination of Periodic Protection Channel Response Time Tests," December1995.
Intentionally Blank North Anna Units 1 and 2B 3.3.3-1Revision 0PAM Instrumentation B 3.3.3B 3.3  INSTRUMENTATIONB 3.3.3Post Accident Monitoring (PAM) InstrumentationBASESBACKGROUNDThe primary purpose of the PA M instrumentation is to display unit variables that provide information re quired by the control room operators during accident situations
. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their
safety functions for Design Basis Accidents (DBAs).
The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information av ailable on selected unit parameters to monitor and to assess unit status a nd behavior following an accident.
The availability of accident monitoring instrumentati on is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by Reference1 addressing the recommendations of Regulatory Guide1.97 (Ref.2) as required by Supplement1 to NUREG-0737 (Ref.3).
The instrument channels required to be OPERABLE by this LCO include two classes of parameters identified during unit specific implementation of Regulatory Guide1.97 as TypeA and CategoryI variables.TypeA variables are included in this LCO because they provide the primary information required for the cont rol room operator to take specific manually controlled actions for whic h no automatic control is provided, and that are required for safety systems to accomplish their safety functions for DBAs. Primary information is define d as information that is essential for the direct accomplishment of the specific safety functions; it does not include those variables that are associ ated with contingency actions that may also be identified in written procedures.
(continued)
North Anna Units 1 and 2B 3.3.3-2Revision 0PAM Instrumentation B 3.3.3BASESBACKGROUND (continued)CategoryI variables are the key variab les deemed risk significant because they are needed to:
?Determine whether other systems im portant to safety are performing their intended functions;
?Provide information to the operators th at will enable them to determine the likelihood of a gross breach of the barriers to radioactivity release; and?Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public, and to estimate the magnitude of any impending threat.These key variables are identified by the plant specific Regulatory Guide1.97 analyses (Ref.1). This re port identifies the plant specific TypeA and Category I variables and pr ovides justification for deviating from the NRC proposed list of CategoryI variables.The specific instrument Functions listed in Table3.3.3-1 are discussed in
the LCO section.APPLICABLE SAFETY ANALYSESThe PAM instrumentation ensures the operability of Regulatory Guide1.97 TypeA and CategoryI variables so that the control room operating staff can:?Perform the diagnosis specified in the emergency operating procedures (these variables are restricted to pre-planned actions for the primary success path of DBAs), e.g., lo ss of coolant accident (LOCA);
?Take the specified, pre-planned, manua lly controlled actions, for which no automatic control is pr ovided, and that are required for safety systems to accomplish their safety function;
?Determine whether systems important to safety are performing their
intended functions;
?Determine the likelihood of a gross breach of the ba rriers to radioactivity release;?Determine if a gross breach of a barrier has occurred; and (continued)
PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-3Revision 0APPLICABLE SAFETY ANALYSES(continued)
?Initiate action necessary to protect the public and to estimate the magnitude of any impending threat.PAM instrumentation that meets the definition of TypeA in Regulatory Guide1.97 satisfies Criterion3 of 10CFR 50.36(c)(2)(ii). CategoryI, non-TypeA, instrumentation must be retained in TS because it is intended to assist operators in minimizing the consequences of accidents. Therefore, CategoryI, non-TypeA, variables are important for reducing public risk.LCOThe PAM instrumentation LCO provides OPERABILITY requirements for Regulatory Guide1.97 TypeA monito rs, which provide information required by the control room operators to perform certain manual actions specified in the plant Emergency Operating Procedures. These manual actions ensure that a system can acc omplish its safety function, and are credited in the safety analyses. Additionally, this LCO addresses Regulatory Guide1.97 instruments that have been designated CategoryI, non-TypeA.The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assess unit status following an accident. This capability is consistent with Reference1.LCO3.3.3 requires two OPERABLE channels for most Functions. Two OPERABLE channels ensure no single failure prevents operators from getting the information necessary for them to determine the safety status of the unit, and to bring the unit to and maintain it in a safe condition following an accident.
Furthermore, OPERABILITY of tw o channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.
The exception to the two channel requi rement is Containment Isolation Valve (CIV) Position. In this case, the imp ortant information is the status of the containment penetrations. The LC O requires one position indicator for each active CIV. This is sufficient to redundantly ve rify the isolation status of each isolable penetration either via indicated status of the active valve
and prior knowledge of a pa ssive valve, or via sy stem boundary status. If a normally active CIV is known to be closed and deactivated, position (continued)
North Anna Units 1 and 2B 3.3.3-4Revision 40PAM Instrumentation B 3.3.3BASESLCO(continued) indication is not needed to determ ine status. Therefore, the position indication for valves in this stat e is not required to be OPERABLE.Table3.3.3-1 lists all TypeA and CategoryI variables identified by the plant specific Regulatory Guide1.97 analyses (Ref.1).Reference1, Technical Report PE-0013, North Anna Power Station Response to Regulatory Guide1.97 and Reference4, Technical
Requirements Manual (TRM) Section3.3.9 - Regulatory Guide (RG) 1.97 Instrumentation, provide specific design and qualificati on requirements for RG1.97 instrumentation.Listed below are discussions of the spec ified instrument Functions listed in Table3.3.3-1.1, 2.Power Range and Source Range Neutron FluxPower Range and Source Range Neutron Flux indication is provided to verify reactor shutdown. This indication is provided by the
Gammametric channels. The two ra nges are necessary to cover the full range of flux that may occur post accident.
Neutron flux is used for accide nt diagnosis, verification of subcriticality, and diagnosis of positive reactivity insertion.3, 4.Reactor Coolant System (RCS)
Hot and Cold Leg Temperatures (Wide Ranges)
RCS Hot and Cold Leg Temperatur e wide range indications are CategoryI variables provided for verification of core cooling and long term surveillance.
The RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions necessary to establish natural circulation in the RCS.
The channels provide indication over a range of 0&deg;F to 700&deg;F.
PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-5Revision 0 LCO(continued)5.Reactor Coolant System Pressure (Wide Range)RCS wide range pressure is a CategoryI variable provided for verification of core cooling and RC S integrity long term surveillance.
RCS pressure is used to verify closure of spray line valves and
pressurizer power operated relief valves (PORVs).
In addition to these verificatio ns, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin will allow termination of safety injecti on (SI), if still in progress, or reinitiation of SI if it has been stopped. RCS pressure can also be used:?to determine whether to terminate actuated SI or to reinitiate stopped SI;
?to determine when to reset SI and shut off low head SI;
?to manually restart low head SI;
?to make a decision on operation of reactor coolant pumps (RCPs);
and?to make a determination on the natu re of the accident in progress and where to go next in the procedure.
RCS subcooling margin is also used for unit stabilization and
cooldown control.
RCS pressure is also re lated to three decisions about depressurization.
They are:
?to determine whether to proceed with primary system depressurization;
?to verify termination of depressurization; and
?to determine whether to close accu mulator isolation valves during a controlled cooldown/depressurization.
Another use of RCS pressure is to determine whether to operate the
pressurizer heaters.
(continued)
North Anna Units 1 and 2B 3.3.3-6Revision 0PAM Instrumentation B 3.3.3BASESLCO5.Reactor Coolant System Pressure (Wide Range)
(continued)RCS pressure is a TypeA variable because the operator uses this indication to monitor subcooling margin during the cooldown of the RCS following a steam ge nerator tube rupture (S GTR) or small break LOCA. Operator actions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would use this
indication.6.Inadequate Core Cooling Monitoring (ICCM) System The ICCM consists of three functi onal subsystems. Each subsystem is composed of two instrumentation trains. The three subsystems of ICCM are: the Reactor Vessel Level Instrumentation System (RVLIS); Core Exit Temper ature Monitoring (CETM); and Subcooling Margin Monitor (SMM).
The functions provided by the subsystems are discussed below.6.aReactor Vessel Level Instrumentation System RVLIS is provided for verification a nd long term surveillance of core cooling. It is also used to determine reactor coolant inventory
adequacy.
The RVLIS provides a measurement of the collapsed liquid level above the upper core plate. The coll apsed level represents the amount of liquid mass that is in the reactor vessel above the core.
Measurement of the collapsed water level is selected because it is an indication of the water inventory.6.bReactor Coolant System Subcooling Margin Monitor The RCS SMM is a Category I variab le provided for verification of core cooling. The SMM subsystem calc ulates the margin to saturation for the RCS from inputs of wide ra nge RCS pressure transmitters and the average of the five highest temperature core exit thermocouples. The two trains of SMM receive inputs from separate trains of pressure
transmitters and core ex it thermocouples (CETs).
(continued)LCO6.bReactor Coolant System Subcooling Margin Monitor (continued)
The SMM indicators are redundant to the information provided by the RCS hot and cold leg temperatur e and RCS wide range pressure indicators. RCS subcooling margin wi ll allow termination of SI, if still in progress, or re initiating of SI if it has been secured. RCS subcooling margin is also used for unit stabilization, cooldown control, and RCP trip criteria.
The SMM indicates the degree of subcooling from -35F (superheated) to +200F (subcooled).
PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-7Revision 06.cCore Exit Temperature Monitoring CETM is provided for verification a nd long term surveillance of core cooling. Two OPERABLE CETs per channel are required in each core quadrant to provide indicati on of radial distribution of the coolant temperature rise across re presentative regions of the core.
Two sets of two thermocouples ensure a single failure will not disable the ability to determine the radial temperature gradient. Monitoring of the CETs is available through the In adequate Core Cooling Monitor. Different CETs are connected to their respective channel, so a single
CET failure does not affect bot h channels. The following CET indication is provided in the control room:
?Five hottest thermocouples (ranked from highest to lowest);
?Maximum, Average, and Minimum te mperatures for each quadrant; and?Average of the five high thermocouples.7.Containment Sump Water Level (Wide Range)
Containment Sump Water Level is provided for verification and long term surveillance of RCS integrity.
Containment Sump Water Level is used for accident diagnosis.LCO8, 9.Containment Pressure and Containment Pressure Wide Range (continued)
Containment Pressure and Contai nment Pressure Wide Range are provided for verification of RCS and containment OPERABILITY.Containment Pressure channels are used to verify Safety Injection (SI) initiation and PhaseA isolation on a Containment Pressure-High signal. These channels are also used to verify closure of the Main Steam Trip Valves on a Containm ent Pressure-Intermediate High High signal. The Containment Pressure channels are also used to verify initiation of Containment Spray and PhaseB isolation on a Containment Pressure-High High signal.10.Penetration Flow Path Contai nment Isolation Valve PositionCIV Position is provided for verification of Containment OPERABILITY, and PhaseA and PhaseB isolation.When used to verify PhaseA and PhaseB isolation, the important information is the isolation status of the containment penetrations.
The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active CIV in a containment North Anna Units 1 and 2B 3.3.3-8Revision 0PAM Instrumentation B 3.3.3BASESpenetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves. For containment penetrations with onl y one active CIV having control room indication, Note (b
) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolab le penetration either via indicated status of the active valve, as a pplicable, and prior knowledge of a passive valve, or via system boundary status. If a normally active CIV is known to be closed and deactivated, position indication is not
needed to determine status. Ther efore, the position indication for valves in this state is not required to be OPERABLE. Note (a) to the
Required Channels states that the Function is not required for isolation valves whose associated pe netration is isolated by at least one closed and deactivated automatic valve, closed manual valve,
blind flange, or check valve with flow through the valve secured.
Each penetration is treated separate ly and each penetration flow path is considered a separate function.
Therefore, separate Condition entry is allowed for each inoperabl e penetration flow path.
PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-9Revision 17 LCO(continued)11.Containment Area Radiation (High Range)
Containment Area Radiation is pr ovided to monitor for the potential of significant radiation releases a nd to provide release assessment for use by operators in determining th e need to invoke site emergency plans. Containment radiation level is used to determine if adverse containment conditions exist.12.Deleted13.Pressurizer Level Pressurizer Level is used to determin e whether to terminate SI, if still in progress, or to reinitiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the unit conditions necessary to establish natural circulation in the RCS and to verify that
the unit is maintained in a safe shutdown condition.14, 15.Steam Generator Water Level (Wide and Narrow Ranges)
SG Water Level is provided to monitor operation of decay heat removal via the SGs. Both wide and narrow ranges are CategoryI indications of SG level. The wide range level covers a span of +7 to -
41feet from nominal full load water level. The narrow range instrument covers from +7 to -5feet of nominal full load water level.The level signals are inputs to the unit computer, control room
indicators, and the Auxi liary Feedwater System.
SG Water Level is used to:
?identify the affected SG following a tube rupture;
?verify that the intact SGs are an adequate heat sink for the reactor;
?determine the nature of the accident in progress (e.g., verify a SGTR); and
?verify unit conditions for termination of SI.LCO14, 15.Steam Generator Water Level (Wide and Narrow Ranges)
(continued)
Operator action is based on the cont rol room indication of SG level.
The RCS response during a design basis small break LOCA depends on the break size. For a certain range of break sizes, a secondary heat sink is necessary to remove decay heat. Narrow range level is a TypeA variable because the operator must manually raise and control SG level.
North Anna Units 1 and 2B 3.3.3-10 Revision 17PAM Instrumentation B 3.3.3BASES16.Emergency Condensate St orage Tank (ECST) LevelECST Level is provided to ensure water supply for auxiliary feedwater (AFW). The ECST provides the ensured safety grade water supply for the AFW Syst em. Inventory is moni tored by a 0% to 100% level indication and ECST Level is displayed on a control room
indicator.
The DBAs that require AFW are the loss of offsite electric power, loss of normal feedwater, SG TR, steam line break (S LB), and small break LOCA.
The ECST is the initial source of water for the AFW System.
However, as the ECST is depleted, manual operator action is necessary to replenish the ECST.17.Steam Generator PressureSG pressure is a CategoryI variable and provides an indication of the integrity of a steam generator. Th is indication can provide important information in the event of a faul ted or ruptured steam generator.18.High Head Safety Injection (HHSI) FlowTotal HHSI flow to the RCS cold legs is a TypeA variable and provides an indication of the total borated water supplied to the RCS.
For the small break LOCA, HHSI flow may be the only source of
borated water that is injected into the RCS. Total HHSI flow is a Type A variable because it provides an indication to the operator for the RCP trip criteria.
PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-11Revision 8APPLICABILITYThe PAM instrume ntation LCO is applicable in MODES1, 2, and3. These variables are related to the diagnosis and pre-planned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES1, 2, and3. In MODES4, 5, and6, unit condi tions are such that the likelihood of an event that would require PAM instrumentation is low; therefore, the PAM instrumentation is not require d to be OPERABLE in these MODES.ACTIONSA Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditi ons of this Specification may be entered independently for each Function listed on Table3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.
A.1ConditionA applies when one or mo re Functions have one required channel that is inoperable. Required ActionA.1 requires restoring the inoperable channel to OPERABLE status within 30days. The 30day Completion Time is based on operating experience and takes into account
the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.
B.1ConditionB applies when the Require d Action and associated Completion Time for ConditionA are not met.
This Required Action specifies immediate initiation of actions in Specification 5.6.6, which requires a written report to be submitted to the NRC within the following 14days.
This report discusses the results of the root cause evaluation of the inoperability and identif ies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement since alternative actions are identified before loss of functional capability, and given the likelihood of unit conditions that would require information provided by this instrumentation.
North Anna Units 1 and 2B 3.3.3-12 Revision 46PAM Instrumentation B 3.3.3BASESACTIONS(continued)
C.1ConditionC applies when one or more Functions have two inoperable required channels (i.e., two channels inoperable in the same Function).
Required ActionC.1 requires restoring one channel in th e Function(s) to OPERABLE status within 7days. The Completion Time of 7days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of a lternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable becaus e the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring re storation of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.D.1 andD.2If the Required Action and associated Completion Time of ConditionD is not met the unit must be brought to a MODE where the requirements of this LCO do not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and MODE4 within 12hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.SURVEILLANCE
REQUIREMENT
SA Note has been added to the SR Table to clarify that SR3.3.3.1 and SR3.3.3.3 apply to each PAM instrumentation Function in Table3.3.3-1 with the exception that SR3.3.3.3 is not required to be performed on
containment isolation valve position indication. SR3.3.3.4 is required for
the containment isolation valve position indication.SR3.3.3.1Performance of the CHANNEL CHECK ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parame ter indicated on one channel to a similar parameter on other channels.
It is based on the assumption that
instrument channels monitoring the same parameter should read (continued)
PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-13Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.3.1 (continued)approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to oper ate properly between each CHANNEL CALIBRATION. The high radiation in strumentation should be compared to similar unit instruments located throughout the unit.Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainti es, including isolation, indication, and readability. If a channel is outside th e criteria, it may be an indication that the sensor or the signal processing equipment has drifted out side its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.As specified in the SR, a CHANN EL CHECK is only required for those channels that are normally energized.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.3.2 Not Used SR3.3.3.3CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifi es that the channel responds to measured parameter with the necessary range and accuracy. This SR is modified by a Note that excludes neutron detectors. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the CET sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.3.3-14 Revision 46PAM Instrumentation B 3.3.3BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.3.3.4SR3.3.3.4 is the performance of a TADO T of containment isolation valve position indication. This TADOT is performed every 18months. The test shall independently verify the OPERABILITY of containment isolation
valve position indication against th e actual position of the valves.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.Technical ReportPE-0013.2.Regulatory Guide1.97, May 1983.3.NUREG-0737, Supplement1, "TMI Action Items."
4.Technical Requirements Manual North Anna Units 1 and 2B 3.3.4-1Revision 0 Remote Shutdown System B 3.3.4B 3.3  INSTRUMENTATIONB 3.3.4Remote Shutdown SystemBASESBACKGROUNDThe Remote Shutdown System pr ovides the control room operator with sufficient instrumentation and contro ls to maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect ag ainst the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE3. With the unit in MODE3, the Auxiliary Feedwater (AFW)
System and the steam generator (S G) power operated relief valves (PORVs) can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolan t System (RCS) from outside the control room allows extended operation in MODE3.
If the control room becomes inaccessible, the operators can establish control at the auxiliary shutdown panel, and maintain the unit in MODE3. Not all controls and necessary transfer switches are located at the auxiliary shutdown panel. Some controls and tr ansfer switches will have to be operated locally at the switchgear, mo tor control panels, or other local stations. The unit automatically reaches MODE3 following a unit shutdown and can be maintained safely in MODE3 for an extended period of time.
The OPERABILITY of the remote sh utdown control and instrumentation functions ensures there is sufficient information available on selected unit parameters to maintain the unit in MODE3 should the control room
become inaccessible.APPLICABLE SAFETY ANALYSESThe Remote Shutdown System is re quired to provide equipment at appropriate locations outside the control room with a capability to maintain the unit in a safe condition in MODE3.
The criteria governing the design and sp ecific system requirements of the Remote Shutdown System are located in Reference1.
The Remote Shutdown System satisfies Criterion4 of 10CFR50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.3.4-2Revision 0 Remote Shutdown System B 3.3.4BASESLCOThe Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and controls necessary to maintain the unit in MODE3 from a location other than the control room. The instrumentation and controls required are listed in TableB3.3.4-1.
The controls, instrumentation, and tr ansfer switches are required for:*Core reactivity control (long term);*RCS pressure control;
*Decay heat removal via the AFW System and the SG PORVs; and
*RCS inventory control via charging flow.
A Function of a Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the Remote Shutdown System Function are OPERABLE. In some cases, TableB3.3.4-1 may indicate that the required information or control capability is available from several
alternate sources. In these cases, the Function is OPERABLE as long as
one channel of any of the alternate information or control sources is OPERABLE.
The remote shutdown instrument and c ontrol circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments a nd control circuits will be OPERABLE if unit conditions require that the Remo te Shutdown System be placed in operation.APPLICABILITYThe Remote Shutdown System LCO is applicable in MODES1, 2, and3.
This is required so that the unit can be maintained in MODE3 for an extended period of time from a loca tion other than the control room.This LCO is not applicable in MODE4, 5, or6. In these MODES, the
facility is already subcritical and in a condition of reduced RCS energy.
Under these conditions, cons iderable time is availa ble to restore necessary instrument control functions if cont rol room instruments or controls become unavailable.
Remote Shutdown System B 3.3.4BASESNorth Anna Units 1 and 2B 3.3.4-3Revision 46ACTIONSA Remote Shutdown System functi on is inoperable when the function is not accomplished by at least one designed Remote Shutdown System channel that satisfies the OPERAB ILITY criteria for the channel's Function. These criteria are outlined in the LCO section of the Bases.
A Note has been added to the ACTIONS to clarify the application of Completion Time rules. Separate C ondition entry is allowed for each Function. The Completion Time(s) of th e inoperable channe l(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was en tered for that Function.
A.1ConditionA addresses the situation wh ere one or more required Functions of the Remote Shutdown System are in operable. This includes the control and transfer switches for any required function.
The Required Action is to restore the required Function to OPERABLE status within 30days. The Completion Time is based on operating
experience and the low pr obability of an even t that would require evacuation of the control room.B.1 andB.2If the Required Action and associated Completion Time of ConditionA is not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasonable, based on operati ng experience, to reach the required unit conditions from full power conditions in an orderly manner and
without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.3.4.1 Performance of the CHANNEL CHECK en sures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a
comparison of the parameter indica ted on one channel to a similar parameter on other channels. It is ba sed on the assumption that instrument channels monitoring the same parame ter should read approximately the
same value. Significant deviations between the two instrument channels could be an indication of (continued)
North Anna Units 1 and 2B 3.3.4-4Revision 46 Remote Shutdown System B 3.3.4BASESSURVEILLANCE REQUIREMENT
SSR3.3.4.1 (continued) excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will de tect gross channel failure; thus, it is key to verifying that the instru mentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the si gnal processing equi pment has drifted outside its limit.
As specified in the Surveillance, a CHANNEL CHECK is only required for those channels which are normally energized.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.4.2SR3.3.4.2 verifies each required Remote Shutdown System control circuit and transfer switch performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be sati sfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the unit can be maintained in MODE3 from the remote shutdown panel and
the local control stations. The Surveillance Frequency is based on
operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Remote Shutdown System B 3.3.4BASESNorth Anna Units 1 and 2B 3.3.4-5Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.3.4.3CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.
Whenever a sensing element is repl aced, the next required CHANNEL CALIBRATION of the resistance temperature detector (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter3.
North Anna Units 1 and 2B 3.3.4-6Revision 0 Remote Shutdown System B 3.3.4TableB 3.3.4-1 (page1 of1)
Remote Shutdown System Instrumentation and ControlsFUNCTION/INSTRUMENTOR CONTROL PARAMETERREQUIREDNUMBER OF FUNCTIONS
: 1. Reactivity Controla.Boric Acid Pump controls
: 12. Reactor Coolant System (RCS) Pressure Control
: a. Pressurizer Pressure indications 1b.Pressurizer Heater controls 13.Decay Heat Removal via Steam Generators (SGs)a.RCS Tavg Temperature indication1loopb.AFW Pump and Valve controls 1c.SG Pressure indication 1d.SG Level (Wide Range) indication 1e.SG Power Operated Relief Valve controls 1f.AFW Discharge Header Pressure indication 1g.Emergency Condensate Storage Tank Level indication 14.RCS Inventory Controla.Pressurizer Level indication 1b.Charging Pump controls 1c.Charging Flow control 1
North Anna Units 1 and 2B 3.3.5-1Revision 0LOP EDG Start Instrumentation B 3.3.5B 3.3  INSTRUMENTATIONB 3.3.5Loss of Power (LOP) Emergency Diesel Generator (EDG) Start InstrumentationBASESBACKGROUNDThe EDGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation.
Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs on the emergency buses. There are two required LOP start signals for each 4.16kV emergency bus.Undervoltage relays are provided on each 4160V Class1E bus for detecting a loss of bus voltage or a sustained degraded voltage condition.
The relays are combined in a two-out
-of-three logic to generate a LOP signal. A loss of voltage start of the EDG is initiated when the voltage is less than 74% of rated voltage and lasts for approximately 2seconds. A
degraded voltage start of the EDG is produced when th e voltage is less than 90% of rated voltage sustained for approximately 56seconds. The time
delay for the degraded voltage start signal is reduced to approximately 7.5seconds with the presence of a Sa fety Injection signal for the H and J bus on this unit.One 4160VAC bus from the other unit is needed to support operation of each required Service Water (SW) pump, Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS) fan, Auxiliary Building central exhaus t fan, and Component Cooling Water (CC) pump. SW, MCR/ESGR EVS, A uxiliary Building central exhaust system, and CC are shared systems.The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for Engineered Safety Features Actuation System (ESFAS) action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be acceptable. The Allowable Value is considered a lim iting value such that a channel is OPERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL CALIBRATION. Note that, although a channel is
OPERABLE under these circumstances, th e setpoint must be left adjusted to within the established calibra tion tolerance band of the setpoint (continued)
North Anna Units 1 and 2B 3.3.5-2Revision 0LOP EDG Start Instrumentation B 3.3.5BASESBACKGROUND (continued)in accordance with uncertainty assumptions stated in the referenced setpoint methodology, (as-left-criteria) and confir med to be operating with the statistical allowances of the uncertainty terms assigned.Allowable Values and LOP EDG St art Instrumentation Setpoints The trip setpoints are summarized in Reference3. The selection of the Allowable Values is such that ade quate protection is provided when all sensor and processing time delays are taken into account.
Setpoints adjusted consistent with the requirement of the Allowable Value ensure that the consequences of accid ents will be accep table, providing the unit is operated from within the LCOs at the onset of the accident and that the equipment functions as designed.Allowable Values are specified for each Function in SR3.3.5.2. Nominal trip setpoints are also specified in the unit specific setpoint calculations and listed in the Technical Requirements Manual (TRM) (Ref.2). The trip setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measur ed setpoint does not exceed the Allowable Value, the relay is considered OPERABLE. Operation with a
trip setpoint less conservative than th e nominal trip setpoint, but within the Allowable Value, is acceptable provi ded that operation and testing is consistent with the assumptions of the unit specific setpoint calculation (Ref.3).APPLICABLE SAFETY ANALYSESThe LOP EDG start instrumentation is required for the Engineered Safety Features (ESF) Systems to function in any accident with a loss of offsite power. Its design basis is that of the ESFAS.Accident analyses credit the loading of the EDG based on the loss of offsite power during a loss of c oolant accident (LOCA). The actual EDG start has historically been associated with the ESFAS actuation. The EDG loading has been included in the delay time associated with each safety system component requiring EDG supplied power following a loss of offsite power. The analyses assume a non-mechanistic (continued)
LOP EDG Start Instrumentation B 3.3.5BASESNorth Anna Units 1 and 2B 3.3.5-3Revision 0APPLICABLE SAFETY ANALYSES(continued)
EDG loading, which does not explicit ly account for each individual component of loss of power det ection and subsequent actions.
The required channels of LOP EDG st art instrumentation, in conjunction with the ESF systems powered from the EDGs, provide unit protection in the event of any of the analyzed accidents discussed in Reference5, in which a loss of offsite power is assumed.
The delay times assumed in the safe ty analysis for the ESF equipment include the 10second EDG start delay, and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in LCO3.3.2, "Engineered Safety Feature Actuation System (ESFAS)
Instrumentation," include the appr opriate EDG loading and sequencing delay if applicable.
The LOP EDG start instrumentation channels satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe LCO for LOP EDG start instrume ntation requires that three channels per bus of both the loss of voltage a nd degraded voltage Functions shall be OPERABLE in MODES1, 2, 3, and4 when the LOP EDG start
instrumentation supports safety systems associated with the ESFAS. This is associated with the requirement of LCO3.3.5.a for this unit's H and J buses. LCO3.3.5.b specifies that for a re quired H and/or J bus on the other unit that is needed to support a require d shared component for this unit, the LOP EDG start instrumentation for th e required bus must be OPERABLE. The other unit's required H and/or J bus are required to be OPERABLE to support the SW, MCR/ESGR EVS, Auxi liary Building cent ral exhaust, and CC functions needed for this unit.
These Functions share components,
pumps, or fans, which are electricall y powered from both units. A channel is OPERABLE with a trip setpoint va lue outside its calibration tolerance band provided the trip setpoint "as-found" value doe s not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the "as-left" calibration toleranc e band of the trip setpoint. A trip setpoint ma y be set more conservative than the trip setpoint specified in the TRM (Ref.2) as neces sary in response to unit conditions. In MODES5 or6, the three channels must be OPERABLE whenever the associated EDG is required to be OPERABLE to ensure that the automatic start of(continued)
North Anna Units 1 and 2B 3.3.5-4Revision 0LOP EDG Start Instrumentation B 3.3.5BASESLCO(continued)the EDG is available when needed. Loss of the LOP EDG Start Instrumentation Function could result in the delay of safety systems initiation when required. This could lead to unacceptable consequences
during accidents. During the loss of offsite power the EDG powers the
motor driven auxiliary feedwater pumps
. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased
potential for a loss of decay heat removal through the secondary system.APPLICABILITYThe LOP EDG Start Instrumentation Functions are required in MODES1, 2, 3, and4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODE5 or6 is required whenever the
required EDG must be OPERABLE so th at it can perform its function on a LOP or degraded power to the emergency bus.ACTIONSIn the event a channel's trip set point is found nonconservative with respect to the Allowable Value, or the ch annel is found inoperable, then the function that channel provides must be declared inoperable and the LCO Condition entered for the particular protection function affected.
Because the required channels are specified on a per bus basis, the Condition may be entered separate ly for each bus as appropriate.
A Note has been added in the ACTI ONS to clarify the application of Completion Time rules. The Conditi ons of this Specification may be entered independently for each Func tion listed in the LCO and for each emergency bus. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was en tered for that Function for the associated emergency bus.
A.1ConditionA applies to the LOP EDG start Function with one loss of voltage or degraded voltage channel per bus inoperable.
If one channel is inoperable, Required ActionA.1 requires that channel to be placed in trip within 72hours.
A plant-specific risk assessment, consistent with Reference4, (continued)
LOP EDG Start Instrumentation B 3.3.5BASESNorth Anna Units 1 and 2B 3.3.5-5Revision 0ACTIONSA.1 (continued)was performed to justify the 72hour Completion Time. With a channel in trip, the LOP EDG start instrumentation channels are confi gured to provide a one-out-of-two logic to initiate a trip of the incoming offsite power.
A Note is added to allow bypassi ng an inoperable channel for up to 12hours for surveillance testing of othe r channels. A plant-specific risk assessment, consistent with Reference4, was performed to justify the 12hour time limit. This allowance is made where bypassing the channel does not cause an actuation and where normally, excluding required testing, two other channels are monitoring that parameter.The specified Completion Time and time allowed for bypassing one channel are reasonable consider ing the Function remains fully OPERABLE on every bus and the low probability of an event occurring
during these intervals.
B.1ConditionB applies when more than one loss of voltage or more than one degraded voltage channel on an emergency bus is inoperable.Required ActionB.1 requires restori ng all but one channel to OPERABLE status. The 1 hour Completion Time s hould allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.
C.1ConditionC applies to each of the LOP EDG start Functions when the Required Action and associated Completion Time for ConditionA orB are not met.In these circumstances the Conditions specified in LCO3.8.1, "AC Sources-Operating," or LCO3.8.2, "AC Sources-Shutdown," for the
EDG made inoperable by failure of the LOP EDG start instrumentation are required to be entered immediately. Th e actions of those LCOs provide for adequate compensatory actions to assure unit safety.
North Anna Units 1 and 2B 3.3.5-6Revision 46LOP EDG Start Instrumentation B 3.3.5BASESSURVEILLANCE REQUIREMENT
SSR3.3.5.1SR3.3.5.1 is the performance of a TA DOT for channels required by LCO3.3.5.a and LCO3.3.5.b. A successful te st of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay.
This clarifies what is an acceptable TADOT of a relay. This is acceptabl e because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at an 18 month frequency with applicable extensions. The test checks trip device s that provide actuation signals directly, bypassing the an alog process control equipment.
The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to the loss of voltage and degraded voltage relays for the 4160VAC emer gency buses, setpoi nt verification requires elaborate bench calibrati on and is accomplished during the CHANNEL CALIBRATION. Each train or logic channel shall be
functionally tested up to and including input coil continuity testing of the ESF slave relay. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.5.2SR3.3.5.2 is the performance of a CHANNEL CALIBRATION for channels required by LCO3.3.5.a and LCO3.3.5.b.
The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay, as shown in Reference1.CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. The verification of degraded voltage wi th a SI signal is not required by LCO3.3.5.b.
(continued)
LOP EDG Start Instrumentation B 3.3.5BASESNorth Anna Units 1 and 2B 3.3.5-7Revision 46SURVEILLANCE REQUIREMENT
SSR3.3.5.2 (continued)
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.5.3 This SR ensures the individual ch annel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis for channels required by LCO3.3.5.a and LCO3.3.5.b. Response Time testing acceptance criteria are included in the TRM (Ref.2).
Individual component res ponse times are not modele d in the analyses. The analyses model the overall or total el apsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure
, valves in full open or closed position).
For channels that include dynamic tr ansfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulti ng measured response time compared to the appropriate TRM response time. Alternately, the response time test can be performed with the time constant s set to their nominal value provided the required response time is analyti cally calculated assuming the time constants are set at th eir nominal values. The response time may be measured by a series of overlapping test s such that the entire response time is measured.
Response time may be verified by actual response ti me test in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, sign al processing and actuation logic response times with actual response time tests on the remainder of the channel.
Testing of the final actuation device s, which make up the bulk of the response time, is included in the testing of each channel.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section8.3.2.Technical Requirements Manual.3.RTS/ESFAS Setpoint Methodology Study (Technical ReportEE-0116).
North Anna Units 1 and 2B 3.3.5-8Revision 46LOP EDG Start Instrumentation B 3.3.5BASES4.WCAP14333-P-A, Rev.1, October1998.5.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.3.6-1Revision 39 MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6B 3.3  INSTRUMENTATIONB 3.3.6Main Control Room/Emergency Switchge ar Room (MCR/ESGR) Envelope Isolation Actuation InstrumentationBASESBACKGROUNDThe MCR/ESGR Envelope Isolation func tion provides a protected environment from which operators can control the unit following an uncontrolled release of radioactivity. During normal operation, the MCR and Relay Room Air Cond ition System provides unfiltered make up air and cooling. Upon receipt of an MCR/ES GR Envelope Isolation actuation signal from either unit Safety Injecti on (SI), High Radiation or manual, the Unit1 and2 control room normal ventil ation intake and exhaust ducts are isolated to prevent unfiltered makeup air from entering the control room. In addition to MCR/ESGR envelope isolation, an SI signal also automatically starts the affected units MCR/ESGR EVS fans to provide filtered
recirculated air within the MCR/ES GR envelope. The Fuel Building High Radiation or manual initiation starts bot h units' available EVS train fans in the recirculation mode. Manual operato r action is required to align the MCR/ESGR EVS to provided filtered makeup air. The MCR/ESGR EVS is described in the Bases for LCO3.7.10, "Main Control Room/Emergency Switchgear Room Emergency Ventilation System."There are four independent and redundant trains of manual actuation
instrumentation for the MCR/ESGR Envelope Isolation. Each manual actuation train consists of two actuation switches (channels), and the
interconnecting wiring to the actuation circuitry. Only one switch (channel) per train and two of the four trains are required for the system to maintain independence and redundancy.
The MCR/ESGR Envelope Is olation is actuated on a SI signal from either unit, a Fuel building High Radiation signal or manual switches in the MCR. The Safety Injection Function is discussed in LCO3.3.2,
"Engineered Safety Feature Actuation System (ESFAS) Instrumentation."APPLICABLE SAFETY ANALYSESThe control room must be kept habitable for the operators stationed there
during accident recovery and post accident operations. The MCR/ESGR Envelope Isolation actuation on a SI signal acts to automatically terminate
the supply of (continued)
North Anna Units 1 and 2B 3.3.6-2Revision 39 MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6BASESAPPLICABLE SAFETY ANALYSES(continued) unfiltered outside air to the control room and initiate filtration in the
recirculation mode. Manual actions ar e required to align the MCR/ESGR EVS to provide filtered make up air to the MCR/ESGR envelope.The safety analysis for a loss of coolant accident in MODES1-4 assumes automatic isolation of the MCR/ESGR envelope on a SI signal and manual initiation of filtered outside air flow within 1hour.
No credit is taken for filtered recirculation or pressurization provided by the MCR/ESGR EVS. The safety analysis for a fuel handling accident (FHA) assumed manual isolation of the MCR/ESGR envelope and manual initiation or positioning of the MCR/ESGR EVS to supply filtered air flow within 1hour. For the
remaining design basis accidents, MCR/
ESGR envelope isolation is not assumed. Normal ventilation inflow with 500cfm of a dditional unfiltered inleakage is assumed.The accident analysis assumes norma l ventilation during a toxic gas or smoke incident. The MCR/ESGR envel ope isolation is not required to mitigate the consequences of these events.
The MCR/ESGR EVS actuation instrume ntation satisfies Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe LCO requirements ensure that in strumentation necessary to initiate isolation of the MCR/ESGR envelope is OPERABLE.1.Manual Initiation The LCO requires one channel per train and two trains OPERABLE. The operator can initia te the MCR/ESGR isolation at any time by using any one of the two switches in a train from the
control room. This action will cause actuation of components in the same manner as the automatic actuation signal.
The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in th e manual actuation circuitry to ensure the operator has manual initiation capability.
Each train consists of two switches (channels) and the interconnecting wiring to the actuation circuitry.
MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6BASESNorth Anna Units 1 and 2B 3.3.6-3Revision 39 LCO(continued)2.Safety InjectionRefer to LCO3.3.2 Function1 for all initiating Functions and requirements.APPLICABILITYThe MCR/ESGR Envelope Isolation Functi ons must be operable in MODES1, 2, 3, and4 and during the movement of recently irradiated fuel
assemblies to provide the require d MCR/ESGR envelope isolation initiation assumed in the applicable safety analyses. In MODES5 and6, when no fuel movement involving recently irradiated fuel (i.e., fuel that
has occupied part of a cr itical reactor core within the previous 300hours) is taking place, there are no requirements for MCR/ESGR EVS instrumentation OPERABILITY consis tent with the safety analyses assumptions applicable in these MODES.
In addition, the manual channels ar e required OPERABLE when moving recently irradiated fuel.ACTIONSA Note has been added to the AC TIONS indicating that separate Condition entry is allowed for each Function. The Conditions of this Specification may be entered independently for each Function listed in Table3.3.6-1 in the accompanying LCO. The Completion Time(s) of the inoperable train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that FunctionA.1.
A.1ConditionA applies to the Manual Function of the MCR/ESGR EVS.
If one train is inoperable, in one or more Functions, 7days are permitted to restore it to OPERABLE status. The 7day Completion Time is the same as is allowed if one train of the MCR/ESGR EVS is inoperable. The basis for this Completion Time is the same as provided in LCO3.7.10. If the train
cannot be restored to OPERABLE st atus, the normal ventilation to the MCR/ESGR envelope must be isolat ed. This accomplishes the actuation instrumentation Function and places the unit in a conservative mode of
operation.
North Anna Units 1 and 2B 3.3.6-4Revision 39 MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6BASESACTIONS(continued)
B.1ConditionB applies to the failure of two MCR/ESGR Envelope Isolation actuation trains, or two manual trains. The Required Action is to isolate the normal ventilation to the MCR/ESGR envelope immediately. This accomplishes the actuation instrument ation Function that may have been lost and places the unit in a conservative mode of operation.C.1 andC.2ConditionC applies when the Require d Action and associated Completion Time for ConditionA orB have not been met and the unit is in MODE1, 2, 3, or4. The unit must be brought to a MODE in which the LCO requirements are not applicable. To ac hieve this status, the unit must be brought to MODE3 within 6hours and MODE5 within 36hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.D.1 andD.2ConditionD applies when the Require d Action and associated Completion Time for ConditionA orB have not been met when recently irradiated fuel assemblies are being move
: d. Either the normal ventilation to MCR/ESGR envelope must be isolated or movement of recently irradiated fuel assemblies must be suspended immediat ely to reduce the risk of accidents that would require MCR/ESGR Envelope Isolation actuation.
MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6BASESNorth Anna Units 1 and 2B 3.3.6-5Revision 46SURVEILLANCE REQUIREMENT
SA Note has been added to the SR Table to clarify that Table3.3.6-1 determines which SRs apply to wh ich MCR/ESGR Envelope Isolation Actuation Functions.SR3.3.6.1SR3.3.6.1 is the performance of a TADOT.
This test is a check of the Manual Actuation Functions
. Each Manual Actuation Function is tested up to, and including, the master relay coil
: s. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some in stances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The SR is modified by a Note that ex cludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.REFERENCESNone Intentionally Blank North Anna Units 1 and 2B 3.4.1-1Revision 0RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1B 3.4REACTOR COOLANT SYSTEM (RCS)B 3.4.1RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)
LimitsBASESBACKGROUNDThese Bases address require ments for maintaining RCS pressure, temperature, and flow rate within li mits assumed in the safety analyses. The safety analyses (Ref.1) of norma l operating conditions and anticipated operational occurrences assume initia l conditions within the normal steady state envelope. The limits placed on RCS pressure, temperature, and flow rate ensure that the minimum de parture from nucleate boiling ratio (DNBR) will be met for each of the transients analyzed.The RCS pressure limit is consistent with operation within the nominal operational envelope. Pressurizer pressure indications are compared to the limit. A lower pressure will cause the reactor core to approach DNB limits.
The RCS coolant average temperature li mit is consistent with full power operation within the nominal opera tional envelope. RCS loop average temperature is compared to the lim it. A higher average temperature will cause the core to approach DNB limits.
The RCS flow rate norma lly remains constant during an operational fuel cycle with all pumps running. The mi nimum RCS flow limit corresponds to that assumed for DNB analyses. Flow rate indications are averaged to come up with a value for comparison to the limit. A lower RCS flow will
cause the core to approach DNB limits.
Operation for significant periods of time outside these DNB limits increases the likelihood of a fuel cladding failure in a DNB limited event.APPLICABLE SAFETY ANALYSESThe requirements of this LCO represent the initial conditions for DNB limited transients analyzed in the unit safety analyses (Ref.1). The safety
analyses have shown that transients initiated from the limits of this LCO will result in meeting the DNBR cr iterion. The limits on the DNB related parameters assure that each of the parameters are maintained within the
normal steady state envelope of (continued)
North Anna Units 1 and 2B 3.4.1-2Revision 0RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1BASESAPPLICABLE SAFETY ANALYSES(continued) operation assumed in the transient and accident analysis. The limits have been analytically demonstrated to be adequate to maintain a minimum DNBR greater than the design limit throughout each analyzed transient including allowances for measurement uncertainties. Changes to the unit that could impact these parameters must be assessed for their impact on the DNBR criteria. The transients analyzed for include loss of coolant flow
events and dropped or stuck rod events. A key assumption for the analysis of these events is that the core power distribution is within the limits of LCO3.1.6, "Control Bank Insertion Limits"; LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)"; and LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."The pressurizer pressure limit and RCS average temperature limit specified in the COLR equal the analytical li mits because of the application of statistical combination of uncertainty.
The RCS DNB parameters satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThis LCO specifies limi ts on the monitored process variables-pressurizer pressure, RCS average temperature, and RCS total flow rate-to ensure the core operates within the limits assumed in the safety analyses. These variables are contained in the COLR to provide operating and analysis flexibility from cycle to cycle. However, the minimum RCS flow, usually based on the maximum analyzed steam generator tube plugging, is retained in the LCO. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.
The numerical values for pressure, temp erature, and flow rate specified in the COLR are given for the measurement location have been adjusted for instrument error.APPLICABILITYIn MODE1, the limits on pressurizer pressure, RCS coolant average temperature, and RCS flow rate must be maintained during steady state operation in order to ensure DNBR criter ia will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. The (continued)
RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1BASESNorth Anna Units 1 and 2B 3.4.1-3Revision 0APPLICABILITY (continued) design basis events that are sensitive to DNB in other MODES (MODE2 through5) have sufficient margin to DNB, and therefore, there is no reason to restrict DNB in these MODES.
A Note has been added to indicate the limit on pressurizer pressure is not applicable during short term operational transients such as a THERMAL POWER ramp increase >5%RTP per minute or a THERMAL POWER step increase >10%RTP. These conditions represent short term
perturbations where actions to cont rol pressure variations might be counterproductive. Also, since they re present transients initiated from power levels <100%RTP, an increased DNBR margin exists to offset the
temporary pressure variations.The DNBR limit is provided in SL2.1.1, "Reactor Core SLs." The conditions which define the DNBR limit are less restrictive than the limits
of this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Shoul d a violation of this LCO occur, the operator must check whether or not an SL may have been exceeded.ACTIONSA.1RCS pressure and RCS average te mperature are controllable and measurable parameters. With one or both of these parameters not within LCO limits, action must be ta ken to restore parameter(s).
RCS total flow rate is not a controllab le parameter and is not expected to vary during steady state operation. If th e indicated RCS total flow rate is below the LCO limit, power must be reduced, as required by Required ActionB.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds.The 2hour Completion Time for restor ation of the parameters provides sufficient time to adjust unit parameters, to determine the cause for the off normal condition, and to restore the read ings within limits, and is based on unit operating experience.
North Anna Units 1 and 2B 3.4.1-4Revision 46RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1BASESACTIONS(continued)
B.1If Required ActionA.1 is not met within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE2 within 6hours. In MODE2, the reduced power condition eliminates the potential for violation of the accident analysis bounds. The Completion Time of 6hours is reasonable to reach the required unit c onditions in an orderly manner.SURVEILLANCE
REQUIREMENT
SSR3.4.1.1 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.1.2 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.1.3 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1BASESNorth Anna Units 1 and 2B 3.4.1-5Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.4.1.4 Measurement of RCS total flow ra te by performance of a precision calorimetric heat balance allows the installed RCS flow instrumentation to be calibrated and verifies the actual RC S flow rate is greater than or equal to the minimum required RCS flow rate.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that allows entry into MODE1, without having performed the SR, and placement of the unit in the best condition for performing the SR. The Note states that the SR is not required to be performed until 30days after 90% RTP. The 30day period after reaching 90% RTP is reasonable to establish st able operating conditions, install the test equipment, perform the test, and analyze the results. The Surveillance shall be performed within 30days after reaching 90% RTP.REFERENCES1.UFSAR, Chapter15.
Intentionally Blank North Anna Units 1 and 2B 3.4.2-1Revision 0RCS Minimum Temperature for Criticality B 3.4.2B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.2RCS Minimum Temperature for CriticalityBASESBACKGROUNDThis LCO is based upon meeting several major considerations before the reactor can be made critical a nd while the reactor is critical.
The first consideration is moderator temperature coefficient (MTC), LCO3.1.3, "Moderator Temperature Coefficient (MTC)." In the transient and accident analyses, the MTC is assu med to be in a range from slightly positive to negative and the operating temperature is assumed to be within the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the unit is operated
consistent with these assumptions.
The second consideration is the prot ective instrumentation. Because certain protective instrumentation (e.g., excore neutron detectors) can be affected by moderator temperature, a temperature value within the nominal operating envelope is chosen to en sure proper indication and response while the reactor is critical.
The third consideration is the pressu rizer operating characteristics. The transient and accident analyses assume that the pressurizer is within its normal startup and operating range (i
.e., saturated conditions and steam bubble present). It is also assumed that the RCS temperature is within its normal expected range for startup a nd power operation. Since the density of the water, and hence the response of the pressurizer to transients, depends upon the initial temperature of the moderator, a minimum value for moderator temperature within th e nominal operating envelope is chosen.
The fourth consideration is that the reactor vessel is a bove its minimum nil ductility reference temperature when the reactor is critical.APPLICABLE SAFETY ANALYSESAlthough the RCS minimum temperature for criticality is not itself an initial condition assumed in Design Ba sis Accidents (DBAs), the closely aligned temperature for hot zero power (HZP) is a process variable that is an initial (continued)APPLICABLE SAFETY ANALYSES(continued) condition of DBAs, such as the rod cluster control assembly (RCCA) withdrawal from subcritical, RCCA ejection, boron dilution at startup,
feedwater malfunction, main steam sy stem depressurization, and main steam line break accidents performed at zero power that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.
North Anna Units 1 and 2B 3.4.2-2Revision 0RCS Minimum Temperature for Criticality B 3.4.2BASESAll low power safety analyses assume initial RCS loop temperatures the HZP temperature of 547F. The minimum temperature for criticality limitation provides a small band, 6F, for critical operation below HZP.
This band allows critical operation below HZP during unit startup and does not adversely affect any safety analyses since the MTC is not significantly affected by the small temperature difference between HZP and the minimum temperature for criticality.The RCS minimum temperature for criticality satisfies Criterion2 of 10CFR50.36(c)(2)(ii).
LCOCompliance with the LCO ensures that the reactor will not be made or maintained critical (keff 1.0) at a temperature less than a small band below the HZP temperature, which is assumed in the safety analysis.
Failure to meet the requirements of this LCO may produce initial
conditions inconsistent with the init ial conditions assumed in the safety analysis.APPLICABILITYIn MODE1 andMODE 2 with keff 1.0, LCO3.4.2 is applicable since the reactor can only be critical (keff 1.0) in these MODES.The special test exception of LCO3.1.9, "MODE2 PHYSICS TESTS
Exceptions," permits PHYSICS TESTS to be performed at 5%RTP with RCS loop average temperatures slight ly lower than normally allowed so that fundamental nuclear characteristics of the core can be verified. In order for nuclear characteristics to be accurately measured, it may be
necessary to operate outside the norma l restrictions of this LCO. For example, to measure the MTC at beginning of cycle, it is necessary to allow RCS loop average temperatures to fall below Tnoload, which may cause RCS loop average temperatures to fall below the temp erature limit of this LCO.ACTIONSA.1If the parameters that are outside the limit cannot be rest ored, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE2 with keff <1.0 within 30minutes. Rapid reactor shutdown can be readily and practically achieved within a 30minute period. The allowed time is reasonable, based on operating experience, to reach MODE2 with keff <1.0 in an orderly manner and without challenging unit systems.
RCS Minimum Temperature for Criticality B 3.4.2BASESNorth Anna Units 1 and 2B 3.4.2-3Revision 46SURVEILLANCE REQUIREMENT
SSR3.4.2.1 RCS loop average temperature is require d to be verified at or above 541F. The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCESNone.
Intentionally Blank North Anna Units 1 and 2B 3.4.3-1Revision 0 RCS P/T Limits B 3.4.3B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.3RCS Pressure and Temperature (P/T) LimitsBASESBACKGROUNDAll components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LC O limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions
and the stress limits for cyclic operation.
This LCO contains P/T limit curves for heatup, cooldown, inservice leak and hydrostatic (ISLH) test ing, and data for the maxi mum rate of change of reactor coolant temperature.
Each P/T limit curve defines an ac ceptable region for normal operation.
The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.
The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component mo st subject to bri ttle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to the pressurizer, which has different design characteristi cs and operating functions.10CFR50, AppendixG (Ref.1), requires the establishment of P/T limits for specific material fracture toughness requirements of the RCPB materials. Reference1 requires an adequate margin to brittle failure during normal operation, anticipated operati onal occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME) Code, SectionIII, AppendixG (Ref.2).
The neutron embrittlement effect on the material t oughness is reflected by increasing the nil ductility reference temperature (RTNDT) as exposure to neutron fluence increases.
(continued)BACKGROUND (continued)The actual shift in the RTNDT of the vessel material is established periodically by removing and evaluating the irradiated reactor vessel
material specimens, in accordance with ASTME185 (Ref.3) and AppendixH of 10CFR50 (Ref.4). The operating P/T limit curves are adjusted, as necessary, based on the evaluation findings and the recommendations of Regulatory Guide1.99 (Ref.5).
North Anna Units 1 and 2B 3.4.3-2Revision 0 RCS P/T Limits B 3.4.3BASESThe P/T limit curves are calculated using the most limiting value of RTNDT corresponding to the limiting beltline region material for the reactor vessel.The heatup curve represents a differ ent set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gr adient reversal alters the location of the tensile stress between the outer and inner walls.
The consequence of violating the LCO limits is that the RCS has been operated under conditions that can resu lt in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components. The ASME Code, SectionXI, AppendixE (Ref.6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.APPLICABLE SAFETY ANALYSESThe P/T limits are not derived fr om Design Basis Accident (DBA) analyses. They are prescribed during normal operation to avoid
encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause
nonductile failure of the RCPB, an un analyzed condition. Although the P/T limits are not derived from any DBA, the P/T limits are acceptance limits since they preclude operation in an unanalyzed condition.
RCS P/T limits satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).
RCS P/T Limits B 3.4.3BASESNorth Anna Units 1 and 2B 3.4.3-3Revision 20 LCOThe two elements of this LCO are:a.The limit curves for heatup, c ooldown, and ISLH testing; andb.Limits on the rate of change of temperature.The LCO limits apply to all components of the RCS, except the pressurizer.
These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.
The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and ISLH testing P/
T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.
The reactor vessel beltline is the most limiting region of the reactor vessel for the determination of P/T limit curves. The P/T curves include a correction for the difference between the pressure at the point of
measurement (hot leg or pressurizer) and the reactor vessel beltline. The P/T limits include instrument uncertain ties for pressure and temperature.Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components.
The consequences depend on se veral factors, as follow:a.The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;b.The length of time the limits were violated (longer violations allow the temperature gradient in the thic k vessel walls to become more pronounced); andc.The existences, sizes, and orientati ons of flaws in the vessel material.
North Anna Units 1 and 2B 3.4.3-4Revision 0 RCS P/T Limits B 3.4.3BASESAPPLICABILITYThe RCS P/T li mits LCO provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10CFR50, AppendixG (Ref.1). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES3, 4, and5) or ISLH testing, their Applicab ility is at all times in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.During MODES1 and2, other Technical Specifications pr ovide limits for operation that can be more restrictiv e than or can supplement these P/T limits. LCO3.4.1, "RCS Pressure, Temper ature, and Flow Departure from Nucleate Boiling (DNB) Limits"; LCO3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit2.1, "Safety Limits," also provide operational restrictions for pressure and temper ature and maximum pressure. Furthermore, MODES1 and2 are above the temperature range of concern for nonductile failure, and stress analyses have be en performed for normal maneuvering profiles, such as power ascension or descent.ACTIONSA.1 and A.2Operation outside the P/T limits during MODE1, 2, 3, or4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.The 30minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.Besides restoring operation within li mits, an evaluation is required to determine if RCS operation can conti nue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Seve ral methods may be us ed, including comparison with pre-analyzed transients in th e stress analyses, new analyses, or inspection of the components.
ASME Code, SectionXI, AppendixE (Ref.6), may be us ed to support the evaluation. However, its use is rest ricted to evaluation of the vessel beltline.
(continued)
RCS P/T Limits B 3.4.3BASESNorth Anna Units 1 and 2B 3.4.3-5Revision 0ACTIONSA.1 and A.2 (continued)The 72hour Completion Time is reas onable to accomplish the evaluation.
The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation mu st be completed before continuing to operate.ConditionA is modified by a Note requiring Required ActionA.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required ActionA.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.
B.1 and B.2 If a Required Action and associated Completion Time of ConditionA are not met, the unit must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced
pressure and temperature. In reduced pressure and temperature conditions,
the possibility of propagation with undetected flaws is decreased.If the required restoration activity cannot be accomplished within 30minutes, Required ActionB.1 and Required ActionB.2 must be implemented to reduce pr essure and temperature.
If the required evaluation for continued operation cannot be accomplished within 72hours or the results are inde terminate or unfavor able, action must proceed to reduce pressure and temperature as specified in Required ActionB.1 and Required ActionB.2. A favorable evaluation must be
completed and documented before re turning to operating pressure and
temperature conditions.
Pressure and temperature are reduced by bringing the unit to MODE3 within 6hours and to MODE5 with RCS pressure <500psig within 36hours.(continued)
North Anna Units 1 and 2B 3.4.3-6Revision 0 RCS P/T Limits B 3.4.3BASESACTIONSB.1 and B.2 (continued)The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.
C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than when in MODE1, 2, 3, or4, so that the RCPB
is returned to a condition that has been verified by stress analysis.The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.
Besides restoring operation within li mits, an evaluation is required to determine if RCS operation can continue. The evalua tion must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE4. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, or inspection of the components.ASME Code, SectionXI, AppendixE (Ref.6), may be us ed to support the evaluation. However, its use is rest ricted to evaluation of the vessel beltline.
ConditionC is modified by a Note requiring Required ActionC.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required ActionC.1 is insufficient because higher than analyzed stresse s may have occurred and may have affected the RCPB integrity.
RCS P/T Limits B 3.4.3BASESNorth Anna Units 1 and 2B 3.4.3-7Revision 46SURVEILLANCE REQUIREMENT
SSR3.4.3.1Verification that operation is within li mits is required when RCS pressure and temperature conditions are undergoing planned changes. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant unit procedure for ending the activity is satisfied.
This SR is modified by a Note that onl y requires this SR to be performed during system heatup, cooldown, and IS LH testing. No SR is given for criticality operations because LCO 3.4.2 contains a more restrictive requirement.REFERENCES1.10CFR50, AppendixG.2.ASME, Boiler and Pressure Vessel Code, SectionIII,AppendixG.3.ASTM E185.
4.10CFR50, AppendixH.
5.Regulatory Guide1.99, Revision2, May1988.
6.ASME, Boiler and Pressure Vessel Code, SectionXI,AppendixE.
Intentionally Blank North Anna Units 1 and 2B 3.4.4-1Revision 0 RCS Loops-MODES 1 and 2 B 3.4.4B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.4RCS Loops-MODES1 and2BASESBACKGROUNDThe primary function of the RCS is removal of the heat generated in the fuel due to the fission process, and transfer of this heat, via the steam generators (SGs), to the secondary plant.
The secondary functions of the RCS include:a.Moderating the neutron energy level to the thermal state, to increase the probability of fission;b.Improving the neutron economy by acting as a reflector;c.Carrying the soluble neutron poison, boric acid;d.Providing a second barrier agains t fission product release to the environment; ande.Removing the heat generated in the fuel due to fission product decay following a unit shutdown.
The reactor coolant is circulated through three loops connected in parallel to the reactor vessel, each containing an SG, a reac tor coolant pump (RCP),
and appropriate flow and temperature instrumentation for both control and protection. The reactor vessel contains the clad fuel. The SGs provide the heat sink to the isolated secondary c oolant. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage. This forced circulati on of the reactor coolant ensures mixing of the coolant for proper boration and chemistry control.APPLICABLE SAFETY ANALYSESSafety analyses contain various assumptions for the design bases accident
initial conditions includi ng RCS pressure, RCS temp erature, reactor power level, core parameters, and safety system setpoints. The important aspect for this LCO is the reactor coolant forc ed flow rate, which is represented by the number of RCS loops in service.
(continued)APPLICABLE SAFETY ANALYSES(continued)Both transient and steady state analyses have been performed to establish the effect of flow on the departur e from nucleate boiling (DNB). The transient and accident analyses for the unit have been performed assuming three RCS loops are in operation. The ma jority of the unit safety analyses are based on initial conditions at high core power or zero power. The North Anna Units 1 and 2B 3.4.4-2Revision 28 RCS Loops-MODES 1 and 2 B 3.4.4BASESaccident analyses that are most important to RCP operation are the complete loss of forced reactor flow
, single reactor coolant pump locked rotor, partial loss of forced reactor flow, and rod withdrawal events (Ref.1).The DNB analyses assume normal thre e loop operation. Uncertainties in key unit operating parameters, nuclear and thermal para meters, and fuel fabrication parameters are considered statistically such that there is at least a 95 percent probability that DNB wi ll not occur for the limiting power rod.
Key unit parameter uncertainties are us ed to determine the unit departure from nucleate boiling ratio (DNBR) uncertainty. This DNBR uncertainty, combined with the DNBR limit, establishes a design DNBR value which must be met in unit safety analyses and is used to determine the pressure
and temperature Safety Limit (SL). Si nce the parameter uncertainties are considered in determining the design DNBR value, the unit safety analyses are performed using values of input parameters without uncertainties.
Therefore, nominal operating values for reactor coolant flow are used in the accident analyses.
The unit is designed to operate with all RCS loops in operation to maintain DNBR above the limit during all nor mal operations and anticipated transients. By ensuring heat transfer in the nucleate boiling region,
adequate heat transfer is provided be tween the fuel cladding and the reactor coolant.RCS Loops-MODES1 and2 satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThe purpose of this LCO is to require an adequate forced flow rate for core heat removal. Flow is represented by the number of RCPs in operation for removal of heat by the SGs. To meet safety analysis acceptance criteria for DNBR, three pumps are required at rated power.
An OPERABLE RCS loop consists of an OPERABLE RCP in operation providing forced flow for heat transport and an OPERABLE SG.APPLICABILITYIn MODES1 and2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in ope ration in these MODES to prevent DNB and core damage.
The decay heat production rate is much lower than the full power heat rate.
As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical MODES as indicated by the LCOs for MODES3, 4, and5.
RCS Loops-MODES 1 and 2 B 3.4.4BASESNorth Anna Units 1 and 2B 3.4.4-3Revision 0 Operation in other MODES is covered by:LCO3.4.5, "RCS Loops-MODE3";LCO3.4.6, "RCS Loops-MODE4";
LCO3.4.7, "RCS Loops-MODE5, Loops Filled";
LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled";
LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).ACTIONSA.1 If the requirements of the LCO are not met, the Required Action is to reduce power and bring the unit to MODE3. This lowers power level and
thus reduces the core heat removal ne eds and minimizes the possibility of violating DNBR limits.The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from fu ll power conditions in an orderly manner and without challenging safety systems.SURVEILLANCE REQUIREMENT
SSR3.4.4.1 This SR requires verification that each RCS loop is in operation. Verification includes flow rate, temp erature, or pump status monitoring, which help ensure that forced fl ow is providing heat removal while maintaining the margin to the DNBR limit. The Surveillance Frequency is
based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.4.4-4Revision 0 RCS Loops-MODES 1 and 2 B 3.4.4BASES North Anna Units 1 and 2B 3.4.5-1Revision 0 RCS Loops-MODE 3 B 3.4.5B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.5RCS Loops-MODE3BASESBACKGROUNDIn MODE3, the primary function of the reactor coolant is removal of decay heat and transfer of this heat
, via the steam generator (SG), to the secondary plant fluid. The secondary f unction of the reactor coolant is to act as a carrier for solubl e neutron poison, boric acid.
The reactor coolant is circulated through three RCS loops, connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protect ion, and indication. The reactor vessel contains the clad fuel. The SGs provi de the heat sink. The RCPs circulate the water through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage.In MODE3, RCPs are used to provide fo rced circulation for heat removal during heatup and cooldown. The MODE3 decay heat removal requirements are low enough that a single RCS loop with one RCP running is sufficient to remove core decay heat. However, two RCS loops are required to be OPERABLE to ensure redundant capability for decay heat removal.APPLICABLE SAFETY ANALYSESWhenever the reactor trip breakers (R TBs) are in the closed position and the control rod drive mechanisms (CRDMs) are energized, an inadvertent
rod withdrawal from subcri tical, resulting in a power excursion, is possible.
Such a transient could be caused by a malfunction of the rod control system.Therefore, in MODE3 with RTBs in the closed position and Rod Control System capable of rod withdrawal, accidental control rod withdrawal from subcritical is postulated and requi res at least one RCS loop to be OPERABLE and in operation to ensure that the accident analyses limits are met.Failure to provide decay heat removal may result in chal lenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates (continued)
North Anna Units 1 and 2B 3.4.5-2Revision 0 RCS Loops-MODE 3 B 3.4.5BASESAPPLICABLE SAFETY ANALYSES(continued) to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the in tegrity of a fission product barrier.RCS Loops-MODE3 satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe purpose of this LCO is to requi re that at least two RCS loops be OPERABLE and one of those loops be in operation. One RCS loop in operation is necessary to ensure remova l of decay heat from the core and homogenous boron concentration throughout the RCS. An additional RCS loop is required to be OPERABLE to ensure redundant capability for decay
heat removal.The Note permits all RCPs to be removed from operation for 1hour per 8hour period. The purpose of the Note is to permit pump swap operations and tests that are designed to valida te various accident analyses values.
One of these tests is validation of th e pump coastdown curve used as input to a number of accident analyses includi ng a loss of flow accident. This test is generally performed in MODE3 during the initial startup testing program, and as such should only be performed once. If, however, changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values of the coastdown curve may be revalidated by conducting the test again.
Another test that may be performed during the startup testing program is the vali dation of rod drop times during cold conditions, both with and without flow.
The no flow test may be performed in MODE3, 4, or5 and requires that the pumps be stopped for a short period of time. The Note permits the stopping of the pumps in order to pe rform this test and validate the assumed analysis values. As with the validation of the pump coastdown curve, this test should be performed only once unless the flow
characteristics of the RCS are changed. The 1hour time period specified is adequate to perform the pump swap or the desired tests, and operating
experience has shown that boron stratification is not a problem during this short period with no forced flow.
(continued)
RCS Loops-MODE 3 B 3.4.5BASESNorth Anna Units 1 and 2B 3.4.5-3Revision 28 LCO(continued)
Utilization of the Note is permitted provided the following conditions are met, along with any other conditions imposed by initial startup test procedures:a.No operations are permitted th at would dilute the RCS boron concentration with coolant at boron concentrations less than required to ensure the SDM of LCO3.1.1, thereby maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less
than required to assure the SDM is maintained is prohibited because a uniform concentration distribut ion throughout the RCS cannot be ensured when in natural circulation; andb.Core outlet temperature is maintained at least 10F below saturation temperature, so that no vapor bubbl e may form and possibly cause a natural circulation flow obstruction.
An OPERABLE RCS loop consists of one OPERABLE RCP and one OPERABLE SG, which has the minimum water level specified in SR3.4.5.2. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.APPLICABILITYIn MODE3, this LCO ensures forc ed circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing.
Operation in other MODES is covered by:LCO3.4.4, "RCS Loops-MODES1 and 2";LCO3.4.6, "RCS Loops-MODE4";
LCO3.4.7, "RCS Loops-MODE5, Loops Filled";
LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled";
LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).ACTIONSA.1 If one required RCS loop is inoperabl e, redundancy for heat removal is lost. The Required Action is restor ation of the required RCS loop to OPERABLE status within the Completion (continued)
North Anna Units 1 and 2B 3.4.5-4Revision 28 RCS Loops-MODE 3 B 3.4.5BASESACTIONSA.1 (continued)Time of 72hours. This time allowance is a justified peri od to be without the redundant, nonoperating loop because a single loop in operation has a heat transfer capability greater than that needed to remove the decay heat
produced in the reactor core and because of the low probability of a failure in the remaining loop occu rring during this period.
B.1If restoration is not possible within 72hours, the unit must be brought to MODE4. In MODE4, the unit may be placed on the Residual Heat
Removal System. The additional Completion Time of 12hours is compatible with required operations to achieve cooldown and
depressurization from the existing unit conditions in an orderly manner and without challenging unit systems.
C.1, C.2, and C.3If two required RCS loops are inoperable or a required RCS loop is not in operation, except as during conditions permitted by the Note in the LCO section, place the Rod Control System in a condition incapable of rod withdrawal (e.g., all CRDMs must be de-energized by opening the RTBs or de-energizing the MG sets). All operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO3.1.1 must be suspended, and action to restore one of the RCS loops to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing, and opening the RTBs or de-energizing the MG sets removes the possibility of an inadvertent rod withdrawal. Suspen ding the introduction of coolant into
the RCS of coolant with boron concentr ation less than requi red to meet the minimum SDM of LCO3.1.1 is require d to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.
RCS Loops-MODE 3 B 3.4.5BASESNorth Anna Units 1 and 2B 3.4.5-5Revision 46SURVEILLANCE REQUIREMENT
SSR3.4.5.1 This SR requires verification that the required loops are in operation. Verification includes flow rate, temp erature, and pump status monitoring, which help ensure that forced fl ow is providing heat removal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.5.2SR3.4.5.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side narrow range water level is 17% for required RCS loops. If the SG secondary side narrow range water level is <
17%, the tubes may become uncovered and the associated loop may not be ca pable of providing the heat sink for removal of the decay heat. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.5.3Verification that the required RCP is OPERABLE ensures that safety analyses limits are met. The requireme nt also ensures that an additional RCP can be placed in ope ration, if needed, to main tain decay heat removal and reactor coolant circulation. Veri fication is performed by verifying proper breaker alignment and power availability to the required RCP. The
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that states the SR is not required to be performed until 24hours after a re quired pump is not in operation.REFERENCESNone.
Intentionally Blank North Anna Units 1 and 2B 3.4.6-1Revision 0 RCS Loops-MODE 4 B 3.4.6B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.6RCS Loops-MODE4BASESBACKGROUNDIn MODE4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam generator (SG) secondary side coolant or the compone nt cooling water via the residual heat removal (RHR) heat exchange rs. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.
The reactor coolant is circulated through three RCS loops connected in parallel to the reactor vessel, each loop containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protecti on, and indication. The RCPs circulate
the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and to prevent boric acid stratification.In MODE4, either RCPs or RHR loops can be used to provide forced circulation. The intent of this LCO is to provide forced flow from at least one RCP or one RHR loop for decay heat removal and transport. The flow provided by one RCP loop or RHR l oop is adequate for decay heat removal. The other intent of this LC O is to require that two paths be OPERABLE to provide redundancy for decay heat removal.APPLICABLE SAFETY ANALYSESIn MODE4, RCS circulation is considered in the determination of the time available for mitigation of the accide ntal boron dilution event. The RCS and RHR loops provide this circulation.RCS Loops-MODE4 satisfies Criterion 4 of 10CFR 50.36(c)(2)(ii).LCOThe purpose of this LCO is to require that at least two loops be OPERABLE in MODE4 and that one of these loops be in operation. The
LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS loops and RHR loops. Any one loop in operation
provides enough flow to (continued)
North Anna Units 1 and 2B 3.4.6-2Revision 0 RCS Loops-MODE 4 B 3.4.6BASESLCO(continued) remove the decay heat from the core with forced circulation. An additional loop is required to be OPERABLE to provide redundancy for heat removal.Note1 permits all RCPs or RHR pumps to be removed from operation for 1hour per 8hour period. The purpose of the Note is to permit pump swap operations and tests that are de signed to validate various accident analyses values. One of the tests which may be performed during the startup testing program is the vali dation of rod drop times during cold conditions, both with and without flow.
The no flow test may be performed in MODE3, 4, or5 and requires that the pumps be stopped for a short
period of time. The Note permits th e stopping of the pumps in order to perform this test and validate the assu med analysis values. If changes are made to the RCS that would cause a ch ange to the flow characteristics of the RCS, the input values may be re validated by conducting the test again. The 1hour time period is adequate to perform the pump swap or test, and operating experience has shown that bor on stratification is not a problem during this short period with no forced flow.Utilization of Note1 is permitted provided the following conditions are met along with any other conditions imposed by initial startup test procedures:a.No operations are permitted that would dilute the RCS boron concentration with coolan t at boron concentrations less than required to meet the SDM of LCO3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less
than required to assure the SDM is maintained is prohibited because a uniform concentration distribut ion throughout the RCS cannot be ensured when in natural circulation; andb.Core outlet temperature is maintained at least 10F below saturation temperature, so that no vapor bubbl e may form and possibly cause a natural circulation flow obstruction.Note2 requires that the secondary side water temperature of each SG be 50F above each of the RCS cold leg te mperatures before the start of an RCP with any RCS cold leg temperature (continued)
RCS Loops-MODE 4 B 3.4.6BASESNorth Anna Units 1 and 2B 3.4.6-3Revision 28 LCO(continued)280F. This restraint is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started.
An OPERABLE RCS loop is comprised of an OPERABLE RCP and an OPERABLE SG, which has the minimum water level specified in SR3.4.6.2.
Similarly for the RHR System, an OP ERABLE RHR loop is comprised of an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger. RCPs and RHR pumps are
OPERABLE if they are capable of be ing powered and are able to provide forced flow if required.APPLICABILITYIn MODE4, this LCO ensures forc ed circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing. One loop of either RCS or RHR provides sufficient circulation for these purposes. However, two loops consisting of any combination of RCS and RHR loops are required to be OPERABLE to provide redundancy for heat
removal.Operation in other MODES is covered by:
LCO3.4.4, "RCS Loops-MODES1 and2";LCO3.4.5, "RCS Loops-MODE3";
LCO3.4.7, "RCS Loops-MODE5, Loops Filled";
LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled";
LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).ACTIONSA.1 If one required loop is inoperable, redundancy for heat removal is lost.
Action must be initia ted to restore a second RCS or RHR loop to OPERABLE status. The immediate Completion Time reflects the importance of maintaining the availabi lity of two paths for heat removal.
North Anna Units 1 and 2B 3.4.6-4Revision 0 RCS Loops-MODE 4 B 3.4.6BASESACTIONS(continued)
A.2If restoration is not accomplished and an RHR loop is OPERABLE, the unit must be brought to MODE5 within 24hours. Bringing the unit to MODE5 is a conservative action with regard to decay heat removal. With only one RHR loop OPERABLE, redundanc y for decay heat removal is lost and, in the event of a loss of the remaining RHR loop, it would be safer to initiate that loss from MODE5 rather than MODE4. The Completion Time of 24hours is a reasonable time
, based on operating experience, to reach MODE5 from MODE4 in an orderly manner and without challenging unit systems.
This Required Action is modified by a Note which indicates that the unit must be placed in MODE 5 only if an RHR loop is OPERABLE. With no RHR loop OPERABLE, the unit is in a condition with only limited cooldown capabilities. Therefore, the ac tions are to be concentrated on the restoration of an RHR loop, rather th an a cooldown of extended duration.
B.1 and B.2 If two required loops are inoperable or a required loop is not in operation, except during conditions permitted by Note1 in the LCO section, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO3.1.1 must be suspended and action to restore one RCS or RHR loop to OPERABLE status and operation must be initiated. The required margin to criticality must not be reduced in th is type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however
coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Times reflect the importance of maintaining operation for
decay heat removal. The action to restore must be continued until one loop is restored to OPERAB LE status and operation.
RCS Loops-MODE 4 B 3.4.6BASESNorth Anna Units 1 and 2B 3.4.6-5Revision 46SURVEILLANCE REQUIREMENT
SSR3.4.6.1 This SR requires verification that the required RCS or RHR loop is in operation. Verification includes flow rate, temperature, or pump status
monitoring, which help ensure that fo rced flow is providing heat removal.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.6.2SR3.4.6.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side narrow range water level is 17%. If the SG secondary side narrow range water level is <17%, the tubes may become uncovered and the associated loop may not be capable of providing the heat sink necessary for removal of
decay heat. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.SR3.4.6.3Verification that the required pump is OPERABLE ensures that an additional RCS or RHR pump can be pl aced in operation, if needed, to maintain decay heat rem oval and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pump. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that states the SR is not required to be performed until 24hours after a re quired pump is not in operation.REFERENCESNone.
Intentionally Blank North Anna Units 1 and 2B 3.4.7-1Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.7RCS Loops-MODE5, Loops FilledBASESBACKGROUNDIn MODE5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer this heat either to the steam generator (SG) sec ondary side coolant via na tural circulation (Ref. 1) or the component cooling water via the residual heat removal (RHR) heat exchangers. While the principal means for decay heat removal is via
the RHR System, the SGs via natural circulation (Ref.1) ar e specified as a backup means for redundancy. Even though the SGs cannot produce steam in this MODE, they are capable of being a heat sink due to their large contained volume of secondary water.
As long as the SG secondary side water is at a lower temperature than th e reactor coolant, heat transfer will occur. The rate of heat transfer is directly proportional to the temperature difference. The secondary function of the reactor coolant is to act as a
carrier for soluble ne utron poison, boric acid.In MODE5 with RCS loops filled, th e reactor coolant is circulated by means of two RHR loops connected to the RCS, each loop containing an RHR heat exchanger, an RHR pump, a nd appropriate flow and temperature
instrumentation for control, prot ection, and indication. One RHR pump circulates the water through the RCS at a sufficient rate to prevent boric acid stratification.
The number of loops in operation can vary to suit the operational needs.
The intent of this LCO is to provide forced flow from at least one RHR loop for decay heat removal and tran sport. The flow provided by one RHR loop is adequate for decay heat removal. The other in tent of this LCO is to require that a second path be availa ble to provide redundancy for heat removal.The LCO provides for redundant paths of decay heat removal capability.
The first path can be an RHR l oop that must be OPERABLE and in operation. The second path can be another OPERABLE RHR loop or maintaining a SG with secondary side water level of at least 17% using narrow range instrumentation to provide an alternate method for decay heat removal via natural circulation (Ref. 1).APPLICABLE SAFETY ANALYSESIn MODE5, RCS circulation is considered in the determination of the time available for mitigation of the accide ntal boron dilution event. The RHR loops provide this circulation.RCS Loops-MODE5 (Loops Filled
) satisfies Criterion 4 of 10CFR50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.4.7-2Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7BASESLCOThe purpose of this LCO is to require that at least one of the RHR loops be OPERABLE and in operation with an additional RHR loop OPERABLE or a SG with secondary side water level 17% using narrow range instrumentation and the associated loop isolation valves open. One RHR loop provides sufficient forced circulation to perform the safety functions of the reactor coolant under these c onditions. An additi onal RHR loop is required to be OPERABLE to provi de redundancy for heat removal. However, if the standby RHR loop is not OPERABLE, an acceptable
alternate method is a SG with its secondary side water level 17% using narrow range instrumentation. Shoul d the operating RHR loop fail, the SG could be used to remove the decay heat via natural circulation.Note1 permits all RHR pumps to be removed from operation 1hour per 8hour period. The purpose of the Note is to permit pump swap operations and tests designed to validate various accident analyses values. One of the
tests performed during the startup test ing program is the validation of rod
drop times during cold conditions, both with and without flow. The no flow test may be performed in MODE3, 4, or5 and requires that the pumps be stopped for a short period of time. Th e Note permits stopping of the pumps in order to perform this test and vali date the assumed analysis values. If changes are made to the RCS that would cause a change to the flow
characteristics of the RCS, the input values must be revalidated by conducting the test again. The 1hour ti me period is adequate to perform the pump swap or test, and operati ng experience has shown that boron stratification is not likely during this short period with no forced flow.
(continued)
RCS Loops-MODE 5, Loops Filled B 3.4.7BASESNorth Anna Units 1 and 2B 3.4.7-3Revision 28 LCO(continued)Utilization of Note1 is permitted provided the following conditions are met, along with any other conditions imposed by initial startup test procedures:a.No operations are permitted th at would dilute the RCS boron concentration with coolant at boron concentrations less than required to meet the SDM of LCO3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure the SDM is maintained is prohibited because a uniform concentration distribut ion throughout the RCS cannot be ensured when in natural circulation; andb.Core outlet temperature is maintained at least 10F below saturation temperature, so that no vapor bubbl e may form and possibly cause a natural circulation flow obstruction.Note2 allows one RHR loop to be inoperable for a period of up to 2hours, provided that the other RHR loop is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable loop during the only time when such testing is safe and possible.Note3 requires that the secondary side water temperature of each SG be 50F above each of the RCS cold leg te mperatures before the start of a reactor coolant pump (RCP) with an RCS cold leg temperature 280F. This restriction is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started.Note4 provides for an orderly transition from MODE5 to MODE4 during a planned heatup by permitting rem oval of RHR loops from operation when at least one RCS loop is in ope ration. This Note provides for the transition to MODE4 where an RCS l oop is permitted to be in operation and replaces the RCS ci rculation function provide d by the RHR loops with circulation provided by an RCP.
RHR pumps are OPERABLE if they ar e capable of being powered and are able to provide flow if required. A SG can perform as a heat sink via natural circulation when it has an adequate water level and is OPERABLE.
North Anna Units 1 and 2B 3.4.7-4Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7BASESAPPLICABILITYIn MODE5 with the unisolated portion of the RCS loops filled, this LCO requires forced circulation of the reactor coolant to remove decay heat from the core and to provide pr oper boron mixing. One loop of RHR provides sufficient circulation for th ese purposes. However, one additional RHR loop is required to be OPERABLE, or the secondary side water level of at least one SG is required to be 17% with the associated loop isolation valves open.
Operation in other MODES is covered by:
LCO3.4.4, "RCS Loops-MODES1 and2";LCO3.4.5, "RCS Loops-MODE3";
LCO3.4.6, "RCS Loops-MODE4";
LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled";
LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).
If all RCS loops are isolated, an SG cannot be used for decay heat removal and RCS water inventory is substantially reduced. In this circumstance, LCO3.4.8 applies.ACTIONSA.1, A.2, B.1, andB.2 If one RHR loop is OPERABLE and th e required SG has secondary side water level <17%, redundancy for heat removal is lost. Action must be
initiated immediately to restore a second RHR l oop to OPERABLE status or to restore the required SG secondary side water level. Either Required Action will restore redundant heat removal paths. The immediate Completion Time reflects the importan ce of maintaining the availability of two paths for heat removal.
C.1 and C.2 If a required RHR loop is not in operation, except during conditions permitted by Note1 and Note4, or if no required RHR loop is OPERABLE, all operations involving intr oduction of coolant into the RCS with boron concentration less than re quired to meet the minimum SDM of LCO3.1.1 must be suspended and act ion to restore one RHR loop to OPERABLE status and operation must be initiated. Suspending the
introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of (continued)
RCS Loops-MODE 5, Loops Filled B 3.4.7BASESNorth Anna Units 1 and 2B 3.4.7-5Revision 46ACTIONSC.1 and C.2 (continued)LCO3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmi xed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Times reflect the importance of maintaining operation for heat removal.SURVEILLANCE
REQUIREMENT
SSR3.4.7.1 This SR requires verification that the required loop is in operation. Verification includes flow rate, temp erature, or pump status monitoring, which help ensure that forced fl ow is providing heat removal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.7.2Verifying that at least one SG is OPERABLE by ensuring its secondary side narrow range water level is 17% ensures an alternate decay heat removal method via natural circulati on in the event that the second RHR loop is not OPERABLE. If both RHR loops are OPERABLE, this Surveillance is not needed. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.7.3Verification that the required RHR pump is OPERABLE ensures that an additional pump can be placed in opera tion, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment a nd power available to the required RHR pump. If secondary side water level is 17% in at least one SG, this Surveillance is not needed. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that states the SR is not required to be performed until 24hours after a re quired pump is not in operation.REFERENCES1. NRC Information Notice 95-35, Degraded Ability of Steam Generators to Remove Decay Heat by Natural Circulation.
Intentionally Blank North Anna Units 1 and 2B 3.4.8-1Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.8RCS Loops-MODE5, Loops Not FilledBASESBACKGROUNDIn MODE5 with the RCS loops not filled, the primary function of the reactor coolant is the removal of decay heat generated in the fuel, and the transfer of this heat to the componen t cooling water via the residual heat removal (RHR) heat exchangers. The steam generators (SGs) are not available as a heat sink when the loops are not filled. The secondary function of the reactor coolant is to act as a carrier for the soluble neutron poison, boric acid.In MODE5 with loops not filled, only RHR pumps ca n be used for coolant circulation. The number of pumps in operation can vary to suit the operational needs. The intent of this LC O is to provide forced flow from at least one RHR pump for decay heat re moval and transport and to require that two paths be available to provide redundancy for heat removal.APPLICABLE SAFETY ANALYSESIn MODE5, RCS circulation is considered in the determination of the time available for mitigation of the accide ntal boron dilution event. The RHR loops provide this circulation. Th e flow provided by one RHR loop is adequate for heat removal and for boron mixing.RCS loops in MODE5 (loops not f illed) satisfies Criterion 4 of 10CFR50.36(c)(2)(ii).
LCOThe purpose of this LCO is to require that at least two RHR loops be OPERABLE and one of these loops be in operation. An OPERABLE loop is one that has the capability of transf erring heat from the reactor coolant at a controlled rate. Heat cannot be removed via the RHR System unless forced flow is used. A minimum of one running RHR pump meets the LCO requirement for one loop in operation.
An additional RHR loop is required to be OPERABLE to provide redundancy for heat removal.Note1 permits all RHR pumps to be removed from operation for 15minutes when switching from one loop to another.
The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and core outlet (continued)
North Anna Units 1 and 2B 3.4.8-2Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8BASESLCO(continued) temperature is maintained > 10F below saturation temperature. The Note prohibits boron dilution with coolant at boron concentrations less than required to assure the SDM of LCO3.1.1 is maintained or draining operations when RHR forced flow is stopped.Note2 allows one RHR loop to be inoperable for a period of 2hours, provided that the other loop is OPER ABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable loop during the only time when these tests are safe and possible.
An OPERABLE RHR loop is compri sed of an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger.
RHR pumps are OPERABLE if they are capable of being powered and are able to provide flow if required.APPLICABILITYIn MODE5 with the unisolated portion of the loops not filled, this LCO requires core heat removal and coolant circulation by the RHR System.
Operation in other MODES is covered by:LCO3.4.4, "RCS Loops-MODES1 and2";LCO3.4.5, "RCS Loops-MODE3";
LCO3.4.6, "RCS Loops-MODE4";
LCO3.4.7, "RCS Loops-MODE5, Loops Filled";
LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).
If all RCS loops are isolated, the RCS water inventory is substantially
reduced. In this circumstance, LCO3.4.8 applies whether or not the isolated loops are filled.ACTIONSA.1 If one required RHR loop is inopera ble, redundancy for RHR is lost. Action must be initiated to restore a second loop to OPERABLE status.
The immediate Completion Time reflects the importance of maintaining the availability of two paths for heat removal.
RCS Loops-MODE 5, Loops Not Filled B 3.4.8BASESNorth Anna Units 1 and 2B 3.4.8-3Revision 46ACTIONS(continued)
B.1 and B.2 If no required loop is OPERABLE or th e required loop is not in operation, except during conditions permitted by Note1, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO3.1.1 must be suspended and action must be initiated immediately to restore an RHR loop to OPERABLE status and operation. The required margin to criticality must not be reduced in this type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO3.1.1 is required to assure continued safe operation. With coolant added wi thout forced circulation, unmixed coolant could be introduced to the core, however c oolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal.
The action to restore must continue until one loop is restored to OPERABLE status and
operation.SURVEILLANCE
REQUIREMENT
SSR 3.4.8.1 This SR requires verification that the required loop is in operation. Verification includes flow rate, temp erature, or pump status monitoring, which help ensure that forced fl ow is providing heat removal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.4.8.2Verification that the required pump is OPERABLE ensures that an additional pump can be placed in opera tion, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment a nd power available to the required pump. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that states the SR is not required to be performed until 24hours after a re quired pump is not in operation.
North Anna Units 1 and 2B 3.4.8-4Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8BASESREFERENCESNone.
North Anna Units 1 and 2B 3.4.9-1Revision 0 Pressurizer B 3.4.9B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.9PressurizerBASESBACKGROUNDThe pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under satu rated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Key functions include maintaining require d primary system pressure during steady state operation, and limiting the pr essure changes caused by reactor coolant thermal expansion and contraction during normal load transients.The pressure control components addressed by this LCO include the pressurizer water level, the require d heaters, and their controls and emergency power supplies. Pressurizer safety valves and pressurizer power
operated relief valves are addressed by LCO3.4.10, "Pressurizer Safety Valves," and LCO3.4.11, "Pressurizer Power Operated Relief Valves (PORVs)," respectively.
The intent of the LCO is to ensure that a steam bubble exists in the pressurizer prior to power operation to minimize the consequences of
potential overpressure transients.
The presence of a steam bubble is consistent with analytical assump tions. Relatively small amounts of noncondensible gases can inhibit the condensation heat transfer between the pressurizer spray and the steam, and diminish the spray effectiveness for pressure control.Electrical immersion heaters, located in the lower section of the pressurizer vessel, keep the water in the pressu rizer at saturation temperature and maintain a constant operating pressure. There are 5 groups of pressurizer heaters. Groups 1, 2, 4, and 5 are ba ckup heaters. Group 3 consists of proportional heaters. Groups 1 and 4 are powered from the emergency
busses and are governed by this Specification. A minimum required available capacity of pressurizer heater s ensures that the RCS pressure can be maintained. The capability to mainta in and control system pressure is important for maintaining subcooled conditions in the RCS and ensuring the capability to remove core decay heat by either forced or natural circulation of reactor coolant. Unless ad equate heater capacity is available,
the hot, high pressure condition cannot be maintained indefinitely and (continued)
North Anna Units 1 and 2B 3.4.9-2Revision 0 Pressurizer B 3.4.9BASESBACKGROUND (continued) still provide the required subcooling margin in the primary system. Inability to control the system pressure and maintain subcooling under conditions of natural circul ation flow in the primary system could lead to a loss of single phase natural circulati on and decreased capability to remove core decay heat.APPLICABLE SAFETY ANALYSESIn MODES1, 2, and3, the LCO re quirement for a steam bubble is
reflected implicitly in the accident an alyses. Safety analyses performed for lower MODES are not limiting. All analyses performed from a critical reactor condition assume the existe nce of a steam bubble and saturated conditions in the pressurizer. In ma king this assumption, the analyses neglect the small fraction of nonc ondensible gases normally present.Safety analyses presented in the U FSAR (Ref. 1) do not take credit for pressurizer heater operation unless their operation would increase the severity of the event; however, an im plicit initial condition assumption of the safety analyses is that the pressure control system is maintaining RCS pressure in the normal operating range.The maximum pressurizer water level limit, which ensures that a steam bubble exists in the pressurizer, satisfies Criterion2 of 10CFR50.36(c)(2)(ii). Although the heat ers are not specifically used in accident analysis, the need to mainta in subcooling in th e long term during loss of offsite power, as indicated in NUREG-0737 (Ref.2), is the reason for providing an LCO.
LCOThe LCO requirement for the pressurizer to be OPERABLE with a water volume 1240 cubic feet, which is equivalent to 93%, ensures that a steam bubble exists. Limiting the LCO maximum operating water level
preserves the steam space for pres sure control. The LCO has been established to ensure the capability to establish and maintain pressure control for steady state operation a nd to minimize the consequences of potential overpressure tran sients. Requiring the pres ence of a steam bubble is also consistent with analytical assumptions.
The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity 125kW, capable of being powered from an emergency bus. The two heater groups are designated as (continued)
Pressurizer B 3.4.9BASESNorth Anna Units 1 and 2B 3.4.9-3Revision 0 LCO(continued)
Group 1 and Group 4. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insu lation. By maintaining the pressure
near the operating conditions, a wide margin to subcooling can be obtained in the loops. The exact design value of 125kW is derived from the use of seven heaters rated at 17.9kW each. The amount needed to maintain
pressure is dependent on the heat losses.APPLICABILITYThe need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature, resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, applicability has been designated for MODES1 and2. The applicability is also provided for MODE3. The purpose is to prevent solid water RCS operation during
heatup and cooldown to avoid rapid pressure rises caused by normal
operational perturbation, such as reactor coolant pump startup.In MODES1, 2, and3, there is need to maintain the availability of pressurizer heaters, capable of being powered from an emergency bus. In the event of a loss of offsite power, the initial conditions of these MODES give the greatest demand for maintaining the RCS in a hot pressurized
condition with loop subcooling for an extended period. Fo r MODE 4, 5, or 6, the need for pressurizer heaters supplied from an emergency bus to maintain pressure control is reduced because core heat is reduced, and has a correspondingly lower effect on pre ssurizer level and RCS pressure control. In addition, other mechanisms, such as the Residual Heat Removal (RHR) System and the Power Operated Relief Valves (PORVs) are
available to control RCS temperature and pressure should normal offsite power be lost.ACTIONSA.1, A.2, A.3 and A.4Pressurizer water level control malfunc tions or other unit evolutions may result in a pressurizer water level a bove the nominal upper limit, even with the unit at steady state conditions. Normal ly the unit will trip in this event since the upper limit of this LCO is the same as the Pressurizer Water Level-High Trip.
(continued)
North Anna Units 1 and 2B 3.4.9-4Revision 46 Pressurizer B 3.4.9BASESACTIONSA.1, A.2, A.3 and A.4 (continued)
If the pressurizer water level is not within the limit, action must be taken to bring the unit to a MODE in which the LCO does not apply. To achieve this status, within 6hours the unit must be brought to MODE3, with all rods fully inserted and incapable of withdrawal. Additionally, the unit must be brought to MODE4 within 12hours. This takes the unit out of the applicable MODES.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.
B.1If one required group of pressurizer h eaters is inoperable, restoration is required within 72hours. The Completion Time of 72hours is reasonable considering the anticipation that a demand caused by loss of offsite power would be unlikely in this period. Pr essure control may be maintained during this time using the remaining heaters.
C.1 and C.2 If one group of pressurizer heaters are inoperable and cannot be restored in the allowed Completion Time of Required ActionB.1, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR 3.4.9.1 This SR requires that during steady state operation, pressurizer level is maintained below the nom inal upper limit to provi de a minimum space for a steam bubble. The Surveillance is performed by observing the indicated level. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Pressurizer B 3.4.9BASESNorth Anna Units 1 and 2B 3.4.9-5Revision 46SURVEILLANCE REQUIREMENT
SSR 3.4.9.2 The SR is satisfied when the power supplies are demonstrated to be capable of producing the minimum power and the associated pressurizer
heaters are verified to be at thei r required rating. This may be done by testing the power supply output and by performing an electrical check on
heater element continuity and resistance. The Surveillance Frequency is
based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Chapter15.2.NUREG-0737, November1980.
Intentionally Blank North Anna Units 1 and 2B 3.4.10-1Revision 20Pressurizer Safety Valves B 3.4.10B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.10Pressurizer Safety ValvesBASESBACKGROUNDThe pressurizer safety valves provide, in conjunction with the Reactor Protection System, overpressure protec tion for the RCS. The pressurizer safety valves are totally enclosed pop type, spring loaded, self actuated valves with backpressure compensati on. The safety valves are designed to prevent the system pressure from ex ceeding the system Sa fety Limit (SL), 2735psig, which is 110% of the design pressure.
Because the safety valves are totally enclosed and self actuating, they are considered independent components. Th e relief capacity for each valve, 380,000lb/hr, is based on postulated overpressure transient conditions resulting from a complete loss of steam flow to the turbine, a locked reactor coolant pump rotor, and reactivity inse rtion due to contro l rod withdrawal.
The complete loss of steam flow is typically the limiting event. The limiting event results in the maximum surge rate into the pressurizer, which specifies the minimum relief capacity for the safety valves. The discharge
flow from the pressurizer safety valves is directed to the pressurizer relief tank. This discharge flow is indica ted by an increase in temperature downstream of the pressurizer safety valves, increase in the pressurizer relief tank temperature or level, or by the acoustic monitors located on the relief line.Overpressure protection is required in MODES1, 2, 3, 4, and5; however, in MODE4, with one or more RCS cold leg temperatures 280F, and MODE5 and MODE6 with the reactor vessel head on, overpressure
protection is provided by operating procedures and by meeting the requirements of LCO3.4.12, "Low Temp erature Overpressure Protection (LTOP) System."The safety valve pressure tolerance limit is expressed as an average value. The as-found error, expressed as a positiv e or negative percentage of each tested safety valve, is summed and divided by the number of valves tested.
This average as-found value is compared to the acceptable range of +2% to -3%. In addition, no single valve is allowed to be outside of +/-3%. The lift
setting is for the ambient conditions associated with MODES1, 2, and3. This requires (continued)
North Anna Units 1 and 2B 3.4.10-2Revision 8Pressurizer Safety Valves B 3.4.10BASESBACKGROUND (continued) either that the valves be set hot or that a correlation between hot and cold settings be established.The pressurizer safety valves are pa rt of the primary success path and mitigate the effects of postulated a ccidents. OPERABILITY of the safety valves ensures that the RCS pr essure will be limited to 110% of design pressure in accordance with ASME Code, SectionIII (Ref.1). The consequence of exceeding the ASME Code pressure limit could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses pr ior to resumption of reactor operation.APPLICABLE SAFETY ANALYSESAll accident and safety analyses in the UFSAR (Ref.2) that require safety valve actuation assume operation of three pressurizer safety valves to limit increases in RCS pressure. The overpressure protection analysis (Ref.3) is also based on operation of three safety valves. Accidents that could result in overpressurization if not properly terminated include:a.Uncontrolled rod withdrawal from full power;b.Loss of reactor coolant flow;c.Loss of external electrical load; d.Loss of normal feedwater;e.Loss of all AC power to station auxiliaries;f.Locked rotor; andg.Uncontrolled rod withdrawal from subcritical.
Description of the analyses of the above transients are contained in Reference2. Safety valve actuation is required in eventsa, c, f andg (above) to limit the pressure increase. Compliance with this LCO is consistent with the design bases a nd accident analyses assumptions.
Pressurizer safety valves satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).
Pressurizer Safety Valves B 3.4.10BASESNorth Anna Units 1 and 2B 3.4.10-3Revision 20 LCOThe three pressurizer safety valv es are set to open at the RCS design pressure (2485psig), and within the ASME specified tolerance, to avoid exceeding the maximum design pressure SL, to maintain accident analyses assumptions, and to comply with ASME requirements. The safety valve pressure tolerance limit is expressed as an average value. The as-found error, expressed as a positive or negative percentage of each tested safety
valve, is summed and divided by the num ber of valves tested. This average as-found value is compared to the acceptable range of +2% to -3%. In
addition, no single valve is allowed to be outside of +/-3%. The limit protected by this Specification is th e reactor coolant pressure boundary (RCPB) SL of 110% of design pressure. Inoperability of one or more valves could result in exceeding the SL if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, incr eased leakage, or additional stress analysis being required prior to resumption of reactor operation.APPLICABILITYIn MODES1, 2, and3, and portions of MODE4 above the LTOP enabling temperature, OPERABILITY of thr ee valves is required because the combined capacity is requi red to keep reactor coolant pressure below 110%
of its design value during certain accidents. MODE3 and portions of MODE4 are conservatively included, although the listed accidents may
not require the safety valves for protection.The LCO is not applicable in MODE4 when any RCS cold leg temperatures are 280F or in MODE5 because LTOP is provided.
Overpressure protection is not required in MODE6 with reactor vessel
head detensioned.The Note allows entry into MODES3 and4 with the lift settings outside the LCO limits. This permit s testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminar y cold setting. The cold setting gives
assurance that the valves are OPER ABLE near their de sign condition. This method of testing is not cu rrently used at North Anna
, but it is an accepted method. Only one valve at a time may be removed fr om service for testing. The 54hour exception is based on 18hour outage time for each of the three valves. The 18hour period is derived from industry experience that hot
testing can be performed in this timeframe.
North Anna Units 1 and 2B 3.4.10-4Revision 20Pressurizer Safety Valves B 3.4.10BASESACTIONSA.1With one pressurizer safety valve i noperable, restoration must take place within 15minutes. The Completion Time of 15minutes reflects the importance of maintaining the RCS Overpressure Protection System. An inoperable safety valve coincident wi th an RCS overpressure event could challenge the integrity of the pressure boundary.
B.1 and B.2 If the Required Action of A.1 ca nnot be met within the required Completion Time or if two or more pressurizer safety valves are inoperable, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status
, the unit must be brought to at least MODE3 within 6hours and to MODE4 with any RCS cold leg temperatures 280F within 24hours. The allowed Completion Times are reasonable, based on operating expe rience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems. With any RCS cold leg temp eratures at or below 280F, overpressure protection is provided by the LTOP System. The change from MODE1, 2, or3 to MODE4 reduces the RCS energy (core
power and pressure), lowers the potential for large pressurizer insurges,
and thereby removes the need fo r overpressure protection by three pressurizer safety valves.SURVEILLANCE
REQUIREMENT
SSR 3.4.10.1SRs are specified in the Inservice Testing Program. Pressurizer safety valves are to be tested in accordance with the requirements of the ASME Code (Ref.4), which provides the acti vities and Frequencies necessary to satisfy the SRs. No additiona l requirements are specified.The pressurizer safety valve lift setting given in the LCO is for OPERABILITY; however, the valves are reset to +/-1% during the Surveillance to allow for drift.REFERENCES1.ASME, Boiler and Pressure Vessel Code, SectionIII.2.UFSAR, Chapter15.3.WCAP-7769, Rev.1, June 1972.
Pressurizer Safety Valves B 3.4.10BASESNorth Anna Units 1 and 2B 3.4.10-5Revision 0REFERENCES (continued)4.ASME Code for Operation and Maintenance of Nuclear Power Plants.
Intentionally Blank North Anna Units 1 and 2B 3.4.11-1Revision 0Pressurizer PORVsB 3.4.11B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.11Pressurizer Power Operated Relief Valves (PORVs)BASESBACKGROUNDThe pressurizer is equipped with two types of devices for pressure relief: pressurizer safety valves and PORVs. The PORVs are air or nitrogen operated valves that are controlled to open at a set pressure when the pressurizer pressure increases and cl ose when the pressurizer pressure decreases. The PORVs may also be manually operated from the control room.Block valves, which are normally open, are located between the pressurizer and the PORVs. The block valves are used to isolate the PORVs in case of excessive leakage or a stuck open PORV. Block valve closure is accomplished manually using controls in the control room. A stuck open PORV is, in effect, a small break lo ss of coolant accident (LOCA). As such, block valve closure terminates the RCS depressurization and coolant inventory loss.The PORVs and their associated bl ock valves may be used by unit operators to depressurize the RCS to recover from certain transients if normal pressurizer spray is not available. Additionally, the series arrangement of the PORVs and their bl ock valves permit performance of surveillances on the valv es during power operation.The PORVs may also be used for feed and bleed core cooling in the case of
multiple equipment failure events that are not within the design basis, such as a total loss of feedwater.The PORVs, their block valves, and their controls are powered from the emergency buses that normally receive power from offsite power sources, but are also capable of being powered from emergency power sources in the event of a loss of offsite power. The PORVs are air operated valves and normally are provided motive force by the Instrument Air System. A backup, nitrogen supply for the PORVs is also available. Two PORVs and their associated block valves are power ed from two separate safety trains (Ref.1).The unit has two PORVs, each having a relief capacity of 210,000lb/hr at 2335psig. The functional design of the PORVs is based on maintaining
pressure below the Pressurizer (continued)
North Anna Units 1 and 2B 3.4.11-2Revision 0Pressurizer PORVsB 3.4.11BASESBACKGROUND (continued)
Pressure-High reactor trip setpoint following a step reduction of 50% of full load with steam dump. In addition, the PORVs mi nimize challenges to the pressurizer safety valves and also may be used for low temperature overpressure protection (LTOP). See LCO3.4.12, "Low Temperature Overpressure Protection (LTOP) System."APPLICABLE SAFETY ANALYSESUnit operators employ the PORVs to depressurize the RCS in response to
certain unit transients if normal pressurizer spray is not available. For the Steam Generator Tube Rupture (SGTR) event, the safety analysis assumes that manual operator actions are required to mitigate the event. A loss of offsite power is assume d to accompany the event, and thus, normal pressurizer spray is unavailable to reduce RCS pressure. The PORVs are
assumed to be used for RCS depressu rization, which is one of the steps performed to equalize th e primary and secondary pressures in order to terminate the primary to secondary break flow and the radioactive releases from the affected steam generator.The PORVs are also modeled in safety analyses for events that result in increasing RCS pressure for which departure from nucleate boiling ratio (DNBR) criteria are critical (Ref.2). By assuming PORV actuation, the primary pressure remains below the high pressurizer pressure trip setpoint; thus, the DNBR calculation is more conser vative. As such, this actuation is not required to mitigate these events, and PORV automatic operation is, therefore, not an assumed safety function.Pressurizer PORVs satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe LCO requires the PORVs and thei r associated block valves to be OPERABLE for manual operation to mitigate the effects associated with an SGTR.
By maintaining two PORVs and their associated block valves OPERABLE, the single failure criteri on is satisfied. An OPERABLE block valve may be either open and energized with the capability to be closed, or closed and energized with the capabili ty to be opened, since the required safety function is accomplished by manual operation. Although typically open to allow PORV operation, the block valves may be OPERABLE when closed to isolate the flow path of an inoperable PORV (continued)
Pressurizer PORVsB 3.4.11BASESNorth Anna Units 1 and 2B 3.4.11-3Revision 0 LCO(continued) that is capable of being manually cycl ed (e.g., as in the case of excessive PORV leakage). Similarly, isolation of an OPERABLE PORV does not render that PORV or block valve i noperable provided the relief function remains available with manual action.An OPERABLE PORV is required to be capable of manually opening and closing, and not experiencing excessive seat leakage. Excessive seat leakage, although not associated with a specific acceptance criteria, exists when conditions dictate closure of the block valve to limit leakage to within LCO3.4.13, "RCS Operational Leakage."
Satisfying the LCO helps minimize ch allenges to fission product barriers.APPLICABILITYIn MODES1, 2, and3, the PORVs and their associated block valves are required to be OPERABLE to limit th e potential for a small break LOCA through the flow path and for manual operation to mitigate the effects associated with an SGTR. The PORVs are also required to be OPERABLE in MODES1, 2, and3 for manual actuation to mitigate an SGTR event.
Imbalances in the energy output of the core and heat removal by the
secondary system can cause the RCS pressure to increase to the PORV opening setpoint. The most rapid in creases will occur at the higher operating power and pressure conditions of MODES1 and2.
Pressure increases are less prominent in MODE3 because the core input energy is reduced, but the RCS pressu re is high. Therefore, the LCO is applicable in MODES1, 2, and3. The LCO is not applicable in MODES4, 5, and6 with the reactor vessel head in place when both pressure and core energy are decreased and the pressure surges become much less significant.
LCO3.4.12 addresses the PORV requirements in these MODES.ACTIONSNote1 has been added to clarify that all pressurizer PORVs are treated as separate entities, each with separate Completion Times (i.e., the Completion Time is on a component basis).
North Anna Units 1 and 2B 3.4.11-4Revision 0Pressurizer PORVsB 3.4.11BASESACTIONS(continued)
A.1The PORVs are provided normal moti ve force by the Instrument Air system and have a backup nitrogen supply. If the backup nitrogen supply is inoperable, the PORVs are still capable of being manually cycled provided the Instrument Air system is available. The Instrument Ai r system is highly reliable and the likelihood of its being unavailable during a demand for PORV actuation is low enough to justify a 14 day Completion Time for
return of the backup nitroge n supply to OPERABLE status.
B.1PORVs may be inoperable and capable of being manually cycled (e.g.,
excessive seat leakage). In this Condition, either the PORVs must be
restored or the flow path isolated within 1hour. The associated block valve
is required to be closed, but power must be maintained to the associated block valve, since removal of pow er would render the block valve inoperable. This permits operation of the unit until the next refueling outage (MODE6) so that maintenance can be performed on the PORVs to eliminate the problem condition.Quick access to the PORV for pressure control can be made when power remains on the closed block valve. The Completion Time of 1hour is based on unit operating experience that has shown that minor problems can be corrected or closure accompl ished in this time period.
C.1, C.2, and C.3If one PORV is inoperable and not capable of being manually cycled, it
must be either restored, or isolated by closing the associated block valve and removing the power to the associ ated block valve. The Completion Time of 1hour is reasonable, based on challenges to the PORVs during this time period, and provides the operato r adequate time to correct the situation. If the inoperable valve cannot be restored to being capable of being manually cycled (permitting en try into Condition B), or OPERABLE status, it must be isolated within the specified time. Because there is one PORV that remains OPERABLE, an additional 72hours is provided to restore the inoperable PORV to OPERABLE status. If the PORV cannot be restored within this addi tional time, the unit must be brought to a MODE in which the LCO does not apply, as required by ConditionE.
Pressurizer PORVsB 3.4.11BASESNorth Anna Units 1 and 2B 3.4.11-5Revision 0ACTIONS(continued)
D.1 and D.2If one block valve is inoperable, then it is necessary to either restore the block valve to OPERABLE status within the Completion Time of 1hour or place the associated PORV in manual control. The prime importance for the capability to close the block valve is to isolate a stuck open PORV.
Therefore, if the block valve cannot be restored to OPERABLE status within 1hour, the Required Action is to place the PORV in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. The Completion Time of 1hour is reasonable, based on the small potential for challenges to the system during this time period, and provides the operator time to correct the situation. Becau se at least one PORV remains OPERABLE, the operator is permitted a Completion Time of 72hours to restore the inoperable block valve to OPERABLE status.
The time allowed to restore the block valve is based upon the Completion Time for restoring an inoperable PORV in ConditionC, since the PORVs
may not be capable of mitigating an ev ent if the inoperable block valve is not full open. If the block valve is restored within the Completion Time of 72hours, the PORV may be restored to automatic operation. If it cannot be restored within this addi tional time, the unit must be brought to a MODE in which the LCO does not apply, as required by ConditionE.The Required ActionsD.1 andD.2 are m odified by a Note stating that the Required Actions do not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with another Required Action. In this event, the Required Actions for inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address the condition. While it may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of ConditionC entry with PORV(s) inoperable and not capable of being manually cycled (e.g., as a result of failed control power fuse(s) or control switch malfunction(s).)
E.1 and E.2If the Required Action of ConditionA, B, C, orD is not met, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE4 within (continued)ACTIONSE.1 and E.2 (continued)12hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE4, automatic PORV OPERABILITY is required. See LCO3.4.12.
North Anna Units 1 and 2B 3.4.11-6Revision 0Pressurizer PORVsB 3.4.11BASESF.1 and F.2If more than one PORV is inoperabl e and not capable of being manually cycled, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasonable, base d on operating experience, to reach the required unit conditions from full power conditions in an orderly
manner and without challenging unit systems. In MODE4, automatic PORV OPERABILITY is required. See LCO3.4.12.G.1If two block valves are inoperable, it is necessary to restore at least one block valve within 2hours. The Completion Time is reasonable, based on the small potential for challenges to the system during this time and provide the operator time to correct the situation.The Required ActionG.1 is modified by a Note stating that the Required Action does not apply if the sole reas on for the block valve being declared inoperable is as a result of power being removed to comply with another Required Action. In this event, the Required Action for inoperable PORV (which requires the block valve power to be removed once it is closed) is adequate to address the condition. While it may be desirable to also place the PORV in manual control, this ma y not be possible fo r all causes of ConditionC entry with PORV inope rable and not capable of being manually cycled (e.g., as a result of fa iled control power fuse(s) or control switch malfunction(s)).
H.1 and H.2If the Required Actions of ConditionG are not met, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at (continued)
Pressurizer PORVsB 3.4.11BASESNorth Anna Units 1 and 2B 3.4.11-7Revision 46ACTIONSH.1 and H.2 (continued)least MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power c onditions in an orderly manner and without challenging unit systems. In MODE4, automatic PORV OPERABILITY is required. See LCO3.4.12.SURVEILLANCE
REQUIREMENT
SSR3.4.11.1SR3.4.11.1 requires verification that the pressure in the PORV backup nitrogen system is sufficient to provide motive force for the PORVs to cope
with a steam generator tube rupture coin cident with loss of the containment Instrument Air system. The Surveilla nce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.11.2 Block valve cycling verifies that the valve(s) can be opened and closed if needed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.
This SR is modified by two Notes. Note1 modifies this SR by stating that it is not required to be performe d with the block valve closed, in accordance with the Required Actions of this LCO. Opening the block valve in this condition increases the risk of an unisolable leak from the RCS since the PORV is already inoperable.Note2 modifies this SR to allow entry into and operation in MODE3 prior to performing the SR. This allows the test to be performed in MODE3 under operating temperature and pressure conditions, prior to entering MODE1 or2.SR3.4.11.3SR3.4.11.3 requires a complete cycle of each PORV. Operating a PORV through one complete cycle ensures that the PORV can be manually
actuated for mitigation of an SGTR. This testing is performed in MODES3 or4 to prevent possible RCS pressure transients with th e reactor critical.
(continued)
Pressurizer PORVsB 3.4.11BASESNorth Anna Units 1 and 2B 3.4.11-8Revision 46SURVEILLANCE REQUIREMENT
SSR3.4.11.3 (continued)
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.The Note modifies this SR to allow entry into and operation in MODE3 prior to performing the SR. This allo ws the test to be performed in MODE3 under operating temperature and pressure conditions, prior to entering MODE1 or2.SR3.4.11.4 Operating the solenoid control valves and check valves on the accumulators ensures the PORV cont rol system actuates properly when called upon. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.REFERENCES1.Regulatory Guide1.32, February1977.2.UFSAR, Section15.4.3.ASME Code for Operation and Maintenance of Nuclear Power Plants.
North Anna Units 1 and 2B 3.4.12-1Revision 20LTOP System B 3.4.12B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.12Low Temperature Overpressure Protection (LTOP) SystemBASESBACKGROUNDThe LTOP System controls RCS pressure at low temperatures so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the LTOP System design basis pressure and temperature (P/T) limit curve (i.e., 100%
of the isothermal P/T limit curve determined to satisfy the requirements of 10CFR50, AppendixG, Ref.1).
The reactor vessel is th e limiting RCPB component for demonstrating such protection. This specification provi des the maximum allowable actuation logic setpoints for the power operated relief valves (PORVs) and LCO3.4.3, "RCS Pressure and Temper ature (P/T) Limits," provides the maximum RCS pressure for the existi ng RCS cold leg temperature during cooldown, shutdown, and heatup to meet the Reference1 requirements during the LTOP MODES.
The reactor vessel material is less tough at low temp eratures than at normal operating temperature. As the vessel neutron exposure accumulates, the material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref.2). RCS pressu re, therefore, is maintained low at low temperatures and is increased only as temperature is increased.
The potential for vessel overpressurization is most acute when the RCS is water solid, occurring only while s hutdown; a pressure fluctuation can occur more quickly than an operato r can react to relieve the condition.
Exceeding the RCS P/T limits by a signi ficant amount could cause brittle cracking of the reactor vessel. LCO3.4.3, "RCS Pressure and Temperature (P/T) Limits," requires administrati ve control of RCS pressure and temperature during heatup and cool down to prevent exceeding the P/T limits.This LCO provides RCS overpressure protection by limiting coolant input capability and having adequate pressure relief capacity. Limiting coolant input capability requires a ll but one low head safety injection (LHSI) pump and one charging pump incapable of injection into the RCS and isolating the accumulators when accumulator pressure is greater than the PORV lift setting. The pressure relief capacity requires either two redundant RCS PORVs or a depressurized RCS and an (continued)
North Anna Units 1 and 2B 3.4.12-2Revision 0LTOP System B 3.4.12BASESBACKGROUND (continued)RCS vent of sufficient size. One RCS PORV or the open RCS vent is the overpressure protection device that acts to terminate an increasing pressure event.With limited coolant input capability, the ability to provide core coolant addition is restricted. Th e LCO does not require th e makeup control system deactivated or the safety injection (S I) actuation circuits blocked. Due to the lower pressures in the LTOP MODE S and the expected core decay heat levels, the makeup system can provide adequate flow via the makeup control valve. If conditions require the use of more than one LHSI and charging pump for makeup in the event of loss of inventory, then pumps
can be made available through manual actions.The LTOP System for pressure relief consists of two PORVs with reduced lift settings, or a depressurized RCS and an RCS vent of sufficient size. Two RCS PORVs are required for redundancy. One RCS PORV has
adequate relieving capability to keep from overpressurization for the required coolant input capability.PORV RequirementsAs designed for the LTOP System, each PORV is signaled to open if the RCS pressure exceeds a limit determined by the LTOP actuation logic. The LTOP actuation logic monitors both RCS temperature and RCS pressure and determines when a condition is not acceptable. The wide range RCS temperature indications are auctioneered to select the lowest temperature signal.The lowest temperature signal is pass ed to a comparator circuit which determines the pressure limit for that temperature. The pressure limit is then compared with the indicated RCS pressure from a wi de range pressure channel. If the indicated pressure meets or exceeds the calculated value, the PORVs are signaled to open.The PORV setpoints are staggered so only one valve opens to stop a low temperature overpressure transient. If the opening of the first valve does not prevent a further increase in pre ssure, a second valve will open at its higher pressure setpoint to stop the tr ansient. Having the setpoints of both valves within the limits in the LCO ensures that the LTOP System design basis P/T limit curve will not be exceeded in any analyzed event.
(continued)
LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-3Revision 26BACKGROUNDPORV Requirements (continued)When a PORV is opened in an increasing pressure transient, the release of coolant will cause the pressure increase to slow and reverse. As the PORV releases coolant, the RCS pressure decreases until a reset pressure is reached and the valve is signaled to close. The pressure continues to decrease below the reset pressure as the valve closes.RCS Vent Requirements Once the RCS is depressurized, a ve nt exposed to the containment atmosphere will maintain the RCS within the LTOP design basis P/T limit curve in an RCS overpressure transient, if the relieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path
must be capable of relieving the flow resulting from the limiting LTOP mass or heat input transient, and ma intaining pressure below the LTOP System design basis P/T limit curve.
The required vent capacity may be provided by one or more vent paths.For an RCS vent to meet the flow capacity requirement, it requires either removing a pressurizer safety valve, or blocking open a PORV and opening its block valve, or similarly establ ishing a vent by opening an RCS vent valve. The vent path(s) must be above th e level of reactor c oolant, so as not to drain the RCS when open.APPLICABLE SAFETY ANALYSESSafety analyses (Ref.3) demonstrate that the reactor vessel is adequately protected against exceeding the LTOP System design basis P/T limit curve (i.e., 100% of the isothermal P/T limi t curve determined to satisfy the requirements of 10CFR50, AppendixG, Ref.1). In MODES1, 2, and3, and in MODE4 with RCS cold leg temperature exceeding 280&deg;F, the
pressurizer safety valves will prev ent RCS pressure from exceeding the Reference1 limits. At 280&deg;F and below, overpressure prevention falls to two OPERABLE RCS PORVs or to a depressurized RCS and a sufficient
sized RCS vent. Each of these means has a limited overpressure relief capability.
The RCS cold leg temperature below which LTOP protection must be provided increases as the reactor ve ssel material toughness decreases due to neutron embrittlement. Each time the P/T curves are revised, the LTOP System must be (continued)
North Anna Units 1 and 2B 3.4.12-4Revision 0LTOP System B 3.4.12BASESAPPLICABLE SAFETY ANALYSES(continued)re-evaluated to ensure its functional requirements can still be met using the PORV method or the depressuri zed and vented RCS condition.
The LCO contains the acceptance limits that define the LTOP requirements. Any change to the RCS must be evaluated against the Reference3 analyses to determine the impact of the change on the LTOP
acceptance limits.Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transi ents, examples of which follow:Mass Input Type Transientsa.Inadvertent safety injection; orb.Charging/letdown flow mismatch.Heat Input Type Transientsa.Reactor coolant pump (RCP) startup with temperature asymmetry between the RCS and steam generators.
The following are required during the LTOP MODES to ensure that mass and heat input transients do not occur, which either of the LTOP overpressure protection means cannot handle:a.Rendering all but one LHSI pump and one charging pump incapable of injection;b.Deactivating the accumulator discharge isolation valves in their closed positions when accumulator pressure is greater than the PORV lift setting; andc.Disallowing start of an RCP if secondary temperature is more than 50F above primary temperature in any one loop. LCO3.4.6, "RCS Loops-MODE4," and LCO3.4.7, "RCS Loops-MODE5, Loops
Filled," provide this protection.The Reference3 analyses demonstrate that either one PORV or the depressurized RCS and RCS vent can maintain RCS pressure below limits when only one LHSI pump and one charging pump are actuated. Thus, the LCO allows only one LHSI pump and one charging pump OPERABLE during the LTOP MODES. The (continued)
LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-5Revision 20APPLICABLE SAFETY ANALYSESHeat Input Type Transients (continued)Reference3 analyses do not explicitly model actuation of the LHSI pump, since the RCS pressurization resulting from inadvertent safety injection by a single charging pump against a water-solid RCS would not be made more severe by such actuation. Since the LTOP analyses assume that the accumulators do not cause a mass addition transient, when RCS temperature is low, the LCO also requi res the accumulators to be isolated when accumulator pressure is greater than the PORV lift setting. The isolated accumulators must have their discharge valves closed and the
valve power supply breakers fixed in their open positions.Fracture mechanics analyses established the temperature of LTOP Applicability at 280F.The consequences of a small break lo ss of coolant accident (LOCA) in LTOP MODE4 conform to 10CFR50.46 (Ref.4), requirements by having a maximum of one LHSI pump and one charging pump OPERABLE.PORV PerformanceThe fracture mechanics analyses show that the vessel is protected when the PORVs are set to open at or below the allowable values shown in the LCO.
The setpoint allowable values are derived by analyses that model the performance of the LTOP System, assuming the limiting LTOP transient of one charging pump injecting into the RCS. These analyses consider pressure overshoot beyond the PORV ope ning and closing, resulting from signal processing and valve stroke times. The PORV setpoints at or below the derived value ensure the RCS pressure at the reactor vessel beltline will not exceed the LTOP design P/T limit curve.The PORV setpoint allowable values ar e evaluated when the P/T limits are modified. The P/T limits ar e periodically modified as the reactor vessel material toughness decreases due to neutron embrittlement caused by neutron irradiation. Revised limits ar e determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO3.4.3 discuss these examinations.
The PORVs are considered active co mponents. Thus, the failure of one PORV is assumed to represent the worst case, single active failure.
North Anna Units 1 and 2B 3.4.12-6Revision 20LTOP System B 3.4.12BASESAPPLICABLE SAFETY ANALYSES(continued)RCS Vent PerformanceWith the RCS depressurized, analyses show a vent size of 2.07square inches is capable of mitigating the allowed LTOP overpressure transient.
(A vent size of 2.07 square inches is th e equivalent relief capacity of one PORV.) The capacity of a vent this size is greater than the flow of the limiting transient for the LTOP c onfiguration, one LHSI pump and one charging pump OPERABLE, maintaining RCS pressure less than the LTOP design basis P/T limit curve.
The RCS vent size is re-evaluated for compliance each time the P/T limit curves are revised based on the results of the vessel material surveillance.
The RCS vent is passive and is not subject to active failure.
The LTOP System satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThis LCO requires that the LTOP System is OPERABLE. The LTOP System is OPERABLE when the mi nimum coolant input and pressure relief capabilities are OPERABLE. Viol ation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the LTOP System design basis P/T limit curve (i
.e., 100% of the isot hermal P/T limit curve determined to satisfy the requirements of 10CFR50, AppendixG, Ref.1) as a result of an operational transient.To limit the coolant input capability, the LCO requires a maximum of one LHSI pump and one charging pump capable of injecting into the RCS and all accumulator discharge isolation valves closed with power removed from the isolation valve operator, wh en accumulator pres sure is greater than the PORV lift setting.The LCO is modified by two Notes. Note1 allows two charging pumps to be made capable of injection for 1hour during pump swap operations. One hour provides sufficient time to safe ly complete the actual transfer and to complete the administrative cont rols and Surveillance requirements associated with the swap. The intent is to minimize the actual time that more than one charging pump is physically capable of injection.
(continued)
LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-7Revision 20 LCO(continued)Note2 states that accumulator isolation is only required when the accumulator pressure is more than the PORV lift setting.
This Note permits the accumulator discharge isolation valves to be open if the accumulator cannot challenge the LTOP limits.The elements of the LCO that pr ovide low temperature overpressure mitigation through pressure relief are:
a.Two OPERABLE PORVs; orA PORV is OPERABLE for LTOP when its block valve is open, its lift setpoint is set to the limits provi ded in the LCO and testing proves its ability to open at this setpoint, and backup nitrogen motive power is available to the PORVs a nd their control circuits.b.A depressurized RCS and an RCS vent.
An RCS vent is OPERABLE when open with an area of 2.07square inches.Each of these methods of overpressure prevention is capable of mitigating the limiting LTOP transient.APPLICABILITYThis LCO is applicable in MODE4 when any RCS cold leg temperature is 280F, in MODE5, and in MODE6 when the reactor vessel head is on.
The pressurizer safety valves provide overpressure protection that meets the Reference1 P/T limits above 280F. When the reactor vessel head is off, overpressurization cannot occur.
LCO3.4.3 provides the operational P/T limits for all MODES. LCO3.4.10, "Pressurizer Safety Valves
," requires the OPERABILITY of the pressurizer safety valves that provide overpressure protection during MODES1, 2, and3, and MODE4 above 280&deg;F.
Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input tran sient can cause a very rapid increase in RCS pressure wh en little or no time allows operator action to mitigate the event.
North Anna Units 1 and 2B 3.4.12-8Revision 20LTOP System B 3.4.12BASESACTIONSA.1 and B.1With more than one LHSI pump and one charging pump capable of injecting into the RCS, RCS ove rpressurization is possible.To immediately initiate ac tion to restore restricted coolant input capability to the RCS reflects the urgency of removing the RCS from this condition.
C.1, C.2, D.1, and D.2 An unisolated accumulator requires isolation immediately.
Power available to an accumulator isolation valve operator must be removed in one hour. These ACTIONS are modified by a Note which states the Condition only applies if the accumulator pressure is more than the PORV lift setting.
If isolation is needed and cannot be accomplished, Required ActionD.1 and Required ActionD.2 pr ovide two options, either of which must be performed in the next 12hours. By increasing the RCS temperature to >280&deg;F, the LCO is no longer Applicable. Depressurizing the accumulators below the PORV lift setting also exits the Condition.The Completion Times are based on op erating experience that these activities can be accomplished in th ese time periods and on engineering judgement indicating that an event requiring LTOP is not likely in the allowed times.
E.1In MODE4 when any RCS co ld leg temperature is 280F, with one RCS PORV inoperable, the RCS PORV must be restored to OPERABLE status within a Completion Time of 7days. Two PORVs are required to provide low temperature overpressure miti gation while withstanding a single failure of an active component.The Completion Time considers the facts that only one of the PORVs is required to mitigate an overpressure tran sient and that the likelihood of an active failure of the remaining valve pa th during this time period is very low.
LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-9Revision 0ACTIONS(continued)F.1The consequences of operational events that will overpressurize the RCS are more severe at lower temperature (Ref.5). Thus, with one of the two RCS PORVs inoperable in MODE5 or in MODE6 with the head on, the Completion Time to restore two valves to OPERABLE status is 24hours.The Completion Time represents a r easonable time to investigate and repair PORV failures without exposur e to a lengthy period with only one OPERABLE RCS PORV to protect against overpressure events.G.1The RCS must be depressurized and a vent must be established within 12hours when:
a.Both required RCS PORVs are inoperable; orb.A Required Action and associated Completion Time of ConditionA, B, D, E, orF is not met; orc.The LTOP System is inoperable for any reason other than ConditionA, B, C, D, E, orF.
The vent must be sized 2.07square inches to ensure that the flow capacity is greater than that required for the worst case mass input transient reasonable during the applic able MODES. This action is needed to protect the RCPB from a low temperature overpressure even t and a possible brittle failure of the reactor vessel.The Completion Time considers the time required to place the unit in this Condition and the relatively low proba bility of an overpressure event during this time period due to increased operator awareness of administrative control requirements.SURVEILLANCE
REQUIREMENT
SSR3.4.12.1, SR3.4.12.2, and SR3.4.12.3To minimize the potential for a lo w temperature overpressure event by limiting the mass input capability, a maximum of one LHSI pump and a maximum of one charging pump are verified (continued)
North Anna Units 1 and 2B 3.4.12-10 Revision 46LTOP System B 3.4.12BASESSURVEILLANCE REQUIREMENT
SSR3.4.12.1, SR3.4.12.2, and SR3.4.12.3 (continued)incapable of injecting into the RCS and the accumulator discharge isolation valves are verified closed with pow er removed from the isolation valve operator.SR3.4.12.3 is modified by a Note stati ng that the verification is only required when accumulator pressure is greater than the PORV lift setting. With accumulator pressure less than the PORV lift setting, the accumulator cannot challenge the LTOP limits and the isolation valves are allowed to be open.
The LHSI pumps and charging pumps are rendered incapable of injecting into the RCS through removing the power from the pumps by racking the breakers out under administ rative control. An alternate method of LTOP control may be employed using at least two independent means to prevent a pump start such that a single failure or single action will not result in an
injection into the RCS. This ma y be accomplished through the pump control switch being placed in pull to lock and at least one valve in the discharge flow path being closed.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.12.4 The RCS vent of 2.07square inches is pr oven OPERABLE by verifying its open condition either:
a.Once every 12hours for a valve that is not locked.b.The Surveillance Frequency for lo cked valves is based on operating experience, equipment reliability, a nd plant risk and is controlled under the Surveillance Fre quency Control Program.The passive vent arrangement must only be open to be OPERABLE. This Surveillance is required to be performed if the vent is being used to satisfy the pressure relief requirements of the LCO3.4.12b.
LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-11Revision 46SURVEILLANCE REQUIREMENT
S(continued)
SR 3.4.12.5The PORV block valve must be verified open every 72hours to provide the flow path for each required PORV to perform its function when actuated.
The valve may be remotely verified open in the main control room. In addition, the PORV keyswitch must be ve rified to be in the proper position to provide the appropriated trip setpoints to the PORV actuation logic. This Surveillance is performed if the PORV is used to satisfy the LCO.
The block valve is a remotely contro lled, motor operated valve. The power to the valve operator is not require d removed, and the manual operator is not required locked in the inactive position. Thus, the block valve can be closed in the event the PORV develops excessive leakage or does not close (sticks open) after relieving an overpressure situation.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.12.6SR3.4.12.6 requires verification that the pressure in the PORV backup nitrogen system is sufficient to provide motive force for the PORVs to cope with an overpressure event. The Surveillance Frequency is based on
operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.12.7Performance of a COT is required on each required PORV to verify the PORV is capable of performing its LTOP function and, as necessary, adjust its lift setpoint. A successful test of the required contac t(s) of a channel relay may be performed by the verifica tion of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The COT will verify the setpoint is within the al lowed maximum limits in this specification. PORV actuation could depressurize the (continued)
North Anna Units 1 and 2B 3.4.12-12 Revision 46LTOP System B 3.4.12BASESSURVEILLANCE REQUIREMENT
SSR 3.4.12.7 (continued)
RCS and is not required. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
A Note has been added indicating that this SR is not required to be performed until 12hours after entering a condition in which the PORV is required to be OPERABLE. The Note allows entering the LTOP
Applicability prior to performing the SR. The 12-hour frequency considers the unlikelihood of a low temperature overpressure even t during this time.SR3.4.12.8Performance of a CHANNEL CALIBRATION on each required PORV
actuation channel is required to adjust the whole channel so that it responds and the valve opens within the requi red range and accur acy to known input.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.10CFR50, AppendixG.2.Generic Letter88-11.3.UFSAR, Section5.2.2.2.
4.10CFR50, Section50.46.
5.Generic Letter90-06.
North Anna Units 1 and 2B 3.4.13-1Revision 0RCS Operational LEAKAGE B 3.4.13B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.13RCS Operational LEAKAGEBASESBACKGROUNDComponents that cont ain or transport the coolan t to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational
wear or mechanical deterioration.
The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of
LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.General Design Criteria3 (Ref.1), requi res means for dete cting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide1.45 (Ref.2) describe s acceptable methods for selecting leakage detection systems.The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing
them to take corrective action should a l eak occur that is detrimental to the safety of the facility and the public.A limited amount of leakage inside cont ainment is expected from auxiliary systems that cannot be made 100% le aktight. Leakage from these systems should be detected, loca ted, and isolated from th e containment atmosphere, if possible, to not interfere with RCS leakage detection.
This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the co re from inadequate cooling, in addition to preventing the accident an alyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).
North Anna Units 1 and 2B 3.4.13-2Revision 28RCS Operational LEAKAGE B 3.4.13BASESAPPLICABLE SAFETY ANALYSESExcept for primary to secondary LEA KAGE, the safety analyses do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect
the probability of such an event. The safety analysis for an event resulting in steam discharge to the atmosphere assumes that primary to secondary LEAKAGE from all steam generators (SGs) is one gallon per minute or increases to one gallon per minute as a result of accident induced conditions. The LCO requirement to limit primary to secondary LEAKAGE through any one SG to less than or equal to 150gallons per
day is significantly less than the condi tions assumed in the safety analysis.
Primary to secondary LEAKAGE is a f actor in the dose releases outside containment resulting from a main steam line break (MSLB) accident.
Other accidents or transients involve secondary steam release to the atmosphere, such as a steam generato r tube rupture (SGTR). The leakage contaminates the secondary fluid.The UFSAR (Ref.3) analysis for SGTR assumes the contaminated secondary fluid is released via power operated relief valves or safety
valves. The source term in the primary system coolant is transported to the affected (ruptured) steam generator by the break flow. The affected steam generator discharges steam to the environment for 30minutes until the generator is manually isolated. The 1gpm primary to secondary LEAKAGE transports the source term to the unaffected steam generators. Releases continue through the unaff ected steam generators until the Residual Heat Removal Syst em is placed in service.The MSLB is less limiting for site radiation releases than the SGTR. The safety analysis for the MSLB ac cident assumes 1 gpm primary to secondary LEAKAGE as an initial condition. The dose consequences resulting from the MSLB and SGTR accidents are within the limits defined in the staff approved licensing basis.The RCS operational LEAKAGE satisfies Criterion2 of 10CFR50.36(c)(2)(ii).
RCS Operational LEAKAGE B 3.4.13BASESNorth Anna Units 1 and 2B 3.4.13-3Revision 28 LCORCS operational LEAKAGE shall be limited to:a.Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not
pressure boundary LEAKAGE.b.Unidentified LEAKAGE One gallon per minute (gpm) of unide ntified LEAKAGE is allowed as a reasonable minimum detectable am ount that the containment air monitoring and containment sump level monitoring equipment can
detect within a reasonable time pe riod. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.c.Identified LEAKAGEUp to 10gpm of identified LEAKAGE is considered allowable because
LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System. Identified LEAKAGE includes LEAKAGE to the
containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled reactor coolant pump (RCP) seal leakoff (a nor mal function not considered LEAKAGE). Violation of this LC O could result in continued degradation of a component or system.d.Primary to Secondary LEAKAGE through Any One SGThe limit of 150gallons per day pe r SG is based on the operational LEAKAGE performance criterion in NEI97-06, Steam Generator Program Guidelines (Ref.4). The Steam Generator Program operational LEAKAGE performance criterion in NEI97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150gallons per day." The limit is based on operating experience with SG tube degradation mechanisms that result in tube leakage. The operational leakage (continued)
North Anna Units 1 and 2B 3.4.13-4Revision 28RCS Operational LEAKAGE B 3.4.13BASESLCOd.Primary to Secondary LEAKAGE through Any One SG (continued) rate criterion in conjunction with the implementation of the Steam Generator Program is an effect ive measure for minimizing the frequency of steam generator tube ruptures.APPLICABILITYIn MODES1, 2, 3, and4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.In MODES5 and6, LEAKAGE limits ar e not required because the reactor coolant pressure is far lower, resu lting in lower stresses and reduced potentials for LEAKAGE.
LCO3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leak tight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.ACTIONSA.1Unidentified LEAKAGE or identified LEAKAGE in excess of the LCO limits must be reduced to within limits within 4hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must
be shut down. This action is necessary to prevent further deterioration of the RCPB.
B.1 and B.2 If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within li mit, or if unidentified LEAKAGE, or identified LEAKAGE, cannot be reduced to within limits within 4hours, the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential conseque nces. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. The reactor must be brought to MODE3 within (continued)
RCS Operational LEAKAGE B 3.4.13BASESNorth Anna Units 1 and 2B 3.4.13-5Revision 28ACTIONSB.1 and B.2 (continued)6hours and MODE5 within 36hours. This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE5, the pressure stresses acting on the RCPB are much lower, and further deterioration is much less likely.SURVEILLANCE
REQUIREMENT
SSR 3.4.13.1Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintain ed. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE and can only be positively identified by inspection. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance.
The RCS water inventory ba lance must be met with the reactor at steady state operating conditions (s table temperature, power level, pressurizer and makeup tank levels, makeup and let down, and RCP seal injection and return flows). The surveillance is modified by two Notes. Note1 states that this SR is not required to be performed until 12hours after establishing steady state operation. The 12hour allowance provides sufficient time to collect and process all necessary data after stable pl ant conditions are established.Steady state operation is required to perform a proper inventory balance since calculations during maneuvering are not usef ul. For RCS operational LEAKAGE determination by water inve ntory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and let down, and RCP seal injection and return flows.
An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and (continued)
North Anna Units 1 and 2B 3.4.13-6Revision 46RCS Operational LEAKAGE B 3.4.13BASESSURVEILLANCE REQUIREMENT
SSR 3.4.13.1 (continued)the containment sump level. It should be noted that LEAKAGE past seals
and gaskets is not pressure boundary LEAKAGE. These leakage detection systems are specified in LCO3.4.15, "RCS Leakage Detection
Instrumentation."Note2 states that this SR is not applicable to primary to secondary LEAKAGE because LEAKAGE of 150 gallons per day cannot be measured accurately by an RCS water inventory balance.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.13.2 This SR verifies that primary to se condary LEAKAGE is le ss than or equal to 150gallons per day through any one SG. Satisfying the primary to secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Gene rator Program is met. If this SR is not met, compliance with LCO3.4.20, "Steam Generator Tube Integrity," should be evaluated. The 150gallons pe r day limit is measured at room temperature as described in Reference5. The operational LEAKAGE rate
limit applies to LEAKAGE through any one SG. If it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary LEAKAGE should be conservatively assumed to be from one SG.The Surveillance is modified by a Note, which states that the Surveillance is not required to be performed until 12hours after establishment of steady state operation. For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup ta nk levels, makeup and letdown, and RCP seal injection and return flows.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The primary to secondary LEAKAGE is
determined using continuous process radiation moni tors or radiochemical grab sampling in accordance with the EPRI guidelines (Ref.5).
RCS Operational LEAKAGE B 3.4.13BASESNorth Anna Units 1 and 2B 3.4.13-7Revision 28REFERENCES1.UFSAR, Section3.1.26.2.Regulatory Guide1.45, May 1973.3.UFSAR, Chapter15.
4.NEI97-06, "Steam Generator Program Guidelines."
5.EPRI, "Pressurized Water Reactor Primary-to-Secondary Leak Guidelines."
Intentionally Blank North Anna Units 1 and 2B 3.4.14-1Revision 0 RCS PIV Leakage B 3.4.14B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.14RCS Pressure Isolation Valve (PIV) LeakageBASESBACKGROUND10CFR50.2, 10CFR50.55a(c), and General Design Criteria55 (Refs.1, 2, and3), define RCS PIVs as any two normally closed valves in series within the reactor coolant pressure boundary (RCPB), which separate the high pressure RCS from an attach ed low pressure system. The 1975 Reactor Safety Study, WA SH-1400, (Ref. 4) identi fied intersystem LOCAs as a significant contributor to the risk of core melt. The study considered
designs containing two in-series chec k valves and two check valves in series with an MOV which isolate the high pressure RCS from the low
pressure safety injection system. The sc enario considered is a failure of the two check valves leading to overpr essurization and rupture of the low pressure injection piping which results in a LOCA that bypasses containment. A letter was issued (R ef. 5) by the NRC requiring plants to describe the PIV configuration of the plant. On April 20, 1981, the NRC
issued an Order modifying the North Anna Unit 1 Technical Specifications to include testing requirements on PI Vs and to specify the PIVs to be tested. The original North Anna 2 Technical Specifications, dated August 21, 1980, included a list of PIVs required to be tested and described the required testing. The valves required to be leak tested by this Specification are listed in Tables B 3.4.14-1 (Unit1) and B 3.4.14-2 (Unit 2).During their lives, these valves can produce varying amounts of reactor
coolant leakage through either norma l operational wear or mechanical deterioration. The RCS PIV Leakag e LCO allows RCS high pressure
operation when leakage through these valves exists in amounts that do not compromise safety.The PIV leakage limit applies to each individual valve to which the LCO applies. Leakage through both series PIVs in a line must be included as part of the identified LEAKAGE, governed by LCO3.4.13, "RCS Operational LEAKAGE." This is true during opera tion only when the loss of RCS mass through two series valves is determ ined by a water inventory balance (SR3.4.13.1). A known component of th e identified LEAKAGE before operation begins is the leas t of the two individual leak rates determined for leaking series PIVs during the (continued)
North Anna Units 1 and 2B 3.4.14-2Revision 0 RCS PIV Leakage B 3.4.14BASESBACKGROUND (continued) required surveillance testing; leakage measured through one PIV in a line is not RCS operational LEAKAGE if the other is leaktight.Although this specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overp ressure failure of the low pressure portions of connecting systems. The leakage limit is an indication that the PIVs between the RCS and the connecting systems are degraded or degrading. PIV leakage could lead to overpressure of the low pressure
piping or components. Failure conseque nces could be a loss of coolant accident (LOCA) outside of contai nment, an unanalyzed accident, that could degrade the ability for low pressure injection.Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.APPLICABLE SAFETY ANALYSESReference4 identified potential intersystem LOCAs as a significant contributor to the risk of core melt. The dominan t accident sequence in the intersystem LOCA category is the failur e of the low pressure portion of the ECCS low pressure injection system ou tside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the RCPB, and the subsequent pressurization of the ECCS low pressure injection system downstream of the PIVs from the RCS. Because the low pressure portion of the system is not designed for RCS pressure, overpressurization failure of the low pressure line would result in a LOCA outside containment and subsequent risk of core melt.
RCS PIV leakage satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).
LCOThe RCS PIVs required to be leak tested are listed in TablesB3.4.14-1 (Unit 1) and B3.4.14-2 (Unit 2).
RCS PIV leakage is identified LEAK AGE into closed systems connected to the RCS. Isolation valve leakage is usually on the order of drops per minute. Leakage that increases signifi cantly suggests that something is operationally wrong and correc tive action must be taken.
(continued)
RCS PIV Leakage B 3.4.14BASESNorth Anna Units 1 and 2B 3.4.14-3Revision 0 LCO(continued)The LCO PIV leakage limit is 0.5gpm pe r nominal inch of valve size with a maximum limit of 5gpm. The previous criterion of 1gpm for all valve sizes imposed an unjustified penalty on the larger valves without providing information on potential valve degradat ion and resulted in higher personnel radiation exposures. A study concluded a leakage ra te limit based on valve size was superior to a single allowable value.Reference6 permits leakage testing at a lower pressure differential than between the specified maximum RCS pr essure and the normal pressure of the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressure will tend to diminish the overall l eakage channel opening. In such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential to the one half power.APPLICABILITYIn MODES1, 2, 3, and4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized. In MODE4, any valves in the RHR flow path that are required to be tested are not required to meet the requirements of this LCO when in, or during the transition to or from, the RHR mode of operation.In MODES5 and6, leakage limits are not provided because the lower reactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment.ACTIONSThe Actions are modified by two Notes. Note1 provides clarification that each flow path allows separate entry into a Condition. This is allowed based upon the functional independence of the flow path. Note2 requires an evaluation of affected systems if a PIV is inoperable. The leakage may have affected system operability, or isolation of a le aking flow path with an alternate valve may have degraded the ability of the interconnected system to perform its safety function.
North Anna Units 1 and 2B 3.4.14-4Revision 46 RCS PIV Leakage B 3.4.14BASESACTIONS(continued)
A.1Required ActionA.1 requires that RCS PIV leakage be restored to within limit within 4hours. Four hours provides time to reduce leakage in excess of the allowable limit. The 4hour Completion Time allows the actions and restricts the operation with leaking isolation valves.
B.1 and B.2 If leakage cannot be redu ced the unit must be brou ght to a MODE in which the requirement does not apply. To ach ieve this status, the unit must be brought to MODE3 within 6hours and MODE5 within 36hours. This Action may reduce the leakage and also reduces the potential for a LOCA outside the containment. The allowed Completion Times are reasonable based on operating experience, to reach the required unit conditions from full power conditions in an orderl y manner and without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.4.14.1 Performance of leakage testing on the affected RCS PIV or isolation valve used to satisfy Required ActionA.1 is required to verify that leakage is below the specified limit and to identify each leaking valve. The leakage limit of 0.5gpm per inch of nominal valve diameter up to 5gpm maximum applies to each valve. Le akage testing requires a st able pressure condition. Leakage may be measured indirectly (a s from the performance of pressure indicators) to satisfy ALARA require ments if supported by calculations verifying that the method is capabl e of demonstrating valve compliance with the leakage criteria.For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage te sted, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situati on, the protection provided by redundant valves would be lost.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
(continued)
RCS PIV Leakage B 3.4.14BASESNorth Anna Units 1 and 2B 3.4.14-5Revision 46SURVEILLANCE REQUIREMENT
SSR3.4.14.1 (continued)
The Frequency is within frequency allowed by the American Society of Mechanical Engineers (ASME) Code (Ref.6).
In addition, testing must be performe d once after the valve has been opened by flow or exercised to ensure tight reseating. PIVs disturbed in the performance of this Surveillance should also be tested unless documentation shows that an infinite testing loop cannot practically be avoided. Testing must be performed within 24hours after the valve has been reseated. Within 24hours is a reasonable and practical time limit for performing this test after opening or reseating a valve.The leakage limit is to be met at the RCS pressure associated with MODES1 and2. This permits leakage testing at high differential pressures with stable conditions not possible in the MODES wi th lower pressures. If testing cannot be performed at these pr essures, testing can be performed at lower pressures and scaled to operating pressure.Entry into MODES3 and4 is allowed if needed to establish the necessary differential pressures and stable conditions to allow for performance of this Surveillance. The Note that allows th is provision is complementary to the Frequency of prior to entry into MODE2 whenever the unit has been in MODE5 for 7days or more, if leakage testing has not been performed in the previous 9months. In addition, this Surveillance is not required to be performed on any RCS PIVs in the RH R System flow path when the RHR System is aligned to the RCS in the shutdown cooling mode of operation.
PIVs contained in the RHR shutdown cool ing flow path that are required to be tested must be leakage rate tested after RHR is secu red and stable unit conditions and the necessary differ ential pressures are established.REFERENCES1.10CFR50.2.2.10CFR50.55a(c).3.UFSAR, Section 3.1.48.1.
North Anna Units 1 and 2B 3.4.14-6Revision 0 RCS PIV Leakage B 3.4.14BASESREFERENCES (continued)4.WASH-1400 (NUREG-75/014), AppendixV, October 1975.5.Letter from D. G. Eisenhut, NRC, to all LWR licensees, LWR Primary Coolant System Pressure Isolation Valves, February23,1980.6.ASME Code for Operation and Main tenance of Nuclear Power Plants.7.10CFR50.55a(g).
North Anna Units 1 and 2B 3.4.14-7Revision 0 RCS PIV Leakage B 3.4.14TableB 3.4.14-1 (page1 of1)
Unit 1 RCS PIVS Required To Be Tested VALVEFUNCTION1-SI-83Low Head Safety Injection to Cold Legs-Loop 11-SI-195Low Head Safety Injection to Cold Legs-Loop 11-SI-86Low Head Safety Injection to Cold Legs-Loop 21-SI-197Low Head Safety Injection to Cold Legs-Loop 2 1-SI-89Low Head Safety Injection to Cold Legs-Loop 31-SI-199Low Head Safety Injection to Cold Legs-Loop 3 North Anna Units 1 and 2B 3.4.14-8Revision 0 RCS PIV Leakage B 3.4.14TableB 3.4.14-2 (page 1 of 1)
Unit 2 RCS PIVS Required To Be Tested ValveFunction2-SI-85High head safety injection to cold legs and hot legs 2-SI-93High head safety injection to cold legs and hot legs 2-SI-107High head safety injection to cold legs and hot legs 2-SI-119High head safety injection to cold legs and hot legs MOV-2836High head safety injection off charging headerMOV-2869A, BHigh head safety injection off charging headerMOV-2867C, DBoron injection tank outlet valves
2-SI-91Low head safety injection to cold legs 2-SI-99Low head safety injection to cold legs 2-SI-105Low head safety injection to cold legs 2-SI-126Low head safety injection to hot legs 2-SI-128Low head safety injection to hot legs2-SI-151Accumulator discharge check valves2-SI-153Accumulator discharge check valves2-SI-168Accumulator discharge check valves2-SI-170Accumulator discharge check valves2-SI-185Accumulator discharge check valves2-SI-187Accumulator discharge check valves MOV-2700RHR system isolation valves MOV-2701RHR system isolation valvesMOV-2720A, BRHR system isolation valvesMOV-2890A, B, C, & DLow head safety injection to cold legs and hot legs North Anna Units 1 and 2B 3.4.15-1Revision 47RCS Leakage Detection Instrumentation B 3.4.15B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.15RCS Leakage Detection InstrumentationBASESBACKGROUNDUFSAR, Chapter3 (Ref.1) requires compliance with Regulatory Guide1.45, Revision0 (Ref.2). Regulatory Guide1.45, Revision0 describes acceptable methods for sele cting RCS leakage detection systems.Leakage detection systems must have the capability to detect significant reactor coolant pressure boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential fo r propagation to a gross failure. Thus, an early indication or warning signal in the control room is necessary to permit proper evaluati on of all unidentified LEAKAGE. In addition to meeting the OPERABILITY requirements, the monitors are typically set to provide the most se nsitive response without causing an excessive number of spurious alarms.
These leakage detection methods or systems differ in sensitivity and response time.
The containment sump used to co llect unidentified LEAKAGE includes two sump level monitors that provide level indication. The "A"train level indicator provides input to a calculated discharge flow rate determined by the plant computer. Either level indi cation or the calculated containment sump discharge flow rate is accep table for detecting increases in
unidentified LEAKAGE.The reactor coolant contains radioact ivity that, when released to the containment, may be detected by ra diation monitoring instrumentation.
Radioactivity detection systems are included for monitoring both particulate and gaseous activities beca use of their sensitivities and rapid responses to RCS LEAKAGE. One C ontainment Air Recirculation Fan (CARF) provides enough air flow for the operation of the radiation detectors.
(continued)
North Anna Units 1 and 2B 3.4.15-2Revision 47RCS Leakage Detection Instrumentation B 3.4.15BASESBACKGROUND (continued)Air temperature and pressure monitoring methods may also be used to infer unidentified LEAKAGE to the containm ent. Containment temperature and pressure fluctuate slightly during unit operation, but a rise above the
normally indicated range of values may indicate RCS leakage into the
containment. The relevance of temperature and pressure measurements are affected by containment free volume and, for temperature, detector location. Alarm signals from these instruments can be valuable in recognizing rapid and sizable leakage to the containment. Temperature and pressure monitors are not required by this LCO.APPLICABLE SAFETY ANALYSESThe need to evaluate the severity of an alarm or an indication is important to the operators, and the ability to compare and verify with indications from other systems is necessary. Multiple instrument locations are utilized, if needed, to ensure that the trans port delay time of the leakage from its source to an instrument location yields an acceptable overa ll response time.The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the un identified LEAKAGE provides quantitative information to the operators, allowing them to take corrective
action should a leakage occur detrimental to the safety of the unit and the public.RCS leakage detection instrumentation satisfies Criterion1 of 10CFR50.36(c)(2)(ii).
LCOThis LCO requires instruments of di verse monitoring principles to be OPERABLE to provide confidence th at small amounts of unidentified LEAKAGE are detected in time to allow actions to place the unit in a safe condition, when RCS LEAKAGE indicat es possible RCPB degradation.
The LCO requires two instruments to be OPERABLE.
The containment sump used to co llect unidentified LEAKAGE includes two sump level monitors that provid e level indication. The "A" train level indicator provides input to a calculated discharge flow rate determined by the plant (continued)
RCS Leakage Detection Instrumentation B 3.4.15BASESNorth Anna Units 1 and 2B 3.4.15-3Revision 47 LCO(continued)computer. Either level indication or the calculated containment sump discharge flow rate is acceptable for detecting increases in unidentified LEAKAGE. The identification of an increase in unidentified LEAKAGE
will be delayed by the time require d for the unidentified LEAKAGE to travel to the containment sump and it may take longer than one hour to detect a 1 gpm increase in unid entified LEAKAGE, depending on the origin and magnitude of the LEAKAGE.
This sensitivity is acceptable for containment sump monitor OPERABILITY.The reactor coolant contains radioact ivity that, when released to the containment, can be detected by the gaseous or particulate containment atmosphere radioactivity monitor. Only one of the two detectors is required to be OPERABLE. Radioactivity detection systems are included for monitoring both particulate and gase ous activities because of their sensitivities and rapid responses to RCS LEAKAGE, but have recognized limitations. Reactor coolan t radioactivity levels will be low during initial reactor startup and for a few weeks thereafter, until activated corrosion products have been formed and fission products appear from fuel element cladding contamination or cladding defects. If there are few fuel element cladding defects and low levels of activation products, it may not be possible for the gaseous or part iculate containment atmosphere radioactivity monitors to detect a 0.5gpm increase wi thin 1 hour during normal operation. However, the gase ous or particulate containment atmosphere radioactivity monitor is OPERABLE when it is capable of detecting a 0.5gpm increase in unidentified LEAKAGE within 1hour given an RCS activity equivalent to th at assumed in the design calculations for the monitors (Reference 3).The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment sump monitor, in combination with a gaseous or particulate radioactivity monitor, provides an acceptable minimum.
North Anna Units 1 and 2B 3.4.15-4Revision 47RCS Leakage Detection Instrumentation B 3.4.15BASESAPPLICABILITYBecause of elevated RCS temperature and pressure in MODES1, 2,3, and4, RCS leakage detection inst rumentation is required to be OPERABLE.In MODE5 or6, the temperature is to be 200F and pressure is maintained low or at atmospheric pr essure. Since the temperatures and pressures are far lower than those for MODES1, 2, 3, and4, the likelihood of leakage and crack propagation are much smaller. Therefore, the requirements of this LCO are not applicable in MODES5 and6.ACTIONSA.1 and A.2With the required containment sump m onitor inoperable, no other form of sampling can provide the equivalent information; however, the containment atmosphere radioactivity monitor will provide indications of changes in leakage. Together wi th the containment atmosphere radioactivity monitor, the periodic su rveillance for RCS water inventory balance, SR3.4.13.1, must be performe d at an increased frequency of 24hours to provide information that is adequate to detect leakage. A Note is added allowing that SR3.4.13.1 is not required to be performed until 12hours after establishing steady state operation (stable temperature,
power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flow). The 12hour allowance provides sufficient time to collect and process all necessary data after stable unit
conditions are established.
Restoration of the required sump m onitor to OPERABLE status within a Completion Time of 30days is require d to regain the function after the monitor's failure. This time is acceptable, considering the Frequency and adequacy of the RCS water inve ntory balance required by Required ActionA.1.B.1.1, B.1.2, andB.2With both gaseous and particulate c ontainment atmosphere radioactivity monitoring instrumentation channels inoperable, alternative action is
required. Either grab samp les of the containment at mosphere must be taken and analyzed or water inventory balances, in accordance with SR3.4.13.1,
must be performed to provide alternate periodic information.
(continued)
RCS Leakage Detection Instrumentation B 3.4.15BASESNorth Anna Units 1 and 2B 3.4.15-5Revision 47ACTIONSB.1.1, B.1.2, andB.2 (continued)With a sample obtained and analyz ed or water inventory balance performed every 24hours, the reactor may be operated for up to 30days to allow restoration of the required co ntainment atmosphere radioactivity monitors.The 24hour interval provides periodic information that is adequate to detect leakage. A Note is added allowing that SR3.4.13.1 is not required to be performed until 12hours after esta blishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flow). The 12hour allowance provides sufficient time to collect and process all necessary data after stable unit conditions are established. The 30day Completion Time
recognizes at least one other form of leakage detection is available.
C.1 and C.2With the required containment sump m onitor inoperable, the only means of
detecting LEAKAGE is the required containment atmosphere radiation monitor. A Note clarifies that this Condition is applicable when the only OPERABLE monitor is the containm ent atmosphere gaseous radiation monitor. The containment atmosphe re gaseous radioactivity monitor typically cannot detect a 0.5gpm leak within one hour when RCS activity is low. In addition, this configurati on does not provide th e required diverse means of leakage detection. Indirect methods of monitoring RCS leakage
must be implemented. Grab samples of the containment atmosphere must be taken to provide alternate periodic information. The 12hour interval is sufficient to detect increasing RCS leakage. The Required Action provides 7days to restore another RCS leakag e monitor to OPERABLE status to regain the intended leakage detection capability. The 7day Completion Time ensures that the plant will not be operated in a degraded configuration for a lengthy time period.
(continued)
North Anna Units 1 and 2B 3.4.15-6Revision 47RCS Leakage Detection Instrumentation B 3.4.15BASESACTIONS(continued)
D.1 and D.2If a Required Action of ConditionA or B cannot be met, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating expe rience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems.
E.1With all required monitors inoperable, no required automatic means of monitoring leakage are available, and immediate unit shutdown in accordance with LCO3.0.3 is required.SURVEILLANCE
REQUIREMENT
SSR3.4.15.1SR3.4.15.1 requires the performance of a CHANNEL CHECK of the
required containment atmosphere radioactivity monitor. The check gives reasonable confidence that the channel is operating properly. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.15.2SR3.4.15.2 requires the performance of a COT on the required containment atmosphere radioactivity monitor. The test ensures that the monitor can perform its function in the desired manner. The test verifies the alarm setpoint and relative accuracy of the instrument string. The
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.15.3 and SR3.4.15.4These SRs require the performance of a CHANNEL CALIBRATION for each of the RCS leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the instruments located inside containment. The Surveillance Frequency is
based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Chapter3.2.Regulatory Guide1.45, Revision 0, "Reactor Coolant Pressure Boundary Leakage Detection Systems," dated May,1973.
RCS Leakage Detection Instrumentation B 3.4.15BASESNorth Anna Units 1 and 2B 3.4.15-7Revision 473.UFSAR, Chapter5.2.4 Intentionally Blank North Anna Units 1 and 2B 3.4.16-1Revision 42RCS Specific Activity B 3.4.16B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.16RCS Specific ActivityBASESBACKGROUNDThe maximum dose that an indi vidual at the exclusion area boundary can receive for 2hours following an accident, or at the low population zone outer boundary for the radiological release duration, is specified in 10CFR50.67 (Ref.1). Doses to control room operators must be limited per GDC19. The limits on specific activity ensure that the offsite and control room doses are appropriately limited during analyzed transients and accidents.
The RCS specific activity LCO limits th e allowable concentration level of radionuclides in the reactor coolant. The LCO limits are established to minimize the dose consequences in the event of a steam line break (SLB) or steam generator tube rupture (SGTR) accident.
The LCO contains specific activity limits for both DOSE EQUIVALENTI-131 and DOSE EQUIVALENTXE-133. The allowable levels are intended to ensure that offsite and control room doses meet the
appropriate acceptance criteria in the Standard Review Plan (Ref. 2).APPLICABLE SAFETY ANALYSESThe LCO limits on the specific activity of the reactor coolant ensure that the resulting offsite and control r oom doses meet the appropriate SRP acceptance criteria following a SLB or SGTR accident. The safety analyses (Refs. 3 and 4) assume the specific activity of the reactor coolant is at the LCO limits, and an existing reactor coolant steam generator (SG) tube leakage rate of 1gpm exists. The safety analyses assume the specific
activity of the secondary coolant is at its limit of 0.1Ci/gm DOSE EQUIVALENTI-131 from LCO3.7.18, "Secondary Specific Activity."The analyses for the SLB and SGTR accidents establish the acceptance limits for RCS specific activity. Reference to these analyses is used to
assess changes to the unit that could affect RCS specific activity, as they relate to the acceptance limits.
(continued)
North Anna Units 1 and 2B 3.4.16-2Revision 42RCS Specific Activity B 3.4.16BASESAPPLICABLE SAFETY ANALYSES(continued)The safety analyses consider two cases of reactor coolant iodine specific activity. One case assume s specific activity at 1.0 Ci/gm DOSE EQUIVALENTI-131 with a concurrent large iodine spike that increases the rate of release of i odine from the fuel rods containing cladding defects to the primary coolant immediately af ter a SLB (by a factor of 500), or SGTR (by a factor of 335), respectively. The second case assumes the initial reactor coolant iodine activity at 60.0Ci/gm DOSE EQUIVALENTI-131 due to an iodine sp ike caused by a reactor or an RCS transient prior to the accident. In bot h cases, the noble gas specific activity is assumed to be 197Ci/gm DOSE EQUIVALENTXE-133.The SGTR analysis also assumes a loss of offsite power at the same time as the reactor trip. The SGTR causes a reduction in reactor coolant inventory. The reduction initiates a reactor trip from a low pressuri zer pressure signal or an RCS overtemperature T signal.The loss of offsite power causes the st eam dump valves to close to protect the condenser. The rise in pressure in the ruptured SG discharges radioactively contaminated steam to the atmosphere through the SG power operated relief valves and the main steam safety valves. The unaffected SGs remove core decay heat by venting steam to the atmosphere until the
cooldown ends and the Residual Heat Re moval (RHR) system is placed in service.The SLB radiological analysis assumes that offsite power is lost at the same time as the pipe break occurs outside containment. Reactor trip occurs after the generation of an SI signal on low steam line pressure. The affected SG blows down completely and steam is vented directly to the atmosphere. The unaffected SGs remove core decay heat by venting steam to the atmosphere until th e cooldown ends and the RHR system is placed in service.Operation with iodine specific activity levels greater than the LCO limit is permissible, if the activi ty levels do not exceed 60.0Ci/gm for more than 48hours.
The limits on RCS specific activity are also used for establishing standardization in radiation shie lding and plant personnel radiation protection practices.
RCS specific activity satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe iodine specific activity in the reactor coolant is limited to 1.0Ci/gm DOSE EQUIVALENTI-131, and the noble gas specific ac tivity in the reactor coolant is limited to 197Ci/gm DOSE EQUIVALENTXE-133.
The limits on specific activity ensure that offsite and control room doses will meet the appropriate SRP acceptance criteria (Ref.2).
RCS Specific Activity B 3.4.16BASESNorth Anna Units 1 and 2B 3.4.16-3Revision 46 The SLB and SGTR accident analyses (Refs.3 and 4) show that the calculated doses are within acceptable limits. Violation of the LCO may result in reactor coolant radioactivity levels that could, in the event of a SLB or SGTR, lead to doses that exceed the SRP acceptance criteria (Ref.2).APPLICABILITYIn MODES1, 2, 3, and 4, operation within the LCO limits for DOSE EQUIVALENTI-131 and DOSE EQUIVALENTXE-133 is necessary to limit the potential consequences of a SLB or SGTR to within the SRP acceptance criteria (Ref.2).
In MODES 5 and 6, the steam generators are not bei ng used for decay heat removal, the RCS and steam generators are depressurized, and primary to secondary leakage is minimal. Theref ore, the monitoring of RCS specific activity is not required.ACTIONSA.1 and A.2With the DOSE EQUIVALENTI-131 greate r than the LCO limit, samples at intervals of 4hours must be taken to demonstrate that the specific activity is <
60.0Ci/gm. The Completion Time of 4hours is required to obtain and analyze a sample. Sampling is continued every 4hours to provide a trend.The DOSE EQUIVALENTI-131 must be restored to within limit within 48hours. The Completion Time of 48hours is acceptable since it is
expected that, if there were an iodi ne spike, the normal coolant iodine concentration would be restored within this time period. Also, there is a low probability of a SLB or SGTR occurring during this time period.A Note permits the use of the provisions of LCO3.0.4.c. This allowance permits entry into the applicable MODE(S), relying on Required Actions A.1 and A.2 while the DOSE EQUIVALENT I-131 LCO limit is not met. This allowance is acceptable due (continued)ACTIONS(continued) to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or pr oceeds to, power operation.
B.1With the DOSE EQUIVALENTXE-133 greater than the LCO limit, DOSE EQUIVALENTXE-133 must be restored to within limit within 48hours. The allowed Completion Time of 48hours is acceptable since it is expected that, if there were a noble gas spike, the normal coolant noble gas North Anna Units 1 and 2B 3.4.16-4Revision 46RCS Specific Activity B 3.4.16BASESconcentration would be restored within this time period. Also, there is a low probability of a SLB or SGTR occurring during this time period.
A Note permits that the use of the provisions of LCO3.0.4.c. This allowance permits entry into the appl icable MODE(S), relying on Required ActionB.1 while the DOSE EQUIVALENT XE-133 LCO limit is not met. This allowance is acceptable due to si gnificant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or proceeds to,
power operation.
C.1 and C.2If the Required Action and associated Completion Time of ConditionA or B is not met, or if the DOSE EQUIVALENTI-131 is > 60.0Ci/gm, the reactor must be brought to MODE3 within 6hours and MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full
power conditions in an orderly manner and without challenging plant
systems.SURVEILLANCE
REQUIREMENT
SSR3.4.16.1SR3.4.16.1 requires performing a gamma isotopic analys is as a measure of the noble gas specific activity of the r eactor coolant. This measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveill ance provides an indication of any increase in the noble gas specific activity.
(continued)SURVEILLANCE
REQUIREMENT
S(continued)SR3.4.16.1 (continued)Trending the results of this Surveillan ce allows proper re medial action to be taken before reaching the LCO li mit under normal operating conditions.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.Due to the inherent difficulty in detecting Kr-85 in a react or coolant sample due to masking from radioisotopes within similar decay energies, such as F-18 and I-134, it is acceptable to incl ude the minimum detectable activity for Kr-85 in the SR3.4.16.1 calculation. If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT
XE-133 is not detected, it should be assumed to be present at the minimum detectable activity.SR3.4.16.2 RCS Specific Activity B 3.4.16BASESNorth Anna Units 1 and 2B 3.4.16-5Revision 46 This Surveillance is performed to ensu re iodine specific activity remains within the LCO limit during normal operation and following fast power changes when iodine spiking is more apt to occur. The Surveillance
Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The Frequency, between 2 and 6 hours after a power change
>15% RTP within a 1hour period, is established because the iodine levels peak during this time foll owing the iodine spike init iation; samples at other times would provide accurate results.
RCS Specific Activity B 3.4.16BASESNorth Anna Units 1 and 2B 3.4.16-6Revision 42REFERENCES1.10CFR50.67.2.Standard Review Plan (SRP) Section15.0.1 "Radiological Consequence Analyses Using Alternative Source Terms."3.UFSAR, Section15.4.2.4.UFSAR, Section15.4.3.
North Anna Units 1 and 2B 3.4.17-1Revision 0RCS Loop Isolation Valves B 3.4.17B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.17RCS Loop Isolation ValvesBASESBACKGROUNDThe reactor coolant loops are equipped with l oop isolation valves that permit any loop to be isolated from the reactor vessel. One valve is installed on each hot leg and one on each cold leg. The loop isolation valves are used to perform mainte nance on an isolated loop. Power operation with a loop isolated is not permitted.To ensure that inadvertent closure of a loop isolation valve does not occur, the valves must be open with power to the valve operators removed in MODES1, 2, 3 and4. If the valves are closed, a set of administrative
controls and equipment interlocks mu st be satisfied prior to opening the isolation valves as described in LCO3.4.18, "RCS Isolated Loop Startup."APPLICABLE SAFETY ANALYSESThe safety analyses performed for the reactor at power assume that all reactor coolant loops are initially in operation and the loop isolation valves are open. This LCO places c ontrols on the loop isolation valves to ensure that the valves are not inadvertently closed in MODES1, 2, 3 and4. The
inadvertent closure of a loop isolat ion valve when the Reactor Coolant Pumps (RCPs) are operating will result in a partial loss of forced reactor coolant flow (Ref.1). If the reactor is at power at the time of the event, the effect of the partial loss of forced coolant flow is a rapid increase in the
coolant temperature which could resu lt in DNB with subsequent fuel damage if the reactor is not tripped by the Low Flow reactor trip. If the reactor is shutdown and an RCS loop is in operation removing decay heat,
closure of the loop isolation valve a ssociated with the operating loop could also result in increasing coolant temp erature and the possibility of fuel damage.RCS Loop Isolation Valves satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).
LCOThis LCO ensures that the loop isolat ion valves are open and power to the valve operators is removed. Loop isolat ion valves are used for performing maintenance in MODES5 and6.
(continued)
North Anna Units 1 and 2B 3.4.17-2Revision 0RCS Loop Isolation Valves B 3.4.17BASESLCO(continued)
The safety analyses assume that the loop isolation valves are open in any RCS loops required to be OPERABLE by LCO3.4.4, "RCS Loops-MODES1 and2," LCO3.4.5, "RCS Loops-MODE3," or LCO3.4.6, "RCS Loops-MODE4."APPLICABILITYIn MODES1 through4, this LCO ensures that the loop isolation valves are open and power to the valve operators is removed. The safety analyses assume that the loop isolation valves are open in any RCS loops required to
be OPERABLE.In MODES5 and6, the loop isolation valves may be closed. Controlled startup of an isolated loop is governed by the requirements of LCO3.4.18, "RCS Isolated Loop Startup."ACTIONSThe Actions have been provided wi th a Note to clarify that all RCS loop isolation valves for this LCO are treated as separate entities, each with separate Completion Times, i.e., the Completion Time is on a component basis.A.1If power is inadvertentl y restored to one or more loop isolation valve operators, the potential exists for acci dental isolation of a loop. The loop isolation valves have motor operators. Therefore, these valves will maintain their last position when power is removed from the valve operator. With power applied to the valve operators, only the interlocks prevent the valve from being opera ted. Although operating procedures and interlocks make the occurrence of this event unlikely, the prudent action is to remove power from the loop isol ation valve operators. The Completion Time of 30minutes to remove pow er from the loop isolation valve operators is sufficient considering the complexity of the task.
B.1, B.2, and B.3 Should a loop isolation valve be closed in MODES1 through4, the affected loop isolation valve(s) must remain closed and the unit placed in MODE5. Once in MODE5, the isolat ed loop may be started in a controlled manner in accordance with LCO3.4.18, "RCS Isolated Loop Startup." Opening the closed isolation valve in MODES1 through4 could
result in colder water or water at a lower boron concentration being mixed with the operating RCS loops (continued)
RCS Loop Isolation Valves B 3.4.17BASESNorth Anna Units 1 and 2B 3.4.17-3Revision 46ACTIONSB.1, B.2, and B.3 (continued) resulting in positive reac tivity insertion. The Completion Time of Required ActionB.1 allows time for borati ng the operating loops to a shutdown boration level such that the unit can be brought to MODE3 within 6hours and MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.4.17.1 The Surveillance is performed to ensure that the RCS loop isolation valves
are open prior to removing power from the isolation valve operator. There is no remote position indi cation available after power is removed from the valve operators. The valves will maintain their last position when power is removed for the valve operator.SR3.4.17.2The primary function of this Surveillance is to ensure that power is removed from the valve operators, since SR3.4.4.1 of LCO3.4.4, "RCS Loops-MODES1 and2," ensures that the loop isolation valves are open by verifying every 12hours that all loops are operating and circulating reactor coolant. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section15.2.6.
Intentionally Blank North Anna Units 1 and 2B 3.4.18-1Revision 0RCS Isolated Loop Startup B 3.4.18B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.18RCS Isolated Loop StartupBASESBACKGROUNDThe RCS may be operated with loops isolated in MODES5 and6 in order to perform maintenance. While opera ting with a loop isolated, there is potential for inadvertently opening the is olation valves in the isolated loop.
In this event, any coolant in the isolated loop would begin to mix with the coolant in the operating loops. This situ ation has the potential of causing a positive reactivity addition with a corresponding reduction of SDM if:a.The temperature in the isolated loop is lower than the temperature in the operating Residual Heat Removal (RHR) or RCS loops (cold water incident); orb.The boron concentration in the isol ated loop is lower than the boron concentration required to meet the SDM of LCO3.1.1 or the boron concentration of LCO3.9.1 (boron dilution incident).
If the loop is drained of coolant, st artup of an isolat ed loop will cause coolant to flow from the RCS into the isolated portion of the loop with the potential to lower the RCS water level and cause a loss of suction to the RHR System pumps.As discussed in the UFSAR (Ref.1), the startup of a filled, isolated loop is done in a controlled manner that virtually eliminates any sudden reactivity addition from cold water or boron dilution because:a.This LCO and unit operating procedures require that the boron concentration in the isolated loop be equal to or greater than the boron concentration required to meet the SDM of LCO3.1.1 or the boron concentration of LCO3.9.1 prior to opening the isolation valves, thus eliminating the potential for introducing coolant from the isolated loop that could dilute the boron concentr ation in the operating loops below the required limit.b.The cold leg loop isolation valve cannot be opened unless the loop has been operated with the hot leg isol ation valve open and recirculation flow of 125 gpm for (continued)
North Anna Units 1 and 2B 3.4.18-2Revision 0RCS Isolated Loop Startup B 3.4.18BASESBACKGROUNDb.(continued)90minutes. This ensures that the te mperatures of both the hot leg and cold leg of the isolat ed loop are within 20F of the operating loops and the boron concentration of the isolated loop is gr eater than or equal to the boron concentration required to meet the SDM of LCO3.1.1 or the boron concentration of LCO3.9.1. Comp liance with the recirculation requirement is ensured by operat ing procedures and automatic interlocks.c.Other automatic interlocks preven t opening the hot leg loop isolation valve unless the cold leg loop is olation valve is fully closed.
The startup of an initially drained, isolated loop is performed in a controlled manner to ensure that sufficient water is available in the RCS to support RHR operation. In this case, the automatic interlocks are defeated and the isolated loop is fille d under administrative control.APPLICABLE SAFETY ANALYSESDuring startup of a filled isolated loop, the cold leg loop isolation valve
interlocks and operating procedures prevent opening the valve until the isolated loop and active RCS volume temperatures are equalized and the
boron concentration is within limit. This ensures that any undesirable reactivity effect from the isolated loop does not occur.An evaluation of the effects of openi ng the loop isolation valves with the boron concentration or temperature re quirements of the filled, isolated portion not met is described in Reference1. Failure to follow the requirements in the LCO could result in the RCS boron concentration or coolant temperature being reduced with a corresponding reduction in SDM. The evaluation concluded that adequate time is available for an operator to identify and respond to such an event prior to reactor criticality.The initial RCS volume re quirements ensure that the operation of the RHR System is not impaired during the fill ing of an isolated loop from the RCS should the isolatio n valves on three drained, isol ated loops be inadvertently opened.RCS isolated loop startup satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).
LCOLoop isolation valves are used for pe rforming maintenance when the unit is in MODE5 or6. This LCO governs the return to operation of an isolated loop (i.e., the hot and cold leg loop isolation valves are initially closed) and ensures that the loop isolation valves remain closed unless acceptable conditions for opening the valves are established.
There are two methods for returning an isolated loop to operation. The first method is used when the is olated loop is filled with water. When using the RCS Isolated Loop Startup B 3.4.18BASESNorth Anna Units 1 and 2B 3.4.18-3Revision 0 filled loop method, the hot leg isolation valve (e.g., the inlet valve to the isolated portion of the loop) is opened first. As described in LCO3.4.18.a, the water in the isolated loop must be borated to at least the boron
concentration needed to provide the required shutdown margin prior to opening the hot leg isolation valve. This ensures that the RCS boron
concentration is not reduced below th at required to maintain the required shutdown margin. The water in the isolated loop is then mixed with the
water in the RCS by establ ishing flow through the reci rculation line (which bypasses the cold leg isolation va lve). After the flow through the recirculation line has thoroughly mixed the water in the isolated loop with the water in the RCS and it is verified that the isolated loop temperature is no more than 20F below the temperature of the RCS (to avoid reactivity additions due to reduced RCS temperat ure), the cold leg isolation valve may be opened.
The second method for returning an isol ated loop to operat ion is described in LCO3.4.18.b and is used when the isolated loop is drained of water. In the drained loop method, the water in the RCS is used to fill the isolated portion of the loop. The LCO also requi res that the pressurizer water level be established sufficiently high prior to and during the opening of the isolation valves to ensure that the in advertent opening of all three sets of loop isolation valves on thr ee drained and isolated l oops would not result in loss of net positive suction head fo r the Residual Heat Removal system.
The LCO is modified by a Note wh ich allows Reactor Coolant Pump
(RCP) seal injection to be initiated to a RCP in a drained, isolated loop. This is to support vacuum assisted backfill of the loop. In this method, a
vacuum is drawn on the isolated loop pr ior to opening the cold leg isolation valve in order to minimize the amount of trapped air in the loop and to
minimize the need to run the RCP in the isolated loop to clear out air
pockets. In order to draw a vacuum on (continued)
LCO(continued)the isolated loop, the RCP seals must be filled with water. The boron concentration of the water used for seal injection must meet the same requirements as the reactor coolant sy stem and the loop must be drained prior to starting seal inje ction in order to be sure that no water at a boron concentration less than required remains in the isolated loop.
The LCO is modified by a Note which allows a hot or cold leg isolation valve to be closed for up to two hours without considering the loop isolated and meeting the LCO requirements when opening the closed valve. This allows for necessary maintenance and testing on the valves and the valve operators. If the closed valve is not re opened with two hours, it is necessary to close both isolation valves on the affected loop and follow the
requirements of the LCO when reopeni ng the isolation valves. This is required because there is a possibility th at the water in the isolated loop has become diluted or cooled to the point that reintroduction of the water into to the reactor vessel could result in a significant reactivity change.
North Anna Units 1 and 2B 3.4.18-4Revision 0RCS Isolated Loop Startup B 3.4.18BASESAPPLICABILITYIn MODES 5 and 6, RCS loops may be isolated to perform maintenance.
When a filled, isolated loop is to be put in operation, the isolated loop boron concentration and temperature must be controlled prior to opening the loop isolation valves in order to avoid the potential for positive reactivity addition. When an initially drai ned, isolated loop is to be put into operation, sufficient RCS inventory must be available to ensure that RCS
water level continues to support RHR operation. The LCO water level requirement is sufficient to ensure that RCS water level does not drop below that required for RHR operation. In MODES1, 2, 3 and4, the loop
isolation valves are required to be open with power to the valve operators removed by LCO3.4.17, "RCS Loop Isolation Valves."ACTIONSA.1, B.1, andC.1Required ActionsA.1, B.1, andC.1 apply when the requirements of LCO3.4.18.a are not met and a loop is olation valve has been opened.
Therefore, the Actions require immedi ate closure of isolation valves to preclude a boron dilution event or a cold water event or RCS water level falling below that required for RHR operation.
RCS Isolated Loop Startup B 3.4.18BASESNorth Anna Units 1 and 2B 3.4.18-5Revision 0ACTIONS(continued)D.1, D.2, E.1 andE.2Required ActionsD.1, D.2, E.1 andE.2 apply when the requirements of LCO3.4.18.b are not met and an initially drained, isolated loop is filled from the active RCS volume by opening a loop isolation valve. If the RCS water level requirement is not met, there is the possibility of insufficient net positive suction head to suppor t the RHR pumps. If the RCP seal
injection boron concentration requirements are not met, there is the possibility of diluting the reactor c oolant boron concentration below that which is required. In both cases, the isol ation valve(s) are to be closed and the requirements of the LCO must be met prior to opening the isolation
valves. If both isolation valves on the loop are not fully opened within 2hours, the lack of flow through the cl osed valve(s) could result in the boron concentration of the previously isolated portion of the loop being significantly different from the remainder of the RCS. The boron concentration in the isolated loop must be verified to be wi thin limit or the isolation valve(s) are to be closed and the requireme nts of the LCO must be met prior to opening th e isolation valves.F.1If power is restored to one or more closed loop isolat ion valve operators without the initial conditions in LCO 3.4.18.a.1 or LCO 3.4.18.b.1 being met, the potential exists for accident al startup of an isolated loop and possible reduction in shutdown margi
: n. The loop isolation valves have motor operators. Therefore, these valves will maintain their last position
when power is removed from the valve operator. With power applied to the valve operators, only the interlocks prevent the valve from being operated. Although operating procedures and interlocks make the occurrence of this event unlikely, the prudent action is to remove power from the loop isolation valve operators. The Completion Time of 30minutes to remove power from the loop isolation valve operators is sufficient considering the complexity of the task.SURVEILLANCE
REQUIREMENT
SSR3.4.18.1 This Surveillance is performed to ensure that the temperature differential
between a filled, isolated loop and the operating loops is 20F. The loop stop valve interlocks (continued)
North Anna Units 1 and 2B 3.4.18-6Revision 0RCS Isolated Loop Startup B 3.4.18BASESSURVEILLANCE REQUIREMENT
SSR3.4.18.1 (continued) ensure that the temperature of the isolated loop is equalized with the temperature of the operating loops by re quiring that the isolated loop is operated for at least 90minutes with a recirculation flow of  125 gpm. The safety analysis neglects the uncertainty associated with measuring
recirculation flow due to the insignificant effect on the analysis. Performing the Surveillance 30minutes prior to opening the cold leg
isolation valve in the isolated loop provides reasonable assurance, based on engineering judgment, that the temperature differential will stay within limits until the cold leg isolation valve is opened.
This Frequency has been shown to be acceptable th rough operating experience.The Surveillance is modified by a Note which states that the Surveillance is only required to be met when utilizing the requirements of the LCO
applicable to starting a filled, isolated loop.SR3.4.18.2To ensure that the boron concentration of a filled, isolated loop is greater than or equal to the boron concentration required to meet the SDM of LCO3.1.1 or the boron concentration of LCO3.9.1, a Surveillance is performed 1hour prior to opening either the hot or cold le g isolation valve. Performing the Surveillance 1hour prior to opening either the hot or cold
leg isolation valve provides reasonable assurance the boron concentration difference will stay wi thin acceptable limits until the loop is unisolated.
This Frequency is a reasonable amount of time given that the isolated loop boron concentration changes slowly a nd the time require d to request and have analyzed a boron concentration measurement prior to opening the
isolation valve.The Surveillance is modified by a Note which states that the Surveillance is only required to be met when utilizing the requirements of the LCO applicable to starting a filled, isolated loop.
RCS Isolated Loop Startup B 3.4.18BASESNorth Anna Units 1 and 2B 3.4.18-7Revision 0SURVEILLANCE REQUIREMENT
S(continued)SR3.4.18.3 This Surveillance is performed to ensu re that a filled, isolated loop is recirculated, with the hot leg isolation valve open, for at least 90 minutes at a flow rate of at least 125 gpm. This will ensure that the boron
concentration and temperatur e of the isolated loop is similar to those of the operating loops. The Frequency of with in 30 minutes prior to opening the cold leg isolation valve in a filled, is olated loop is considered a reasonable time to prepare for the opening of the cold leg isolation valve. The
Surveillance is modified by a Note which states that the Surveillance is only required to be met when util izing the requirements of the LCO applicable to starting a filled, isolated loop.SR3.4.18.4 This Surveillance is performed to ensu re that an isolated loop is drained
before opening an isolation valve to fill the isolated portion of the RCS from the RCS active volume or before initiating seal injection to the RCP in the isolated loop. This verificati on is performed to prevent unsampled water in a partially filled, isolated loop from mixing with the water in the RCS and potentially causing reactivity changes due to differences in boron concentration. The Frequency of within 2hours prior to fill ing an initially drained loop from the active RCS volume or within 2hours of initiating seal injection to the RCP in the isol ated loop is considered a reasonable time to prepare for the opening of the isolation valve. The Surveillance is modified by a Note which states that th e Surveillance is on ly required to be met when utilizing the requirements of the LCO applicable to starting an initially drained, isolated loop.SR3.4.18.5This Surveillance verifies that the bor on concentration of the water used for seal injection to the RCP in the isolated loop is borated to the same requirement as the RCS. This will prevent the water used for seal injection from diluting the water in the RCS. The LCO is modified by two Notes. Note1 states that the Surveillance is only required to be met when utilizing the requirements of the LCO applicable to starting an initially drained, isolated loop. Note2 states that the Su rveillance is only required to be met when using blended flow as the sour ce for RCP seal injection. The other sources(continued)
North Anna Units 1 and 2B 3.4.18-8Revision 0RCS Isolated Loop Startup B 3.4.18BASESSURVEILLANCE REQUIREMENT
SSR3.4.18.5 (continued) for seal injection are required to be borated to at least the required boron concentration and are periodically verified by ot her specifications. The Frequency of within 1hour prior to in itiating seal inject ion flow and once per hour during filling of an initia lly drained loop from the active RCS volume is considered a reasonable time to monitor the seal injection boron concentration.SR3.4.18.6This Surveillance verifies that there is sufficient water in the RCS when filling an initially drained, isolated portion of the RCS. The volume of water required is sufficient to cont inue to support RHR operation in the event of the inadvertent opening of th e isolation valves on three isolated and drained loops. The required level of 32% incorporates inaccuracies due to use of instruments calibrated at cold conditions. If inst ruments calibrated at hot conditions are used, an indicated level of 39% is required due to the increased instrument uncertainty.
The Frequency of every 15 minutes during filling of a drained, isolated loop ensures that the operators are aware of the water level during the fi lling operation. The Surveillance is modified by a Note which states that the Surveillance is only required to be met when utilizing the requirements of the LCO applicable to starting a drained, isolated loop.SR3.4.18.7This Surveillance is performed to ensu re that the boron concentration of an isolated loop satisfies the boron con centration requirements of the RCS prior to completely opening the cold leg isolation valve or opening the hot leg isolation valve. The Surveillance is modified by a Note which states
that the Surveillance is only required to be met when utilizing the
requirements of the LCO applicable to starting an initially drained, isolated loop. The Frequency of within 1hour prior to fully opening the cold leg
isolation valve or opening the hot le g isolation valve is considered a reasonable time to prepare for th e opening of the isolation valves.REFERENCES1.UFSAR, Section15.2.6.
North Anna Units 1 and 2B 3.4.19-1Revision 0RCS Loops-Test Exceptions B 3.4.19B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.19RCS Loops-Test ExceptionsBASESBACKGROUNDThe primary purpose of this test exception is to provide an exception to LCO3.4.4, "RCS Loops-MODES1 and2,"
to permit reactor criticality under no forced flow conditions during certain PHYSICS TESTS (natural
circulation demonstration, station blackout, and loss of offs ite power) to be performed while at low THERMAL POWER levels. SectionXI of 10CFR50, AppendixB (Ref.1), requi res that a test program be established to ensure that structures, systems, a nd components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceed ed during normal operation and anticipated operational occurrences must be tested. This testing is an
integral part of the design, construc tion, and operation of the power plant as specified in General Design Criteria1, "Quality Standards and Records" (Ref.2).The key objectives of a test program are to provide assurance that the facility has been adequately designed to validate the analytical models used in the design and analysis, to verify the assumptions used to predict unit response, to provide assurance that in stallation of equipment at the unit has been accomplished in accordance with the design, and to verify that the operating and emergency procedures are adequate. Testing is performed prior to initial criticality, during startup, and following low power operations.The tests will include verifying the ability to establish and maintain natural circulation following a unit trip, pe rforming natural circulation cooldown on emergency power, and during the c ooldown, showing that adequate boron mixing occurs and that pressure can be controlled using auxiliary spray and pressurizer heaters powered from the emergency power sources.APPLICABLE SAFETY ANALYSESThe tests described above require operating the unit without forced convection flow and as such are not bounded by any safety analyses. However, operating experience has dem onstrated this exception to be safe under the present applicability.
(continued)
North Anna Units 1 and 2B 3.4.19-2Revision 0RCS Loops-Test Exceptions B 3.4.19BASESAPPLICABLE SAFETY ANALYSES(continued)As described in LCO3.0.7, compliance with Test Exception LCOs is
optional, and therefore no criteria of 10CFR 50.36(c)(2)(ii) apply. Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCOThis LCO provides an exemption to the requirements of LCO3.4.4.
The LCO is provided to allow for th e performance of PHYSICS TESTS in MODE2 (after a refueling), where the core cooling requirements are significantly different than after the core has been operating. Without the LCO, unit operations would be held bound to the normal operating LCOs for reactor coolant loops and circulation (MODES1 and2), and the appropriate tests could not be performed.In MODE2, where core power level is considerably lower and the associated PHYSICS TESTS must be performed, operation is allowed under no flow conditions provided THERMAL POWER is P-7 and the reactor trip setpoints of the OPERABLE power level channels are set 25%RTP. This ensures, if some problem caused the unit to enter MODE1 and start increasing unit power, the Reactor Trip System (RTS) would automatically shut it down before power became too high, and thereby prevent violation of fuel design limits.The exemption is allowed even though there are no bounding safety analyses. However, these tests are performed under close supervision
during the test program and provide valuable information on the unit's capability to cool down without offs ite power available to the reactor
coolant pumps.APPLICABILITYThis LCO is applicable when performing low power PHYSICS TESTS without any forced convection flow. This testing is performed to establish
that heat input from nuclear heat do es not exceed the natural circulation heat removal capabilities.
Therefore, no safety or fu el design limits will be violated as a result of the associated tests.ACTIONSA.1 When THERMAL POWER is  the P-7 interlock setpoint 10%, the only acceptable action is to ensure the reactor trip breakers (RTBs) are opened immediately in accordance with Required ActionA.1 to prevent operation
of the fuel beyond its design limits. Opening the RTBs will shut down the RCS Loops-Test Exceptions B 3.4.19BASESNorth Anna Units 1 and 2B 3.4.19-3Revision 46reactor and prevent operation of the fuel outside of its design limits.SURVEILLANCE REQUIREMENT
SSR3.4.19.1Verification that the power level is <
the P-7 interlock setpoint (10%) will ensure that the fuel design criteria are not violated during the performance of the PHYSICS TESTS. The Surveillance Frequency is based on
operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.19.2 The power range and intermediate range neutron detectors, P-10, andP-13 interlock setpoint must be verified to be OPERABLE and adjusted to the proper value. The Low Power Reactor Trips Block, P-7 interlock, is actuated from either the Power Ra nge Neutron Flux, P-10, or the Turbine Impulse Chamber Pressure, P-13 interl ock. The P-7 interlock is a logic Function with train, not channel identity. A COT is performed prior to initiation of the PHYSICS TESTS. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This will ensure that the RTS is properly aligned to provide the required degree of core protection dur ing the performance of the PHYSICS TESTS. The SR3.3.1.8 Frequency is suff icient for the power range and intermediate range neutron detectors to ensure that the instrumentation is OPERABLE before initiating PHYSICS TESTS.
North Anna Units 1 and 2B 3.4.19-4Revision 0RCS Loops-Test Exceptions B 3.4.19BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.4.19.3The Low Power Reactor Trips Block, P-7 interlock, must be verified to be OPERABLE in MODE1 by LCO3.3.1, "Reactor Trip System
Instrumentation." The P-7 interlock is actuated from either the Power Range Neutron Flux, P-10, or the Turb ine Impulse Chamber Pressure, P-13 interlock. The P-7 interlock is a logic Function. An ACTUATION LOGIC TEST is performed to verify OPERABIL ITY of the P-7 interlock prior to initiation of startup and PHYSICS TESTS. This will ensure that the RTS is properly functioning to pr ovide the required degr ee of core protection during the performance of the PHYSICS TESTS.REFERENCES1.10CFR50, AppendixB, SectionXI.2.UFSAR, Section 3.1.1.
North Anna Units 1 and 2B 3.4.20-1Revision 28SG Tube Integrity B 3.4.20B 3.4  REACTOR COOLANT SYSTEM (RCS)B 3.4.20Steam Generator (SG) Tube IntegrityBASESBACKGROUNDSteam generator (SG) tubes are small diameter, th in walled tubes that carry primary coolant through the primary to secondary heat exchangers. The SG tubes have a number of impor tant safety functions. SG tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary system's pressure and inventory. The SG tubes isolate the radioactive fission pr oducts in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface betw een the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function is addressed by LCO3.4.4, "RCS Loops-MODES1 and2," LCO3.4.5, "RCS Loops-MODE3,"
LCO3.4.6, "RCS Loops-MODE4," and LCO3.4.7, "RCS Loops-MODE5, Loops Filled."
SG tube integrity means that the t ubes are capable of performing their intended RCPB safety f unction consistent with the licensing basis, including applicable regulatory requirements.
SG tubing is subject to a variety of degradation mechanisms. SG tubes may experience tube degradation related to corrosion phenomena, such as wastage, pitting, intergranular atta ck, and stress corrosion cracking, along with other mechanically induced phenomena such as denting and wear.
These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG
tube degradation.Specification5.5.8, "Steam Generator (SG) Program
," requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification5.5.8, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, acci dent induced leakage, and operational LEAKAGE. The SG performance criteria are described in Specification5.5.8. Meeting the (continued)
North Anna Units 1 and 2B 3.4.20-2Revision 28SG Tube Integrity B 3.4.20BASESBACKGROUND (continued)SG performance criteria provides reasonable assura nce of maintaining tube integrity at normal a nd accident conditions.The processes used to meet the SG pe rformance criteria are defined by the Steam Generator Program Guidelines (Ref.1).APPLICABLE SAFETY ANALYSESThe steam generator tube rupture (S GTR) accident is the limiting basis event for SG tubes and avoiding a SGTR is the basis for th is Specification.
The analysis of a SGTR event as sumes a bounding primary to secondary LEAKAGE rate of 1gpm, which is co nservative with respect to the operational LEAKAGE rate limits in LCO3.4.13, "RCS Operational LEAKAGE," plus the leakage rate a ssociated with a double-ended rupture of a single tube. The UFSAR analysis for SGTR as sumes the contaminated secondary fluid is released via power operated relief valves or safety
valves. The source term in the primary system coolant is transported to the affected (ruptured) steam generator by the break flow. The affected steam generator discharges steam to the environment for 30minutes until the generator is manually isolated. The 1gpm primary to secondary LEAKAGE transports the source term to the unaffected steam generators. Releases continue through the unaff ected steam generators until the Residual Heat Removal Syst em is placed in service.The analysis for design basis accidents and transients other than a SGTR assume the SG tubes retain their struct ural integrity (i.e., they are assumed not to rupture.) In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE from all SGs of 1gallon per minute or is assumed to increase to 1gallon per minute as a
result of accident induced conditions.
For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT I-131 is assumed to be equal to the LCO3.4.16, "RCS Specific Activity," limits. For accidents that assume fuel damage
, the primary coolant activity is a function of the amount of activity re leased from the damaged fuel. The dose consequences of these events are within the limits of GDC19 (Ref.2), 10CFR50.67 (Ref.3) or RG1.183 (Ref.4), as appropriate.
SG tube integrity satisfies Criterion2 of 10CFR50.36(c)(2)(ii).
SG Tube Integrity B 3.4.20BASESNorth Anna Units 1 and 2B 3.4.20-3Revision 49 LCOThe LCO requires that SG tube in tegrity be maintained. The LCO also requires that all SG tubes that sati sfy the plugging criteria be plugged in accordance with the Steam Generator Program.During an SG inspection, any inspected tube that satisfies the Steam Generator Program pluggi ng criteria is removed from service by plugging.
If a tube was determined to sati sfy the plugging criteria but was not plugged the tube may still have tube integrity.
In the context of this Spec ification, a SG tube is de fined as the entire length of the tube, including the tube wall be tween the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesh eet weld at the tube outlet. The tube-to-tubesheet weld is not considered part of the tube.
A SG tube has tube integrity when it satisfies the SG performance criteria.
The SG performance criteria are defined in Specification5.5.8, "Steam Generator Program," and describe ac ceptable SG tube performance. The Steam Generator Program also pr ovides the evaluation process for determining conformance with the SG performance criteria.
There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAG E. Failure to meet any one of these criteria is considered failure to meet the LCO.
The structural integrity performance criterion provides a margin of safety against tube burst or collapse unde r normal and accide nt conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tu be burst is defined as, "The gross structural failure of the tube wall. The condition t ypically corresponds to an unstable opening displacemen t (e.g., opening area incr eased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation." Tube collapse is defined as, "For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero." The structural integrity performance criterion provides
guidance on assessing loads that have a significant effect on burst or collapse. In that context, the term "s ignificant" is defined as "An accident loading condition other than differential pressure is considered significant (continued)
North Anna Units 1 and 2B 3.4.20-4Revision 28SG Tube Integrity B 3.4.20BASESLCO(continued) when the addition of such loads in the assessment of the st ructural integrity performance criterion could cause a lower structural limit or limiting burst/collapse condition to be established." For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circ umferential degradation, th e classification of axial thermal loads as primary or second ary loads will be evaluated on a case-by-case basis. The divisi on between primary and secondary classifications will be based on detailed analysis and/or testing.Structural integrity requires that the primary membrane stress intensity in a tube not exceed the yield strength for all ASME Code, SectionIII, Service LevelA (normal operating conditions) and Service LevelB (upset or abnormal conditions) transients incl uded in the design specification. This includes safety factors and applicable design basis loads based on ASME Code, SectionIII, SubsectionNB (Ref.5) and Draft Regulatory Guide1.121 (Ref.6).
The accident induced leakage perf ormance criterion ensures that the primary to secondary LEAKAGE caused by a design basis accident, other than a SGTR, is within the accident analysis assumptions. The accident analysis assumes that accident induced leakage does not exceed 1gpm.
The accident induced leakage rate includes any primary to secondary LEAKAGE existing prior to the acci dent in addition to primary to secondary LEAKAGE induced during the accident.
The operational LEAKAGE performance cr iterion provides an observable indication of SG tube conditions during plant operation. The limit on operational LEAKAGE is contained in LCO3.4.13, "RCS Operational LEAKAGE," and limits primary to secondary LEAKAGE through any one SG to 150gallons per day. This limit is based on the assumption that a single crack leaking this amount woul d not propagate to a SGTR under the stress conditions of a LOCA or a main steam line break. If this amount of LEAKAGE is due to more than one cr ack, the cracks are very small, and the above assumption is conservative.APPLICABILITYSG tube integrity is challenged when the pressure differential across the tubes is large. Large differential pr essures across SG tubes can only be experienced in MODE1, 2, 3, or4.
(continued)
SG Tube Integrity B 3.4.20BASESNorth Anna Units 1 and 2B 3.4.20-5Revision 49APPLICABILITY (continued)
SG integrity limits are not provided in MODES 5 and6 since RCS conditions are far less challenging than in MODES5 and6 than during MODES1, 2, 3, and4. In MODES5 and6, primary to secondary differential pressure is low, resulting in lower st resses and reduced potential for LEAKAGE.ACTIONSThe ACTIONS are modified by a Note clarifying that separate Conditions entry is permitted for each SG tube. This is acceptable because the
Required Actions provide appropriate compensatory actions for each affected SG tube. Complying with the Required Actions may allow for
continued operation, and subsequent affected SG tubes are governed by subsequent Condition entry and appl ication of associated Required
Actions.A.1 andA.2ConditionA applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube plugging criteria but were not plugged in accordance with the Steam Generator Program as required by SR3.4.20.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG
performance criteria described in the Steam Generator Program. The SG plugging criteria define li mits on SG tube degradation that allow for flaw growth between inspections while st ill providing assurance that the SG performance criteria will c ontinue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must
be completed that demonstrates that the SG performan ce criteria will continue to be met until the next re fueling outage or SG tube inspection.
The tube integrity determ ination is based on the estimated condition of the tube at the time the situation is disc overed and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, ConditionB applies.A Completion Time of 7days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not have tube integrity.
If the evaluation determines that the affected tube(s) have tube integrity, Required ActionA.2 allows plant opera tion to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported (continued)
North Anna Units 1 and 2B 3.4.20-6Revision 49SG Tube Integrity B 3.4.20BASESACTIONSA.1 andA.2 (continued) by an operational assessment that reflects the affected tubes. However, the affected tube(s) must be plugged prior to entering MODE4 following the next refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.B.1 andB.2 If the Required Actions and associated Completion Times of ConditionA are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE3 within 6hours and MODE5 within 36hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the desired plant conditions from full power
conditions in an orderly manner a nd without challenging plant systems.SURVEILLANCE
REQUIREMENT
SSR3.4.20.1 During shutdown periods the SGs are in spected as required by this SR and the Steam Generator Program. NEI97-06, Steam Generator Program Guidelines (Ref.1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator
Program ensures that the inspection is appropriate and consistent with accepted industry practices.
During SG inspections a condition mon itoring assessment of the SG tubes is performed. The condition monitoring assessment determines the "as found" condition of the SG tubes. Th e purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for
the previous operating period.The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying
the tube plugging criteria. Inspection sc ope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and
potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation.
Inspection methods are a SG Tube Integrity B 3.4.20BASESNorth Anna Units 1 and 2B 3.4.20-7Revision 49SURVEILLANCE REQUIREMENT
SSR3.4.20.1 (continued)function of degradation morphology, non-destructive examination (NDE) technique capabilities, a nd inspection locations.The Steam Generator Program defines the Frequency of SR3.4.20.1. The Frequency is determined by the operati onal assessment and other limits in the SG examination guidelines (Ref.7). The Steam Generator Program
uses information on existing degradati ons and growth rates to determine an inspection Frequency that provides r easonable assurance that the tubing will meet the SG performa nce criteria at the next scheduled inspection. In addition, Specification5.5.8 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met betw een scheduled inspections. If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected SGs is re stricted by Specification 5.5.8 until subsequent inspections support ex tending the inspection interval.SR3.4.20.2During an SG inspection, any inspected tube that satisfies the Steam
Generator Program pluggi ng criteria is removed from service by plugging.
The tube plugging criteria delineated in Specification5.5.8 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In ad dition, the tube plugging criteria, in conjunction with other elements of the Steam Generator Program, ensure
that the SG performance criteria wi ll continue to be met until the next inspection of the subject tube(s). Reference1 provides guidance for performing operational assessments to ve rify that the tubes remaining in service will continue to meet the SG perfor mance criteria.The Frequency of prior to entering MODE4 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the plugging criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.
North Anna Units 1 and 2B 3.4.20-8Revision 49SG Tube Integrity B 3.4.20BASESREFERENCES1.NEI97-06, "Steam Ge nerator Program Guidelines."2.10CFR50 AppendixA, GDC19.3.10CFR50.67.
4.RG1.183, July2000.
5.ASME Boiler and Pressure Vessel Code, SectionIII, SubsectionNB.
6.Draft Regulatory Guide1.121, "Basis for Plugging Degraded Steam Generator Tubes," August1976.7.EPRI, "Pressurized Water Reactor Steam Generator Examination Guidelines."
North Anna Units 1 and 2B 3.5.1-1Revision 0Accumulators B 3.5.1B 3.5EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.1AccumulatorsBASESBACKGROUNDThe functions of th e ECCS accumulators are to supply water to the reactor vessel during the blowdown phase of a loss of coolant acci dent (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a
small break LOCA.The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot in ternals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient
ends when the RCS pressu re falls to a value approaching that of the containment atmosphere.In the refill phase of a large break LOCA, which immediately follows the blowdown phase, reactor coolant inve ntory has vacated the core through steam flashing and ejection out through the break. The co re is essentially in adiabatic heatup. The balance of accumulat or inventory is then available to help fill voids in the lower plenum and reactor vessel downcomer so as to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of safety injection (SI) water.The accumulators are pressure vessels partially filled with borated water and pressurized with nitrogen gas.
The accumulators are passive components, since no operator or cont rol actions are required in order for them to perform their function. Internal accumulator tank pressure is sufficient to discharge the accumula tor contents to the RCS, if RCS pressure decreases below the accumulator pressure.
Each accumulator is piped into an RCS cold leg via an accumulator line and is isolated from the RCS by a mo tor operated isolation valve and two check valves in series.The accumulator size, water volume, and nitrogen cover pressure are selected so that two of the three accumulators are sufficient to partially
cover the core before significant clad melting or zirconium water reaction can(continued)
North Anna Units 1 and 2B 3.5.1-2Revision 0Accumulators B 3.5.1BASESBACKGROUND (continued)occur following a large break LOCA
. The need to ensure that two accumulators are adequate for this function is consistent with the large break LOCA assumption that the entire contents of one accumulator will be lost via the RCS pipe break during the blowdown phase of the large
break LOCA.APPLICABLE SAFETY ANALYSESThe accumulators are assumed OPERABLE in both the large and small break LOCA analyses at full power (Ref.1). These are the Design Basis
Accidents (DBAs) that establis h the acceptance limits for the accumulators. Reference to the analyses for these DBAs is used to assess changes in the accumulators as they relate to the acceptance limits.In performing the LOCA calculations, conservative assumptions are made concerning the availability of ECCS flow. In the early stages of a large
break LOCA, with or without a loss of offsite power, the accumulators provide the sole source of makeup water to the RCS. The assumption of loss of offsite power is required by re gulations and conservatively imposes a delay wherein the ECCS pumps cannot deliver flow until the emergency
diesel generators start, come to rated speed, and energize their respective buses. In cold leg large break scenarios, the entire contents of one
accumulator are assumed to be lost through the break.The limiting large break LOCA is a double ended guillotine break at the discharge of the reactor coolant pump. During this event, the accumulators discharge to the RCS as soon as RCS pressure decreases to below
accumulator pressure.
As a conservative estimate, no credit is taken for ECCS pump flow until an effective delay has elapsed. This dela y accounts for the di esels starting and the pumps being loaded and delivering full flow. The delay time is conservatively set with an additional 2seconds to account for SI signal generation. During this time, the accumulators are analyzed as providing the sole source of emergency core c ooling. No operator action is assumed during the blowdown stage of a large break LOCA.The worst case small break LOCA an alyses also assume a time delay before pumped flow reaches the core. For the larger range of small breaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated solely by the accumulators, with pumped flow then providing continued cooling. As break size decr eases, the accumulators and High (continued)
Accumulators B 3.5.1BASESNorth Anna Units 1 and 2B 3.5.1-3Revision 48APPLICABLE SAFETY ANALYSES(continued)
Head Safety Injection (HHSI) pumps bo th play a part in terminating the rise in clad temperature. As break size continues to decrease, the role of the accumulators continues to decrease until they are not required and the
HHSI pumps become solely responsible for terminati ng the temperature increase.This LCO helps to ensure that the fo llowing acceptance criteria established for the ECCS by 10CFR50.46 (Ref.2) will be met following a LOCA:a.Maximum fuel element cladding temperature is 2200&deg;F for small breaks, and there must be a high le vel of probability that the peak cladding temperature does not exceed 2200&deg;F for large breaks;b.Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;c.Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinde rs surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; andd.Core is maintained in a coolable geometry.Since the accumulators discharge during the blowdown phase of a LBLOCA, they do not contribute to th e long term cooling requirements of 10CFR50.46.For the small break LOCA analysis, a nominal contained accumulator water volume is used while the larg e break LOCA analysis samples the accumulator water volume over a gi ven range. For small breaks, the accumulator water volume only affects the mass flow rate of water into the RCS since the tanks do not empty for most break sizes analyzed. The assumed water volume has an insignificant effect upon the peak clad temperature. For large breaks, an incr ease in water volume can be either a peak clad temperature penalty or benefit, depending on downcomer filling and subsequent spill through the br eak during the core reflooding portion of the transient. The safety analysis supports operation with a contained water volume of between 7580gallons and 7756gallons per accumulator.
(continued)
North Anna Units 1 and 2B 3.5.1-4Revision 48Accumulators B 3.5.1BASESAPPLICABLE SAFETY ANALYSES(continued)
The minimum boron concentration set point is used in the post LOCA boron concentration calculation. The cal culation is performed to assure reactor subcriticality in a post LOCA environment. Of particular interest is the large break LOCA, since no credit is taken for control rod assembly insertion.
A reduction in the accumulator mi nimum boron concentration would produce a subsequent reduction in the available containment sump
concentration for post LOCA shutdown and an increase in the maximum sump pH. The maximum boron concentration is used in determining the cold leg to hot leg recirculation injection switchover time and minimum sump pH.The small break LOCA peak clad temper ature analysis is performed at the minimum nitrogen cover pressure, since sensitivity analyses have demonstrated that higher nitrogen cover pressure results in a computed peak clad temperature benefit. The maximum nitrogen cover pressure limit prevents accumulator relief valve actuation, and ultimately preserves accumulator integrity. The large break LOCA analysis samples the
accumulator pressure over a given range.The effects on containment mass and energy releases from the accumulators are accounted for in the appropriate analyses (Ref.1). The large break LOCA containment analyses assume that the accumulator nitrogen is discharged into the containment, which affects transient
subatmospheric pressure.
The accumulators satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe LCO establishes the minimum c onditions required to ensure that the accumulators are available to accomplish their core cooling safety function following a LOCA. Three accumulators are required to ensure that 100% of the contents of two of the accumulators will reach the core during a large break LOCA. This is consistent with the assumpti on that the contents of one accumulator spill through the break. If less than two accumulators are injected during the blowdown phase of a large break LOCA, the ECCS acceptance criteria of 10CFR50.46 (Ref.2) could be violated.
(continued)
Accumulators B 3.5.1BASESNorth Anna Units 1 and 2B 3.5.1-5Revision 9 LCO(continued)For an accumulator to be considered OPERABLE, the isolation valve must be fully open, power removed when RCS pressure is 2000psig, and the limits established in th e SRs for contained volum e, boron concentration, and nitrogen cover pressure must be met.APPLICABILITYIn MODES1 and2, and in MODE3 with RCS pressure >1000psig, the accumulator OPERABILITY requir ements are based on full power operation. Although cooling requirements decrease as power decreases, the accumulators are still required to provi de core cooling as long as elevated RCS pressures and temperatures exist.
This LCO is only applicable at pressures >1000psig. At pressures 1000psig, the rate of RCS blowdown is such that the ECCS pumps can provide adequate injection to ensure that peak clad temperature remains below the 10CFR50.46 (Ref.2) limit of 2200F.In MODE3, with RCS pressure 1000psig, and in MODES4, 5, and6, the accumulator motor opera ted isolation valves are closed to isolate the accumulators from the RCS. This allows RCS cooldown and depressurization without discharging the accumulators into the RCS or
requiring depressurization of the accumulators.ACTIONSA.1 If the boron concentration of one accumulator is not within limits, it must be returned to within the limits within 72hours. In this Condition, ability to maintain subcriticality or minimu m boron precipitation time may be reduced. The boron in the accumulators contributes to the assumption that the combined ECCS water in the par tially recovered core during the early reflooding phase of a large break LOCA is sufficient to keep that portion of the core subcritical. One accumulator below the minimum boron concentration limit, however, will have no effect on available ECCS water and an insignificant effect on core subcriticality during reflood. Boiling of ECCS water in the core during reflood concentrates boron in the saturated liquid that remains in the core. In addition, the accumulators do not discharge following a large main steam line break. Thus, 72hours is
allowed to return the boron concentration to within limits.
North Anna Units 1 and 2B 3.5.1-6Revision 46Accumulators B 3.5.1BASESACTIONS(continued)
B.1If one accumulator is inoperabl e for a reason other than boron concentration, the accumulator must be returned to OPERABLE status within 1hour. In this Condition, the re quired contents of two accumulators cannot be assumed to reach the core during a large break LOCA. Due to the severity of the consequences should a large break LOCA occur in these conditions, the 1hour Completion Time to open the valve, remove power to the valve, or restore the proper wa ter volume or nitrogen cover pressure ensures that prompt action will be taken to return the inoperable accumulator to OPERABLE status. The Completion Time minimizes the
time the unit is exposed to a LOCA under these conditions.
C.1 and C.2 If the accumulator cannot be return ed to OPERABLE status within the associated Completion Time, the uni t must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE3 within 6hours and RCS pressure reduced to 1000psig within 12hours. The allowed Completion Times are reasonable, based on operating expe rience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems.
D.1If more than one accumulator is inoperable, the unit is in a condition outside the accident analyses; therefore, LCO3.0.3 must be entered immediately.SURVEILLANCE
REQUIREMENT
SSR3.5.1.1Each accumulator isolation valve should be verified to be fully open. This
verification ensures that the accumulators are available for injection and ensures timely discovery if a valve should be less than fully open. If an isolation valve is not fully open, the ra te of injection to the RCS would be reduced. Although a motor operated valv e position should not change with power removed, a closed valve could result in not meeting accident analyses assumptions. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Accumulators B 3.5.1BASESNorth Anna Units 1 and 2B 3.5.1-7Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.5.1.2 and SR3.5.1.3 Borated water volume and nitrogen cove r pressure are verified for each accumulator. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.SR3.5.1.4 The boron concentration shoul d be verified to be wi thin required limits for each accumulator since the static de sign of the accumulators limits the ways in which the concentration can be changed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Sampling the affected accumulator within 6hours after a 50%
increase of indicated level will iden tify whether inleakage has caused a reduction in boron concentration to be low the required limit. It is not necessary to verify boron concentration if the added water inventory is from the refueling water storage tank (RWST), because th e water contained in the RWST is within the accumulator boron concentration requirements.
This is consistent with the recommendation of NUREG-1366 (Ref.3).Although the run of piping between the two accumulator discharge check
valves is credited in demonstrating compliance with Technical Specification3.5.1 minimum accumul ator volume requirement, the minimum boron concentration requirement does not apply to this run of piping. Applicable ac cident analyses have explic itly considered in-leakage from the RCS, and the resulting reduction in boron concentration in this
run of piping, which is not sampled.SR3.5.1.5Verification that power is removed from each accumulator isolation valve operator when the RCS pressure is 2000 psig ensures that an active failure could not result in the clos ure of an accumulator motor operated isolation valve. If this were to occur, only one accumulator would be available for injection given a single failure (continued)
North Anna Units 1 and 2B 3.5.1-8Revision 46Accumulators B 3.5.1BASESSURVEILLANCE REQUIREMENT
SSR3.5.1.5 (continued) coincident with a LOCA. The Surveillance Frequency is based on
operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR allows power to be supplied to the motor operated isolation valves when RCS pressure is <2000psig, t hus allowing operational flexibility by avoiding unnecessary delays to ma nipulate the breakers during unit startups or shutdowns.REFERENCES1. UFSAR, Chapter6 and Chapter15.2. 10CFR50.46.3. NUREG-1366, February1990.
North Anna Units 1 and 2B 3.5.2-1Revision 0 ECCS-Operating B 3.5.2B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.2ECCS-OperatingBASESBACKGROUNDThe function of the ECCS is to provide core co oling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:a.Loss of coolant accident (LOCA),
coolant leakage greater than the capability of the normal charging system;b.Rupture of a control rod drive mechanism-control rod assembly ejection accident;c.Loss of secondary coolant acci dent, including uncontrolled steam release or loss of feedwater; andd.Steam generator tube rupture (SGTR).
The addition of negative reactivity is designed primarily for the MSLB where primary cooldown could add enough positive reactivity to achieve criticality and return to significant power.
There are three phases of ECCS operati on: injection, cold leg recirculation, and hot leg recirculation. In the inj ection phase, water is taken from the refueling water storage tank (RWST) and injected into the Reactor Coolant System (RCS) through the cold legs. When sufficient water is removed from the RWST to ensure that enough boron has been added to maintain the reactor subcritical and the cont ainment sumps have enough water to supply the required net positive suction head to the ECCS pumps, suction is switched to the containment sump for cold leg recirculation. Within approximately 5hours, the ECCS flow is shifted to the hot leg recirculation phase to provide a backflush, which would reduce the boiling in the top of the core and any resulting boron precipitation.
The ECCS consists of two separate subsystems: High Head Safety Injection (HHSI) and Low Head Safety Injection (LHSI)
. Each subsystem consists of two redundant, 100% capacity trains.
The ECCS accumulators and the RWST are also part of the ECCS, but are not considered part of an ECCS flow path as described by this LCO.
(continued)
North Anna Units 1 and 2B 3.5.2-2Revision 0 ECCS-Operating B 3.5.2BASESBACKGROUND (continued)
The ECCS flow paths cons ist of piping, valves, and pumps such that water from the RWST can be injected in to the RCS following the accidents described in this LCO. The major components of each subsystem are the HHSI pumps and the LHSI pumps. Each of the two subsystems consists of two 100% capacity trains that are in terconnected and redundant such that either train is capable of supplying 100%
of the flow required to mitigate the accident consequences. This in terconnecting and redundant subsystem design provides the operators with the ability to utilize components from opposite trains to achieve the re quired 100% flow to the core.
During the injection phase of LOCA recovery, a suction header supplies water from the RWST to the ECCS pumps. Water from the supply header enters the LHSI pumps through para llel, normally open, motor operated valves. Water to the HHSI pumps is supplied via parallel motor operated valves to ensure that at least one valve opens on receipt of a safety injection actuation signal. The supply header th en branches to the three HHSI pumps through normally open, motor operated valves. The discharge from the HHSI pumps combines prior to ente ring the boron injection tank (BIT) and then divides again into three supply lines, each of which feeds the injection line to one RCS cold leg. The discharge from the LHSI pumps combine
and then divide into thre e supply lines, each of which feeds the injection line to one RCS cold leg. Control valves in the HHSI lines are set to balance the flow to the RCS. This balance ensures sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs and preclude pump runout.
For LOCAs that are too small to depressurize the RCS below the shutoff head of the LHSI pumps, the HHSI pumps supply water until the RCS pressure decreases below the LHSI pump shutoff head. During this period, the steam generators are used to provide part of the core cooling function.
During the recirculation phase of LOCA recovery, LHSI pump suction is transferred to the containment sum
: p. The LHSI pumps then supply the HHSI pumps. Initially, recirculation is through the same paths as the injection phase. Subsequently, recirculation altern ates injection between the hot and cold legs.
(continued)
ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-3Revision 0BACKGROUND (continued)
The HHSI subsystem of the ECCS also functions to supply borated water to the reactor core following increase d heat removal events, such as an MSLB. The limiting design conditions occur when th e negative moderator temperature coefficient is highly negati ve, such as at the end of each cycle.
HHSI pumps A and B are capable of being automatically started and are powered from separate emergenc y buses. HHSI pump C can only be manually started, but can be powered from either of the emergency buses that HHSI pumps A and B are powered from. An interlock prevents HHSI pump C from being powered from both emergency buses simultaneously.
For HHSI pump C to be OPERABLE, it must be running since it does not start automatically. In the event of a Sa fety Injection signal coincident with a loss of offsite power, interlocks pr event automatic opera tion of two HHSI pumps on the same emergency bus to prevent overloading the emergency diesel generators. HHSI pump C is nor mally either running, or available but not running. HHSI pump C is normally running if either HHSI pumpA or B is inoperable or both are otherwise preferred to not be in operation.
HHSI pump C is normally available but not running when either HHSI pump A or B is running.
The ECCS subsystems are actuated upon receipt of an SI signal. The actuation of safeguard loads is accomplished in a programmed time sequence. If offsite power is available, the safeguard loads start
immediately in the programmed sequence. If offsite power is not available, the Engineered Safety Feature (ESF
) buses shed normal operating loads and are connected to the emergency di esel generators (EDGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting an d pump starting determines the time required before pumped flow is availa ble to the core following a LOCA.
The active ECCS components, along with the passive accumulators and the RWST covered in LCO3.5.1, "Accumulators," and LCO3.5.4, "Refueling Water Storage Tank (RWST)," provide th e cooling water necessary to meet Reference1.
North Anna Units 1 and 2B 3.5.2-4Revision 13 ECCS-Operating B 3.5.2BASESAPPLICABLE SAFETY ANALYSESThe LCO helps to ensure that the fo llowing acceptance criteria for the ECCS, established by 10CFR50.46 (Ref.2), will be met following a LOCA:a.Maximum fuel element cladding temperature is 2200&deg;F for small breaks, and there must be a high le vel of probability that the peak cladding temperature does not exceed 2200&deg;F for large breaks;b.Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;c.Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding th e fuel, excluding the cladding surrounding the plenum volume, were to react;d.Core is maintained in a coolable geometry; ande.Adequate long term core cool ing capability is maintained.The LCO also limits the magnitude of post trip return to power following an MSLB event and ensures that containment temperature limits are met.
Each ECCS subsystem is taken credit for in a large break LOCA event at full power (Refs.3 and4). This ev ent establishes the maximum flow requirement for the ECCS pumps. The HHSI pumps are credited in a small break LOCA event. This event relies upon the flow and discharge head of
the HHSI pumps. The SGTR and MSLB events also credit the HHSI
pumps. The OPERABILITY requirements for the ECCS are based on the
following LOCA analysis assumptions:a.A large break LOCA event, with loss of offsite power and a single failure disabling one LHSI pump (
both EDG trains are assumed to operate due to requirements for modeling full active containment heat removal system operation); andb.A small break LOCA event, with a loss of offsite power and a single failure disabling one Emergency Diesel Generator.
(continued)
ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-5Revision 9APPLICABLE SAFETY ANALYSES(continued)During the blowdown stage of a large break LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large
breaks or control rod insertio n for small breaks. Following depressurization, emergency cooling water is injected into the cold legs, flows into the downcomer, fills the lower plenum, and refloods the core.The effects on containment mass and energy releases are accounted for in appropriate analysis (Ref.3). The LCO ensures that an ECCS train will deliver sufficient water to match boiloff rates soon enough to minimize the consequences of the core being uncovered following a large LOCA. It also ensures that the HHSI pumps will deliver sufficient wa ter and boron during a small LOCA to maintain core subcriticality. For smaller LOCAs, the HHSI pump delivers sufficient fluid to maintain RCS inventory. For a small break LOCA, the steam generators continue to serve as the heat sink, providing part of the required core cooling.
The ECCS trains satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOIn MODES1, 2, and3, two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is availabl e, assuming a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.In MODES1, 2, and3, an ECCS train consists of an HHSI subsystem and a LHSI subsystem. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon an SI signal and automati cally transferring suction to the containment sump.
During an event requiring ECCS actuat ion, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the three cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to supply its flow to the RCS hot and cold legs.
(continued)
North Anna Units 1 and 2B 3.5.2-6Revision 12 ECCS-Operating B 3.5.2BASESLCO(continued)The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.As indicated in the Note, the SI flow paths may be isolated for 2hours in MODE3, under controlled conditions, to perform pressure isolation valve testing per SR3.4.14.1. The flow path is r eadily restorable from the control room.APPLICABILITYIn MODES1, 2, and3, the ECCS OPERABILITY requirements for the limiting Design Basis Accident, a large break LOCA, are based on full power operation. Although reduced power would not require the same level of performance, the accident an alysis does not provide for reduced cooling requirements in the lower MODES. MODE2 and MODE3 requirements are bounded by the MODE1 analysis.This LCO is only applicable in MODE3 and above. Below MODE3, the
SI signal setpoint has already been manually bypa ssed by operator control, and system functional requirements ar e relaxed as described in LCO3.5.3, "ECCS-Shutdown."In MODES5 and6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE5 are addressed by LCO3.4.7, "RCS Loops-MODE5, Loops Filled," and LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled." MODE6 core cooling requirements are addressed by LCO3.9.5, "Residual Heat Re moval (RHR) and Coolant Circulation-High Water Level," and LCO3.9.6, "Residual Heat Removal
(RHR) and Coolant Circulation-Low Water Level."ACTIONSA.1With one or more trains inoperable and at least 100% of the ECCS flow
equivalent to a single OPERABLE ECCS train available, the inoperable components must be returned to OPERABLE status within 72hours. The 72hour Completion Time is based on an NRC reliability evaluation (Ref.5) and is a reasona ble time for repair of many ECCS components.
A note has been added to this Action's Completion Time to permit a one-time extension of the Completion Time to 7days to effect repairs on the Unit1 "A" LHSI train.
(continued)
ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-7Revision 9ACTIONSA.1 (continued)
An ECCS train is inoperable if it is not capable of deliveri ng design flow to the RCS. Individual components are inoperable if they are not capable of performing their design function or supporting systems are not available.
The LCO requires the OPERABILIT Y of a number of independent subsystems. Due to the redundancy of trains and the diversity of
subsystems, the inoperabil ity of one active compone nt in a train does not render the ECCS incapable of perfor ming its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of f unction for the ECCS (e.g., an inoperable HHSI pump in one train, and an inoperable LHSI pump in the other). This
allows increased flexibility in uni t operations under circumstances when components in opposite tr ains are inoperable.An event accompanied by a loss of offs ite power and the failure of an EDG can disable one ECCS train until power is restored. A relia bility analysis (Ref.5) has shown that the impact of having one full ECCS train inoperable is sufficiently small to justify continued operation for 72hours.
B.1 and B.2 If the inoperable trains cannot be retu rned to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE3 within 6hours and MODE4 within 12hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power c onditions in an orderly manner and without challenging unit systems.
C.1ConditionA is applicable with one or more trains inopera ble. The allowed Completion Time is based on the assu mption that at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is available. With less than 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available, the facility is in a condition outside of the accident analyses. Therefore, LCO3.0.3 must be entered immediately.
North Anna Units 1 and 2B 3.5.2-8Revision 46 ECCS-Operating B 3.5.2BASESSURVEILLANCE REQUIREMENT
SSR3.5.2.1Verification of proper va lve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves
could render both ECCS trains inoperable. Securing these valves in
position by removal of power or by ke y locking the control in the correct position ensures that they cannot change position as a result of an active
failure or be inadvertentl y misaligned. These valves ar e of the type that can disable the function of both ECCS tr ains and invalidate the accident
analyses. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.2Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provi des assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were
verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signa l is allowed to be in a nonaccident position provided the valve will automa tically reposition within the proper stroke time. This Surveillance doe s not require any testing or valve manipulation. Rather, it involves verifi cation that those va lves capable of being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.3With the exception of the operating charging pump, the ECCS pumps are normally in a standby nonope rating mode. As such, so me flow path piping has the potential to develop pockets of entrained gases. Plant operating experience and analysis has shown that after proper system filling (following maintenance or refuel ing outages), some entrained noncondensable gases remai
: n. These gases will form small voids, which remain stable in the system in both normal and tran sient operation. Mechanisms postulated to increase the (continued)
ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-9Revision 46SURVEILLANCE REQUIREMENT
SSR3.5.2.3 (continued) void size are gradual in nature, and th e system is operated in accordance with procedures to preclude growth in these voids.To provide additional assurances that the system will function, a verification is performed that the system is sufficiently full of water. The system is sufficiently full of water when the voids and pockets of entrained gases in the ECCS piping are small e nough in size and number so as to not interfere with the proper operation of the ECCS. Verificati on that the ECCS piping is sufficiently full of wa ter can be performed by venting the
necessary high point ECCS vents outsi de containment, using NDE, or using other Engineering-justified means. Maintaining the piping from the ECCS pumps to the RCS sufficiently full of water ensures that the system will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent water hammer, pump cavitation, and pumping of excess noncondensable gas (e.g., air, nitrogen, or hydrogen)
into the reactor vessel following an SI signal or during shutdown cooling.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.4 Periodic surveillance testing of E CCS pumps is required by the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This
testing is performed at low flow conditions during quarterly tests and near
design flow conditions at least once every 24months, as required by the Code. The quarterly test will detect gross degradation caused by impeller
structural damage or other hydrauli c component problems, but is not a good indicator of expected pump perf ormance at high flow conditions. Both tests verify that the measured performance is within an acceptable tolerance of the original pump baseline performance. Additionally, the 24-month comprehensive test verifies that the test flow is greater than or equal to the performance assumed in th e safety analysis. Due to limitations in system design, the 24-m onth test is performed during refueling outages.
SRs are specified in the Inservice Testing Program, (continued)
North Anna Units 1 and 2B 3.5.2-10 Revision 46 ECCS-Operating B 3.5.2BASESSURVEILLANCE REQUIREMENT
SSR3.5.2.4 (continued) which encompasses the ASME Code. The ASME Code provides the activities and Frequencies necessary to satisfy the requirements.SR3.5.2.5 and SR3.5.2.6These Surveillances demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SI signal and that each ECCS pump capable of starting automatically starts on recei pt of an actual or simulated SI signal. Th is Surveillance is not requi red for valves that are locked, sealed, or otherwise secu red in the required position under administrative controls. The Survei llance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.7 Proper throttle valve position is ne cessary for proper ECCS performance and to prevent pump runout and s ubsequent component damage. The Surveillance verifies each listed ECCS throttle valve is secured in the
correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.8 Periodic inspections of the containmen t sump components ensure that they are unrestricted and stay in prope r operating condition. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-11Revision 0REFERENCES1.UFSAR, Section3.1.31.2.10CFR50.46.3.UFSAR, Section15.4.1.
4.UFSAR, Section6.2 and Chapter15.
5.NRC Memorandum to V.Stello,Jr., from R.L.Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December1,1975.
Intentionally Blank North Anna Units 1 and 2B 3.5.3-1Revision 0 ECCS-Shutdown B 3.5.3B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.3ECCS-ShutdownBASESBACKGROUNDThe Background section for Bases3.5.2, "ECCS-Operating," is applicable to these Bases, wi th the following modifications.In MODE4, the required ECCS train cons ists of two separate subsystems:
High Head Safety Injection (HHSI) and Low Head Safety Injection (LHSI).The ECCS flow paths consist of piping, valves and pumps such that water from the refueling water storage tank (RWST) can be injected into the Reactor Coolant System (RCS) foll owing the accidents described in Bases3.5.2.APPLICABLE SAFETY ANALYSESThe Applicable Safety Analyses section of Bases3.5.2 also applies to this
Bases section.
Due to the stable conditions associated with operation in MODE4 and the reduced probability of occurrence of a Design Basis Accident (DBA), the ECCS operational requirements are reduced. It is understood in these reductions that certain automatic safety injection (S I) actuation is not available. In this MODE, sufficient ti me exists for manual actuation of the required ECCS to mitigate the consequences of a DBA. The safety analysis assumes that flow from one HHSI pump is manually initiated 10minutes after the DBA.
Only one train of ECCS is required for MODE4. This requirement dictates that single failures are not consid ered during this MODE of operation.
The ECCS trains satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOIn MODE4, one of the two independe nt (and redundant) ECCS trains is required to be OPERABLE to ensure that sufficient ECCS flow is available to the core following a DBA.
In MODE4, an ECCS train consists of an HHSI subsystem and an LHSI subsystem. Each train includes the pi ping, instruments, and controls to ensure an OPERABLE flow path capable of (continued)
North Anna Units 1 and 2B 3.5.3-2Revision 0 ECCS-Shutdown B 3.5.3BASESLCO(continued)taking suction from the RWST and tran sferring suction to the containment sump.During an event requiring ECCS actuat ion, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the three cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment su mp and to deliver its flow to the RCS hot or cold legs.APPLICABILITYIn MODES1, 2, and3, the OPERABILITY requirements for ECCS are covered by LCO3.5.2.In MODE4 with RCS temperature below 350F, one OPERABLE ECCS train is acceptable without single fail ure consideration, on the basis of the stable reactivity of the reactor and the limited core cooling requirements.In MODES5 and6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE5 are addressed by LCO3.4.7, "RCS Loops-MODE5, Loops Filled," and LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled." MODE6 core cooling requirements are addressed by LCO3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO3.9.6, "Res idual Heat Removal (RHR) and Coolant Circulation-Low Water Level."ACTIONSA.1With no ECCS train OPERABLE, due to the inoperability of the ECCS
flow path, the unit is not prepared to respond to Design Basis Events requiring SI. The 1hour Completion Time to restore at least one ECCS train to OPERABLE status ensures that prompt action is taken to provide the required cooling capacity or to initiate actions to place the unit in MODE5, where an ECCS train is not required.
B.1When the Required Actions of ConditionA cannot be completed within the required Completion Time, the unit should be placed in MODE5. Twenty-four hours is a reasonable time, based on operating experience, to reach MODE5 in an orderly manner and without challenging unit systems or operators.
ECCS-Shutdown B 3.5.3BASESNorth Anna Units 1 and 2B 3.5.3-3Revision 0SURVEILLANCE REQUIREMENT
SSR3.5.3.1The applicable Surveillance descriptions from Bases3.5.2 apply.REFERENCESThe applicable references from Bases3.5.2 apply.
Intentionally Blank North Anna Units 1 and 2B 3.5.4-1Revision 0RWSTB 3.5.4B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.4Refueling Water Storage Tank (RWST)BASESBACKGROUNDThe RWST supplies borated water to the Chemical and Volume Control System (CVCS) during abnormal opera ting conditions, to the refueling pool during refueling, and to the ECCS and the Quench Spray System during accident conditions.The RWST supplies water to the ECCS pumps through a common supply header. Water from the supply header en ters the low head safety injection (LHSI) pumps through parallel, norm ally open, motor operated valves. Water to the High Head Safety Inj ection (HHSI) pumps is supplied via parallel motor operated valves to ensure that at least one opens on receipt of a safety injection actuation signal. The supply header then branches to the three HHSI pumps. The RWST supplies water to the Quench Spray
pumps via separate, redundant lines. A motor operated isolation valve is provided in each header to isolate the RWST from the ECCS once the system has been transferred to the recirculation mode.
The recirculation mode is entered when pump suction is transferred to the containment sump either manually or automatically following receipt of the RWST-Low Low level signal. Use of a single RWST to supply both trains of the ECCS and Quench Spray System is acceptable since the RWST is a passive component used for a short period of time following an accident, and
passive failures are not re quired to be assumed to occur during the time the RWST is needed follow ing Design Basis Events.
The switchover from normal operation to the injection phase of ECCS operation requires changing HHSI pump suction from the CVCS volume control tank (VCT) to the RWST through the use of isolation valves.
During normal operation, the LHSI pumps are aligned to take suction from the RWST.
The ECCS pumps are provided with r ecirculation lines that ensure each pump can maintain minimum flow requi rements when operating at or near shutoff head conditions.
(continued)
North Anna Units 1 and 2B 3.5.4-2Revision 0RWSTB 3.5.4BASESBACKGROUND (continued)
When the suction for the ECCS pumps is transferred to the containment sump, the recirculation lines are isol ated to prevent a release of the containment sump contents to the RWST
, which could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ECCS pumps.
This LCO ensures that:
a.The RWST contains sufficient borated water to support the ECCS during the injection phase and Quench Spray System;b.Sufficient water volume exists in the containment sumpto support continued operation of the ECCS and Recirculation Spray System pumps following transfer to the reci rculation mode of cooling; andc.The reactor remains subcritical following a loss of coolant accident (LOCA).Insufficient water volume in the RWST could result in insufficient cooling capacity when the transfer to the recirculation mode occurs. Improper boron concentrations could result in a reduction of SDM or excessive boric acid precipitation in the core following the LOCA, as well as excessive caustic stress corrosion of mechanic al components and systems inside the containment.APPLICABLE SAFETY ANALYSESDuring accident conditions, the RWST provides a source of borated water to the ECCS and Quench Spray System pumps. As such, it provides
containment cooling and depressurizat ion, core cooling, and replacement inventory to the RCS and is a source of negative reactivity for reactor shutdown (Ref.1). The design basis transients and applicable safety analyses concerning each of these systems are discussed in the Applicable Safety Analyses section of B3.5.2, "ECCS-Operating"; B3.5.3, "ECCS-Shutdown"; and B3.6.6, "Que nch Spray System." These analyses are used to assess changes to the RWST in order to evaluate their effects in relation to the acceptance limits in the analyses.The RWST must also meet volume, boron concentration, and temperature requirements for certain non-LOCA even ts. The volume is not an explicit assumption in non-LOCA events since the required volume is a small fraction of the (continued)
RWSTB 3.5.4BASESNorth Anna Units 1 and 2B 3.5.4-3Revision 10APPLICABLE SAFETY ANALYSES(continued) available volume. The deliverable volume limit is assumed by the Large Break LOCA containment analyses. For the RWST, the deliverable volume is different from the total volume c ontained. Because of the design of the tank, more water can be contained than can be delivered. The upper RWST volume limit is assumed for pH c ontrol after a LBLOCA. The minimum
boron concentration is an explicit as sumption in the main steam line break (MSLB) analysis to ensure the required shutdown capability. The importance of its value is small because of the boron injection tank (BIT)
with a high boron concentration. The maximum boron concentration is an explicit assumption in the inadvertent ECCS actuation anal ysis, although it is typically a nonlimiting ev ent and the results are ve ry insensitive to boron concentrations. The maximum RWST temperature ensures that the amount of containment cooling provided from the RWST during containment
pressurization events is consistent wi th safety analysis assumptions. The minimum RWST temperature is an assumption in the inadvertent Quench
Spray actuation analyses.For a large break LOCA analysis, the minimum water volume limit of 466,200gallons and the lower boron concentration limit of 2600ppm are used to compute the post LOCA sump boron concentration necessary to assure subcriticality. The large break LOCA is the limiting case since the safety analysis assumes that all control rods are out of the core.
The upper limit on boron concentration of 2800ppm is used to determine the maximum allowable time to switch to hot leg recirculation following a LOCA. The purpose of switching from cold leg to hot leg injection is to avoid boron precipitation in the core following the accident.
In the ECCS analysis, the quench spray temperature is bounded by the RWST lower temperature limit of 40F. If the lower temperature limit is violated, the quench spray further re duces containment pressure, which decreases the rate at which steam can be vented out the break and increases peak clad temperature. The upper temperature limit of 50F is bounded by the values used in the small break LOCA analysis and containment OPERABILITY analysis. Exceeding this temperature will result in a higher peak clad temperature, because there is less heat transfer from the core to the injected water for the small break LOCA and higher containment pressures due to reduced quench spray cooling capacity. For
the containment response following an MSLB, (continued)
North Anna Units 1 and 2B 3.5.4-4Revision 10RWSTB 3.5.4BASESAPPLICABLE SAFETY ANALYSES(continued) the lower limit on boron concentration and the upper limit on RWST water temperature are used to maximize the total energy release to containment.The RWST satisfies Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe RWST ensures that an adequate supply of borated wate r is available to cool and depressurize the containmen t in the event of a Design Basis Accident (DBA), to cool and cover th e core in the event of a LOCA, to maintain the reactor subcritical follow ing a DBA, and to ensure adequate level in the containment sump to support ECCS and Recirculation Spray
System pump operation in the recirculation mode.To be considered OPERABLE, the RWST must meet the water volume, boron concentration, and temperature limits established in the SRs.APPLICABILITYIn MODES1, 2, 3, and4, RWST OPERABILITY requirements are dictated by ECCS and Quench Spray System OPERABILITY requirements. Since both the ECCS and the Quench Spray System must be OPERABLE in MODES1, 2, 3, and4, the RWST must also be
OPERABLE to support their operation. Core cooling requirements in MODE5 are addressed by LCO3.4.7, "RCS Loops-MODE5, Loops Filled," and LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled."
MODE6 core cooling requirements are addressed by LCO3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO3.9.6, "Residual Heat Re moval (RHR) and Coolant Circulation-Low Water Level."ACTIONSA.1With RWST boron concentration or bor ated water temperature not within limits, they must be returned to within limits within 8hours. Under these conditions neither the ECCS nor the Qu ench Spray System can perform its design function. Therefore, prompt action must be ta ken to restore the tank to OPERABLE condition. The 8hour limit to restore the RWST temperature or boron concentration to within limits was developed considering the time required to change either the boron concentration or
temperature and the fact that the contents of the tank are still available for injection.
RWSTB 3.5.4BASESNorth Anna Units 1 and 2B 3.5.4-5Revision 46ACTIONS(continued)
B.1With the RWST inoperable for reasons other than ConditionA (e.g., water volume), it must be restored to OPERABLE status within 1hour.
In this Condition, neither the ECCS nor the Quench Spray System can perform its design function. Therefore, prompt action must be taken to restore the tank to OPERABLE status or to place the unit in a MODE in which the RWST is not required. The short time limit of 1hour to restore the RWST to OPERABLE status is ba sed on this condition simultaneously affecting redundant trains.
C.1 and C.2If the RWST cannot be returned to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.5.4.1The RWST borated water temperature should be verified to be within the
limits assumed in the accident anal yses band. The Surv eillance Frequency is based on operating experience, equipment reliability, and plant risk and
is controlled under the Surveill ance Frequency Control Program.SR3.5.4.2The RWST water volume should be ve rified to be above the required minimum level in order to ensure that a sufficient initial supply is available for injection and to support conti nued ECCS and Recirculation Spray System pump operation on recirculati on. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.
North Anna Units 1 and 2B 3.5.4-6Revision 46RWSTB 3.5.4BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.5.4.3The boron concentration of the RWST should be verified to be within the required limits. This SR ensures that the reactor will remain subcritical following a LOCA. Further, it assures that the resulting sump pH will be maintained in an acceptable range so that boron precipitation in the core will not occur and the effect of ch loride and caustic stress corrosion on mechanical systems and components wi ll be minimized. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6 and Chapter15.
North Anna Units 1 and 2B 3.5.5-1Revision 0 Seal Injection Flow B 3.5.5B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.5Seal Injection FlowBASESBACKGROUNDThe function of the seal injection throttle valv es during an accident is similar to the function of the ECCS throttle valves in that each restricts flow from the High Head Safety In jection (HHSI) pum p header to the Reactor Coolant System (RCS).
The restriction on reactor coolant pump (RCP) seal injection flow limits the amount of ECCS flow that would be diverted from the injection path following an accident and precludes HHSI pump runout due to excessive seal injection flow. This limit is based on safety analysis assumptions that are required because RCP seal injection flow is not isolated during safety injection (SI).APPLICABLE SAFETY ANALYSESAll ECCS subsystems are assumed to be OPERABLE in the large break loss of coolant accident (LOCA) at full power (Ref.1). The LOCA analysis establishes the minimum flow for the HHSI pumps. The HHSI pumps are also credited in the small break LOCA analysis. This analysis establishes the flow and discharge head requireme nts at the design point for the HHSI pumps. The steam generator tube ruptur e and main steam line break event analyses also credit the HHSI pumps, but are not limiting in their design.
Reference to these analyses is made in assessing changes to the Seal Injection System for evaluation of their effects in relation to the acceptance limits in these analyses.This LCO ensures that seal injection flow of 30gpm, with RCS pressure 2215psig and 2255psig and seal injection (air operated) hand control valve full open, will be limited in such a manner that the ECCS trains will be capable of delivering sufficient wa ter to provide adequate core cooling following a large LOCA, and protec t against HHSI pump runout. The analysis conservatively neglects the contribution from seal injection to the
RCS. This conservatism bounds the minor effect of instrument uncertainty, so instrument uncertainties have not been included in the derivation of the flow (30 gpm) and RCS pressure (2215psig and 2255psig) setpoints.
The flow limit also ensures that the HHSI pumps will deliver (continued)
North Anna Units 1 and 2B 3.5.5-2Revision 0 Seal Injection Flow B 3.5.5BASESAPPLICABLE SAFETY ANALYSES(continued)sufficient water for a small LOCA and sufficient boron to maintain the core subcritical. For smaller LOCAs, the HHSI pumps alone deliver sufficient fluid to overcome the loss and maintain RCS inventory.
Seal injection flow satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThe intent of the LCO li mit on seal injection flow is to make sure that flow through the RCP seal water injection line is low enough to ensure that sufficient HHSI pump injection flow is directed to the RCS via the injection points and to prevent pump runout.The LCO is not strictly a flow limit, but rather a flow lim it based on a flow line resistance. In order to establis h the proper flow line resistance, a pressure and flow must be known. The flow line resistance is determined by assuming that the RCS pressure is at normal operating pressure as specified in this LCO. The HHSI pump discharge header pressure remains essentially constant through all the applicable MODES of this LCO. A
reduction in RCS pressure would result in more flow being diverted to the RCP seal injection line than at normal operating pressure. The valve settings established at the prescribed RCS pressure result in a conservative valve position should RCS pressure decr ease. The additional modifier of this LCO, the seal injection (air op erated) hand control valve being full open, is required since the valve is designed to fail open for the accident condition. With the discharge pressure and control valve position as
specified by the LCO, a flow path resistance limit is established. It is this resistance limit that is used in the accident analyses.The limit on seal injection flow, combined with the RCS pressure limit and an open wide condition of the seal injection hand control valve, must be met to render the ECCS OPERABLE. If these conditions are not met, the ECCS flow to the core could be less than that assumed in the accident analyses.APPLICABILITYIn MODES1, 2, and3, the seal injection flow limit is dictated by ECCS flow requirements, which are specified for MODES1, 2, 3, and4. The seal
injection flow limit is not applicable for MODE4 and lower, however, because high seal (continued)
Seal Injection Flow B 3.5.5BASESNorth Anna Units 1 and 2B 3.5.5-3Revision 46APPLICABILITY (continued) injection flow is less critical as a result of the lower initial RCS pressure and decay heat removal requirements in these MODES. Therefore, RCP
seal injection flow must be limited in MODES1, 2, and3 to ensure adequate ECCS performance.ACTIONSA.1With the seal injection flow exceeding its limit, the amount of charging flow available to the RCS may be reduced or, following a LOCA, pump runout could occur. Under this Conditi on, action must be taken to restore the flow to below its limit. The operator has 4hours from th e time the flow is known to be above the limit to co rrectly position the manual valves and thus be in compliance with the accident analysis. The Completion Time minimizes the potential exposure of the unit to a LOCA with insufficient
injection flow and provides a reasonable time to rest ore seal injection flow within limits. This time is conservative with respect to the Completion Times of other ECCS LCOs; it is based on operating experience and is sufficient for taking corrective actions by operations personnel.
B.1 and B.2When the Required Actions cannot be completed within the required Completion Time, a controlled shutdown must be initiated. The Completion Time of 6hours for reaching MODE3 from MODE1 is a reasonable time for a controlled shutdown, based on operating experience
and normal cooldown rates, and does no t challenge unit safety systems or operators. Continuing the unit shutdown begun in Required ActionB.1, an additional 6hours is a reasonable time, based on operating experience and normal cooldown rates, to reach MODE4, where this LCO is no longer applicable.SURVEILLANCE
REQUIREMENT
SSR3.5.5.1Verification that the manual seal inject ion throttle valves are adjusted to give a flow within the limit ensure s that proper manual seal injection throttle valve position, and hence, proper seal injection flow, is maintained.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
(continued)
North Anna Units 1 and 2B 3.5.5-4Revision 46 Seal Injection Flow B 3.5.5BASESSURVEILLANCE REQUIREMENT
SSR3.5.5.1 (continued)As noted, the Surveillance is not required to be performed until 4hours after the RCS pressure has stabilized within a +/-20psi range of normal
operating pressure. The RCS pressure re quirement is specified since this configuration will produce the require d pressure conditions necessary to assure that the manual valves are set correctly. The exception is limited to 4hours to ensure that the Surveillance is timely.REFERENCES1.UFSAR, Chapter6 and Chapter15.
North Anna Units 1 and 2B 3.5.6-1Revision 0 BITB 3.5.6B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.6Boron Injection Tank (BIT)BASESBACKGROUNDThe BIT is the primary means of quickly introducing negative reactivity into the Reactor Coolant System (RCS
) on a safety injection (SI) signal.
The main flow path through the Boron Injection Tank is from the discharge of the High Head Safety Injecti on (HHSI) pumps through lines equipped with a flow element and two valves in parallel that open on an SI signal. The valves can be operated from th e main control board. The valves and flow elements have main control boa rd indications. Downstream of these valves, the flow enters the BIT (Ref.1).The BIT is a stainless steel clad ta nk containing concentrated boric acid. Two trains of strip heaters are mounted on the tank to keep the temperature of the boric acid solution above the precipitation point. The strip heaters are controlled by temperature elements located near the bottom of the BIT. The temperature elements also activate High and Low temperature alarms in the Control Room. In addition to the strip heaters on the BIT, there is a recirculation system wi th a heat tracing system, including the piping section between the motor operated isolation valves
, which further ensures that the boric acid stays in solution.
The entire contents of the BIT are injected when required; thus, the cont ained and deliverable volumes are the same.During normal operat ion, a boric acid transfer pump provides recirculation between the boric acid tank and the BIT.
On receipt of an SI signal, the recirculation line valves close. Flow to the BIT is then supplied from the HHSI pumps. The solution of the BIT is injected into the RCS through the RCS cold legs.APPLICABLE SAFETY ANALYSESDuring a main steam line break (MSL B) or loss of coolant accident (LOCA), the BIT provides an immediate source of concentrated boric acid that quickly introduces negative reactivity into the RCS.
(continued)
North Anna Units 1 and 2B 3.5.6-2Revision 0 BITB 3.5.6BASESAPPLICABLE SAFETY ANALYSES(continued)
The contents of the BIT are not cred ited for core cooling or immediate boration in the LOCA analysis, but are for post LOCA recovery. The BIT maximum boron concentration of 15,750ppm is used to determine the
minimum time for hot leg recirculation switchover. The minimum boron concentration of 12,950ppm is used to determine the minimum mixed mean sump boron concentration fo r post LOCA shutdown requirements.For the MSLB, the BIT is the primar y mechanism for injecting boron into the core to counteract the positive increases in re activity caused by an RCS cooldown. The MSLB core response an alysis conservatively assumes a 0ppm minimum boron concentration of the BIT, which also affects the
departure from nucleate boiling desi gn analysis. The MSLB containment response analysis conservatively assumes a 2000ppm minimum boron concentration of the BIT. Reference to the LOCA and MSLB analyses is used to assess changes to the BIT to evaluate their effect on the acceptance limits contained in these analyses.The minimum temperature limit of 115F for the BIT ensures that the solution does not reach the boric acid precipitation point. The temperature of the solution is monitored and alarmed on the main control board.
The BIT boron concentration limits are established to ensure that the core remains subcritical during post LOCA recovery. The BIT will counteract any positive increases in reactiv ity caused by an RCS cooldown.The BIT water volume of 900gallons is us ed to ensure that the appropriate quantity of highly borated water with sufficient negative reactivity is injected into the RCS to shut down the core following an MSLB, to determine the hot leg recirculation switchover time, and to safeguard against boron precipitation.The BIT satisfies Criteria2 and3 of 10CFR 50.36(c)(2)(ii).
LCOThis LCO establishes the minimum requirements for contained volume, boron concentration, and temperature of the BIT inventory. This ensures that an adequate supply of borated wa ter is available in the event of a LOCA or MSLB to maintain the re actor subcritical following these accidents.
(continued)
BITB 3.5.6BASESNorth Anna Units 1 and 2B 3.5.6-3Revision 0 LCO(continued)To be considered OPERABLE, the limits established in the SR for water volume, boron concentration, a nd temperature must be met.APPLICABILITYIn MODES1, 2, and3, the BIT OPERABILITY requirements are consistent with those of LCO3.5.2, "ECCS-Operating."In MODES4, 5, and6, the respective accidents are less severe, so the BIT is not required in these lower MODES.ACTIONSA.1 If the required volume is not present in the BIT, both the hot leg recirculation switchover time analysis and the boron preci pitation analysis may not be correct. Under these conditions, prompt ac tion must be taken to restore the volume to above its re quired limit to declare the tank OPERABLE, or the unit must be placed in a MODE in which the BIT is
not required.
The BIT boron concentration is consid ered in the hot leg recirculation switchover time anal ysis, the boron precipitation analysis, and may effect the reactivity analysis for an MSLB. If the concentration were not within
the required limits, these analyses could not be relied on. Under these conditions, prompt action must be taken to restore the concentration to
within its required limits, or the unit must be placed in a MODE in which the BIT is not required.The BIT temperature limit is establis hed to ensure that the solution does not reach the boric acid crystallization point. If the temperature of the solution drops below the minimum, prom pt action must be taken to raise the temperature and declare the ta nk OPERABLE, or the unit must be placed in a MODE in which the BIT is not required.The 1hour Completion Time to restore the BIT to OPERABLE status is consistent with other Completion Times established for loss of a safety
function and ensures that the unit will not operate for long periods outside of the safety analyses.
North Anna Units 1 and 2B 3.5.6-4Revision 46 BITB 3.5.6BASESACTIONS(continued)
B.1, B.2, and B.3When Required ActionA.1 cannot be completed within the required Completion Time, a controlled shutdow n should be initiated. Six hours is a
reasonable time, based on operating experience, to reach MODE3 from full power conditions and to be bor ated to the required SDM without challenging unit systems or operators
. Borating to the required SDM assures that the unit is in a safe c ondition, without need for any additional boration.
After determining that the BIT is i noperable and the Required Actions of B.1 andB.2 have been completed, the tank must be returned to OPERABLE status within 7days. Thes e actions ensure that the unit will not be operated with an inoperable BIT for a lengthy period of time. It should be noted, however, that cha nges to applicable MODES cannot be
made until the BIT is restored to OPERABLE status, except as provided by LCO3.0.4.
C.1Even though the RCS has been borated to a safe and stable condition as a result of Required ActionB.2, either the BIT must be restored to OPERABLE status (Required ActionC.1) or the unit must be placed in a condition in which the BIT is not required (MODE4). The 12hour Completion Time to reach MODE4 is reasonable, based on operating
experience and normal cooldown rates, and does not challenge unit safety systems or operators.SURVEILLANCE
REQUIREMENT
SSR3.5.6.1Verification that the BIT water temper ature is at or above the specified minimum temperature will identify a temperature change that would approach the acceptable limit. The solution temperature is also monitored by an alarm that provides further a ssurance of protection against low temperature. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
BITB 3.5.6BASESNorth Anna Units 1 and 2B 3.5.6-5Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.5.6.2Verification that the BIT contained volume is above the required limit assures that this volume will be availa ble for quick injection into the RCS. The 900gallon limit corresponds to the BIT being completely full.
Methods of verifying that the BIT is completely full include venting from the high point vent, and recirculation flow with the Boric Acid Storage Tanks. If the volume is too low, the BIT would not provi de enough borated water to ensure subcriticality during recirculation or to provide additional core shutdown margin following an MS LB. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.SR3.5.6.3Verification that the boron concentration of the BIT is within the required band ensures that the reactor remains subcritical foll owing a LOCA; it limits return to power following an MSLB, and maintains the resulting sump pH in an acceptable range so that boron precipitati on will not occur in the core. In addition, the effect of chloride and causti c stress corrosion on mechanical systems and components will be minimized.
The BIT is in a recirculation loop th at provides continuous circulation of the boric acid solution through the BIT and the boric acid tank (BAT).
There are a number of points along th e recirculation loop where local samples can be taken. The actual loca tion used to take a sample of the solution is specified in the unit Surv eillance procedures.
Sampling from the BAT to verify the concentration of th e BIT is not recommended, since this sample may not be homogenous and the boron concentration of the two tanks may differ.
The sample should be taken from the BI T or from a point in the flow path of the BIT recirculation loop.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6 and Chapter15.
Intentionally Blank North Anna Units 1 and 2B 3.6.1-1Revision 0Containment B 3.6.1B 3.6CONTAINMENT SYSTEMSB 3.6.1ContainmentBASESBACKGROUNDThe containment consists of the concrete reactor building, its steel liner, and the penetrations through this stru cture. The structure is designed to contain radioactive material that may be released from the reactor core following a design basis loss of coolant accident (LOCA). Additionally, this structure provides shielding from the fission products that may be present in the containment atmos phere following accident conditions.
The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a hemispherica l dome roof. The in side surface of the containment is lined with a carbon st eel liner to ensure a high degree of leak tightness during operating and accident conditions.The concrete reactor building is requi red for structural integrity of the containment under Design Basis Acci dent (DBA) conditions. The steel liner and its penetrations establis h the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioac tivity from the containment to the environment. SR3.6.1.1 leakage rate requirements comply with 10CFR50, AppendixJ, OptionB (Ref.1), as modified by approved exemptions.
The isolation devices for the penetra tions in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:
a.All penetrations required to be closed during accident conditions are either:1.capable of being closed by an OPERABLE automatic containment isolation system, or2.closed by manual valves, blind flan ges, or de-activated automatic valves secured in their closed positions, except as provided in LCO3.6.3, "Containment Isolation Valves";
North Anna Units 1 and 2B 3.6.1-2Revision31Containment B 3.6.1BASESBACKGROUND (continued)b.Each air lock is OPERABLE, except as provided in LCO3.6.2, "Containment Air Locks";c.All equipment hatches are closed; andd.The sealing mechanism associated with each penetration (e.g. welds, bellows, or O-rings) is OPERABLE.APPLICABLE SAFETY ANALYSESThe safety design basis for the containment is that the containment must
withstand the pressures and temperat ures of the limiting DBA without exceeding the design leakage rate.The DBAs that result in a challenge to containment OPERABILITY from high pressures and temperatures are a LOCA, a steam line break, and a rod ejection accident (REA) (Ref.2). In addition, release of significant fission product radioactivity within containmen t can occur from a LOCA or REA. In the DBA analyses, it is assume d that the containment is OPERABLE such that, for the DBAs involving release of fission product radioactivity, release to the environment is controlled by the rate of c ontainment leakage. The containment was designed with an allowable l eakage rate of 0.1% of containment air weight per day (Ref.3). This leakage rate, used to evaluate offsite doses resulting from accidents, is defined in 10CFR50, AppendixJ, OptionB (Ref.1), as L a: the maximum allowable containment leakage rate at the calculated peak containment internal pressure (P a) resulting from the limiting design basis LOCA. The allowable leakage rate represented by L a forms the basis for the acceptance criteria imposed on all containment leakage rate testing. L a is assumed to be 0.1% of containment air weight per day in the safety analyses at P a (Ref.3).Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.
The containment satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCOContainment OPERABILITY is maintained by limiting leakage to  1.0 La, except prior to the first startup af ter performing a required Containment Leakage Rate Testing Program leakage test. At this time the applicable leakage limits must be met.
(continued)
Containment B 3.6.1BASESNorth Anna Units 1 and 2B 3.6.1-3Revision 0 LCO(continued)
Compliance with this LCO will en sure a containment configuration, including the equipment hatch, that is st ructurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.
Individual leakage rates specified fo r the containment air lock (LCO3.6.2) and purge valves with resilient seals (LCO3.6.3) are not specifically part of the acceptance criteria of 10CFR50, AppendixJ. Therefore, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0L a.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material into containment. In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and
temperature limitations of these MODE S. Therefore, containment is not required to be OPERABLE in MODE5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE6 are addressed in LCO 3.9.4, "Containment Penetrations."ACTIONSA.1 In the event containment is inoperable, containment must be restored to OPERABLE status within 1hour. The 1hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES1, 2, 3, and4. This time period
also ensures that the probability of an accident (requiring containment
OPERABILITY) occurring during periods when containment is inoperable is minimal.
B.1 and B.2 If containment cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power c onditions in an orderly manner and without challenging unit systems.
North Anna Units 1 and 2B 3.6.1-4Revision 0Containment B 3.6.1BASESSURVEILLANCE REQUIREMENT
SSR3.6.1.1 Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Failure to meet air lock and purge valves with resilient seal leakage limits specified in LCO3.6.2 and LCO3.6.3 does not invalidate the acceptability of these overall leakage
determinations unless their contribution to overall TypeA, B, andC leakage causes that to exceed limits. As left leakage prior to the first startup after performing a required Containment Leakage Rate Testing Program, leakage test is required to be 0.6La for combined Type B and C leakage, and 0.75La for overall Type A leakage. At all other times between required leakage rate tests, the accep tance criteria is based on an overall Type A leakage limit of 1.0La. At 1.0La the offsite dose consequences are bounded by the assumptions of the sa fety analysis. SR Frequencies are as required by the Containment Leakage Rate Testing Program. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.REFERENCES1.10CFR50, AppendixJ, OptionB.2.UFSAR, Chapter15.3.UFSAR, Section6.2.
North Anna Units 1 and 2B 3.6.2-1Revision 0 Containment Air Locks B 3.6.2B 3.6  CONTAINMENT SYSTEMSB 3.6.2Containment Air LocksBASESBACKGROUNDContainment air lock s form part of the contai nment pressure boundary and provide a means for personnel acce ss during all MODES of operation.
Each air lock is nominally a right circular cylinder, one of which is 7ft in diameter, the other 5.75ft in diameter, with a door at each end. The 5.75ft diameter equipment hatch escape air lock is an integral part of the
containment equipment hatch. The doors are interlocked to prevent
simultaneous opening. During periods wh en containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing
both doors of an air lock to rema in open for extended periods when frequent containment entry is necessary. Each air lock door has been
designed and tested to certif y its ability to withstand a pressure in excess of the maximum expected pressure follo wing a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors co ntains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. The inner and outer door of the 7 ft diameter personnel air lock include an 18 inch diameter emergency manway. The ma nways contain double gasketed seals and local leak rate testing capability to ensure pressure integrity. The manways are to be used only for emer gency entrance or exit from the air lock. Operation of the manways of the 7 ft personnel air lock is controlled administratively.The 7ft personnel air lock is provide d with limit switches on both doors that provide control room alarm of inside or outside door operation. Outside access to the 5.75ft equipment hatch escape air lock is controlled by an alarmed door to the space outside containment which provides access to the air lock.The containment air locks form part of the containment pressure boundary.
As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate
in excess of that assumed in the unit safety analyses.
North Anna Units 1 and 2B 3.6.2-2Revision31 Containment Air Locks B 3.6.2BASESAPPLICABLE SAFETY ANALYSESThe DBAs that result in a releas e of radioactive material within containment are a loss of coolant ac cident and a rod ejection accident (Ref.3). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the
environment is controlled by the ra te of containment leakage. The containment was designed with an a llowable leakage rate of 0.1% of containment air weight per day (Ref.2).
This leakage rate is defined in 10CFR50, AppendixJ, OptionB (Ref.1), as L a=0.1% of containment air weight per day, the maximum allowable containm ent leakage rate at the calculated peak containment internal pressure P a following a design basis LOCA. This allowable leakage rate forms the basis for the acceptance
criteria imposed on the SRs a ssociated with the air locks.
The containment air locks satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOEach containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the c ontainment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are
essential to the successful mitigation of such an event.
Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the TypeB air lock leakage test, and both air lock doors must be OPERABLE. Opening or
closing of the manways of the 7 ft pers onnel air lock is treated in the same manner as opening or closing of the associated door. The interlock allows only one air lock door of an air lock to be opened at one time. Operation of the manways of the 7 ft personnel air lock is controlled administratively.
These provisions ensure that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to pr ovide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for entry into or exit from containment.
Containment Air Locks B 3.6.2BASESNorth Anna Units 1 and 2B 3.6.2-3Revision 0APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment. In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment air locks are not required in MODE5 to prevent leakage of radioactive material from containment.
The requirements for th e containment air locks during MODE6 are addressed in LCO3.9.4, "Containment Penetrations."ACTIONSThe ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. If the outer door is
inoperable, then it may be easily acce ssed for most repairs. It is preferred that the 7ft personnel air lock be used for access to Containment due to the size and configuration of the 5.75ft equipment hatch escape air locks. The equipment hatch escape air lock is typically only used in case of emergency. This means there is a s hort time during which the containment boundary is not intact (during acce ss through the OPERABLE door). The ability to open the OPERABLE door, ev en if it means the containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize th e containment during the short time in which the OPERABLE door is expect ed to be open. After each entry and
exit, the OPERABLE door must be immediately closed.
A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. This is acceptable, since the Required Actions for e ach Condition provide appropriate compensatory actions for each inope rable air lock. Complying with the Required Actions may allow for continued operation, and a subsequent inoperable air lock is governed by subsequent Condition entry and application of associ ated Required Actions.In the event the air lock leakage results in exceeding the overall containment leakage rate, Note3 di rects entry into the applicable Conditions and Required Actions of LCO3.6.1, "Containment."
North Anna Units 1 and 2B 3.6.2-4Revision 0 Containment Air Locks B 3.6.2BASESACTIONS(continued)
A.1, A.2, and A.3With one air lock door in one or more containment air locks inoperable, the OPERABLE door must be verified closed (Required ActionA.1) in each affected containment air lock. This en sures that a leak tight containment barrier is maintained by the use of an OPERABLE air lock door. This
action must be completed within 1hour. This specified time period is consistent with the ACTIONS of LCO3.6.1, which requires containment be restored to OPERABLE status within 1hour.In addition, the affected air lock pene tration must be isolated by locking closed the OPERABLE air lock door within the 24hour Completion Time. The 24hour Completion Time is reasonable for locking the OPERABLE air lock door, considering the OPERABLE door of the affected air lock is
being maintained closed.Required ActionA.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and closed OPERABLE air lock door. This ensures that an acceptable containment leak age boundary is maintained. The Completion Time of once per 31days is based on engineering judgment and is consider ed adequate in view of the low likelihood of a locked door being mis positioned and othe r administrative controls. Required ActionA.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified
locked closed by use of administra tive means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
The Required Actions have been modified by two Notes. Note1 ensures that only the Required Actions and associated Completion Times of ConditionC are required if both doors in the same air lock are inoperable.
With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required ActionsC.1 andC.2 are the
appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note2 allows use of the air lock for entry and exit for 7day s under administrative controls if the air lock has an inoperable door. This 7 day restriction (continued)
Containment Air Locks B 3.6.2BASESNorth Anna Units 1 and 2B 3.6.2-5Revision 0ACTIONSA.1, A.2, and A.3 (continued) begins when the air lock door is di scovered inoperable. Containment entry may be required on a periodic basis to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equi pment. This Note is not intended to preclude performing other activities (i.e., non-TS-require d activities) if the containment is entered, using the inoperable air loc k, to perform an allowed activity listed above. This allowance is acceptable due to the low
probability of an event that could pressurize the containment during the
short time that the OPERABLE door is expected to be open.
B.1, B.2, and B.3With an air lock interlock mechanism inoperable in one or more air locks, the Required Actions and associated Completion Times are consistent with those specified in ConditionA.The Required Actions have been modified by two Notes. Note1 ensures that only the Required Actions and associated Completion Times of ConditionC are required if both doors in the same air lock are inoperable.
With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required ActionsC.1 andC.2 are the appropriate remedial actions. Note2 allows entry into and exit from
containment under the contro l of a dedicated individu al stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).Required ActionB.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked
closed by use of administrative means. Al lowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
North Anna Units 1 and 2B 3.6.2-6Revision 0 Containment Air Locks B 3.6.2BASESACTIONS(continued)
C.1, C.2, and C.3With one or more air locks inoperable for reasons other than those described in ConditionA orB, Required ActionC.1 requires action to be initiated immediately to evaluate pr evious combined leakage rates using current air lock test results. An evalua tion is acceptable, since it is overly conservative to immediately declare the containment inoperable if both doors in an air lock have failed a seal test or if the overall air lock leakage is not within limits. In many inst ances (e.g., only one seal per door has failed), containment remains OPERABLE, yet only 1hour (per LCO3.6.1) would be provided to restore the air lock door to OPERABLE status prior
to requiring a unit shutdown. In additi on, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.Required ActionC.2 requires that one door in the affected containment air lock must be verified to be closed within the 1hour Completion Time. This
specified time period is consistent with the ACTIONS of LCO3.6.1, which requires that containment be restored to OPERABLE status within 1hour.Additionally, the affected air lock(s
) must be restored to OPERABLE status within the 24hour Completion Time. The specified time period is considered reasonable for restoring an inoperable air lock to OPERABLE status, assuming that at le ast one door is maintained closed in each affected air lock.
D.1 and D.2 If the inoperable containment air lo ck cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within6 hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.
Containment Air Locks B 3.6.2BASESNorth Anna Units 1 and 2B 3.6.2-7Revision 46SURVEILLANCE REQUIREMENT
SSR3.6.2.1Maintaining containment air locks OPERABLE requires compliance with the leakage rate test requirements of TS5.5.15 Containm ent Leakage Rate Testing Program. This SR reflects the ove rall air lock leakage rate testing acceptance criteria with regard to air lock leakage (TypeB leakage tests). The acceptance criteria were established during initial air lock and containment OPERABILITY testing. The periodic testing requirements verify that the air lock leakage limits do not exceed the allowed fraction of the overall containment leakage rate required by the Technical Specifications. The Frequency is required by the Containment Leakage Rate Testing Program.
The SR has been modified by two Notes. Note1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either
air lock door is capable of providing a fission product barrier in the event of a DBA. Note2 has been added to this SR requiring the results to be
evaluated against the acceptance criteria which are applicable to SR3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the combined TypeB andC containment leakage rate.SR3.6.2.2 The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interl ock feature supports containment OPERABILITY while the air lock is being used for personnel transit in and
out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of
the inner and outer doors will not ina dvertently occur when combined with administrative procedures. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.10CFR50, AppendixJ, OptionB.2.UFSAR, Section6.2.3.UFSAR, Chapter15.
Intentionally Blank North Anna Units 1 and 2B 3.6.3-1Revision 8Containment Isolation Valves B 3.6.3B 3.6  CONTAINMENT SYSTEMSB3.6.3Containment Isolation ValvesBASESBACKGROUNDThe containment isolation valves listed in TRM Tables4.1-1 (Unit1) and4.1-2 (Unit2) form part of th e containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be provided with two isolation barriers that are closed on a containment isolation signal. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves
secured in their closed position (incl uding check valves with flow through
the valve secured), blind flanges, and closed systems are considered passive devices. Automatic valves designed to close without operator action following an accident are considered active devices. Two barriers in series are provided for each penetration so that no si ngle credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these
barriers may be a closed system. Th ese barriers (typically containment isolation valves) make up the Containment Isolation System.
Automatic isolation signals are pr oduced during accident conditions. Containment Phase"A" isolation occurs upon receipt of a safety injection signal. The Phase"A" isolation signal isolates nonessential process lines in order to minimize leakage of fission product radioactivity. Containment Phase"B" isolation occurs upon receipt of a containment pressure
High-High signal and isolates the rema ining process lines, except systems required for accident mitigation.The OPERABILITY requirements for c ontainment isolation valves help ensure that containment is isolated within the time limits assumed in the safety analyses. Therefore, the OPERABILITY requirements provide assurance that the containment function assumed in the safety analyses will be maintained.
(continued)
North Anna Units 1 and 2B 3.6.3-2Revision 0Containment Isolation Valves B 3.6.3BASESBACKGROUND (continued)Containment Purge System (36inch purge and exhaust valves, 18inch containment vacuum breaking valve, and 8inch purge bypass valve)The Containment Purge System operate s to supply outside air into the containment for ventilation and cooling or heating and may also be used to reduce the concentration of noble gase s within containment prior to and during personnel access. The supply a nd exhaust lines each contain two isolation valves. Because of their large size, the 36inch purge valves are not qualified for automa tic closure from their open position under Design Basis Accident (DBA) conditions. Therefore, the 36inch purge valves are maintained closed in MODES1, 2, 3, and4 to ensure the containment boundary is maintained. The 18inch containment vacuum breaking valve and 8inch bypass valve are also maintained closed in MODES1, 2, 3, and4.APPLICABLE SAFETY ANALYSESThe containment isolation valve LCO was derived from the assumptions related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during majo r accidents. As part of the containment boundary, containment isolation valve OPERABILITY
supports leak tightness of the containment. Therefore, the safety analyses of any event requiring isolation of containment is applicable to this LCO.The DBAs that result in a releas e of radioactive material within containment are a loss of coolant accident (LOCA) and a rod ejection accident (Ref.1). In the analyses for each of these accidents, it is assumed
that containment isolation valves are either clos ed or function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through containment isolation valves (including containment purge valves) are minimized. The safety analyses assume that the 36inch purge and exhaust valves are closed at event initiation.
The DBA analysis assumes that, within 60seconds after the accident, isolation of the containment is complete and leakage terminated except for the design leakage rate, La. The cont ainment isolation total response time of 60seconds includes signal delay, di esel generator startup (for loss of offsite power), and containment isolation valve stroke times.
(continued)
Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-3Revision 8APPLICABLE SAFETY ANALYSES(continued)
The containment isolation valv es satisfy Criterion 3 of 10CFR50.36(c)(2)(ii).LCOContainment isolation valves listed in TRM Tables4.1-1 (Unit1) and4.1-2 (Unit2) form a part of the containment boundary. The containment isolation valves' safety f unction is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during a DBA.The automatic power operated isola tion valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The 36, 18, and 8inch purge valves must be maintained locked, sealed, or otherwise secured closed. The valves covered by this LCO are listed along with their associated stroke times in the Technical Requirements Manual (Ref.2).The normally closed isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in their closed position, blind flanges ar e in place, and closed systems are intact. These passive isolation valves/devices are those listed in Reference2.Purge valves with resilient seals must meet additional leakage rate requirements. The other containment isolation valve leakage rates are addressed by LCO3.6.1, "Containment," as TypeC testing.
This LCO provides assurance that th e containment isolation valves and purge valves will perform their desi gned safety functions to minimize the loss of reactor coolant inventory a nd establish the containment boundary during accidents.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment. In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment isolation valves are not required to be OPERABLE in MODE5. The
requirements for containment isolation valves during MODE6 are addressed in LCO3.9.4, "Cont ainment Penetrations."
North Anna Units 1 and 2B 3.6.3-4Revision 0Containment Isolation Valves B 3.6.3BASESACTIONSThe ACTIONS are modified by a Note allowing penetration flow paths, except for 36inch purge and exhaust valve, 18inch containment vacuum breaking valve, 8inch purge bypass valv e, and steam jet ai r ejector suction penetration flow paths, to be unisolated intermitte ntly under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated. Due to the fact that the 36inch valves are not qualified for automatic closure from their open position under DBA conditions and that these and the other penetrations listed as excepted exhaust directly fr om the containment atmosphere to the environment, the penetrat ion flow path containing these valves may not be opened under administrative controls.
A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment
isolation valve. Complying with the Required Actions may allow for continued operation, and subsequent inoperable containment isolation valves are governed by subsequent Condition entry and application of associated Required Actions.The ACTIONS are further modified by a third Note, which ensures appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inopera ble containment isolation valve.In the event the leakage for a containment penetration flow path results in exceeding the overall containment leakage rate acceptance criteria, Note4 directs entry into the applicable Conditions and Required Actions of LCO3.6.1.
A.1 and A.2In the event one containment isolation valve in one or more penetration flow paths is inoperable, except for purge valve leakage not within limit, the affected penetration flow path must be isolated. The method of isolation must include the use of at l east one isolation barrier that cannot be adversely affected by a single active fail ure. Isolation barriers that meet this criterion are a closed and (continued)
Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-5Revision 0ACTIONSA.1 and A.2 (continued)de-activated automatic containment isol ation valve, a closed manual valve, a blind flange, or a check valve with flow through the valve secured. For a penetration flow path is olated in accordance with Required ActionA.1, the device used to isolate the penetration should be the closest available one to containment. Required ActionA.1 must be completed within 4hours. The 4hour Completion Time is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES1, 2, 3, and4.For affected penetration flow paths that cannot be restored to OPERABLE status within the 4hour Completion Time and that have been isolated in accordance with Required ActionA.1, the affected penetration flow paths must be verified to be isolated on a periodic basis. This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of bei ng automatically isol ated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification, through a system walkdown, that t hose isolation devices outside containment and capable of being mispos itioned are in th e correct position. The Completion Time of "once per 31 days for isolation devices outside containment" is appropriate consider ing the fact that the devices are operated under administrative contro ls and the probability of their misalignment is low. For the isolation devices inside containment, the time period specified as "prior to entering MODE4 from MODE5 if not performed within the previous 92days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation
devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility.ConditionA has been modified by a No te indicating that this Condition is only applicable to those penetrati on flow paths with two containment
isolation valves. For penetration fl ow paths with only one containment isolation valve and a closed system, ConditionC provides the appropriate actions.Required ActionA.2 is modified by two Notes. Note1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of (continued)
North Anna Units 1 and 2B 3.6.3-6Revision 0Containment Isolation Valves B 3.6.3BASESACTIONSA.1 and A.2 (continued)administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note2 applies to isolation devices th at are locked, sealed, or otherwise secured in position and allows these devi ces to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices
once they have been verified to be in the proper position, is small.
B.1With two containment isolation valves in one or more penetration flow paths inoperable, except for purge valve leakage not within limit, the affected penetration flow path must be isolated within 1hour. The method
of isolation must include the use of at least one is olation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 1hour Completion Time is consistent with the ACTIONS of LCO3.6.1. In the event the affected
penetration is isolated in accordance with Required ActionB.1, the affected penetration must be verified to be isolated on a periodic basis per Required ActionA.2, which remains in ef fect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an acci dent are isolated. The Completion Time of once per 31days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative control and the probability of their misalignment is low.ConditionB is modified by a Note indicating this Condition is only applicable to penetration flow paths with two cont ainment isolation valves. ConditionA of this LCO addresses the condition of one containment isolation valve inoperable in this type of penetration flow path.
Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-7Revision 0ACTIONS(continued)
C.1 and C.2With one or more penetration flow paths with one cont ainment isolation valve inoperable, the inoperable valve flow path must be restored to OPERABLE status or the affected penetration flow path must be isolated.
The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetrat ion flow path, with the exception of valves specified in Reference4. Required ActionC.1 must be completed within the 72hour Completion Time. The specified time period is
reasonable considering the relative stab ility of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of maintaining containment integrity during MODES1, 2, 3, and4. In the event the affected penetration flow path is isolated in accordance with Required ActionC.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This periodic verification is necessary to assure l eak tightness of containment and that containment penetrations requiring is olation following an accident are isolated. The Completion Time of once per 31days for verifying that each affected penetration flow path is isolated is appropriate because the valves are operated under administrative cont rols and the probability of their misalignment is low.ConditionC is modified by a Note indi cating that this Condition is only applicable to those pe netration flow paths wi th only one containment isolation valve and a closed system. The closed system must meet the requirements of Reference3. This Note is necessary since this Condition is written to specifically address those penetration flow paths in a closed system.
Required ActionC.2 is modified by two Notes. Note1 applies to valves and blind flanges located in high radi ation areas and allows these devices to be verified closed by use of admi nistrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note2 applies to is olation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification (continued)
North Anna Units 1 and 2B 3.6.3-8Revision 0Containment Isolation Valves B 3.6.3BASESACTIONSC.1 and C.2 (continued)by administrative means is considered acceptable, since the function of locking, sealing, or securi ng components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these valves, once they have been ve rified to be in the proper position, is small.D.1With the purge valve penetration leakage rate (SR3.6.3.4) not within limit, the assumptions of the safety analyses are not met. Therefore, the leakage
must be restored to within limit.
Restoration can be accomplished by isolating the penetration(s) that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated the leakage rate for the isolated
penetration is assumed to be th e actual pathway leakage through the
isolation device. If two is olation devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 24hour Completion Time for pur ge valve penetration leakage is acceptable considering the purge valves remain closed so that a gross breach of containment does not exist.
E.1 andE.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times
are reasonable, based on operating expe rience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.6.3.1 This SR requires verification that eac h containment isolation manual valve and blind flange located outside cont ainment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment (continued)
Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-9Revision 46SURVEILLANCE REQUIREMENT
SSR3.6.3.1 (continued)boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it invol ves verification, through a system walkdown, that those containment isol ation valves outside containment and capable of being mispositioned are in the correct position. The
Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR sp ecifies that containment isolation valves that are open under administrative controls are not required to meet the SR during the time the valves ar e open. This SR does not apply to valves that are locked, sealed, or ot herwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing,
or securing.
The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verifi ed closed by use of administrative means. Allowing verification by admi nistrative means is considered acceptable, since access to these ar eas is typically restricted during MODES1, 2, 3 and4 for ALARA reasons. Therefore, the probability of misalignment of these containment isol ation valves, once they have been verified to be in the proper position, is small.SR3.6.3.2This SR requires verification that each containment isolation manual valve and blind flange located inside cont ainment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment boundary is within design limits. For containment isolation valves inside containment, the Frequency of "prior to entering MODE4 from MODE5 if not performed within the previous 92days" is appropriate sin ce these containment isolation valves are operated under administrative cont rols and the probability of their misalignment is low. The SR specifies that containment isolation valves that are open under administrative contro ls are not required to meet the SR during the time they are open. This SR does not apply to (continued)
North Anna Units 1 and 2B 3.6.3-10 Revision 0Containment Isolation Valves B 3.6.3BASESSURVEILLANCE REQUIREMENT
SSR3.6.3.2 (continued) valves that are locked, sealed, or ot herwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.
This Note allows valves and blind flan ges located in high radiation areas to be verified closed by use of administ rative means. Allo wing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES1, 2, 3, and 4, for ALARA reasons.
Therefore, the probability of misali gnment of these containment isolation valves, once they have been verified to be in their proper position, is small.SR3.6.3.3Verifying that the isolation time of each automatic power operated containment isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analyses. The isolation time and Frequency of this SR are in accordance with the Inservice Testing Program.SR3.6.3.4For containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10CFR50, AppendixJ, OptionB, is required to ensure OPERABILITY. Operating experience has demonstrated that this type of seal ha s the potential to degrade in a shorter time period than do other seal types.This SR must be performed prior to entering MODE4 from MODE5 after containment vacuum has been broken. This Frequency was chosen
recognizing that cycling the valv e could introduce additional seal degradation (beyond that occurring to a valve that has not been opened).
This Frequency will ensure that each time these valv es are cycled they will be leak tested.
Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-11Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.6.3.5Automatic containment isolation valves close on a containment isolation signal to prevent leakage of radi oactive material from containment following a DBA. This SR ensures that each automatic power operated containment isolation valve will ac tuate to its isolation position on a containment isolation signal. Check va lves which are containment isolation valves are not considered automati c valves for the purpose of this
Surveillance as they do not receive a containment isolation signal. This Surveillance is not required for valves that are lock ed, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.3.6The check valves that serve a containment isolation function are weight or spring loaded to provide positive closure in the direction of flow. This ensures that these check valves will remain closed when the inside
containment atmosphere returns to subatmospheric conditions following a DBA. SR3.6.3.6 verifies the operation of the check valves that are not
testable during unit operation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter15.2.Technical Requirements Manual.3.Standard Review Plan 6.2.4.
4.UFSAR, Section6.2.4.2.
Intentionally Blank North Anna Units 1 and 2B 3.6.4-1Revision31 Containment Pressure B 3.6.4B 3.6  CONTAINMENT SYSTEMSB 3.6.4Containment PressureBASESBACKGROUNDContainment air partial pressure is a process va riable that is monitored and controlled. The containment air partial pressure is maintained as a function of refueling water storage tank temperature and service water temperature according to Figure3.6.4-1 of the LCO, to ensure that, following a Design Basis Accident (DBA), the containmen t would depressurize to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours.
Controlling containment partial pressure within prescribed limits also prevents the containment pressure fr om exceeding the containment design negative pressure differential with respect to the outside atmosphere in the
event of an inadvertent actuation of the Quench Spray (QS) System.
Controlling containment air partial pressure limits within prescribed limits ensures adequate net positive suction head (NPSH) for the recirculation
spray and low head safety injection pumps following a DBA.
The containment internal air partial pressure limits of Figure3.6.4-1 are derived from the input c onditions used in the containment DBA analyses.
Limiting the containment internal air partial pressure and temperature in turn limits the pressure that could be expected following a DBA, thus ensuring containment OPERABILITY. Ensuring containment OPERABILITY limits leakage of fi ssion product radioactivity from containment to the environment.APPLICABLE SAFETY ANALYSESContainment air partial pressure is an initial condition used in the containment DBA analyses to establish the maximum peak containment internal pressure. The limiting DBAs considered relative to containment pressure are the loss of coolant accident (LOCA) and steam line break (SLB). The LOCA and SLB are analyz ed using computer codes designed to predict the resultant containment pressure transients. DBAs are assumed not to occur simultaneously or consecutively. The postulated DBAs are
analyzed assuming degraded containment Engineered Safety Feature (ESF) systems (i.e., assuming no offsite power and the loss of one emergency diesel generator, which is the worst case single active failure, resulting in one train of the QS System and (continued)
North Anna Units 1 and 2B 3.6.4-2Revision 48 Containment Pressure B 3.6.4BASESAPPLICABLE SAFETY ANALYSES(continued) one train of the Recirculation Spray System becoming inoperable). The containment analysis for the DBA (Ref.1) shows that the maximum peak containment pressure results fr om the limiting design basis SLB.The maximum design internal pressure for the containment is 45.0psig.
The LOCA and SLB analyses establish the limits for the containment air
partial pressure operating range. The initial conditions used in the containment design basis LOCA analyses were an air partial pressure of 12.3psia and an air temperature of 115F. This resulted in a maximum peak containment internal pressure of 42.7psig, which is less than the maximum design internal pressure for the containment. The SLB analysis resulted in a maximum peak containment internal pressure of 43.0psig, which is less than the maximum de sign internal pressure for the containment.
The containment was also designed for an external pressure load of 9.2psid (i.e., a design minimum pressure of 5.5psia). The inadvertent actuation of the QS System was anal yzed to determine the reduction in containment pressure (Ref.1). The init ial conditions used in the analysis were 10.3psia and 115F. This resulted in a minimum pressure inside containment of 8.6psia, which is c onsiderably above the design minimum of 5.5psia.
Controlling containment air partial pressure limits within prescribed limits ensures adequate NPSH for the recirc ulation spray and low head safety injection pumps following a DBA. The minimum containment air partial
pressure is an initial condition for the NPSH analyses.
For certain aspects of transient accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emerge ncy Core Cooling System during the core reflood phase of a LOCA anal ysis increases with increasing containment backpressure. For the reflood phase calculations, the containment backpressure is calc ulated in a manner designed to conservatively minimize, rather than maximize, th e containment pressure response in accordance with 10CFR50.46 (Ref.2).The radiological consequences analysis demonstrates acceptable results provided the containment pressure decreases to 2.0psig in 1hour and does not exceed 2.0psig (continued)
Containment Pressure B 3.6.4BASESNorth Anna Units 1 and 2B 3.6.4-3Revision31APPLICABLE SAFETY ANALYSES(continued)for the interval from 1 to 6hours following the Design Basis Accident (Ref.3). Beyond 6hours the containmen t pressure is assumed to be less than 0.0psig, terminating leakage from containment.
Containment pressure satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOMaintaining containment pressure within the limits shown in Figure3.6.4-1 of the LCO ensures that in the event of a DBA the resultant peak containment accident pressure will be maintained below the containment design pressure. These lim its also prevent the containment pressure from exceeding the contai nment design negative pressure differential with respect to the out side atmosphere in the event of inadvertent actuation of the QS System. The LCO limits also ensure the containment structure will depressurize to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a DBA.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment. Since main taining containment pressure within design basis limits is essential to ensure initial conditions assumed in the accident analyses are maintained, the LCO is applicable in MODES1, 2, 3, and4.In MODES5 and6, the probability and consequences of these events are reduced due to the Reactor Coolant System pressure and temperature limitations of these MODES. Therefor e, maintaining containment pressure within the limits of the LCO is not required in MODE5 or6.ACTIONSA.1 When containment air partial pressure is not within the limits of the LCO, containment pressure must be restored to within these limits within 1hour.
The Required Action is necessary to return operation to within the bounds
of the containment analysis. The 1hour Completion Time is consistent with the ACTIONS of LCO3.6.1, "Con tainment," which requires that containment be restored to OPERABLE status within 1hour.
North Anna Units 1 and 2B 3.6.4-4Revision 48 Containment Pressure B 3.6.4BASESACTION (continued)
B.1 and B.2If containment air partial pressure cannot be restored to within limits within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To ac hieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.6.4.1Verifying that containment air partial pressure is within limits ensures that operation remains within the limits a ssumed in the containment analysis.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section6.2.2.10CFR50.46.3.UFSAR, Section15.4.1.7.
North Anna Units 1 and 2B 3.6.5-1Revision31Containment Air Temperature B 3.6.5B 3.6  CONTAINMENT SYSTEMSB 3.6.5Containment Air TemperatureBASESBACKGROUNDThe containment stru cture serves to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA). The containment average air temperature is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a loss of coolant accident (LOCA) or steam line break (SLB).
The containment average air temperatur e limit is derived from the input conditions used in the containment functional analyses and the containment structure external pressure analyses. This LCO ensures that
initial conditions assumed in the anal ysis of containment response to a DBA are not violated dur ing unit operations. The total amount of energy to be removed from containment by th e Containment Spray systems during post accident conditions is dependent upon the energy released to the containment due to the event, as well as the initial containment temperature and pressure. The higher the initial temperature, the more energy which must be removed, resulting in a higher peak containment pressure and temperature. Exceeding containment design pressure may result in leakage greater than that assumed in the accident analysis. Operation with containment temperature in excess of the LCO limit violates an initial condition assumed in the accident analysis.APPLICABLE SAFETY ANALYSESContainment average air temperature is an initial condition used in the DBA analyses that establishes the c ontainment environm ental qualification operating envelope for both pressure and temperature. The limit for containment average air temperature en sures that operation is maintained within the assumptions used in the DBA analyses for containment (Ref.1).The limiting DBAs considered relati ve to containment OPERABILITY are the LOCA and SLB. The DBA LOCA and SLB are analyzed using
computer codes designed to predict the resultant containment pressure transients. No two DBAs are assumed to occur simultaneously or consecutively. The postulated DBAs are analyzed with regard to
containment (continued)
North Anna Units 1 and 2B 3.6.5-2Revision31Containment Air Temperature B 3.6.5BASESAPPLICABLE SAFETY ANALYSES(continued)Engineered Safety Feature (ESF) systems, assuming no offsite power and the loss of one emergency diesel generator, which is the worst case single active failure, resulting in one train of the Quench Spray (QS) System and Recirculation Spray System being rendered inoperable.
The postulated SLB events are analyzed without credit for the RS system.The limiting DBA for the maximum peak containment air temperature is an SLB. The initial containment average air temperature assumed in the design basis analyses is 115F. This resulted in a maximum containment air temperature of 309F. The design temperature is 280F.The temperature upper limit is used to establish the environmental qualification operating envelope for containment. The maximum peak containment air temperature was calc ulated to exceed the containment design temperature for a relatively shor t period of time during the transient.
The basis of the containment design temperature, however, is to ensure the performance of safety related equipment inside containment (Ref.2).
Thermal analyses showed that the time interval during which the
containment air temperature exceeded the containment design temperature was short enough that there would be no adverse effect on equipment inside containment assumed to mitigate the consequences of the DBA.
Therefore, it is concluded that the calculated transien t containment air temperature is acceptable for the DBA SLB.
The temperature upper limit is also used in the depressurization analyses to ensure that the minimum pressure limit is maintained following an inadvertent actuation of the QS System (Ref.1).
The containment pressure transient is sensitive to the initial air mass in containment and, therefore, to the initi al containment air temperature. The limiting DBA for establishing the ma ximum peak containment internal pressure is an SLB. The temperature upper limit is used in the SLB analysis
to ensure that, in the event of an accident, the maximum containment internal pressure will not be exceeded.Containment average air temperature satisfies Criterion2 of 10CFR50.36(c)(2)(ii).
Containment Air Temperature B 3.6.5BASESNorth Anna Units 1 and 2B 3.6.5-3Revision 0 LCODuring an SLB, with an initial containment average temperature less than or equal to the LCO temperature limits, the resultant peak accident temperature exceeds containment design temperature for a relatively short period of time, but otherwise is main tained below the containment design temperature. As a result, the ability of containment to perform its design function is ensured.APPLICABILITYIn MODES1, 2, 3, and4, an SLB could cause an accidental release of radioactive material to the environm ent or a reactivity excursion. In MODES5 and6, the probability and c onsequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment average air temperature within the limit is not required in MODE5 or6.ACTIONSA.1When containment average air temperat ure is not within the limits of the LCO, it must be restored to within limits within 8hours. This Required Action is necessary to return operation to within the bounds of the containment analysis. The 8hour Completion Time is acceptable considering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems.
B.1 and B.2 If the containment average air temperat ure cannot be restor ed to within its limits within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.6.5.1Verifying that containment average air temperature is within the LCO limits ensures that containment operation remains within the limits assumed for the containment analys es. In order to determine the containment average air temperature, (continued)
North Anna Units 1 and 2B 3.6.5-4Revision 46Containment Air Temperature B 3.6.5BASESSURVEILLANCE REQUIREMENT
SSR3.6.5.1 (continued)a weighted average is calculated using measurements ta ken at locations within containment selected to provi de a representative sample of the overall containment atmosphere. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section6.2.2.10CFR50.49.
North Anna Units 1 and 2B 3.6.6-1Revision31QS System B 3.6.6B 3.6  CONTAINMENT SYSTEMSB 3.6.6Quench Spray (QS) SystemBASESBACKGROUNDThe QS System is designed to provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. The QS System, ope rating in conjunction with the Recirculation Spray (RS)
System, is designed to c ool and depressurize the containment structure to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a Design Basis Accident (DBA).
Reduction of containment pr essure and the iodine removal capability of the spray limit the release of fission product radioactiv ity from containment to the environment in the event of a DBA.
The QS System consists of two separate trains of equal capacity, each capable of meeting the design bases.
Each train includes a spray pump, a dedicated spray header, nozzles, valves, and piping. Each train is powered from a separate Engineered Safety Features (ESF) bus. The refueling water storage tank (RWST) supplies borated water to the QS System.The QS System is actuated either automatically by a containment High-High pressure signal or manually. The QS System provides a spray of cold borated water into the upper regions of containment to reduce the
containment pressure and temperature during a DBA. Each train of the QS System provides adequate spray coverage to meet the system design
requirements for containmen t heat and iodine fiss ion product removal. The QS System also provides flow to th e Inside RS pumps to improve the net positive suction head available.
The Chemical Addition System s upplies a sodium hydroxide (NaOH) solution into the spray. The resulting al kaline pH of the spray enhances the ability of the spray to scavenge iodine fission products from the containment atmosphere. The NaOH adde d to the spray also ensures an alkaline pH for the solution recirculated in the containment sump. The alkaline pH of the containment sump water minimizes the evolution of iodine and minimizes the occurrence of chloride and caustic stress corrosion on mechanical systems and components exposed to the fluid.
(continued)
North Anna Units 1 and 2B 3.6.6-2Revision31QS System B 3.6.6BASESBACKGROUND (continued)The QS System is a containment ESF sy stem. It is designed to ensure that the heat removal capabili ty required during the post accident period can be attained. Operation of the QS System and RS System provides the required heat removal capability to limit post accident conditions to less than the containment design values and depressu rize the containment structure to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a DBA.The QS System limits the temperature and pressure that could be expected following a DBA and ensures that containment leakage is maintained consistent with the accident analysis.APPLICABLE SAFETY ANALYSESThe limiting DBAs considered are the loss of coolant accident (LOCA) and the steam line break (SLB). The LOCA and SLB are analyzed using computer codes designed to predict the resultant c ontainment pressure and temperature transients. No DBAs are assumed to occur simultaneously or consecutively. The postulated DBAs are analyzed, with respect to
containment ESF Systems, assuming no offsite power and the loss of one emergency diesel generator, which is the worst case single active failure,
resulting in one train of the QS Syst em and the RS System inoperable. The postulated SLB events are analyzed without credit for the RS system.
During normal operation, the c ontainment internal pressure is varied, along with other parameters, to maintain the capability to depressurize the containment to less than 2.0 psig in 1 hour and to subatmospheric pressure within 6 hours after a DBA. This capability and the variation of containment pressure during a DBA ar e functions of the service water temperature, the RWST water temp erature, and the containment air temperature.
The DBA analyses (Ref.1) show th at the maximum peak containment pressure of 43.0psig results from the SL B analysis and is calculated to be less than the containment design pressure. The maximum peak containment atmosphere temperature of 309F results from the SLB analysis and was calculated to exceed the containment design temperature for a relatively short period of time during the transient. The basis of the
containment design temperature, however, is to ensure OPERABILITY of
safety related equipment inside containment (Ref.2). Thermal analyses show that the time interval duri ng which the contai nment atmosphere temperature (continued)
QS System B 3.6.6BASESNorth Anna Units 1 and 2B 3.6.6-3Revision 48APPLICABLE SAFETY ANALYSES(continued) exceeded the containment design temp erature was short enough that there would be no adverse effect on equipm ent inside containment assumed to
mitigate the consequences of the DBA.
Therefore, it is concluded that th e calculated transient containment atmosphere temperatures are acceptable for the SLB.
The modeled QS System actuation from the containment analysis is based upon a response time associated wi th exceeding the containment High-High pressure signal setpoint to achieving full flow through the spray nozzles. A delayed response time initia tion provides conservative analyses of peak calculated containment temp erature and pressure responses. The QS System total response time of 70seconds after Containment Pressure-High High comprises the signal delay, diesel generator startup time, and system startup time, in cluding pipe fill time.
For certain aspects of accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis in creases with increasing containment backpressure. For these calculations, the containment backpressure is
calculated in a manner designed to c onservatively minimiz e, rather than maximize, the calculated transient containment pressures in accordance with 10CFR50.46 (Ref.3).
Inadvertent actuation of the QS System is evaluated in the analysis, and the resultant reduction in containment pressure is calculated. The maximum calculated reduction in containment pressure results in containment pressures within the design co ntainment minimum pressure.The radiological consequences analysis demonstrates acceptable results provided the containment pressure decreases to 2.0psig in 1hour and does not exceed 2.0psig for the interval from 1 to 6hours following the Design Basis Accident (Ref.4). Beyond 6hour s the containment pressure is assumed to be less than 0.0psig, te rminating leakage from containment.
The QS System satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.6.6-4Revision31QS System B 3.6.6BASESLCODuring a DBA, one train of the QS Sy stem is required to provide the heat removal capability assumed in the safety analyses for containment. In addition, one QS System train, with sp ray pH adjusted by the contents of
the chemical addition tank, is required to scavenge iodine fission products from the containment at mosphere and ensure their retention in the containment sump water. To ensure that these requirements are met, two QS System trains must be OPERABLE with power from two safety
related, independent power supplies. Ther efore, in the event of an accident, at least one train of QS will operate, assuming that the worst case single active failure occurs.Each QS train includes a spray pump, a dedicated spray header, nozzles, valves, piping, instruments, and cont rols to ensure an OPERABLE flow path capable of taking suction from the RWST.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment and an increase in containment pressure and temperature requiring the oper ation of the QS System.In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
Thus, the QS System is not required to be OPERABLE in MODE5 or6.ACTIONSA.1 If one QS train is inoperable, it mu st be restored to OPERABLE status within 72hours. The components availa ble in this degraded condition are capable of providing 100% of the heat removal and iodine removal needs after an accident. The 72hour Completion Time was developed taking into account the redundant heat removal and iodine removal capabilities afforded by the OPERABLE train a nd the low probability of a DBA
occurring during this period.
B.1 and B.2 If the Required Action and associated Completion Time are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 (continued)
QS System B 3.6.6BASESNorth Anna Units 1 and 2B 3.6.6-5Revision 46ACTIONSB.1 and B.2 (continued)within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.6.6.1Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in the QS System provides assurance that the proper flow path exists for QS System operation. This SR does not
apply to valves that are locked, seal ed, or otherwise secured in position, since they were verified to be in th e correct position prior to being secured. This SR does not require any testing or valve manipulation. Rather, it
involves verification, through a system walkdown, that those valves outside containment and capable of pot entially being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.6.2Verifying that each QS pump's develope d head at the flow test point is greater than or equal to the required developed head ensu res that QS pump performance is consistent with the safety analysis assumptions. Flow and differential head are normal tests of centrifugal pump performance required by the ASME Code (Ref.5). Since the QS System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow.
This test confirms one point on the pump design curve and is indicative of overall performance. Such inse rvice tests confirm component OPERABILITY, trend performance, and detect incipient failures by
indicating abnormal performance. Th e Frequency of this SR is in accordance with the Inservice Testing Program.SR3.6.6.3 and SR3.6.6.4These SRs ensure that each QS auto matic valve actuates to its correct position and each QS pump starts upon receipt of an actual or simulated Containment Pressure high-high signal.
(continued)
North Anna Units 1 and 2B 3.6.6-6Revision 48QS System B 3.6.6BASESSURVEILLANCE REQUIREMENT
SSR3.6.6.3 and SR3.6.6.4 (continued)
This Surveillance is not required for valves that are locked, sealed, or
otherwise secured in the required pos ition under administrative controls.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.SR3.6.6.5With the quench spray inlet valves clos ed and the spray header drained of any solution, low pressure air or smoke can be blown through test connections or an inspection of the nozzles can be performed. This SR ensures that each spray nozzle is unobstr ucted and that spray coverage of the containment during an accident is not degraded. Due to the passive nature of the design of the nozzle and the non-corrosive design of the system, a test performed following maintenance which could result in nozzle blockage is consider ed adequate to detect obstruction of the nozzles.REFERENCES1.UFSAR, Section6.2.2.10CFR50.49.
3.10CFR50.46.
4.UFSAR, Section15.4.1.7.
5.ASME Code for Operation and Main tenance of Nuclear Power Plants.
North Anna Units 1 and 2B 3.6.7-1Revision31RS System B 3.6.7B 3.6  CONTAINMENT SYSTEMSB 3.6.7Recirculation Spray (RS) SystemBASESBACKGROUNDThe RS System, operating in c onjunction with the Quench Spray (QS)
System, is designed to limit the post accident pressure and temperature in the containment to less than the design values and to depressurize the containment structure to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a Design Basis Accident (DBA). The
reduction of containment pressure a nd the removal of iodine from the containment atmosphere by the spray limit the release of fission product radioactivity from containment to the environment in the event of a DBA.
The RS System consists of two separate trains of equal capacity, each capable of meeting the design and accident analysis bases. Each train includes one RS subsystem outside containment and one RS subsystem
inside containment. Each subsystem consists of one approximately 50%
capacity spray pump, one spray cooler, one 180 coverage spray header, nozzles, valves, piping, instrumentati on, and controls. Each outside RS subsystem also includes a casing cool ing pump with its own valves, piping, instrumentation, and controls. The two outside RS subsystems' spray pumps are located outside containment and the two inside RS subsystems' spray pumps are located inside containment. Each RS train (one inside and
one outside RS subsystem) is powered from a separate Engineered Safety Features (ESF) bus. Each train of the RS System provides adequate spray coverage to meet the system design requirements for cont ainment heat and iodine fission product removal. Two spray pumps are required to provide
360 of containment spray coverage assumed in the accident analysis. One train of RS or two outside RS subs ystems will provide the containment spray coverage and required flow.
The two casing cooling pumps and common casing cooling tank are designed to increase the net positive suction head (NPSH) available to the outside RS pumps by injecting cold wa ter into the suction of the spray pumps. They are also beneficial to the containment depressurization
analysis. The casing cooling tank contains at least 116,500gal of chilled and borated water. Each casing cool ing pump supplies one outside spray pump with cold borated water from the casing (continued)
North Anna Units 1 and 2B 3.6.7-2Revision31RS System B 3.6.7BASESBACKGROUND (continued) cooling tank. The casing cooling pumps ar e considered part of the outside RS subsystems. Each casing cooling pu mp is powered from a separate ESF bus.The inside RS subsystem pump NPSH is increased by reducing the temperature of the water at the pump su ction. Flow is diverted from the QS system to the suction of the inside RS pump on the same safety train as the quench spray pump supplying the water.
The RS System provides a spray of s ubcooled water into the upper regions of containment to reduce the containment pressure and temperature during a DBA. Upon receipt of a High-High containment pressure signal, the two casing cooling pumps start, the casing cooling discharge valves open, and the RS pump suction and discharge valves receive an open signal to assure the valves are open. Refueling water storage tank (RWST) Level-Low
coincident with Containment Pressu re-High High provides the automatic start signal for the inside RS and ou tside RS pumps. Once the coincidence logic is satisfied, the outs ide RS pumps start immedi ately and the inside RS pumps start after a 120-second delay. The delay time is sufficient to avoid simultaneous starting of the RS pumps on the same emergency diesel generator. The coincident trip ensure s that adequate water inventory is present in the containment sump to m eet the RS sump strainer functional requirements following a loss of coolant accident (LOCA). The RS system is not required for steam line break (SLB) mitigation. The RS pumps take suction from the containment sump and discharge through their respective spray coolers to the spray headers a nd into the containment atmosphere. Heat is transferred from the containment sump water to service water in the spray coolers.
The Chemical Addition System s upplies a sodium hydroxide (NaOH) solution to the RWST water supplied to the suction of the QS System pumps. The NaOH added to the QS System spray ensures an alkaline pH for the solution recirculated in th e containment sump. The resulting alkaline pH of the RS spray (pumped from the sump) enhances the ability of the spray to scavenge iodine fi ssion products from the containment atmosphere. The alkaline pH of the containment sump water minimizes the evolution of iodine and minimizes the occurrence of chloride and caustic stress corrosion on mechanical syst ems and components exposed to the fluid.(continued)
RS System B 3.6.7BASESNorth Anna Units 1 and 2B 3.6.7-3Revision31BACKGROUND (continued)The RS System is a containment ESF sy stem. It is designed to ensure that the heat removal capabilit y required during the post accident period can be attained. Operation of the QS and RS systems provides the required heat removal capability to limit post ac cident conditions to less than the containment design values and depressu rize the containment structure to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a DBA.
The RS System limits the temperature and pressure that could be expected following a DBA and ensures that containment leakage is maintained consistent with the accident analysis.APPLICABLE SAFETY ANALYSESThe limiting DBAs considered are th e LOCA and the SLB. The LOCA and SLB are analyzed using computer codes designed to predict the resultant
containment pressure and temperature transients; DB As are assumed not to occur simultaneously or consecutively. The postulated DBAs are analyzed assuming no offsite power and the loss of one emergency diesel generator, which is the worst case single active failure fo r containment
depressurization, resulting in one trai n of the QS and RS systems being rendered inoperable (Ref.1). The postulated SLB events are analyzed
without credit for the RS system.The peak containment pressure following a high energy line break is affected by the initial total pressure and temperature of the containment atmosphere and the QS System operation. Maximizing the initial containment total pressure and average atmospheric temperature maximizes the calculated peak pressure. The heat removal effectiveness of the QS System spray is dependent on the temperature of the water in the RWST. The time required to depressurize the containment and the
capability to maintain it depressuri zed below atmospheric pressure depend on the functional performance of the QS and RS systems and the service water temperature. When the Service Water temperature is elevated, it is more difficult to depressurize the containment to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours since the heat removal effectiveness of the RS System is limited.During normal operation, the containment internal pressure is varied to maintain the capability to depressurize the containment to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours after a DBA. This (continued)
North Anna Units 1 and 2B 3.6.7-4Revision 48RS System B 3.6.7BASESAPPLICABLE SAFETY ANALYSES(continued) capability and the variation of cont ainment pressure are functions of service water temperature, RWST wate r temperature, and the containment air temperature.The DBA analyses show that the maxi mum peak containment pressure of 43.0psig results from the SL B analysis and is calculat ed to be less than the containment design pressure. The maximum 309F peak containment atmosphere temperature re sults from the SLB analysis and is calculated to exceed the containment design temperature for a relatively short period of time during the transient. The basis of the containment design temperature, however, is to ensure OPERABILITY of safety related equipment inside containment (Ref.2). Thermal analyses show that the time interval during
which the containment atmosphere temperature exceeds the containment design temperature is short enough that there would be no adverse effect on equipment inside containment. Ther efore, it is concluded that the calculated transient cont ainment atmosphere temperatures are acceptable for the SLB and LOCA.The RS System actuation model from the containment analysis is based upon a response associated with exceed ing the Containment Pressure-High High signal setpoint and RWST level decreasing below the RWST
Level-Low setpoint. The contai nment analysis models account conservatively for instrument uncertainty for the Containment Pressure-High High setpoint and the RWST Level-Low setpoint. The RS System's total response time is determined by the time to satisfy the coincidence logic, the timer delay fo r the inside RS pumps, pump startup time, and piping fill time.
For certain aspects of accident analyses, maximizing the calculated containment pressure is not conser vative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure. For these calculations, the containment backpressure is
calculated in a manner designed to c onservatively minimiz e, rather than maximize, the calculated transient containment pressures in accordance with 10CFR50.46 (Ref.3).The radiological consequences analysis demonstrates acceptable results provided the containment pressure decreases to 2.0psig in 1hour and does not exceed 2.0psig for the interval from 1 to 6hours following the Design Basis(continued)
RS System B 3.6.7BASESNorth Anna Units 1 and 2B 3.6.7-5Revision31APPLICABLE SAFETY ANALYSES(continued)Accident (Ref.4). Beyond 6hours the c ontainment pressure is assumed to be less than 0.0psig, terminating leakage from containment.
The RS System satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCODuring a DBA, one train (one inside and one outside RS subsystem in the same train) or two outside RS subsystems of the RS System are required to provide the minimum heat removal capability assumed in the safety analysis. To ensure that this requireme nt is met, four RS subsystems and the casing cooling tank must be OPERABLE. This will ensure that at least one train will operate assuming the worst case single failure occurs, which is no offsite power and the loss of one emergency diesel generator.
Inoperability of the casing cooling tank, the casing cooling pumps, the casing cooling valves, piping, instrume ntation, or controls, or of the QSSystem requires an assessment of the effect on RS subsystem OPERABILITY.
Each RS train consists of one RS subsystem outside c ontainment and one RS subsystem inside containment. Each RS subsystem includes one spray pump, one spray cooler, one 180&deg; coverage spray header, nozzles, valves, piping, instrumentation, and controls to ensure an OPERABLE flow path capable of taking suction fr om the containment sump.APPLICABILITYIn MODES1, 2, 3, and4, a DBA c ould cause an increase in containment pressure and temperature requiri ng the operation of the RS System.In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
Thus, the RS System is not required to be OPERABLE in MODE5 or6.ACTIONSA.1With one of the RS subsystems inope rable, the inoperable subsystem must be restored to OPERABLE status within 7days. The components in this
degraded condition are capable of pr oviding at least 100% of the heat removal needs (i.e., approximately 150% when one RS subsystem is inoperable)
(continued)
North Anna Units 1 and 2B 3.6.7-6Revision31RS System B 3.6.7BASESACTIONSA.1 (continued)after an accident. The 7day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the RS and QS systems and the low probability of a DBA occurring
during this period.
B.1 and C.1With two of the required RS subsystems inoperable either in the same train, or both inside RS subsystems, at leas t one of the inoperable RS subsystems must be restored to OPERABLE status within 72hours. The components in this degraded condition are capab le of providing 100% of the heat removal needs and 360 containment spray coverage after an accident. The 72hour Completion Time was develope d taking into account the redundant heat removal capability afforded by the OPERABLE subsystems, a reasonable amount of time for repair s, and the low probability of a DBA occurring during this period.
D.1With the casing cooling tank inoperable, the NPSH available to both outside RS subsystem pumps may not be sufficient. The inoperable casing cooling tank must be restored to OPERABLE status within 72hours. The components in this degr aded condition are capable of providing 100% of the heat removal needs after an accid ent. The casing cooling tank does not affect the OPERABILITY of the insi de RS subsystem pumps. The effect on NPSH of the outside RS pumps must be assessed as part of outside RS pump OPERABILITY. The 72hour Completion Time was chosen based on the same reasons as given in Required ActionB.1.
E.1 and E.2 If the inoperable RS subsystem(s) or the casing cooling tank cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 84hours. The allowed Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3
from full power conditions in an orderly manner and without challenging unit systems. The extended interval to reach (continued)
RS System B 3.6.7BASESNorth Anna Units 1 and 2B 3.6.7-7Revision 46ACTIONSE.1 and E.2 (continued)MODE5 allows additional time and is reasonable considering that the driving force for a release of radioactive material from the Reactor Coolant System is reduced in MODE3.F.1With an inoperable inside RS subsys tem in one train, and an inoperable outside RS subsystem in the other train, only 180 containment spray coverage is available. This condition is outside accident analysis. With three or more RS subsystems inoperabl e, the unit is in a condition outside the accident analysis. With two inoperable outside RS subsystems, less than 100% of required RS flow is availa ble. Therefore, in all three cases, LCO3.0.3 must be entered immediately.SURVEILLANCE
REQUIREMENT
SSR3.6.7.1Verifying that the casing cooling tank solution temperature is within the specified tolerances provides assurance that the water injected into the suction of the outside RS pumps will increase the NPSH available as per design. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.SR3.6.7.2Verifying the casing cooling tank c ontained borated water volume provides assurance that sufficient water is available to support the outside RS subsystem pumps during the time they are required to operate. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.6.7-8Revision 46RS System B 3.6.7BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.6.7.3Verifying the boron concentration of the solution in the casing cooling tank
provides assurance that borated water added from the casing cooling tank to RS subsystems will not dilute th e solution being recirculated in the containment sump. A Note states that for Unit2, until the first entry into MODE4 following the Unit2 Fall2002 refueling outage, the casing cooling tank boron concentration acceptance criter ia shall be 2300ppm and 2400ppm. The Surveillance Fre quency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.7.4Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in th e RS System and casing cooling tank provides assurance that the proper flow path exists for operation of the RS System. This SR does not apply to va lves that are locked, sealed, or otherwise secured in position, since they are verified as being in the correct position prior to being secured. This SR does not require any testing or valve manipulation. Rather, it invol ves verification, through a system walkdown, that those valves outsi de containment and capable of potentially being mispositioned are in the corre ct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.7.5Verifying that each RS and casing cooling pump's developed head at the flow test point is greater than or equal to the required developed head ensures that these pumps' performance has not degraded during the cycle.
Flow and differential head are normal tests of centrifugal pump performance required by the ASME Code (Ref.5). Since the RS System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. Th is test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend perf ormance, and detect incipient failures by indicating abnor mal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.
RS System B 3.6.7BASESNorth Anna Units 1 and 2B 3.6.7-9Revision 48SURVEILLANCE REQUIREMENT
S(continued)SR3.6.7.6These SRs ensure that each automatic valve actuates and that the casing
cooling pumps start upon receipt of an actual or simulated High-High containment pressure signal. The RS pum ps are verified to start with an actual or simulated RWST Leve l-Low signal coincident with a Containment Pressure-High High signal. The start delay times for the inside RS pumps are also verified. Th is Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.7.7 Periodic inspections of the containmen t sump components ensure that they are unrestricted and stay in prope r operating condition. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR3.6.7.8 This SR ensures that each spray nozzle is unobstructed and that spray coverage of the containment will meet its design ba ses objective. Either an inspection of the nozzles or an air or smoke test is performed through each spray header. Due to the passive design of the spray header and its
normally dry state, a test performe d following maintenance which could result in nozzle blockage is consider ed adequate for detecting obstruction of the nozzles.REFERENCES1.UFSAR, Section6.2.2.10CFR50.49.3.10CFR50.46.
4.UFSAR, Section15.4.1.7.
5.ASME Code for Operation and Main tenance of Nuclear Power  Plants.
Intentionally Blank North Anna Units 1 and 2B 3.6.8-1Revision 36Chemical Addition System B 3.6.8B 3.6  CONTAINMENT SYSTEMSB 3.6.8Chemical Addition SystemBASESBACKGROUNDThe Chemical A ddition System is a subsystem of the Quench Spray System that assists in reducing the iodine fission product inventory in the containment atmosphere resulting fr om a Design Basis Accident (DBA).
Radioiodine in its various forms is the fission product of primary concern in the evaluation of a DBA. It is absorbed by the spray from the containment atmosphere. To enhance th e iodine absorption capacity of the spray, the spray solution is adjusted to an alkaline pH that promotes iodine hydrolysis, in which iodine is conver ted to nonvolatile forms. Because of its stability when exposed to radiati on and elevated temperature, sodium hydroxide (NaOH) is the pr eferred spray additive.
The NaOH added to the spray also ensures a pH value of between7.0 and8.5 of the solution recirculated from the containment sump. This pH band minimizes the evolution of iodine as well as the oc currence of chloride and caustic stress corrosion on mechanical systems and components.
The Chemical Addition System consists of one chemical addition tank, two parallel redundant motor operated valves in the line between the chemical addition tank and the refueling water storage tank (RWST), instrumentation, and a recirculation pump. The NaOH solution is added to the spray water by a balanced gravity feed from the chemical addition tank through the connecting piping into a weir within the RWST. There, it mixes with the borated water flowing to the spray pump suction. Because of the hydrostatic balance between the two ta nks, the flow rate of the NaOH is controlled by the volume per foot of height rati o of the two tanks. This ensures a spray mixture pH that is 8.5 and 10.5.The Quench Spray System actuation si gnal opens the valves from the chemical addition tank to the spray pump suctions or the quench spray
pump start signal opens the valves from the chemical addition tank after a 5minute delay. The 12%to 13%NaOH solution is drawn into the spray
pump suctions. The chemical addi tion tank capacity provides for the addition of NaOH solution to all of the water sprayed from the RWST into containment. The percent solution and volume of solution (continued)
North Anna Units 1 and 2B 3.6.8-2Revision 36Chemical Addition System B 3.6.8BASESBACKGROUND (continued) sprayed into containment ensures a lo ng term containment sump pH of 7.0 and 8.5. This ensures the continued iodine retention effectiveness of the sump water during the recirculation phase of spray operation and also minimizes the occu rrence of chloride induced stress corrosion cracking of the stainless steel recirc ulation piping. Maintaining the sump fluid pH less than or equal to 8.5 en sures that there is adequate NPSH available to the ECCS and RSS pum ps with post-LOCA debris and chemical precipitant loading on the containment sump strainer.APPLICABLE SAFETY ANALYSESThe Chemical Addition System is esse ntial to the removal of airborne iodine within contai nment following a DBA.
Following the assumed release of radioactive materials into containment, the containment is assumed to leak at its analysis value volume following the accident. The plant accident dose calculations use an effective containment coverage of 70% of the containment volume. The containment safety analyses implicitly assume that the containment atmosphere is so turbulent following an accidental release of high energy fluids inside containment that, for heat removal purposes, the containment volume is effectively completely covered by spray.The DBA response time assumed for the Chemical Addi tion System is based on the Chemical A ddition System isolation valves beginning to open 5minutes after a QS pump start.
The DBA analyses assume that one train of the Quench Spray System is inoperable and that the entire chem ical addition tank volume is added through the remaining Quench Spray System flow path.The Chemical Addition System satisfies Criterion3 of 10CFR50.36(c)(2)(ii).
LCOThe Chemical Addition System is necessary to reduce the release of radioactive material to the environment in the event of a DBA. To be
considered OPERABLE, the volume a nd concentration of the chemical addition solution must be sufficient to provide NaOH injection into the
spray flow until the Quench Spray System has completed pumping water from the RWST to the contai nment sump, and to raise the (continued)
Chemical Addition System B 3.6.8BASESNorth Anna Units 1 and 2B 3.6.8-3Revision 36 LCO(continued)average spray solution pH to a level conducive to iodine removal, namely, to between8.5 and10.5. This pH range maximizes the effe ctiveness of the iodine removal mechanism without in troducing conditions that may induce caustic stress corrosion cracking of mechanical system components.
In addition, it is essentia l that valves in the Chem ical Addition System flow paths are properly positioned and that automatic valves are capable of
activating to their correct positions.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment requiring th e operation of the Chemical Addition System. The Chemical Addition System assists in reducing the iodine fission product inventory prior to release to the environment.In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES.
Thus, the Chemical Addition System is not required to be OPERABLE in MODE5 or6.ACTIONSA.1 If the Chemical Addition System is i noperable, it must be restored to OPERABLE within 72hours. The pH adjustment of the Quench Spray System flow for iodine removal enha ncement is reduced in this condition.
The Quench Spray System would still be available and would remove some iodine from the containment atmo sphere in the event of a DBA. The 72hour Completion Time takes into account the ability of the Quench
Spray System to remove iodine at a reduced capa bility using the redundant Quench Spray flow path capabilities and the low probability of the worst case DBA occurring during this period.
B.1 and B.2If the Chemical Addition System canno t be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To ac hieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 84hours. The allowed Completion Time of 6hours is reasonable, based (continued)
North Anna Units 1 and 2B 3.6.8-4Revision 46Chemical Addition System B 3.6.8BASESACTIONSB.1 and B.2 (continued)on operating experience, to reach MODE3 from full power conditions in an orderly manner and without chal lenging unit systems. The extended interval to reach MODE5 allows 48hour s for restoration of the Chemical Addition System in MODE3 and 36hours to reach MODE5. This is reasonable when considering the re duced pressure and temperature conditions in MODE3 for the release of radioactive material from the Reactor Coolant System.SURVEILLANCE
REQUIREMENT
SSR3.6.8.1Verifying the correct alignment of Chemical Addition System manual, power operated, and automatic valves in the chemic al addition flow path provides assurance that the system is able to provide additive to the Quench Spray System in the event of a DBA. This SR does not apply to
valves that are locked, sealed, or ot herwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing,
or securing. This SR does not requir e any testing or valve manipulation. Rather, it involves verification, th rough a system walkdown, that those valves outside containment and capable of potentially be ing mispositioned are in the correct position. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.8.2To provide effective iodine removal, the containment spray must be an alkaline solution. Since the RWST contents are normally acidic, the volume of the chemical addition tank must provide a sufficient volume of spray additive to adjust pH for all wa ter injected. This SR is performed to verify the availability of sufficie nt NaOH solution in the Chemical Addition System. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.8.3 This SR provides veri fication, by chemical analysis, of the NaOH concentration in the chemical addition tank and is sufficient to ensure that the spray solution being injected (continued)
Chemical Addition System B 3.6.8BASESNorth Anna Units 1 and 2B 3.6.8-5Revision 46SURVEILLANCE REQUIREMENT
SSR3.6.8.3 (continued) into containment is at the correct pH level. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.SR3.6.8.4 This SR provides verificat ion that each automatic valve in the Chemical Addition System flow path actuat es to its correct position. This Surveillance is not required for valves that are lock ed, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.8.5To ensure that the correct pH level is established in the borated water solution provided by the Quench Spray System, flow from the Chemical Addition System is verified draining solution from the RWST and chemical addition tank through the dr ain lines in the cross-connection between the tanks. This SR provides a ssurance that the correct amount of NaOH will be metered into the flow path upon Quench Spray System initiation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.REFERENCESNone Intentionally Blank North Anna Units 1 and 2B 3.7.1-1Revision 8 MSSVsB 3.7.1B 3.7PLANT SYSTEMSB 3.7.1Main Steam Safety Valves (MSSVs)BASESBACKGROUNDThe primary purpose of the MSSVs is to provide overpressure protection for the secondary system. The MSSV s also provide protection against overpressurizing the reactor coolant pressure boundary (RCPB) by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water Syst em, is not available.
Five MSSVs are located on each main steam header, outside containment, upstream of the main steam isolation valves, as described in the UFSAR, Section10.3.1 (Ref.1). The MSSVs must have sufficient capacity to limit the secondary system pressure to 110% of the steam generator design pressure in order to meet the requirements of the ASME Code, SectionIII (Ref.2). The MSSV design includes sta ggered lift settings, according to Table3.7.1-2 in the accompanying LCO, so that only the needed valves will actuate. Staggered lift settings reduce the potential for valve chattering that is due to steam pressure insufficie nt to fully open all valves following a turbine reactor trip. These lift setti ngs are for ambient conditions of the valve associated with MODES1, 2, and3. This requires either that the valves be set hot or that a correlation between hot and cold settings be
established.APPLICABLE SAFETY ANALYSESThe design basis for the capacity of the MSSVs comes from Reference2 and its purpose is to limit the secondary system pressure to 110% of design pressure for any anticipate d operational occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.The events that challenge the relieving capacity of the MSSVs, and thus RCS pressure, are those characterized as decreased heat removal events,
which are presented in the UFSAR, Section15.2 (Ref.3). Of these, the full power turbine trip without steam dump is typically the limiting AOO. This event also terminates normal feedwater flow to the steam generators.
(continued)
North Anna Units 1 and 2B 3.7.1-2Revision 8 MSSVsB 3.7.1BASESAPPLICABLE SAFETY ANALYSES(continued)
The safety analysis demons trates that the transient response for turbine trip occurring from full power without a di rect reactor trip presents no hazard to the integrity of the RCS or the Main Steam System. One turbine trip analysis is performed assuming primary system pressure control via
operation of the pressurizer relief valves and spray. This analysis demonstrates that the DNB design ba sis is met. Another analysis is performed assuming no primary system pressure control, but crediting reactor trip on high pressurizer pressu re and operation of the pressurizer safety valves. This analysis demonstrates that RCS integrity is maintained
by showing that the maximum RCS pressure does not exceed 110% of the design pressure. All cases analyzed demonstrate that the MSSVs maintain Main Steam System integrity by limiting the maximum steam pressure to less than 110% of the steam generator design pressure.
In addition to the decreased heat removal events, reactivity insertion events may also challenge the relieving capacity of the MSSVs. The uncontrolled rod cluster control assembly (RCCA) bank withdrawal at power event is characterized by an increase in core power and steam generation rate until reactor trip occurs when either the Overtemperature T or Power Range Neutron Flux-High setpoint is reached. Steam flow to the turbine will not increase from its initial value for this event. The increased heat transfer to the secondary side causes an increase in steam pressure and may result in opening of the MSSVs prior to reactor trip, assuming no credit for operation of the atmospheric or condenser steam dump valves. The UFSAR Section15.2 safety analysis of the RCCA bank withdrawal at power event for a range of initial core power levels demonstrates that the MSSVs are capable of preventing sec ondary side overpressurization for this AOO. The UFSAR safety analyses discussed above assume that all of
the MSSVs for each steam genera tor are OPERABLE. If there are inoperable MSSV(s), it is necessary to limit the primary system power
during steady-state operation and AOOs to a value that does not result in exceeding the combined steam flow capacity of the turbine (if available) and the remaining OPERABLE MSSV
: s. The required limitation on primary system power necessary to prevent secondary system
overpressurization may be determined by system transient analyses or conservatively arrived at by a simple heat balance cal culation. In some circumstances it is necessary to limit the primary side heat generation that can be achieved during an AOO by reducing the setpoint of the Power
Range Neutron Flux-High reacto r trip function. For example, (continued)
MSSVsB 3.7.1BASESNorth Anna Units 1 and 2B 3.7.1-3Revision 42APPLICABLE SAFETY ANALYSES(continued) if more than one MSSV on a single steam generator is inoperable, an uncontrolled RCCA bank withdrawal at power event occurring from a partial power level may result in an increase in reactor power that exceeds the combined steam flow capacity of the turbine and the remaining
OPERABLE MSSVs. Thus, for multiple inoperable MSSVs on the same steam generator it is necessary to prevent this power increase by lowering
the Power Range Neutron Flux-High set point to an appropriate value. When Moderator Temperature Coeffici ent (MTC) is positive, the reactor power may increase above the initial value during an RCS heatup event
(e.g., turbine trip). Thus, for any number of inoperable MSSVs it is necessary to reduce the trip setpoint if a positive MTC may exist at partial power conditions.The MSSVs satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe accident analysis requires five MSSVs per steam generator be OPERABLE to provide overpressure pr otection for design basis transients occurring at 100.37%RTP. The LCO requires that five MSSVs per steam generator be OPERABLE in compliance with Reference2, and the DBA analysis.
The OPERABILITY of the MSSVs is defined as the ability to open upon demand within the setpoint tolerances to relieve steam generator overpressure, and reseat when pressure has been reduced. The OPERABILITY of the MSSVs is dete rmined by periodic surveillance testing in accordance with the Inservice Testing Program.
This LCO provides assurance that the MSSVs will perform their designed safety functions to mitigat e the consequences of acci dents that could result in a challenge to the RCPB or Main Steam System integrity.APPLICABILITYIn MODES1, 2, and3, five MSSVs per steam ge nerator are required to be OPERABLE to prevent Main Steam System overpressurization.In MODES4 and5, there are no credible transients requiring the MSSVs.
The steam generators are not normally used for heat removal in MODES5 and6, and thus cannot be overpressurize d; there is no requirement for the MSSVs to be OPERABLE in these MODES.
North Anna Units 1 and 2B 3.7.1-4Revision 42 MSSVsB 3.7.1BASESACTIONSThe ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each MSSV.With one or more MSSVs inoperable, action must be taken so that the available MSSV relieving capacity meets Reference2 requirements.Operation with less than all five MSSVs OPERABLE for each steam generator is permissible, if THERMAL POWER is limited to the relief capacity of the remaining MSSVs. Th is is accomplished by restricting THERMAL POWER so that the energy transfer to the most limiting steam generator is not greater than the avai lable relief capacity in that steam generator.
A.1In the case of only a single inope rable MSSV on one or more steam generators, when the MTC is not posit ive, a reactor power reduction alone is sufficient to limit primary side heat generation such that overpressurization of the secondary si de is precluded for any RCS heatup event. Furthermore, for this case there is sufficient total steam flow capacity provided by the turbine and remaining OPERABLE MSSVs to
preclude overpressurization in the even t of an increased reactor power due to reactivity insertion, such as in the event of an uncontrolled RCCA bank withdrawal at power. Therefore, Required ActionA.1 requires an appropriate reduction in reactor power within 4 hours.
The maximum THERMAL POWER corr esponding to the heat removal capacity of the remaining OPERABLE MSSVs is determined via a conservative heat balan ce calculation as described in the attachment to Reference5, with an appropriate allowance for calorimetric power uncertainty.
B.1 and B.2 In the case of multiple inopera ble MSSVs on one or more steam generators, with a reactor power reduction alone there may be insufficient total steam flow capacity provided by the turbine and remaining OPERABLE MSSVs to prec lude overpressurization in the event of an increased reactor power due to reactivity insertion, such as in the event of
an uncontrolled RCCA bank withdrawal at power. Furthermore, for a single inoperable MSSV on one or more steam generators when the MTC
is positive the reactor power may increase as a result of an RCS heatup event such that flow capacity of the (continued)
MSSVsB 3.7.1BASESNorth Anna Units 1 and 2B 3.7.1-5Revision 42ACTIONSB.1 and B.2 (continued) remaining OPERABLE MSSVs is insufficient. The 4 hour Completion Time for Required ActionB.1 is c onsistent with A.1. An additional 32hours is allowed in Required ActionB.2 to reduce the setpoints. The Completion Time of 36hours is based on a reasonable time to correct the MSSV inoperability, the time requi red to perform the power reduction, operating experience in resetting all ch annels of a protective function, and on the low probability of the occurrence of a transient that could result in
steam generator overpressure during this period.
The maximum THERMAL POWER corr esponding to the heat removal capacity of the remaining OPER ABLE MSSVs is determined via a conservative heat balan ce calculation as described in the attachment to Reference5, with an appropriate allowance for Nuclear Instrumentation System trip channel uncertainties.Required ActionB.2 is modified by a Note, indicating that the Power Range Neutron Flux-High reactor trip se tpoint reduction is only required in MODE1. In MODES2 and3 the reactor protection system trips specified in LCO3.3.1, "Reactor Protection Sy stem Instrumentation," provide sufficient protection.The allowed Completion Times are reasonable based on operating experience to accomplish the Require d Actions in an orderly manner without challenging unit systems.
C.1 and C.2 If the Required Actions are not completed within the associated Completion Time, or if one or more steam generators have 4 inoperable MSSVs, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4 within 12hours. The allowed Completion Times are reasonable, based on operati ng experience, to reach the required unit conditions from full power conditions in an orderly manner and
without challenging unit systems.
North Anna Units 1 and 2B 3.7.1-6Revision 19 MSSVsB 3.7.1BASESSURVEILLANCE REQUIREMENT
SSR3.7.1.1SRs are specified in the Inservice Test ing Program. MSSVs ar e to be tested in accordance with the requirements of the ASME Code (Ref.4) which
provides the activities and frequencie s necessary to satisfy the SR. The MSSV lift settings given in the LCO are for operability, however, the
valves are reset to +/-1% during the surveillance to allow for drift.
This SR is modified by a Note that allows entry into and operation in MODE3 prior to performing the SR. The MSSVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate
lift pressure.REFERENCES1.UFSAR, Section10.3.1.2.ASME, Boiler and Pressure Vessel Code, SectionIII.3.UFSAR, Section15.2.4.ASME Code for Operation and Main tenance of Nuclear Power Plants.5.NRC Information Notice 94-60, "Poten tial Overpressurization of the Main Steam System," August22,1994.
North Anna Units 1 and 2B 3.7.2-1Revision 0 MSTVsB 3.7.2B 3.7  PLANT SYSTEMSB 3.7.2Main Steam Trip Valves (MSTVs)BASESBACKGROUNDThe MSTVs isolate steam flow from the se condary side of the steam generators following a high energy line break (HELB). MSTV closure terminates flow from the unaff ected (intact) steam generators.One MSTV is located in each main steam line outside, but close to, containment. The MSTVs are downstream from the main steam safety valves (MSSVs) and auxiliary fe edwater (AFW) pump turbine steam supply, to prevent MSSV and AFW isolation from the steam generators by MSTV closure. Closing the MSTVs isolates each steam generator from the others, and isolates the turbine, Steam Dump Syst em, and other auxiliary steam supplies from the steam generators.The MSTVs close on a main steam is olation signal generated by either intermediate high high containment pr essure, high steam flow coincident with low low RCS T avg, or low steam line pressu re. The MSTVs fail closed on loss of control air pressure.
Each MSTV has an MSTV bypass valv
: e. Although these bypass valves are normally closed, they receive the same emergency closure signal as do their associated MSTVs. The MSTV bypass valves may also be actuated manually.
A description of the MSTVs is found in the UFSAR, Section10.3 (Ref.1).APPLICABLE SAFETY ANALYSESThe design basis of the MSTVs is esta blished by the containment analysis for the main steam line break (MSLB) inside containment, discussed in the UFSAR, Section6.2 (Ref.2). It is also affected by the acci dent analysis of the SLB events presented in the UFSAR, Section15.4.2 (Ref.3). The design precludes the blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSTV
to close on demand).
(continued)
North Anna Units 1 and 2B 3.7.2-2Revision 0 MSTVsB 3.7.2BASESAPPLICABLE SAFETY ANALYSES(continued)
The limiting case for the containment analysis is the MSLB inside containment, with a loss of offsite pow er following turbine trip, and failure of the Non Return Valve (NRV) on the affected steam generator to close. At lower powers, the steam generator inventory and temperature are at their maximum, maximizing the analyzed mass and energy release to the
containment. Due to reverse flow and failure of the NRV to close, the additional mass and energy in the steam headers downstream from the
other MSTVs contribute to the total release. With the most reactive rod cluster control assembly assumed stuck in the fully withdrawn position,
there is an increased possibility that the core will b ecome critical and return to power. The core is ultimately sh ut down by the boric acid injection delivered by the Emergency Core Cooling System.The accident analysis compares several different MSLB events against different acceptance criteria. The MSLB outside containment upstream of the MSTV is limiting for offsite dose, although a break in this short section of main steam header has a very low probability. The MSLB inside
containment at hot zero power is the limiting case for a post trip return to power. The analysis includes scenarios with offsite power available, and with a loss of offsite power following turbine trip. With offsite power
available, the reactor coolant pumps continue to circulate coolant through the steam generators, maximizing th e Reactor Coolant System cooldown. With a loss of offsite power, the resp onse of mitigating systems is delayed. Significant single failures considered include failure of an MSTV to close.The MSTVs only serve a safety func tion and remain open during power operation. These valves operate under the following situations:a.A HELB inside containment. In order to maximize the mass and energy release into containment, the analysis assumes that the NRV in the affected steam generator remains ope
: n. For this accident scenario, steam is discharged into containment from all steam generators until the remaining MSTVs close. After MSTV closure, steam is discharged into containment only from the affected steam genera tor and from the residual steam in the main steam header downstream of the closed MSTVs in the unaffected loops. Clos ure of the MSTVs isolates the break from the unaffec ted steam generators.
(continued)
MSTVsB 3.7.2BASESNorth Anna Units 1 and 2B 3.7.2-3Revision 20APPLICABLE SAFETY ANALYSES(continued)b.A break outside of containment a nd upstream from the MSTV is not a containment pressurization concer
: n. The uncontrolled blowdown of more than one steam generator must be prevented to limit the potential for uncontrolled RCS cooldown and positive reactivity addition.
Closure of the MSTVs isolates the break and limits the blowdown to a single steam generator.c.A break downstream of the MSTVs will be isolated by the closure of the MSTVs.d.Following a steam generator tube rupture, the operator will isolate flow to the ruptured steam generator, ad just auxiliary feedwater flow to maintain specified water levels in the ruptured and intact steam generators and manually isolate steam flow from the ruptured generator to the turbine-driven auxiliary feedwater in the Main Steam Valve
House. The operator will also veri fy that the steam generator power operated relief valves are available and their manual isolation valves
are opened (if required) in preparati on for subsequent steps. Closure of the MSTVs isolates the ruptured steam generator from the intact steam generators to minimize radiological releases.e.The MSTVs are also utilized during other events such as a feedwater line break. This event is less limiting so far as MSTV OPERABILITY is concerned.
The MSTVs satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThis LCO requires that three MSTV s in the steam lines be OPERABLE. The MSTVs are considered OPERABLE when the isolation times are
within limits, and they close on an isolation actuation signal.
This LCO provides assurance that the MSTVs will perform their design safety function to mitigate the conseque nces of accidents that could result in offsite exposures comparable to the 10CFR50.67 (Ref.4) limits or the NRC staff approved licensing basis.
North Anna Units 1 and 2B 3.7.2-4Revision 8 MSTVsB 3.7.2BASESAPPLICABILITYThe MSTVs must be OPERABLE in MODE1, and in MODES2 and3 except when closed and de-activate d, when there is significant mass and energy in the RCS and steam generators. When the MSTVs are closed, they are already performing the safety function.In MODE4, the steam generator energy is low and the MSTVs are not required to support the safety analyses due to the low probability of a design basis accident.In MODE5 or6, the steam generators do not contain much energy because their temperature is belo w the boiling point of water; therefore, the MSTVs are not required for isolation of potential high energy secondary system pipe breaks in these MODES.ACTIONSA.1With one MSTV inoperable in MODE1, action must be taken to restore OPERABLE status within 8hours. Some repairs to the MSTV can be made with the unit hot. The 8hour Completion Time is reasonable, considering the low probability of an accident occurring during this time period that would require a closure of the MSTVs.The 8hour Completion Time is greater than that normally allowed for containment isolation valves because the MSTVs are valves that isolate a closed system penetrating containment. These valves differ from other containment isolation valves in that the closed system provides an additional means for containment isolation.
B.1If the MSTV cannot be restored to OPERABLE status within 8hours, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in MODE2 within 6hours and ConditionC would be entered. The Completion Times are reasonable, based on operating experience, to reach MODE2 and to close the MSTVs in an orderly manner and without challenging unit systems.
C.1 and C.2ConditionC is modified by a Note indi cating that separate Condition entry is allowed for each MSTV.
(continued)
MSTVsB 3.7.2BASESNorth Anna Units 1 and 2B 3.7.2-5Revision 8ACTIONSC.1 and C.2 (continued)
Since the MSTVs are required to be OPERABLE in MODES2 and3, the inoperable MSTVs may either be restor ed to OPERABLE status or closed.
When closed, the MSTVs are already in the position required by the assumptions in the safety analysis.The 8hour Completion Time is consistent with that allowed in ConditionA.
For inoperable MSTVs that cannot be restored to OPERABLE status within the specified Completion Time, but are closed, the inoperable
MSTVs must be verified on a periodic ba sis to be closed. This is necessary to ensure that the assumptions in th e safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgment, in view of MSTV status indications ava ilable in the control room, and other administrative controls, to ensure th at these valves are in the closed
position.
D.1 and D.2 If the MSTVs cannot be restored to OPERABLE status or are not closed within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed at least in MODE3 within 6hours, and in MODE4 within 12hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the required unit conditions from MODE2 conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.7.2.1 This SR verifies that MSTV isolation time is 5.0seconds. The MSTV isolation time is assumed in the acci dent and containment analyses. This Surveillance is normally performe d upon returning the unit to operation following a refueling outage. The MSTVs should not be tested at power, since even a part stroke exercise increases the risk of a valve closure when the unit is generating power. As the MSTVs are not tested at power, they are exempt from the ASME Code (Ref.5) require ments during operation in MODE1 or2.The Frequency is in accordance with the Inservice Testing Program.
(continued)
North Anna Units 1 and 2B 3.7.2-6Revision 46 MSTVsB 3.7.2BASESSURVEILLANCE REQUIREMENT
SSR3.7.2.1 (continued)
This test may be conducted in MODE3 with the unit at operating temperature and pressure. This SR is modified by a Note that allows entry into and operation in MODE3 prior to performing the SR. This allows a delay of testing until MODE3, to es tablish conditions consistent with those under which the acceptance criterion was generated.SR3.7.2.2This SR verifies that each MSTV clos es on an actual or simulated actuation signal. This Surveillance is normally performed u pon returning the plant to operation following a refueling outage. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Section10.3.2.UFSAR, Section6.2.3.UFSAR, Section15.4.2.
4.10CFR50.67.
5.ASME Code for Operation and Main tenance of Nuclear Power Plants.
North Anna Units 1 and 2B 3.7.3-1Revision 23MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3B 3.7  PLANT SYSTEMSB3.7.3Main Feedwater Isolation Valves (MFIVs), Main Feedwater Pump Discharge Valves (MFPDVs), Main Feedwater Regulating Valves (MFRVs), and Main Feedwater Regulating Bypass Valves (MFRBVs)BASESBACKGROUNDThe MFIV and the MFRV are in series in the Main Feedwater (MFW) line upstream of each steam generator.
The MFRBV is parallel to both the MFIV and the MFRV. The MFPDV is located at the discharge of each main feedwater pump. The valves are located outside of the containment. These valves provide the isolation of each MFW line by the closure of the MFIV and MFRBV, the MFRV and MFRBV, or the closure of the MFPDV. To provide the needed isolation given the single failure of one of the valves,
all four valve types are required to be OPERABLE. The MFIVs and the MFRVs provide single failure protection for each other in one flow path
and the MFPDVs and the MFRBVs provi de single failure protection for each other in the other flow path.
The safety-related function of the MFIVs, MFPDVs, MFRVs and the MFRBVs is to provide isolation of MF W from the secondary side of the steam generators following a high energy line break. Closure of the MFIV and MFRBV, the MFRV and MFRBV, or the closure of the MFPDV terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release for steam or feedwater line breaks and minimizing the positive reactivity effects of the Reactor Coolant System (RCS) cooldown associated with th e blowdown. In the event of pipe rupture inside the containment, the valves limit the quantity of high energy fluid that enters the containment through the broken loop.
The containment isolation MFW check va lve in each loop provides the first pressure boundary for the addition of Auxiliary Feedwater (AFW) to the intact loops and prevents back flow in the feedwater line should a break occur upstream of these valves. These check valves also isolate the non-safety-related portion of the MFW system from the safety-related portion of the system. The piping volume from the feedwater isolation valve to the steam generators is considered in calculating mass and energy
release following either a st eam or feedwater line break.
(continued)
North Anna Units 1 and 2B 3.7.3-2Revision 23MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESBACKGROUND (continued)The MFIVs, MFPDVs, MFRVs, and MF RBVs close on receipt of Safety Injection or Steam Generator Water Level-High High signal. The MFIVs, MFPDVs, MFRVs, and MFRBVs may also be actuated manually.
A description of the operation of the MFIVs, MFPDVs, MFRVs, and MFRBVs is found in the UFSAR, Section10.4.3 (Ref.1).APPLICABLE SAFETY ANALYSESThe design basis for the closure of the MFIVs, MFPDVs, MFRVs, and MFRBVs is established by the analyses for the Main Steam Line Break (MSLB). It is also influenced by the accident analysis for the Feedwater Line Break (FWLB). Closure of the MFIVs and MFRBVs, or MFRVs and
MFRBVs, or the MFPDVs, may also be relied on to terminate an MSLB on
receipt of an SI signal for core response analysis and for an excess
feedwater event upon the receipt of a Steam Generator Water Level-High High signal.Failure of an MFIV and MFRV, or an MFRBV and MFPDV to close following an MSLB or FWLB can result in additional mass and energy
being delivered to the steam genera tors, contributing to cooldown. This failure also results in additional mass and energy releases following an MSLB or FWLB event.The MFIVs, MFPDVs, MFRVs, and MFRBVs satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThis LCO ensures that the MFIVs, MFPDVs, MFRVs, and MFRBVs will isolate MFW flow to the steam genera tors, following an FWLB or MSLB.This LCO requires that three MFIVs, three MFPDVs, three MFRVs, and three MFRBVs be OPERABLE. The valves are considered OPERABLE when isolation times are within limi ts and they close on an isolation actuation signal. The MFIVs and the MFRVs provide single failure protection for each other, and the MFPDV and the MFRBV provide single failure protection for each other.Failure to meet the LCO requirements can result in additional mass and energy being released to containment following an MSLB or FWLB inside containment. A feedwater isolation signal on high high steam generator level is relied on to terminate an excess feedwater flow event, and failure to meet the LCO may result in the introduction of water into the main steam lines.(continued)
MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESNorth Anna Units 1 and 2B 3.7.3-3Revision 23APPLICABILITYThe MFIVs, MFPDVs, MFRVs, and MFRBVs must be OPERABLE whenever there is significant mass and energy in the RCS and steam generators. In MODES1, 2, and3, the MFIVs, MFPDVs, MFRVs, and MFRBVs are required to be OPERABLE to limit the amount of available fluid that could be added to containmen t in the case of a secondary system pipe break inside containment. When the valves are closed and
de-activated or isolated by a closed manual valve, they are already performing their safety function.In MODES4, 5, and6, steam generator energy is low. Therefore, the MFIVs, MFPDVs, MFRVs, and MF RBVs are not required to be OPERABLE.ACTIONSThe ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each valve.
A.1 and A.2With one MFIV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPER ABLE status, or to close or isolate inoperable affected valves within 72hours. When these valves are closed or isolated, they are performi ng their required safety function.The 72hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72hour Completion Time is reasonable, based on
operating experience.
Inoperable MFIVs that are cl osed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgment, in view of other
administrative controls, to ensure that these valves are closed or isolated.
B.1 and B.2With one MFRV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72hours. When these valves are closed or isolated, they are perf orming their required safety function.
(continued)
North Anna Units 1 and 2B 3.7.3-4Revision 23MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESACTIONSB.1 and B.2 (continued)The 72hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72hour Completion Time is reasonable, based on operating experience.Inoperable MFRVs, that are closed or isolated, must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgmen t, in view of other administrative controls to ensure that the valves are closed or
isolated.
C.1 and C.2With one MFRBV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72hours. When these valves are closed or isolated, they are performing their required safety function.The 72hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72hour Completion Time is reasonable, based on operating experience.
Inoperable MFRBVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgmen t, in view of other administrative controls to ensure that these valves are closed or
isolated.
D.1 and D.2With one MFPDV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72hours. When these valves are closed or isolated, they are performing their required safety function.
(continued)
MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESNorth Anna Units 1 and 2B 3.7.3-5Revision 23ACTIONSD.1 and D.2 (continued)The 72hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72hour Completion Time is reasonable, based on operating experience.
Inoperable MFPDVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgment, and in
view of other administrative controls, to ensure that these valves are closed or isolated.
E.1With two inoperable valves in the same flow path, there may be no redundant system to operate automatical ly and perform the required safety function. For example, either a MFIV and a MFRV in the same main
feedwater line are inoperable or a MFPDV and a MFRBV are inoperable.
Under these conditions, at least one of the affected valves must be restored to OPERABLE status, or the affected flow path isolated within 8hours.
This action returns the system to the condition where at least one valve in each flow path is performing the required safety function. The 8hour Completion Time is reasonable, based on operating experience, to complete the actions required to close the affected valves, or otherwise isolate the affected flow path.
F.1 and F.2 If the inoperable valve(s) cannot be restored to OPERABLE status, or closed, or isolated within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4 within 12hours. The allowed Completion Times are reasonable, based on operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.
North Anna Units 1 and 2B 3.7.3-6Revision 46MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESSURVEILLANCE REQUIREMENT
SSR3.7.3.1This SR verifies that the isolation time of each MFIV, MFRV, and MFRBV is 6.98seconds and the isolati on time for each MFPDV is 60seconds.
The isolation times are assumed in th e accident and containment analyses.
This Surveillance is normally pe rformed during a refueling outage.
The Frequency for this SR is in accordance with the Inservice Testing Program.SR3.7.3.2 This SR verifies that each MFIV, MFRV, MFRBV, and MFPDV can close on an actual or simulated actuation signal. This Surveillance is normally performed upon returning the plant to operation following a refueling outage.The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section10.4.3.
North Anna Units 1 and 2B 3.7.4-1Revision 0SG PORVsB 3.7.4B 3.7  PLANT SYSTEMSB 3.7.4Steam Generator Power Operated Relief Valves (SG PORVs)BASESBACKGROUNDThe SG PORVs provide a method for cooling the unit to residual heat removal (RHR) entry conditions shoul d the preferred heat sink via the condenser dump valves not be availa ble, as discussed in the UFSAR, Section10.3 (Ref.1). This is done in conjunction with the Auxiliary Feedwater System providi ng cooling water from the emergency condensate storage tank (ECST) (or, alternately, with main feedwater from the condenser hotwell or main c ondensate tanks, if available).One SG PORV line for eac h of the three st eam generators is provided. Each SG PORV line consists of one SG PORV and an associated upstream
manual isolation valve.The SG PORVs are provided with upstream manual isolation valves to permit their being tested at power, a nd to provide an alternate means of isolation. The SG PORVs are equippe d with pneumatic controllers to permit control of the cooldown rate.The SG PORVs are provided with a backup supply tank which is pressurized from the instrument air header via a check valve arrangement that, on a loss of pressure in the normal instrument air supply,
automatically supplies air to operate the SG PORVs. The air supply is sized to provide the sufficient pressurized air to operate the SG PORVs until manual operation of the SG PORVs can be established.A description of the SG PORVs is found in Reference1. The SG PORVs are OPERABLE when they are capable of providing controlled relief of the
main steam flow and capable of be ing fully opened and closed, either remotely or by local manual operation.APPLICABLE SAFETY ANALYSESThe design basis of the SG PORVs is established by the capability to cool the unit to RHR entry conditions. The SG PORVs are used in conjunction with auxiliary feedwater supplied from the ECST (or, alternately, with main feedwater from the condenser hotwell or main condensate tanks, if (continued)
North Anna Units 1 and 2B 3.7.4-2Revision 0SG PORVsB 3.7.4BASESAPPLICABLE SAFETY ANALYSES(continued) available). Adequate inventory is available in the ECST to support operation for 2hours in MODE3 followed by a 4hour cooldown to the RHR entry conditions.In the SGTR accident analysis presented in Reference2, the SG PORVs are assumed to be used by the operator to cool down the unit to RHR entry conditions when the SGTR is accompanied by a loss of offsite power, which renders the condenser dump valv es unavailable. Prior to operator actions to cool down the unit, the SG PORVs and main steam safety valves (MSSVs) are assumed to operate au tomatically to relieve steam and maintain the steam generator pressu re below the design value. For the recovery from a steam generator tube rupture (SGTR) even t, the operator is also required to perform a limite d cooldown to establish adequate subcooling as a necessary step to terminate the pr imary to secondary break flow into the ruptured steam generator. The time required to terminate the primary to secondary break flow for an SGTR is more critical than the time required to cool down to RHR conditions for this event. Thus, the SGTR is the limiting event for the SG PORVs. The requirement for three SG PORVs to be OPERABLE satisfies the SGTR accident analysis requirements,
including consideration of a single failure of one SG PORV to open on demand.The SG PORVs are equipped with manual isolation valves in the event an SG PORV spuriously fails open or fails to close during use.The SG PORVs satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThree SG PORV lines are required to be OPERABLE. One SG PORV line is required from each of three steam generators to ensure that at least one SG PORV line is available to conduc t a unit cooldown fo llowing an SGTR, in which one steam generator becomes unavailable, accompanied by a
single, active failure of a second SG PORV line on an unaffected steam generator. The manual isolation valves must be OPERABLE to isolate a failed open SG PORV line. A closed manual isolation valve does not render it or its SG PORV line inopera ble because operator action time to open the manual isolation valve is supported in the accident analysis.
(continued)
SG PORVsB 3.7.4BASESNorth Anna Units 1 and 2B 3.7.4-3Revision 0 LCO(continued)
Failure to meet the LCO can result in the inability to cool the unit to RHR entry conditions following an event in which the condenser is unavailable for use with the Steam Dump System.An SG PORV is considered OPERAB LE when it is capable of providing controlled relief of the main steam flow and capable of fully opening and closing, remotely or by lo cal manual operation on demand.APPLICABILITYIn MODES1, 2, and3, and in MODE4, when a steam generator is being relied upon for heat removal, the SG PORVs are required to be OPERABLE.
In MODE5 or6, an SGTR is not a credible event.ACTIONSA.1With one required SG PORV line i noperable, action must be taken to restore OPERABLE status within 7days. The 7day Completion Time
allows for the redundant capability afforded by the remaining OPERABLE SG PORV lines, a nonsafety grade backup in the Steam Dump System, and MSSVs.B.1With two or more SG PORV lines i noperable, action must be taken to restore all but one SG PORV line to OPERABLE status. Since the upstream manual isolation valve can be closed to isolate an SG PORV, some repairs may be possible with the unit at power. The 24hour Completion Time is reasonable to repair inoperable SG PORV lines, based on the availability of the Steam Dump System and MSSVs, and the low
probability of an event occurring duri ng this period that would require the SG PORV lines.
C.1 and C.2If the SG PORV lines cannot be rest ored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4, without reliance upon steam generator for heat removal, within 24hours. The allowed Completion Times are reasonable, based on operating (continued)
North Anna Units 1 and 2B 3.7.4-4Revision 46SG PORVsB 3.7.4BASESACTIONSC.1 and C.2 (continued) experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.SURVEILLANCE REQUIREMENT
SSR3.7.4.1To perform a controlled cooldown of the RCS, the SG PORVs must be able to be opened either remotely or lo cally and throttled through their full range. This SR ensures that the SG PORVs are tested thr ough a full control cycle at least once per fuel cycle. Perf ormance of inservice testing or use of an SG PORV during a unit cooldown may satisfy this requirement. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.7.4.2The function of the upstream manual isolation valve is to isolate a failed SG PORV. Cycling the upstream manua l isolation valve both closed and open demonstrates its capability to pe rform this function. Performance of inservice testing or use of the upstr eam manual isolation valve during unit cooldown may satisfy this requirement. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Section10.3.2.UFSAR, Section15.4.3.
North Anna Units 1 and 2B 3.7.5-1Revision 0AFW System B 3.7.5B 3.7  PLANT SYSTEMSB 3.7.5Auxiliary Feedwater (AFW) SystemBASESBACKGROUNDThe AFW System automatically s upplies feedwater to the steam generators to remove decay heat from the Reac tor Coolant System upon the loss of normal feedwater supply. The AFW pum ps take suction through separate and independent suction lines from the emergency condensate storage tank (ECST) (LCO3.7.6) and pump to the st eam generator secondary side via separate and independent connections to the main feedwater (MFW) piping outside containment. The steam generators function as a heat sink for core decay heat. The heat load is dissipated by releasing steam to the atmosphere from the steam generators via the main steam safety valves (MSSVs) (LCO3.7.1) or steam generator power operate d relief valves (SG PORVs) (LCO3.7.4). If the main conde nser is available, steam may be released via the steam dump valves and recirculated to the condenser hotwell.The AFW System consists of two mo tor driven AFW pumps and one steam turbine driven pump configured into th ree trains. Each pump is aligned to one steam generator, and the capacity of each pump is sufficient to provide
the designated flow assumed in the accident analysis. The pumps are
equipped with recirculation lines to prevent pump operation against a closed system. Each motor driven AFW pump is powered from an independent Class1E power suppl y and normally feeds one steam generator, although each pump has the capability to be realigned to feed
other steam generators. The steam turbine driven AFW pump receives steam from three main steam lines upstr eam of the main steam trip valves (MSTVs). The steam supply lines combin e into a header which is isolated from the steam driven auxiliary fe edwater pump by two parallel valves. Main steam trip valves, MS-TV-111A and MS-TV-111B (Unit1),
MS-TV-211A and MS-TV-211B (Unit 2) are powered from separate 125V
DC trains and actuated by the Engine ered Safety Features Actuation System (ESFAS). Opening of either trip valve will provide sufficient steam to the steam driven pump to produce th e design flow rate from the ECST to the steam generator(s).
The AFW System is capable of supplying feedwater to the steam generators during normal unit startup, shutdown, and hot standby conditions.
(continued)
North Anna Units 1 and 2B 3.7.5-2Revision 0AFW System B 3.7.5BASESBACKGROUND (continued)
The AFW pumps may be aligned and supply a common header capable of feeding all steam generators. One pump at full flow is sufficient to remove decay heat and cool the unit to residual heat removal (RHR) entry conditions. Thus, the requirement for diversity in motive power sources for the AFW System is met.
The AFW System is designed to supply sufficient water to the steam generator(s) to remove decay heat with steam generator pressure associated with the lowest setpoint MSSV. Subsequently, the AFW System supplies sufficient water to cool the unit to RHR entry conditions, with steam released through the SG PORVs.The AFW System actuates automatically on Steam Generator Water Level low-low by the ESFAS (LCO3.3.2). The system also actuates on loss of offsite power, safety injection, and trip of all MFW pumps.
The AFW System is discussed in the UFSAR, Section10.4.3.2 (Ref.1).APPLICABLE SAFETY ANALYSESThe AFW System mitigates the conseque nces of any event with loss of normal feedwater.
The design basis of the AFW System is to supply water to the steam generator to remove decay heat and other residual heat by delivering at least the minimum required flow rate to the steam generators at pressures corresponding to the lowest steam genera tor safety valve set pressure plus 3%.In addition, the AFW Syst em must supply enough ma keup water to replace steam generator secondary inventory lost as the unit cools to MODE4 conditions. Sufficient AFW fl ow must also be availa ble to account for flow losses such as pump recirc ulation and line breaks.
The limiting Design Basis Accidents (DBAs) and transients for the AFW System are as follows:a.Feedwater Line Break (FWLB);b.Main Steam Line Break (MSLB); andc.Loss of MFW.
(continued)
AFW System B 3.7.5BASESNorth Anna Units 1 and 2B 3.7.5-3Revision 0APPLICABLE SAFETY ANALYSES(continued)
In addition, the minimum available AF W flow and system characteristics are considerations in the analysis of a small break loss of coolant accident (LOCA).The AFW System design is such that it can perform its function following an FWLB between the MFW isolation valves and containment, combined with a loss of offsite power follow ing turbine trip, and a single active failure of the steam turbine driven AFW pump. In such a case, the ESFAS logic may not detect the affected st eam generator if the backflow check valve to the affected MFW header worked properly. One motor driven
AFW pump would deliver to the broke n MFW header at maximum design
flow until the problem was detected, and flow terminated by the operator. Sufficient flow would be delivered to the intact steam generator by the
redundant AFW pump.The ESFAS automatically actuates the AFW turbine driven pump when required to ensure an adequate feed water supply to its dedicated steam generator during loss of power. Air or motor operated valves are provided for each AFW line to control the AFW flow to each steam generator.The AFW System satisfies the requirements of Criterion3 of 10CFR50.36(c)(2)(ii).
LCOThis LCO provides assura nce that the AFW System will perform its design safety function to mitigate the conseque nces of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three independent AFW pumps in three di verse trains are required to be OPERABLE to ensure the availability of AFW capability for all events accompanied by a loss of offsite power and a single failure. This is accomplished by powering two of the pumps from independent emergency buses. The third AFW pump is powered by a different means, a steam driven turbine supplied with steam from a source that is not isolated by closure of the MSTVs.The AFW System is configured into three trains. The AFW System is considered OPERABLE when the components and flow paths required to
provide redundant AFW flow to the steam generators are OPERABLE. This requires that the two motor driven AFW pumps be OPERABLE in
two diverse paths, each supplying AFW to separate steam generators. The turbine driven AFW pump is required to be OPERABLE with redundant (continued)
North Anna Units 1 and 2B 3.7.5-4Revision 37AFW System B 3.7.5BASESLCO(continued) steam supplies from each of two main steam supply paths through MS-TV-111A and MS-TV-111B (Unit1), MS-TV-211A and MS-TV-211B (Unit2), which receive steam from at least two of the three main steam lines upstream of the MSTVs. The piping, valves, instrumentation, and controls required to perform the safety function in the required flow paths
also are required to be OPERABLE.
In addition, if a seismic air tank or th e inlet check valve to the seismic air tank associated with any of the air operated valves (FW-PCV-159A, FW-PCV-159B, FW-HCV-100A, FW-HCV-1OOB, FW-HCV-100C, MS-TV-111A and MS-TV-111B (Unit1), FW-PCV-259A, FW-PCV-259B, FW-HCV-200A, FW-HCV-200B, FW-HCV-200C, MS-TV-211A and MS-TV-211B (Unit2)) is removed fro m service, or becomes unavailable, then the associated valve is considered inoperable.
The LCO is modified by a Note i ndicating that one AFW train, which includes a motor driven pump, is required to be OPERABLE in MODE4 when the steam generator is relied upon for heat removal. This is because
of the reduced heat removal require ments and short period of time in MODE4 during which the AFW is required and the insufficient steam available in MODE4 to power the turbine driven AFW pump.APPLICABILITYIn MODES1, 2, and3, the AFW Sy stem is required to be OPERABLE in the event that it is called upon to function when the MFW is lost. In
addition, the AFW System is require d to supply enough makeup water to replace the steam generator secondary inventory, lost as the unit cools to MODE4 conditions.In MODE4 one AFW train is required to be OPERABLE when the steam generator(s) is relied upon for heat removal.
In MODE5 or6, the steam generators are not normally used for heat removal, and the AFW System is not required.ACTIONSA.1 If one of the two steam supplies, MS-TV-111A and MS-TV-111B (Unit1), MS-TV-211A and MS-TV-211B (Unit2), to the turbine driven AFW train is inoperable or if a turbine driven AFW pump is inoperable while in MODE3 immediately following refueli ng, action must be taken to restore the affected (continued)
AFW System B 3.7.5BASESNorth Anna Units 1 and 2B 3.7.5-5Revision 37ACTIONSA.1 (continued)equipment to an OPERABLE status within 7days. The 7day Completion Time is reasonable, based on the following reasons:a.For the inoperability of a steam supply to the turbine driven AFW pump, the 7day Completion Time is reasonable since there is a redundant steam supply line for the turbine driven pump.b.For the inoperability of a turbin e driven AFW pump while in MODE3 immediately subsequent to a refueling outage, the 7day Completion Time is reasonable due to the minimal decay heat levels in this
situation.c.For both the inoperability of a st eam supply line to the turbine driven pump and an inoperable turbine driven AFW pump while in MODE3
immediately following a refueling outage, the 7day Completion Time is reasonable due to the availabili ty of redundant OPERABLE motor driven AFW pumps; and due to th e low probability of an event requiring the use of the turbine driven AFW pump.The second Completion Time for Required ActionA.1 establishes a limit on the maximum time allowed for a ny combination of Conditions during any contiguous failure to meet this LCO.The 10day Completion Time provides a limitation time allowed in this specified Condition after disc overy of failure to meet the LCO. This limit is considered reasonable fo r situations in which ConditionsA andB are entered concurrently. The AND connector between 7days and 10days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.
ConditionA is modified by a Note whic h limits the applicability of the Conditions to when the unit has not entered MODE2 following a refueling. ConditionA allows the turbine driven AFW train to be inoperable for 7days vice the 72hour Completion Time in ConditionB. This longer Completion Time is based on the reduced decay heat following refueling and prior to th e reactor being critical.
North Anna Units 1 and 2B 3.7.5-6Revision 37AFW System B 3.7.5BASESACTIONS(continued)
B.1With one of the required AFW trains (pump or flow path) inoperable in MODE1, 2, or3 for reasons other than ConditionA, action must be taken to restore OPERABLE status within 72hours.
This Condition includes the loss of two steam supply lines to the turbine driven AFW pump. The 72hour Completion Time is reasonabl e, based on redundant capabilities afforded by the AFW System, time needed for repairs, and the low
probability of a DBA occurr ing during this time period.The second Completion Time for Required ActionB.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any contiguous failure to meet this LCO.The 10day Completion Time provides a limitation time allowed in this specified Condition after disc overy of failure to meet the LCO. This limit is considered reasonable for situations in which ConditionsA andB are entered concurrently. The AND connector between 72hours and 10days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.
C.1 and C.2When Required ActionA.1 orB.1 cannot be completed within the required Completion Time, or if two AFW trains are inoperable in MODE1, 2, or3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4 within 18hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.In MODE4, when the steam generator is relied upon for heat removal, with two AFW trains inoperable, opera tion is allowed to continue because only one motor driven pump AFW train is required in accordance with the Note that modifies the LCO. Alt hough not required, the unit may continue to cool down and initiate RHR.
AFW System B 3.7.5BASESNorth Anna Units 1 and 2B 3.7.5-7Revision 46ACTIONS(continued)
D.1If all three AFW trains are inoperable in MODE1, 2, or3, the unit is in a seriously degraded condition with no safety related means for conducting a cooldown, and only limited means for conducting a cooldown with nonsafety related equipment. In such a condition, the unit should not be perturbed by any action, including a power change, that might result in a trip. The seriousness of this conditi on requires that action be started immediately to restore one AFW train to OPERABLE status.
Required ActionD.1 is modified by a Note indicating that all required MODE changes or power reductions required by the Technical
Specifications are suspended until one AFW train is restored to OPERABLE status. In this case, LCO3.0.3 is not applicable because it could force the unit into a less safe condition.
E.1In MODE4, either the reactor coolan t pumps or the RHR loops can be used to provide forced circulation. This is addressed in LCO3.4.6, "RCS Loops-MODE4." With the required AF W train inoperable, action must be taken to immediately restore the inoperable train to OPERABLE status. The immediate Completion Time is consistent with LCO3.4.6.SURVEILLANCE
REQUIREMENT
SSR3.7.5.1Verifying the correct alignment for manual, power operated, and automatic valves in the AFW System water a nd steam supply flow paths provides assurance that the proper flow paths will exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to
locking, sealing, or securi ng. This SR also does not apply to valves that cannot be inadvertently misaligne d, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of bein g mispositioned are in the correct position.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.7.5-8Revision 46AFW System B 3.7.5BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.7.5.2Verifying that each AFW pump's developed head at the flow test point is
greater than or equal to the require d developed head ensures that AFW
pump performance has not degraded during the cycle. Flow and differential head are normal tests of centrif ugal pump performance required by the ASME Code (Ref2). Because it is so metimes undesirable to introduce cold AFW into the steam generators while they are operating, this testing is
typically performed on recirculation flow. This test confirms one point on the pump design curve and is indicativ e of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance.
Performance of inservice testing disc ussed in the ASME Code (Ref. 2) (only required at 3 month intervals) satisfies this requirement.
This SR is modified by a Note indicat ing that the SR should be deferred until suitable test conditions are established. This deferral is required because there may be insufficient st eam pressure to perform the test.SR3.7.5.3 This SR verifies that AFW can be delivered to the appropriate steam generator in the event of any accident or transient that generates an ESFAS, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or si mulated actuation signal. This Surveillance is not required for valves that are lock ed, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that st ates the SR is not required in MODE 4. In MODE4, the heat removal requirements would be less providing more time for operator action to manually align the required valves.
AFW System B 3.7.5BASESNorth Anna Units 1 and 2B 3.7.5-9Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.7.5.4This SR verifies that the AFW pumps wi ll start in the even t of any accident or transient that generates an ESFAS by demonstrating that each AFW
pump starts automatically on an actual or simulated actuation signal in MODES1, 2, and3. In MODE4, the required pump's autostart function is not required. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.
This SR is modified by tw o Notes. Note 1 indicates that the SR be deferred until suitable test conditions are established. This deferral is required because there may be insufficient steam pressure to perform the test. Note 2 states that the SR is not required in MODE 4. In MODE 4, the heat removal requirements would be less providing more time for operator action to manually start the required AFW pump.SR3.7.5.5This SR verifies that the AFW is properly aligned by verifying the flow paths from the ECST to each steam generator prior to entering MODE3 after more than 30contiguous days in any combination of MODES 5, 6, or defueled. OPERABILITY of AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shut down. The Frequency is reasonable, based on engineering judgement and ot her administrative controls that ensure that flow paths remain OPERABLE. To further ensure AFW
System alignment, flow path OPERABILITY is verified following extended outages to determine no misa lignment of valves has occurred.
This SR ensures that the flow path fr om the ECST to the steam generators is properly aligned.REFERENCES1.UFSAR, Section10.4.3.2.2.ASME Code for Operation and Maintenance of Nuclear Power Plants.
Intentionally Blank North Anna Units 1 and 2B 3.7.6-1Revision0ECSTB 3.7.6B 3.7  PLANT SYSTEMSB 3.7.6Emergency Condensate Storage Tank (ECST)BASESBACKGROUNDThe ECST provides a safety grade source of water to the steam generators for removing decay and sensible heat from the Reactor Coolant System (RCS). The ECST provides a passive flow of water, by gravity, to the Auxiliary Feedwater (AFW) System (LCO3.7.5). The steam produced is released to the atmosphere by the main steam safety valves (MSSVs) or the steam generator power operated relief valves (SG PORVs). The AFW
pumps operate with a continuous recirculation to the ECST.
When the main steam trip valves are open, the preferred means of heat removal is to discharge steam to th e condenser by the nonsafety grade path of the steam dump valves. The condensed steam is returned to the hotwell and is pumped to the 300,000gallon conde nsate storage ta nk which can be aligned to gravity feed the ECST. Th is has the advantage of conserving condensate while minimizing releases to the environment.
Because the ECST is a principal com ponent in removing re sidual heat from the RCS, it is designed to with stand earthquakes a nd other natural phenomena, including missiles that might be generated by natural phenomena. The ECST is designed to Seismic CategoryI to ensure availability of the feedwater supply.
Feedwater is also available from alternate sources.A description of the ECST is found in the UFSAR, Section9.2.4 (Ref.1).APPLICABLE SAFETY ANALYSESThe ECST provides cooling water to remove decay heat and to cool down
the unit following all events in the ac cident analysis as discussed in the UFSAR, Chapters6 and15 (Refs.2 and3, respectively). For anticipated operational occurrences and accidents that do not affect the
OPERABILITY of the steam generators
, the analysis as sumption is 2 hours in MODE3, steaming through the MSSV s, followed by a 4 hour cooldown to residual heat removal (RHR) entr y conditions at the design cooldown rate.(continued)
North Anna Units 1 and 2B 3.7.6-2Revision 42 ECSTB 3.7.6BASESAPPLICABLE SAFETY ANALYSES(continued)
The limiting event for the condensate volume is the large feedwater line break coincident with a loss of offsite power. Single failures accommodated by the accident include the following:a.Failure of the diesel generator powering the motor driven AFW pump to one unaffected steam generator (requiring additional steam to drive the remaining AFW pump turbine); andb.Failure of the steam driven AFW pump (requiring a longer time for cooldown using only one mo tor driven AFW pump).
These are not usually the limiting fail ures in terms of consequences for these events.
A nonlimiting event considered in EC ST inventory determinations is a break in either the main feedwater or AFW line near where the two join. This break has the potential for dumping condensate until terminated by
operator action, since the Engineered Safety Features Actuation System (LCO3.3.2, ESFAS) starts the AFW system and would not detect a difference in pressure between the steam generators for this break location.
This loss of condensat e inventory is partially compensated for by the retention of steam generator inventory.
The ECST satisfies Criterion3 of 10CFR50.36(c)(2)(ii).LCOTo satisfy accident analysis assumptions, the ECST must contain sufficient cooling water to remove decay heat for 30minutes following a reactor trip from 100.37%RTP, and then to cool down the RCS to RHR entry conditions, assuming a coincident loss of offsite power and the most adverse single failure. In doing this, it must retain sufficient water to ensure adequate net positive suction head for the AFW pumps during cooldown, as well as account for any losses from the steam driven AFW pump turbine, or before isolating AFW to a broken line.
The ECST level required is equiva lent to a contained volume of 110,000gallons, which is based on holding the unit in MODE3 for 8hours, or maintaining the unit in MODE3 for 2hours followed by a 4hour cooldown to RHR entry (continued)
ECSTB 3.7.6BASESNorth Anna Units 1 and 2B 3.7.6-3Revision0 LCO(continued) conditions within the limit of 100F/hour. The basis for these times is established in the accident analysis.The OPERABILITY of the ECST is determined by maintaining the tank level at or above the minimum requi red level to ensure the minimum volume of water.APPLICABILITYIn MODES1, 2, and3, and in MODE4, when steam generator is being relied upon for heat removal, the ECST is required to be OPERABLE.In MODE5 or6, the ECST is not required because the AFW System is not required.ACTIONSA.1 and A.2 If the ECST is not OPERABLE, the OPERABILITY of the backup supply, the Condensate Storage Tank, should be verified by administrative means within 4hours and once every 12hours thereafter. OPERABILITY of the backup feedwater supply must include ve rification that the flow paths from the backup water supply to the AFW pumps are OPERABLE, and that the backup supply has the required volume of water available. The ECST must be restored to OPERABLE status within 7days, because the backup supply may be performing this function in addition to its normal functions. The 4hour Completion Time is reasonable, based on operating experience, to verify the OPERABILITY of the backup water supply. Additionally, verifying the backup water supply every 12hours is adequate to ensure the
backup water supply continues to be available. The 7day Completion Time is reasonable, based on an OP ERABLE backup water supply being available, and the low pr obability of an event oc curring during this time period requiring the ECST.
B.1 and B.2If the ECST cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4, without reliance on the steam
generator for heat removal, within 24hours. The allowed Completion Times are reasonable, based on operati ng experience, to reach the required unit conditions from full power conditions in an orderly manner and
without challenging unit systems.
North Anna Units 1 and 2B 3.7.6-4Revision 46 ECSTB 3.7.6BASESSURVEILLANCE REQUIREMENT
SSR3.7.6.1 This SR verifies that the ECST c ontains the required volume of cooling water. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.2.4.2.UFSAR, Chapter6.3.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.7.7-1Revision 20 Secondary Specific Activity B 3.7.7B 3.7  PLANT SYSTEMSB 3.7.7Secondary Specific ActivityBASESBACKGROUNDActivity in the secondary cool ant results from steam generator tube outleakage from the Reactor Coolant System (RCS). Under steady state conditions, the activity is primarily iodines with relatively short half lives and, thus, indicates current conditions. During transients, I-131spikes have been observed as well as increased re leases of some noble gases. Other fission product isotopes, as well as act ivated corrosion products in lesser amounts, may also be found in the secondary coolant.
A limit on secondary coolant speci fic activity during power operation minimizes releases to the envir onment because of normal operation, anticipated operational occurrences, and accidents.This limit is lower than the activity value that might be expected from a 1gpm tube leak (LCO3.4.13, "RCS Op erational LEAKAGE") of primary coolant at the limit of 1.0Ci/gm (LCO3.4.16, "RCS Specific Activity").
The steam line failure is assumed to result in the release of the noble gas and iodine activity contained in the steam generator inventory, the feedwater, and the reacto r coolant LEAKAGE. Most of the iodine isotopes have short half lives, (i.e., <20hours).
If the main steam safety valves (MSSVs) open for 2hours following a trip from full power with the specified activity limit, the resultant 2hour dose to a person at the exclusion area boundary (EAB) would be less than 0.033rem TEDE (the consequences of the design basis main steam line break accident).Operating a unit at the allowable limits could result in a 2hour EAB exposure at the Regulatory Guide1.183 (Ref.1) limits, or the limits established as the NRC staff approved licensing basis.
North Anna Units 1 and 2B 3.7.7-2Revision 20 Secondary Specific Activity B 3.7.7BASESAPPLICABLE SAFETY ANALYSESThe accident analysis of the main steam line break (MSLB), as discussed in the UFSAR, Chapter15 (Ref.2) assu mes the initial secondary coolant specific activity to have a radi oactive isotope concentration of 0.10Ci/gm DOSE EQUIVALENTI-131. This assumption is used in the analysis for determining the radiological consequences of the postulated accident. The accident analysis, based on this an d other assumptions, shows that the radiological consequences of an MSLB do not exceed the limits specified in Regulatory Guide1.183 (Ref.1).With the loss of offsite power, the remaining steam generators are available for core decay heat dissi pation by venting steam to the atmosphere through the MSSVs and steam generator power operated relief valves (SG PORVs). The Auxiliary Feedwater System supplies the necessary makeup to the steam generators. Venting continues until the reactor coolant temperature and pressure have decreased sufficie ntly for the Residual Heat Removal System to complete the cooldown.
In the evaluation of the radiological consequences of this accident, the activity released fro m the steam generator connected to the failed steam line is assumed to be released directly to the environment. The unaffected steam generator is assumed to discharge steam and any entrained activity through the MSSVs and SG PORV during the event. Since no credit is taken in the analysis for activity pl ateout or retention, the resultant radiological consequences represent a conservative estimate of the
potential integrated dose due to the postulated steam line failure.Secondary specific activity limits satisfy Criterion2 of 10CFR50.36(c)(2)(ii).
LCOAs indicated in the Applicable Safety Analyses, the specifi c activity of the secondary coolant is required to be 0.10Ci/gm DOSE EQUIVALENTI-131 to limit the radiol ogical consequences of a Design
Basis Accident (DBA) to the required limit (Ref.1).
Monitoring the specifi c activity of the secondary coolant ensures that when secondary specific activity limits ar e exceeded, appropriate actions are taken in a timely manner to place the unit in an operational MODE that
would minimize the radiologica l consequences of a DBA.
Secondary Specific Activity B 3.7.7BASESNorth Anna Units 1 and 2B 3.7.7-3Revision 46APPLICABILITYIn MODES1, 2, 3, and4, the limits on secondary specific activity apply due to the potential for secondary steam releases to the atmosphere.In MODES5 and6, the steam generators are not being used for heat removal. Both the RCS and steam generators are depressurized, and primary to secondary LEAKAGE is mi nimal. Therefore, monitoring of secondary specific activity is not required.ACTIONSA.1 and A.2DOSE EQUIVALENTI-131 exceeding the allowable value in the
secondary coolant, is an indication of a problem in the RCS and contributes
to increased post accident doses. If th e secondary specific activity cannot be restored to within limits within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.7.7.1 This SR verifies that the secondary specific activity is within the limits of the accident analysis. A gamma isotopic analysis of the secondary coolant, which determines DOSE EQUIVALENT I-131, confirms the validity of the safety analysis assumptions as to the source terms in post accident releases. It also serves to iden tify and trend any unusual isotopic concentrations that might indicate cha nges in reactor coolant activity or LEAKAGE. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.REFERENCES1.Regulatory Guide1.183, July2000.2.UFSAR, Chapter15.
Intentionally Blank North Anna Units 1 and 2B 3.7.8-1Revision 0SW System B 3.7.8B 3.7  PLANT SYSTEMSB 3.7.8Service Water (SW) SystemBASESBACKGROUNDThe SW System provides a heat sink for the removal of process and operating heat from safety relate d components during a Design Basis Accident (DBA) or tr ansient. During normal operation, and a normal shutdown, the SW System also provides this function for various safety related and nonsafety related component
: s. The safety related function is covered by this LCO.
The SW System is common to Units 1 and 2 and is designed for the simultaneous operation of various subsystems and components of both units. The source of cooling water for the SW System is the Service Water Reservoir. The SW System consists of two loops and components can be aligned to operate on either loop. Th ere are four main SW pumps taking suction on the Service Water Reservoir, supplying various components through the supply headers, and then returning to the Service Water
Reservoir through the return headers.
Eight spray arrays are available to provide cooling to the service water, as well as two winter bypass lines.
The isolation valves on the spray ar ray lines automatically open, and the isolation valves on the winter bypass lines automatically shut, following receipt of a Safety Inje ction signal. The main SW pumps are powered from the four emergency buses (two from each unit). There are also two
auxiliary SW pumps whic h take suction on North Anna Reservoir and discharge to the supply header. When the auxiliary SW pumps are in
service, the return header may be redirected to wast e heat treatment facility if desired. However, the auxiliary SW pumps are strictly a backup to the normal arrangement and are not cred ited in the analysis for a DBA.
During a design basis loss of coolant a ccident (LOCA) concurrent with a loss of offsite power to both units, one SW loop will provide sufficient
cooling to supply post-LOCA loads on one unit and shutdown and
cooldown loads on the other unit. During a DBA, the two SW loops are cross-connected at the recirculation spray (RS) heat exchanger supply and return headers of the accident unit. On a Safety Injection (SI) signal on
either unit, all four main SW pumps start and the system is aligned for Service Water Reservoir spray opera tion. On a contai nment high-high (continued)
North Anna Units 1 and 2B 3.7.8-2Revision 0 SW System B 3.7.8BASESBACKGROUND (continued) pressure signal the accident unit' s Component Cooling (CC) heat exchangers are isolated from the SW System and its RS heat exchangers are placed into service. All safety-r elated systems or components requiring cooling during an accident are cooled by the SW System, including the RS heat exchangers, main control ro om air conditioning condensers, and charging pump lubricating oil and gearbox coolers.
The SW System also provides cooling to the instrument air compressors, which are not safety-related, and the non-accident unit's CC heat exchangers, and serves as a bac kup water supply to the Auxiliary Feedwater System, the spent fuel pool coolers, and the containment recirculation air cooling coils. The SW System has sufficient redundancy
to withstand a single failure, including the failure of an emergency diesel generator on the affected unit.Additional information about the design and operation of the SW System, along with a list of the components se rved, is presented in the UFSAR, Section9.2.1 (Ref.1). The principal sa fety related function of the SW System is the removal of decay heat from the reactor fo llowing a DBA via the RS System.APPLICABLE SAFETY ANALYSESThe design basis of the SW System is for one SW loop, in conjunction with the RS System, to remove core deca y heat following a design basis LOCA as discussed in the UFSAR, Section6.2.2 (Ref.2). This prevents the
containment sump fluid from increasing in temperature, once the cooler RWST water has reached equilibrium wi th the fluid in containment, during the recirculation phase following a LOCA and provides for a gradual reduction in the temperature of this fl uid which is supplie d to the Reactor Coolant System by the ECCS pumps. The SW System also prevents the buildup of containment pressure from exceeding the containment design pressure by removing heat through the RS System heat exchangers. The SW System is designed to perform its function with a single failure of any
active component, assuming the loss of offsite power.
The SW System, in conjunction with the CC System, also cools the unit from residual heat removal (RHR), as discussed in the UFSAR, Section5.5.4, (Ref.3) entry conditions to MODE5 during normal and post accident operations. The time required for this evolution is a function of the number of CC and RHR System trains that are operating.
(continued)
SW System B 3.7.8BASESNorth Anna Units 1 and 2B 3.7.8-3Revision 14APPLICABLE SAFETY ANALYSES(continued)The SW System satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCOTwo SW loops are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident
heat loads, assuming that the worst case single active failure occurs coincident with the loss of offsite power.
A SW loop is considered OPERABLE during MODES1, 2, 3, and4 when:a.Eithera.1Two SW pumps are OPERABLE in an OPERABLE flow path; ora.2One SW pump is OPERABLE in an OPERABLE flow path provided two SW pumps are OPERABLE in the other loop and SW flow to the CC heat ex changers is throttled; andb.Eitherb.1Three spray arrays are OPERAB LE in an OPERABLE flow path; orb.2Two spray arrays are OPERABLE in an OPERABLE flow path, provided two spray arrays are OP ERABLE in the other loop; and the spray valves for the required OPERABLE spray arrays in both loops are secured in the accident position and power removed
from the valve operators; andc.The associated piping, valves, a nd instrumentation and controls required to perform the safety related function are OPERABLE.
A required valve directing flow to a spray array, bypass line, or other component is considered OPERABLE if it is capable of automatically
moving to its safety position or if it is administratively placed in its safety position.
North Anna Units 1 and 2B 3.7.8-4Revision 14 SW System B 3.7.8BASESAPPLICABILITYIn MODES1, 2, 3, and4, the SW System is a normally operating system that is required to support the OPER ABILITY of the e quipment serviced by the SW System and required to be OPERABLE in these MODES.In MODES5 and6, the OPERABILITY requirements of the SW System are determined by the systems it supports.ACTIONSA.1If one SWSystem loop is inoperable due to an inoperable SW pump, the flow resistance of the system mu st be adjusted within 72 hours by throttling component cooling water heat exchanger flows to ensure that
design flows to the RS System heat exchangers are achieved following an accident. The required re sistance is obtained by th rottling SW flow through the CC heat exchangers. In this configuration, a single failure disabling a
SW pump would not result in lo ss of the SW System function.
B.1 and B.2 If one or more SW System loops ar e inoperable due to only two SW pumps being OPERABLE, the flow resistance of the system must be adjusted within one hour to ensure that design flows to the RS System heat exchangers are achieved if no additional failures occur following an
accident. The required re sistance is obtained by th rottling SW flow through the CC heat exchangers. Two SW pumps aligned to one loop or one SW
pump aligned to each loop is capable of performing the safety function if CC heat exchanger flow is properly throttled. However, overall reliability is reduced because a single failure disabling a SW pump could result in loss of the SW System function. The one hour time reflects the need to minimize the time that two pumps ar e inoperable and CC heat exchanger flow is not properly throttled, but is a reasonable time based on the low probability of a DBA occurring during this time period.
Restoring one SW pump to OPERABLE status within 72 hours together with the throttling ensures that design flows to the RS System heat exchangers are achieved following an accident. The required resistance is obtained by throttling SW flow through the CC heat exchangers. In this configuration, a single failure disabling a SW pump would not result in loss of the SW System function.
SW System B 3.7.8BASESNorth Anna Units 1 and 2B 3.7.8-5Revision 14ACTIONS(continued)
C.1If one SW loop is inoperable for reasons other than ConditionA, action must be taken to restore th e loop to OPERABLE status.
In this Condition, the remaining OP ERABLE SW loop is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE SW loop could result in loss of SW System function. The inoperable SW loop is required to be restored to OPERABLE status within 72 hours unless the criteria for a 7 day Completion Time are met, as stated in the 72 hour Completion Time Note. The 7 day Completion Time applies if the three criteria in the 7 day Completion Time Note are met.The first criterion in the 7 day Completion Time Note states that the 7 day Completion Time is only applicable if the inoperability of one SW loop is part of SW System upgrades. Service Water System upgrades include modification and maintenance activities associated with the installation of new discharge headers and spray arrays, mechanical and chemical cleaning of SW System piping and valves, pipe repair and replacement, valve repair and replacement, installation of corrosion mitigation measures and inspection of and repairs to buried pi ping interior coatings and pump or valve house components. The second criterion in the 7 day Completion Time Note states that the 7 day Completion Time is only applicable if three SW pumps are OPERABLE from initial Condition entry, including one SW pump being allowed to not have automatic start capability. The third criterion in the 7 day Completion Ti me Note states that the 7 day Completion Time is only applicable if two auxiliary SW pumps are OPERABLE from initial Condition entry. The 72hour and 7day Completion Times are both based on the redundant capabilities afforded by the OPERABLE loop, and the low probab ility of a DBA occurring during this time period. The 7day Completion Time also credits the redundant capabilities afforded by three OPERABLE SW pumps (one without
automatic start capability) and tw o OPERABLE auxiliary SW pumps.
Changing the designation of the th ree OPERABLE SW pumps during the 7day Completion Time is allowed.
North Anna Units 1 and 2B 3.7.8-6Revision 14 SW System B 3.7.8BASESACTIONS(continued)
D.1 and D.2 If the SW pumps or loop cannot be re stored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours and in MODE5 within 36hours.The allowed Completion Times are reasonable, based on operating
experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.
E.1 and E.2 If two SW loops are inope rable for reasons other than only two SW pumps
being OPERABLE, the SW System ca nnot perform the safety function. With two SW loops inoperable, the CC System and, consequently, the Residual Heat Removal (RHR) Syst em have no heat sink and are inoperable. Twelve hours is allowed to enter MODE 4, in which the Steam Generators can be used for decay heat removal to maintain reactor temperature. Twelve hours is reasonabl e, based on operating experience, to reach MODE 4 from full power c onditions in an orderly manner and without challenging unit systems. Th e unit may then remain in MODE 4 until a method to further cool the units becomes available, but actions to determine a method and cool the uni t to a condition outside of the Applicability must be initiated wi thin one hour and continued in a reasonable manner and without delay un til the unit is brought to MODE 5.SURVEILLANCE
REQUIREMENT
SSR3.7.8.1 This SR is modified by a Note indi cating that the isolation of the SW System components or systems may render those components inoperable, but does not affect the OPERABILITY of the SW System.Verifying the correct alignment for manual, power operated, and automatic valves in the SW System flow path provides assurance th at the proper flow paths exist for SW System operation. This SR does not apply to valves that
are locked, sealed, or otherwise secure d in position, since they are verified to be in the correct posit ion prior to being locked, sealed, or secured. This SR does not require any testing or (continued)
SW System B 3.7.8BASESNorth Anna Units 1 and 2B 3.7.8-7Revision 46SURVEILLANCE REQUIREMENT
SSR3.7.8.1 (continued)valve manipulation; rather, it invol ves verification that those valves capable of being misposit ioned are in the correct position. This SR does not apply to valves that cannot be ina dvertently misaligned, such as check valves. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.SR3.7.8.2 This SR verifies proper automatic ope ration of the SW System valves on an actual or simulated actuation signal. The SW System is a normally operating system that cannot be fully actuated as part of normal testing.
This Surveillance is not required for valves that are locked, sealed, or
otherwise secured in the required pos ition under administrative controls.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.7.8.3This SR verifies proper automatic operation of the SW pumps on an actual or simulated actuation signal. The SW System is a normally operating system that cannot be fully actuated as part of normal te sting during normal operation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.2.1.2.UFSAR, Section6.2.2.3.UFSAR, Section5.5.4.
Intentionally Blank North Anna Units 1 and 2B 3.7.9-1Revision 0 UHSB 3.7.9B 3.7  PLANT SYSTEMSB 3.7.9Ultimate Heat Sink (UHS)BASESBACKGROUNDThe UHS provides a heat sink for processing and operating heat from safety related components during a transient or accident, as well as during normal operation. This is done by utilizing the Service Water (SW) System.
The ultimate heat sink is the Service Water Reservoir and its associated retaining structures, and is the norma l source of service water for Units 1 and 2.The Service Water Reservoir is locate d approximately 500 ft. south of the station site area. The Service Water Reservoir is adequate to provide sufficient cooling to permit simultaneous safe shutdown and cooldown of both units, and then maintain them in a safe-shutdown condition. Further, in the event of a design basis loss of coolant accident (LOCA) in one unit concurrent with a loss of offsite power to both units, the Service Water Reservoir is designed to provide suff icient water inventory to supply post-LOCA loads on one unit and shutdow n and cooldown loads on the other unit and maintain them in a safe-shutdown condition for at least 30days without makeup. After 30 days, makeup to the Service Water Reservoir is provided from the North Anna Reservoir as necessary to maintain cooling water inventory, ensuring a continued cooling capability. The Service Water Reservoir spray system is desi gned for operation of two units based on the occurrence of a LOCA on one unit with cooldown of the non-
accident unit and simultaneous loss of offsite power to both units.The two principal functions of the UHS are the dissipation of residual heat
after reactor shutdown, and dissipation of residual he at after an accident.
The North Anna Reservoir provides a backup source of service water using the auxiliary SW pumps, and can pr ovide makeup water to the Service Water Reservoir using the Circulating Water screen wash pumps, but is not credited for the DBA. The Lake Anna Dam impounds a lake with a surface area of 13,000acres and 305,000 acre-ft. of storage, at its normal- stage
elevation of 250 ft., along the channel of the North Anna River. The lake is normally used by the power station as (continued)
North Anna Units 1 and 2B 3.7.9-2Revision 0 UHSB 3.7.9BASESBACKGROUND (continued) a cooling pond for condenser circulating water. To improve the thermal performance of the lake, it has been divided by a series of dikes and canals into two parts. The larger, referred to as the North Anna Reservoir, is 9600 acres. The smaller part, called the waste heat treatment facility, is 3400 acres. When the North An na Reservoir is used by the SW System, water is withdrawn from the North Anna Reservoir and discharged to the waste heat treatment facility, though it is possible to discharg e water to the Service Water Reservoir.
The two sources of water are i ndependent, and each has separate, redundant supply and discharge headers. The only common points are the main redundant supply and discharge he aders in the service building where distribution to the components take s place. These common headers are encased in concrete.
Additional information on the design and operation of the system, along with a list of components served, can be found in Reference1.APPLICABLE SAFETY ANALYSESThe UHS is the sink for heat removed from the reactor core following all accidents and anticipate d operational occurrences in which the unit is cooled down and placed on residual heat removal (RHR) operation. Its
maximum post accident heat load occu rs in the first hour after a design basis LOCA. During this time, the Re circulation Spray (RS) subsystems
have started to remove the core decay heat.
The operating limits are based on conser vative heat transfer analyses for the worst case LOCA. The analyses provi de the details of the assumptions used in the analysis, which include worst expected meteorological conditions, conservative un certainties when calcula ting decay heat, and the worst case single active fail ure (e.g., single failure of an EDG). The UHS is designed in accordance with the Regulatory Guide1.27 (Ref.2) requirement for a 30day supply of cooling water in the UHS.
The UHS satisfies Criterion3 of 10CFR50.36(c)(2)(ii).
UHSB 3.7.9BASESNorth Anna Units 1 and 2B 3.7.9-3Revision 46 LCOThe UHS is required to be OPERABLE. The UHS is considered OPERABLE if it contains a sufficie nt volume of water at or below the maximum temperature that would allow the SW System to operate for at least 30days following the design ba sis LOCA without the loss of net positive suction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the SW System. To meet this condition, the Service Water Reservoi r temperature should not exceed 95F and the level should not fall below 313ft mean sea level during normal unit operation.APPLICABILITYIn MODES1, 2, 3, and4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES.In MODE5 or6, the OPERABILITY requirements of the UHS are determined by the systems it supports.ACTIONSA.1 and A.2 If the UHS is inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this st atus, the unit must be placed in at least MODE3 within 6hours and in MODE5 within 36hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.7.9.1 This SR verifies that adequate long term (30day) cooling can be maintained. The specified level also ensures that sufficient NPSH is available to operate the SW pumps. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.
North Anna Units 1 and 2B 3.7.9-4Revision 46 UHSB 3.7.9BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.7.9.2 This SR verifies that the SW System is available with the maximum accident or normal design heat loads for 30days following a Design Basis Accident. The Surveillance Frequency is based on operat ing experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.2.2.Regulatory Guide1.27, March, 1974.
North Anna Units 1 and 2B 3.7.10-1Revision 39 MCR/ESGR EVS B 3.7.10B 3.7  PLANT SYSTEMSB 3.7.10Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS)BASESBACKGROUNDThe MCR/ESGR Emergency Ventilation System (EVS) provides a protected environment from whic h occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke. The MCR/ESGR EVS consists of four 100% capacity redundant trains (2per unit) that can filter a nd recirculate air inside the MCR/ESGR envelope or supply filter ed makeup air to the MCR/ESGR envelope, and a MCR/ESGR boundary that limits the inleakage of unfiltered air. Each train consists of a heater, demister filter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorb er section for removal of gaseous activity (principally iodines), and a fan (Ref.1). Ductwork, valves,
dampers, doors, barriers, and instrument ation also form pa rt of the system. One EVS train is capable of performing the safety function of supplying outside filtered air. In the event of a Safety Injection (SI), the two MCR/ESGR EVS trains on the accident unit actuate automatically in recirculation. All availabl e trains of MCR/ESGR EVS start automatically on a fuel building radiation monitor signal or manual actuation of the MCR/ESGR Isolation Actuation Instrumentation. These trains can also be
aligned to provide filtered outside ai r when appropriate. Either train from the other unit can be manually actuate d to provide filtered outside air approximately 60minutes after the event. However, due to the location of the air intake for 1-HV-F-41, it can not be used to satisfy the requirements of LCO3.7.10. Two of the three remaining trains (1-HV-F-42, 2-HV-F-41, and 2-HV-F-42) are required for independence and redundancy.
The MCR/ESGR envelope is the area within the confines of the MCR/ESGR envelope boundary that contai ns the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses th e control room, and may encompass other non-critical areas to which frequent pers onnel access or continuous occupancy is not necessary in the event of an accident. The MCR/ESGR envelope is protected duri ng normal operation, natural (continued)
North Anna Units 1 and 2B 3.7.10-2Revision 39MCR/ESGR EVS B 3.7.10BASESBACKGROUND (continued) events, and accident conditions. Th e MCR/ESGR envelope boundary is the combination of walls, floor, r oof, ducting, doors, penetrations and equipment that physically form the MCR/ESGR envelope. The OPERABILITY of the MCR/ESGR envelope boundary must be maintained to ensure that the inleakage of unfiltered air into the
MCR/ESGR envelope will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to MCR/ESGR envelope occupants.
The MCR/ESGR envelope and its boundary are defined in the MCR/
ESGR Envelope Habitability
Program.Upon receipt of an actuating signal(s)
(i.e., SI, fuel building radiation monitors or manual), normal air supply to and exhaust from the MCR/ESGR envelope is is olated, and at least tw o trains of MCR/ESGR EVS receive a signal to actuate to recirculate air in the MCR/ESGR envelope. Approximately 60minutes after actuation of the MCR/ESGR Isolation Actuation Instrumentati on, a single MCR/ESGR EVS train is manually actuated or aligned to provide filtered outside air to the
MCR/ESGR envelope through HEPA filters and ch arcoal adsorbers. The demisters remove any entrained water droplets present, to prevent excessive moisture loading of the HEPA filters and charcoal adsorbers.
Continuous operation of each train for at least 10hours per month, with the heaters on, reduces moisture buildup on the HEPA filters and adsorbers. Both the demister a nd heater are important to the effectiveness of the HEPA filters and charcoal adsorbers.
Although not assumed in the Analysis of Record, pressurization of the MCR/ESGR envelope minimizes inf iltration of unfilt ered air through the MCR/ESGR envelope boundary from all the surrounding areas adjacent to the MCR/ESGR envelope boundary.
Redundant MCR/ESGR EVS supply and re circulation trains provide the required filtration of out side air should an ex cessive pressure drop develop across the other filter train.
(continued)
MCR/ESGR EVS B 3.7.10BASESNorth Anna Units 1 and 2B 3.7.10-3Revision 39BACKGROUND (continued)The MCR/ESGR EVS is designed in accordance with Seismic CategoryI requirements. Any of the actuation signal(s) will isolate the
MCR/ESGR envelope and start th e MCR/ESGR EVS trains for the affected unit in recirc ulation. Requiring two of the three MCR/ESGR EVS trains provides redundancy, assuring that at least one train is available to be realigned to provide filtered outside air.The MCR/ESGR EVS is designed to maintain a habitable environment in the MCR/ESGR envelope for 30da ys of continuous occupancy after a DBA without exceeding the control room operator dose limits of 10CFR50, AppendixA, GDC-19 (Ref.3
) for alternative source terms.APPLICABLE SAFETY ANALYSESThe MCR/ESGR EVS components ar e arranged in redundant, safety related ventilation trains. The loca tion of most components and ducting within the MCR/ESGR envelope ensure s an adequate supply of filtered air to all areas requiring access. Th e MCR/ESGR EVS pr ovides airborne radiological protection for the MCR/
ESGR envelope occupants, as
demonstrated by the MCR/ESGR envel ope accident dose analyses for the most limiting DBA (LOCA) fission product release presented in the UFSAR, Chapter15 (Ref.2). The accident analysis assumes that at least one train is aligned to provide filt ered outside air to the MCR/ESGR envelope approximately 60minut es after MCR/ESGR envelope isolation, but does not take any credit for automatic start of the trains in the recirculation mode or any filtration of recirculated air. Since the
MCR/ESGR EVS train associated with 1-HV-F-41 can not be used to provide filtered outside air (due to the location of its air intake with respect to Vent StackB), it can not be used to satisfy the requirements of LCO3.7.10.
The North Anna UFSAR describes potentially hazardous chemicals stored onsite in quantities greater than 100lb. These include hydrogen, sulfuric acid, sodium hydroxide, hydrazine, ethanolamine, and sodium hypochlorite. Evaluations for accidental release of these chemicals indicate that the worst-case concentr ations at the control room intake would be expected to be less than their (continued)
North Anna Units 1 and 2B 3.7.10-4Revision 51MCR/ESGR EVS B 3.7.10BASESAPPLICABLE SAFETY ANALYSES(continued)respective toxicity limit (Refs.1 and4). The assessment assumed no action being taken by the control room operator (i.e., normal or emergency supply system remains operating).
In the event of fire/smoke external to the MCR/ESGR envelope, equipment and procedures are availabl e to maintain habitability of the
control room. Smoke detectors are installed in the return ducts to the MCR Air-Handling Units (AHUs), in the near vicinity of the ESGR AHUs, and in the MCR/ESGR EVS supply ducts, as well as other numerous locations in the ESGRs a nd MCR. Smoke detectors are also installed in the MCR/ESGR chiller r ooms, which are ventilated with air from the Turbine Building, and the Mechanical Equipment rooms. If smoke is detected, the MCR/ESGR normal and EVS supply can be manually isolated. The fire response procedures provide direction for removing smoke from the MCR or ESGRs. (Ref.5)The SGTR analysis assumes MCR/ESGR envelope isolation occurs. An unfiltered MCR/ESGR inleakage of 250cfm is assumed, with filtered makeup air of 900cfm commencing at 1hour.For the remainder of the DBAs, MCR/ESGR envelope isolation is not assumed. Normal ventilation with 500cfm of additional inleakage is assumed. The safety analysis for a fuel handling accident (FHA) assumes isolation of th e MCR/ESGR envelope.
The worst case single active failure of a component of the MCR/ESGR EVS, assuming a loss of offsite power, does not impair th e ability of the system to perform its design function.
The MCR/ESGR EVS satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).
LCOTwo independent and redundant MCR/
ESGR EVS trains are required to be OPERABLE to ensure that at least one train is available to be manually aligned to provide outside filtered air to the MCR/ESGR envelope, if a single active failure disables one of the two required OPERABLE trains. Total system failu re, such as from a loss of both required EVS trains or from an inoperable MCR/ESGR envelope boundary, could result in exceeding the control room operator dose limits of 10CFR50, AppendixA, GDC-19 (Ref.3) for alternative source terms, in the event of a large radioactive release.
(continued)
MCR/ESGR EVS B 3.7.10BASESNorth Anna Units 1 and 2B 3.7.10-5Revision 39 LCO(continued)
The MCR/ESGR EVS is considered OPERABLE when the individual components necessary to limit MCR/ESGR envel ope occupant exposure are OPERABLE in the two required trains of the MCR/ESGR EVS.
1-HV-F-41 can not be used to satisfy the requirements of LCO3.7.10.
An MCR/ESGR EVS train is OP ERABLE when the associated:a.Fan is OPERABLE;b.Demister filters, HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions; andc.Heater, ductwork, valves, and dampers are OPERABLE, and air flow can be maintained.The MCR/ESGR EVS is shared by Unit1 and Unit2.In order for the MCR/ESGR EVS trai ns to be considered OPERABLE, the MCR/ESGR envelope boundary must be maintained such that the MCR/ESGR envelope occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence
analyses for DBAs, and that MC R/ESGR envelope occupants are protected from hazardous chemicals and smoke.
The LCO is modified by a Note allowing the MCR/ESGR envelope boundary to be opened intermittently under administrative controls. This Note only applies to openings in the MCR/ESGR envelope boundary
that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors the administrative control of the opening is performed by the person(s)
entering or exiting the area
. For other openings, th ese controls should be proceduralized and consist of stat ioning a dedicated individual at the opening who is in continuous communi cation with the operators in the MCR/ESGR envelope. This individua l will have a method to rapidly close the opening and restore the MCR/ESGR envelope boundary to a condition equivalent to the de sign condition when a need for MCR/ESGR isolation is indicated.
North Anna Units 1 and 2B 3.7.10-6Revision 39MCR/ESGR EVS B 3.7.10BASESAPPLICABILITYIn MODES1, 2, 3, and4, MC R/ESGR EVS must be OPERABLE to ensure that the MCR/ESGR envelope will remain habitable during and following a DBA.The MCR/ESGR EVS must be OPERABLE to respond to the release from a FHA involving recently irradiated fuel assemblies. The MCR/ESGR EVS is only required to be OPERABLE during fuel handling involving recently irradiated fuel assemblies (i.e., fuel assemblies that have occupied part of a critical reactor core within the previous 300hours) due to radioactive decay.ACTIONSA.1 When one required MCR/ESGR EVS tr ain is inoperable, for reasons other than an inoperable MCR/ESGR envelope boundary, action must be taken to restore OPERABLE status within 7days. In this Condition, the
remaining required OPERABLE MCR/ES GR EVS train is adequate to perform the MCR/ESGR envelope occupant protection function.
However, the overall reliability is reduced because a failure in the required OPERABLE EVS trains could result in loss of MCR/ESGR EVS function. The 7day Completion Time is based on the low
probability of a DBA occurring during this time period, a nd ability of the remaining trains to provide the required capability.
B.1, B.2, andB.3 If the unfiltered inleakage of potentially contaminated air past the MCR/ESGR envelope boundary and into the MCR/ESGR envelope can result in MCR/ESGR envelope occ upant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5rem total effect ive dose equivalent), or inadequate protection of MCR/ESGR envel ope occupants from hazardous chemicals or smoke, the MCR/ESGR envelope boundary is inoperable.
Actions must be taken to restore an OPERABLE MCR/ESGR envelope
boundary within 90 days. During th e period that the MCR/ESGR envelope boundary is considered inopera ble, action must be initiated to implement mitigating actions to lessen the effect on MCR/ESGR envelope occupants from the potential hazards of a radiological or
chemical event or a challenge from smoke. Actions must be taken within 24hours to verify that in the event of a DBA, the mitigating actions will ensure that MCR/ESGR envelope occupant (continued)
MCR/ESGR EVS B 3.7.10BASESNorth Anna Units 1 and 2B 3.7.10-7Revision 39ACTIONSB.1 (continued) radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA c onsequences, and that MCR/ESGR envelope occupants are protected from hazardous chemicals and smoke.
These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable MC R/ESGR envelope boundary) should be preplanned for implementati on upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24hour Completion Time is reasonable base d on the low probability of a DBA
occurring during this time period, a nd the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions wi ll ensure protection of MCR/ESGR envelope occupants within analyzed limits while limiting the probability that MCR/ESGR envelope occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the MCR/ESGR envelope boundary.
C.1 and C.2In MODE1, 2, 3, or4, if the inopera ble required MCR/ESGR EVS train or the inoperable MCR/ESGR envel ope boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk. To achieve this
status, the unit must be placed in at least MODE3 within 6hours, and in MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems.
D.1.1, D.1.2, and D.2During movement of recently irradiated fuel, if the inoperable MCR/ESGR EVS train cannot be restor ed to OPERABLE status within the required Completion Time, the MCR/ESGR envelope must be isolated immediately and the rema ining OPERABLE MCR/ESGR train placed in service within one hour. These actions will ensure that the
MCR/ESGR envelope is in a conf iguration that would protect the occupants from radioactive expos ure consistent with the DBA assumptions and ensure that any active failures w ould be readily detected.
North Anna Units 1 and 2B 3.7.10-8Revision 46MCR/ESGR EVS B 3.7.10BASESACTIONSD.1.1, D.1.2, and D.2 (continued)
An alternative to Required Action D.1 is to immediately suspend activities that present a potential fo r releasing radioactivity that might require isolation of the control room
. This places the unit in a condition that minimizes accident risk. This does not preclude the movement of fuel to a safe position.
E.1During movement of recently irradiated fuel assemblies, if a required train of MCR/ESGR EVS train becomes inoperable due to an inoperable MCR/ESGR envelope boundary or two required MCR/ESGR EVS trains inoperable, action must be ta ken immediately to suspend activities that could result in a release of radi oactivity that might require isolation of the control room. This places the unit in a condition that minimizes
risk. This does not preclude the move ment of fuel to a safe position.
F.1When two required MCR/ESGR EVS trains are inoperable in MODE1, 2, 3, or4 for reasons other than an inoperable MCR/ESGR envelope boundary (i.e., ConditionB), the MCR/
ESGR EVS may not be capable of performing the intended function a nd the unit is in a condition outside the accident analyses. Therefore, LCO3.0.3 must be entered immediately.SURVEILLANCE
REQUIREMENTSSR3.7.10.1Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on the MCR/ESGR EVS are not too se vere, testing each required train once every month provides an adequate check of this system. Monthly
heater operations dry out any moisture accumulated in the charcoal and HEPA filters from humidity in the ambient air. Each required train must be operated for 10continuous hours with the heaters energized. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
MCR/ESGR EVS B 3.7.10BASESNorth Anna Units 1 and 2B 3.7.10-9Revision 39SURVEILLANCE REQUIREMENTS (continued)SR3.7.10.2This SR verifies that the required MCR/ESGR EVS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing the performance of the demister filter, HEPA filter, charcoal adsorber efficiency, minimum and maximum flow rate, and the physical properties of the activated charcoal. Specific test
Frequencies and additiona l information are discus sed in detail in the VFTP.SR3.7.10.3 Not Used SR3.7.10.4 This SR verifies the OPERABIL ITY of the MCR/ESGR envelope boundary by testing for unfiltered ai r inleakage past the MCR/ESGR envelope boundary and into the MCR/ES GR envelope. The details of the testing are specified in the MCR/ES GR Envelope Habitability Program.
The MCR/ESGR envelope is considered habitable when the radiological dose to MCR/ESGR envel ope occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem TEDE and the MCR/ESGR envelope occupants are protected from hazardous
chemicals and smoke. This SR verifies that the unfiltered air inleakage into the MCR/ESGR envelope is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, ConditionB must be entered. Required ActionB.3 allows time to restore the MCR/ESGR envelope boundary to OPERABLE stat us provided mitigating actions can ensure that the MCR/ESGR envelope remains within the licensing basis habitability limits for the occupants following an accident.
Compensatory measures are discussed in Regulatory Guide1.196, SectionC.2.7.3, (Ref.6) which endorses, with exceptions, NEI 99-03, Section8.4 and AppendixF (Ref.7).
These compensatory measures may also be used as mitigating actions as required by Required ActionB.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref.8). Options for restoring the MCR/ESGR envelope boundary to OPERABLE status include changing the licensing basis DBA consequence analysis,
repairing the MCR/ESGR envelope boundary, or a combination of these actions.(continued)
North Anna Units 1 and 2B 3.7.10-10 Revision 39MCR/ESGR EVS B 3.7.10BASESSR3.7.10.4 (continued)
Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the
MCR/ESGR envelope boundary has been restored to OPERABLE status.REFERENCES1.UFSAR, Section6.4.2.UFSAR, Chapter15.3.10CFR50, AppendixA.
4.Control Room Habitability Study (Supplement to 1980 Onsite Control Room Habitability Study - North Anna Power Station Units1 and2, January1982.5.Letter from L.N. Hartz (Virgini a Electric and Power Company) to the USNRC, dated March3,2004, Response to Generic Letter2003-01, "Control Room Habitability - Control Room Testing & Technical Information."6.Regulatory Guide1.196.
7.NEI99-03, "Control Room Habitability Assessment," June2001.8.Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January30,2004, "NEI Draft White Paper, Use of Generic Letter91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No.ML040300694)
North Anna Units 1 and 2B 3.7.11-1Revision 15 MCR/ESGR ACSB 3.7.11B 3.7  PLANT SYSTEMSB 3.7.11Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning System (ACS)BASESBACKGROUNDThe MCR/ESGR ACS provides cooling for the MCR/ESGR envelope following isolation of the MCR/ES GR envelope. The MCR/ESGR ACS also provides cooling for the MCR/
ESGR envelope during routine unit operation.
The MCR/ESGR ACS consists of two independent and redundant subsystems that provide cooling of MCR/ESGR envelope air. Each subsystem consists of tw o air handling units (one for the MCR and one for the ESGR), one chiller in one subsystem and two chillers in the other, valves, piping, instrumentation, and controls to provide for MCR/ESGR envelope cooling. One subsystem has one chiller, the other has two chillers, either of which can be used by that subsystem, but which are not electrically independent from each other.The MCR/ESGR ACS is an emergency system, parts of which may also operate during normal unit op erations. A single subs ystem will provide the required cooling to maintain the MCR/ESGR envelope within design limits. The MCR/ESGR ACS operation in maintaining the MCR/ESGR
envelope temperature is discussed in the UFSAR, Section9.4 (Ref.1).APPLICABLE SAFETY ANALYSESThe design basis of the MCR/ESGR ACS is to maintain the MCR/ESGR envelope temperature within limits for 30days of continuous occupancy
after a DBA.
The MCR/ESGR ACS components ar e arranged in redundant, safety related subsystems. During emergency operation, the MCR/ESGR ACS maintains the temperature within desi gn limits. A single active failure of a component of the MCR/ESGR ACS, with a loss of offsite power, does not impair the ability of the system to perform its design function. The MCR/ESGR ACS is designed in accordance with Seismic CategoryI requirements. The MCR/ESGR ACS is capable of removing sensible and latent heat loads from the M CR/ESGR envelope, which include consideration of equipment heat loads and personnel occupancy requirements, to ensure equipment OPERABILITY.
(continued)
North Anna Units 1 and 2B 3.7.11-2Revision 20 MCR/ESGR ACSB 3.7.11BASESAPPLICABLE SAFETY ANALYSES(continued)
The MCR/ESGR ACS satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCOTwo independent and redundant subsystems of the MCR/ESGR ACS, providing cooling to the unit ESGR and associated portion of the MCR, are required to be OPERABLE to ensure that at least one is available, assuming a single failure disabling the other subsystem. Total system failure could result in the equipment operating temperature exceeding limits in the event of an accident.
The MCR/ESGR ACS is considered to be OPERABLE when the individual components necessary to c ool the MCR/ESGR envelope air are OPERABLE in both required subsystems
. Each subsystem consists of two air handling units (one for the MCR and one for the ESGR), one chiller,
valves, piping, instrumentation and c ontrols. The two subsystems provide air temperature cooling to the por tion of the MCR/ESGR envelope associated with the unit. In a ddition, an OPERABLE MCR/ESGR ACS must be capable of maintaining air circulation. An MCR/ESGR ACS subsystem does not have to be in operation to be considered OPERABLE.
The MCR/ESGR ACS is considered OPERABLE when it is capable of being started by manual actions within 10minutes. The time of 10minutes is based on the time required to start the system manually following
required testing.APPLICABILITYIn MODES1, 2, 3, and4, and during movement of recently irradiated fuel assemblies, the MCR/ESGR ACS must be OPERABLE to ensure that the MCR/ESGR envelope temperature wi ll not exceed equipment operational requirements following isolation of the MCR/ESGR envelope. The MCR/ESGR ACS is only required to be OPERABLE during fuel handling involving handling recently i rradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 300 hours), due to radioactive decay.ACTIONSA.1With one or more required MCR/ESGR ACS subsystem inoperable, and at
least 100% of the MCR/ESGR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available, action must be taken to restore OPERABLE status within 30days. In (continued)
MCR/ESGR ACSB 3.7.11BASESNorth Anna Units 1 and 2B 3.7.11-3Revision 20ACTIONSA.1 (continued) this Condition, the remaining OPERAB LE MCR/ESGR ACS subsystem is adequate to maintain the MCR/ESGR envelope temperature within limits.
However, the overall reliability is reduced because a single failure in the OPERABLE MCR/ESGR ACS subsys tem could result in loss of MCR/ESGR ACS function. The 30day Completion Time is based on the
low probability of an event requiring MCR/ESGR envelope isolation, the consideration that the remaining subsystem can provide the required protection, and that alternate safety or nonsafety related cooling means are available.
The LCO requires the OPERABILIT Y of a number of independent components. Due to the redundancy of subsystems and the diversity of components, the inoperability of one active component in a subsystem does not render the MCR/ESGR ACS incap able of performing its function. Neither does the inoperability of two different components, each in a different subsystem, necessarily result in a loss of function for the
MCR/ESGR ACS (e.g., an inoperable chiller in one subsystem, and an
inoperable air handler in the other). This allows increased flexib ility in unit operations under circumstances when components in opposite subsystems are inoperable.
B.1 and B.2In MODE1, 2, 3, or4, if the inoperable MCR/ESGR ACS subsystem cannot be restored to OPERABLE st atus within the required Completion Time, the unit must be placed in a MODE that minimizes the risk. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems.
C.1 and C.2 During movement of recen tly irradiated fuel, if the required inoperable MCR/ESGR ACS subsystems cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE MCR/ESGR ACS subsystem must be placed in operation immediately. This action ensures that the remaining subsystem is OPERAB LE and that active failures will be readily detected.
(continued)
North Anna Units 1 and 2B 3.7.11-4Revision 46 MCR/ESGR ACSB 3.7.11BASESACTIONSC.1 and C.2 (continued)An alternative to Required ActionC.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the MCR/ESGR envelope. This places the unit in a condition that minimizes accident risk. This doe s not preclude the movement of fuel to a safe position.
D.1During movement of recently irradiated fuel assemblies, with less than 100% of the MCR/ESGR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the MCR/ESGR e nvelope. This places the unit in a condition that minimizes ri sk. This does not preclude the movement of fuel to a safe position.
E.1With less than 100% of the MCR/ES GR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available in MODE1, 2, 3, or4, the MCR/ESGR ACS may not be capable of performing its intended function. Therefore, LCO3.0.3 must be entered immediately.SURVEILLANCE
REQUIREMENT
SSR3.7.11.1 This SR verifies that the heat rem oval capability of any one of the three chillers for the unit is sufficient to remove the heat load assumed in the safety analyses in the MCR/ESGR envelope. This SR consists of a combination of testing and calculat ions. The Surveill ance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Section9.4.
North Anna Units 1 and 2B 3.7.12-1Revision 45 ECCS PREACS B 3.7.12B 3.7  PLANT SYSTEMSB 3.7.12Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System (PREACS)BASESBACKGROUNDThe ECCS PREACS filters ai r from the area of the active ECCS components during the reci rculation phase of a loss of coolant accident (LOCA). The ECCS PREACS, in conjunction with other normally operating systems, also provides envir onmental control of temperature in the ECCS pump room areas.The charging/high head safety injecti on pump motors have internal fans that provide design cooling requireme nts without reliance on the central exhaust fans. The associated equipment in the Safeguards Building, Low Head Safety Injection (LHSI) and Outside Recirculat ion Spray (OSRS) pumps, remain operable for at least 60minutes without the safeguards exhaust fans in service.
The ECCS PREACS consists of two subsystems, the Safeguards Area Ventilation subsystem and the A uxiliary Building Central Exhaust subsystem. There are two redundant trains in the Safeguards Area Ventilation subsystem. Each train of the Safeguards Area Ventilation subsystem consists of one Safeguards Area exhaust fan, prefilter, and high efficiency particulate air (HEPA) filte r and charcoal adsorber assembly for removal of gaseous activit y (principally iodines) (shared with the other unit), and controls for the Safegua rds Area exhaust filter and bypass
dampers. Ductwork, valves or dampers, and instrumentation also form part of the subsystem. The subsystem automatically initiates f iltered ventilation of the safeguards pump room followi ng receipt of a Containment Hi-Hi signal from the affected unit.
The Auxiliary Building Central exhaust subsystem consists of the following: three redundant central area exhaust fans (shared with other
unit), two redundant filter banks consisting of HEPA filter and charcoal adsorber assembly for removal of gase ous activity (principally iodines)
(shared with the other unit), and two redundant trains of controls for the Auxiliary Building Central exhaust subsystem filter (continued)
North Anna Units 1 and 2B 3.7.12-2Revision 45 ECCS PREACS B 3.7.12BASESBACKGROUND (continued) and bypass dampers (shared with the other unit). Ductwork, valves or dampers, and instrumentation also form part of the subsystem. The subsystem initiates filtered ventilation of the charging pump cubicles following manual actuation.
The Auxiliary Building filter banks are shared by the Safeguards Area Ventilation subsystem and the A uxiliary Building Central Exhaust subsystem. Either Auxili ary Building filter bank ma y be aligned to either ECCS PREACS train. These filter banks are also used by the Auxiliary Building General area exhaust, fuel building exhaust, decontamination
building exhaust, and containment purge exhaust.
One Safeguards Area exhaust fan is normally operating and dampers are aligned to bypass the HEPA filters and charcoal adsorbers. During emergency operations, the ECCS PREACS dampers are realigned to begin filtration. Upon r eceipt of the actuating Engi neered Safety Feature Actuation System signal(s), normal air discharges from the Safeguards
Area room are diverted through the filter banks. Two Auxiliary Building Central Exhaust fans are normally operating. Air discharges from the Auxiliary Building Central Exhaust ar ea are manually diverted through the filter banks. Required Safeguards Ar ea and Auxiliary Building Central
Exhaust area fans are manually actuated if they are not already operating. The prefilters remove any large partic les in the air to prevent excessive loading of the HEPA filters and charcoal adsorbers.
The ECCS PREACS is discussed in the UFSAR, Section9.4 (Ref.1) and it may be used for normal, as well as post accident, atmospheric cleanup functions. The primary purpose of the heaters is to maintain the relative humidity at an acceptable level during normal operations, generally consistent with iodine removal efficiencies per Regulatory Guide1.52 (Ref.3). The heaters are not requi red for post-accident conditions.APPLICABLE SAFETY ANALYSESThe design basis of the ECCS PREACS is established by the large break
LOCA. The system evaluation as sumes ECCS leakage outside containment, such as safety in jection pump leakage, during the recirculation mode. In such a case, if ECCS leakage exceeds certain levels, the system is required in order to limit radioactive release to within the control room operator dose limits of 10CFR50, AppendixA, GDC-19 (continued)
ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-3Revision 45APPLICABLE SAFETY ANALYSES (continued)(Ref.4) for alternative source terms. The analysis of the effects and consequences of a large break LOCA is presented in Reference2. The
ECCS PREACS also may actuate foll owing a small brea k LOCA, in those cases where the ECCS goes into the recirculation mode of long term cooling, to clean up releases of smalle r leaks, such as from valve stem packing. The analyses assume the fi ltration by the ECCS PREACS does not begin for 60minutes following an accident.
The ECCS PREACS satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCOTwo redundant trains of the ECCS PREACS are required to be OPERABLE to ensure that at least one is available. Total system failure could result in elevated temperatures within the Safeguards Area, or in exceeding the control room operator dose limits of 10CFR50, AppendixA, GDC-19 (Ref.4) for alternative source terms.
ECCS PREACS is considered OPERABLE when the individual components necessary to maintain th e ECCS pump room ventilation and filtration are OPERAB LE in both trains.
An ECCS PREACS train is considered OPERABLE when its associated:a.Safeguards Area exhaust fan is OPERABLE;b.One Auxiliary Building HEPA filter and charcoal adsorber assembly (shared with the other unit) is OPERABLE;c.One Auxiliary Building Central exhaust system fan (shared with other unit) is OPERABLE;d.HEPA filter and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions; ande.Ductwork, valves, and dampers are OPERABLE.
Safeguards Area and Auxiliary Building Central exhaust will fail safe to the FILTER position upon loss of power or instrument air. Dampers are considered OPERABLE if capable of moving to the safety position, or if administratively placed in the accident position.
(continued)
North Anna Units 1 and 2B 3.7.12-4Revision 45 ECCS PREACS B 3.7.12BASESLCO(continued)
Portions of ECCS PREACS may be removed from serv ice (e.g., tag out fans, open ductwork, etc.), in orde r to perform required testing and
maintenance. The system is OPERABLE in this condition if it can be
restored to service and perform its function within 60minutes following an accident.
In addition, the required Safeguards Area and charging pump cubicle boundaries for charging pumps not isol ated from the Reactor Coolant System must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors, except for those openings which are left open by design, including charging pump ladder wells.
The LCO is modified by a Note a llowing the ECCS pump room boundary openings not open by design to be opened intermittently under administrative controls. For entry a nd exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for ECCS pump room isolation is indicated.APPLICABILITYIn MODES1, 2, 3, and4, th e ECCS PREACS is required to be OPERABLE consistent with the OPERABILITY requirements of the
ECCS.In MODE5 or6, the ECCS PREACS is not required to be OPERABLE since the ECCS is not required to be OPERABLE.ACTIONSA.1With one ECCS PREACS train inopera ble for reasons other than Condition B (for example, insufficient ventilati on exhaust flow rate), action must be taken to restore OPERABLE status within 7days. During this time, the remaining OPERABLE train is adequa te to perform the ECCS PREACS function.The 7day Completion Time is appropria te because the risk contribution is less than that for the ECCS (72hour Completion Time), and there are backup ventilation systems for thes e ECCS pump rooms available to provide cooling as (continued)
ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-5Revision 45ACTIONSA.1 (continued)needed. The 7day Completion Time is based on the low probability of a Design Basis Accident (DBA) occu rring during this time period, and ability of the remaining train to provide the required capability.With two ECCS PREACS trains in operable for reas ons other than Condition C or D, LCO3.0.3 must be entered immediately.
B.1.1, B.1.2, and B.1.3With one ECCS PREACS train inoper able due to loss of its filtration capability, action must be taken wi thin one hour to determine if the filtration capability is required (ActionB.1.1). This is determined based on comparing the most recent ECCS system operational leakage log value against design basis unfiltered leakage assumptions. If the current total ECCS leakage is less than the maximum allowable unfiltered leakage assumed in the design bases, then the filtration capability of ECCS
PREACS is not required and an extende d period to restore operability can be applied. The value for "maximum allowable unfiltered ECCS leakage"
is documented in the UFSAR (reference 6). During this time, both trains remain operable to perform the ventilation exhaust/cool ing function. (For example, a problem with th e filter itself or its housing affects a single train, and both trains remain operable to perform the ventilation function using either the flow path of the remaining filter or the flow path of the bypass ductwork.)
The action to restore the inoperable train's filtration to operable status within 30days (ActionB.1.3) is reasonable, consistent with:(a)the dose analysis shows that no filtration function is required when ECCS leakage is less than the maximum allowable unfiltered leakage,(b)significant margin exists betwee n operating limits and actual dose limits,(c)the time necessary to complete repairs on the filter assembly and/or associated dampers may be significant, and(d)the other train of ECCS filtra tion remains operable to perform its intended safety function if needed.
(continued)
North Anna Units 1 and 2B 3.7.12-6Revision 45 ECCS PREACS B 3.7.12BASESACTIONSB.1.1, B.1.2, and B.1.3 (continued)
In addition, ECCS leakage is requir ed to be monitored by walking down the areas every 12hours in order to determine whether or not filtration capability is required (ActionB.1.2). Establishing monitoring on a 12hour frequency is based on operating history, which i ndicated that a sudden change in ECCS leakage is not expected, and the conservatisms in the design basis dose calculations.
B.2If total ECCS leakage is equal to or greater than the maximum allowable unfiltered leakage limit then the filt ration capability of ECCS PREACS is required and actions must be taken to restore Operability of the filter within
seven days consistent with an inop erable PREACS train for any other reason.C.1.1, C.1.2, and C.1.3 If two ECCS PREACS trains are inopera ble due to loss of their filtration capability, action must be taken w ithin one hour to determine if the filtration capability is required (ActionC.1.1). This is determined based on the Unit's operational ECCS leakage. If the current total ECCS leakage is less than the maximum allowable unfiltered leakage, then the filtration
capability of ECCS PREACS is not immediately required and an extended period to restore operability can be applied. During this time, both trains
remain operable to perform the ventil ation exhaust/cooling function. Both trains of ECCS PREACS may be made inoperable without affecting the ventilation exhaust function by potenti al problems such as an inoperable bypass damper or a charcoal adsorber issue.
If the filtration capability of ECCS PREACS is not required, actions to restore the filtration function and rest ore at least one inoperable train to operable status within 14days (ActionC.1.3) are reasona ble, consistent with:(a)the dose analysis shows that no filtration is required when ECCS leakage is less than the maximum allowable unfiltered leakage,(b)significant margin exists betw een operating limits and actual dose limits,(continued)
ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-7Revision 45ACTIONSC.1.1, C.1.2, and C.1.3 (continued)(c)operating history indi cates that a sudden cha nge in ECCS leakage to greater than the maximum allowable unfiltered leakage is not expected,(d)the time necessary to complete repairs on the filter assembly and/or associated dampers may be significant, and(e)unnecessary two-unit shut down has associated risks.
In addition, ECCS leakage is requir ed to be monitored by walking down the areas every 12hours in order to determine whether or not filtration capability is required (ActionC.l.2)
. Establishing monitoring on a 12hour frequency is based on operating history, which indicated that a sudden change in ECCS leakage is not expected, and the conservatisms in the
design basis dose calculations.
C.2If total ECCS leakage is equal to or greater than the maximum allowable unfiltered leakage limit then the filtration capability of ECCS PREACS is
required and actions must be taken to restore Operability of at least one train within sixty minutes, consistent with the dose analysis. The analysis assumes the filtration by PREACS does not begin for sixty minutes following an accident (see Applicable Safety Analyses).
D.1.1, D.1.2, and D.1.3 Breaching an ECCS pump room boundary would affect the filtration function of both trains of ECCS PR EACS, since the exhaust system may not be able to maintain a negative pressure on the boundary. However, the ventilation/cooling function would not be affected since the charging pump motors have internal fans that provi de design cooling re quirements without reliance on the central exhaust fans
, and the Safeguards Area boundaries are to the exterior atmosphere. Since the inlet to the exhaust ductwork in each pump cubicle in Safeguards is located just above the motor, cooler
outside air entering through a breach in a cubicle or the building general area (e.g., the outside door), would even tually be drawn into the cubicle, and out by the exhaust system. Thus, the ventilation and cooling function will not be affected by boundary breaches.
(continued)
North Anna Units 1 and 2B 3.7.12-8Revision 45 ECCS PREACS B 3.7.12BASESACTIONSD.1.1, D.1.2, and D.1.3 (continued)
If two ECCS PREACS trains are inope rable due to loss of the pump room boundary, action must be taken within one hour to determine if the filtration capability is required (ActionD.1.1). This is determined based on the Unit's operational ECCS leakage. If the current total ECCS leakage is
less than the maximum allowable unfiltered leakage, then the filtration
capability of ECCS PREACS is not immediately required and an extended period to restore operability can be applied. During th is time, the ability to perform the ventilation exhaust/cooling function remains unaffected.
If the filtration capability of ECCS PREACS is not required, actions to restore the filtration function and rest ore the boundary to operable status within 14days (ActionD.l.3) are reasonable, consistent with:(a)the dose analysis shows that no filtration is required when ECCS leakage is less than the maximum allowable unfiltered leakage,(b)significant margin exists betw een operating limits and actual dose limits,(c)operating history indi cates that a sudden chan ge in ECCS leakage to greater than the maximum allo wable unfiltered leakage is not expected, and(d)the time necessary to complete repairs and perform required testing may be significant.
In addition, ECCS leakage is requir ed to be monitored by walking down the areas every 12 hours in order to determine whether or not filtration capability is required (Action D.1.2)
. Establishing monitoring on a 12 hour frequency is based on operating history, which i ndicated that a sudden change in ECCS leakage is not expected, and the conservatisms in the design basis dose calculations.
D.2If total ECCS leakage is equal to or greater than the maximum allowable unfiltered leakage limit then the filt ration capability of ECCS PREACS is
required and actions must be taken to restore an operable ECCS pump room boundary within 24hours. Duri ng the period that the ECCS pump room boundary (continued)
ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-9Revision 46ACTIONSD.2 (continued) is inoperable, appropriate compensato ry measures consistent with the intent of GDC19 should be utilized to protect control r oom operators from potential hazards such as radioactive contamination. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24hour Completion Time is reasonable based on the low probabilit y of a DBA occurring during this time period, and the use of compensatory measures. The 24hour Completion Time is a typically reas onable time to diagnose, plan and possibly repair, and test most pr oblems with the ECCS pump room boundary.
E.1 and E.2 If the ECCS PREACS tr ain(s) or ECCS pump room boundary cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit
conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.7.12.1Standby systems should be checked periodically to ensure that they function properly. As the environment and norma l operating conditions on this system are not severe, testi ng each train once a month provides an adequate check on this system. Mont hly heater operations dry out any moisture that may have accumulated in the charcoal and HEPA filters from humidity in the ambient air. The system must be operated 10 continuous hours with the heaters energized. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
North Anna Units 1 and 2B 3.7.12-10 Revision 46 ECCS PREACS B 3.7.12BASESSURVEILLANCE REQUIREMENT
S (continued)SR3.7.12.2This SR verifies that Safeguards Ar ea exhaust flow and Auxiliary Building Central Exhaust subsystem flow, when actuated from the control room, diverts flow through the Auxiliary Building HEPA filter and charcoal adsorber assembly for the operating train. Exhaust flow is diverted
manually through the filters in case of a DBA requiring their use. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.7.12.3 This SR verifies that the required ECCS PREACS testi ng is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorbers efficiency, minimum system flow rate, and the ph ysical properties of the activated charcoal (general use and following specific operations). Specific test Frequencies and additional information are discussed in detail in the VFTP.SR3.7.12.4 This SR verifies that Safeguards Area exhaust flow for the operating Safeguards Area fan is diverted th rough the filters on an actual or simulated actuation signal. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.7.12.5 This SR verifies the integrity of the ECCS pump room enclosure. The ability of the ECCS pump room to ma intain a negative pressure, with respect to potentially uncontaminated ad jacent areas, is periodically tested in a qualitative manner to verify pr oper functioning of each train of the ECCS PREACS. During the post accide nt mode of operation, the ECCS PREACS is designed to maintain a sl ight negative pressure in the ECCS pump room, with respect to adjacent areas, to prevent unfiltered LEAKAGE. A single train of ECCS PREACS is designed to maintain a negative pressure relative to adjacent areas. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Section9.4.2.UFSAR, Section15.4.3.Regulatory Guide1.52 (Rev.2).
4.10CFR50, AppendixA.
ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-11Revision 455.NUREG-0800, Rev.2, July1981.6.UFSAR, Figure15.4-110 Intentionally Blank North Anna Units 1 and 2B 3.7.13-1Revision 39 B 3.7.13B 3.7  PLANT SYSTEMSB 3.7.13Not Used Intentionally Blank North Anna Units 1 and 2B 3.7.14-1Revision 39 B 3.7.14B 3.7  PLANT SYSTEMSB 3.7.14Not Used Intentionally Blank North Anna Units 1 and 2B 3.7.15-1Revision 20 FBVSB 3.7.15B 3.7  PLANT SYSTEMSB 3.7.15Fuel Building Vent ilation Syst em (FBVS)BASESBACKGROUNDThe FBVS discharges airborne radioactive particul ates from the area of the fuel pool following a fuel handling accident. The FBVS, in conjunction with other normally operating systems, also provides environmental control of temperature and hum idity in the fuel pool area.
The FBVS consists of duc twork, valves and damper s, instrumentation, and two fans.
The FBVS, which may also be operated during normal plant operations, discharges air from the fuel building.The FBVS is discussed in the UFSAR, Sections9.4.5 and15.4.5 (Refs.1 and2, respectively) because it may be used for normal, as well as post accident functions.APPLICABLE SAFETY ANALYSESThe FBVS design basis is established by the consequences of the limiting Design Basis Accident (DBA), which is a fuel handling accident involving handling recently irradiated fuel.
The analysis of the fuel handling accident, given in Reference2, assumes that all fuel rods in an assembly are damaged. The DBA analysis of the fuel handling accident assumes that the FBVS is functional with at l east one fan operating. The amount of fission products available for release from the fuel building is determined for a fuel handling accident. Due to radioactive decay, FBVS is only required to be OPERABLE during fuel handling accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100hours). These assumptions and the analysis follow the guidance provided in Regulatory Guide1.183 (Ref.3).The fuel handling accident analysis for the fuel building assumes all of the radioactive material available for release is discharged from the fuel building by the FBVS.The FBVS satisfies Criterion3 of the 10CFR 50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.7.15-2Revision 20 FBVSB 3.7.15BASESLCOThe FBVS is required to be OPERABLE and in operation. Total system failure could result in the atmospheric release from the fuel building exceeding the 10CFR50, AppendixA, GDC-19 (Ref.4) limits for
alternative source terms, in the even t of a fuel handling accident involving handling recently irradiated fuel.
The FBVS is considered OPERABLE when the individual components are OPERABLE. The FBVS is considered OPERABLE when at least one fan is OPERABLE and in operation, the a ssociated FBVS ductwork, valves,
and dampers are OPERABLE, and air ci rculation can be maintained. In addition, an OPERABLE FBVS must ma intain a pressure in the fuel building pressure envelope &#xa3;-0.125inch es water gauge with respect to atmospheric pressure.
The LCO is modified by a Note allo wing the fuel building boundary to be opened intermittently under administr ative controls. For entry and exit through doors the administrative contro l of the opening is performed by the person(s) entering or exiting the area.
For other openings, these controls consist of stationing a dedicated in dividual at the opening who is in continuous communication with the c ontrol room. This individual will have a method to rapidly close the ope ning when a need for fuel building isolation is indicated.APPLICABILITYDuring movement of recently irradiated fuel in the fuel handling area, the FBVS is required to be OPERABLE to al leviate the consequences of a fuel handling accident.ACTIONSLCO3.0.3 is not applicable while in MODE5 or6. However, since irradiated fuel assembly movement can occur in MODE1, 2, 3, or4, the ACTIONS have been modified by a Note stating that LCO3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE5 or6, LCO3.0.3 would not specify any act ion. If moving irradiated fuel assemblies while in MODE1, 2, 3, or4, the fuel movement is independent of reactor operations. Entering LCO3.0.3while in MODE1, 2, 3, or4, would require the unit to be shutdown unnecessarily.
FBVSB 3.7.15BASESNorth Anna Units 1 and 2B 3.7.15-3Revision 46ACTIONS(continued)
A.1When the FBVS is inoperable or not in operation during movement of recently irradiated fuel assemblies in the fuel building, action must be taken to place the unit in a condition in which the LCO does not apply. Action must be taken immediately to suspend movement of recently irradiated fuel assemblies in the fu el building. This does not preclude the movement of fuel to a safe position.SURVEILLANCE
REQUIREMENT
SSR3.7.15.1 This SR verifies the integrity of th e fuel building pressure envelope. The ability of the fuel building to maintain negative pressure with respect to potentially uncontaminated adjacent areas is periodically tested to verify proper function of the FBVS. The FBVS is designed to maintain a slight negative pressure in the fuel bui lding, to prevent unfiltered LEAKAGE.
The FBVS is designed to maintain a -0.125inches water gauge with respect to atmospheric pressure. The Surveillance Fre quency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.4.5.2.UFSAR, Section15.4.5.3.Regulatory Guide1.183, July2000.4.10CFR50, AppendixA, GDC-19.
Intentionally Blank North Anna Units 1 and 2B 3.7.16-1Revision 20Fuel Storage Pool Water Level B 3.7.16B 3.7  PLANT SYSTEMSB 3.7.16Fuel Storage Pool Water LevelBASESBACKGROUNDThe minimum water le vel in the fuel storage pool meets the assumptions of iodine decontamination factors foll owing a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides
shielding during the movement of spent fuel.
A general description of the fuel storage pool design is given in the UFSAR, Section9.1.2 (Ref.1). A desc ription of the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section9.1.3 (Ref.2). The assumptions of the fuel handling accident are given in the UFSAR, Section15.4.5 (Ref.3).APPLICABLE SAFETY ANALYSESThe minimum water level in the fuel storage pool meets the assumptions of the fuel handling accident described in Regulatory Guide1.183 (Ref.4). The resultant 2hour dose per person at the exclusion area boundary is within the Regulatory Guide1.183 limits.According to Reference4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface during a fuel handling accident. With 23ft of water, the assumptions of Reference4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the
fuel in the storage racks. In the case of a single bundle dropped and lying horizontally on top of the spent fuel racks, however, there may be <23ft of water above the top of the fuel bundl e and the surface, indicated by the width of the bundle. To offset this small nonconservatism, the analysis assumes that all fuel rods fail, alt hough analysis shows that only the first few rows fail from a hypothetical maximum drop.
The fuel storage pool water level satisfies Criteria 2 and3 of 10CFR50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.7.16-2Revision 46Fuel Storage Pool Water Level B 3.7.16BASESLCOThe fuel storage pool wate r level is required to be 23ft over the top of irradiated fuel assemblies seated in the storage racks. The specified water level preserves the assumptions of the fuel handling accident analysis (Ref.3). As such, it is the mini mum required for fuel storage and movement within the fuel storage pool.APPLICABILITYThis LCO applies during movement of irradiated fuel assemblies in the fuel storage pool, since the potential fo r a release of fissi on products exists.ACTIONSA.1Required ActionA.1 is modified by a Note indicating that LCO3.0.3 does not apply.When the initial conditions for prevention of an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended to a safe position. This action effectively precludes the
occurrence of a fuel handling accident
. This does not preclude movement of a fuel assembly to a safe position.
If moving irradiated fuel assemblies while in MODE5 or6, LCO3.0.3 would not specify any action.
If moving irradiated fu el assemblies while in MODES1, 2, 3, and4, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reas on to require a reactor shutdown.SURVEILLANCE
REQUIREMENT
SSR3.7.16.1This SR verifies sufficient fuel stor age pool water is available in the event of a fuel handling accident.
The water level in the fu el storage pool must be checked periodically. The Surveill ance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
(continued)
Fuel Storage Pool Water Level B 3.7.16BASESNorth Anna Units 1 and 2B 3.7.16-3Revision 20SURVEILLANCE REQUIREMENT
SSR3.7.16.1 (continued)
During refueling operations, the level in the fuel storage pool is in equilibrium with the refueling canal, and the level in the refueling canal is checked daily in accordance with SR3.9.7.1.REFERENCES1.UFSAR, Section9.1.2.2.UFSAR, Section9.1.3.3.UFSAR, Section15.4.5.
4.Regulatory Guide1.183, July2000.
Intentionally Blank North Anna Units 1 and 2B 3.7.17-1Revision 0Fuel Storage Pool Boron Concentration B 3.7.17B 3.7  PLANT SYSTEMSB 3.7.17Fuel Storage Pool Boron ConcentrationBASESBACKGROUNDThe water in the spent fuel storage pool contains soluble boron, which results in large subcriticality marg ins under normal ope rating conditions. However, the NRC guidelines assume ac cident conditions, such as loss of all soluble boron or misloading of a fuel assembly. In these cases, the subcriticality margin is allowed to be smaller, but in all cases must be less than 1.0. This subcriticality margin is maintained by storing the fuel
assemblies in the fuel storage pool in a geometry which li mits the reactivity of the fuel assemblies and by the use of soluble boron in the fuel storage pool water. The required geometry for fuel assembly storage in the fuel storage pool is described in LCO3.7.18, "Spent Fuel Pool Storage." The accident analyses assume the presen ce of soluble boron under accident conditions, such as the misloading of a fuel assembly into a location not allowed by LCO3.7.18, a loss of cooling to the fuel storage pool resulting in a temperature increase of the fuel storage pool water, or a dilution of the boron dissolved in the fuel storage pool.
A general description of the fuel storage pool design is given in the UFSAR, Section9.1.2 (Ref.1).APPLICABLE SAFETY ANALYSESCriticality of the fuel assemblies in the fuel storage pool racks is prevented by the design of the rack and by administrative controls related to fuel storage pool boron concentration, fuel assembly burnup credit, and fuel storage pool geometry (Ref.2). There are three basic acceptance criteria
which ensure conformance with the design bases (Ref.3). They are:a.keff <1.0 assuming no soluble boron in the fuel storage pool,b.A soluble boron concentration sufficient to ensure keff<0.95, andc.An additional amount of soluble boron sufficient to offset the maximum reactivity effects of postula ted accidents and to account for the uncertainty in the computed reactivity of fuel assemblies.APPLICABLE SAFETY ANALYSES(continued)The postulated accidents considered when determining the required fuel
storage pool boron concentr ation are the misloading of a fuel assembly, an increase in fuel storage pool temp erature, and boron dilution. Analyses have shown that the amount of boron required by the LCO is sufficient to ensure that the most limiting misloadi ng of a fuel assembly results in a keff<0.95. The boron concentration limit also accommodates decreases in water density due to temperature in creases in the fuel storage pool.
Analyses have also shown that there is sufficient time to detect and North Anna Units 1 and 2B 3.7.17-2Revision 0Fuel Storage Pool Boron Concentration B 3.7.17BASESmitigate a boron dilution event prior to exceeding the design basis of keff<0.95. The fuel storage pool analys es do not credit the Boraflex neutron absorbing material in the fuel storage pool racks.The concentration of dissolved boron in the fuel storage pool satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe fuel storage pool boron c oncentration is required to be 2600ppm.
The specified concentration of dissolved boron in the fuel storage pool
preserves the assumptions used in the analyses which take credit for soluble boron and for fuel loading restrictions based on fuel enrichment
and burnup. The fuel loading restrictions are described in LCO3.7.18. The fuel storage pool boron concentration limit, when combined with fuel burnup and geometry limits in LCO3.
7.18, ensures that the fuel storage pool keff meets the limits in Section4.3, "Design Features."APPLICABILITYThis LCO applies whenever fuel assemblies are stored in the spent fuel storage pool. The required boron concentration ensures that the keff limits in Section4.3 are met when fuel is stored in the fuel storage pool.ACTIONSA.1 andA.2 The Required Actions are modified by a Note indicating that LCO3.0.3 does not apply.
When the concentration of boron in the fuel storage pool is less than required, immediate action must be taken to preclude the occurrence of an accident or to mitigate the consequences of an accide nt in progress. This is most efficiently achieved by im mediately suspending the movement (continued)ACTIONSA.1 andA.2 (continued)of fuel assemblies. The concentration of boron is restored simultaneously with suspending movement of fuel assemblies. Prior to resuming movement of fuel assemblies, the con centration of boron must be restored
to within limit. This does not preclude movement of a fuel assembly to a safe position.If the LCO is not met while moving irradiated fuel assemblies in MODE5 or6, LCO3.0.3 would not be applicab le. If moving irradiated fuel assemblies while in MODE1, 2, 3, or4, the fuel movement is independent of reactor operation. Therefore, inabili ty to suspend movement of fuel assemblies is not sufficient reas on to require a reactor shutdown.
Fuel Storage Pool Boron Concentration B 3.7.17BASESNorth Anna Units 1 and 2B 3.7.17-3Revision 46SURVEILLANCE REQUIREMENT
SSR3.7.17.1 This SR verifies that th e concentration of boron in the fuel storage pool is within the required limit. As long as this SR is met, the analyzed accidents are fully addressed. Th e Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.1.2.2.UFSAR, Section4.3.2.7.3.UFSAR, Section3.1.53.
Intentionally Blank North Anna Units 1 and 2B 3.7.18-1Revision 0Spent Fuel Pool Storage B 3.7.18B 3.8  PLANT SYSTEMSB 3.7.18Spent Fuel Pool StorageBASESBACKGROUNDThe fuel storage pool contains racks which hold the fuel assemblies. The arrangement of the fuel assemblies in th e fuel racks can be used to limit the interaction of the fuel assemblies and the resulting reactivity of the fuel in the fuel storage pool. The geometrical arrangement is based on classifying fuel assemblies as "high reactivity" or "low reactivity" based on the burnup and initial enrichment of the fuel assemblies. A 5x5 fuel location matrix is employed with acceptable locations for high and low reactivity fuel assemblies. Fuel assemblies may also be stored in fu el locations not associated with a storage matrix if the assemblies meet certain requirements.Storing the fuel assemblies in the locations required by the LCO ensures a fuel storage pool keff<1.0 for normal conditions. In addition, the water in the spent fuel storage pool contains soluble boron, which results in large subcriticality margins under normal operating conditions. However, the NRC guidelines assume accident conditi ons, such as loss of all soluble boron or misloading of a fuel assembly. In these cases, the subcriticality margin is allowed to be smaller, but in all cases must be less than 1.0. This subcriticality margin is maintained by storing the fuel assemblies as described in the LCO and by the use of soluble boron in the fuel storage pool water as required by LCO3.7.17, "Fuel Storage Pool Boron
Concentration." The accident analyses assume the presence of soluble boron under accident conditions, such as the misloading of a fuel assembly into a location not allowed by LCO3.7
.18, a loss of cooling to the fuel storage pool resulting in a temperatur e increase of the fuel storage pool water, or a dilution of the boron di ssolved in the fuel storage pool.
A general description of the fuel storage pool design is given in the UFSAR, Section9.1.2 (Ref.1).APPLICABLE SAFETY ANALYSESCriticality of the fuel assemblies in the fuel storage pool racks is prevented by the design of the rack and by administrative controls related to fuel storage pool boron concentration, fuel assembly burnup credit, and fuel
storage(continued)
North Anna Units 1 and 2B 3.7.18-2Revision 0Spent Fuel Pool Storage B 3.7.18BASESAPPLICABLE SAFETY ANALYSES(continued)pool geometry (Ref.2). There are th ree basic acceptance criteria which ensure conformance with the design bases (Ref.3). They are:a.keff<1.0 assuming no soluble boron in the fuel storage pool,b.A soluble boron concentration sufficient to ensure keff<0.95, andc.An additional amount of soluble boron sufficient to offset the maximum reactivity effects of postula ted accidents and to account for the uncertainty in the computed reactivity of fuel assemblies.The postulated accidents considered wh en determining the required fuel storage pool arrangement and minimum boron concentration are the misloading of a fuel assembly, an incr ease in fuel storage pool temperature, and boron dilution. Analyses have show n that a combination of the fuel storage pool geometric arrangement and the amount of boron required by the LCO is sufficient to ensure that the most limiting misloading of a fuel
assembly results in a keff<0.95.The configuration of fuel assemblies in the fuel storage pool satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe restrictions on the placement of fuel assemblies within the spent fuel pool, in accordance with Figures3.7.18-1 and3.7.18-2, in the accompanying LCO, ensures the keff of the spent fuel storage pool will always remain <1.0. Figure3.7.18-1 is used to determine if a fuel assembly is acceptable for storage with out use of a fuel assembly matrix.
Based on the initial enrich ment and burnup, a fuel a ssembly may be stored without using a fuel assembly matrix, or must be stored in a high or low reactivity location of a fuel assembly matrix. Figure3.7.18-2 describes the fuel assembly matrix storage confi guration. These stor age restrictions, when combined with the fuel storage pool boron concentration limit in LCO3.7.17, ensure that the fuel storage pool keff meets the limits in Section4.3, "Design Features."APPLICABILITYThis LCO applies whenever any fuel assembly is stored in the fuel storage pool.
Spent Fuel Pool Storage B 3.7.18BASESNorth Anna Units 1 and 2B 3.7.18-3Revision 0ACTIONSA.1Required ActionA.1 is modified by a Note indicating that LCO3.0.3 does not apply.
When the configuration of fuel assemblies stored in the spent fuel storage pool is not in accordance with Figure3.7.18-1 and Figure3.7.18-2, the immediate action is to initiate action to make the necessary fuel assembly movement(s) to bring the configuration into compliance with the LCO.
If unable to move irradiated fuel assemblies while in MODE5 or6, LCO3.0.3 would not be applicable. If unable to move irradiated fuel assemblies while in MODE1, 2, 3, or4, the action is independent of reactor operation. Therefore, inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.SURVEILLANCE
REQUIREMENT
SSR3.7.18.1 This SR verifies by a combination of visual inspection and administrative means that the initial enrichment and burnup of the fuel assembly is in accordance with Figure3.7.18-1 and the fu el assembly storage location is in accordance with Figure3.7.18-2.REFERENCES1.UFSAR, Section9.1.2.2.UFSAR, Section4.3.2.7.3.UFSAR, Section3.1.53.
Intentionally Blank North Anna Units 1 and 2B 3.7.19-1Revision 0CC System B 3.7.19B 3.7  PLANT SYSTEMSB 3.7.19Component Cooling Water (CC) SystemBASESBACKGROUNDThe CCSystem provides a heat sink for the removal of process and operating heat from components during normal operation. The CCSystem serves as a barrier to the releas e of radioactive byproducts between potentially radioactive systems and the Service Water Syst em, and thus to the environment.The CCSystem consists of four subsystems shared between units. Each subsystem consists of one pump and one heat exchanger. The design basis of the CCSystem is a fast cooldown of one unit while maintaining normal
loads on the other unit. Three CC subsystems are required to accomplish this function. With only two CC subsyste ms available, a slow cooldown of one unit while maintaining normal loads on the other unit can be
accomplished. The removal of norma l operating heat loads (including common systems) requires two CC s ubsystems. During normal operation, the CC subsystems are cross connected between the units with two CC pumps and four CC heat exchangers in operation. Two pumps are normally running, with the other two in standby. A vented surge tank common to all four pumps ensures that sufficient net positive suction head is available.The CCSystem serves no accident mitigation function and is not a system which functions to mitigate the failur e of or presents a challenge to the integrity of a fission product barrier. The CCSystem is not designed to withstand a single failure. The CC System supports the Residual Heat Removal (RHR) System. The RHR syst em does not perform a design basis accident mitigation function.
Additional information on the design and operation of the system, along with a list of the components serv ed, is presented in the UFSAR, Section9.2.2 (Ref.1). The principal function of the CCSystem is the removal of decay heat from the reactor via the Residual Heat Removal (RHR) System.
North Anna Units 1 and 2B 3.7.19-2Revision 0CC System B 3.7.19BASESAPPLICABLE SAFETY ANALYSESThe CCSystem serves no accident mitigation function. The CCSystem
functions to cool the unit from RHR entry conditions (T cold <350F), to Tcold <140F. The time required to cool from 350F to 140F is a function of the number of CC and RHR trains operating. The CCSystem is
designed to reduce the temperature of the reactor coolant from 350&deg;F to 140&deg;F within 16hours based on a serv ice water temperature of 95&deg;F and having two CC subsystems in service for the unit being cooled down.The CCSystem has been identified in the probabilistic safety assessment as significant to public health and safety. The CCSystem satisfies Criterion4 of 10CFR 50.36(c)(2)(ii).
LCOShould the need arise to cooldown one unit quickly while the other unit is operating, three CC subsyste ms would be needed -
two to support the quick cooldown of one unit and one to support the normal heat loads of the operating unit. To ensure this function can be performed a total of three CC subsystems shared with the other unit are required to be OPERABLE.
A CC subsystem is considered OPERABLE when:
a.The pump and common surge tank are OPERABLE; andb.The associated piping, valves, heat exchanger, and instrumentation and controls required to perform the function are OPERABLE.Each CC subsystem is considered OPERABLE if it is operat ing or if it can be placed in service from a sta ndby condition by manually unisolating a standby heat exchanger and/or manually starting a standby pump.APPLICABILITYIn MODES1, 2, 3, and4, the CCSystem is a normally operating system. In MODE4 the CCSystem must be pr epared to perform its RCS heat removal function, which is achieved by cooling the RHR heat exchanger.In MODE5 or6, the OPERABILITY requirements of the CCSystem are determined by the systems it supports.
CC System B 3.7.19BASESNorth Anna Units 1 and 2B 3.7.19-3Revision 0ACTIONSA.1 If one required CC subsystem is inopera ble, action must be taken to restore OPERABLE status within 7days.
In this Condition, the remaining OPERABLE CC subsystems are adequate to perform the heat removal function. The 7day Completion Time is reasonable, based on the redundant capabilities afforded by the OPERABLE subsystems.B.1 andB.2If the required CC subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours and in MODE5 within 30hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.C.1 andC.2If two required CC subsystems are inoperable, action must be taken to cool the unit to MODE4 within 12hours. Action must be initiated to place the unit in MODE5, where the LCO does not apply, within 13hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power c onditions in an orderly manner and without challenging unit systems.D.1 andD.2With no CC water available to suppl y the residual heat removal heat exchangers, action must be taken to cool the unit to MODE4 within 12hours. Alternate means to cool the unit must be found and the unit placed in MODE5, where the LCO does not apply. The allowed Completion Times are reasonable, base d on operating experience, to reach the required unit conditions from full power conditions in an orderly
manner and without challenging unit systems.
North Anna Units 1 and 2B 3.7.19-4Revision 46CC System B 3.7.19BASESSURVEILLANCE REQUIREMENT
SSR3.7.19.1Verifying the correct alignment for manual, power operated, and automatic valves in the CC flow path to the RHR heat exchangers provides assurance that the proper flow paths exist for CC operation. This SR does not apply to valves that are locked, sealed, or ot herwise secured in position, since these valves are verified to be in the corr ect position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather
, it involves verification that those valves capable of being misposit ioned are in the correct position.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.2.2.
North Anna Units 1 and 2B 3.8.1-1Revision 18 AC Sources-Operating B 3.8.1B 3.8ELECTRICAL POWER SYSTEMSB 3.8.1AC Sources-OperatingBASESBACKGROUNDThe unit Class1E AC Electrical Power Distribution System AC sources consist of offsite (preferred) power (via normal and alternate feeds), the Alternate AC (AAC) diesel, and the onsite standby power sources (TrainA(H) and TrainB(J) emergency diesel generators (EDGs)). As required by GDC17 (Ref.1), the design of the preferred AC electrical power system provides independence and redundancy to ensure an acceptable (i.e., qualified) source of power to the Engineered Safety Feature (ESF) systems.Additionally, the unit's electrical sour ces must include electrical sources from the other unit that are required to support the Service Water (SW), Main Control Room (MCR)/Emergen cy Switchgear Room (ESGR) Emergency Ventilation System (EVS),
Auxiliary Building central exhaust system, or Component Cooling Wate r (CC) safety functions. This requirement could include both of the other unit's offsite circuits and EDGs for this unit.
The onsite Class1E AC Dist ribution System is divi ded into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from bei ng performed. Each train, for a given unit, must have a connection to a qualified offsite (preferred) power source and a dedicated EDG. Also, for each unit, the two qualified offsite sources must be independent of each other. A minimum of two independent qualified offsite sources connecting the 230/500kV switchyard to each unit's ESF (emergency) buses is required. Since the Unit1 and2 offsite
sources may be shared, a minimum of two sources are required for the station. To be considered independent, a qualified offsite source must be both electrically and physically separated from other offsite sources. This independence must be maintained during possible automatic switching operations such as is initiated following a Unit2 trip when ESF bus1J is connected to the station service bus2B. In this situation, ESF bus1J is transferred to reserve station service transformer (RSST)B.
(continued)
North Anna Units 1 and 2B 3.8.1-2Revision 18 AC Sources-Operating B 3.8.1BASESBACKGROUND (continued)The 230/500kV switchyard, which is an integral part of the transmission network, is the source of offsite (preferred) power to the station Class1E electrical system. From the 230/500kV switchyard, five electrically and physically separated circuits are available to provide AC power, through either the system reserve transformers (SRTs) and RSSTs or the station service transformers (SSTs), to the 4.16kV ESF buses. A detailed description of the offsite power network and the circuits to the Class1E ESF buses is found in the UFSAR, Chapter8 (Ref.2).An offsite circuit consists of al l breakers, transformers, switches, interrupting devices, cabling, and contro ls required to transmit power from the offsite transmission network to the onsite Class1E ESF bus(es). Each one is "qualified" via anal ysis to show that they meet the requirements of GDc17.
Certain required unit loads are energi zed in a predetermined sequence in order to prevent overloading the transformers supplying offsite power to the onsite Class1E Distribution Syst em. After the initiating signal is received, permanently connected load s and all automatically connected loads, via the load sequencing timing re lays, needed to recover the unit or maintain it in a safe condition are energized.
The onsite standby power source for each 4.16kV ESF bus is a dedicated EDG. EDGsH andJ are dedicated to ESF busesH andJ, respectively. An EDG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure or high containment pressure signals) or on an ESF
bus degraded voltage or undervoltage signal (refer to LCO3.3.5, "Loss of Power (LOP) Emergency Diesel Generator (EDG) Start Instrumentation"). After the EDG has started, it will automatically tie to its respective bus after offsite power is isolated as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. The EDGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal or a moment ary undervoltage condition. Following the loss of offsite power, an undervol tage signal strips nonpermanent loads from the ESF bus. When the EDG is tied to the ESF bus, loads are then
sequentially connected to their re spective ESF bus by the sequencing timing relays. The specific ESF equipment's sequencing timer controls the permissive and starting signals to motor breakers to prevent overloading the EDG by automatic load application.
(continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-3Revision 18BACKGROUND (continued)
In the event of a loss of preferred (offsite) power, the ESF electrical loads are automatically connected to the EDGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA) without overloading the EDGs.Ratings for TrainH and TrainJ EDGs satisfy the require ments of Safety Guide9 (Ref.3). The continuous service rating of each EDG is 2750kW with 3000kW allowable for up to 2000hours per year. The ESF loads that are powered from the 4.16kV ESF buses are listed in Reference2.APPLICABLE SAFETY ANALYSESThe initial conditions of DBA and transient analyses in the UFSAR, Chapter6 (Ref.4) and Chapter15 (Ref.5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the
availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.
These limits are discusse d in more detail in the Bases for Section3.2, Power Distribution Limits; Section3.4,Reactor Coolant System (RCS);
and Section3.6, Containment Systems.The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accide nt analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during accident conditions in the event of:
a.An assumed loss of all offsite power or all onsite AC power; andb.A worst case single failure.
The AC sources satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOA minimum of two qualified offsite circuits between the 230/500kV switchyard and the onsite Class1E Electrical Power System and two separate and independent EDGs for supplying the redundant trains for each unit ensure (continued)
North Anna Units 1 and 2B 3.8.1-4Revision 21 AC Sources-Operating B 3.8.1BASESLCO(continued)availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.Qualified offsite circuits include the two 500-34.5kV transformers and one 230-34.5kV transformers (collectively referred to as the SRTs) that feed three independent 34.5kV buses which supply the RSSTs. In addition, there are two 500kV lines from the switchyard to the Unit1 and Unit2 generator step-up transformers and SST
: s. These circuits are described in the UFSAR and are part of th e licensing basis for the unit.In addition, the required automatic load sequencing timing relays must be OPERABLE. A "required" load sequen cing timing relay is one whose host component is capable of automatically loading onto an emergency bus.Each independent qualified offsite s ource must be capable of maintaining rated frequency and voltage, and accepting required loads during an
accident, while connected to the ESF buses.Normally, the qualified offsite sources for the Unit1 and2 ESF buses are from the 34.5kV buses3, 4, and5 which supply the RSSTs which feed the transfer buses. RSSTsA andB may be fed from the same 34.5kV bus, but RSSTC must be fed from a different 34.5kV bus than RSSTA and RSSTB. The D, E, andF transfer bus es supply the onsite electrical power to the four ESF buses for the two units. In addition to the normal alignment, the D andE transfer buses can be tied together via the 4160V bus0L installed as part of the AAC modifications.ESF bus1H is normally fed through the Ftransfer bus from RSSTC. ESF bus1J is normally fed through the Dtransfer bus from RSSTA. Station service bus1B can provide an alternate preferred feed for the ESF 1Hbus, while the ESF 1J has an alternate pr eferred feed from station service bus2B. ESF bus2H is normally fed through the Etransfer bus from RSSTB. In addition, ESF bus2H can also be fed through E transfer bus from RSSTA with breakers05L1 and05L3 on AAC bus0L closed. ESF bus2J is normally fed through the Ftransfer bus from RSSTC.
(continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-5Revision 38 LCO(continued)The two 500kV lines connecting each unit's main step-up and SSTs with the switchyard are the remaining qualified sources of offsite (preferred) power that are available to power ESF buses. For Unit1, this source is
normally available followi ng a unit trip since there is an installed main generator breaker. Therefore, station service bus1B, which provides the
alternate preferred feed to the 1H ESF bus, normally will not be affected.
For Unit2, where there is no installed main generator breaker, station service bus2B, which provides the alternate preferred feed to ESF bus1J, will automatically transfer to RSSTB following a unit trip.Each EDG must be capable of starting, accelerating to rated speed and
voltage, and connecting to its resp ective ESF bus on detection of bus undervoltage or degraded voltage.
This will be accom plished within 10seconds. Each EDG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as EDG in standby with the engine hot and EDG in standby with the engine at ambient conditions. Additional EDG capabilities must be demonstrated to meet required Surveillances.
Proper sequencing of loads is a required function for EDG OPERABILITY.In the event of a loss of offsite (preferred) power supply to the emergency bus, the EDG will auto start and re-energize its associated bus. In this configuration the EDG will become i noperable due to the defeat of load sequencing timers. Upon completion of guidance in abnormal procedures for reconfiguration of the affected el ectrical bus to control loads, TS 3.8.1 Condition K may be exited as seque ncing timing relays are no longer required as long as the associated emergency bus is not subsequently paralleled to another bus. The diesel can be considered operable which would allow exiting TS 3.8.1 Conditions B and H and remaining in TS 3.8.1 Condition A.The other unit's offsite circuit(s) and EDG(s) are required to be OPERABLE to support the SW, MCR/
ESGR EVS, Auxiliary Building central exhaust, and CC functions ne eded for this unit. These functions share components, pump or fans, whic h are electrically powered from both units.(continued)
North Anna Units 1 and 2B 3.8.1-6Revision 38 AC Sources-Operating B 3.8.1BASESLCO(continued)The AC sources in one train must be separate and i ndependent (to the extent possible) of the AC sources in the other train. For the EDGs, separation and indepe ndence are complete.For the offsite AC sources, separati on and independence are to the extent practical.APPLICABILITYThe AC sources and sequencing timing relays are required to be OPERABLE in MODES1, 2, 3, and4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; andb.Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.The AC power requirements for MODES5 and6 are covered in LCO3.8.2, "AC Sources-Shutdown."ACTIONSA.1To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to veri fy the OPERABILITY of the remaining required offsite circuit(s) on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR3.8.1.1 acceptance criteria
does not result in a Required Action not met. However, if a second required circuit fails SR3.8.1.1, the second offs ite circuit is inoperable, and ConditionG, for two offsite circ uits inoperable, is entered.
A.2Required ActionA.2, which only applie s if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated EDG will not result in a complete loss of safety function of critical redundant required features.
These features are powered from the redundant AC electrical power trains.
(continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-7Revision 38ACTIONSA.2 (continued)The Completion Time for Required ActionA.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"
for beginning the allowed outage time "c lock." In this Required Action, the Completion Time only begins on discovery that both:a.The train has no offsite power supplying its loads; andb.A required feature on the other train is inoperable.
If at any time during the existence of ConditionA (one offsite circuit inoperable) a redundant required featur e subsequently becomes inoperable, this Completion Time begins to be tracked.Discovering no offsite power to one train of the onsite Class1E Electrical Power Distribution System coincide nt with one or more inoperable required support or supported features, or both, that ar e associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time fo r restoration before subjecting the unit to transients asso ciated with shutdown.The remaining OPERABLE offsite circ uit and EDGs are adequate to supply electrical power to TrainH and TrainJ of the onsite Class1E Distribution System. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
A.3According to Regulatory Guide1.93 (Ref.6), operation may continue in ConditionA for a period that should not exceed 72hours. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE (continued)
North Anna Units 1 and 2B 3.8.1-8Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSA.3 (continued)offsite circuit and EDGs are adequate to supply electrical power to the onsite Class1E Distribution System.The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources
, a reasonable time for repairs, and the low probability of a DBA occurring during this period.The second Completion Time for Required ActionA.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If ConditionA is en tered while, for instance, an EDG is inoperable and that EDG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14days. This could lead to a total of 17days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, an EDG could again become inoperable, the circuit restored OPERABLE, and an additional 14days (for a total of 31days) allowed prior to complete restorati on of the LCO. The 17 day Completion Time provides a limit on the time al lowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which ConditionsA andB are entered concurrently. The "AND" connector between the 72hour and 17day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.As in Required ActionA.2, the Completion Time allows for an exception to the normal "time zero" for beginni ng the allowed outage time "clock." This will result in establishing the "t ime zero" at the time that the LCO was initially not met, instead of at the time ConditionA was entered.
B.1Condition B is entered for an inoperable EDG and requires the OPERABILITY of additional electrical sources for the allowed Completion Time of 14 days. The addi tional electrical s ources required to be OPERABLE are the AAC diesel generator (DG) (Station Black Out
diesel generator), and both EDGs of the other unit. If any of these
additional sources are (continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-9Revision 38ACTIONSB.1 (continued) inoperable at the time an EDG become s inoperable, or become inoperable with an EDG in Condition B, Condition C must also be entered for the inoperable EDG.To ensure a highly reliab le power source remains with an inoperable EDG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR3.8.1.1 accepta nce criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and
Required Actions must then be entered.
B.2Required ActionB.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG is inoperable, does not result in a
complete loss of safety function of critical systems. These features are designed with redundant safety related trains. Redundant required feature
failures consist of inoperable features associated with a train, redundant to the train that has an inoperable EDG.The Completion Time for Required ActionB.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"
for beginning the allowed outage time "c lock." In this Required Action, the Completion Time only begins on discovery that both:a.An inoperable EDG exists; andb.A required feature on the other train (TrainH or TrainJ) is inoperable.
If at any time during the existence of this Condition (one EDG inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.
Discovering one required EDG inoperabl e coincident with one or more inoperable required support or suppor ted features, or both, that are associated with the OPERABLE EDG, results (continued)
North Anna Units 1 and 2B 3.8.1-10 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSB.2 (continued)in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time fo r restoration before subjecting the unit to transients asso ciated with shutdown.
In this Condition, the remaining OPERABLE EDG and offsite circuits are adequate to supply elect rical power to the onsite Class1E Distribution System. Thus, on a component basis, single failure protection for the
required feature's function may have been lost; however, function has not been lost. The 4hour Completion Time takes into account the OPERABILITY of the redundant counter part to the inoperable required feature. Additionally, the 4hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
B.3.1 and B.3.2Required ActionB.3.1 provides an allowance to avoid unnecessary testing of the OPERABLE EDG. If it can be determined that the cause of the inoperable EDG does not exist on the OPERABLE EDG, SR3.8.1.2 does not have to be performed. If the cause of inoperability exists on the other EDG, the other EDG would be decl ared inoperable up on discovery and ConditionI of LCO3.8.1 would be ente red. Once the failure is repaired, the common cause failure no longer exists, and Required ActionB.3.1 is satisfied. If the cause of the initial inoperable EDG cannot be confirmed not to exist on the remaining EDG, performance of SR3.8.1.2 suffices to
provide assurance of continued OPERABILITY of that EDG.In the event the inoperable EDG is restored to OPERABLE status prior to
completing either B.3.1 or B.3.2, the pl ant corrective action program will continue to evaluate the common cause possibility, in cluding the other unit's EDGs. This continued evaluation, however, is no longer under the 24hour constraint imposed while in Condition B.According to Generic Letter84-15 (Ref.7), 24hours is reasonable to confirm that the OPERABLE EDG is not affected by the same problem as the inoperable EDG.
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-11Revision 38ACTIONS(continued)
B.4In ConditionB, the remaining OPERABLE EDG, offsite circuits, AAC DG, and the other unit's E DGs are adequate to suppl y electrical power to the onsite Class1E Distribution System. The 14day Completion Time takes into account the capac ity and capability of th e remaining AC sources, a reasonable time for repairs, and th e low probability of a DBA occurring during this period.The second Completion Time for Required ActionB.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any si ngle contiguous occurr ence of failing to meet the LCO. If ConditionB is entered while, for instance, an offsite circuit is inoperable and that circuit is subseque ntly restored OPERABLE, the LCO may already have been not met for up to 72hours. This could lead to a total of 17days, since initial failure to meet the LCO, to restore the EDG. At this time, an offsite circuit could again become inoperable, the
EDG restored OPERABLE, and an additional 72hours (for a total of 20days) allowed prior to complete restoration of the LCO. The 17day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which ConditionsA andB are entered concurrently. The "AND" connector between the 14day and 17day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.As in Required ActionB.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time ConditionB was entered.
C.1 and C.2To ensure a highly reliable electrical power source remains available when one EDG is inoperable, ConditionC is established to monitor the OPERABILITY of the AAC DG and the other unit's EDGs. ConditionB is entered any time an EDG becomes i noperable and the Required Actions and Completion Times are followed. Concurrently, if the AAC DG or one or more of the other unit's EDG(s) is inoperable, or become (continued)
North Anna Units 1 and 2B 3.8.1-12 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSC.1 and C.2 (continued) inoperable, in addition to the Required Actions of ConditionB, Required ActionsC.1 andC.2 limit the time th e EDG may be out of service to 72hours. If the AAC DG or the other un it's EDG(s) is inoperable when the EDG becomes inoperable, the allowed outage time (AOT) is limited to 72hours, unless the AAC DG and the other unit's EDG(s) are returned to OPERABLE status. If during the 72hour Completion Time ofC.1 orC.2,
the AAC DG and the other unit's EDG(s) are returned to OPERABLE status, ConditionC is exited and AOT is restricted by the Completion Time tracked in ConditionB. If the AAC DG or one or more of the other unit's EDG(s) becomes inoperable at sometime after the initial EDG inoperability, ConditionC requires the restoration of the EDG or the AAC DG and the other unit's EDG(s) within 72hours or ConditionL is required to be entered.The 72hour Completion Time is considered reasonable and takes into account the assumption in the probabilistic safety analysis (PSA) for potential core damage frequency.D.1, D.2, andD.3ConditionD is modified by a Note indi cating that separate Condition entry is allowed for each offsite circuit on th e other unit that provides electrical power to required shared components.To provide the necessary electrical power for the SW, MCR/ESGR EVS, Auxiliary Building central exhaust, and CC functions for a unit, AC electrical sources of both units ma y be required to be OPERABLE. ActionD is entered for one or more inoperable offsite circuit(s) on the other unit that is necessary to support required shared components. These shared components are the SW pump(s), MCR/ESGR EVS fan(s),
Auxiliary Building central exhaus t fan(s), and CC pumps. Required ActionD.1 verifies the OPERABILITY of the remaining required offsite
sources within an hour of the inoperability and every 8hours thereafter.
Since the Required Action only specifi es "perform," a failure of the SR3.8.1.1 acceptance criteria does not result in a Required Action not met.
(continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-13Revision 38ACTIONSD.1, D.2, andD.3 (continued)The Completion Time for Required ActionD.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"
for beginning the allowed outage time "c lock." In this Required Action, the Completion Time only begins on discovery that both:a.The required shared component has no offsite power; andb.A required shared component(s) in the same system is inoperable.
If at any time during the existence of ConditionD (one offsite circuit inoperable on the other unit needed to supply electrical power for a required shared component) another required shared component in the same system subsequently becomes inoperable, this Completion Time begins to be tracked.Discovering no offsite power on the ot her unit that supports a required shared component and an additional required shared component in the same system inoperable, results in starting the Completion Times for the Required Action.Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.
The remaining OPERABLE offsite circ uits and EDGs that power the required shared components are adequate to support the SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and CC functions. The 24hour Completion Time takes into account the component OPERABILITY of the remaining shared component(s), a reasonable time for repairs, and the low probability of a DBA occurring during this period.
Operation may continue in Condition D for a period of 72hours. With one offsite circuit inoperable on the othe r unit supplying electrical power to a required shared component, the reliability of the SW, MCR/ESGR EVS, Auxiliary Building central exhaust syst em, and CC functi ons are degraded. The potential for the loss of offsite power to the other required shared
components is increased, w ith the attendant potential for a challenge to SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and CC
functions.
(continued)
North Anna Units 1 and 2B 3.8.1-14 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSD.1, D.2, andD.3 (continued)The required offsite circuit must be returned to OPERABLE status within 72hours, or the support function for th e associated shared component is considered inoperable. At that time, the required shared component must be declared inoperable and the appropriate Conditions of the LCO3.7.8, "Service Water System," LCO3.7.10, "MCR/ESGR Emergency Ventilation System," LCO3.7.12, "Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System," and LCO3.7.19, "Component Cooling Water (CC) System," must be entered. The 72hour Completion Time takes into account the capacity and capability of the
remaining AC sources providing electri cal power to the required shared components, a reasonable time for repa irs and the low probability of a DBA occurring during this period of time.
E.1, E.2, and E.3To ensure a highly reliable power sour ce remains with an inoperable EDG, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Requi red Action only specifies "perform," a failure of SR3.8.1.1 accepta nce criteria does not result in a Required Action being not met. Required Action E.1 verifies the OPERABILITY of the required offsite sources within an hour of the inoperability and every 8hours thereafter. However, if a circuit fails to pass SR3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and
Required Actions must be entered.Required ActionE.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG is inoperable, does not result in a complete loss of the SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, or CC functions.
The Completion Time for Required ActionE.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "c lock." In this Required Action, the Completion Time only begins on discovery that both:a.The required shared component with an inoperable EDG; andb.A required shared component(s) in the same system is inoperable.
(continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-15Revision 38ACTIONSE.1, E.2, and E.3 (continued)
If at any time during the existence of Condition E (one EDG inoperable on the other unit needed to supply elec trical power for a required shared component) another required shared component subsequently becomes inoperable, this Completion Ti me begins to be tracked.
Discovering an EDG on the other unit that supports a required shared component and an additional require d shared component inoperable, results in starting the Completion Times for the Required Action. Four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.The remaining OPERABLE offsite circ uits and EDGs that power the required shared components are adequate to support the SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, or CC functions. The 4hour Completion T ime takes into account the component OPERABILITY of the remaining shar ed components, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
Operation may continue in ConditionE for a period of 14days. With one EDG inoperable on the other unit supplyi ng electrical power to a required shared component, the reliability of the respective Function is degraded.
The potential for the loss of EDGs to the other required shared components is increased, with the attendant potential for a challenge to respective
Function.
The required EDG must be returned to OPERABLE status within 14days, or the support function for the associat ed shared component is considered inoperable. At that time, the required shared component must be declared inoperable and the appropriate Conditions of the LCOs3.7.8, 3.7.10, 3.7.12, and3.7.19 must be entered. The 14day Completion Time takes into account the capacity and capability of the remaining AC sources providing electrical power to the required shared components, a reasonable time for repairs and the low probability of a DBA occurring during this period of time.
North Anna Units 1 and 2B 3.8.1-16 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONS(continued)
F.1 and F.2To ensure a highly reliable electrical power source remains available when one EDG is inoperable that is re quired to support a required shared component on the other unit, Condition F is established to monitor the OPERABILITY of the AAC DG and the LCO3.8.1.b EDGs. ConditionF is entered any time an EDG that is required to support a required shared component that receives its electrical power from the other unit becomes inoperable and the Required Actions and Completion Times are followed. Concurrently, if the AAC DG or one or more of this unit's EDG(s) is inoperable, or become inoperable, in addition to the Required Actions of ConditionE, Required ActionsF.1 andF.2 limit the time the EDG may be out of service to 72hours. If the AAC DG or this unit's EDG(s) is inoperable when the other unit's ED G becomes inoperable, the AOT is limited to 72hours, unless the AAC DG a nd this unit's EDG(s) are returned to OPERABLE status. If during the 72hour Completion Time of F.1 orF.2, the AAC DG and this unit's EDG are return to OPERABLE status, ConditionF is exited and AOT is restricted by the Completion Time tracked in ConditionE. If the AAC DG or one or more of this unit's EDG(s) becomes inoperable at sometime after the initial EDG inoperability, ConditionF re quires the restoration of the AAC DG and this unit's EDG(s) within 72hours or the supported shared component must be declared inoperable and LCOs3.7.8, 3.7.10, 3.7.12, and3.7.19 provides
the appropriate restrictions.The 72hour Completion Time is considered reasonable and takes into account the assumption in the probabilistic safety analysis (PSA) for potential core damage frequency.
G.1 and G.2Required ActionG.1, which applies when two offsite circuits are inoperable, is intended to provide assura nce that an event with a coincident single failure will not result in a complete lo ss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12hours from that allowed for one train without offsite power (Required ActionA.2).
The rationale for the reduction to 12hours is that Regulatory Guide1.93 (Ref.6) allows a Completion Time of 24hours for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE.
(continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-17Revision 38ACTIONSG.1 and G.2 (continued)
When a concurrent redundant require d feature failure exists, this assumption is not the case, and a shorter Completion Time of 12hours is appropriate. These features are power ed from redundant AC safety trains.The Completion Time for Required ActionG.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"
for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:a.All required offsite circuits are inoperable; andb.A required feature is inoperable.
If at any time during the existence of ConditionG (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.According to Regulatory Guide1.93 (Ref.6), operation may continue in ConditionG for a period that should not exceed 24 hours. This level of degradation means that the offsite el ectrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sour ces have not been degraded. This level of degradation generally co rresponds to a total loss of the immediately accessible offsite power sources.
Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more EDGs inoperable.
However, two factors tend to decrea se the severity of this level of degradation:a.The configuration of the redundant AC electri cal power system that remains available is not susceptible to a single bus or switching failure; andb.The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.
(continued)
North Anna Units 1 and 2B 3.8.1-18 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSG.1 and G.2 (continued)With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain th e unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case singl e failure were postulated as a part of the design basis in the safety analysis. Thus, the 24hour Completion Time provides a period of time to eff ect restoration of one of the offsite circuits commensurate with the importa nce of maintaining an AC electrical power system capable of m eeting its design criteria.According to Reference6, with the available offsite AC sources, two less than required by the LCO, operation may continue for 24hours. If two offsite sources are restored within 24hours, unrestricted operation may continue. If only one offsite source is restored within 24hours, power operation continues in accordance with ConditionA.
H.1 and H.2Pursuant to LCO3.0.6, the Distributi on System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of ConditionH are modified by a Note to indicate that when ConditionH is entered with no
AC source to any train, the C onditions and Required Actions for LCO3.8.9, "Distribution Systems-Op erating," must be immediately entered. This allows ConditionH to provide requirements for the loss of one offsite circuit and one EDG, wit hout regard to whether a train is de-energized. LCO3.8.9 provides the appropriate restrictions for a de-energized train.According to Regulatory Guide1.93 (Ref.6), operation may continue in ConditionH for a period that should not exceed 12hours.In ConditionH, individual redundancy is lost in both the offsite electrical power system and the onsite AC el ectrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the pow er systems in this Condition may appear higher than that in ConditionG (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a (continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-19Revision 38ACTIONSH.1 and H.2 (continued) single bus or switching failure. The 12hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
I.1With TrainH and TrainJ EDGs inope rable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources ar e available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for this leve l of degradation, the risk associated with continued operation for a very s hort time could be less than that associated with an immediate c ontrolled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadve rtent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controll ed shutdown and to minimize the risk associated with this level of degradation.According to Reference6, with bo th EDGs inoperable, operation may continue for a period that should not exceed 2hours.
J.1With two LCO3.8.1.c required EDGs inoperable, as many as two required shared and potentially re quired components have no remaining standby AC sources. Thus, with an assumed loss of offsite power condition, the
required shared components powered from the other unit would be significantly degraded. Therefore, the required shared component would immediately be declared inoperable and LCOs3.7.8, 3.7.10, 3.7.12, and3.7.19 would provide the appropriate restrictions.
K.1 and K.2ConditionK is modified by a Note indi cating that separate Condition entry is allowed for each inoperable sequencing timing relay.
(continued)
North Anna Units 1 and 2B 3.8.1-20 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSK.1 and K.2 (continued)ConditionK is entered any time a required sequencing timing relay (STR) becomes inoperable. Required ActionK.1 directs the entry into the Required Actions and Completion Times associated for the individual
component served by the inoperable relay. The instrumentation signals that provide the actuation are governed by LCO3.3.2, "Engineered Safety Features Actuation System Instrument ation" for safety injection (SI),
Containment Spray (Containment Depressurization Actuation (CDA)) and LCO3.3.5, "Loss of Power (LOP) Emergency Diesel Generator (EDG)
Start Instrumentation" for the LOP.
The STRs provide a time delay for the individual component to close its breaker to the associated emergency electrical bus. Each component is sequenced onto the emergency bus by an initiating signal. Required ActionK.2 provides for the immediat e isolation of the component(s) ability to automatically load on an emergency electrical bus with an inoperable STR. This provides an assura nce that the component will not be loaded onto an emergency bus at an incorrect time. Improper loading sequence may cause the emergency bus to become inoperable. Rendering a component with an inoperable STR incapable of loading to the emergency bus prevents a possible overload condition. Upon implementation of ActionK.2.1, the inoperable sequencing timing relay is no longer required. Required ActionK.2.2 provides an alte rnative option for isolating the
component with an inoperable STR from the emergency bus by allowing the associated EDG to be declared inoperable.
L.1 and L.2If the inoperable AC electric power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this
status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable,
based on operating experience, to reach the required unit conditions from full power conditions in an orderl y manner and without challenging unit systems.
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-21Revision 38ACTIONS(continued)
M.1ConditionM corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additiona l time is justified for continued operation. The unit is required by LCO3.0.3 to commence a controlled shutdown.SURVEILLANCE
REQUIREMENT
SThe AC sources are designed to perm it inspection and testing of all important areas and featur es, especially those that have a standby function, in accordance with GDC18 (Ref.1). Periodic component tests are
supplemented by extensive functional te sts during refueling outages (under simulated accident conditions).
The SRs for demonstrating the OPERABILITY of the EDGs are in accordance with the recommendations of Safety Guide9 (Ref.3), Regulatory Guide1.108 (Ref.8), and Regulatory Guide1.137 (Ref.9),
as addressed in the UFSAR.Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The mini mum steady state output voltage of 3740V is 90% of the nominal 4160V out put voltage. This value, which is specified in ANSIC84.1 (Ref.10), allows for voltage drop to the terminals of 4000V motors whose minimum operati ng voltage is specified as 90% or 3600V. It also allows for voltage drops to motors and other equipment down through the 120V level where minimum operating voltage is also usually specified as 90% of name plate rating. The specified maximum steady state output voltage of 4580V is equal to the maximum operating voltage specified for 4000V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000V motors is no more than the maximum rated operating voltages. The specified minimum and maximum frequencies of the EDG are 59.5Hz and 60.5Hz, respectively. These values are <+/-1% of the 60Hz nominal frequency and are derived from the safety analysis assumptions for operation of ECCS pump criteria.
North Anna Units 1 and 2B 3.8.1-22 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignmen t verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected
to the preferred or alternate power sources for Unit1 or the preferred power source for Unit2, and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.1.2 and SR3.8.1.7These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe
shutdown condition.To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs are modified by a Note (Note1 for SR3.8.1.2) to indicate that all EDG star ts for these Surv eillances may be preceded by an engine prelube period and followed by a warmup period prior to loading.For the purposes of SR3.8.1.2 and SR3.8.1.7 testing, the EDGs are started from standby conditions. Standby conditi ons for an EDG mean that the diesel engine coolant and oil are being continuously circulated, as required, and temperature is being maintain ed consistent with manufacturer recommendations.
In order to reduce stress and wear on diesel engines, the manufacturer recommends a modified start in wh ich the starting speed of EDGs is limited, warmup is limited to this lower speed, and the EDGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note2.
SR3.8.1.7 requires that the EDG star ts from standby conditions and achieves required voltage and frequency within 10seconds. The 10second start requirement supports the assu mptions of the design basis LOCA analysis in the UFSAR, Chapter15 (Ref.5).
(continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-23Revision 46SURVEILLANCE REQUIREMENT
SSR3.8.1.2 and SR3.8.1.7 (continued)The 10second start requirement is not applicable to SR3.8.1.2 (see Note2) when a modified start procedur e as described above is used. If a modified start is not used, the 10second start requirement of SR3.8.1.7
applies.Since SR3.8.1.7 requires a 10second start, it is more restrictive than SR3.8.1.2, and it may be performed in lieu of SR3.8.1.2.
In addition to the SR requirements, the time for the EDG to reach steady state operation, unless the modified EDG start method is employed, is periodically monitored and the trend ev aluated to identify degradation of governor and voltage re gulator performance.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.1.3This Surveillance verifies that the EDGs are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of 90% to 100% of continuous rating (2500 to 2600 kW). A minimum run time of 60minutes is required to stabilize engine temperatures, while minimizing the time that the EDG is connected to the offsite source.
Although no power factor requirements are established by this SR, the EDG is normally operated at a power factor between 0.8 lagging and 1.0.
The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the EDG. Routine
overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
(continued)
North Anna Units 1 and 2B 3.8.1-24 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT
SSR3.8.1.3 (continued)
This SR is modified by four Notes. Note1 indicates that diesel engine runs
for this Surveillance may include gr adual loading, as recommended by the manufacturer, so that mechanical stre ss and wear on the diesel engine are minimized. Note2 states that moment ary transients, because of changing bus loads, do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. Note3 indicates that this Surveillance should be conducted on only one EDG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note4 stipulates a prer equisite requirement for performance of this SR. A successful EDG start must precede this test to credit satisfactory performance.SR3.8.1.4This SR provides verification that the level of fuel oil in the day tank is at or above the level which is required. The level is expressed as an
equivalent volume in gallons
, and is selected to ensu re adequate fuel oil for a minimum of 1hour of EDG operation at full load plus 10%.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.1.5 Microbiological fouling is a major cause of fuel oi l degradation. There are numerous bacteria that can grow in fu el oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks eliminates the necessary environment for bacterial survival. This is the most effectiv e means of controlling microbiological fouling. In addition, it elim inates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several
sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water mi nimizes fouling and provides data regarding the watertight integrity of the fuel (continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-25Revision 46SURVEILLANCE REQUIREMENT
SSR3.8.1.5 (continued)oil system. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Progr am. This SR is for preventative maintenance. The presence of water does not necessarily represent failure
of this SR, provided the accumulated water is removed during the performance of this Surveillance.SR3.8.1.6This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fu el oil piping system is intact, the fuel delivery piping is not obstructed, and the cont rols and control systems for fuel transfer systems are OPERABLE. Only one fuel oil transfer subsystem is required to support an OPERABLE EDG.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.1.7See SR3.8.1.2.
SR3.8.1.8Transfer of each 4.16kV ESF bus power supply from the normal offsite circuit to the alternate offsite circ uit demonstrates the OPERABILITY of the alternate circuit dist ribution network to power the shutdown loads for Unit1 only. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.
(continued)
North Anna Units 1 and 2B 3.8.1-26 Revision 38 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT
SSR3.8.1.8 (continued)This SR is modified by two Notes. Note1 states that the SR is applicable to Unit1 only. The SR is not applicable to Unit2 because it does not have an alternate offsite feed for the emergency buses. The reason for Note2 is
that, during operation with the reacto r critical, performance of this SR could cause perturbations to the electr ical distribution systems that could challenge continued steady state operation and, as a result, unit safety
systems. This restriction from norma lly performing the Surveillance in MODE1 or2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post
work testing following corrective maintenance, corrective modification,
deficient or incomplete surveillan ce testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients a ssociated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or opera ted independently for the Surveillance; as well as the operator procedures avai lable to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1 or2. Risk insights or deterministic methods may be used for this assessment.SR3.8.1.9 Each EDG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, wh ich, if excessive, might result in a trip of the engine. This Surveillan ce demonstrates the EDG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. For this unit, the single load for each EDG is 610kW. This Surveillance may be accomplished by:a.Tripping the EDG output breaker with the EDG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus; or (continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-27Revision 46SURVEILLANCE REQUIREMENT
SSR3.8.1.9 (continued)b.Tripping its associated single larges t post-accident load with the EDG solely supplying the bus.As required by IEEE-308 (Ref.11), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between
synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower.
The time, voltage, and frequency tolerances specified in this SR are derived from Safety Guide9 (Ref.3) recommendations for response during load sequence intervals.The 3seconds specified is equal to 60% of a typical 5second load sequence interval associated with sequencing of the largest load. The voltage and frequency speci fied are consistent with the design range of the equipment powered by the EDG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR3.8.1.9.b and SR3.8.1.9.c are steady state voltage and frequency values to whic h the system must recover following load rejection. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. The Note ensures that the EDG is tested under load conditions that are as cl ose to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of 0.9. This power factor is representative of the actual inductive loading an EDG would see under design basis accident conditions. Under certain conditions, however, the Note allows the surveillance to be conducted at a power factor other than 0.9. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.9 results in voltages on the emergency busses that are too high.
Under these conditions, the power factor should be maintained as clos e as practicable to 0.9 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the EDG excitation levels needed to obtain a power factor of 0.9 may not cause unacceptable voltages on the emergency busses, but the excita tion levels are in excess of those recommended for the EDG. In such cases, the power factor shall be maintained as close as practicable to 0.9 without exceeding the EDG excitation limits.
North Anna Units 1 and 2B 3.8.1-28 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE (continued)SR3.8.1.10 Consistent with the recommendations of Regulatory Guide1.108 (Ref.8), paragraph2.a.(1), this Surveillance de monstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the EDG. It further demonstrates the capability of the EDG to automatically achieve the required voltage and frequency within the specified time.The EDG autostart time of 10seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The
Surveillance should be continued for a minimum of 5minutes in order to demonstrate that all star ting transients have decayed and stability is achieved.
The requirement to verify the conn ection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the EDG loading logi
: c. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valv es are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow, and not desi red to be realigned to th e ECCS mode of operation.
In lieu of actual demonstration of c onnection and loading of loads, testing that adequately shows the capability of the EDG systems to perform these functions is acceptable. This testing may include any seri es of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note1 is to minimize wear and tear on the EDGs during test ing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circul ated, as required, and temperature (continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-29Revision 38SURVEILLANCE REQUIREMENT
SSR3.8.1.10 (continued)maintained consistent with manufactu rer recommendations. The reason for Note2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribut ion system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is fu rther amplified to allow portions of the Surveillance to be performe d for the purpose of reestablishing
OPERABILITY (e.g., post work testing fo llowing corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and
other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or
operated independently for the partial Su rveillance; as well as the operator procedures available to cope with th ese outcomes. These shall be measured against the avoided risk of the unit s hutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1, 2, 3, or4. Risk insights or deterministic methods may be used for this assessment.SR3.8.1.11This Surveillance demonstrates that the EDG automatically starts and achieves the required voltage and frequency within the specified time (10seconds) from the design basis actuation signal (LOCA signal) and operates for 5minutes. The 5minute period provides sufficient time to demonstrate stability. SR3.8.1.11.d and SR3.8.1.11.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on an ESF signal without loss of offsite power.The requirement to verify the connect ion of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the EDG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded w ithout undue hardship or potential for undesired operation. For instance, ECCS in jection valves are not desired to be stroked open, or high pressure (continued)
North Anna Units 1 and 2B 3.8.1-30 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT
SSR3.8.1.11 (continued)injection systems are not cap able of being operated at full flow. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG system to perform these functions is acceptable. This testing may include any seri es of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note1 is to minimize wear and tear on the EDGs during test ing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circul ated and temperature maintained consistent with manufacturer recommendations. The reason for Note2 is that during operation with the reac tor critical, performance of this Surveillance could cause perturbations to the elect rical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from normally performing the Surveillance in MODE1 or2 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g.,
post work testing following corr ective maintenance, corrective modification, deficient or incomple te surveillance testing, and other unanticipated OPERABILITY conc erns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or
operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of the unit sh utdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1 or2. Risk insights or deterministic methods may be
used for this assessment.
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-31Revision 46SURVEILLANCE (continued)SR3.8.1.12 This Surveillance demonstrates that EDG noncritical protective functions (e.g., high jacket water temperature) are bypassed on actual or simulated signals from an ESF actuation, a loss of voltage, or a loss of voltage signal concurrent with an ESF actuation test signal, and critical protective
functions (engine overspeed and generator differential current) trip the EDG to avert substantial damage to the EDG unit. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with suff icient time to react appropriately. The EDG availability to mitigate the DBA is more critical than protecting the engine against mi nor problems that ar e not immediately detrimental to emergency operation of the EDG.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required EDG from service. This restriction from normally performing the Surveillance in MODE1 or2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following
corrective maintenance, corrective m odification, deficient or incomplete surveillance testing, and other unant icipated OPERABILITY concerns)
provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the
operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1 or2. Risk in sights or deterministic methods may be used for this assessment.
North Anna Units 1 and 2B 3.8.1-32 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT
S(continued)SR3.8.1.13Regulatory Guide1.108 (Ref.8), paragraph2.a.(3), provides an acceptable method to demonstrate once per 18months that the EDGs can start and run continuously at full load capability for an interval of not less than 24hours, 2hours of which is at a load equivalent from 105% to 110% of the continuous duty rating and the remainder of the time at a load equivalent
from 90% to 100% of the continuous duty rating of the EDG. The EDG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubr icating and warmup, discussed in SR3.8.1.2, and for gradual loading, discussed in SR3.8.1.3, are applicable to this SR.
The load band is provided to avoid routine overloading of the EDG.
Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This Surveillance is modified by three Notes. Note1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients a bove the power factor limit will not invalidate the test. The reason for Note2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safe ty systems. This restriction from normally performing the Surveillance in MODE1 or2 is further amplified to allow the Surveillance to be performed for th e purpose of reestablishing OPERABILITY (e.g., post work testing fo llowing corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Su rveillance, and a perturbation of the offsite or onsite system when th ey are tied together or operated independently for the Surveillance; as well as (continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-33Revision 46SURVEILLANCE REQUIREMENT
SSR3.8.1.13 (continued)the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1 or2. Risk in sights or deterministic methods may be used for this assessment. Note3 en sures that the EDG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of 0.9. This power factor is repr esentative of the actual inductive loading an EDG would see under design basis accident conditions. Under certain conditions, however, Note3 allows the
surveillance to be conducted at a power factor other than 0.9. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.9 results in voltages on the emergency busses that are too high.
Under these conditions, the power factor should be maintained as clos e as practicable to 0.9 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the EDG excitation levels needed to obtain a power factor of 0.9 may not cause unacceptable voltages on the emergency busses, but the excita tion levels are in excess of those recommended for the EDG. In such cases, the power factor shall be maintained as close as practicable to 0.9 without exceeding the EDG excitation limits.SR3.8.1.14This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to s hutdown from normal Surveillances, and achieve the required voltage and frequency within 10seconds. The 10second time is derived fr om the requirements of th e accident analysis to respond to a design basis large break LOCA. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and
is controlled under the Surveill ance Frequency Control Program.This SR is modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the EDG. Routine overloa ds may result in more frequent
teardown inspections in accordance with vendor recomme ndations in order to maintain EDG OPERABILITY. The requirement that the (continued)
North Anna Units 1 and 2B 3.8.1-34 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT
SSR3.8.1.14 (continued)diesel has operated for at least 2hour s at full load conditions, or after operating temperatures reach a stabilized state, prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot
conditions. Momentary transients due to changing bus loads do not invalidate this test. Note2 allows all EDG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing.SR3.8.1.15 Consistent with the recommendations of Regulatory Guide1.108 (Ref.8), paragraph2.a.(6), this Surveillance ensures that the manual synchronization and load transfer from the EDG to the offsite source can be made and the EDG can be returned to ready to load status when offsite
power is restored. It also ensures that the autostart logic is reset to allow the EDG to reload if a subsequent loss of offsite power occurs. The EDG is considered to be in ready to load status when the EDG is at rated speed and voltage, the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequenc ing timing relays are reset. EDG loading of the emergency bus is limited to normal energized loads.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Noteis that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is further amplified to allow th e Surveillance to be performed for the purpose of reestablishing OPERAB ILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, a nd other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential
outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation (continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-35Revision 46SURVEILLANCE REQUIREMENT
SSR3.8.1.15 (continued)of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the
avoided risk of a unit shutdown and star tup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1, 2, 3, or4. Risk insights or deterministi c methods may be used for this assessment.SR3.8.1.16 Under accident conditions, with a loss of offsite power, safety injection, containment spray, or recirculation spray, loads are sequentially connected to the bus by the automatic load se quencing timing relays. The sequencing timing relays control the permissive and starting signals to motor breakers
to prevent overloading of the EDGs due to high motor starting currents.
The load sequence time interval tolerances, listed in the Technical Requirements Manual (Ref.12), ensure that sufficient time exists for the EDG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference2 provides a su mmary of the automatic loading of
ESF buses.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR is modified by a Note. The reason for the Noteis that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is further amplified to allow th e Surveillance to be performed for the purpose of reestablishing OPERAB ILITY (e.g., post work testing following corrective maintenance, corre ctive modification, deficient or incomplete surveillance testing, a nd other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed (continued)
North Anna Units 1 and 2B 3.8.1-36 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT
SSR3.8.1.16 (continued)Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied togeth er or operated inde pendently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1, 2, 3, or4. Risk insights or deterministic methods may be used for this assessment.SR3.8.1.17In the event of a DBA coincident with a loss of offsite power, the EDGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.
This Surveillance demonstrates the EDG operation, as discussed in the Bases for SR3.8.1.10, during a loss of offs ite power actuati on test signal in conjunction with an ESF actuation signal.
In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG system to perfor m these functions is acceptable. This testing may include any series of seque ntial, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note1 is to minimize wear and tear on the EDGs during test ing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circul ated and temperature maintained consistent with manufacturer reco mmendations for EDGs. The reason for Note2 is that the performance of th e Surveillance would remove a required offsite circuit from service, perturb the electrical distri bution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is fu rther amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (continued)
AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-37Revision 46SURVEILLANCE REQUIREMENT
SSR3.8.1.17 (continued)
(e.g., post work testing following co rrective maintenance, corrective modification, deficient or incomple te surveillance testing, and other unanticipated OPERABILITY conc erns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or
operated independently for the partial Su rveillance; as well as the operator procedures available to cope with th ese outcomes. These shall be measured against the avoided risk of the unit s hutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1, 2, 3, or4. Risk insights or deterministic methods may be used for this assessment.SR3.8.1.18This Surveillance demonstrates that the EDG starting independence has not been compromised. Also, this Surveill ance demonstrates that each engine can achieve proper speed within the specified time when the EDGs are started simultaneously.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is to minimize wear on the EDG during testing. For the purpos e of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperat ure maintained c onsistent with manufacturer recommendations.REFERENCES1.UFSAR, Chapter3.2.UFSAR, Chapter8.
3.Safety Guide9, March1971.
4.UFSAR, Chapter6.
5.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.8.1-38 Revision 21 AC Sources-Operating B 3.8.1BASESREFERENCES (continued)6.Regulatory Guide1.93, Rev.0, December1974.7.Generic Letter84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July2,1984.8.Regulatory Guide1.108, Rev.1, August1977.9.Regulatory Guide1.137, Rev.1, October1979.
10.ASME Code for Operation and Main tenance of Nuclear Power Plants.11.IEEE Standard308-1971.
12.Technical Requirements Manual.
North Anna Units 1 and 2B 3.8.2-1Revision 0 AC Sources-Shutdown B 3.8.2B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.2AC Sources-ShutdownBASESBACKGROUNDA description of the AC sources is provided in the Bases for LCO3.8.1, "AC Sources-Operating."APPLICABLE SAFETY ANALYSESThe OPERABILITY of the minimum AC sources during MODES5 and6 and during movement of recently irradi ated fuel assemblies ensures that:a.The unit can be maintained in th e shutdown or refueling condition for extended periods;b.Sufficient instrumentation and c ontrol capability is available for monitoring and maintaining the unit status; andc.Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, AC electrical power is only required to mitigate fuel handling accident involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term
recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)
In general, when the unit is shut down, the Technica l Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the f act that many Desi gn Basis Accidents (DBAs) that are analyzed in MODES1, 2, 3, and4 have no specific analyses in MODES5 and6. Worst case bounding events are deemed not credible in MODES5 and6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in (continued)
North Anna Units 1 and 2B 3.8.2-2Revision 0 AC Sources-Shutdown B 3.8.2BASESAPPLICABLE SAFETY ANALYSES(continued) minimal consequences. These deviati ons from DBA analysis assumptions and design requirements during shut down conditions are allowed by the LCO for required systems.
During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in re cognition that certain testing and maintenance activities must be conduc ted provided an acceptable level of risk is not exceeded. During MODES5 and6, performance of a significant number of required testing and maintenance activities is also required. In MODES5 and6, the activities are generally planned and administratively
controlled. Relaxations from MODE1, 2, 3, and4 LCO requirements are acceptable during shutdown modes based on:a.The fact that time in an outage is limited. This is a ri sk prudent goal as well as a utility economic consideration.b.Requiring appropriate compensatory measures for cer tain conditions.
These may include administrative c ontrols, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.c.Prudent utility consid eration of the risk associated with multiple activities that could affect multiple systems.d.Maintaining, to the extent practic al, the ability to perform required functions (even if not meeting MODE1, 2, 3, and4 OPERABILITY requirements) with systems assu med to function during an event.
In the event of an accident dur ing shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite pow er or a loss of all onsite emergency diesel generator (EDG) power.
The AC sources satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOOne offsite circuit capable of supplying the onsite Class1E power distribution subsystem(s) of LCO3.8.10, "Distribution Systems-Shutdown," ensures that all required loads are (continued)
AC Sources-Shutdown B 3.8.2BASESNorth Anna Units 1 and 2B 3.8.2-3Revision 0 LCO(continued)powered from offsite power. An OPERABLE EDG, associated with the distribution system trains required to be OPERABLE by LCO3.8.10,
ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and EDG ensures the availability of sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents involving handling recently irradiated fuel).The qualified offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es). Qualified offsite circuits are those that are desc ribed in the UFSAR and are part of the licensing basis for the unit.Offsite circuits consist of 34.5kV buses3, 4, and5 supplying the Reserve Station Service Transformer(s) (RSST) which feed the transfer buses. The D, E, andF transfer buses supply the onsite electrical power to the four emergency buses for the two units. Unit1 emergency busH is fed through the Ftransfer bus from the CRSST. Unit1 emergency busJ is fed through the Dtransfer bus from the ARSST. Unit1 station service bus1B can be an alternate feed for Unit1 Hemergency bus, while Unit1 J bus may be fed from Unit2 station service bus2B. Unit2 emergency busH is fed through the Etransfer bus from the BRSST. Unit2 emergency busJ is fed through the Ftransfer bus from the CRSST. The RSSTs can be fed by any 34.5kV bus (3, 4, or5) provided RSSTsA andB are fed from a different 34.5kV bus than RSSTC.
The EDG must be capable of starti ng, accelerating to rated speed and voltage, and connecting to its resp ective ESF bus on detection of bus undervoltage or degraded voltage. The EDG must be capable of accepting required loads within the assumed load ing sequence intervals, and continue to operate until offsite power can be restored to the ESF bus. These capabilities are required to be met fro m a variety of initial conditions such as EDG in standby with th e engine hot and the EDG in standby at ambient conditions.
Proper sequencing of loads is a required function for EDG OPERABILITY.
(continued)
North Anna Units 1 and 2B 3.8.2-4Revision 20 AC Sources-Shutdown B 3.8.2BASESLCO(continued)It is acceptable for trains to be cross tied during shutdown conditions, allowing a single offsite power circ uit to supply all required trains.APPLICABILITYThe AC sources required to be OPERABLE in MODES5 and6 and during movement of recently irradiated fuel assemblies provide assurance that:a.Systems to provide adequate cool ant inventory makeup are available for the irradiated fuel assemblies in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 300hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling
condition.
The AC power requirements for MODES1, 2, 3, and4 are covered in LCO3.8.1.ACTIONSA.1An offsite circuit would be considered inoperable if it were not available to the necessary portions of the electri cal power distribution subsystem(s). One train with offsite power avai lable may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By the allowance
of the option to declare required features inoperable, with no offsite power available, appropriate restrictions w ill be implemented in accordance with the affected required features LCO's ACTIONS.
AC Sources-Shutdown B 3.8.2BASESNorth Anna Units 1 and 2B 3.8.2-5Revision 0ACTIONS(continued)
A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4With the offsite circuit not available to all required trains, the option would still exist to declare all required features inoperabl
: e. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required EDG inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive
reactivity additions that could result in loss of required SDM (MODE5) or boron concentration (MODE6). Suspending positive reactivity additions
that could result in failure to meet the minimum SDM or boron
concentration limit is required to assure continued safe operation.
Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for
minimum SDM or refueling boron concen tration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increas es when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of
required SDM.
Suspension of these activities does not preclude completion of actions to establish a safe conservative condi tion. These actions minimize the probability or the occurrence of postula ted events. It is further required to immediately initiate action to rest ore the required AC sources and to continue this action until restoration is accomplis hed in order to provide the necessary AC power to the unit safety systems.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during wh ich the unit safety systems may be without sufficient power.Pursuant to LCO3.0.6, the Distribution System's ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of ConditionA are modified by a Note to indicate that when ConditionA is entered with no AC power to (continued)
North Anna Units 1 and 2B 3.8.2-6Revision 0 AC Sources-Shutdown B 3.8.2BASESACTIONSA.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 (continued) any required ESF bus, the ACTIONS for LCO3.8.10 must be immediately entered. This Note allows ConditionA to provide requirements for the loss of the offsite circuit, whether or not a train is de-energized. LCO3.8.10 would provide the appropriate restrict ions for the situation involving a de-energized train.SURVEILLANCE
REQUIREMENT
SSR3.8.2.1SR3.8.2.1 requires the SRs from LCO3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES1, 2, 3, and4.
SR 3.8.1.8 is not required to be met since only one of fsite circuit is required to be OPERABLE. SR3.8.1.11 and SR 3.8.1.17 are not required because the ESF actuation signals are not required to be OPERABLE. SR3.8.1.18 is excepted because starting independence is not required with the EDG(s) that is not required to be OPERABLE.
This SR is modified by a Note. The reason for this Note is to preclude requiring the required OPER ABLE EDG(s) from being paralleled with the offsite power network or otherw ise rendered inoperable during performance of SRs, and to preclude de-energizing a required 4160 V ESF bus or disconnecting a required offsite circuit duri ng performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the EDG. It is th e intent that these SRs must still be capable of being met, bu t actual performance is not required during periods when the EDG and offsite circuit is required to be OPERABLE. Refer to the corresponding Bases for LCO3.8.1 fo r a discussion of each SR.REFERENCESNone.
North Anna Units 1 and 2B 3.8.3-1Revision31Diesel Fuel Oil and Starting Air B 3.8.3B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.3Diesel Fuel Oil and Starting AirBASESBACKGROUNDThe fuel oil storage system has sufficient capacity to operate two EDGs for a period of 7days with each supplyi ng the maximum post loss of coolant accident load demand discussed in the UFSAR, Section9.5.4.2 (Ref.1). This onsite fuel oil capacity is suffic ient to operate the EDGs for longer than the time to replenish the ons ite supply from outside sources.The fuel oil storage system consists of two underground tanks. Fuel oil is transferred from an underground tank to each EDG day tank by a lead fuel oil transfer pump. An additional underground tank and fuel oil transfer pump is associated with each E DG day tank to provide a redundant subsystem. Independent level switches on the day tank operate the lead and backup fuel oil transfer subsystems. Only one fuel oil tran sfer subsystem is required for the EDG to be consid ered OPERABLE. All outside tanks, pumps, and piping are located underground or in a missile protected area.
For proper operation of the standby EDGs, it is necessary to ensure the
proper quality of the fuel oil. Regulatory Guide1.137 (Ref.2) addresses the recommended fuel oil practices as supplemented by ANSIN195 (Ref.3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity),
and impurity level.Each EDG has an air start system that contains two separate and independent subsystems. Normally, each subsystem is aligned to provide starting air to the associated EDG. Ea ch subsystem consists of a receiver and a compressor, however, the receiver pressurized to 175psig is the only component required to maintain ope rability of each diesel starting air subsystem. Only one air start receiver is required for the EDG to be considered OPERABLE.APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.4), and in the UFSAR, Chapter15 (Ref.5), assume Engineered Safety (continued)
North Anna Units 1 and 2B 3.8.3-2Revision31Diesel Fuel Oil and Starting Air B 3.8.3BASESAPPLICABLE SAFETY ANALYSES(continued)Feature (ESF) systems are OPERABLE. The EDGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section3.2, Power Distribution Limits; Section3.4, Reactor Coolan t System (RCS); and Section3.6, Containment Systems.The DBA and transient analyses assume the operation of one EDG associated with the unit on which an ac cident is postulated to occur and the operation of one EDG on the unit which is unaffected by the accident to support shared systems. LCO3.8.1 re quires two EDGs to be OPERABLE and one EDG from the other unit to be OPERABLE. However, only sufficient fuel oil to operate one EDG and one EDG on the other unit is required to satisfy the assumptions of the DBA and transient analysis and to support EDG OPERABILITY.Since diesel fuel oil and the air star t subsystem support the operation of the standby AC power sources, they satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOStored diesel fuel oil is required to have sufficient supply for 7days of full load operation for two EDGs. It is also required to meet specific standards for quality. This requirement, in c onjunction with an ability to obtain replacement supplies within 2days, supports the availability of EDGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurren ce (AOO) or a postulated DBA with loss of offsite power. EDG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO3.8.1, "AC Sources-Operating," and LCO3.8.2, "AC
Sources-Shutdown."One air start receiver is required to ensure EDG OPERABILITY. The required starting air receiver is required to have a minimum of 175psig to provide the EDG with more than one start attempt without recharging the air start receivers.APPLICABILITYThe AC sources (LCO3.8.1 and LCO3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it
in a safe shutdown condition (continued)
Diesel Fuel Oil and Starting Air B 3.8.3BASESNorth Anna Units 1 and 2B 3.8.3-3Revision 37APPLICABILITY (continued) after an AOO or a postulated DBA. Si nce stored diesel fuel oil and the starting air subsystem support LCO3.8.1 and LCO3.8.2, stored diesel fuel oil and starting air are required to be within limits when the EDG(s) is required to be OPERABLE.
All four EDGs (two per unit) are normally associated with both tanks which make up the fuel oil storage syst em. All EDGs that are required to be OPERABLE are associated with the fuel oil storage system. The determination of which EDGs are re quired to be OPERABLE is based on the requirements of LCO3.8.1, "AC Sources-Operating," and LCO3.8.2, "AC Sources-Shutdown."ACTIONSThe ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each EDG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable EDG subsys tem. Complying with the Required Actions for one inoperable EDG s ubsystem may allow for continued operation, and subsequent inoperable EDG subsystem(s) are governed by separate Condition entry and application of asso ciated Required Actions.
A.1, A.2, A.3, and A.4In this Condition, an underground fuel oi l storage tank is not within limits for the purpose of tank repair or inspection. Every ten years each fuel oil
tank must be inspected. Because both tanks are the source of fuel oil for all EDGs on both units, a dual unit outage would be required in order to provide the necessary time to complete the required maintenance or
inspection. Prior to removal of the ta nk for repairs or inspection, verify 50,000gallons of replacement fuel oil is available offsite and
transportation is availabl e to deliver that volume of fuel oil within 48hours. Restrictions are placed on th e remaining fuel oil storage tank and the 210,000-gallon above ground tank. Under this Condition, verification
of the redundant fuel oil tank is requi red to confirm the required minimum amount of diesel fuel oil. In additi on, the above ground tank, used to supply make up to the underground tanks, is requi red to be verified to contain the minimum level corresponding to 100,000gallons. Verifications of onsite fuel oil are required on a 12 hour frequency to ensure an adequate source (continued)
North Anna Units 1 and 2B 3.8.3-4Revision 37Diesel Fuel Oil and Starting Air B 3.8.3BASESACTIONS(continued) of fuel oil to the EDGs remains available. The underground fuel oil tank that is being inspected or repaired must be restored within limits in 7days. This time is considered reasonable based on the required maintenance and the requirements provided by the Required Actions.
A note is provided which permits a one-time extension of the 7-day Completion Time to 14days for each fuel oil storage tank. To extend the Completion Time from 7 to 14days
, the Incremental Conditional Core Damage Probability and incremental conditional large early release probability limits of RG1.177 were used as the criteria to identify
potentially risk significant configur ations. The results of the analysis identified several components that should not be scheduled for planned maintenance during the one-time extended Completion Time. The
following components will not be sc heduled for planned maintenance during the extended Completion Time nor will the 14-day Completion Time be entered with any of the following components out of service:
?Reserve Station Service Transformers 1-EP-ST 2A, 2B, and2C
?Transfer BusesD, E, andF
?Buses1 and2
?Transformers1 and2
?BreakersL102 andL202
?Emergency Diesel Generators 1/2 EE-EG-1/2 H andJ
?Emergency Switchgear Air Handlers 1/2-HV-AC-6/7
?Charging Pumps 1/2 CH-P-1A/B/C (two pumps on the same unit)
In the event one of the components above become inoperable during the extended Completion Time th e risk will be managed in accordance with the Tier3, Risk-Informed Plant Configurat ion Control Management practices.
(continued)
Diesel Fuel Oil and Starting Air B 3.8.3BASESNorth Anna Units 1 and 2B 3.8.3-5Revision 37ACTIONS(continued)
In addition, the following compensatory measure will be established and implemented prior to entry and while in the extended AOT:1.The condition of the offsite power supply and switchyard will be evaluated prior to entering the ex tended EDG UFOST CT for elective maintenance.2.Determine acceptable grid conditions for entering an extended EDG UFOST CT to perform elective maintenance. An extended EDG UFOST CT will not be entered to perform elective maintenance when grid stress conditions are high.3.No elective maintenance will be scheduled in the switchyard that would challenge offsite power availability and no elective maintenance will be scheduled on the main, auxiliary [station service], or startup [res erve station service] transformers associated with the unit during the proposed extended EDG UFOST CT.4.The system dispatcher will be contacted once per day to ensure no significant grid perturbations ar e expected during the extended EDG UFOST CT.5.The turbine-driven AFW pump will not be removed from service for planned maintenance activities during the extended EDG UFOST CT.6.Operating crews will be briefe d on the EDG UFOST work plan and procedural actions regarding:LOOP and Station Black Out 4 kV safeguards bus cross-tie [Unit 2 emergency bus cross-tie]Reactor Coolant System bleed and feed7.Weather conditions will be evalua ted prior to entering the extended EDG CT for elective maintenance. An extended EDG UFOST CT will not be entered for elective maintenance purposes if official
weather forecasts are predicting severe conditions (tornado or thunderstorm warnings).8.No elective maintenance will be scheduled for the plant DC system.
(continued)
North Anna Units 1 and 2B 3.8.3-6Revision 37Diesel Fuel Oil and Starting Air B 3.8.3BASESACTIONS(continued)9.Perform an assessment of the overall impact of maintenance on plant risk using a Configuration Risk Management Program before entering TS for planned EDG UFOST maintenance activities.
B.1In this Condition, the 7day fuel oil s upply is not available. The EDG fuel oil transfer pumps are aligned so th at the lead pump for each EDG takes suction on the 'A'tank. The backup pum ps are aligned to take suction on the 'B'tank. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6day supply. These circumstances may
be caused by events, such as full load operation required after an inadvertent start while at minimum required leve l, or feed and bleed operations, which may be necessitated by increasing particulate levels or
any number of other oil quality degradations. This restriction allows sufficient time for obtaining th e requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48hours is considered sufficie nt to complete restoration of the required level prior to declaring th e EDG inoperable. This period is acceptable based on the remaining capacity (>6days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period. This Condition applies for reasons other than ConditionA.
C.1This Condition is entered as a result of a failure to meet the acceptance criterion of SR3.8.3.2. Normally, trending of particulate levels allows sufficient time to correc t high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and er rors in laboratory analys is can produce failures that do not follow a trend. Since the pr esence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31days), it is pr udent to allow a brief period prior to declaring the associated EDG inoperable. The 7day Completion Time allows for further evaluation, resamp ling and re-analysis of the EDG fuel oil stored in th e below ground tanks.
Diesel Fuel Oil and Starting Air B 3.8.3BASESNorth Anna Units 1 and 2B 3.8.3-7Revision 37ACTIONS(continued)
D.1With the new fuel oil properties defined in the Bases for SR3.8.3.2 not within the required limits, a period of 30days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with
previously stored fuel oil, remains accep table, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these pr ocedures. Even if an EDG start and load was required during this time inte rval and the fuel oil properties were outside limits, there is a high like lihood that the EDG would still be capable of performing its intended function.
E.1With the one required starting air receiver pressure <175psig, sufficient capacity for several EDG start attempts does not exist. However, as long as the receiver pressure is >150psig, ther e is adequate capacity for at least one start attempt, and the EDG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48hours is considered sufficient to complete restoration to the required pressure prior to declaring the EDG inoperable.
This period is acceptable based on the remaining air start capacity, the fact that most EDG starts are accomplished on the first attempt, a nd the low probability of an event during this brief period.F.1With a Required Action and associated Completion Time not met, or one or more EDG's fuel oil or the required starting air receiver not within limits for reasons other than addressed by ConditionsA throughE, the associated EDG(s) may be incapable of performi ng its intended function and must be immediately declared inope rable. Only one starting air receiver is required.
North Anna Units 1 and 2B 3.8.3-8Revision 46Diesel Fuel Oil and Starting Air B 3.8.3BASESSURVEILLANCE REQUIREMENT
SSR3.8.3.1This SR provides verification that there is an adequate inve ntory of fuel oil in the storage tanks to support two EDGs' operation for 7days at full load. The 7day period is sufficient time to place the unit in a safe shutdown
condition and to bring in replenishment fuel from an offsite location.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.3.2The tests listed below are a means of determining whet her new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrim ental impact on diesel engine combustion. If results from these tests ar e within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storag e tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31days. The tests, limits, and applicable ASTM Standards are as follows:a.Sample the new fuel oil in accordance with ASTM D4057-88 (Ref.6);b.Verify in accordance with the tests specified in ASTM D975-89 (Ref.6) that the sample has an ab solute specific gravity at 60/60F of 0.83 and 0.89 or an API gravity at 60&deg;F of 27x and 39x when tested in accordance with ASTMD287-82 (Ref.6), a kinematic viscosity at 40&deg;C of 1.9 centistokes and 4.1 centistokes, and a flash point of 125F; andc.Verify that the new fuel oil is checked for water and sediment content within limits when tested in accordance with ASTMD1796-83 (Ref.6).(continued)
Diesel Fuel Oil and Starting Air B 3.8.3BASESNorth Anna Units 1 and 2B 3.8.3-9Revision 37SURVEILLANCE REQUIREMENT
SSR3.8.3.2 (continued)
Failure to meet any of th e above limits is cause fo r rejecting the new fuel oil, but does not represent a failure to meet the LCO con cern since the fuel oil is not added to the storage tanks.Within 31days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table1 of ASTMD975-89 (Ref.7) are met for ne w fuel oil when tested in accordance with ASTMD975-89 (Ref.6), except that the analysis for sulfur may be performed in accordance with ASTMD4294-98 (Ref.6), ASTMD1552-88 (Ref.6) or ASTMD2622-82 (Ref.6). The 31day period is acceptable because the fuel oil propert ies of interest, even if they were not within stated limits, would not have an immediate effect on EDG operation. This Surveillance ensures the availability of hi gh quality fuel oil for the EDGs.Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not
mean the fuel oil will not burn properl y in a diesel engi ne. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.
Particulate concentrations should be determined in accordance with ASTMD6217-98 (Ref.6). This me thod involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. Each tank is considered and tested separately.
The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.SR3.8.3.3 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each EDG is available. The system design requirements were verified for a mini mum of five engine start cycles without recharging. A start cycle is measured in terms of time (continued)
North Anna Units 1 and 2B 3.8.3-10 Revision 46Diesel Fuel Oil and Starting Air B 3.8.3BASESSURVEILLANCE REQUIREMENT
SSR3.8.3.3 (continued)(seconds of cranking). With receiver pressurized >150psig, there is adequate capacity for at least one start. The pressure specified in this SR is intended to reflect the lowest value at which more than one start can be accomplished.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.3.4 Microbiological fouling is a major cause of fuel oi l degradation. There are numerous bacteria that can grow in fu el oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks eliminates the necessary environment for bacterial survival. This is the most effectiv e means of controlling microbiological fouling. In addition, it elim inates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several
sources, including condensation, ground water, rain water, and contaminated fuel oil, and from br eakdown of the fuel oil by bacteria.
Frequent checking for and removal of accumulated water minimizes fouling and provides data re garding the watertight integrity of the fuel oil
system. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.5.4.2.2.Regulatory Guide1.137.3.ANSIN195-1976, AppendixB.
4.UFSAR, Chapter6.
5.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.8.3-11 Revision 37 Diesel Fuel Oil and Starting Air B 3.8.3BASESREFERENCES (continued)6.ASTM Standards: D4057-88; D975-89; D1522-88; D2622-82; D2276-82; D4292-98; D6217-98; D287-82; D1796-83.7.ASTM Standards, D975, Table1, 1989.
Intentionally Blank North Anna Units 1 and 2B 3.8.4-1Revision 0 DC Sources-Operating B 3.8.4B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.4DC Sources-OperatingBASESBACKGROUNDThe station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety relate d equipment and preferred AC vital bus power (via inverters). As required by Reference1, the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functi ons, assuming a single failur
: e. The DC electrical power system also conforms to the recommendations of Safety Guide6 (Ref.2) and IEEE-308 (Ref.3).The 125VDC electrical power system consists of two independent and redundant safety related Class1E DC electrical power subsystems (TrainH and TrainJ). Each subsystem consists of two 125VDC batteries, the associated battery charger(s) for each battery, and all the associated control equipment and interconnecting cabling. A spare battery charger is installed on each train and can be substituted for either of the train's chargers.During normal operation, the 125VDC load is powered from the battery chargers with the batteries floating on th e system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.The TrainH and TrainJ DC electri cal power subsystems provide the control power for its associated Class1E AC power load group, 4.16kV switchgear, and 480V load centers. Th e DC electrical power subsystems also provide DC electrical power to th e inverters, which in turn power the AC vital buses.
The DC power distribution system is de scribed in more detail in Bases for LCO3.8.9, "Distribution Systems-Operating," and LCO3.8.10, "Distribution Systems-Shutdown."
Each battery has adequate storage ca pacity to carry the required load continuously for at least 2hours.
(continued)
North Anna Units 1 and 2B 3.8.4-2Revision 8 DC Sources-Operating B 3.8.4BASESBACKGROUND (continued)Each 125VDC battery is se parately housed in a vent ilated room apart from its charger and distribution centers. E ach subsystem is located in an area separated physically and el ectrically from the other subsystem to ensure that a single failure in one subsys tem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class1E subsystems, such as batteries, battery chargers, or distribution panels.The criteria for sizing large lead storage batteries are defined in IEEE-485 (Ref.5).Each TrainH and TrainJ DC electri cal power subsyste m has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 24hours while supplying normal steady state loads discussed in the UFSAR, Chapter8 (Ref.4).
The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling to supply the required DC voltage to allow the associated EDG components to perform the required safety function.
For the other unit, the DC electrical power system provides control power for breakers and electrical power fo r solenoid operated valves that are needed to support operation of each required Service Water (SW) pump, Main Control Room (MCR)/Emergen cy Switchgear Room (ESGR) Emergency Ventilation System (EVS
) fan, Auxiliary Building central exhaust fan, and Component Cooling Water (CC) pump. SW, MCR/ESGR EVS, Auxiliary Building central e xhaust system, and CC are shared systems.APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.6), and in the UFSAR, Chapter15 (Ref.7), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical pow er system provides normal and emergency DC electrical power for the emergency auxiliaries and control and switching during al l MODES of operation.
(continued)
DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-3Revision 43APPLICABLE SAFETY ANALYSES(continued)The OPERABILITY of the DC sources is consistent with the initial assumptions of the accide nt analyses and is ba sed upon meeting the design basis of the unit. This includes ma intaining the DC sources OPERABLE during accident conditions in the event of:a.An assumed loss of all offsite AC power or all onsite AC power; andb.A worst case single failure.The OPERABILITY of the EDG DC el ectrical power system ensures the EDG may perform its required safety function.
The DC sources satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe DC electrical power subsystems, each subsystem consisting of two batteries, battery charger for each battery and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the train are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it
in a safe condition after an anticipa ted operational occurr ence (AOO) or a postulated DBA. Loss of any train DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref.4).
The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling to supply the required DC voltage to allow the associated EDG components to perform the required safety function.An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers to be operating and connected to the associated DC bus(es).
Additionally, the unit's electrical sour ces must include DC sources from the other unit that are required to support the SW, MCR/ESGR EVS, or CC safety functions. Control power for breakers and electrical power for solenoid operated valves are examples of support systems required to be
OPERABLE that are needed for the operation of each required SW pump, MCR/ESGR EVS fan, (continued)
North Anna Units 1 and 2B 3.8.4-4Revision 43 DC Sources-Operating B 3.8.4BASESLCO(continued)
Auxiliary Building central exhaust fan, and CC pump. SW, MCR/ESGR EVS, and CC are shared systems.APPLICABILITYThe DC electrical power sources are required to be OPERABLE in MODES1, 2, 3, and4 to ensure safe unit operation and to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; andb.Adequate core cooling is provide d, and containment integrity and other vital functions are maintained in the event of a postulated DBA.The EDG DC system is required to be OPERABLE in MODES1, 2, 3, and4 to ensure the OPERABILITY of the associated EDG in accordance with LCO3.8.1. In MODES5 or6, the OPERABILITY requirements of the EDG DC system are determined by the EDGs that they support in accordance with LCO3.8.2.
The DC electrical power requirements for MODES5 and6 are addressed in the Bases for LCO3.8.5, "DC Sources-Shutdown."ACTIONSA.1ConditionA represents one train with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized
during normal operation. It is, therefor e, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The 2hour limit is consistent with the allowed time for an inoperable DC distribution system train.If one of the required LCO3.8.4.a DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and asso ciated inoperable battery), the remaining LCO3.8.4.a DC electrical power subsystem has the capacity to support a safe shutdown and to miti gate an accident condition. For the Station batteries, a spare battery char ger may be substituted for the normal charger without (continued)
DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-5Revision 43ACTIONSA.1 (continued)entry into ConditionA. Since a subse quent worst case si ngle failure would, however, result in the complete loss of the remaining 125VDC electrical power subsystems with attendant loss of ESF functions, continued power operation should not exceed 2hours. The 2hour Completion Time is based on Regulatory Guide1.93 (Ref.8) and reflects a reasonable time to assess unit status as a function of the inope rable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.
B.1 and B.2 If the inoperable DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable,
based on operating experience, to reach the required unit conditions from full power conditions in an orderl y manner and without challenging unit systems. The Completion Time to bring the unit to MODE5 is consistent with the time required in Regulatory Guide1.93 (Ref.8).
C.1ConditionC represents the loss of the ability of the EDG DC system (e.g., inoperable battery charger or inoperabl e battery) to supply necessary power to the associated EDG. In this condition, the associated EDG is immediately declared inoperable and the associated Conditions or Required Actions of LCO3.8.1 are followed.
D.1ConditionD represents the loss of one or more required LCO3.8.4.c DC electrical power subsystem(s) needed to support the operation of required shared components on the other unit. SW, MCR/ESGR EVS, and CC are
shared systems. In this conditi on, the associated required shared components are declared inoperable immediately. The associated Conditions or Required Actions of LCO3.7.8, "Service Water System,"
(continued)
North Anna Units 1 and 2B 3.8.4-6Revision 46 DC Sources-Operating B 3.8.4BASESACTIONSD.1 (continued)LCO3.7.10, "MCR/ESGR Emergency Ventilation Systems," LCO3.7.12, "Emergency Core Cooling System Pump Room Exhaust Air Cleanup System," and LCO3.7.19, "Component Cooling Water (CC) System," are followed.SURVEILLANCE
REQUIREMENT
SSR3.8.4.1For Station and EDG batteries, verifyi ng battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of th e batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged
state. The voltage requirements are ba sed on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The Surv eillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.4.2Visual inspection of both Station and EDG batteries to de tect corrosion of the battery cells and connections, or measurement of the resistance of each intercell, interrack, intertier, a nd terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.
The presence of visible corrosion does not necessarily represent a failure of this SR provided visible corrosion is removed during performance of SR3.8.4.4.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-7Revision 46SURVEILLANCE REQUIREMENT
S(continued)SR3.8.4.3Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The presence of physical damage
or deterioration does not necessarily re present a failure of this SR, provided an evaluation determines that the phys ical damage or de terioration does not affect the OPERABILITY of the battery (its ability to perform its design function). The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.SR3.8.4.4 and SR3.8.4.5Station and EDG battery visual inspect ion and resistance measurements of intercell, interrack, intertier, a nd terminal connections provide an indication of physical dama ge or abnormal deteriorat ion that could indicate degraded battery condition. The anticorr osion material is used to help ensure good electrical connections a nd to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection. The removal of visible
corrosion is a preventive maintenance SR. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.SR3.8.4.6 and SR3.8.4.7SR3.8.4.6 requires that each Station battery charger be capable of supplying 270amps and 125V for 4hours. These requirements are based on the design capacity of the chargers (Ref.4). According to Regulatory Guide1.32 (Ref.10), the battery charger supply is required to be based on the largest combined dema nds of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit
during these demand occurrences.
The minimum required amperes and duration ensures that these re quirements can be satisfied.SR3.8.4.7 requires that each EDG battery charger be capable of supplying 10amps and 125V for 4hours. These values ar e based on the design requirements of the charger.
(continued)
North Anna Units 1 and 2B 3.8.4-8Revision 46 DC Sources-Operating B 3.8.4BASESSURVEILLANCE REQUIREMENT
SSR3.8.4.6 and SR3.8.4.7 (continued)
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The spare charger for the Station batteries is
required to be tested to the same criteria as the normal charger if it is to be used as a substitute charger.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.4.8A Station battery service te st is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements as specified in Reference4.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by three Notes. Note1 allows the performance of a modified performance discharge test in lieu of a service test.A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest
rate of the duty cycle). This will confirm the battery's ability to meet the critical period of the load duty cycl e, in addition to determining its percentage of rated capacity. In itial conditions for the modified performance discharge test should be identical to those specified for a
service test.It may consist of just two rates; for instance, the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performan ce test, both of which envelope the duty cycle of the service test. Sin ce the ampere-hours removed by a one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the (continued)
DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-9Revision 46SURVEILLANCE REQUIREMENT
SSR3.8.4.8 (continued)performance discharge test. The battery terminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the batter y service test for the duration of time equal to that of the service test.Note2 allows the performance discharge test in lieu of the service test.The reason for Note3 is that performing the Surveillance on the Station batteries would perturb the electrical distribution system and challenge safety systems. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is further amp lified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing fo llowing corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and
other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or
operated independently for the partial Su rveillance; as well as the operator procedures available to cope with th ese outcomes. These shall be measured against the avoided risk of the unit s hutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1, 2, 3, or4. Risk insights or deterministic methods may be used for this assessment.SR3.8.4.9A battery performance discharge test for Station and EDG batteries is a test of constant current capacity of a ba ttery to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.
A battery modified performance discharge test is described in the Bases for SR 3.8.4.8. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.9.
(continued)
North Anna Units 1 and 2B 3.8.4-10 Revision 46 DC Sources-Operating B 3.8.4BASESSURVEILLANCE REQUIREMENT
SSR3.8.4.9 (continued)The acceptance criteria for this Surv eillance are consiste nt with IEEE-450 (Ref.9) and IEEE-485 (Ref.5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's
rating. A capacity of 80% shows that th e battery rate of deterioration is increasing, even if there is ample cap acity to meet the load requirements.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. If the ba ttery shows degradation, or if the battery has reached 85% of its expected life, the Surveillance Frequency is reduced to 18months. Degradation is indicated, according to IEEE-450 (Ref.9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is 10% below the manufacturer's rating. The 60month Fr equency is consistent with the recommendations in IEEE-450 (Ref.9) and the 18month Frequency is consistent with operating experience.
This SR is modified by a Note. The reason for the Noteis that performing the Surveillance would perturb the electrical distri bution system and challenge safety systems for the Statio n batteries. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is further amplified to allow portions of the Su rveillance to be performed for the purpose of reestablishing OPERAB ILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, a nd other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of
the unit shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1, 2, 3, or4. Risk insights or determinis tic methods may be used for this
assessment.
DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-11Revision 0REFERENCES1.UFSAR, Chapter3.2.Safety Guide6, March10,1971.3.IEEE-308-1971.
4.UFSAR, Chapter8.
5.IEEE-485-1983, June1983.
6.UFSAR, Chapter6.
7.UFSAR, Chapter15.
8.Regulatory Guide1.93, December1974.
9.IEEE-450-1987.
10.Regulatory Guide1.32, February1977.
11.Regulatory Guide1.129, December1974.
Intentionally Blank North Anna Units 1 and 2B 3.8.5-1Revision 0 DC Sources-Shutdown B 3.8.5B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.5DC Sources-ShutdownBASESBACKGROUNDA description of the DC sources is provided in the Bases for LCO3.8.4, "DC Sources-Operating."APPLICABLE SAFETY ANALYSESThe initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter6 (Ref.1) and Chapter15 (Ref.2), assume that Engineered Safety Feature system s are OPERABLE. Th e DC electrical power system provides normal and emergency DC electrical power for the emergency auxiliaries and control and switching during all MODES of operation. The EDG DC system provides power for the required EDG as described in LCO3.8.2, "AC Sources-Shutdown."The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.The OPERABILITY of the minimum DC electrical power sources during MODES5 and6 and during movement of recently irradiated fuel assemblies ensures that:
a.The unit can be maintained in th e shutdown or refueling condition for extended periods;b.Sufficient instrumentation and c ontrol capability is available for monitoring and maintaining the unit status; andc.Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term
recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)
North Anna Units 1 and 2B 3.8.5-2Revision 20 DC Sources-Shutdown B 3.8.5BASESAPPLICABLE SAFETY ANALYSES(continued)
The DC sources satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe DC electrical power subsystem(s), each subsystem consisting of two batteries, one battery charger per battery, and the co rresponding control equipment and interconnecting cabling within the train, are required to be OPERABLE to support required trains of the distribution systems required OPERABLE by LCO3.8.10, "Distribut ion Systems-Shutdown." The EDG DC system, consisting of a battery, battery charger, and the corresponding control equipment and interconnection cabling for the EDG, are required to be OPERABLE to support the EDG required by LCO3.8.2, "AC Sources-Shutdown." This ensures the availability of sufficient DC
electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated even ts during shutdown (e.g., fuel handling accidents involving handling r ecently irradiated fuel).APPLICABILITYThe DC electrical power sour ces and EDG DC system required to be OPERABLE in MODES5 and6, and during movement of recently
irradiated fuel assemblies
, provide assurance that:a.Required features to provide ade quate coolant inventory makeup are available for the recently irradiated fuel assemblies in the core;b.Required features needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a
critical reactor core within the previous 300hours) are available;c.Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling
condition.The DC electrical power and EDG DC system requirements for MODES1, 2, 3, and4 are covered in LCO3.8.4.
DC Sources-Shutdown B 3.8.5BASESNorth Anna Units 1 and 2B 3.8.5-3Revision 20ACTIONSA.1, A.2.1, A.2.2, A.2.3, and A.2.4 The train with DC power available may be capable of supporting sufficient systems to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By allo wing the option to declare required features inoperable with the associat ed DC power sour ce(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCO ACTIONS. In many instances, this option
may involve undesired administrative ef forts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive reactivity a dditions) that could result in loss of required SDM (MODE5) or boron concentration (MODE6).
Suspending positive reactiv ity additions that could re sult in failure to meet the minimum SDM or boron concentrat ion limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentrat ion greater than what would be required in the RCS for minimum SD M or refueling boron concentration.
This may result in an overall re duction in RCS boron concentration, but provides acceptable margin to ma intaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystems and to continue this action unt il restoration is accomplis hed in order to provide the necessary DC electrical power to the unit safety systems.The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC
electrical power subsystems should be completed as quickly as possible in order to minimize the time during wh ich the unit safety systems may be without sufficient power.
North Anna Units 1 and 2B 3.8.5-4Revision 0 DC Sources-Shutdown B 3.8.5BASESACTIONS(continued)
B.1With the required EDG's DC system inoperable, the EDG is not OPERABLE and the applicable Conditions and Required Actions of LCO3.8.2, "AC Sources-Shutdown," must be entered immediately.SURVEILLANCE
REQUIREMENT
SSR3.8.5.1SR3.8.5.1 requires performance of all Surveillances required by SR3.8.4.1 through SR3.8.4.9. Therefore, see the corresponding Bases for LCO3.8.4 for a discussion of each SR.
This SR is modified by a Note. The reason for the Note is to preclude requiring the required OPERABLE DC sources or EDG DC system from being discharged below their capabili ty to provide the required power supply or otherwise rende red inoperable during the pe rformance of SRs. It is the intent that these SRs must stil l be capable of be ing met, but actual performance is not required.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.8.6-1Revision 0Battery Cell Parameters B 3.8.6B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.6Battery Cell ParametersBASESBACKGROUNDThis LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the Station and EDG batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources-Operating," and LCO3.8.5, "DC Sources-Shutdown."APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.1) and Chapter15 (Ref.2),
assume Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the emergency auxiliaries, and control and switching during all MODES of operation. The EDG DC electri cal power system consists of the battery, battery charger, and interc onnecting cabling supplying power to the associated EDG components to supply the required DC voltage to allow the EDG to perform the required safety function.The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accide nt analyses and is ba sed upon meeting the design basis of the unit. This includes maintain ing at least one train of DC sources OPERABLE during accident conditions, in the event of:
a.An assumed loss of all offsite AC power or all onsite AC power; andb.A worst case single failure.
Battery cell parameters satisfy the Criterion3 of 10CFR 50.36(c)(2)(ii).
LCOBattery cell parameters must remain within acceptable limits to ensure availability of the required DC pow er to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Electrolyte limits are conservatively established, allowing continued DC electrical system function even with CategoryA andB limits not met.
North Anna Units 1 and 2B 3.8.6-2Revision 0Battery Cell Parameters B 3.8.6BASESAPPLICABILITYThe battery cell parameters are required so lely for the support of the associated DC electrical power subs ystem(s) and EDG DC system(s).
Therefore, the battery is only requi red when the DC power source is required to be OPERABLE. Refer to th e Applicability discussion in Bases for LCO3.8.4 and LCO3.8.5.ACTIONSA.1, A.2, and A.3With one or more cells in one or more batteries not within limits (i.e., CategoryA limits not met, CategoryB limits not met, or CategoryA andB limits not met) but within the CategoryC limits specified in Table3.8.6-1 in the accompanying LCO, the batter y is degraded but there is still sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be consider ed inoperable solely as a result of Category A or B limits not met and operation is permitted for a limited period.The pilot cell electrolyte level and float voltage are required to be verified to meet the CategoryC limits within 1hour (Required ActionA.1). This check will provide a quick indication of the status of the remainder of the
battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells. One hour is considered a reasonable amount of time to pe rform the required verification.Verification that the CategoryC limits are met (Required ActionA.2) provides assurance that during the time needed to restore the parameters to the CategoryA and B limits, the batter y is still capable of performing its intended function. A period of 24hours is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to
perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable.
The verification is repeated at 7day intervals until the parameters are restored to Category A orB limits. This periodic verification is consistent with the normal Frequency of pilot cell Surveillances.
(continued)
Battery Cell Parameters B 3.8.6BASESNorth Anna Units 1 and 2B 3.8.6-3Revision 46ACTIONSA.1, A.2, and A.3 (continued)
Continued operation is only permitted for 31days before battery cell parameters must be restored to within CategoryA andB limits. With the consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limit s, this time is ac ceptable prior to declaring the battery inoperable.
B.1With one or more batteries with one or more battery cell parameters outside the CategoryC limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not assured and the
corresponding DC electrical power subsystem or EDG DC system must be declared inoperable. Additionally, other potentially extreme conditions, such as not completing the Required Actions of ConditionA within the required Completion Time or average electrolyte temperature of representative cells falling below 60F for the Station batteries, are also cause for immediately declaring the associated DC electrical power subsystem inoperable. Representative cells will consist of at least 10cells.SURVEILLANCE
REQUIREMENT
SSR3.8.6.1This SR verifies that CategoryA battery cell parameters are consistent with IEEE-450 (Ref.3), which recommends re gular battery inspections (at least one per month) including voltage, specific gravity, and electrolyte level of pilot cells. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the
Surveillance Frequency Control Program.SR3.8.6.2 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. In addition, within 24hours of a battery discharge <110V or a battery overcharge >150V, the battery must be demonstrated to meet CategoryB limits. Transients, such as motor starting transients, which may momentarily cause battery voltage to drop to 110V, do not constitute a battery discharge provided the battery terminal voltage and float current return to pre-transient values. This inspection is also(continued)
North Anna Units 1 and 2B 3.8.6-4Revision 46Battery Cell Parameters B 3.8.6BASESSURVEILLANCE REQUIREMENT
SSR3.8.6.2 (continued)consistent with IEEE-450 (Ref.3), wh ich recommends special inspections following a severe discharge or overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such discharge or overcharge.SR3.8.6.3This Surveillance verification that the average temperature of representative cells of the Station batteries is >60F, is consistent with a recommendation of IEEE-450 (Ref.3). The Surveillance Frequency is
based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.
Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an
acceptable operating range. This limit is based on manufacturer
recommendations.Table 3.8.6-1This table delineates the limits on el ectrolyte level, float voltage, and specific gravity for three differen t categories. The meaning of each category is discussed below.
CategoryA defines the normal paramete r limit for each designated pilot cell in each battery. The cells selected as pilot cel ls are those whose level, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery.The CategoryA limits specified for electrolyte level are based on manufacturer recommendations and are consistent with the guidance in IEEE-450 (Ref.3), with the extra 1/4inch allowance above the high water level indication for operating margin to account for temperatures and charge effects. In addition to this allowance, footnote a to Table3.8.6-1
permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physi cal damage, and that adequate electron transfer capability is maintained in the event of transient conditions.
IEEE-450 (Ref.3) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72hours.
(continued)
Battery Cell Parameters B 3.8.6BASESNorth Anna Units 1 and 2B 3.8.6-5Revision 0SURVEILLANCE REQUIREMENT
STable 3.8.6-1 (continued)The CategoryA limit specified for float voltage is 2.13V per cell. This value is based on the recommendations of IEEE-450 (Ref.3
), which states that prolonged operation of cells <2.13V can reduce the life expectancy of cells.The CategoryA limit specified for specific gravity for each pilot cell is 1.200 (0.015 below the manufacturer fully charged nominal specific gravity or a battery charging current th at had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity. According to IEEE-450 (Ref.3), the specific gravity readings are based on
a temperature of 77F (25C).The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3F (1.67C) above 77F (25C), 1point (0.001) is added to the reading; 1point is subtr acted for each 3F below 77F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation.CategoryB defines the normal parameter limits for each connected cell.
The term "connected cell" excludes any battery cell that may be jumpered out.
The CategoryB limits specified for el ectrolyte level and float voltage are the same as those specified for CategoryA and have been discussed above. The CategoryB limit specified for specific gravity for each connected cell is 1.195 (0.020 below the manufacturer fully charged, nominal specific gravity) with the average of all connected cells >1.205 (0.010 below the manufacturer fully charged, nominal specific gravity). These values are based on manufacturer's recommendati ons. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell will not mask overall degradation of the battery.CategoryC defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the CategoryC limits, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable.
(continued)
North Anna Units 1 and 2B 3.8.6-6Revision 0Battery Cell Parameters B 3.8.6BASESSURVEILLANCE REQUIREMENT
STable 3.8.6-1 (continued)The CategoryC limits specified for el ectrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no physical damage and maintain adequate electron transfer capability. The CategoryC limits for float voltage is based on IEEE-450 (Ref.3
), which states that a cell voltage of 2.07V or below, unde r float conditions and not caused by elevated temperature of the cell, i ndicates internal cel l problems and may require cell replacement.The CategoryC limit of average specific gravity 1.195 is based on manufacturer recommendations (0.020 below the manufacturer recommended fully charged, nominal spec ific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that the effect of a highly charged or new cell does not mask overall degradation of the battery.
The footnotes to Table3.8.6-1 are applicable to CategoryA, B, andC specific gravity. Footnote(b) to Table3.8.6-1 requires the above
mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when Station battery charging current is <2amps on float charge. This current provides, in general, an indication of overall battery condition.
Because of specific gravity gradie nts that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charger current is an acceptable alternative to specific gravity meas urement for determining the state of charge. This phenomenon is discussed in IEEE-450 (Ref.3). Footnote(c) to Table3.8.6-1 allows the float charge cu rrent to be used as an alternate to specific gravity for up to 7days following a Station battery recharge. Within 7days, each connected cell's sp ecific gravity must be measured to confirm the state of charge. Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity
gradients are not significant, and c onfirming measurements may be made in less than 7days.
Battery Cell Parameters B 3.8.6BASESNorth Anna Units 1 and 2B 3.8.6-7Revision 0REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.3.IEEE-450-1980.
Intentionally Blank North Anna Units 1 and 2B 3.8.7-1Revision 0 Inverters-Operating B 3.8.7B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.7Inverters-OperatingBASESBACKGROUNDThe inverters are the preferred source of power for the AC vital buses because of the stability and reliability they achieve. The function of the inverter is to provide AC electrical power to the vital buses. The inverters can be powered from a battery charger or from the station battery. The station battery provides an unint erruptible power source for the instrumentation and controls for the Reactor Trip System (RTS) and the Engineered Safety Feature Actuation System (ESFAS). Specific details on
inverters and their operating charact eristics are found in the UFSAR, Chapter8 (Ref.1).APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.2) and Chapter15 (Ref.3),
assume Engineered Safety Feature systems are OPERABLE. The inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RTS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are
discussed in more deta il in the Bases for Section3.2, Power Distribution Limits; Section3.4, Reactor Coolant System (RCS); and Section3.6, Containment Systems.The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes ma intaining required AC vital buses OPERABLE during accident conditions in the event of:
a.An assumed loss of all offsite AC electrical power or all onsite AC electrical power; andb.A worst case single failure.Inverters are a part of the distribution system and, as such, satisfy Criterion3 of 10CFR50.36(c)(2)(ii).
North Anna Units 1 and 2B 3.8.7-2Revision 0 Inverters-Operating B 3.8.7BASESLCOThe inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated ope rational occurrence (AOO) or a
postulated DBA.
Maintaining the required inverter s OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is main tained. The four inverters (two per train) ensure an uninterruptible suppl y of AC electrical power to the AC vital buses even if the 4.16kV safety buses are de-energized.OPERABLE inverters require the associated vital bus to be powered by the inverter with output voltage within tolerances, and power input to the inverter from a 125VDC station battery. Alternatively, power supply may be from a battery charger as long as th e station battery is available as the uninterruptible power supply.
This LCO is modified by a Note that allows one inverter to be disconnected from its associated battery for 24hours, if the vital bus is powered from a constant voltage transformer and all other inverters are OPERABLE. This allows an equalizing charge to be placed on the associated battery. If the inverters were not disconnected, th e resulting voltage condition might damage the inverters. Th ese provisions minimize th e loss of equipment that would occur in the event of a loss of offsite power. The 24hour time period for the allowance minimizes the time during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital bus while taking into consideration the time required to perform an equalizing charge on the battery bank.
The intent of this Note is to lim it the number of inverters that may be disconnected. Only those inverters a ssociated with the single battery undergoing an equalizing charge may be disconnected. All other inverters must be aligned to their associated batteries, regardless of the number of inverters or unit design.
Inverters-Operating B 3.8.7BASESNorth Anna Units 1 and 2B 3.8.7-3Revision 11APPLICABILITYThe inverters are required to be OPERABLE in MODES1, 2, 3, and4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; andb.Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.Inverter requirements for MODES5 and6 are covered in the Bases for LCO3.8.8, "Inverters-Shutdown."ACTIONSA.1With a required inverter inoperable, its associated AC vital bus becomes
inoperable until it is re-energized from its c onstant voltage source transformer.
For this reason a Note ha s been included in ConditionA requiring the entry into the Conditions and Required Actions of LCO3.8.9, "Distribution Systems-Operating." This ensures that the vital bus is re-energized within 2hours.Required ActionA.1 allows 7days to fi x the inoperable inverter and return it to service. The 7day limit is based upon a risk evaluation, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety system s such a shutdown might entail. When the AC vital bus is powered from its co nstant voltage source, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter s ource to the AC vital buses is the preferred source for powering instrumentati on trip setpoint devices.The following compensatory measures will be implemented when an instrument bus inverter is unavailable:
a.Entry into ConditionA will not be planned concurrent with EDG maintenance, and (continued)
North Anna Units 1 and 2B 3.8.7-4Revision 46 Inverters-Operating B 3.8.7BASESACTIONSA.1 (continued)b.Entry into ConditionA will not be planned concurrent with planned maintenance on another RPS/ESFAS channel that results in that channel being in a tripped condition.
B.1With one or more required LCO3.8.7.b i nverters inoperable, the reliability of the shared component(s) on the othe r unit is degraded. In this condition, the associated shared component is declared inoperable within 7days. Service Water, Main Control Room/Emergency Switchgear Room Emergency Ventilation System, and Component Cooling Water are shared systems.C.1 and C.2 If the inoperable devices or compone nts cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on
operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.SURVEILLANCE
REQUIREMENT
SSR3.8.7.1This Surveillance verifies that the inverters are functi oning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper vol tage output ensures that the required power is readily available for the instrumentation of the RTS and ESFAS connected to the AC vital buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter8.2.UFSAR, Chapter6.3.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.8.8-1Revision 0 Inverters-Shutdown B 3.8.8B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.8Inverters-ShutdownBASESBACKGROUNDA description of the inverters is provided in the Bases for LCO3.8.7, "Inverters-Operating."APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.1) and Chapter15 (Ref.2),
assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure th e availability of necessary power to the Reactor Trip System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.The OPERABILITY of the minimum inve rters to each AC vital bus during MODES5 and6 ensures that:
a.The unit can be maintained in th e shutdown or refueling condition for extended periods;b.Sufficient instrumentation and c ontrol capability is available for monitoring and maintaining the unit status; andc.Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, the inverter(s) are only required to mitigate fuel handl ing accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical core within a time frame establishe d by analysis. The term recently is defined as all irradiated fuel assemb lies, until analysis is performed to determine a specific time frame.)
North Anna Units 1 and 2B 3.8.8-2Revision 20 Inverters-Shutdown B 3.8.8BASESAPPLICABLE SAFETY ANALYSES(continued)
The inverters were previously identified as part of the distribution system and, as such, satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe required inverter(s) ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anti cipated operational occurrence or a postulated DBA. The battery powered inverters provide uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16kV safety buses are de-energized. OPER ABILITY of the inverters requires that the AC vital bus be powered by the inverter. This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during
shutdown (e.g., fuel handling acci dents involving handling recently
irradiated fuel). Supported system (s) that do not provide automatic function(s) may be connected to a vita l bus that is powered by a constant voltage transformer (example: Low Te mperature Overpres sure Protection, when not in automatic).APPLICABILITYThe inverters required to be OPERABLE in MODES5 and6 and during movement of recently irradiated fuel assemblies provide assurance that:a.Systems to provide adequate cool ant inventory makeup are available for the irradiated fuel in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e
., fuel that has occupied part of a critical core within the previous 300hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling
condition.Inverter requirements for MODES1, 2, 3, and4 are covered in LCO3.8.7.
Inverters-Shutdown B 3.8.8BASESNorth Anna Units 1 and 2B 3.8.8-3Revision 20ACTIONSA.1, A.2.1, A.2.2, A.2.3, and A.2.4 The required OPERABLE Inverters are capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, recently irradiated fuel movement, and opera tions with a potential for positive reactivity additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoper able, appropriate restrictions will be implemented in accordance with the affected required
features LCOs' Required Actions. In many instances, this option may involve undesired administrative effo rts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive reactivity a dditions) that could result in loss of required SDM (MODE5) or boron concentration (MODE6).
Suspending positive reactiv ity additions that could re sult in failure to meet the minimum SDM or boron concentrat ion limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentrat ion greater than what would be required in the RCS for minimum SD M or refueling boron concentration.
This may result in an overall re duction in RCS boron concentration, but provides acceptable margin to ma intaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condi tion. These actions minimize the probability of the occurrence of postula ted events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quick ly as possible in order to minimize the time the unit safety systems may be without power or powered from a constant voltage source transformer.
North Anna Units 1 and 2B 3.8.8-4Revision 46 Inverters-Shutdown B 3.8.8BASESSURVEILLANCE REQUIREMENT
SSR3.8.8.1This Surveillance verifies that the inverters are functi oning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper vol tage output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.8.9-1Revision 0Distribution Systems-Operating B 3.8.9B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.9Distribution Systems-OperatingBASESBACKGROUNDThe onsite Class1E AC, DC, and AC vital bus el ectrical power distribution systems are divided by train into tw o redundant and independent AC, DC, and AC vital bus electrical pow er distribution subsystems.The AC electrical power subsystem for each train consists of a primary Engineered Safety Feature (ESF) 4.16kV bus and secondary 480V buses and load centers. Each 4.16kV ESF bus has at least one separate and independent offsite source of power as well as a dedicated onsite emergency diesel generator (EDG) source. Unit1 has a normal offsite source and an alternate offsite source. Transfer to the alternate offsite source is a manual operation. Unit2 has a normal offsite source, and no
alternate source. In the event of a loss of offsite power, the EDGs for the affected buses will start and load. The EDGs for Unit1 will continue to run until (a)the safety bus is transferred to the alternate offsite source, or (b)the normal offsite source is restored. The Unit2 EDGs will continue to run until the normal offside source is restored. If offsite sources are unavailable, the onsite EDG supplies power to the 4.16kV ESF bus. Control power for the 4.16kV breakers is supplied from the Class1E
batteries. Additional description of th is system may be found in the Bases for LCO3.8.1, "AC Sources-Operating," and the Bases for LCO3.8.4, "DC Sources-Operating."
The secondary AC electrical power di stribution subsystem for each train includes the safety related buses and load centers shown in TableB3.8.9-1.The 120VAC vital buses are arranged in two load groups per train and are normally powered from the inverters.
The alternate power supply for the vital buses are constant voltage s ource transformers powered from the same train as the associated inverter, and its use is governed by LCO3.8.7, "Inverters-Operating." Each constant voltage source transformer is powered from a Class1E AC bus.
There are two independent 125VDC electrical power distribution subsystems for each train.
(continued)
North Anna Units 1 and 2B 3.8.9-2Revision 43 Distribution Systems-Operating B 3.8.9BASESBACKGROUND (continued)
For the other unit, one AC and DC bus on that unit is needed to support operation of each required Service Wa ter (SW) pump, Main Control Room (MCR)/Emergency Switchgear Room (ESGR) Emergency Ventilation
System (EVS) fan, Auxiliary Building central exhaust fan, and Component Cooling Water (CC) pump. SW, MCR/
ESGR EVS, and CC are shared systems.Two trains of electrical circuits on the AC Vital bus es provide power to the Auxiliary Building Central exhaust subsystem filter a nd bypass dampers. One circuit is associated with the manual control switch on the Unit1 ventilation Panel is powered from the Vital Bus 1-I. The other circuit is associated with the manual control switch on the Unit2 Ventilation Panel is powered from Vital Bus 2-III. Either circuit will realign all associated dampers to the filter position. Vital pow er is not required as the system is
aligned to operate the dampers to the filter (accident) position upon loss of power.The list of all required distribution buses is presented in TableB3.8.9-1.APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.1), and in the UFSAR, Chapter15 (Ref.2), assume ESF systems are OPERABLE. The AC, DC
, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensu re the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System,
and containment design li mits are not exceeded. Th ese limits are discussed in more detail in the Bases for Section3.2, Power Distribution Limits; Section3.4, Reactor Coolant System (RCS); and Section3.6, Containment Systems.The OPERABILITY of the AC, DC, a nd AC vital bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon m eeting the design basis of the unit.
This includes maintaining power di stribution systems OPERABLE during accident conditions in the event of:a.An assumed loss of all offsite power or all onsite AC electrical power; andb.A worst case single failure.
The distribution systems satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).
LCOThe distribution systems satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).
Distribution Systems-Operating B 3.8.9BASESNorth Anna Units 1 and 2B 3.8.9-3Revision 35The required power distribution subsystems listed in TableB3.8.9-1 ensure the availability of AC, DC, a nd AC vital bus electrical power for the systems required to shut down the re actor and maintain it in a safe condition after an anticipated ope rational occurrence (AOO) or a
postulated DBA. The AC, DC, and AC vital bus electrical power distribution subsystems are required to be OPERABLE.Maintaining the TrainH and TrainJ AC
, DC, and AC vita l bus electrical power distribution subsystems OPERABLE ensures that the redundancy
incorporated into the design of ESF is not defeated. Therefore, a single
failure within any system or with in the electrical power distribution subsystems will not prevent safe shutdown of the reactor.
OPERABLE AC electrical power di stribution subsystems require the associated buses and load centers to be energized to their proper voltages.
OPERABLE DC electrical power di stribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. OPERABLE vital bus electrical power distribution subsystems require the associated buses to be energized to their proper voltage from the associated inverter via i nverted DC voltage, or constant voltage transformer.
In addition, tie breakers between redundant safety related AC, DC, and AC vital bus power distribution subsystems, if they exist, must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsys tem, that could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers are closed, the affected redundant electrical power distribution subsystems are considered inoperable.
This applies to the onsite, safety related redundant electrical power di stribution subsystems. It does not, however, preclude redundant Class1E 4.16kV buses from being powered from the same offsite circuit.APPLICABILITYThe electrical power distribution subsys tems are required to be OPERABLE in MODES1, 2, 3, and4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; andb.Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA. Electrical power distribution subsystem requirements for MODES5 and6 are covered in the Bases for LCO3.8.10, "Distribution
Systems-Shutdown."
North Anna Units 1 and 2B 3.8.9-4Revision 35 Distribution Systems-Operating B 3.8.9BASESACTIONSA.1With one or more LCO3.8.9.a AC electrical power distribution subsystem(s) inoperable, the minimu m safety functions can still be accomplished, assuming no single failur e, as long as one set of redundant required equipment (AC buses and lo ad centers) supporting each safety function remains energized to their proper voltages. Redundant required equipment is listed in TableB3.8.9-1.
The overall reliability is reduced, however, because a single failure in the remaining power distribution
subsystems could result in the mini mum required ESF functions not being supported. Therefore, the required AC buses and load centers must be restored to OPERABLE status within 8hours.ConditionA worst scenario is one trai n without AC power (i.e., no offsite power to the train and the associated EDG inoperable).
In this Condition, the unit is more vulnerable to a complete loss of AC power.
It is, therefore, imperative that the unit operator's a ttention be focuse d on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8hour time limit before requiring a unit shutdown in this C ondition is acceptable because of:a.The potential for decreased safety if the unit operator's attention is diverted from the evalua tions and actions necessar y to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; andACTIONSA.1 (continued)b.The potential for an event in c onjunction with a si ngle failure of a redundant component in the train with AC power.The second Completion Time for Required ActionA.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If ConditionA is entered wh ile, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2hours. This could lead to a total of 10hours, since initial failure of the LCO, to restore the AC distribution syst em. At this time, a DC circuit could again become inoperable, and AC di stribution restored OPERABLE. This could continue indefinitely.The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time ConditionA was entered. The 16hour Completion Distribution Systems-Operating B 3.8.9BASESNorth Anna Units 1 and 2B 3.8.9-5Revision 35Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.Required ActionA.1 is modified by a Note that requires the applicable Conditions and Required Actions of LCO3.8.4, "DC Sources-Operating," to be entered for DC train(s) made inoperable power distribution subsystem(s). This is an exception to LCO3.0.6 and ensures the proper actions are taken for thes e components. Inoperability of a
distribution system can result in loss of charging power to batteries and eventual loss of DC power. This Note ensures that appropriate attention is given to restoring charging power to batteries, if necessary, after loss of distribution systems.
B.1With one or more LCO3.8.9.a AC vital buses inoperable and a loss of function has not yet occurred, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional singleACTIONSB.1 (continued) failure could result in the minimu m required ESF functions not being supported. Therefore, the required AC vital bus must be restored to OPERABLE status within 2hours by pow ering the bus from the associated inverter via inverted DC, or constant voltage transformer.ConditionB represents one or more AC vital buses without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the un it is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative
that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the re maining vital buses and restoring power to the affected vital bus.This 2hour limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate vital AC power. Taking exception to LCO3.0.2 for com ponents without adequate vital AC power, that would have the Required Action Completion Times shorter than 2hours if declared inoperable, is acceptable because of:a.The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable
operations to continue; North Anna Units 1 and 2B 3.8.9-6Revision 35 Distribution Systems-Operating B 3.8.9BASESb.The potential for decreased safety by requiring entry into numerous applicable Conditions and Require d Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary ev aluations and actions for restoring power to the affected train; andc.The potential for an event in c onjunction with a si ngle failure of a redundant component.The 2hour Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERAB LE status, the redundant capability afforded by the other OPERABLE vital bu ses, and the low probability of a DBA occurring during this period.The second Completion Time for Required ActionB.1 establishes a limit on the maximum allowed for any comb ination of required distribution subsystems to beACTIONSB.1 (continued) inoperable during any singl e contiguous occurrence of failing to meet the LCO. If ConditionB is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8hours. This could lead to a total of 10 hours, since initial failure of the LCO, to re store the vital bus distribut ion system. At this time, an AC train could again become i noperable, and vital bus distribution restored OPERABLE. This could continue indefinitely.This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time ConditionB was entered. The 16hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
C.1With one or more LCO3.8.9.a DC buses inoperable and a loss of function has not yet occurred, the remaining DC electrical power distribution subsystems are capable of supporti ng the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown
condition, assuming no single failure. Th e overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimu m required ESF functions not being supported. Therefore, the DC bus(es) must be restored to OPERABLE status within 2hours by powering the bus(es) from the associated battery or charger.
Distribution Systems-Operating B 3.8.9BASESNorth Anna Units 1 and 2B 3.8.9-7Revision 35ConditionC represents one or more DC buses without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situat ion, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the rema ining trains and restoring power to the affected train.ACTIONSC.1 (continued)This 2hour limit is more conservative than Completion Times allowed for the vast majority of components that would be without power. Taking exception to LCO3.0.2 for components without adequate DC power,
which would have Required Action Completion Times shorter than 2hours, is acceptable because of:a.The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;b.The potential for decreased safety by requiring entry into numerous applicable Conditions and Require d Actions for components without DC power and not providing sufficie nt time for the operators to perform the necessary evaluations a nd actions for restoring power to the affected train; andc.The potential for an event in c onjunction with a si ngle failure of a redundant component.The 2hour Completion Time for DC bus es is consistent with Regulatory Guide1.93 (Ref.3).
The second Completion Time for Required ActionC.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If ConditionC is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO
may already have been not met for up to 8hours. This could lead to a total of 10hours, since initial failure of th e LCO, to restore the DC distribution
system. At this time, an AC train c ould again become inoperable, and DC distribution restored OPERABLE. This could continue indefinitely.
North Anna Units 1 and 2B 3.8.9-8Revision 43 Distribution Systems-Operating B 3.8.9BASESThis Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time ConditionC was entered. The 16hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.ACTIONSD.1With one or more required LCO3.8.9.b AC electrical power distribution
subsystem(s) inoperable, the shared co mponent(s) on the other unit is not capable of operating. In this condition, the associated shared component is declared inoperable immediately. SW, MCR/ESGR EVS, and CC are shared systems. The associated Conditions or Requi red Actions of LCO3.7.8, "Service Water System," LCO3.7.10, "MCR/ESGR Emergency Ventilation System," and LCO3.7.19, "Component Cooling Water (CC) System," are followed.
E.1With one or more required LCO3.8.9.b DC electrical power distribution subsystem(s) inoperable, the shared co mponent(s) on the other unit is not capable of operating. In this condition, the associated shared component is declared inoperable immediately. SW, MCR/ESGR EVS, and CC are shared systems. The associated Conditions or Requi red Actions of LCO3.7.8, 3.7.10, 3.7.12, and3.7.19 are followed.F.1With one or more required LCO3.8.9.b AC vital electrical power distribution subsystem(s) inoperable, the shared component(s) on the other unit is not capable of operating. In this condition, the associated shared component is declared inoperable immediately. SW, MCR/ESGR EVS, and CC are shared systems.G.1 and G.2If the inoperable LCO3.8.9.a distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this
status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable,
based on operating experience, to reach the required unit conditions from full power conditions in an orderl y manner and without challenging unit systems.
Distribution Systems-Operating B 3.8.9BASESNorth Anna Units 1 and 2B 3.8.9-9Revision 46ACTIONSH.1ConditionH corresponds to a level of de gradation in the electrical power distribution system that causes a required safety function to be lost. When more than one inoperable LCO3.8.9.a electrical pow er distribution subsystem results in the loss of a required function, the unit is in a condition outside the accident analysis. Therefore, no additional time is
justified for continued operation. LCO3.0.3 must be entered immediately to commence a controlled shutdown.SURVEILLANCE
REQUIREMENT
SSR3.8.9.1This Surveillance verifies that th e required AC, DC, and AC vital bus electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independ ence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus.
The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as we ll as control functions for critical system loads connected to these buses. Verification of proper
voltage availability for 480volt buses and load ce nters may be performed by indirect methods. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.3.Regulatory Guide1.93, December1974.
North Anna Units 1 and 2B 3.8.9-10Revision0 Distribution Systems-Operating B 3.8.9BASES* Each train of the AC and DC electrical power distribution systems is a subsystem.TableB 3.8.9-1 (page1 of1)
AC and DC Electrical Po wer Distribution SystemsTYPEVOLTAGETRAIN H*TRAIN J*Unit 1Unit 2Unit 1Unit 2AC emergency buses4160 VESF BusESF Bus1H2H1J2J480 VLoad CentersLoad Centers1H2H1J2J1H12H11J12J1DC buses125 VBus 1-I2-IBus 1-III2-IIIBus 1-II2-IIBus 1-IV2-IV AC vitalbuses120 VBus 1-12-1Bus 1-32-3Bus 1-22-2Bus 1-42-4 North Anna Units 1 and 2B 3.8.10-1Revision 0 Distribution Systems-Shutdown B 3.8.10B 3.8  ELECTRICAL POWER SYSTEMSB 3.8.10Distribution Systems-ShutdownBASESBACKGROUNDA descripti on of the AC, DC, and AC vital bus electrical pow er distribution systems is provided in the Bases for LCO3.8.9, "Distribution Systems-Operating."APPLICABLE SAFETY ANALYSESThe initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter6 (Ref.1) and Chapter15 (Ref.2), assume
Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power di stribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.The OPERABILITY of the AC, DC, a nd AC vital bus electrical power distribution system is cons istent with the initial as sumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.The OPERABILITY of the minimum AC
, DC, and AC vital bus electrical power distribution subsystems during MODES5 and6, and during movement of recently irradiated fuel assemblies ensures that:a.The unit can be maintained in th e shutdown or refueling condition for extended periods;b.Sufficient instrumentation and c ontrol capability is available for monitoring and maintaining the unit status; andc.Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, the AC and DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical core within a time fram e established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)
North Anna Units 1 and 2B 3.8.10-2Revision 20 Distribution Systems-Shutdown B 3.8.10BASESAPPLICABLE SAFETY ANALYSES(continued)
The AC and DC electrical power distribution systems satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOVarious combinations of subsys tems, equipment, and components are required OPERABLE by other LCOs, depending on the specific unit condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the el ectrical distribution system necessary to support OPERABILITY of requi red systems, equipment, and components-all specifically addre ssed in each LCO and implicitly required via the definition of OPERABILITY.
Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postula ted events during shutdown (e.g., fuel handling accidents involving handli ng recently irradiated fuel).APPLICABILITYThe AC and DC electrical pow er distribution subsystems required to be OPERABLE in MODES5 and6, and during movement of recently irradiated fuel assemblies
, provide assurance that:a.Systems to provide adequate cool ant inventory makeup are available for the irradiated fuel in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e
., fuel that has occupied part of a critical core within the previous 300hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and refueling
condition.The AC, DC, and AC vital bus electrical power distri bution subsystems requirements for MODES1, 2, 3, and4 are covered in LCO3.8.9.
Distribution Systems-Shutdown B 3.8.10BASESNorth Anna Units 1 and 2B 3.8.10-3Revision 20ACTIONSA.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 Although redundant required features may require redundant trains of electrical power distri bution subsystems to be OPERABLE, one OPERABLE distribution subsystem train may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the af fected distribution subsystem LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently
conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fu el assemblies, and operations involving positive reactivity additions) that c ould result in loss of required SDM (MODE5) or boron concentration (MODE6). Suspending positive
reactivity additions that could result in failure to meet the minimum SDM or boron concentration limi t is required to assure continued safe operation.
Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for
minimum SDM or refueling boron concen tration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increas es when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of
required SDM.
Suspension of these activities does not preclude completion of actions to establish a safe conservative condi tion. These actions minimize the probability of the occurrence of postula ted events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety
systems.Notwithstanding performance of the a bove conservative Required Actions, a required residual heat removal (RHR
) subsystem may be inoperable. In this case, Required Acti ons A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO3.0.6, the RHR ACTIONS would not be entered.
(continued)
North Anna Units 1 and 2B 3.8.10-4Revision 46 Distribution Systems-Shutdown B 3.8.10BASESACTIONSA.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 (continued)Therefore, Required Action A.2.5 is provided to direct declaring RHR inoperable, which results in ta king the appropria te RHR actions.The Completion Time of immediately is consistent with the required times for actions requiring prompt attent ion. The restoration of the required distribution subsystems should be co mpleted as quickly as possible in order to minimize the time the unit safety systems may be without power.SURVEILLANCE
REQUIREMENT
SSR3.8.10.1This Surveillance verifies that th e required AC, DC, and AC vital bus electrical power distribution subsystems are functioning properly, with all the buses energized. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as
well as control functions for critical system loads connect ed to these buses. Verification of proper voltage availability for 480volt buses and load centers may be performed by indirect methods. The Surveillance
Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.
North Anna Units 1 and 2B 3.9.1-1Revision 0 Boron Concentration B 3.9.1B 3.9REFUELING OPERATIONSB 3.9.1Boron ConcentrationBASESBACKGROUNDThe limit on the boron concentrat ions of the Reactor Coolant System (RCS), the refueling canal, and th e refueling cavity during refueling ensures that the reactor remains subcritical during MODE6. Refueling boron concentration is the soluble bor on concentration in the coolant in each of these volumes having direct access to the reactor core during
refueling.The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Plant procedures ensure the sp ecified boron concentration in order to maintain an overall core reactivity of keff 0.95 during fuel handling, with control rods and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowe d by plant procedures.GDC26 requires that two independent reactivity control systems of different design principles be provided (Ref.1). On e of these systems must
be capable of holding the reactor co re subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable
of maintaining the reactor subcritical in cold c onditions by maintaining the boron concentration.The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refu eling. After the RCS is cooled and depressurized and the vessel head is unbolted, the head is slowly removed to form the refueling cavity. The refueling canal and the refueling cavity
are then flooded with borated water from the Refueling Water Storage Tank through the open reactor vesse l by gravity feeding or by the use of the Low Head Safety Injection System pumps.
The pumping action of the Residual He at Removal (RHR) System in the RCS and the natural circulation due to thermal driving heads in the reactor vessel and refueling cavity mix the added concentrated boric acid with the water in the refueling canal. The RHR System is in operation during (continued)
North Anna Units 1 and 2B 3.9.1-2Revision 0 Boron Concentration B 3.9.1BASESBACKGROUND (continued)refueling (see LCO3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level") to provide forced circulation in the RCS and assist in ma intaining the boron concentrations in the RCS, the refueling canal, and th e refueling cavity above the COLR limit.APPLICABLE SAFETY ANALYSESDuring refueling operati ons, the reactivity condition of the core is established to protect against inadvertent positive reactivity addition and is conservative for MODE6. The boron concentration limit specified in the COLR is based on the core reactivity at the begi nning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.
The required boron concentration and th e plant refueling procedures that verify the correct fuel loading plan (including full core mapping) ensure that the keff of the core will remain 0.95 during the refueling operation. Hence, at least a 5% k/k margin of safety is established during refueling.
During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal, the refueling cavity, and the reactor vessel form a
single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.
The RCS boron concentration satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThe LCO requires that a minimum bor on concentration be maintained in the RCS, the refueling canal, and the refueling cavity while in MODE6. The boron concentration limit specified in the COLR ensures that a core keff of 0.95 is maintained during fuel handling operations. Violation of the LCO could lead to an inadvertent criticality during MODE6.APPLICABILITYThis LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subc ritical. The required boron concentration ensures a keff 0.95. Above MODE6, (continued)
Boron Concentration B 3.9.1BASESNorth Anna Units 1 and 2B 3.9.1-3Revision 0APPLICABILITY (continued)LCO3.1.1, "SHUTDOWN MARGIN (SDM)"
ensures that an adequate amount of negative reactivity is avai lable to shut down the reactor and maintain it subcritical.
The applicability is modifi ed by a Note. The Note states that the limits on boron concentration are only applicable to the refuel ing canal and refueling cavity when those volumes are connected to the RCS. When the refueling canal and refueling cavity are isolated from the RCS, no potential path for
boron dilution exists.ACTIONSA.1 and A.2Continuation of CORE ALTERATIONS or positive reactivity additions
(including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron
concentration of any coolan t volume in the RCS, the refueling canal, or the refueling cavity is less than its limit, all operations involving CORE ALTERATIONS or positive reactivit y additions must be suspended immediately.Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position. Operations that individually add limited positive reacti vity (e.g., temperature fluctuations from inventory addition or temperatur e control fluctuations), but when combined with all other operations affecting core reactivity (e.g.,
intentional boration) result in overa ll net negative react ivity addition, are not precluded by this action.
A.3In addition to immediately suspending CORE ALTERATIONS and positive reactivity additions, boration to restore the concentration must be initiated immediately.In determining the required combin ation of boration flow rate and concentration, no unique Design Basis Event must be satisfied. The only requirement is to restore the boron c oncentration to its required value as soon as possible. In order to rais e the boron concentration as soon as possible, the operator should begin borat ion with the best source available for unit conditions.
(continued)
North Anna Units 1 and 2B 3.9.1-4Revision 46 Boron Concentration B 3.9.1BASESACTIONSA.3 (continued)
Once actions have been initiated, th ey must be continued until the boron concentration is restored. The restoration time depends on the amount of boron that must be injected to reach the required concentration.SURVEILLANCE
REQUIREMENT
SSR3.9.1.1This SR ensures that the coolant boron concentration in the RCS, and
connected portions of the refueling canal and the refueling cavity, is within the COLR limits. The boron concentrat ion of the coolant in each required volume is determined periodically by chemical analysis. Prior to re-connecting portions of the refueling canal or the refueling cavity to the
RCS, this SR must be met per SR3.0.1. If any dilution activity has occurred while the cavity or canal were disconnected from the RCS, this SR ensures the correct boron concentration prior to communication with the RCS.The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section3.1.22.
North Anna Units 1 and 2B 3.9.2-1Revision 8Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2B 3.9  REFUELING OPERATIONSB 3.9.2Primary Grade Water Flow Path Isolation Valves-MODE6BASESBACKGROUNDDuring MODE6 operations, the is olation valves for primary grade water flow paths that are connected to the Reactor Cool ant System (RCS) must be closed to prevent unplanned boron di lution of the reactor coolant. The isolation valves must be locked, sealed or otherwise secured in the closed position.The Chemical and Volume Control Syst em is capable of supplying borated and unborated water to the RCS th rough various flow paths. Since a positive reactivity addition made by uncontrolled reduction of the boron concentration is inappropriate during MODE6, isolation of all primary grade water flow paths prevents an unplanned boron dilution.APPLICABLE SAFETY ANALYSESThe possibility of an inadvertent boron dilution event (Ref.1) occurring during MODE6 refueling operations is precluded by adherence to this LCO, which requires that primary grade water flow paths be isolated.
Closing the required valves during refueling operations prevents the flow of unborated water to the filled portion of the RCS. The valves are used to
isolate primary grade water flow paths.
These valves have the potential to indirectly allow dilution of the RCS boron concentration in MODE6. By isolating primary grade water flow paths, a safety analysis for an uncontrolled boron dilution accident is not required for MODE6.The RCS boron concentration satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThis LCO requires that flow paths to the RCS from primary grade water sources be isolated to prevent unplanned boron dilution during MODE6 and thus avoid a reduction in SDM.For Unit1, primary grade water flow pa ths may be isolated from the RCS by closing valve 1-CH-217. Alternatively, 1-CH-220, 1-CH-241, 1-CH-FCV-1114B and 1-CH-FCV-1113B may be used in lieu of 1-CH-217. For Unit2, primary grade water (continued)
North Anna Units 1 and 2B 3.9.2-2Revision 8Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2BASESLCO(continued)flow paths may be isolated from the RCS by closing valve 2-CH-140. Alternatively, 2-CH-160, 2-CH-156, 2-CH-FCV-2114B, and 2-CH-FCV-2113B may be us ed in lieu of 2-CH-140.
The LCO is modified by a Note which allows the primary grade water flow path isolation valves to be opened unde r administrative control for planned boron dilution or makeup activities.APPLICABILITYIn MODE6, this LCO is applicable to prevent an inadvertent boron dilution event by ensuring isolation of primary grade water flow paths to the RCS.In MODES3, 4, and5, LCO3.1.8, Primary Grade Water Flow Path Isolation Valves, requires the primary grade water flow paths to the RCS to be isolated to prevent an inadvertent boron dilution.
In MODES1 and2, the boron dilution accident was analyzed and was found to be capable of being mitigated.ACTIONSA.1Continuation of CORE ALTERATIONS is contingent upon maintaining the unit in compliance with this LCO. With any valve used to isolate primary grade water flow paths not lock ed, sealed or otherwise secured in the closed position, all operations involving CORE ALTERATIONS must be suspended immediately. The Completion Time of "immediately" for performance of Required ActionA.1 shall not preclude completion of movement of a component to a safe position.ConditionA has been modified by a Note to require that Required ActionA.3 be completed whenever ConditionA is entered.
A.2Preventing inadvertent dilution of the reactor coolant boron concentration is dependent on maintaining the primary grade water flow path isolation valves secured closed. Locking, sealing, or securing the valves in the
closed position ensures that the valv es cannot be inadvertently opened. The Completion Time of 15minutes provides sufficient time to close, lock,
seal, or otherwise secure the flow path isolation valve.
Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2BASESNorth Anna Units 1 and 2B 3.9.2-3Revision 46ACTIONS(continued)
A.3Due to the potential of having dilu ted the boron concentration of the reactor coolant, SR3.9.1.1 (verification of boron concentration) must be performed to demonstrate that the re quired boron concentration exists. The Completion Time of 4hours is sufficient to obtain and analyze a reactor coolant sample for boron concentration.SURVEILLANCE
REQUIREMENT
SSR3.9.2.1These valves are to be locked, sealed, or otherwise secured closed to isolate possible dilution paths. The likelihood of a significant reduction in the boron concentration during MODE6 operations is remote due to the large mass of borated water in the refueling cavity and the fact that the primary
grade water flow paths are isolated, precluding a dilution. The boron concentration is checked during MODE6 under SR3.9.1.1. The
Frequency is based on verifying that the isolation valves are locked, sealed, or otherwise secured within 15mi nutes following a boron dilution or makeup activity. This Frequency is based on engineering judgment and is considered reasonable in view of othe r administrative controls that will ensure that the valve opening is an unlikely possibility.REFERENCES1.UFSAR, Section15.2.4.
Intentionally Blank North Anna Units 1 and 2B 3.9.3-1Revision 0Nuclear Instrumentation B 3.9.3B 3.9  REFUELING OPERATIONSB 3.9.3Nuclear InstrumentationBASESBACKGROUNDThe source range neutron flux monitors are used during refueling operations to monitor the core reac tivity condition. The installed source range neutron flux monitors are part of the Nuclear Instrumentation System (NIS). These detectors are located external to the reactor vessel and detect neutrons leaking from the core.The installed source range neutron flux monitors are BF3 detectors operating in the proportional region of the gas filled detector characteristic curve. The detectors monitor the ne utron flux in counts per second. The instrument range covers six decades of neutron flux (1E+6cps). The
detectors also provide c ontinuous visual indication and an audible alarm in the control room to alert operators to a possible dilution accident. The NIS is designed in accordance with the criteria presented in Reference1.APPLICABLE SAFETY ANALYSESTwo OPERABLE source range neutron flux monitors are required to provide a signal to alert the operato r to unexpected changes in core reactivity such as with a boron dilution accident (Ref.2) or an improperly loaded fuel assembly. The need for a safety analysis for an uncontrolled
boron dilution accident is eliminated by isolating all unborated water sources as required by LCO3.9.2, "Primary Grade Water Flow Path Isolation Valves-MODE6."
The source range neutron flux monitors satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThis LCO requires that two source range neutron flux monitors be OPERABLE to ensure that redundant m onitoring capability is available to detect changes in core reactivity.
North Anna Units 1 and 2B 3.9.3-2Revision 0Nuclear Instrumentation B 3.9.3BASESAPPLICABILITYIn MODE6, the source range ne utron flux monitors must be OPERABLE to determine changes in core reactivity. There are no other direct means available to check core reactivity levels. In MODES2, 3, 4, and5, these same installed source range detectors a nd circuitry are also required to be OPERABLE by LCO3.3.1, "Reactor Trip System (RTS) Instrumentation."ACTIONSA.1 and A.2With only one source ra nge neutron flux monitor OPERABLE, redundancy has been lost. Since these instrume nts are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO3.9.1 must be suspended immediately. Suspending positive reactivity additions that could result in failure to m eet the minimum boron concen tration limit is required to assure continued safe operation. In troduction of coolant inventory must be from sources that have a boron concentration greater than that what would be required in the RCS for mi nimum refueling bor on concentration.
This may result in an overall reducti on in RCS boron concentration, but provides acceptable margin to ma intaining subcritical operations.
Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.
B.1With no source range neutron flux monitor OPERABLE, action to restore a
monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until a source range neutron flux monitor is restored to OPERABLE status.
B.2With no source range neutron flux m onitor OPERABLE, there are no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and positive reactivity additions are not to be made, the core reactivity condition is stabilized until the source range neutron flux monitors are OPERABLE. This stabilized condition is determined by performing SR3.9.1.1 to ensure that the required boron concentration exists.(continued)
Nuclear Instrumentation B 3.9.3BASESNorth Anna Units 1 and 2B 3.9.3-3Revision 46ACTIONSB.2 (continued)The Completion Time of once per 12hours is sufficient to obtain and analyze a reactor coolant sample for boron concentration and ensures that unplanned changes in boron concentr ation would be identified. The 12hour Frequency is reasonable, c onsidering the low probability of a change in core reactivity during this time period.SURVEILLANCE
REQUIREMENT
SSR3.9.3.1SR3.9.3.1 is the performance of a CHANNEL CHECK, which is a
comparison of the parameter indica ted on one channel to a similar parameter on other channels. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in
fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.9.3.2SR3.9.3.2 is the performance of a CHANNEL CALIBRATION every 18months. This SR is modified by a Note stating that ne utron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the source range ne utron flux monitors consists of obtaining the detector plateau or pr eamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. The 18month Frequency is based on the need to perform this Surveillance under the conditions that apply duri ng a unit outage. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter3.2.UFSAR, Chapter15.
Intentionally Blank North Anna Units 1 and 2B 3.9.4-1Revision 20 Containment Penetrations B 3.9.4B 3.9  REFUELING OPERATIONSB 3.9.4Containment PenetrationsBASESBACKGROUNDDuring movement of recently irradiated fuel assemblies within containment, a release of fission produc t radioactivity within containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES1, 2, 3, and4, this is accomplished by maintaining containment OPERABLE as described in LCO3.6.1, "Containment." In MODE6, the potenti al for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the
containment from the outside atmos phere can be less stringent. The LCO requirements are referred to as "c ontainment closure" rather than "containment OPERABILITY." Contai nment closure means that all potential escape paths are closed or cap able of being closed. Since there is no potential for containment pressurization, the AppendixJ leakage criteria and tests are not required.
The containment serves to contain fission product ra dioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained wi thin the requirements of Regulatory Guide1.183 (Ref.2). Additionally, th e containment provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions.
The containment equipment hatch, wh ich is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containm ent. During movement of recently irradiated fuel assemblies within cont ainment, the equipment hatch must be held in place by at least fourbolts. G ood engineering practice dictates that the bolts required by this LCO be approximately equally spaced.
The containment air locks, which are al so part of the containment pressure boundary, provide a means for personnel access during MODES1, 2, 3, and4 unit operation in accordance with LCO3.6.2, "Containment Air Locks." One of the containment air lo cks is an integral part of the containment equipment hatch. During refueling the air lock (continued)
North Anna Units 1 and 2B 3.9.4-2Revision 20 Containment Penetrations B 3.9.4BASESBACKGROUND (continued)that is part of the containment equipment hatch is typically replaced by a temporary hatch plate. While the tempor ary hatch plate is installed, there is only one air lock by which to enter c ontainment. The LCO only applies to containment air locks that are insta lled. Each air lock has a door at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of unit shutdown when containment closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain
open for extended periods when frequent containment entry is necessary.
During movement of recently irradiated fuel assemblies within containment, containment closure is re quired; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain closed.The requirements for contai nment penetration closure ensure that a release of fission product radioactivity within containment will be restricted from escaping to the environment. The closure restrictions are sufficient to restrict fission product radioactivity release from the containment due to a fuel handling accident involving handling of recently irradiated fuel.The Containment Purge and Exhaust System includes a 36inch purge penetration and a 36inch exhaust penetration. During MODES1, 2, 3, and4, the two valves in each of the purge and exhaust flow paths are secured in the closed pos ition. The Containment Purge and Exhaust System is not subject to a Specification in MODE5.In MODE6, large air exchanges ar e necessary to conduct refueling operations. The 36inch purge system is used for this purpose.
The containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side.
Isolation may be achieved by an OPERABLE automatic isolation valve, or
by a manual isolation valve, blind fl ange, or equivalent. Equivalent isolation methods must be approved and may include use of a material that can provide a temporary, atmospheric pressure, ventilation barrier for the
other containment penetrat ions during recently irradiated fuel movements.
Containment Penetrations B 3.9.4BASESNorth Anna Units 1 and 2B 3.9.4-3Revision 20APPLICABLE SAFETY ANALYSESDuring movement of irradiated fuel assemblies within containment, the most severe radiological consequences result from a fuel handling accident involving handling recently irradiated fu el. The fuel handling accident is a postulated event that involves damage to irradiated fuel (Ref.1). Fuel handling accidents, analyzed in Reference2, involve dropping a single irradiated fuel assembly and handling tool. The requirements of LCO3.9.7, "Refueling Cavity Water Level," in conjunction with a minimum decay time of 100hours prior to movement of irradiated fu el (i.e., fuel that has not been recently irradiated) without containment closure capability
ensures that the release of fission product radioactivity, subsequent to a fuel handling accident, results in doses th at are within the guideline values specified in Regulatory Guide1.183 (Ref.2).
Containment penetrations satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThis LCO limits the consequences of a fuel handling accident involving handling recently irradiat ed fuel in containment by limiting the potential escape paths for fission product radioactivity released within containment.
The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge an d exhaust penetrations. For the OPERABLE containment purge and exhaust penetrations, this LCO ensures that these penetrations are isolable by a containment purge and exhaust isolation valve.
The LCO is modified by a Note allowing penetration flow paths with direct access from the containment atmosphere to the outside atmosphere to be unisolated under administrative controls. Administrative controls ensure that 1)appropriate personnel are aware of the open st atus of the penetration flow path during movement of recently irradiated fuel assemblies within containment, and 2)specified indi viduals are designated and readily available to isolate the flow path in the event of a fuel handling accident.APPLICABILITYThe containment penetration requirements are applicable during movement of recently irradiated fuel assemblies within containment because this is
when there is a potential for the limiting fuel handling accident. In MODES1, 2, 3, (continued)
North Anna Units 1 and 2B 3.9.4-4Revision 46 Containment Penetrations B 3.9.4BASESAPPLICABILITY (continued)and4, containment penetration requirements are addressed by LCO3.6.1. In MODES5 and6, when movement of irradiated fuel assemblies within containment is not being conducted, th e potential for a design basis fuel handling accident does not exist. Additionally, due to radioactive decay, containment closure capability is onl y required during a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has
occupied part of a cri tical reactor core within the previous 100hours). A fuel handling accident involving fuel with a minimum decay time of 100hours prior to movement will resu lt in doses that are within the guideline values specified in Regulatory Guide1.183 (Ref.2) even without containment closure capability. Th erefore, under these conditions no requirements are placed on cont ainment penetration status.ACTIONSA.1 If the containment equipment hatc h, air locks, or any containment penetration that provides direct access from the containment atmosphere to the outside atmosphere is not in the required status, including the Containment Purge and Exhaust Isolat ion System not capable of manual actuation when the purge and exhaus t valves are open, the unit must be placed in a condition where the isolation function is not needed. This is accomplished by immediately suspending movement of rece ntly irradiated fuel assemblies within containment. Performance of these actions shall not preclude completion of movement of a component to a safe position.SURVEILLANCE
REQUIREMENT SSR3.9.4.1This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position. The Surveillance on the open purge and exhaust valves will demonstrate that the valves are not blocked from closing. Also the Surveillance will demonstrate that each valve operator has motive power, which will ensure that each valve is
capable of being manually closed.
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Containment Penetrations B 3.9.4BASESNorth Anna Units 1 and 2B 3.9.4-5Revision 46SURVEILLANCE REQUIREMENT
SSR3.9.4.2This Surveillance demonstrates that each containment purge and exhaust valve actuates to its isolati on position on manual initiation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This Surveillance will ensure that the valves are capable of being closed after a postulated fuel handling accident involving handling recently irradiated fuel to limit a release of fission product radioactivity from the containment. The SR is modified by a Note stating that this Surveillance is not required to be met for valves in isolated
penetrations. The LCO provides the option to close penetrations in lieu of requiring manual initiation capability.REFERENCES1.UFSAR, Section15.4.7.2.Regulatory Guide1.183, July2000.
Intentionally Blank North Anna Units 1 and 2B 3.9.5-1Revision 0 RHR and Coolant Circulation-High Water Level B 3.9.5B 3.9  REFUELING OPERATIONSB 3.9.5Residual Heat Removal (RHR) and Coolant Circulation-High Water LevelBASESBACKGROUNDThe purpose of the RHR System in MODE6 is to remove decay heat and sensible heat from the Reactor Coolan t System (RCS) to provide mixing of borated coolant and to prevent boron stratification (Ref.1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchanger(s), where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold
leg(s). Operation of the RHR System for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlli ng the flow of reactor coolant through the RHR heat exchanger(s) and the bypa ss. Mixing of the reactor coolant is maintained by this continuous circul ation of reactor coolant through the RHR System.APPLICABLE SAFETY ANALYSESIf the reactor coolant temperat ure is not maintained below 200F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant
would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the RHR System is required to be operational in MODE6, with the water level 23ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit
removal of the RHR loop from oper ation for short durations, under the condition that the boron concentrati on is not diluted. This conditional removal from operation of the RHR l oop does not result in a challenge to the fission product barrier.The RHR System satisfies Criterion4 of 10CFR 50.36(c)(2)(ii).
LCOOnly one RHR loop is required for decay heat removal in MODE6, with the water level 23ft above the top of the reactor vessel flange. Only one RHR loop is required to be (continued)
North Anna Units 1 and 2B 3.9.5-2Revision 0 RHR and Coolant Circulation-High Water Level B 3.9.5BASESLCO(continued)OPERABLE, because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one RHR loop must be OPERABLE and in operation to provide:a.Removal of decay heat;b.Mixing of borated coolant to minimize the possibility of criticality; andc.Indication of reactor coolant temperature.
An OPERABLE RHR loop includes an RHR pump, a heat exchanger, valves, piping, instruments, and cont rols to ensure an OPERABLE flow path and to determine the RHR discharge temperature. The flow path starts in one of the RCS hot legs and is returned to at least one of the RCS cold legs.The LCO is modified by a Note th at allows the required operating RHR loop to be removed from operation for up to 1hour per 8hour period, provided no operations ar e permitted that would dilute the RCS boron concentration by introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO3.9.1. Boron concentration reduction with coolant at boron concentrations less than required to assure the RCS boron concentration is
maintained is prohibited because uniform concentrat ion distribution cannot be ensured without forced circulation.
This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles
and RCS to RHR isolation valve testing. During this 1hour period, decay
heat is removed by natural convection to the large mass of water in the refueling cavity.APPLICABILITYOne RHR loop mu st be OPERABLE and in operation in MODE6, with the water level 23ft above the top of the react or vessel flange, to provide decay heat removal. The 23ft wate r level was selected because it corresponds to the 23ft requirement established for fuel movement in LCO3.9.7, "Refueling Cavity Water Level." Requirements for the RHR System in other MODES are covered by LCOs in Section3.4, Reactor
Coolant System (RCS). RHR loop requirements in MODE6 with the water level <23ft are located in LCO3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level."
RHR and Coolant Circulation-High Water Level B 3.9.5BASESNorth Anna Units 1 and 2B 3.9.5-3Revision 0ACTIONSRHR loop requirements are me t by having one RHR loop OPERABLE and in operation, except as permitted in the Note to the LCO.
A.1If RHR loop requirements are not met, th ere will be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inve ntory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum refueling boron concentrati on. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation.
A.2If RHR loop requirements ar e not met, actions shal l be taken immediately to suspend loading of irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat rem oval from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 23ft above the reactor vessel flange
provides an adequate available heat sink. Suspending any operation that would increase decay heat load, such as loading a fuel assembly, is a
prudent action under this condition.
A.3If RHR loop requirements are not met, actions shall be initiated and continued in order to satisfy RHR loop requirements. With the unit in MODE6 and the refueling water level 23ft above the top of the reactor vessel flange, corrective actions shall be initiated immediately.
A.4, A.5, A.6.1, and A.6.2If LCO3.9.5 is not met, the foll owing actions must be taken:a.the equipment hatch or equipment hatch cover must be closed and secured with at least four bolts;b.one door in each installed air lock must be closed; and (continued)
North Anna Units 1 and 2B 3.9.5-4Revision 46 RHR and Coolant Circulation-High Water Level B 3.9.5BASESACTIONSA.4, A.5, A.6.1, and A.6.2 (continued)c.each penetration pr oviding direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust Isolation system.With RHR loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmo sphere. Performing the actions described above ensures th at all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.The Completion Time of 4 hours allows fixing of most RHR problems and is reasonable, based on the low probabi lity of the coolant boiling in that time.SURVEILLANCE
REQUIREMENT
SSR3.9.5.1 This Surveillance demonstrates that the RHR loop is in operation and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. The Surveillance
Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section5.5.4.
North Anna Units 1 and 2B 3.9.6-1Revision 0RHR and Coolant Circulation-Low Water Level B 3.9.6B 3.9  REFUELING OPERATIONSB 3.9.6Residual Heat Removal (RHR) and Coolant Circulation-Low Water LevelBASESBACKGROUNDThe purpose of the RHR System in MODE6 is to remove decay heat and sensible heat from the Reactor Coolan t System (RCS) to provide mixing of borated coolant, and to prevent bor on stratification (Ref.1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal cooldown decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlli ng the flow of reactor coolant through the RHR heat exchanger(s) and the bypass lines. Mixing of the reactor
coolant is maintained by this conti nuous circulation of reactor coolant through the RHR System.APPLICABLE SAFETY ANALYSESIf the reactor coolant temperat ure is not maintained below 200F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant will eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two trains of the RHR System are required to be OPERABLE, and one train in operation, in order to prevent this challenge.The RHR System satisfies Criterion4 of 10CFR 50.36(c)(2)(ii).LCOIn MODE6, with the water level <23f t above the top of the reactor vessel flange, both RHR loops must be OPERABLE. Additionally, one loop of RHR must be in operati on in order to provide:a.Removal of decay heat; (continued)
North Anna Units 1 and 2B 3.9.6-2Revision 0RHR and Coolant Circulation-Low Water Level B 3.9.6BASESLCO(continued)b.Mixing of borated coolant to minimize the possibility of criticality; andc.Indication of reactor coolant temperature.
This LCO is modified by two Notes. Note1 permits the RHR pumps to be removed from operation for 15minutes when switching from one train to another. The circumstan ces for stopping both RHR pumps are to be limited to situations when the outage time is short and the core outlet temperature is maintained >10F below saturation temperature. The Note prohibits boron dilution or draining operations when RHR forced flow is stopped. Note2 allows one RHR loop to be inoperable for a period of 2hours
provided the other loop is OPERABLE a nd in operation. Prior to declaring the loop inoperable, consideration s hould be given to the existing unit configuration. This consideration should include that the core time to boil is short, there is no draining operati on to further reduce RCS water level and that the capability exists to inject borated water into the reactor vessel.
This permits surveillance tests to be performed on the inoperable loop during a time when these te sts are safe and possible.
An OPERABLE RHR loop consists of an RHR pump, a heat exchanger,
valves, piping, instruments and contro ls to ensure an OPERABLE flow path and to determine the RHR discharge temperature. The flow path starts in one of the RCS hot legs and is returned to at least one of the RCS cold legs.APPLICABILITYTwo RHR loops are required to be OPERABLE, and one RHR loop must be in operation in MODE6, with the water level <23ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the RHR System in other MODES are covered by LCOs in Section3.4,
Reactor Coolant System (RCS). RHR loop requirements in MODE6 with the water level 23ft are located in LCO3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level."ACTIONSA.1 and A.2If less than the required number of RHR loops are OPERABLE, action
shall be immediately initiated and con tinued until the RHR loop is restored to OPERABLE status and to operation (continued)
RHR and Coolant Circulation-Low Water Level B 3.9.6BASESNorth Anna Units 1 and 2B 3.9.6-3Revision 0ACTIONSA.1 and A.2 (continued) or until 23ft of water level is establishe d above the reactor vessel flange. When the water level is 23ft above the reacto r vessel flange, the Applicability changes to that of LCO3.9.5, and only one RHR loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.
B.1If no RHR loop is in operation, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron
concentrations cannot occur by the a ddition of water with a lower boron concentration than that contained in the RCS, because all of the unborated water sources are isolated.
B.2If no RHR loop is in operation, actions shall be initiated immediately, and continued, to restore one RHR loop to operation. Since the unit is in ConditionsA andB concurrently, the restoration of two OPERABLE RHR
loops and one operating RHR loop should be accomplished expeditiously.
B.3, B.4, B.5.1, and B.5.2 If no RHR is in operation, the following actions must be taken:a.the equipment hatch or equipment hatch cover must be closed and secured with at least four bolts;b.one door in each installed air lock must be closed; andc.each penetration pr oviding direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPER ABLE Containment Purge and Exhaust Isolation system.With RHR loop requirements not met, the potential exists for the coolant to
boil and release radioactive gas to th e containment atmo sphere. Performing the actions described (continued)
North Anna Units 1 and 2B 3.9.6-4Revision 46RHR and Coolant Circulation-Low Water Level B 3.9.6BASESACTIONSB.3, B.4, B.5.1, and B.5.2 (continued)above ensures that all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.The Completion Time of 4 hours allows fixing of most RHR problems and is reasonable, based on the low probabi lity of the coolant boiling in that time.SURVEILLANCE
REQUIREMENT
SSR3.9.6.1This Surveillance demonstrates that one RHR loop is in operation and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. In addition, during operation of the RHR loop with the water level lowered to the level of the reactor vessel nozzles, the RHR pump net positive suction head requirements must be met. The Surveillance Frequency is based on
operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.9.6.2Verification that the required pump is OPERABLE ensures that an additional RCS or RHR pump can be pl aced in operation, if needed, to maintain decay heat rem oval and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to
the required pump. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The SR is modified by a Note that st ates the SR is not required to be performed until 24hours after a re quired pump is not in operation.REFERENCES1.UFSAR, Section5.5.4.
North Anna Units 1 and 2B 3.9.7-1Revision 20Refueling Cavity Water Level B 3.9.7B 3.9  REFUELING OPERATIONSB 3.9.7Refueling Cavity Water LevelBASESBACKGROUNDThe movement of irradiated fuel assemblies within containment requires a minimum water level of 23ft above th e top of the reactor vessel flange. During refueling, this maintains sufficient water level in the containment, refueling canal, fuel transfer canal, refueling cavity, and spent fuel pool. Sufficient water is necessary to reta in iodine fission product activity in the water in the event of a fuel handling accident (Refs.1 and2). Sufficient iodine activity would be retained to limit offsite dos es from the accident to the limits of Regulatory Guide1.183.APPLICABLE SAFETY ANALYSESDuring movement of irradiated fuel assemblies, the water level in the refueling canal and the refueling ca vity is an initial condition design parameter in the analysis of a fuel handling accident in containment, as postulated by Regulatory Guide1.183 (Ref.1). A minimum water level of 23ft allows an effective iodine decontamination factor of 200 (AppendixB Assumption2 of Ref.1) to be used in the accident analysis for iodine. This relates to the assumption that 99.5% of the total iodine released from the pellet to cladding gap of all the droppe d fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain 8% of the fuel rod I-131 inventory and 5% of all other iodine isotopes, which are included as other halogens (Ref.1).The fuel handling accident analysis inside containment is described in Reference2. With a minimum water level of 23ft, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Ref.1).
Refueling cavity water level satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOA minimum refueling cavity water level of 23ft above the reactor vessel flange is required to ensure that the radiological c onsequences of a postulated fuel handling accident inside containment are within acceptable limits.
North Anna Units 1 and 2B 3.9.7-2Revision 46Refueling Cavity Water Level B 3.9.7BASESAPPLICABILITYLCO3.9.7 is applicable when moving irradiated fuel assemblies within containment. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel assemblies are not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO3.7.16, "Fuel Storage Pool Water Level."ACTIONSA.1With a water level of <23ft above the top of the reactor vessel flange, all operations involving movement of irradi ated fuel assemblies within the containment shall be suspended immediat ely to ensure that a fuel handling accident cannot occur.
The suspension of fuel movement shall not preclude completion of movement of a component to a safe position.SURVEILLANCE REQUIREMENT
SSR3.9.7.1Verification of a minimum water level of 23ft above the top of the reactor vessel flange ensures that the design ba sis for the analysis of the postulated fuel handling accident during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fu el rods that are postulate d to result from a fuel handling accident inside containment (Ref.2).
The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.Regulatory Guide1.183, July2000.2.UFSAR, Section15.4.7.}}

Revision as of 19:28, 3 July 2018

North Anna, Units 1 and 2, Technical Specification Bases
ML13302B892
Person / Time
Site: North Anna  Dominion icon.png
Issue date: 10/02/2013
From:
Virginia Electric & Power Co (VEPCO)
To:
Office of Nuclear Reactor Regulation
Shared Package
ML13302B894 List:
References
13-518
Download: ML13302B892 (732)
v  d  e


Text

TECHNICAL SPECIFICATIONS BASESFOR NORTH ANNA UNITS 1 & 2

TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSNorth Anna Units 1 and 2iRevision 39 B 2.1SAFETY LIMITS (SLs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 2.1.1-1B 2.1.1Reactor Core SLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 2.1.1-1 B 2.1.2Reactor Coolant System (RCS) Pressure SL . . . . . . . . . . . . . . . . . .B 2.1.2-1B 3.0LIMITING CONDITION FOR OPERATION (LCO)APPLICABILITY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B 3.0-1B 3.0SURVEILLANCE REQUIREMENT (SR) APPLICABILITY . . . . . . . . B 3.0-12B 3.1REACTIVITY CONTROL SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.1-1B 3.1.1SHUTDOWN MARGIN (SDM) . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.1-1 B 3.1.2Core Reactivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.2-1 B 3.1.3Moderator Temperature Coefficient (MTC). . . . . . . . . . . . . . . . . . .B 3.1.3-1 B 3.1.4Rod Group Alignment Limits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.4-1 B 3.1.5Shutdown Bank Insertion Limits . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.5-1B 3.1.6Control Bank Insertion Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.6-1B 3.1.7Rod Position Indication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.7-1 B 3.1.8Primary Grade Water Flow Path IsolationValves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.1.8-1B 3.1.9PHYSICS TESTS Exceptions-MODE2 . . . . . . . . . . . . . . . . . . . .B 3.1.9-1B 3.2POWER DISTRIBUTION LIMITS. . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.2.1-1B 3.2.1Heat Flux Hot Channel Factor (F Q(Z)). . . . . . . . . . . . . . . . . . . . . . .B 3.2.1-1B 3.2.2Nuclear Enthalpy Rise Hot Channel Factor () . . . . . . . . . . . . . . .B 3.2.2-1 B 3.2.3AXIAL FLUX DIFFERENCE (AFD) . . . . . . . . . . . . . . . . . . . . . . .B 3.2.3-1B 3.2.4QUADRANT POWER TILT RATIO (QPTR). . . . . . . . . . . . . . . . .B 3.2.4-1B 3.3INSTRUMENTATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.1-1 B 3.3.1Reactor Trip System (RTS) Instrumentation . . . . . . . . . . . . . . . . . .B 3.3.1-1B 3.3.2Engineered Safety Feature Actuation System(ESFAS) Instrumentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.2-1B 3.3.3Post Accident Monitoring (PAM)Instrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.3-1B 3.3.4Remote Shutdown System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.4-1 B 3.3.5Loss of Power (LOP) Emergency Diesel Generator(EDG) Start Instrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.5-1B 3.3.6Main Control Room/Emergency Switchgear Room (MCR/ESGR) Envelope Isolation ActuationInstrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.3.6-1B 3.4REACTOR COOLANT SYSTEM (RCS) . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.1-1 B 3.4.1RCS Pressure, Temperat ure, and Flow Departurefrom Nucleate Boiling (DNB) Limits. . . . . . . . . . . . . . . . . . . .B 3.4.1-1B 3.4.2RCS Minimum Temperature for Criticality . . . . . . . . . . . . . . . . . . .B 3.4.2-1 B 3.4.3RCS Pressure and Temperature (P/T) Limits . . . . . . . . . . . . . . . . . .B 3.4.3-1B 3.4.4RCS Loops-MODES1 and2. . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.4-1 B 3.4.5RCS Loops-MODE3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.5-1B 3.4.6RCS Loops-MODE4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.6-1B 3.4.7RCS Loops-MODE5, Loops Filled. . . . . . . . . . . . . . . . . . . . . . . .B 3.4.7-1B 3.4.8RCS Loops-MODE5, Loops Not Filled . . . . . . . . . . . . . . . . . . . .B 3.4.8-1B 3.4.9Pressurizer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.9-1 FNH North Anna Units 1 and 2iiRevision 39 TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSB 3.4REACTOR COOLANT SYSTEM (RCS) (continued)B 3.4.10Pressurizer Safety Valves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.10-1 B 3.4.11Pressurizer Power Operated Relief Valves(PORVs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.11-1B 3.4.12Low Temperature Overpressure Protection(LTOP) System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.12-1B 3.4.13RCS Operational LEAKAGE. . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.13-1 B 3.4.14RCS Pressure Isolation Valve (PIV) Leakage. . . . . . . . . . . . . . . . .B 3.4.14-1 B 3.4.15RCS Leakage Detection Instrumentation. . . . . . . . . . . . . . . . . . . .B 3.4.15-1 B 3.4.16RCS Specific Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.16-1 B 3.4.17RCS Loop Isolation Valves. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.17-1 B 3.4.18RCS Isolated Loop Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.18-1B 3.4.19RCS Loops-Test Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.4.19-1 B 3.4.20Steam Generator (SG) Tube Integrity. . . . . . . . . . . . . . . . . . . . . . .B 3.4.20-1B 3.5EMERGENCY CORE COOLING SYSTEMS (ECCS) . . . . . . . . . . . . .B 3.5.1-1 B 3.5.1Accumulators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.1-1 B 3.5.2ECCS-Operating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.2-1 B 3.5.3ECCS-Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.3-1 B 3.5.4Refueling Water Storage Tank (RWST) . . . . . . . . . . . . . . . . . . . . . .B 3.5.4-1 B 3.5.5Seal Injection Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.5-1 B 3.5.6Boron Injection Tank (BIT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.5.6-1B 3.6CONTAINMENT SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.1-1B 3.6.1Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.1-1B 3.6.2Containment Air Locks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.2-1 B 3.6.3Containment Isolation Valves. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.3-1 B 3.6.4Containment Pressure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.4-1 B 3.6.5Containment Air Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.5-1 B 3.6.6Quench Spray (QS) System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.6-1 B 3.6.7Recirculation Spray (RS) System. . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.7-1B 3.6.8Chemical Addition System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.6.8-1B 3.7PLANT SYSTEMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.1-1B 3.7.1Main Steam Safety Valves (MSSVs) . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.1-1 B 3.7.2Main Steam Trip Valves (MSTVs). . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.2-1 B 3.7.3Main Feedwater Isolation Valves (MFIVs), MainFeedwater Pump Discharge Valves (MFPDVs),

Main Feedwater Regulating Valves (MFRVs),

and Main Feedwate r Regulating BypassValves (MFRBVs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.3-1B 3.7.4Steam Generator Power Operated Relief Valves(SG PORVs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.4-1B 3.7.5Auxiliary Feedwater (AFW) System . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.5-1B 3.7.6Emergency Condensate Storage Tank (ECST). . . . . . . . . . . . . . . . .B 3.7.6-1 B 3.7.7Secondary Specific Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.7-1B 3.7.8Service Water (SW) System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.8-1B 3.7.9Ultimate Heat Sink (UHS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.9-1 TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTSNorth Anna Units 1 and 2iiiRevision 39 B 3.7PLANT SYSTEMS (continued)B 3.7.10Main Control Room/Emergency Switchgear Room(MCR/ESGR) Emergency Ventilation System (EVS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.10-1B 3.7.11Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning System (ACS). . . . . . . . . . .B 3.7.11-1B 3.7.12Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System (PREACS). . . . . . . . . . .B 3.7.12-1B 3.7.13Not Used B 3.7.14Not Used B 3.7.15Fuel Building Ventilation System (FBVS). . . . . . . . . . . . . . . . . . .B 3.7.15-1B 3.7.16Fuel Storage Pool Water Level. . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.16-1 B 3.7.17Fuel Storage Pool Boron Concentration. . . . . . . . . . . . . . . . . . . . .B 3.7.17-1B 3.7.18Spent Fuel Pool Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.7.18-1 B 3.7.19Component Cooling Water (CC) System. . . . . . . . . . . . . . . . . . . .B 3.7.19-1B 3.8ELECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.1-1 B 3.8.1AC Sources-Operating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.1-1B 3.8.2AC Sources-Shutdown. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.2-1B 3.8.3Diesel Fuel Oil and Starting Air. . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.3-1B 3.8.4DC Sources-Operating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.4-1B 3.8.5DC Sources-Shutdown. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.5-1B 3.8.6Battery Cell Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.6-1B 3.8.7Inverters-Operating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.7-1B 3.8.8Inverters-Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.8-1B 3.8.9Distribution Systems-Operating. . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.9-1 B 3.8.10Distribution Systems-Shutdown. . . . . . . . . . . . . . . . . . . . . . . . . .B 3.8.10-1B 3.9REFUELING OPERATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.1-1 B 3.9.1Boron Concentration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.1-1 B 3.9.2Primary Grade Water Flow Path IsolationValves-MODE6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.2-1B 3.9.3Nuclear Instrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.3-1B 3.9.4Containment Penetrations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.4-1B 3.9.5Residual Heat Removal (RHR) and CoolantCirculation-High Water Level . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.5-1B 3.9.6Residual Heat Removal (RHR) and CoolantCirculation-Low Water Level. . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.6-1B 3.9.7Refueling Cavity Water Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B 3.9.7-1 Intentionally Blank North Anna Units 1 and 2B 2.1.1-1Revision 13 Reactor Core SLs B 2.1.1B 2.1SAFETY LIMITS (SLS)B 2.1.1Reactor Core SLsBASESBACKGROUNDGDC10 (Ref.1) requires that specified acceptable fuel design limits are not exceeded during steady state opera tion, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (the 95/95DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature.

The restrictions of this SL prevent overheating of the fuel and cladding, as well as possible cladding perforation, that would result in the release of fission products to the reactor coolant.

Overheating of the fuel is prevented by maintaining the steady st ate peak linear heat rate (LHR) below the level at which fuel centerline melting occurs. The maximum fuel centerline temperatures are given by the best

-estimate relationships defined in SL2.1.1.2 and are dependent upon whether the Westinghouse or Framatome fuel is evalua ted. Overheating of the fu el cladding is prevented by restricting fuel operation to with in the nucleate boiling regime, where the heat transfer coefficient is large and the cladding su rface temperature is slightly above the coolant saturation temperature.

Fuel centerline melting occurs when th e local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline

melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.

Operation above the boundary of the nu cleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in heat transfer coefficient.

Inside the steam film, high cladding temperatures are reache d, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally (continued)

North Anna Units 1 and 2B 2.1.1-2Revision 9 Reactor Core SLs B 2.1.1BASESBACKGROUND (continued)weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.The proper functioning of the Reactor Protection System (RPS) and main steam safety valves prevents vi olation of the reactor core SLs.APPLICABLE SAFETY ANALYSESThe fuel cladding must not sustain da mage as a result of normal operation and AOOs. The reactor core SLs are es tablished to preclude violation of the following fuel design criteria:a.There must be at least 95% probabili ty at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; andb.The hot fuel pellet in the core must not experience centerline fuel melting.The Reactor Trip System allowable values (Ref.2), in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, and flow, AFD, and THERMAL POWER level that would result in a departure from nucleate boiling ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.

Automatic enforcement of these re actor core SLs is provided by the appropriate operation of the RPS a nd the main steam safety valves.

The SLs represent a design requireme nt for establishing the RPS trip allowable values identified previously (as indicated in the UFSAR, Ref.2). LCO3.4.1, "RCS Pressure, Temperat ure, and Flow Departure from Nucleate Boiling (DNB) Limits," or th e assumed initial conditions of the safety analyses provide more restrictive limits to ensure that the SLs are not exceeded.SAFETY LIMITSThe figure provided in the CO LR shows the loci of points of THERMAL POWER, RCS pressure, and average temperature for which the minimum DNBR is not less than the safety analyses limit, that fuel centerline temperature remains below (continued)

Reactor Core SLs B 2.1.1BASESNorth Anna Units 1 and 2B 2.1.1-3Revision 9 SAFETY LIMITS (continued) melting, that the average enthalpy in the hot leg is less than or equal to the enthalpy of saturated liquid, or that the exit quality is within the limits defined by the DNBR correlation.The reactor core SLs are established to preclude violation of the following fuel design criteria:

a.There must be at least a 95% probability at a 95%

confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; andb.There must be at leas t a 95% probability at a 95% confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.The reactor core SLs are us ed to define the various RPS functions such that the above criteria are satisfied during steady state operation, normal operational transients, and anticipate d operational occurrences (AOOs). To ensure that the RPS precludes the viol ation of the above criteria, additional criteria are applied to the Overtemperature and Overpower T reactor trip functions. That is, it must be demonstr ated that the average enthalpy in the hot leg is less than or equal to the saturation enthalpy and that the core exit quality is within the limits define d by the DNBR correlation. Appropriate functioning of the RPS and main steam safety valves ensures that for variations in the THERMAL POWER, RCS pressure, RCS average

temperature, RCS flow rate, and AFD that the reactor core SLs will be satisfied during steady state operation, normal operational transients, and

AOOs.APPLICABILITYSL2.1.1 only applies in MODES1 and2 because these are the only MODES in which the reactor is critical. Automatic protec tion functions are required to be OPERABLE during MODES1 and2 to ensure operation within the reactor core SLs. The main steam safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor tr ip function, which forces the unit into MODE3. Allowable values for the reactor trip functions are specified in LCO3.3.1, "Reactor Trip System (RTS) Instrumentation." In MODES3, 4, 5, and6, Applicability is not required since the re actor is not generating significant THERMAL POWER.

North Anna Units 1 and 2B 2.1.1-4Revision 0 Reactor Core SLs B 2.1.1BASESSAFETY LIMIT VIOLATIONSIf SL2.1.1 is violated, the requirement to go to MODE3 places the unit in a MODE in which this SL is not applicable.The allowed Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probabil ity of fuel damage.REFERENCES1.UFSAR, Section3.1.6.2.UFSAR, Section7.2.

North Anna Units 1 and 2B 2.1.2-1Revision 20RCS Pressure SL B 2.1.2B 2.1 SAFETY LIMITS (SLs)B 2.1.2Reactor Coolant Syst em (RCS) Pressure SLBASESBACKGROUNDThe SL on RCS pressure protects the inte grity of the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant.

The RCS then serves as the primary barrier in preventing the release of fi ssion products into the atmosphere. By establishing an upper li mit on RCS pressure during operating conditions, the continued integrity of the RCS is ensured. According to GDC14, "Reactor Coolant Pressure Boundary," and GDC15, "Reactor Coolant System Design" (Ref.1), the reacto r coolant pressure boundary (RCPB) design conditions are not to be exceeded during normal operation and anticipated operational occurrences (AOOs). Also, in accordance with GDC28, "Reactivity Limits" (Ref.1), reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.

The design pressure of the RCS is 2500psia. During norma l operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with SectionIII of the ASME Code (Ref.2). To ensure system integrity, all RCS components are hydrostatically tested

at 125% of design pressure, accordi ng to the ASME Code requirements prior to initial operation when there is no fuel in the core. Following inception of unit operation, RCS component s shall be pressure tested, in accordance with the requirements of ASME Code, SectionXI (Ref.3).Overpressurization of the RCS could result in a breach of the RCPB. If such a breach occurs in conjunction with a fuel cladding failure, fission

products could enter the containment at mosphere, raising concerns relative to limits on radioactive releases specified in 10CFR50.67 (Ref.4).APPLICABLE SAFETY ANALYSESThe RCS pressurizer safety valves, the main steam safety valves (MSSVs),

and the reactor high pressure trip have settings established to ensure that the RCS pressure SL will not be exceeded.

(continued)

North Anna Units 1 and 2B 2.1.2-2Revision 0RCS Pressure SL B 2.1.2BASESAPPLICABLE SAFETY ANALYSES(continued)The RCS pressurizer safety valves are sized to prevent system pressure from exceeding the design pressure by more than 10%, as specified in SectionIII of the ASME Code for Nuclear Power Plant Components (Ref.2). The transient that establishes the required relief capacity, and hence valve size requirements and lift settings, is a complete loss of external load without a direct reactor trip. During the transient, no control actions are assumed, except that the sa fety valves on the secondary plant are assumed to open when the steam pr essure reaches the secondary plant safety valve settings, and nominal feedwater supply is maintained.The Reactor Trip System allowable values (Ref.5), together with the

settings of the MSSVs, provide pre ssure protection for normal operation and AOOs. The reactor high pressure trip allowable value is specifically determined to provide protection against overpressurization (Ref.5). The

safety analyses for both the high pres sure trip and the RCS pressurizer safety valves are performed using c onservative assumptions relative to pressure control devices.More specifically, no credit is ta ken for operation of the following:a.Pressurizer power operated relief valves (PORVs);b.Steam Generator PORVs;c.Steam Dump System;d.Reactor Control System;e.Pressurizer Level Control System; orf.Pressurizer spray valve.SAFETY LIMITSThe maximum transient pressure allowed in the RCS pressure vessel under the ASME Code, SectionIII, is 110%

of design pressure. The maximum transient pressure allowed in the RCS piping, valves, and fittings under USAS, SectionB31.1 (Ref.6) is 120%

of design pressure. The most limiting of these two allowances is the 110% of design pressure; therefore, the SL on maximum allowable RCS pressure is 2735psig.APPLICABILITYSL2.1.2 applies in MODES1, 2, 3, 4, and5 because this SL could be approached or exceeded in these MODES due to overpressurization events.

The SL is not applicable in MODE6 because the reactor vessel head closure bolts are not fully tightened, making it unl ikely that the RCS can be pressurized.

RCS Pressure SL B 2.1.2BASESNorth Anna Units 1 and 2B 2.1.2-3Revision 20 SAFETY LIMIT VIOLATIONSIf the RCS pressure SL is violated when the reactor is in MODE1 or2, the requirement is to restore compliance and be in MODE3 within 1hour.Exceeding the RCS pressure SL ma y cause immediate RCS failure and create a potential for radioactive releases in excess of 10CFR50.67 limits (Ref.4).The allowable Completion Time of 1hour recognizes the importance of reducing power level to a MODE of operation where the potential for challenges to safety systems is minimized.

If the RCS pressure SL is exceeded in MODE3, 4, or5, RCS pressure must be restored to within the SL value within 5minutes. Exceeding the RCS pressure SL in MODE3, 4, or5 is more severe than exceeding this SL in MODE1 or2, since the reactor vessel temperature may be lower and the vessel material, consequently, less ducti le. As such, pressure must be reduced to less than the SL within 5minutes. The action does not require reducing MODES, since this would re quire reducing temperature, which would compound the problem by adding th ermal gradient stresses to the existing pressure stress.REFERENCES1.UFSAR, Sections3.1.10, 3.1.11, and 3.1.24.2.ASME, Boiler and Pressure Vessel Code, SectionIII, ArticleNB-7000.3.ASME, Boiler and Pressure Vessel Code, SectionXI, ArticleIWX-5000.4.10CFR50.67.5.UFSAR, Section7.2.

6.USASB31.1, Standard Code for Pre ssure Piping, American Society of Mechanical Engineers,1967.

Intentionally Blank North Anna Units 1 and 2B 3.0-1Revision 44 LCO Applicability B 3.0B 3.0LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITYBASESLCOsLCO3.0.1 through LCO3.0.9 establish the general requirements applicable to all Specifications a nd apply at all times

, unless otherwise stated.LCO3.0.1LCO3.0.1 establishes the Applicability statemen t within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the

Applicability statement of each Specification).LCO3.0.2LCO3.0.2 establishes that upon discovery of a fail ure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applic able from the point in time that

an ACTIONS Condition is entered. Th e Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:a.Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; andb.Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedi al measures that permit continued operation of the (continued)

North Anna Units 1 and 2B 3.0-2Revision 0 LCO Applicability B 3.0BASESLCO3.0.2(continued)unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.

Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherw ise stated in the individual Specifications.

The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Re quired Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Ac tions where this is the case. An example of this is in LCO3.4.3, "RCS Pressure and Temperature (P/T)

Limits."The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons

for intentionally relying on the ACTI ONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of ope rational problems. Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTION S should not be ma de for operational convenience. Additionally, if intenti onal entry into ACTIONS would result in redundant equipment be ing inoperable, alternatives should be used instead. Doing so limits the time both subsystems/trains of a safety

function are inoperable and limits th e time conditions exist which may result in LCO3.0.3 being entered. I ndividual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this ti me limit expires, if the equipment remains removed from service or bypassed.

When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of th e associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.

LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-3Revision 0LCO3.0.3LCO3.0.3 establishes the actions that must be implemented when an LCO is not met and:a.An associated Required Action and Completion Time is not met and no other Condition applies; orb.The condition of the unit is not speci fically addressed by the associated ACTIONS. This means that no combin ation of Conditions stated in the ACTIONS can be made that exactl y corresponds to the actual condition of the unit. Sometimes, possible co mbinations of Conditions are such that entering LCO3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corres ponding to such combinations and also that LCO3.0.3 be entered immediately.

This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition wh en operation cannot be maintained within the limits for safe opera tion as defined by the LCO and its ACTIONS. It is not intended to be us ed as an operational convenience that permits routine voluntary removal of redundant systems or components

from service in lieu of other alternatives that w ould not result in redundant systems or components being inoperable.Upon entering LCO3.0.3, 1hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation.

This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to re ach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well

within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor

Coolant System and the potential fo r a unit upset that could challenge safety systems under conditions to wh ich this Specification applies. The use and interpretation of specified times to complete the actions of LCO3.0.3 are consistent with the discussion of Section1.3, Completion Times.(continued)

North Anna Units 1 and 2B 3.0-4Revision 0 LCO Applicability B 3.0BASESLCO3.0.3(continued)

A unit shutdown required in accordance with LCO3.0.3 may be terminated and LCO3.0.3 exited if any of the following occurs:a.The LCO is now met.b.A Condition exists for which the Required Actions have now been performed.c.ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable fr om the point in time that the Condition is initially entered and not from the time LCO3.0.3 is exited.The time limits of Specification3.0.3 allow 37hours for the unit to be in MODE5 when a shutdown is required during MODE1 operation. If the unit is in a lower MODE of opera tion when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE5, or other applicable MODE, is not reduced. For example, if MODE3 is reached in 2hours, then the time allowed for reaching MODE4 is the next 11hours, because the total time for reaching MODE4 is not reduced from the allowable limit of 13hours. Theref ore, if remedial measures are completed that would permit a return to MODE1, a penalty is not incurred by having to reach a lo wer MODE of operation in less than the total time allowed.In MODES1, 2, 3, and4, LCO3.0.3 provi des actions for Conditions not covered in other Specifications. The requirements of LCO3.0.3 do not apply in MODES5 and6 because the unit is already in the most restrictive Condition required by LCO3.0.3. The requirements of LCO3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE1, 2, 3, or4) because the ACTIONS of i ndividual Specifications sufficiently define the remedial measures to be taken.Exceptions to LCO3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO3.7.16, "Fuel Storage Pool Water Level." LCO3.7.16 has an Applicability of "During movement of irradiated fuel assemblies in the fuel storage pool." Therefore, this LCO (continued)

LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-5Revision 0LCO3.0.3(continued) can be applicable in any or all MODES. If the LCO and the Required Actions of LCO3.7.16 are not met while in MODE1, 2, or3, there is no safety benefit to be ga ined by placing the unit in a shutdown condition. The Required Action of LCO3.7.16 of "Suspend movement of irradiated fuel assemblies in the fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO3.0.3. These exceptions are

addressed in the individual Specifications.LCO3.0.4LCO3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It precludes placing the unit in a MODE or other specified condition stated in that Applicability (e.g., Applicability desired to be entered) when the following exist:a.Unit conditions are such that the requirements of the LCO would not be met in the Applicability desired to be entered; andb.Continued noncompliance with the LCO requirements, if the Applicability were entered, would re sult in the unit being required to exit the Applicability desired to be entered to comply with the Required Actions.Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an accep table level of safety for continued operation.

This is without regard to the status of the unit before or after the MODE

change. Therefore, in such cases, en try into a MODE or other specified

condition in the Applicability may be made in accordance with the provisions of the Required Actions.When an LCO is not met, LCO3.0.4 al so allows entering MODES or other specified conditions in th e Applicability following assessment of the risk impact and determination that the impact can be managed. The risk evaluation may use quantitative, qualita tive, or blended approaches, and the risk evaluation will be conducted using the plant program, procedures, and criteria in place to implement 10CFR50.65(a)(4), which requires that risk impacts of maintenance activi ties to be assessed and managed. The risk evaluations will be condu cted using the procedures and (continued)

North Anna Units 1 and 2B 3.0-6Revision 0 LCO Applicability B 3.0BASESLCO3.0.4(continued) guidance endorsed by Regulatory Guide1.182, "Assessing and Managing Risk Before Maintenance Activi ties at Nuclear Power Plants."

The results of the risk evaluation sha ll be considered in determining the

acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions.

Consideration will be given to the pr obability of comp leting restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times th at would require exiting the Applicability.A risk assessment and establishment of risk management actions, as appropriate, are required for determin ation of acceptable risk for entering MODES or other specified conditions in the Applicability when an LCO is not met. The elements of the risk as sessment and risk management actions are included in Regulatory Guide1.182 which addresses general guidance for conduct of the risk evaluation, quantitative and qualitative guidelines

for establishing risk management act ions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and

management personnel, actions to reduce the duration of the condition, actions to minimize the ma gnitude of risk increas es (establishment of backup success paths or co mpensatory measures), and determination that the proposed MODE change is acceptable.

A quantitative, qualitative, or blended risk evaluation must be performed to assess the risk impact of entering the MODE or other specified condition in the Applicability, based on the specific plant configuration at that time and the risk impacts must be managed in accordance with the assessment results.From generic evaluations, systems/components can be identified which are equally or more important to risk in MODE1 than in the transition MODES. The Technical Specifications allow continued operation with this equipment unavailable during MODE1 operation for the duration of the Completion Time. Since this is allowa ble, and since the risk impact bounds the risk of transitioning up in MODE and entering the Conditions and

Required Actions, the use of the LCO3.0.4 allowance for these systems should be generally accepta ble, as long as the risk is assessed and managed as(continued)

LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-7Revision 0LCO3.0.4(continued)stated above. However, there is a small subset of systems/components that have been generically determined to be more important to risk in MODES2-5 and do not have the LCO3.0.4 allowance. These system/components are listed below.

The Applicability should be reviewed with respect to the actual plant configuration at that time. Each individual application of LCO3.0.4.b, whether due to one or more than one LCO3.0.4.b allowance at the same time, is required to be evaluated under the auspices of 10CFR50.65(a)(4) and consideration of risk manageme nt actions discussed in Regulatory Guide1.182. For those cases where the ri sk of the MODE change may be greater (i.e., the systems and component s listed below), prior NRC review and approval of a specific LCO3.0.4 allowance is required.The LCO3.0.4.b allowance typically only applies to systems and

components. The values and parameters of the Technical Specifications (e.g., Containment Air Temperature, Containment Pressure, Moderator Temperature Coefficient, etc.) ar e typically not addressed by this LCO3.0.4.b allowance. These values a nd parameters are addressed by the LCO3.0.4.c allowance.A list of the LCO3.0.4.c specific value and parameter allowances approved by the NRC is provided below.LCO3.4.16, RCS Sp ecific Activity In order to support the conduct of the appropriate assessments, each Owners Group has performed an evaluation to identify plant systems or components which are more important to risk in the transition MODES than in MODE1. To apply the LCO3.0.4 allowance to these systems and

components, prior NRC re view and approval is required. These systems are listed in the following table.

(continued)

North Anna Units 1 and 2B 3.0-8Revision 0 LCO Applicability B 3.0BASESLCO3.0.4(continued)NUMARC93-01, "Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,"

states that the rigor of the risk analysis should be commensurate with the risk impact of the proposed configuration. For unavailable plant systems or components listed on the above table, a plant MODE change has been determined, through generic evaluation, to result in a potential risk increase. Therefore, prior NRC review and approval is required to apply the LCO3.0.4 allowance to these systems and components.

For unavailable plant systems or co mponents not appearing in the above table, proposed plant MODE changes will generally not involve a risk increase greater than the system or component being unavailable in MODE1. The risk assessment performed to support use of LCO3.0.4.b for systems or components not appeari ng on the above table must meet all considerations of NUMARC93-01, but need not be documented.LCO3.0.4.b may be used with single, or multiple systems or components unavailable. NUMARC93-01 provides gui dance relative to consideration of simultaneous unavailability of multiple systems or components.

The provisions of this Specification s hould not be interpreted as endorsing

the failure to exercise the good practice of restor ing systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

(continued)

System*MODE or Other Specified

Condition in the Applicability RCS Loops (RHR) 5LTOP System 4, 5ECCS Shutdown (ECCS High

Head Subsystem) 4AFW System 1AC Sources (Diesel Generators)1, 2, 3, 4, 5, 6*Including systems supporting the OPERABILITY of the listed systems.

LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-9Revision 0LCO3.0.4(continued)The provisions of LCO3.0.4 shall not prevent changes in MODES or other specified conditions in th e Applicability th at are required to comply with ACTIONS. In addition, the provisions of LCO3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown.LCO 3.0.4 is only applicable when entering MODE 4 from MODE5, MODE 3 from MODE 4, MODE 2 from MODE 3, or MODE 1 from

MODE 2. Furthermore, LCO 3.0.4 is a pplicable when entering any other specified condition in the Applicabili ty only while operating in MODES 1, 2, 3, or 4. The requirements of LCO 3.0.4 do not apply in MODES 5 and 6, or in other specified conditions of the Applicability (unless in MODES 1, 2, 3, or4) because the ACTIONS of i ndividual Specifications sufficiently define the remedial measures to be taken.

Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR3.0.1. Therefore, changing MODES or other specified conditions while in an ACTIONS Condition, in compliance with LCO3.0.4, is not a violation of SR3.0.1 or SR3.0.4 for those Surveillances that do not have to be performed due to the associated inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.LCO3.0.5LCO3.0.5 establishes the allowanc e for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO3.0.2 (e.g., to not comply with the applicable Required Action(

s)) to allow the performance of required testing to demonstrate:

a.The OPERABILITY of the equipment being returned to service; orb.The OPERABILITY of other equipment.

(continued)

North Anna Units 1 and 2B 3.0-10Revision 0 LCO Applicability B 3.0BASESLCO3.0.5(continued)

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perfor m the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance.

An example of demonstrating the OP ERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Acti ons and must be reopened to perform the required testing.An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip sy stem out of the tripped condition to prevent the trip function from oc curring during the performance of required testing on another channel in the other trip system. A similar example of demonstrating the OPER ABILITY of other equipment is

taking an inoperable channel or trip sy stem out of the tripped condition to permit the logic to function and indi cate the appropriate response during the performance of required testing on another channel in the same trip system.LCO3.0.6LCO3.0.6 establishes an exception to LCO3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO3.0.2 would require that the Conditions and

Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperab ility of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Ac tions may include entering the supported system's Conditions and Required Actions or may specify other

Required Actions.

When a support system is i noperable and there is an LCO specified for it in the TS, the supported system(s) are requ ired to be declared inoperable if determined to be inoperabl e as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unl ess directed to do so by the support system's Required Actions. The potential c onfusion and inconsistency of requirements related to the entry into multiple support and supported (continued)

LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-11Revision 0LCO3.0.6(continued)systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the supp ort system's Required Actions.However, there are instances where a support system's Required Action

may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Ac tions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whet her it is immediate or after some delay, when a support system's Requir ed Action directs a supported system to be declared inoperable or direct s entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO3.0.2.Specification5.5.14, "Safety Function Determination Program (SFDP),"

ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability an d corresponding exception to entering supported system Conditions and Re quired Actions. The SFDP implements the requirements of LCO3.0.6.

Cross train checks to identify a loss of safety function for those support systems that support multiple and re dundant safety systems are required.

The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPER ABLE, thereby ensuring safety function is retained. A loss of safety function may exist when a support system is inoperable, and:a.A required system redundant to sy stem(s) supported by the inoperable support system is also inoperable; or (EXAMPLE B3.0.6-1)b.A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable; or (EXAMPLE B3.0.6-2)

(continued)

North Anna Units 1 and 2B 3.0-12Revision 0 LCO Applicability B 3.0BASESLCO3.0.6(continued)c.A required system redundant to support system(s) for the supported systems (a) and (b) above is also inoperable. (EXAMPLE B3.0.6-3)EXAMPLE B3.0.6-1If System 2 of Train A is inoperable, and System 5 of Trai n B is inoperable, a loss of safety function exists in supported System 5.EXAMPLE B3.0.6-2If System 2 of Train A is inoperable, and System 11 of Train B is inoperable, a loss of safety function exists in System 11 which is in turn supported by System 5.EXAMPLE B3.0.6-3If System 2 of Train A is inoperable, and System 1 of Trai n B is inoperable, a loss of safety function exists in Systems 2, 4, 5, 8, 9, 10 and 11.

If this evaluation determines that a loss of safety function exists, the appropriate Conditions a nd Required Actions of th e LCO in which the loss of safety function exists are required to be entered.

(continued)

LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-13Revision 0LCO3.0.6(continued)

(continued)TRAIN ATRAIN BSystem 8System 8System 4System 4System 9System 9System 2System 2System 10System 10 System 5System 5System 11System 11 System 1System 1System 12System 12 System 6System 6System 13System 13 System 3System 3System 14System 14 System 7System 7System 15System 15 North Anna Units 1 and 2B 3.0-14Revision 0 LCO Applicability B 3.0BASESLCO3.0.6(continued)

This loss of safety function does not require consideration of additional single failures or loss of offsite power. Since operati on is being restricted in accordance with the ACTIONS of the support system, this accounts for any temporary loss of redundancy or single failure protection. Similarly, the ACTIONS for inoperable offsite ci rcuit(s) and i noperable diesel generator(s) provide the ne cessary restriction for cr oss train inoperabilities.

This explicit cross train verificati on for inoperable AC electrical power sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency

electrical power source (refer to the definition of OPERABILITY).When a loss of safety function is determined to exist, and the SFDP

requires entry into the appropriate C onditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be

given to the specific type of function affected. Where a loss of function is solely due to a single Technical Sp ecification support system (e.g., loss of

automatic start due to inoperable inst rumentation, or loss of pump suction source due to low tank level) the a ppropriate LCO is the LCO for the support system. The ACTIONS for a support system LCO adequately addresses the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple

support systems, the appr opriate LCO is the LCO for the supported system.LCO3.0.7There are certain special tests and operations required to be performed at various times over the life of the unit.

These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions. Test Exception LCOs 3.1.9 and 3.4.19 allow specified Technical

Specification (TS) require ments to be changed to permit performances of these special tests and operations, whic h otherwise could not be performed if required to comply with the require ments of these TS. Unless otherwise specified, all the other TS require ments remain unchanged. This will

ensure all appropriate requirements of the MODE or other specified condition not directly associated with or require d to be changed to perform the special test or operation will remain in effect.

(continued)

LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-15Revision32LCO3.0.7(continued)The Applicability of a Test Excep tion LCO represents a condition not necessarily in compliance with the normal requirements of the TS. Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other appl icable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.LCO3.0.8LCO3.0.8 establishes conditions u nder which systems are considered to remain capable of performing thei r intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not cap able of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical

Specifications (TS) unde r licensee control. The snubber requirements do not meet the criteria in 10CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee.

If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported system's LCO(s) must be declared not met and the C onditions and Required Actions entered in accordance with LCO3.0.2.LCO3.0.8.a applies when one or mo re snubbers are not capable of providing their associated support functi on(s) to a single train or subsystem of a multiple train or subsystem supported system or to a single train or subsystem supported system. LCO3.0.8.a allows 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to restore the snubber(s) before declaring the supported system inoperable. The 72hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of

performing their associated support function and due to the availability of the redundant train of the supported system.

(continued)

North Anna Units 1 and 2B 3.0-16Revision 38 LCO Applicability B 3.0BASESLCO3.0.8(continued)LCO3.0.8.b applies when one or mo re snubbers are not capable of providing their associated support function(s) to mo re than one train or subsystem of a multiple train or subsystem supported system. LCO3.0.8.b allows 12hours to restore the snubbe r(s) before declaring the supported system inoperable. The 12hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported syst em occurring while the snubber(s) are not capable of performing th eir associated support function.In order to use LCO3.0.8 for an inoperable snubber(s) the following conditions required by the NRC must be satisfied:

?When applying LCO3.0.8.a, at least one train of Aux iliary Feedwater (AFW) System must be OPERAB LE during MODES when AFW is required to be OPERABLE. When applying LCO3.0.8.a during MODES when AFW is not required to be OPERABLE, at least one train of the mode specific credited core cooling method (i.e., Residual Heat Removal System) must be OPERABLE.

Reliance on the availability of credited core cooling source during modes where AFW is not required to be OPERABLE, provides an equivalent safety margin for plant

operations and meets the intent of Technical Specification Task Force (TSTF) 372.

?When applying LC0 3.0.8.b, at leas t one AFW train (including a minimum set of supporting equipmen t required for its successful operation) not associated with the inoperable snubber(s) shall be OPERABLE, or some alternative means of core cooling (e.g., feed and

bleed, fire water system, or "aggres sive secondary cooldown" using the steam generators) must be available.

?Confirm that at least one train (or subsystem) of systems supported by the inoperable snubbers would rema in capable of performing their required safety or support functions for postulated design loads other than seismic loads. LCO3.0.8 does not apply to non-seismic snubbers.In addition, LCO3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of 10CFR50.65(a)(4)

(the Maintenance Rule) does not address seismic risk. However, use of LCO3.0.8 should be considered with respect to other plant maintenance activities, and integrated into the exis ting Maintenance Rule process to the extent possible so that maintenance on any unaffected train or subsystem is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and com ponents when one or more snubbers

are not able to perform their associated support function.

North Anna Units 1 and 2B 3.0-17Revision 44 LCO Applicability B 3.0LCO3.0.9LCO3.0.9 establishes conditions which under which systems described in the Technical Specifications are considered to remain OPERABLE when required barriers are not capable of providi ng their related support function(s).Barriers are doors, walls, floor plugs, curbs, hatches, installed structures or components, or other devices, not explicitly described in Technical Specifications, that support the perf ormance of the safety function of systems described in Technical Specifications. This LCO states that the supported system is not considered to be inoperable solely due to required barriers not capable of performing their related support function(s) under the described conditions. LCO3.0.9 allows 30days before declaring the supported system(s) inoperable and the LCO(s) associated with the supported system(s) not met. A maximum time is placed on each use of this allowance to ensure that as required barriers are found or are otherwise made unavailable, they are restored. However, the allowable duration may be less than the specified maximum time based on risk assessment.

If the allowed time expires and the barriers are unable to perform their related support function(s), the supported system's LCO(s) must be

declared not met and the Conditions and Required Actions entered in accordance with LCO3.0.2.

This provision can be applied to barriers that protect against the initiating events listed below. The provision can not be applied to the TS ventilation systems since specific Conditions are provided for an inoperable barrier.

The provision cannot be applied to a fire barrier. However, if the barrier performs multiple functions (e.g., fire and HELB) and if the fire barrier program requirements can be satisfied then LCO3.0.9 can be applied to the barrier for the HELB function. This provision does not apply to barriers which are not required to suppor t system OPERABILITY (see NRC Regulatory Issue Summary 2001-09, "Contro l of Hazard Barriers," dated April2,2001).The provisions of LCO3.0.9 are just ified because of the low risk associated with required barriers not being capable of performing their related support function. This provision is based on consideration of the following uniting event categories:

?Loss of coolant accidents; (continued)

North Anna Units 1 and 2B 3.0-18Revision 44 LCO Applicability B 3.0BASESLCO3.0.9(continued)

?High energy line breaks;

?Feedwater line breaks;

?Internal flooding;

?External flooding;

?Turbine missile ejection; and

?Tornado or high wind The risk impact of the barriers whic h cannot perform their related support function(s) must be a ddressed pursuant to the risk assessment and management provision of the Maintenance Rule, 10CFR50.65(a)(4), and the associated implementation guidance, Regulatory Guide1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide1.182 endorses the guidance in Section11 of NUMARC93-01, "Industr y Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." This guidance

provides for the consideration of dynamic plant configuration issues, emergent conditions, and ot her aspects pertinent to plant operation with the barriers unable to perform their related support function(s). These considerations may result in risk management and other compensatory actions being required during the period that barriers are unable to perform their related support function(s).

The resultant risk management actions may impose time limits for barrier removal. In addition, other considera tions, such as the administrative provisions for controlling fire barriers and the plant technical

specifications, may place limitations on continued reactor operation with a hazard barrier removed. It may be possi ble to take compensatory measures to maintain SSC operability and avoid entering the technical specifications action statement for shutting down the reactor (e.g., installing a temporary barrier that provides equivalent protection or establishing administrative controls). Also, if the hazard does not exist at the time, the SSC would remain operable.LCO3.0.9 may be applied to one or more trains or subsystems of a system supported by barriers th at cannot provide their (continued)

LCO Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-19Revision 44LCO3.0.9(continued) related support function(s), provided th at risk is assessed and managed (including consideration of the effects on Large Early Release and from external events.) LCO3.0.9 cannot be applied concurrently to more than

one train or subsystem of a multiple train or subs ystem supported system, if the barrier supporting each of these trains or subsys tems provides it related support function(s) for same category of initiating events. If applied

concurrently to more than one train or subsystem of a multiple train or subsystem supported system, the barriers supporting each of these trains or subsystems must provide their related support function(s) for different categories of initiating events. For example, LCO3.0.9 may be applied for up to 30days for more than one train of a multiple train supported system if the affected barrier for one train pr otects against internal flooding and the affected barrier for the other train prot ects against tornado missiles. In this example, the affected barrier may be the same physical barrier but serve different protection f unctions for each train.If during the time that LCO3.0.9 is being used, the required OPERABLE

train or subsystem becomes inoperable, it must be restored to OPERABLE status within 24hours. Otherwise, th e train(s) or subsystem(s) supported by barriers that cannot perform their related support function(s) must be

declared inoperable and the associat ed LCOs declared not met. This 24hour period provides time to respond to emergent conditions that would likely lead to entry into LCO3.0.3 a nd a rapid plant shutdown, which is not justified given the low probability of an initiating event which would

require the barrier(s) not capable of performing their related support function(s). During this 24hour period, th e plant risk associated with the existing conditions is assessed a nd managed in accordance with 10CFR50.65(a)(4).

North Anna Units 1 and 2B 3.0-20Revision 44 SR Applicability B 3.0BASESB 3.0SURVEILLANCE REQUIREMENT (SR) APPLICABILITYBASESSRsSR3.0.1 through SR3.0.4 establish the ge neral requirements applicable to all Specifications and apply at all times, unless otherwise stated.SR3.0.1SR3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise spec ified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR3.0.2, constitutes a failure to meet an LCO. Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency.

Systems and components are assume d to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE

when:a.The systems or components are known to be inoperable, although still meeting the SRs; orb.The requirements of the Surveillance(s) are known not to be met between required Survei llance performances.

Surveillances do not have to be perform ed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the re quirements of a Specification.

Unplanned events may satisfy the requirements (incl ude applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normall y precluded in a given MODE or other specified condition.

(continued)

SR Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-21Revision 44SR3.0.1(continued)Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inopera ble equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met and performed in accordance with SR3.0.2, prior to returning equipment to OPERABLE status.

Upon completion of maintenance, appropr iate post mainte nance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR3.0.2. Post main tenance testing may not be possible

in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters no t having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This

will allow operation to proceed to a MODE or other specified condition

where other necessary post mainte nance tests can be completed.SR3.0.2SR3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per..."

interval.SR3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillan ce scheduling and considers unit operating c onditions that may not be suitable for conducting the Surveillance (e.g., transi ent conditions or other ongoing Surveillance or maintenance activities).

The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular

Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR3.0.2 are thos e Surveillances for which the 25%

extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications.

The requirements of regulations take precedence over the TS. An example of where SR3.0.2 does not apply is the Containment Leakage Rate Testing (continued)

North Anna Units 1 and 2B 3.0-22Revision 44 SR Applicability B 3.0BASESSR3.0.2(continued)

Program. This program establishes testing requirem ents and Frequencies in accordance with the requirements of regulations.As stated in SR3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25% extensi on applies to each performance after the initial performance.

The initial performanc e of the Required Action, whether it is a particular Surveillan ce or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.The provisions of SR3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.SR3.0.3SR3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24hours or up to the limit of the specified Frequency, whichever is greater, applie s from the point in time that it is di scovered that the Surveillance has not been performed in accordance with SR3.0.2, and

not at the time that the sp ecified Frequency was not met.

This delay period provides adequate time to complete Surveillances that have been missed. This delay pe riod permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.

The basis for this delay period incl udes consideration of unit conditions, adequate planning, availability of pe rsonnel, the time required to perform the Surveillance, the safety significance of the delay in completing the

required Surveillance, and the recognition that the most probable result of

any particular Su rveillance being (continued)

SR Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-23Revision 44SR3.0.3(continued) performed is the verification of conformance with the requirements.When a Surveillance with a Frequenc y based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE1 after eac h fuel loading, or in accordance with 10CFR50, AppendixJ, as modified by approved exemptions, etc.) is discov ered to not have been performed when specified, SR3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.SR3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

Failure to comply with specified Freque ncies for SRs is expected to be an infrequent occurrence. Use of the de lay period established by SR3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillan ce will be performed at the first reasonable opportunity.

The determination of the first reasonable opportunity should include c onsideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required to perform the Surveillance or shutting the plan t down to perform the Surveillance) and impact on any analysis assumptions

, in addition to unit conditions, planning, availability of personnel, and th e time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10CFR50.65(a)(4) and its implementation guidance, NRC Regulatory Guide1.182, "Assessing and Managing Risk Before Maintenance Activities at Nu clear Power Plants."

This Regulatory Guide addresses consideration of temporary and aggregate risk impacts,

determination of risk management act ion thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide.

The risk evaluation may use quantitativ e, qualitative, or blended methods.

The degree of depth and rigor of th e evaluation should be commensurate with the(continued)

North Anna Units 1 and 2B 3.0-24Revision 44 SR Applicability B 3.0BASESSR3.0.3(continued)importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk

evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed wi thin the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the

equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO

Conditions begin immediately upon th e failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR3.0.1.SR3.0.4SR3.0.4 establishes the requirement th at all applicable SRs must be met

before entry into a MODE or other specified condition in the Applicability.This Specification ensures that sy stem and component OPERABILITY requirements and variable limits are me t before entry into MODES or other specified conditions in the Applicability for which these systems and

components ensure safe operation of the unit.

The provisions of this Specification s hould not be interpreted as endorsing the failure to exercise the good practi ce of restoring syst ems or component to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

A provision is included to allow entr y into a MODE or other specified condition in the Applicability:

a.When the associated ACTIONS to be entered permit continued operation in the MODE or other specific condition in the Applicability for an unlimited period of time, (continued)

SR Applicability B 3.0BASESNorth Anna Units 1 and 2B 3.0-25Revision 44SR3.0.4(continued)b.After performance of a risk evaluation, consider ation of the results, determination of the acceptabil ity of the MODE change, and establishment of risk manageme nt actions, if appropriate, orc.When a specific value or parame ter allowance has been approved by the NRC.However, in certain circumstances, faili ng to meet an SR will not result in SR3.0.4 restricting a MODE change or other specified condition change.

When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the as sociated SR(s) are not required to be performed, per SR3.0.1, which states that surveillances do

not have to be performed on inopera ble equipment. When equipment is inoperable, SR3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be perfor med is removed. Therefore, failing to perform the Surveillance(s) within th e specified Frequency does not result in an SR3.0.4 restriction to ch anging MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO3.0.4 will govern any re strictions that may (or may not) apply to MODE or other specified condition changes.The provisions of SR3.0.4 shall not prevent changes in MODES or other

specified conditions in th e Applicability th at are required to comply with ACTIONS. In addition, the provisions of LCO3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that

result from any unit shutdown.

The precise requirements for performance of SRs are specified such that exceptions to SR3.0.4 are not necessary. The specific time frames and conditions necessary for me eting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specifi ed condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that c ould not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not (continued)

North Anna Units 1 and 2B 3.0-26Revision 44 SR Applicability B 3.0BASESSR3.0.4(continued) required (to be met or pe rformed) until a particul ar event, condition, or time has been reached. Further discus sion of the specific formats of SRs' annotation is found in Section1.4, Frequency.SR3.0.4 is only applicable when entering MODE4 from MODE5, MODE3 from MODE4, MODE2 from MODE3, or MODE1 from MODE2. Furthermore, SR 3.0.4 is appl icable when entering any other specified condition in the Applicabili ty only while operating in MODES 1, 2, 3, or4. The requirements of SR3.0.4 do not apply in MODES5 and6,

or in other specified conditions of the Applicability (unless in MODES1, 2, 3, or4) because the ACTIONS of i ndividual Specifications sufficiently define the remedial measures to be taken.

North Anna Units 1 and 2B 3.1.1-1Revision 0 SDMB 3.1.1B 3.1REACTIVITY CONTROL SYSTEMSB 3.1.1SHUTDOWN MARGIN (SDM)BASESBACKGROUNDAccording to GDC26 (Ref.1), the reactivity control systems must be independent and one must be capable of holding the reactor core subcritical when shut down under cold conditions. Maintenance of the SDM ensures that postulated reactivity even ts will not damage the fuel.SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (

AOOs). As such, the SDM defines the

degree of subcriticality that would be obtained immediately following the insertion or scram of all shutdown and control rods, assuming that the single rod cluster assembly of highest reactivity worth is fully withdrawn.

The system design requires that two i ndependent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions

. These requirements are provided by the use of movable control assemblies and soluble boric acid in the Reactor Coolant System (RCS). The Rod Control System can compensate for the reactivity effects of the fuel and wa ter temperature changes accompanying

power level changes over th e range from full load to no load. In addition, the Rod Control System, together with the boration system, provides the

SDM during power operation and is capable of maki ng the core subcritical rapidly enough to prevent exceeding acceptable fuel damage limits, assuming that the rod of highest reactivity worth remains fully withdrawn.

The soluble boron system can compen sate for fuel depletion during operation and all xenon burnout reactivit y changes and maintain the reactor subcritical under cold conditions.

During power operation, SDM control is ensured by operating with the

shutdown banks fully withdr awn and the control banks within the limits of LCO3.1.6, "Control Bank In sertion Limits." When the unit is in the shutdown and refueling m odes, the SDM requirement s are met by means of adjustments to the RCS boron concentration.

North Anna Units 1 and 2B 3.1.1-2Revision 0 SDMB 3.1.1BASESAPPLICABLE SAFETY ANALYSESThe minimum required SDM is assumed as an initial condition in safety analyses. The safety analysis (Ref.2) establishes an SDM that ensures specified acceptable fuel design limits are not exceeded for normal

operation and AOOs, with the assumpti on of the highest worth rod stuck out on scram.

The acceptance criteria for the SD M requirements are that specified acceptable fuel design limits are main tained. This is done by ensuring that:a.The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;b.The reactivity transients associated with postulated accident conditions are controllable within acceptabl e limits (departure from nucleate boiling ratio (DNBR), fuel centerline temperature limits for AOOs, and 225cal/gm energy deposition to unirradiated fuel and 200cal/gm energy deposition to irradiated fuel for the rod ejection accident); andc.The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

The most limiting accident for the SD M requirements is based on a main steam line break (MSLB), as described in the accident analysis (Ref.2). The increased steam flow resulting fr om a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG), and consequently the RC S. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As RCS temperature decreases, the severity of an MSLB decreases until the MODE5 value is reached. The most limiting MSLB, with respect to potential fuel damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The

positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus terminating RCS heat removal and cooldown. Following the MS LB, a post trip return to power may occur; however, no fuel (continued)

SDMB 3.1.1BASESNorth Anna Units 1 and 2B 3.1.1-3Revision 0APPLICABLE SAFETY ANALYSES(continued) damage occurs as a result of the post trip return to power, and THERMAL POWER does not violate the Safety Limit (SL) requirement of SL2.1.1.In addition to the limiting MSLB transient, the SDM requirement must also protect against:a.An uncontrolled rod withdrawal from subcritical or low power condition;b.Startup of an inactive reactor coolant pump (RCP); andc.Rod ejection.Each of these events is discussed below.

Depending on the system initial conditions and reactivity in sertion rate, the uncontrolled rod withdrawal transient is terminated by either a high source range trip or a high power range neut ron flux trip, an intermediate range neutron flux trip, a high pressurizer pressure or water level trip, or an OTT. In all cases, power level, RCS pr essure, linear heat rate, and the DNBR do not exceed allowable limits.

The startup of an inactive loop even t is defined as an uncontrolled reduction in SHUTDOWN MARGIN resul ting from the startup of an RCP on an idle loop containing a reduc ed coolant temperature or boron concentration. Adherence to LCO3.4.18, "RCS Isolated Loop Startup,"

ensures that the preconditions necessary for significant reactivity insertion during the startup of an inactive loop (i.e., reduced coolant temperature or boron concentration on an idle and unisolated loop) cannot be achieved under credible circumstan ces. Recirculation of reactor coolant in an isolated loop through a loop stop valve bypass line prior to loop unisolation

when performed in accordance with LCO3.4.18 does not constitute an

uncontrolled boron dilution event. The a ccident analysis demonstrates that sufficient time exists for corrective operator action in response to a

postulated reactivity insertion resulting from the recirculation activity.

(continued)

North Anna Units 1 and 2B 3.1.1-4Revision 20 SDMB 3.1.1BASESAPPLICABLE SAFETY ANALYSES(continued)The ejection of a control rod rapidly adds reactivity to the reactor core, causing both the core power level and heat flux to increase with

corresponding increases in reactor cool ant temperatures and pressure. The ejection of a rod also produces a time dependent redistribution of core power.SDM satisfies Criterion2 of 10CFR50.36(c)(2)(ii). Even though it is not directly observed from the control room, SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.LCOSDM is a core design condition that can be ensured during operation through control rod positioning (control and shutdown banks) and through

the soluble boron concentration.The MSLB (Ref.2) accident is the most limiting analysis that establishes the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed Regulatory Guide1.183 limits (Ref.3).APPLICABILITYIn MODE2 with keff <1.0 and in MODES3, 4, and5, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODE6,

the shutdown reactivity requirements are given in LCO3.9.1, "Boron Concentration." In MODES1 and2 with keff>1.0, SDM is ensured by complying with LCO3.1.5, "Shutdown Bank Insertion Limits," and LCO3.1.6, "Control Bank Insertion Limits."ACTIONSA.1If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15minutes is adequate for an operator to correctly

align and start the required systems an d components. It is assumed that boration will be continued until the SDM requirements are met.

In the determination of the required co mbination of boration flow rate and boron concentration, there is no unique re quirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon

as(continued)

SDMB 3.1.1BASESNorth Anna Units 1 and 2B 3.1.1-5Revision 0ACTIONSA.1 (continued) possible, the boron concentration shoul d be a highly concentrated solution, such as that normally found in the bor ic acid storage tank, or the Refueling Water Storage Tank. The operator should borate with the best source available for the unit conditions.

In determining the boration flow rate

, the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle when the boron concentration may approach or exceed 2000ppm. Assuming that a value of 1%k/k must be recovered and a boration flow rate of 10gpm, it is possible to increase the boron concentration of the RCS by 100ppm in approximately 59minutes. If a boron worth of 10pcm/ppm is assumed, this combination of parameters will increase the SDM by 1%k/k. These boration parameters of 10gpm and 12,950ppm represent typical values and are provided for the purpose of offering a specific example.SURVEILLANCE

REQUIREMENT

SSR3.1.1.1In MODES1 and2 with keff1.0, SDM is verified by observing that the requirements of LCO3.1.5 and LCO3.1.6 are met. In the event that a rod is known to be untrippable, however, SDM verification must account for the worth of the untrippable rod as we ll as another rod of maximum worth.In MODE2 with keff<1.0 and MODES3, 4, and5, the SDM is verified by performing a reactivity balance cal culation, considering the listed reactivity effects:a.RCS boron concentration;b.Control and shutdown bank position;c.RCS average temperature;d.Fuel burnup based on gross thermal energy generation; e.Xenon concentration;f.Samarium concentration; andg.Isothermal temperature coefficient (ITC).

North Anna Units 1 and 2B 3.1.1-6Revision 46 SDMB 3.1.1BASESSURVEILLANCE REQUIREMENT

SSR3.1.1.1 (continued)

Using the ITC accounts for Doppler re activity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as the RCS.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section3.1.22.2.UFSAR, Chapter15.3.Regulatory Guide1.183, July2000.

North Anna Units 1 and 2B 3.1.2-1Revision 0 Core Reactivity B 3.1.2B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.2Core ReactivityBASESBACKGROUNDAccording to GDC26, GDC28, and GDC29 (Ref.1), reactivity shall be controllable, such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of

unanticipated changes in fuel, control rod worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity

validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO3.1.1, "SHUTDOWN MARGIN (SDM)") in ensuring the reactor can be brought safely to cold, subcritical conditions.

When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady stat e power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron

leakage, and materials in the core th at absorb neutrons, such as burnable absorbers producing zero net reactivity. Excess reactivity can be inferred from the boron letdown curve (or critical boron curve), which provides an

indication of the soluble boron conc entration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement of the RCS

boron concentration for comparison with the predicted value with other

variables fixed (such as rod height, temperature, pressure, and power),

provides a convenient method of ensuri ng that core reactivity is within design expectations and that the calcul ational models used to generate the safety analysis are adequate.

(continued)

North Anna Units 1 and 2B 3.1.2-2Revision 0Core Reactivity B 3.1.2BASESBACKGROUND (continued)In order to achieve the required fuel cycle energy output, the uranium enrichment, in the new fuel loading and in the fuel remaining from the

previous cycle, provides excess posi tive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical at RTP and moderator temperat ure, the excess positive reactivity is compensated by burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and

the RCS boron concentration.

When the core is producing THER MAL POWER, the fuel is being depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduc ed to decrease negative reactivity and maintain constant THERMAL POWER. The boron letdown curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be

evaluated.APPLICABLE SAFETY ANALYSESThe acceptance criteria for core reactivity are that the reactivity balance limit ensures unit operation is maintain ed within the assumptions of the safety analyses.

Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis ev aluations. Every accident evaluation (Ref.2) is, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating unit data, and analytical benchmarks. Monitoring reactivity balance additionally ensures that the nuclear methods pr ovide an accurate representation of the core reactivity.

Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining r eactivity behavior and the RCS boron concentration requirement s for reactivity control during fuel depletion.

The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and (continued)

Core Reactivity B 3.1.2BASESNorth Anna Units 1 and 2B 3.1.2-3Revision 0APPLICABLE SAFETY ANALYSES(continued) predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculational models used to predict

soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration.

Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdown curve that develop during fuel depletion may be an indication that the calculati onal model is not adequate for core burnups beyond BOC, or that an unexp ected change in core conditions has occurred.

The normalization of pred icted RCS boron concentration to the measured value is typically performed after reaching RTP following startup from a refueling outage, with the control rods in their normal positions for power operation. The normalization is performe d at BOC conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.

Core reactivity satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).

LCOLong term core reactivity behavior is a result of the core physics design and cannot be easily controlled onc e the core design is fixed. During operation, therefore, the LCO can onl y be ensured through measurement and tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that

the uncertainties in the Nuclear Design Methodology are larger than expected. A limit on the reactivity balance of +/-1%k/k has been established based on engin eering judgment. A 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.When measured core reactivity is within 1%k/k of the predicted value at steady state thermal conditions, the co re is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between (continued)

North Anna Units 1 and 2B 3.1.2-4Revision 0Core Reactivity B 3.1.2BASESLCO(continued)measured and predicted values would be approximately 100ppm (depending on the boron worth) before the limit is reached. These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.APPLICABILITYThe limits on core reactivity must be maintained during MODES1 and2 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fu el depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in MODES3, 4, and5 because the reactor is shut down and the reactivity balance is not changing.In MODE6, fuel loading results in a continually changing core reactivity.

Boron concentration requirements (LCO3.9.1, "Boron C oncentration") ensure that fuel movements are performed within the bounds of the safety analysis. An SDM demonstration is required during the first startup following operations that could have al tered core reactivity (e.g., fuel movement, control rod replacement, control rod shuffling).ACTIONSA.1 and A.2 Should an anomaly develop betwee n measured and predicted core reactivity, an evaluation of the core design and safety analysis must be

performed. Core conditions are evalua ted to determine their consistency with input to design calculations. M easured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculat ional models are re viewed to verify that they are adequate for repres entation of the core conditions. The required Completion Time of 7days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and co mplete the evaluation of the core design and safety analysis.Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity

anomaly is a (continued)

Core Reactivity B 3.1.2BASESNorth Anna Units 1 and 2B 3.1.2-5Revision 0ACTIONSA.1 and A.2 (continued) mismatch in core conditions at th e time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity a nomaly is in the calculation technique, then the calculational models must be revised to provide mo re accurate predictions. If any of these results are demonstrated

, and it is concluded that the reactor core is acceptable for continued operation, then the boron letdown curve

may be renormalized and power oper ation may continue. If operational restriction or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined.The required Completion Time of 7days is adequate for preparing

whatever operating restrictions or Surveillances that may be required to allow continued reactor operation.

B.1If the core reactivity cannot be restored to within the 1%k/k limit, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours. If the SDM for MODE3 is not met, then the boration required by SR3.1.1.1 would occur. The allowed Completion Time is reasonable, based on operating experience, for reaching MODE3 from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.1.2.1 Core reactivity is verified by pe riodic comparisons of measured and predicted RCS boron concentrations. Th e comparison is made, considering that other core conditions are fixe d or stable, including control rod

position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentrat ion. The Surveillan ce is performed prior to entering MODE1 as an init ial check on core conditions and design calculations at BOC. The SR is modified by a Note. The Note indicates that any normalization of predicted core reactivity to the (continued)

North Anna Units 1 and 2B 3.1.2-6Revision 46Core Reactivity B 3.1.2BASESSURVEILLANCE REQUIREMENT

SSR3.1.2.1 (continued) measured value must take place within the first 60effective full power days (EFPD) after each fuel loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establ ishing a benchmark for the design calculations. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Sections3.1.22, 3.1.24, and 3.1.25.2.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.1.3-1Revision 0 MTCB 3.1.3B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.3Moderator Temperature Coefficient (MTC)BASESBACKGROUNDAccording to GDC11 (Ref.1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases with

increasing moderator temperature; conversely, a ne gative MTC means that reactivity decreases with increasing moderator temperature). The reactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolan t temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increase s that cause a coolant temperature increase will thus be self limiting, and stable power operation will result.

MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the beginning of cycle (BOC) MTC is less than or equal to zero when THERMAL POWER is at RTP. The actual value of the MTC is dependent on core characteristics, such as fuel loading

and reactor coolant soluble boron c oncentration. The core design may require additional fixed distributed pois ons to yield an MTC at BOC within the range analyzed in the unit accident analysis. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles are evaluated to ensure that the MTC does not exceed the EOC limit.

The limitations on MTC are provided to ensure that the value of this coefficient remains within the limi ting conditions assumed in the UFSAR accident and transient analyses.

(continued)

North Anna Units 1 and 2B 3.1.3-2Revision 0 MTCB 3.1.3BASESBACKGROUND (continued)

If the LCO limits are not met, the uni t response during transients may not be as predicted. For example, the core could violate criteria that prohibit a return to criticality, or the departure from nucleate boiling ratio criteria of the approved correlation may be violate d, which could lead to a loss of the fuel cladding integrity.

The SRs for measurement of the MTC at the beginning and near the end of the fuel cycle are adequate to confirm that the MTC remains within its limits, since this coefficient changes slowly, due principally to the reduction in RCS boron concentra tion associated with fuel burnup.APPLICABLE SAFETY ANALYSESThe acceptance criteria for the specified MTC are:a.The MTC values must remain within the bounds of those used in the accident analysis (Ref.2); andb.The MTC must be such that inhere ntly stable power operations result during normal operation and accide nts, such as overheating and overcooling events.The UFSAR, Chapter15 (Ref.2), contains analyses of accidents that result in both overheating and overc ooling of the reactor co re. MTC is one of the controlling parameters for core reactivity in these accidents. Both the most positive value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure th at the accident results are bounding (Ref.3).The consequences of accidents that cause core overheating must be evaluated when the MTC is positive. Such accidents include the rod withdrawal transient from either zero or RTP, loss of main feedwater flow,

and loss of forced reactor coolant flow

. The consequences of accidents that cause core overcooling must be evaluated when the MTC is negative. Such accidents include sudden feedwater flow increase and sudden decrease in feedwater temperature.

In order to ensure a bo unding accident analysis, th e MTC is assumed to be its most limiting value for the analys is conditions appropriate to each accident. The bounding value is dete rmined by considering rodded and unrodded conditions, whether the reactor is at full or zero power, and whether it (continued)

MTCB 3.1.3BASESNorth Anna Units 1 and 2B 3.1.3-3Revision 0APPLICABLE SAFETY ANALYSES(continued)is the BOC or EOC life. The most conservative combination appropriate to the accident is then used for the analysis (Ref.2).

MTC values are bounded in reload safety evaluations assuming steady state conditions at BOC and EOC. An EOC measurement is conducted at conditions when the RCS boron conc entration reaches approximately 300ppm. The measured value may be extrapolated to project the EOC value, in order to confirm reload design predictions.MTC satisfies Criterion2 of 10CFR 50.36(c)(2)(ii). Even though it is not directly observed and cont rolled from the control r oom, MTC is considered an initial condition process variable because of its dependence on boron concentration.LCOLCO3.1.3 requires the MTC to be with in specified limits of the COLR to ensure that the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to

determine that its values remain with in the bounds of the original accident analysis during operation.Assumptions made in safety analyses require that the MTC be less positive than a given upper bound and more positi ve than a given lower bound. The MTC is most positive at BOC; th is upper bound must not be exceeded.

This maximum upper limit occurs at BO C, all rods out (ARO), hot zero power conditions. At EOC the MTC takes on its most negative value, when the lower bound becomes important. This LCO exists to ensure that both the upper and lower bounds are not exceeded.

During operation, therefore, the conditi ons of the LCO can only be ensured through measurement. The Surveillan ce checks at BOC and EOC on MTC provide confirmation that the MTC is behaving as anticipated so that the acceptance criteria are met.

The LCO establishes a maximum posit ive value that cannot be exceeded.

The upper limit and the lower limit are established in the COLR to allow specifying limits for each particular cycle. This permits the unit to take advantage of improved fuel management and changes in unit operating schedule.

North Anna Units 1 and 2B 3.1.3-4Revision 0 MTCB 3.1.3BASESAPPLICABILITYTechnical Specifications place both LCO and SR values on MTC, based on the safety analysis assu mptions described above.In MODE1, the limits on MTC must be maintained to ensure that any accident initiated from THERMAL PO WER operation will not violate the design assumptions of the accident analysis. In MODE2 with the reactor critical, the upper limit must also be maintained to ensure that startup and

subcritical accidents (such as the unc ontrolled control rod assembly or group withdrawal) will not violate the assumptions of the accident analysis. The lower MTC limit must be maintained in MODES2 and3, in addition to MODE1, to ensure that cooldow n accidents will not violate the assumptions of the accident analysis. In MODES4, 5, and6, this LCO is not applicable, since no Design Basis Accidents using the MTC as an analysis assumption are initiated from these MODES.ACTIONSA.1 If the upper MTC limit is violated, ad ministrative withdr awal limits for control banks must be established to maintain the MTC within its limits.

The MTC becomes more negative wi th control bank insertion and decreased boron concentration. A Completion Time of 24hours provides

enough time for evaluating the MTC measurement and computing the required bank withdrawal limits.

As cycle burnup is increased, the RC S boron concentration will be reduced. The reduced boron concentration causes the MTC to become more negative. Using physics calculations

, the time in cycle life at which the calculated MTC will meet the LCO requirement can be determined. At this point in core life ConditionA no longer exists. The unit is no longer in the Required Action, so the administrati ve withdrawal li mits are no longer in effect.

B.1If the required administrative withdrawal limits at BOC are not established within 24hours, the unit must be brought to MODE2 with keff <1.0 to prevent operation with an MTC that is more positive than that assumed in safety analyses.

(continued)

MTCB 3.1.3BASESNorth Anna Units 1 and 2B 3.1.3-5Revision 0ACTIONSB.1 (continued)The allowed Completion Time of 6hour s is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and wit hout challenging unit systems.

C.1Exceeding the lower MTC limit means that the safety analysis assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the lower MTC limit is exceeded, the unit must be brought to a MODE or condition in which the LCO requirements are not applicable. To

achieve this status, the unit must be brought to at least MODE4 within 12hours.The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and wit hout challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.1.3.1This SR requires measurement of the MTC at BOC prior to entering MODE1 in order to demonstrate compliance with the most positive MTC LCO. Meeting the limit prior to entering MODE1 ensures that the limit will also be met at higher power levels.The BOC MTC value for ARO will be inferred from isothermal temperature coefficient measuremen ts obtained during the physics tests after refueling. The ARO value can be directly compared to the upper MTC limit of the LCO. If required, meas urement results and predicted design values can be used to establish admini strative withdrawal limits for control banks.

SR3.1.3.2 In similar fashion, the LCO demands th at the MTC be less negative than the specified value for EOC full pow er conditions. This measurement may be performed at any THERMAL POWER, but its results must be extrapolated to the conditions of RTP and all banks withdrawn in order to make a proper comparison with the LCO value. Because the RTP MTC (continued)

North Anna Units 1 and 2B 3.1.3-6Revision 9 MTCB 3.1.3BASESSURVEILLANCE REQUIREMENT

SSR3.1.3.2 (continued) value will gradually become more nega tive with further core depletion and boron concentration reduction, a 300ppm SR value of MTC should necessarily be less negative than the lower LCO limit. The 300ppm SR value is sufficiently less negative than the lower LCO limit value to ensure that the LCO limit will be met when the 300ppm Surveillance criterion is met.SR3.1.3.2 is modified by three Note s that include the following requirements:

a.The SR is not required to be performed until 7Effective Full Power Days (EFPDs) after reaching the equivalent of an equilibrium RTP all rods out (ARO) boron concentration of 300ppm.b.If the 300ppm Surveillance limit is exceeded, it is possible that the lower limit on MTC could be reac hed before the planned EOC. Because the MTC changes slowly with core depletion, the Frequency of 14EFPDs is sufficient to avoid exceeding the EOC limit.c.The Surveillance limit for RTP boron concentration of 60ppm is conservative. If the measured MTC at 60ppm is more positive than the 60ppm Surveillance limit, the lower limit will not be exceeded because of the gradual manner in which MTC changes with core burnup.REFERENCES1.UFSAR, Section 3.1.7.2.UFSAR, Chapter15.3.VEP-FRD-42-A, "Reload Nuclear Design Methodology."

North Anna Units 1 and 2B 3.1.4-1Revision 0 Rod Group Alignment Limits B 3.1.4B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.4Rod Group Alignment LimitsBASESBACKGROUNDThe OPERABILITY (i.e

., trippability) of the s hutdown and control rods is an initial assumption in all safety an alyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly af fects core power distributions and assumptions of available SDM.The applicable criteria for these re activity and power distribution design requirements are GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Capability" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergenc y Core Cooling Systems for Light Water Nuclear Power Plants" (Ref.2).

Mechanical or electrical failures may cause a control or shutdown rod to become inoperable or to become misaligned from its group. Rod inoperability or misalignment may ca use increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.

Limits on rod alignment have been es tablished, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defi ned by the design power peaking and

SDM limits are preserved.

Rod cluster control asse mblies (RCCAs), or r ods, are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its RCCA one step (approximately 5/8inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Rod Control System.

The RCCAs are divided among contro l banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. If a bank of RCCAs consists of two groups,(continued)

North Anna Units 1 and 2B 3.1.4-2Revision 0 Rod Group Alignment Limits B 3.1.4BASESBACKGROUND (continued) the groups are moved in a staggered fash ion, but always with in one step of each other. There are four cont rol banks and two shutdown banks.

The shutdown banks are maintained eith er in the fully inserted or fully withdrawn position. The control banks are moved in an overlap pattern, using the following withdrawal sequence: When control bankA reaches a predetermined height in the core, control bankB begins to move out with control bankA. Control bankA stops at the position of maximum withdrawal, and control bankB cont inues to move out. When control bankB reaches a predetermi ned height, control bank C begins to move out with control bankB. This sequence continues until control banksA, B, andC are at the fully withdrawn position, and control bankD is approximately halfway wi thdrawn. The insertion sequence is the opposite of the withdrawal sequence. The cont rol rods are arranged in a radially symmetric pattern, so that control bank motion does not introduce radial asymmetries in the core power distributions.

The axial position of shutdown rods a nd control rods is indicated by two separate and independent systems, which are the Bank Demand Position

Indication System (comm only called group step counters) and the Rod Position Indication (RPI) System.

The Bank Demand Position Indication System counts the pulses from the rod control system that moves the rods

. There is one step counter for each group of rods. Individual rods in a gr oup all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication

System is considered highly precise (+/-1step or +/-5/8inch). If a rod does not move one step for each demand pulse

, the step counter will still count the pulse and incorrectly reflect the position of the rod.The RPI System provides a highly accurate indication of actual rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a

hollow tube. The RPI system is capabl e of monitoring rod position within at least +/-12steps.

Rod Group Alignment Limits B 3.1.4BASESNorth Anna Units 1 and 2B 3.1.4-3Revision 0APPLICABLE SAFETY ANALYSESRod misalignment accidents are analyzed in the safety analysis (Ref.3). The acceptance criteria for addressing rod inoperability or misalignment are that:a.There be no violations of:1.specified acceptable fuel design limits, or2.Reactor Coolant System (RCS) pressure boundary integrity; andb.The core remains subcritical after accident transients.Two types of misalignment are distinguished. During movement of a rod

group, one rod may stop moving, while the other rods in the group continue. This condition may cause excessive power peaking. The second

type of misalignment occurs if one rod fails to inse rt upon a reactor trip and remains stuck fully withdrawn. This condition requires an evaluation to determine that sufficient reactivity wo rth is held in the rods to meet the SDM requirement, with the maximum worth rod stuck fully withdrawn.Two types of analysis are performed in regard to static rod misalignment (Ref.4). With control and shutdown ba nks at their insertion limits, one type of analysis considers the case wh en any one rod is completely inserted

into the core. The second type of analysis considers the case of a completely withdrawn single rod from a bank inserted to its insertion limit.

Satisfying limits on departure from nuc leate boiling ratio in both of these cases bounds the situation when a r od is misaligned from its group by 12steps.Another type of misalignment occurs if one RCCA fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition is assumed in the evaluation to determine that the required SDM is met with the maximum worth RCCA also fully withdrawn (Ref.5).

The Required Actions in this LCO ensure that either deviations from the alignment limits will be corrected or that THERMAL POWER will be adjusted so that excessive local linear heat rates (LHRs) will not occur, and that the requirements on SDM and ejected rod worth are preserved.

(continued)

North Anna Units 1 and 2B 3.1.4-4Revision 0 Rod Group Alignment Limits B 3.1.4BASESAPPLICABLE SAFETY ANALYSES(continued)

Continued operation of the reactor wi th a misaligned rod is allowed if power is reduced or if the heat flux hot channel factor (F Q(Z)) and the nuclear enthalpy rise hot channel factor are verified to be within their limits in the COLR and the safety an alysis is verified to remain valid.

When a rod is misaligned, the assumpti ons that are used to determine the rod insertion limits, AFD limits, a nd quadrant power tilt limits are not preserved. Therefore, the limits ma y not preserve the design peaking factors, and F Q(Z) and must be verified directly by incore mapping. Bases Section3.2 (Power Distribution Limits) contains more complete discussions of the relation of F Q(Z) and to the operating limits.

Shutdown and control rod OPERABILITY and alignment are directly related to power distributions and SDM, which are initial conditions assumed in safety analyses. Therefore they satisfy Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe limits on shutdown or contro l rod alignments ensure that the assumptions in the safety analysis will remain valid. The requirements on rod OPERABILITY ensure that upon reactor trip, the assumed reactivity will be available and will be inserted. The rod OPERABILITY requirements (i.e., trippability) ar e separate from the alignment

requirements which ensure that the RCCAs and banks maintain the correct power distribution and rod ali gnment. The rod OPERABILITY requirement is satisfied provided the rod will fully insert in the required rod drop time assumed in the safety anal ysis. Rod control malfunctions that result in the inability to move a rod (e

.g., rod lift coil failures), but that do not impact trippability, do not result in rod inoperability.

The requirement to maintain the rod alignment to within plus or minus 12steps is conservative. The minimum misalignment assumed in safety analysis is 24steps (15inches), and in some cases a total misalignment from fully withdrawn to fully inserted is assumed.

Failure to meet the requirements of this LCO may produce unacceptable power peaking factors and LHRs, or unacceptable SDMs, a ll of which may constitute initial conditions incons istent with the safety analysis.

(continued)

FHNFHNFHN Rod Group Alignment Limits B 3.1.4BASESNorth Anna Units 1 and 2B 3.1.4-5Revision 0 LCO(continued)

The LCO has been modified by a Note. The Note permits a wider tolerance on indicated rod position for a maximum of one hour in every 24hours to allow stabilization of known thermal drift in the individual rod position indicator channels. This thermal so ak time is available both for a continuous one hour period or several disc rete intervals as long as the total time does not exceed 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> in any 24hour period and the indicated rod position does not exceed 24steps from the group step counter demand position. This allowance applies to the indicated position of the rod, not its actual position. If the actual position is known to be greater than 12steps

from the group step counter demand pos ition, the Conditions and Required Actions of the specificat ion must be followed.APPLICABILITYThe requirements on RCCA OPERABILITY and alignment are applicable in MODES1 and2 because these are the only MODES in which neutron

(or fission) power is generated, and the OPERABILITY (i.e., trippability) and alignment of rods have the potential to affect the safety of the unit. In MODES3, 4, 5, and6, the alignment limits do not apply because the rods

are normally bottomed and the reactor is shut down and not producing fission power. In the shutdown MODES, the OPERABILITY of the shutdown and control rods has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron

concentration of the RCS. See LCO3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM in MODES3, 4, and5 and LCO3.9.1, "Boron

Concentration," for boron concentrat ion requirements during refueling.ACTIONSA.1.1 and A.1.2 When one or more rods are inopera ble (i.e., untrippable), there is a possibility that the required SDM may be adversely affected. Under these

conditions, it is important to determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered. The Completion Time of 1hour is adequate for determining SDM and, if necessary, for initiating emerge ncy boration and restoring SDM.

In this situation, SDM verification must include the worth of the

untrippable rod, as well as a rod of maximum worth.

North Anna Units 1 and 2B 3.1.4-6Revision 0 Rod Group Alignment Limits B 3.1.4BASESACTIONS(continued)

A.2If the inoperable rod(s) cannot be restored to OPERABLE status, the unit must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this st atus, the unit must be brought to at least MODE3 within 6hours.The allowed Completion Time is reasonable, based on operating experience, for reaching MODE3 from fu ll power conditions in an orderly manner and without challenging unit systems.

B.1.1 and B.1.2With a misaligned rod, SDM must be veri fied to be within limit or boration must be initiated to restore SDM to within limit.

In many cases, realigning the remainde r of the group to the misaligned rod may not be desirable. For example, realigning control bankC to a rod that is misaligned 15steps from the top of the core would require a significant power reduction, since control bankD must be moved in significantly to

meet the overlap requirements.

Power operation may continue with one RCCA OPERABLE but misaligned, provided that SDM is verified within 1hour. The Completion Time of 1hour represents the time necessary for determining the actual unit SDM and, if necessary, aligning and starting the necessary systems and components to initiate boration. Si nce the core conditions can change with time, periodic verification of SDM is required. A Frequency of 12hours is sufficient to ensure this requirement continues to be met.

B.2.1, B.2.2.1, B.2.2.2, and B.3 For continued operation with a misaligned rod, RTP must be reduced or hot channel factors (F Q(Z) and ) must be verified within limits, and the safety analyses must be re-evaluat ed to confirm continued operation is permissible.

Reduction of power to 75%RTP ensures that local LHR increases due to a misaligned RCCA will not cause the core design criteria to be exceeded (Ref.4). The Completion Time (continued)

FHN Rod Group Alignment Limits B 3.1.4BASESNorth Anna Units 1 and 2B 3.1.4-7Revision 0ACTIONSB.2.1, B.2.2.1, B.2.2.2, and B.3 (continued)of 2hours gives the operator sufficient time to accomplish an orderly power reduction without challenging the Reactor Protection System.Alternatively, verifying that F Q(Z) and are within the required limits ensures that current operation with a rod misaligned does not result in power distributions that may invalida te safety analysis assumptions. The Completion Time of 72hours allows suffic ient time to obtain flux maps of the core power distribution using th e incore flux mappi ng system and to calculate F Q(Z) and .

Once current conditions have been verified acceptable, time is available to perform evaluations of acci dent analysis to determin e that core limits will not be exceeded during a Design Basi s Event for the duration of operation under these conditions. The accident analyses presented in UFSAR, Chapter15 (Ref.3) that may be adversely affected will be evaluated to ensure that the analysis results rema in valid for the dur ation of continued operation under these conditions. A Completion Time of 5days is sufficient time to obtain the required input data and to perform the analysis.

C.1When Required Actions cannot be co mpleted within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To ac hieve this status, the unit must be brought to at least MODE3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, which obviates concerns about the development of unde sirable xenon or power di stributions. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching MODE3 from full power c onditions in an or derly manner and without challenging the unit systems.

D.1.1 and D.1.2 More than one rod becoming misaligne d from its group average position is not expected, and has the potential to reduce SDM. Therefore, SDM must be evaluated. One hour allows the ope rator adequate time to determine SDM. Restoration of the required SDM, if necessary, requires increasing the RCS boron concentration to provide negative reactivity, as (continued)

FHNFHN North Anna Units 1 and 2B 3.1.4-8Revision 46 Rod Group Alignment Limits B 3.1.4BASESACTIONSD.1.1 and D.1.2 (continued)described in the Bases or LCO3.1.1. The required Completion Time of 1hour for initiating boration is reasona ble, based on the time required for

potential xenon redistribution, the low probability of an accident occurring, and the steps required to complete the action. This allows the operator sufficient time to align the required valves and start the boric acid pumps.

Boration will continue until th e required SDM is restored.

D.2If more than one rod is found to be misaligned or becomes misaligned because of bank movement, the unit conditions fall outside of the accident analysis assumptions. Since automatic bank sequencing would continue to cause misalignment, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To ac hieve this status, the unit must be brought to at least MODE3 within 6hours.The allowed Completion Time is reasonable, based on operating experience, for reaching MODE3 from fu ll power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.1.4.1Verification that individual rod posi tions are within alignment limits provides a history that allows the opera tor to detect a rod that is beginning to deviate from its expected position. If an individual rod position is not within the alignment limit of the group step counter demand position, a

determination must be ma de whether the problem is the actual rod position or the indicated rod position. If the act ual rod position is not within the alignment limit, follow the Condi tions and Requir ed Actions in Specification3.1.4. If the indicated, not actual, r od position is not within the alignment limit, follow the Conditions and Required Actions of Specification3.1.7, Rod Position Indi cation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and

is controlled under the Surveill ance Frequency Control Program.

Rod Group Alignment Limits B 3.1.4BASESNorth Anna Units 1 and 2B 3.1.4-9Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.1.4.2Verifying each rod is OPERABLE would require that each rod be tripped. However, in MODES1 and2, tripping each rod would result in radial or axial power tilts, or oscillations.

Exercising each indi vidual rod provides increased confidence that all rods continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each rod by 10steps will not ca use radial or axia l power tilts, or oscillations, to occur. The Surveill ance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Between required performances of SR3.1.4.2 (determination of rod OP ERABILITY by movement), if a rod(s) is discovered to be immovable, but remains trippable, the rod(s) is considered to be OPERABLE. At any time, if a rod(s) is immovable, a determination of the trippability (O PERABILITY) of the rod(s) must be made, and appropriate action taken.SR3.1.4.3Verification of rod drop times allows the operator to determine that the maximum rod drop time permitted is c onsistent with the assumed rod drop time used in the safety analysis. Measuring rod drop times prior to reactor criticality, after reactor vessel head removal, ensures that the reactor internals and rod drive mechanism will not interfere with rod motion or rod drop time, and that no degradation in these systems has occurred that would adversely affect rod motion or drop time. This test ing is performed with all RCPs operating and the average moderator temperature 500F to simulate a reactor trip under actual conditions. Fo r this surveillance, a fully withdrawn position of 230steps is used in order to provide consistent test

conditions to facilitate trending. This rod position is not necessarily the same as the cycle-dependent fully wi thdrawn rod position specified in the COLR and will yield conservative drop times relative to the COLR position. The surveillance procedure limi ts for rod drop time ensure that the Surveillance Requirement criterion and the Safety Analysis Limit are met.This Surveillance is performed during a unit outage, due to the unit conditions needed to perform the SR and the potential for an unplanned unit transient if the Surveillance were performed with the reactor at power.

North Anna Units 1 and 2B 3.1.4-10 Revision 3 Rod Group Alignment Limits B 3.1.4BASESREFERENCES1.UFSAR, Sections3.1.6 and 3.1.22.2.10CFR50.46.3.UFSAR, Chapter15.

4.UFSAR, Section15.2.3.

5.UFSAR, Section4.3.1.5.

North Anna Units 1 and 2B 3.1.5-1Revision 0 Shutdown Bank Insertion Limits B 3.1.5B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.5Shutdown Bank Insertion LimitsBASESBACKGROUNDThe insertion limits of the shutdown and control rods are initial assumptions in all safety analyses th at assume rod insertion upon reactor trip. The insertion limits directly affect co re power and fuel burnup distributions and assumptions of av ailable ejected rod worth, SDM and initial reactivity insertion rate.The applicable criteria for these re activity and power distribution design requirements are GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Protecti on," GDC 28, "Reactivity Limits" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref.2). Limits on control rod insertion ha ve been established, a nd all rod positions are monitored and controlled during power operation to ensure that the power

distribution and reactivity limits defi ned by the design power peaking and

SDM limits are preserved.

The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for prec ise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that ar e moved in a staggered fashion, but always within one step of each other. There are f our control banks and two shutdown banks. See LCO3.1.4, "Rod Gr oup Alignment Limits," for control and shutdown rod OPERABIL ITY and alignment requirements, and LCO3.1.7, "Rod Position Indication," for position indication

requirements.

The control banks are used for precise reactivity control of the reactor. The positions of the control banks are normally automatically controlled by the Rod Control System, but they can also be manually controlled. They are capable of adding negative reactivity very quickly (compared to borating).

The control banks must be maintained above designed insertion limits and are typically near the fully withdrawn position during normal full power operations.

(continued)

North Anna Units 1 and 2B 3.1.5-2Revision 0 Shutdown Bank Insertion Limits B 3.1.5BASESBACKGROUND (continued)

Hence, they are not capable of adding a large amount of positive reactivity.

Boration or dilution of the Reactor C oolant System (RCS) compensates for the reactivity changes associated with large changes in RCS temperature.

The design calculations are performed with the assumption that the shutdown banks are withdrawn first.

The shutdown banks can be fully withdrawn without the core going critic al. This provides av ailable negative reactivity in the event of boration errors. The shutdown banks are controlled manually by the control room operator. During normal unit operation, the shutdown banks are either fully withdrawn or fully inserted.

The shutdown banks must be completely withdrawn from the core, prior to withdrawing any control banks during an approach to criticality. The shutdown banks are then left in this position until the reactor is shut down.

They add negative reactivity to s hut down the reactor upon receipt of a reactor trip signal.APPLICABLE SAFETY ANALYSESOn a reactor trip, all RCCAs (shut down banks and control banks), except the most reactive RCCA, are assumed to insert into the core. The shutdown

banks shall be at or above their insertion limits a nd available to insert the maximum amount of negative reactiv ity on a reactor trip signal. The control banks may be partially inserted in the core, as allowed by LCO3.1.6, "Control Bank Insertion Limits." The shutdown bank and

control bank insertion limits are established to ensure that a sufficient amount of negative reactivity is avai lable to shut down the reactor and maintain the required SDM (see LCO3.1.1, "SHUTDOWN MARGIN (SDM)") following a reactor trip from full power. The combination of control banks and shutdown banks (less the most reactive RCCA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref.3). The shutdown bank insertion limit also limit s the reactivity worth of an ejected shutdown rod.The acceptance criteria for addressi ng shutdown rod bank insertion limits and inoperability or misalignment is that:a.There be no violations of:1.specified acceptable fuel design limits, or 2.RCS pressure boundary integrity; andb.The core remains subcritical after accident transients.

Shutdown Bank Insertion Limits B 3.1.5BASESNorth Anna Units 1 and 2B 3.1.5-3Revision 0APPLICABLE SAFETY ANALYSES(continued)

As such, the shutdown bank insertion limits affect safety analysis involving core reactivity and SDM (Ref.3).

The shutdown bank insertion limits pres erve an initial condition assumed in the safety analyses and, as such, satisfy Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe shutdown banks must be within their insertion limits any time the reactor is critical or approaching criticality. This ensures that a sufficient amount of negative reactivity is avai lable to shut down the reactor and

maintain the required SDM following a reactor trip.

The shutdown bank insertion limit s are defined in the COLR.APPLICABILITYThe shutdown banks must be within their insertion limits, with the reactor in MODES1 and2. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. The shutdown banks do not have to be within their insertion limits in MODE3, unless an approach to criticality is being made. In MODE3, 4, or5, the shut down banks are fully inserted in the core and contribute to the SDM. Refer to LCO3.1.1 for SDM requirements in MODES3, 4, and5. LCO3.9.1, "Boron Concentration," ensures adequate SDM in MODE6.

The Applicability requirements have been modified by a Note indicating the LCO requirement is suspended during SR3.1.4.2. This SR verifies the freedom of the rods to move, and requires the shutdown bank to move below the LCO limits, which would nor mally violate the LCO. Should the SR testing be suspended due to e quipment malfunction with a rod bank below the insertion limit, the appl icable Condition should be entered.ACTIONSA.1.1, A.1.2 and A.2 When one or more shutdow n banks is not within insertion limits, except as allowed by ConditionB, 2hours is allo wed to restore the shutdown banks to within the insertion limits. This is necessary because the available SDM may be significantly reduced, with one or more of the shutdown banks not within their insertion li mits. Also, verification (continued)

North Anna Units 1 and 2B 3.1.5-4Revision 0 Shutdown Bank Insertion Limits B 3.1.5BASESACTIONSA.1.1, A.1.2 and A.2 (continued)of SDM or initiation of boration within 1hour is required, since the SDM in MODES1 and2 is ensured by adhering to the control and shutdown

bank insertion limits (see LCO3.1.1).If shutdown banks are not within their insertion limits, then SDM will be

verified by performing a reactivity balance calculati on, considering the effects listed in the BASES for SR3.1.1.1.The allowed Completion Time of 2hours provides an acceptable time for evaluating and repairing minor probl ems without allowing the unit to remain in an unacceptable condition for an extended period of time.

B.1 and B.2 If a shutdown bank is inserted below the insertion limits, power operation may continue for up to 72hours provided that the bank is not inserted more than 18steps below the insertion limi ts, the control and shutdown rods are within the operability and rod group alignment requirements provided in LCO3.1.4, and the control banks are within the insertion limits provided in LCO3.1.6. The requirement to be in compliance with LCO3.1.4 and LCO3.1.6 ensures that the rods are trippable, and power distribution is

acceptable during the time allowed to restore the inserted rod. If any of these Conditions are not met, Condition A must be applied.The Completion Time of 72hours is based on operating experience and provides an acceptable time for evaluating and repairing problems with the

rod control system.

C.1If the Required Action and associated Completion Time of ConditionsA orB are not met, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching the required MODE from full

power conditions in an orderly manner and without challenging unit

systems.

Shutdown Bank Insertion Limits B 3.1.5BASESNorth Anna Units 1 and 2B 3.1.5-5Revision 46SURVEILLANCE REQUIREMENT

SSR3.1.5.1Verification that the shutdown banks are within their insertion limits prior to an approach to criticality ensures th at when the reactor is critical, or being taken critical, the s hutdown banks will be availa ble to shut down the reactor, and the required SDM will be maintained following a reactor trip.

This SR and Frequency ensure that the shutdown banks are withdrawn before the control banks are withdrawn during a unit startup.Since the shutdown banks are positioned manually by the control room operator, a verification of shutdown bank position, afte r the reactor is taken critical, is adequate to ensure that th ey are within their insertion limits. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Sections3.1.6, 3.1.22, and 3.1.24.2.10CFR50.46.3.UFSAR, Chapter15.

Intentionally Blank North Anna Units 1 and 2B 3.1.6-1Revision 0 Control Bank Insertion Limits B 3.1.6B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.6Control Bank Insertion LimitsBASESBACKGROUNDThe insertion limits of the shutdown and control rods are initial assumptions in all safety analyses th at assume rod insertion upon reactor trip. The insertion limits directly affect co re power and fuel burnup distributions and assumptions of available SDM, and initial reactivity insertion rate.The applicable criteria for these re activity and power distribution design requirements are GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Protecti on," GDC 28, "Reactivity Limits" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref.2). Limits on control rod insertion ha ve been established, a nd all rod positions are monitored and controlled during power operation to ensure that the power

distribution and reactivity limits defi ned by the design power peaking and

SDM limits are preserved.

The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for prec ise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that ar e moved in a staggered fashion, but always within one step of each other. There are f our control banks and two shutdown banks. See LCO3.1.4, "Rod Gr oup Alignment Limits," for control and shutdown rod OPERABIL ITY and alignment requirements, and LCO3.1.7, "Rod Position Indication," for position indication

requirements.

The control bank insertion limits are specified in the COLR. An example is provided for information only in FigureB3.1.6-1. The control banks are required to be at or above the insertion limit lines.

FigureB3.1.6-1 also indicates how th e control banks are sequenced and moved in an overlap pattern. Overlap is the distance travelled together by two control banks. Sequencing is the order in which the banks are moved. For example, if the fully withdrawn position is 231steps, as in (continued)

North Anna Units 1 and 2B 3.1.6-2Revision 0 Control Bank Insertion Limits B 3.1.6BASESBACKGROUND (continued)FigureB3.1.6-1, control bankD will begin to move with bankC on a withdrawal when control bankC is at 128steps. The fully withdrawn position, as well as proper overlap and sequence, are defined in the COLR.

The control banks are used for precise reactivity control of the reactor. The positions of the control banks are normally controlled automatically by the Rod Control System, but can also be manually controlled. They are capable of adding reactivity ve ry quickly (compared to borating or diluting).

The power density at any poi nt in the core must be limited, so that the fuel design criteria are maintained. Together, LCO3.1.4, LCO3.1.5, "Shutdown Bank Insertion Limits," LCO3.1.6, LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," provide limit s on control component operation and on monitored process variables, which ensure that the core operates within the fuel design criteria.

The shutdown and control bank inserti on and alignment limits, AFD, and QPTR are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the control bank insertion limits control the reactivity that could be added in the event of a rod ejection accident

, and the shutdown and control bank insertion limits ensure the required SDM is maintained.

Operation within the subject LCO limit s will limit fuel cladding failures that would breach the primary fissi on product barrier a nd release fission products to the reactor coolant to with in acceptable limits in the event of a loss of coolant accident (LOCA), loss of flow, ejected rod, or other accident requiring termination by a Reactor Trip System (RTS) trip function.APPLICABLE SAFETY ANALYSESThe shutdown and control bank insertion limits, AFD, and QPTR LCOs

are required to maintain power distributi ons that limit fuel cladding failures to within acceptable limits in the event of a LOCA, loss of flow, ejected

rod, or other accident requiring termination by an RTS trip function.

(continued)

Control Bank Insertion Limits B 3.1.6BASESNorth Anna Units 1 and 2B 3.1.6-3Revision 0APPLICABLE SAFETY ANALYSES(continued)The acceptance criteria for addressing control bank insertion limits and inoperability or mi salignment are that:a.There be no violations of:1.specified acceptable fuel design limits, or2.Reactor Coolant System pres sure boundary integrity; andb.The core remains subcritical after accident transients.

As such, the shutdown and control bank insertion limits affect safety analysis involving core reactivity and power distributions (Ref.3).

The SDM requirement is ensured by limiting the control bank insertion limits so that allowable inserted worth of the RCCAs is such that sufficient reactivity is available in the rods to shut down the reactor to hot zero power with a reactivity margin that assumes the maximum worth RCCA remains fully withdrawn upon trip (Ref.3).

Operation at the insertion limits or AFD limits ma y approach the maximum allowable linear heat generation rate or peaking factor with the allowed QPTR present. Operation at the inse rtion limit may also indicate the maximum ejected RCCA worth could be equal to the limiting value in fuel cycles that have sufficien tly high ejected RCCA worths.

The control bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and powe r distribution peaking factors are preserved (Ref.3).

The insertion limits satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).

LCOThe limits on control banks sequenc e, overlap, and physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensu ring that the SDM is maintained, ensuring that ejected rod worth is maintained, and ensuring adequate

negative reactivity insertion is av ailable on trip. The overlap between control banks provides more uniform rates of (continued)

North Anna Units 1 and 2B 3.1.6-4Revision 0 Control Bank Insertion Limits B 3.1.6BASESLCO(continued)reactivity insertion and withdrawal and is imposed to maintain acceptable power peaking during control bank motion.APPLICABILITYThe control bank sequence, overl ap, and physical insert ion limits shall be maintained with the reactor in MODES1 and2 with keff1.0. These limits must be maintained, since they preserve the assumed power distribution, ejected rod worth, SDM, and reactivity rate insertion assumptions. Applicability in MODE2 with keff<1.0, and MODES3, 4, and5 is not required, since neither the power distribution nor ejected rod

worth assumptions would be exceeded in these MODES.The applicability requirements have been modified by a Note indicating the LCO requirements are suspe nded during the performance of SR3.1.4.2. This SR verifies the freedom of the rods to move, and requires the control bank to move below the LCO limits, which would violate the

LCO. Should the SR testing be susp ended due to equipment malfunction with a rod bank below the insertion limits, the applicable Condition should

be entered.ACTIONSA.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2If the control banks are found to be out of sequence or in the wrong overlap

configuration, they must be restored to meet the limits.

Operation beyond the LCO limits is al lowed for a short time period in order to take conservative action beca use the simultaneous occurrence of either a LOCA, loss of flow accide nt, ejected rod accident, or other accident during this short time period, together with an inadequate power distribution or reactivity capability, has an acceptably low probability.

Also, verification of SDM or initia tion of boration to regain SDM is required within 1hour, since the SDM in MODES1 and2 normally ensured by adhering to the control a nd shutdown bank insertion limits (see LCO3.1.1, "SHUTDOWN MARGIN (SDM)"

) has been upset. If control banks are not within their limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR3.1.1.1.

(continued)

Control Bank Insertion Limits B 3.1.6BASESNorth Anna Units 1 and 2B 3.1.6-5Revision 0ACTIONSA.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2 (continued)

When the control banks are outside th e acceptable insertion limits, except as allowed by ConditionC, they must be restored to within those limits.

This restoration can occur in two ways:a.Reducing power to be consis tent with rod position; orb.Moving rods to be consistent with power.The allowed Completion Time of 2hours for restoring the banks to within the insertion, sequence, and overlaps limits provides an acceptable time for evaluating and repairing minor probl ems without allowing the unit to remain in an unacceptable condition for an extended period of time.

C.1 and C.2If Control BanksA, B, orC are insert ed below the insertion limits, power operation may continue for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> provided that the bank is not inserted more than 18steps below the insertion limits, the control and shutdown rods are within the operability and rod group alignment requirements provided in LCO3.1.4, and the shutdown banks are within the insertion limits provided in LCO3.1.5. The requirement to be in compliance with LCO3.1.4 and LCO3.1.5 ensures that the rods are trippable, and power distribution is acceptable during the time allowed to restore the inserted rod. If any of th ese Conditions are not met, Condition B must be applied.The Completion Time of 72hours is based on operating experience and provides an acceptable time for evaluating and repairing problems with the

rod control system.

D.1If Required ActionsA.1 andA.2, B.1 andB.2, or C.1 andC.2 cannot be completed within the associated Completion Times, the unit must be brought to MODE2 with keff<1.0, where the LCO is not applicable. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and wit hout challenging unit systems.

North Anna Units 1 and 2B 3.1.6-6Revision 46 Control Bank Insertion Limits B 3.1.6BASESSURVEILLANCE REQUIREMENT

SSR3.1.6.1This Surveillance is required to ensu re that the reactor does not achieve criticality with the control banks below their insertion limits.The estimated critical position (ECP) depends upon a number of factors,

one of which is xenon c oncentration. If the ECP wa s calculated long before criticality, xenon concentration could change to make the ECP substantially in error. Verifying th e predicted critical rod bank position within 4hours prior to criticality avoids a large error from changes in

xenon concentration, but al lows the operator some flexibility to schedule the verification with other startup activities.SR3.1.6.2 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.1.6.3When control banks are maintained within their insertion limits as checked by SR3.1.6.2 above, it is unlikely that their sequence and overlap will not be in accordance with requireme nts provided in the COLR. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Sections3.1.6, 3.1.22, and3.1.24.2.10CFR50.46.

3.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.1.6-7Revision 0 Control Bank Insertion Limits B 3.1.6FigureB 3.1.6-1 (page 1 of 1)

Control Bank Insertion vs. Percent RTP Intentionally Blank North Anna Units 1 and 2B 3.1.7-1Revision 0 Rod Position Indication B 3.1.7B 3.1 REACTIVITY CONTROL SYSTEMB 3.1.7Rod Position IndicationBASESBACKGROUNDAccording to GDC13 (Ref.1), in strumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE. LCO3.1.7 is required to ensure OPERABILITY of the rod position indicators to determine rod positions and thereby ensure compliance with the rod alignment and insertion limits.The OPERABILITY, including position indication, of the shutdown and control rods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximu m rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of ava ilable SDM. Rod posit ion indication is required to assess OPERABILITY and misalignment.

Mechanical or electrical failures may cause a rod to become inoperable or to become misaligned from its group.

Rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor

shutdown. Therefore, rod alignment and OPERABILITY are related to

core operation in design power peak ing limits and the core design

requirement of a minimum SDM.

Limits on rod alignment and OPERAB ILITY have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.Rod cluster control assemblies (RCCAs), or rods, are moved out of the core (up or withdrawn) or into the co re (down or inserted) by their control rod drive mechanisms. The RCCAs ar e divided among control banks and shutdown banks. Each bank is furthe r subdivided into two groups to provide for precise reactivity control.

(continued)

North Anna Units 1 and 2B 3.1.7-2Revision 0 Rod Position Indication B 3.1.7BASESBACKGROUND (continued)

The axial position of shutdown rods and control rods are determined by two separate and independent systems: the Bank Demand Position

Indication System (comm only called group step counters) and the Rod Position Indication (RPI) System.

The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods

. There is one step counter for each group of rods. Individual rods in a gr oup all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication

System is considered highly precise (+/-1step or +/-5/8inch). If a rod does not move one step for each demand pulse

, the step counter will still count the pulse and incorrectly reflect the position of the rod.The RPI System provides a highly accurate indication of actual rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a hollow tube. The RPI System is capable of monitoring rod position within at least +/-12steps.APPLICABLE SAFETY ANALYSESControl and shutdown rod position accuracy is essential during power operation. Power peaking, ejected rod worth, or SDM limits may be

violated in the event of a Design Basis Accident (Ref.2), with control or shutdown rods operating outside thei r limits undetected. Therefore, the acceptance criteria for rod position indi cation is that rod positions must be known with sufficient accuracy in orde r to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO3.1.5, "Shutdown Bank Insertion Limits," and LCO3.1.6, "Control Bank Insertion Limits"). The rod positions must also be known in orde r to verify the alignment limits are preserved (LCO3.1.4, "Rod Group Alignment Limits"). Control rod

positions are continuously monitored to provide operators with information that ensures the unit is operating within the bounds of the accident analysis assumptions.The control rod position indicator channels satisfy Criterion2 of 10CFR50.36(c)(2)(ii).

Rod Position Indication B 3.1.7BASESNorth Anna Units 1 and 2B 3.1.7-3Revision 0 LCOLCO3.1.7 specifies that the RPI Sy stem and the Bank Demand Position Indication System be OPERABLE fo r each rod. For the rod position indicators to be OPERAB LE requires meeting the SR of the LCO and the following:a.The RPI System indicates within 12 or 24steps of the group step counter demand position as required by LCO3.1.4, "Rod Group Alignment Limits";b.For the RPI System there are no failed coils; andc.The Bank Demand Indication System ha s been calibrated either in the fully inserted position or to the RPI System.

The 12 step agreement li mit between the Bank Demand Position Indication System and the RPI System indicates that the Bank Demand Position Indication System is adequately calib rated, and can be used for indication of the measurement of rod bank position.

A deviation of less than the allowable limit, given in LCO3.1.4, in position indication for a single rod, ensure s high confidence that the position uncertainty of the corresponding rod group is within the assumed values used in the analysis (that speci fied rod group insertion limits).These requirements ensure that rod position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions

are not challenged.OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositi oned rods can be detected. Therefore, power peaking, ejected rod worth, and SDM can be controlled within acceptable limits.APPLICABILITYThe requirement s on the RPI and step counter s are only applicable in MODES1 and2 (consistent with LCO3.1.4, LCO3.1.5, and LCO3.1.6),

because these are the only MODES in which power is generated, and the

OPERABILITY and alignment of rods have the potential to affect the

safety of the unit. In the shutdown MODES, the OPERABILITY of the shutdown and control banks has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron

concentration of the Reactor Coolant System.

North Anna Units 1 and 2B 3.1.7-4Revision 0 Rod Position Indication B 3.1.7BASESACTIONSThe ACTIONS table is modified by a Note indicating that a separate Condition entry is allowed for each inoperable rod position indicator and each demand position indicator. This is acceptable because the Required Actions for each Condition provide a ppropriate compensatory actions for each inoperable position indicator.

A.1When one RPI channel per group fails, the position of the rod may still be determined indirectly by use of the movable incore detectors. The Required Action may also be satisfied by ensuring at least once per 8hours that FQ(Z) satisfies LCO3.2.1, satisfies LCO3.2.2, and SHUTDOWN MARGIN is within the limits pr ovided in the COLR, provided the nonindicating rods have not been moved. Based on experience, normal power operation does not require excessive movement of banks. If a bank has been significantly moved, the Required Action of C.1 orC.2 below is required. Therefore, verification of RCCA position within the Completion Time of 8hours is adequate for al lowing continued full power operation, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small.

A.2Reduction of THERMAL POWER to 50%RTP puts the core into a condition where rod position is not significantly affecting core peaking factors (Ref.2).The allowed Completion Time of 8hour s is reasonable, based on operating experience, for reducing power to 50%RTP from full power conditions without challenging unit system s and allowing for rod position determination by Required ActionA.1 above.

B.1, B.2, B.3, and B.4 When more than one RPI per group fail

, additional actions are necessary to ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potential effects of rod misalignment on associated accident analyses are lim ited. Placing the Rod Control System in manual assures unplanned rod motion will not occur. Together with the indirect position determin ation available via movable incore detectors will minimize the potential for rod (continued)

FHN Rod Position Indication B 3.1.7BASESNorth Anna Units 1 and 2B 3.1.7-5Revision 0ACTIONSB.1, B.2, B.3, and B.4 (continued)misalignment. The immediate Completion Time for placing the Rod Control System in manual reflects the urgency with which unplanned rod

motion must be prevented while in this Condition.

Monitoring and recording reactor coolant T avg help assure that significant changes in power distribution and SDM are avoided. The once per hour Completion Time is acceptable because only minor fluctuations in RCS temperature are expected at stea dy state plant operating conditions.

The position of the rods may be dete rmined indirectly by use of the movable incore detectors. The Requi red Action may also be satisfied by ensuring at least once per 8hours that F Q(Z) satisfies LCO3.2.1, satisfies LCO3.2.2, and SHUTDOWN MARGIN is within the limits

provided in the COLR, provided the nonindicating rods have not been moved. Verification of control rod position once per 8hours is adequate for allowing continued full power operation for a limited, 24hour period, since the probability of simultaneously havi ng a rod significantly out of position and an event sensitive to that rod position is small. The 24hour Completion Time provides sufficient time to troubleshoot and restore the RPI system to operation while avoiding the plant challenges associated with a shutdown without fu ll rod position indication.

Based on operating experience, norma l power operation does not require excessive rod movement. If one or more rods has been significantly moved, the Required Action of C.1 orC.2 below is required.C.1 andC.2 These Required Actions clarify that when one or more rods with inoperable position indicators have been moved in excess of 24steps in one direction, since the position was last determ ined, the Required Actions of A.1 andA.2, or B.1, as applicable, are sti ll appropriate but must be initiated promptly under Required ActionC.1 to be gin verifying that these rods are still properly positio ned, relative to their group positions.

(continued)

FHN North Anna Units 1 and 2B 3.1.7-6Revision 0 Rod Position Indication B 3.1.7BASESACTIONSC.1 andC.2 (continued)If, within 4hours, the rod positions have not been determined, THERMAL POWER must be reduced to 50%RTP within 8hours to avoid undesirable power distributi ons that could result from continued operation at >50%RTP, if one or more rods are misaligned by more than 24steps. The allowed Completion Time of 4hours provides an acceptable period of time to verify the rod positions.

D.1.1 and D.1.2With one demand position indicator pe r bank inoperable, the rod positions can be determined by the RPI System. Since normal power operation does not require excessive movement of rods, verification by administrative means that the rod position indicat ors are OPERABLE and the most withdrawn rod and the least withdrawn rod are 12steps apart within the allowed Completion Time of once every 8hours is adequate.

D.2Reduction of THERMAL POWER to 50%RTP puts the core into a condition where rod position is not significantly affecting core peaking factor limits (Ref.2). The allowed Completion Time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> provides an acceptable period of time to veri fy the rod positions per Required ActionsD.1.1 andD.1.2 or reduce power to 50%RTP.E.1If the Required Actions cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status

, the unit must be brought to at least MODE3 within 6hours. The allowed Completion Time is reasonable, based on operating experience, for reaching the required

MODE from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.1.7.1Performing a CHANNEL CALIBRATION on each RPI channel ensures

that the RPI electronics are operating properly. This CHANNEL CALIBRATION involves injecting a test signal into the RPI electronics

and verifying or adjusting the (continued)

Rod Position Indication B 3.1.7BASESNorth Anna Units 1 and 2B 3.1.7-7Revision 46SURVEILLANCE REQUIREMENT

SSR3.1.7.1 (continued) calibration from that point forward. The CHANNEL CALIBRATION also verifies all alarms and indications, such as the Rod Bottom lights. The CHANNEL CALIBRATION does not include the coil stack, as it cannot be adjusted. The indicated RP I position is adjusted as needed to compensate for thermal drift. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section3.1.9.2.UFSAR, Chapter15.

Intentionally Blank North Anna Units 1 and 2B 3.1.8-1Revision 8Primary Grade Water Flow Path Isolation Valves B 3.1.8B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.8Primary Grade Water Flow Path Isolation ValvesBASESBACKGROUNDDuring MODES3, 4, and5 operati ons, the isolation valves for primary grade water flow paths that are conne cted to the Reactor Coolant System (RCS) must be closed to prevent unplanned boron dilution of the reactor coolant. The isolation valves must be locked, sealed, or otherwise secured in the closed position.The Chemical and Volume Control Syst em is capable of supplying borated and unborated water to the RCS th rough various flow paths. Since a positive reactivity addition made by an uncontrolled reduction of the boron concentration is inappropriate during MODES3, 4 and5, isolation of all primary grade water flow paths pr events an unplanned boron dilution.APPLICABLE SAFETY ANALYSESThe possibility of an inadvertent boron dilution event (Ref.1) occurring during MODES3, 4, or5 is precluded by adherence to this LCO, which requires that the primary grade water flow path be isolated. Closing the required valves prevents the flow of significant volumes of primary grade water to the RCS. The valves are used to isolate primary grade water flow

paths. These valves have the potential to indirectly al low dilution of the RCS boron concentration. By isolating primary grade water flow paths, a safety analysis for an uncontrolled boron dilution accident is not required for MODES3, 4 or5.The RCS boron concentration satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThis LCO requires that primary grade water be isolated from the RCS to prevent unplanned boron dilution during MODES3, 4, and5.For Unit1, primary grade water flow pa ths may be isolated from the RCS by closing valve 1-CH-217. Alternatively, 1-CH-220, 1-CH-241, 1-CH-FCV-1114B and 1-CH-FCV-1113B may be used in lieu of 1-CH-217. For Unit2, primary grade water (continued)

North Anna Units 1 and 2B 3.1.8-2Revision 8Primary Grade Water Flow Path Isolation Valves B 3.1.8BASESLCO(continued)flow paths may be isolated from the RCS by closing valve 2-CH-140. Alternatively, 2-CH-160, 2-CH-156, 2-CH-FCV-2114B, and 2-CH-FCV-2113B may be us ed in lieu of 2-CH-140.

The LCO is modified by a Note which allows the primary grade water flow path isolation valves to be opened unde r administrative control for planned boron dilution or makeup activities.APPLICABILITYThis LCO is applicable in MODES3, 4, and5 to prevent an inadvertent boron dilution event by ensuring closure of all primary grade water flow

path isolation valves.In MODE6, LCO3.9.2, "Primary Grade Water Flow Path Isolation Valves-MODE 6," requires al l primary grade water is olation valves to be closed to prevent an inadvertent boron dilution.In MODES1 and2, the boron dilution accident was analyzed and was found to be capable of being mitigated.ACTIONSA.1, A.2, and A.3 Preventing inadvertent dilution of the reactor coolant boron concentration

is dependent on maintaining the primary grade water flow path isolation valves locked, sealed, or otherwise s ecured closed, except as allowed under administrative control by the LCO Note. Because of the possibility of an

inadvertent boron dilution, Required ActionA.1 prohibits other positive

reactivity additions while securing th e isolation valves on the primary grade water system. The Completion Time of "Immediately" for

suspending positive reactivity addi tions reflects the importance of preventing known positive reactivity addi tions so that any boron dilution event can be readily identified and terminated.The Required ActionA.2 Completion Time of 15minutes for securing the isolation valves provides sufficient ti me to close and secure the isolation valves on the primary grade wate r flow paths while minimizing the probability of an unintentional dilution during the Completion Time.

Securing the valves in th e closed position ensures th at the valves cannot be inadvertently opened.

(continued)

Primary Grade Water Flow Path Isolation Valves B 3.1.8BASESNorth Anna Units 1 and 2B 3.1.8-3Revision 8ACTIONSA.1, A.2, and A.3 (continued)ConditionA has been modified by a Note to require that Required ActionA.3 be completed whenever ConditionA is entered.

The performance of Surveillance3.1.1.1 under Required ActionA.3 verifies that the SDM is within the limits provided in the COLR. It is performed to verify that the required SDM still exists and any inadvertent boron dilution that may have occurred has been detected and corrected. The Completion Time of 4hours is r easonable, based on the time required to request and analyze an RCS water sample to determine the boron concentration and to compute the SDM.SURVEILLANCE REQUIREMENT

SSR3.1.8.1The primary grade water flow path isolation valves are to be locked, sealed, or otherwise secured closed to isolate possible dilution paths. The likelihood of a significant reduction in the boron concentration during MODES3, 4, and5 is remote due to the large mass of borated water in the RCS and the fact that the specified primary grade water flow paths are isolated, precluding a dilution. The SHUTDOWN MARGIN is verified every 24hours during MODES3, 4, and5 under SR3.1.1.1. The Frequency is based on the time required to verify that the isolation valves

in the utilized flow path are locked, sealed, or otherwise secured in the closed position following a boron dilution or makeup activity.REFERENCES1.UFSAR, Section15.2.4.

Intentionally Blank North Anna Units 1 and 2B 3.1.9-1Revision 0 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.9PHYSICS TESTS Exceptions-MODE2BASESBACKGROUNDThe primary purpose of the MODE2 PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain PHYSICS TESTS to be performed.SectionXI of 10CFR50, AppendixB (Ref.1), requires that a test program be established to ensure that stru ctures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditi ons are not exceeded dur ing normal operation and anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the unit.

Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10CFR50.59 (Ref.2).

The key objectives of a test program are to (Ref.3):a.Ensure that the facility has been adequately designed;b.Validate the analytical models used in the design and analysis;c.Verify the assumptions used to predict unit response; d.Ensure that installation of equipment in the facility has been accomplished in accordance with the design; ande.Verify that the operating and emergency procedures are adequate.To accomplish these objectives, test ing is performed prior to initial criticality, during st artup, during low power operations, during power ascension, at high power, and after ea ch refueling. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the de sign predictions and that the core can be operated as designed (Ref.4).

(continued)

North Anna Units 1 and 2B 3.1.9-2Revision 0 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESBACKGROUND (continued)PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of the test ing required to ensu re that the design intent is met. PHYSICS TESTS are performed in accordance with these procedures and test re sults are approved prior to continued power escalation and long term power operation.The PHYSICS TESTS required for reload fuel cycles (Ref.5) are listed below:

a.Critical Boron Concentration-All Banks Withdrawn;b.Differential Boron Worth;c.Bank Worth;d.Isothermal Temperature Coefficient (ITC); and e.Neutron Flux Symmetry.

The first four tests are performed in MODE2, and the last test is performed in MODE1. These and other supplementary tests may be required to calibrate the nuclear instrumentation or to diagnose operational problems. These tests may cause the operating c ontrols and process variables to deviate from their LCO requireme nts during their performance.a.The Critical Boron Concentration-Control Rods Withdrawn Test measures the critical boron concen tration at hot zero power (HZP). With all rods out, the lead control ba nk is at or near its fully withdrawn position. HZP is where the core is critical (keff=1.0), and the Reactor Coolant System (RCS) is at design temperature and pressure for zero power. Performance of this test shoul d not violate any of the referenced LCOs.b.The Differential Boron Worth Test determines if the measured differential boron worth is consistent with the predicted value. With the core at HZP, the change in e quilibrium boron concentration is determined at different rod bank pos itions. As the rod bank or banks are

moved, the reactivity change is measured using a reactivity computer. The measured reactivity change is divided by the difference in

measured critical boron (continued)

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESNorth Anna Units 1 and 2B 3.1.9-3Revision 24BACKGROUNDb.(continued) concentrations to determine the differential boron worth. The insertion of the rod bank could result in violation of LCO3.1.4, "Rod Group Alignment Limits," LOC3.1.5, "Shut down Bank Insertion Limits," or LCO3.1.6, "Control Bank Insertion Limits."c.The Bank Worth Test is used to meas ure the reactivity worth of selected banks. This test is performed at HZP and has three alternative methods of performance. The first method, the Boron Exchange Method, varies the reactor coolant boron concentrat ion and moves the selected bank in response to the changing boron conc entration. The reactivity changes are measured with a reactivity computer. This sequence is repeated for the remaining banks. The second method, the Rod Swap Method, measures the worth of a predetermi ned reference bank using the Boron

Exchange Method above. The refere nce bank is then nearly fully inserted into the core. The selected ba nk is then inserted into the core as the reference bank is withdrawn. The HZP critical conditions are then determined with the selected bank fully inserted (0-2steps withdrawn) into the core. The worth of the selected bank is inferred, based on the

position of the reference bank with respect to the selected bank. This sequence is repeated as necessary for the remaining banks. The third method, the Boron Endpoint Method, moves the selected bank over its

entire length of travel and then varies the reactor coolant boron concentration to achieve HZP criticality again. The difference in boron concentration is the worth of th e selected bank. This sequence is repeated for the remaining banks. Perf ormance of this test could violate LCO3.1.4, LCO3.1.5, or LCO3.1.6.d.The ITC Test measures the ITC of the reactor. This test is performed at HZP and has two methods of perfor mance. The first method, the Slope Method, varies RCS temperature in a slow and continuous manner. The reactivity change is measured with a reactivity computer as a function of the temperature change. The ITC is the slope of the reactivity versus the temperature plot. The test is re peated by reversing the direction of the temperature change, a nd the final ITC is the av erage of two or more calculated ITCs. The second method, the Endpoint Method, (continued)

North Anna Units 1 and 2B 3.1.9-4Revision 24 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESBACKGROUNDd.(continued) changes the RCS temperature and measures the reactivity at the beginning and end of the temperature change. The ITC is the total reactivity change divided by the tota l temperature change. The test is repeated by reversing the direction of the temperature change, and the

final ITC is the average of the two or more calculated ITCs.

Performance of this test could violate LCO3.4.2, "RCS Minimum Temperature for Criticality."e.The Flux Symmetry Test measures the degree of azimuthal symmetry of the neutron flux at as low a power level as practical. The Flux Distribution Method uses the incore flux detectors to measure the azimuthal flux distributi on at selected locations with the core at 30%RTP.APPLICABLE SAFETY ANALYSESThe fuel is protected by LCOs that preserve the initial conditions of the core assumed during the safety analys es. The methods for development of the LCOs that are excepted by this LCO are described in Reference6. The above mentioned PHYSICS TE STS, and other tests that may be required to calibrate nuclear instrume ntation or to diagnose operational problems, may require the operating control or process variables to deviate from their LCO limitations.The UFSAR defines requirements for initial testing of the facility, including PHYSICS TESTS. Tables14.1-1, 14.1-2, and14.1-3 summarize the zero, low power, and power tests. Requirements for reload fuel cycle

PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1997 (Ref.4).

Although these PHYSICS TESTS are ge nerally accomplished within the limits for all LCOs, condi tions may occur when one or more LCOs must be suspended to make completion of PH YSICS TESTS possibl e or practical.

This is acceptable as long as the fuel design criteria are not violated. When one or more of the requirements specified in LCO3.1.3, "Moderator Temperature Coefficient (MTC)," LCO3.1.4, LCO3.1.5, LCO3.1.6, and LCO3.4.2 are suspended for PHYSICS TEST S, the fuel design criteria are preserved as long as the pow er level is limited to 5%RTP, the reactor coolant temperature is kept 531F, and SDM is within the limits provided in the COLR.

(continued)

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESNorth Anna Units 1 and 2B 3.1.9-5Revision 24APPLICABLE SAFETY ANALYSES(continued)The PHYSICS TESTS include measuremen t of core nuclear parameters or the exercise of control components that affect process variables. Among the process variables involved are AF D and QPTR, which represent initial conditions of the unit safety analys es. Also involved are the movable control components (control and shut down banks), which are required to shut down the reactor. The limits for these variable s are specified for each fuel cycle in the COLR. As described in LCO3.0.7, compliance with Test Exception LCOs is optional and, therefore, no criteria of 10CFR 50.36(c)(2)(ii) apply.Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.Reference7 allows special test excepti ons (STEs) to be included as part of the LCO that they affect. It was decided, however, to retain this STE as a separate LCO because it was less cumbersome and provided additional clarity.LCOThis LCO allows the reactor parameters of MTC and minimum temperature for criticality to be outside their specifi ed limits. In addition, it allows selected control and shutdown banks to be positioned outside of their specified alignment and insert ion limits. One Power Range Neutron Flux channel may be bypassed, reducing the number of required channels from "4" to "3" to provide input to the reactivity computer. Operation beyond specified limits is permitted for the purpose of performing

PHYSICS TESTS and poses no threat to fuel integrity, provided the SRs are met.The requirements of LCO3.1.3, LCO3.1.4, LCO3.1.5, LCO3.1.6, andLCO 3.4.2 may be suspended duri ng the performance of PHYSICS

TESTS provided:a.RCS lowest loop average temperature is 531F;b.SDM is within the limits provided in the COLR; andc.THERMAL POWER is 5% RTP.APPLICABILITYThis LCO is a pplicable when performing low power PHYSICS TESTS. The Applicability stated as "dur ing PHYSICS TESTS initiated in MODE2" to ensure that the 5% RTP maximum power (continued)

North Anna Units 1 and 2B 3.1.9-6Revision 24 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESAPPLICABILITY (continued) level is not exceeded. Should the THERMAL POWER exceed 5%RTP and, consequently, enter MODE 1, this Applicability statement prevents exiting the Specification and its Required Action.ACTIONSA.1 andA.2 If the SDM requirement is not met, boration must be initiated promptly. A Completion Time of 15minutes is adequate for an operator to correctly

align and start the required systems and components. The operator should begin boration with the best source available for the unit conditions.

Boration will be continued until SDM is within limit.

Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

B.1When THERMAL POWER is >5%RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent operation of the reactor

beyond its design limits. Immediately opening the RT Bs will shut down the reactor and prevent operation of the reactor outside of its design limits.

C.1When the RCS lowest T avg is <531F, the appropriate action is to restore Tavg to within its specified limit. The allowed Completion Time of 15minutes provides time for restoring T avg to within limits without allowing the unit to remain in an unacceptable condition for an extended period of time. Operation with the reactor critical and with temperature below 531F could violate the assumptions for accidents analyzed in the safety analyses.

D.1If the Required Actions and associated Completion Times cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE3 within an additional 15minutes. The Completion Time of 15additional minutes is

reasonable, based on operating experience, for reaching MODE3 in an orderly manner and without challenging unit systems.

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESNorth Anna Units 1 and 2B 3.1.9-7Revision 46SURVEILLANCE REQUIREMENT

SSR3.1.9.1 The power range and interm ediate range neutron det ectors must be verified to be OPERABLE in MODE2 by LCO3.3.1, "Reactor Trip System (RTS)

Instrumentation." A CHANNEL OPERATIONAL TEST is performed on each power range and intermediate range channel prior to initiation of the PHYSICS TESTS. This will ensure that the RTS is properly aligned to

provide the required degree of core protection during the performance of the PHYSICS TESTS. Performance of the normally scheduled COT is sufficient to ensure the equipment is OPERABLE. LCO3.3.1 requires a COT on the power range and intermediate range channels every 92days.

These Frequencies have been determined to be sufficient for verification that the equipment is working properly. Because initiation of PHYSICS TESTS does not affect the ability of the equipment to perform its function or the RTS trip capability, and does not invalidate the previous

Surveillances, requiring the testing to be performed at a fixed time prior to the initiation of PHYSICS TESTS has no benefit.SR3.1.9.2Verification that the RCS lowest loop T avg is 531F will ensure that the unit is not operating in a condition that could invalidate the safety analyses.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.1.9.3Verification that th e THERMAL POWER is 5% RTP will ensure that the unit is not operating in a condition that could invalidate the safety analyses.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.1.9.4The SDM is verified by performing a reactivity ba lance calculation, considering the following reactivity effects:

a.RCS boron concentration;b.Rod bank position; North Anna Units 1 and 2B 3.1.9-8Revision 46 PHYSICS TESTS Exceptions-MODE 2 B 3.1.9BASESSURVEILLANCE REQUIREMENT

SSR3.1.9.4 (continued)c.RCS average temperature;d.Fuel burnup based on gross thermal energy generation;e.Xenon concentration;f.Samarium concentration; g.Isothermal temperature coefficien t (ITC), when below the point of adding heat (POAH);h.Moderator Defect when above the POAH; and i.Doppler Defect when above the POAH.

Using the ITC accounts for Doppler reactivity in this calculation when the reactor is subcritical or critical but below the POAH, and the fuel temperature will be changing at the same rate as the RCS.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.10CFR50, AppendixB, SectionXI.2.10CFR50.59.3.Regulatory Guide1.68, Revision2, August,1978.

4.ANSI/ANS-19.6.1-1997, August22, 1997.

5.Letter from W.L. Stewart to NRC, "Virginia Electric and Power Company, Surry Power Station, Units1 and2, North Anna Power Station, Units1 and2, Modification of Startup Physics Testing

Program Inspector Follow-Up Item280, 281/88-29-01," dated 12/8/89.6.VEP-FRD-42-A, "Reload Nuclear Design Methodology."7.WCAP-11618, including Addendum1, April1989.

North Anna Units 1 and 2B 3.2.1-1Revision 0 FQ(Z)B 3.2.1B 3.2POWER DISTRIBUTION LIMITSB 3.2.1Heat Flux Hot Channel Factor (F Q(Z))BASESBACKGROUNDThe purpose of the limits on the values of F Q(Z) is to limit the local (i.e.,pellet) peak power density. The value of F Q(Z) varies along the axial height(Z) of the core.

FQ(Z) is defined as the maximum local fuel rod linea r power density divided by the average fuel rod linear power density, assuming nominal fuel pellet and fuel rod dimensions. Therefore, F Q(Z) is a measure of the peak fuel pellet power within the reactor core.

During power operation, the global pow er distribution is limited by LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO3.2.4, "QUADRANT POWER TILT RATIO (QPT R)," which are directly and continuously measured process variables. These LCOs, along with LCO3.1.6, "Control Bank Inse rtion Limits," mainta in the core limits on power distributions on a continuous basis.

FQ(Z) varies with fuel loading patter ns, control bank inse rtion, fuel burnup, and changes in axial power distribution.

FQ(Z) is measured periodi cally using the incore detector system. These measurements are generall y taken with the core at or near steady state conditions.

Using the measured three dimensional pow er distributions, it is possible to derive a measured value for F Q(Z), (Z). However, because this value represents a steady state condition, it does not encompass the variations in the value of F Q(Z) that are present during none quilibrium situations, such as load changes.

To account for these possible variat ions, the steady state limit for F Q(Z) is adjusted by an elevation dependent fact or that accounts for the calculated worst case transient conditions.

Core monitoring and control unde r nonsteady state conditions are accomplished by operating the core within the limits of the appropriate LCOs, including the limits on AFD, QPTR, and control rod insertion.

FQM North Anna Units 1 and 2B 3.2.1-2Revision 13 FQ(Z)B 3.2.1BASESAPPLICABLE SAFETY ANALYSESThis LCO precludes core pow er distributions that violate the following fuel design criteria:a.During a loss of coolant accide nt (LOCA), the peak cladding temperature during a small break LOCA must not exceed 2200°F, and there must be a high level of pr obability that the peak cladding

temperature does not exceed 2200°F for the large breaks (Ref.1);b.During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95DNB criterion) that the hot fuel rod in the core does not experience a departure from nucleat e boiling (DNB) condition;c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225cal/gm and irradiated fuel is limited to 200cal/gm (Ref.2); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highe st worth control rod stuck fully withdrawn (Ref.3).

Limits on F Q(Z) ensure that the value of the initial total peaking factor assumed in the accident analyses remains valid. Other criteria must also be met (e.g., maximum cladding oxida tion, maximum hydrogen generation, coolable geometry, and long term cooling). However, the peak cladding temperature is typically most limiting.

FQ(Z) limits assumed in the LOCA anal ysis are typically limiting relative to (i.e.,lowerthan) the F Q(Z) limit assumed in safety analyses for other postulated accidents. Therefore, this LCO provides conserva tive limits for other postulated accidents.

FQ(Z) satisfies Criterion2 of 10CFR50.36(c)(2)(ii).

FQ(Z)B 3.2.1BASESNorth Anna Units 1 and 2B 3.2.1-3Revision 13 LCOThe Measured Heat Flux Hot Channel Factor, (Z), shall be limited by the following relationships, as described in Reference4:

(Z) for P > 0.5 (Z) for P 0.5where:CFQ is the F Q(Z) limit at RTP provided in the COLR, K(Z) is the normalized F Q(Z) as a function of core height provided in the COLR, N(Z) is a cycle dependent f unction that accounts for power distribution transients encountered during normal operation.

N(Z) is included in the COLR; andP is the fraction of RATED THERMAL POWER defined as P =The actual values of CFQ, K(Z),

and N(Z) are given in the COLR; however, CFQ is normally approximately 2, K(Z) is a function that looks like the one provided in FigureB3.2.1-1, and N(Z) is a value greater than 1.0.An (Z) evaluation requires obtaining an incore flux map in MODE1.

From the incore flux map results we obtain the measured value of F Q(Z). Then, the measured (Z) is increased by 1.03 which is a factor that

accounts for fuel manufacturing tolerances and 1.05 which accounts for flux map measurement uncertainty (Ref.4).The FQ(Z) limits define limiting values for core power peaking that precludes peak cladding temperatures above 2200°F during a small break LOCA and assures with a high level of probability that the peak cladding temperature does not exceed 2200°F for large breaks (Ref.1).

This LCO requires operation within the bounds assumed in the safety analyses. Calculations ar e performed in the core design process to confirm that the core can be controlled in (continued)

FQMFQMCFQKZ()PNZ()--------------

-FQMCFQKZ()0.5NZ()--------------

-HERMAL POWE RTP-------------------------------------------

FQMFQM North Anna Units 1 and 2B 3.2.1-4Revision 13 FQ(Z)B 3.2.1BASESLCO(continued) such a manner during operation that it can stay within the LOCA F Q(Z) limits. If F Q(Z) cannot be maintained within the LCO limits, reduction of the core power is required.Violating the LCO limits for F Q(Z) produces unacceptable consequences if a design basis event occurs while F Q(Z) is outside its specified limits.APPLICABILITYThe F Q(Z) limits must be maintained in MODE1 to prevent core power distributions from exceeding the limits assumed in the safety analyses.

Applicability in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require a limit on the distribution of core power.ACTIONSA.1If (Z) exceeds its specified limits, reducing the AFD limit by 1% for each 1% by which (Z) exceeds its l imit within the allowed Completion Time of 15minutes, restricts the axial flux distribution such that even if a transient occurred, core peaking factors are not exceeded. The maximum AFD limits initially determined by Required ActionA.1 may be affected by subsequent determinations of (Z

) and would require AFD reductions with 15minutes of the (Z) determination, if necessary.

A.2.1Reducing THERMAL POWER by 1%RTP for each 1% by which (Z) exceeds its limit, maintains an acceptable absolute power density. The percent that (Z) exceeds the limit can be determined from: for P>0.5 for P0.5(continued)

FQMFQMFQMFQMFQMFQMmaximum over z FQMZ()CFQKZ()PNZ()------------------------

1.0-100maximum over z FQMZ()CFQKZ()0.5NZ()------------------------

1.0-

100 FQ(Z)B 3.2.1BASESNorth Anna Units 1 and 2B 3.2.1-5Revision 13ACTIONSA.2.1 (continued)

(Z) is the measured F Q(Z) multiplied by factors accounting for manufacturing tolerances and measurement uncertainties. (Z) is the measured value of F Q(Z). The Completion Time of 15minutes provides an acceptable time to reduce power in an orderly manner and without allowing the unit to remain in an unacceptable condition for an extended period of time. The maximum allowable power level initially determined by Required ActionA.2.1 may be affected by subsequent determinations of (Z) and would require power reductions within 15minutes of the (Z) determination, if necessary to co mply with the decreased maximum allowable power level. Decreases in (Z) would allow increasing the

maximum allowable power level and in creasing power up to this revised limit.A.2.2A reduction of the Power Range Ne utron Flux-High trip setpoints by 1% for each 1% by which (Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72hours is sufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER in accordance with Required ActionA

.2.1. The maximum allowable Power Range Neutron Flux-High trip setpoint s initially determined by Required ActionA.2.2 may be affected by subsequent determinations of (Z) and

would require Power Range Neutron Flux-High trip setpoint reductions within 72hours of the (Z) determina tion, if necessary to comply with the decreased maximum allowable Po wer Range Neutron Flux-High trip setpoints. Decreases in (Z) w ould allow increasing the maximum allowable Power Range Neutr on Flux-High trip setpoints.

A.2.3Reduction in the Overpower T trip setpoints (value of K

4) by 1% (in T span) for each 1% by which (Z) excee ds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72hours is sufficient considering the small likelihood of a severe transient in this time period, and the preceding prompt reduction in THERMAL POWER in accordance with Required ActionA.2.1. The (continued)

FQMFQMFQMFQMFQMFQMFQMFQMFQMFQM North Anna Units 1 and 2B 3.2.1-6Revision 13 FQ(Z)B 3.2.1BASESACTIONSA.2.3 (continued) maximum allowable Overpower T trip setpoints initially determined by Required ActionA.2.3 may be affected by subsequent determinations of (Z) and would require Overpower T trip setpoint reductions within 72hours of the (Z) determination, if necessary to comply with the decreased maximum allowable Overpower T trip setpoints. Decreases in (Z) would allow increasing the maximum Overpower T trip setpoints.

A.2.4Verification that (Z) has been restored to within its limit, by performing SR3.2.1.1 prior to increasing THERMAL POWER above the limit imposed by Required ActionA.2.1, ensu res that core conditions during operation at higher power levels are consistent with safety analyses assumptions.

B.1If Required ActionsA.1, A.2.1, A.2.2, A.2.3, orA.2.4 are not met within their associated Completion Times, the unit must be placed in a MODE or

condition in which the LCO requirement s are not applicable. This is done by placing the unit in at least MODE2 within 6hours.This allowed Completion Time is reasonable based on operating experience regarding the amount of time it takes to reach MODE2 from full power operation in an orderly manner and without challenging unit systems.SURVEILLANCE REQUIREMENT

SSR3.2.1.1 is modified by a Note. It states that THERMAL POWER may be increased until a power level for extended operation has been achieved at which a power distribution map can be obtained. This allowance is modified, however, by one of the Frequency conditions that requires verification that (Z) is within its sp ecified limit after a power rise of more than 10%RTP over the THERMAL POWER at which it was last

verified to be within specified limi ts. In the absence of this Frequency condition, it is possible to increase power to RTP and operate for 31days without verification of (Z). The Frequency condition is not intended to

require verification of these parameters after every 10%increase in power level above the last verification. It only requires (continued)

FQMFQMFQMFQMFQMFQM FQ(Z)B 3.2.1BASESNorth Anna Units 1 and 2B 3.2.1-7Revision 46SURVEILLANCE REQUIREMENT

S(continued) verification after a power level is achieved for extended operation that is 10%higher than that power at which F Q was last measured.SR3.2.1.1 The nuclear design process includes ca lculations performed to determine that the core can be operated within the F Q(Z)limits. Because flux maps are taken in steady state conditions, th e variations in power distribution resulting from normal operational mane uvers are not present in the flux map data. These variations are, however, conservatively calculated by considering a wide range of unit maneuvers in normal operation. The maximum peaking factor increase over steady state values, calculated as a function of core elevation, Z, is called N(Z).The limit with which (Z) is compared varies inversely with power above 50% RTP and N(Z) and directly with a function called K(Z) provided in the COLR.Performing this Surveillance in MODE1 prior to exceeding 75% RTP ensures that the (Z) limit is met wh en RTP is achieved, because peaking factors generally decrease as power level is increased.

If THERMAL POWER has been increased by 10%RTP since the last determination of (Z), another eval uation of this f actor is required 12hours after achieving equilibrium condi tions at this higher power level (to ensure that (Z) values are being reduced sufficiently with power increase to stay within the LCO limits).

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Flux map data are taken for multiple core elevations. (Z) evaluations are not applicable for the following axial core regions, measured in percent of core height:

a.Lower core region, from 0to15% inclusive; andb.Upper core region, from 85to100% inclusive.

FQMFQMFQMFQMFQM North Anna Units 1 and 2B 3.2.1-8Revision 13 FQ(Z)B 3.2.1BASESSURVEILLANCE REQUIREMENT

SSR3.2.1.1 (continued)

The top and bottom 15% of the core are excluded from the evaluation because of the low probability that these regions would be more limiting in the safety analyses and because of the difficulty of making a precise measurement in these regions.

This Surveillance has been modified by a Note that may require that more frequent surveillances be performe

d. An evaluation of the expression below is required to account for any increase to (Z) that may occur and cause the (Z) limit to be exceeded before the next required (Z) evaluation.If the two most recent (Z) evaluations show an increase in the expression maximum over z

,it is required to meet the (Z) limit with the last (Z) increased by the appropriate factor, or to evaluate (Z) more frequently, each 7EFPD. These alternative requirements prevent F Q(Z) from exceeding its limit without detection.REFERENCES1.10CFR50.46.2.VEP-NFE-2-A, "VEPCO Evaluation of the Control Rod Ejection Transient."3.UFSAR, Section3.1.22.4.VEP-NE-1-A, "VEPCO Relaxe d Power Distribution Control Methodology and Associated FQ Surveillance Technical Specifications."

FQMFQMFQMFQMFQMZ()KZ()-----------------

FQMFQMFQM North Anna Units 1 and 2B 3.2.1-9Revision 13 FQ(Z)B 3.2.1FigureB 3.2.1-1 (page 1 of 1)

K(Z)-Normalized F Q(Z) as a Function of Core Height(6, 1.0)(12, .925) 0.00.10.20.30.40.5 0.60.70.80.91.01.11.20123456789101112 CORE HEIGHT (FT)

K(Z)DO NOT OPERATE IN THIS AREATHIS FIGURE FOR ILLUSTRATION ONLY. DO NOT USE FOR OPERATIONCORE HEIGHT* FOR CORE HEIGHT OF 12FEETFT.(*)%16.633.350.066.783.3100 Intentionally Blank North Anna Units 1 and 2B 3.2.2-1Revision 0 B 3.2.2FHNB 3.2 POWER DISTRIBUTION LIMITSB 3.2.2Nuclear Enthalpy Rise Hot Channel Factor ()BASESBACKGROUNDThe purpose of this LCO is to es tablish limits on the power density at any point in the core so that the fuel design criteria are not exceeded and the accident analysis assumptions remain valid. The design limits on local (pellet) and integrated fuel rod peak power density are expressed in terms of hot channel factors. Control of th e core power distribution with respect to these factors ensures th at local conditions in th e fuel rods and coolant channels do not challenge core inte grity at any locat ion during either normal operation or a postulated accident analyzed in the safety analyses.

is defined as the ratio of the integral of the linear power along the fuel rod with the highest inte grated power to the average integrated fuel rod power. Therefore, is a measure of the maximum total power produced in a fuel rod.

is sensitive to fuel loading patterns, bank inse rtion, and fuel burnup. typically increases with c ontrol bank insertion and typically decreases with fuel burnup.

is not directly measurable but is inferred from a power distribution map obtained with the movable incore detector system. Specifically, the results of the three dimensional power distribution map are analyzed by a computer to determine . This fact or is calculated at least every 31EFPD. However, during power opera tion, the global power distribution is monitored by LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which address directly and continuously me asured process variables.

The COLR provides peaking factor limits that ensu re that the design basis value of the departure from nucleate boiling (DNB) is met for normal operation, operational transients, and a ny transient condition arising from events of moderate frequency. Th e DNB design basis precludes DNB and is met by limiting the minimum local DNB heat flux ratio to a value greater than the design limits. All DNB limited transient events are assumed to begin with an value that satisfies the LCO requirements.

(continued)

FHNFHNFHNFHNFHNFHNFHNFHN North Anna Units 1 and 2B 3.2.2-2Revision 13 B 3.2.2BASESFHNBACKGROUND (continued)Operation outside the LCO limits ma y produce unacceptable consequences if a DNB limiting event occurs. The DNB design basis ensures that there is no overheating of the fuel that results in possible cladding perforation with the release of fission produc ts to the reactor coolant.APPLICABLE SAFETY ANALYSESLimits on preclude core power distri butions that exceed the following fuel design limits:a.There must be at least 95% probabil ity at the 95% confidence level (the 95/95DNB criterion) that the hottest fuel rod in the core does not experience a DNB condition;b.During a loss of coolant accident (LOCA), the peak cladding temperature during a small break LOCA must not exceed 2200°F, and there must be a high level of pr obability that the peak cladding temperature does not exceed 2200°F for large breaks;c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225cal/gm and irradiated fuel is limited to 200cal/gm (Ref.1); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highe st worth control rod stuck fully withdrawn (Ref.2).For transients that may be DNB limited, the Reactor Coolant System flow, temperature, and pressure, and are th e parameters of most importance. The limits on ensure that the DNB design basis is met for normal operation, operational transients, and any transients arising from events of moderate frequency. The DNB de sign basis is met by limiting the minimum DNBR to a value which provide s a high degree of assurance that the hottest fuel rod in the core does not experience a DNB.The allowable limit increases with decreasing power level. This functionality in is included in the analyses that provide the Reactor Core Safety Limits (SLs) of SL2.1.1. Th erefore, any DNB events in which the calculation of the core limits is modeled implicitly use this variable value of in the analyses. Likewise, all transients that (continued)

FHNFHNFHNFHNFHNFHN B 3.2.2BASESFHNNorth Anna Units 1 and 2B 3.2.2-3Revision 9APPLICABLE SAFETY ANALYSES(continued)may be DNB limited are a ssumed to begin with an initial as a function of power level defined by the COLR limit equation.

The LOCA safety analysis indirectly models as an input parameter.

The Nuclear Heat Flux Hot Channel Factor (F Q(Z)) and the axial peaking factors are inserted directly into the LOCA safety analyses that verify the

acceptability of the resulting peak cladding temperature (Ref.3).The fuel is protected in part by Technical Specifications, which ensure that the initial conditions assumed in the sa fety and accident analyses remain valid. The following LCOs ensure this: LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," LCO3.1.6, "Control Bank Insertion Limits," LCO3.2.2,

"Nuclear Enthalpy Rise Hot Channel Factor ()," LCO3.2.1, "Heat Flux Hot Channel Factor (F Q(Z))," and LCO3.4.1, "RCS Pressure, Temperature, and Flow DNB Limits."

and FQ(Z) are measured periodically using the movable incore detector system. Measurements are ge nerally taken with the core at, or near, steady state conditions. Core monitoring and control under transient conditions (Condition1 events) are acc omplished by operating the core within the limits of the LCOs on AF D, QPTR, and Bank Insertion Limits. satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCO shall be maintained within the limi ts of the relationship provided in the COLR.The limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has th e highest probability for a DNB.The limiting value of , described by the equation contained in the COLR, is the design radial peaking factor used in the unit safety analyses.A power multiplication factor in this equation includes an additional margin for higher radial peaking fr om reduced thermal feedback and greater control rod insertion at low power levels.

FHNFHNFHNFHNFHNFHNFHNFHN North Anna Units 1 and 2B 3.2.2-4Revision 0 B 3.2.2BASESFHNAPPLICABILITYThe limits must be maintained in MODE1 to preclude core power distributions from exceeding the fuel design limits for DNBR and PCT.

Applicability in other modes is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power. The design bases events that are sensitive to in other modes (MODES2 through5) have sufficient margin to DNB, and therefore, there is no need to restrict in these modes.ACTIONSA.1 and A.2ConditionA is modified by a Note that requires that Required ActionsA.3 andA.4 must be completed whenever ConditionA is entered. Thus, because even if is restored to within limits, Required ActionA.3 nevertheless requires another measurement and calculation of within 24hours in accordance with SR3.2.2.1.However, if power is reduced below 50%RTP, Required ActionA.4 requires that another determination of must be done prior to exceeding 50%RTP, prior to exceeding 75%RTP, and within 24hours after reaching or exceeding 95%RTP. In addition, Required ActionA.3 is performed if power ascension is delayed past 24hours.If the value of is not restored to within its specified limit either by adjusting a misaligned rod or by reducing THERMAL POWER, the alternative option is to reduce THERMAL POWER to <50%RTP in accordance with Required ActionA.1 and reduce the Power Range

Neutron Flux-High to 55%RTP in accordance with Required ActionA.2. Reducing RTP to <50%RTP increases the DNB margin and

does not likely cause the DNBR limi t to be violated in steady state operation. The reduction in tr ip setpoints ensures th at continuing operation remains at an acceptable low power level with adequate DNBR margin.

The allowed Completion Time of 4hours for Required ActionA.1

provides an acceptable time to reach the required power level from full power operation without allowing the uni t to remain in an unacceptable condition for an extended period of time.The allowed Completion Time of 72hour s to reset the tr ip setpoints per Required ActionA.2 recognizes that, once power is reduced, the safety analysis assumptions are (continued)

FHNFHNFHNFHNFHNFHNFHN B 3.2.2BASESFHNNorth Anna Units 1 and 2B 3.2.2-5Revision 0ACTIONSA.1 and A.2 (continued)satisfied and there is no urgent need to reduce the trip setpoints. This is a sensitive operation that may inadve rtently trip the Reactor Protection System.A.3Once the power level has been reduced to <50%RTP per Required ActionA.1, an incore flux map (SR3.2.2.1) must be obtained and the measured value of verified not to ex ceed the allowed limit at the lower power level. The unit is provided 20a dditional hours to perform this task over and above the 4hours allowed by ActionA.1. The Completion Time of 24hours is acceptable because of the increase in the DNB margin, which is obtained at lower power levels, a nd the low probability of having a DNB

limiting event within this 24hour period. Additionally, operating experience has indicated that this Completion Time is sufficient to obtain the incore flux map, perform the required calculations, and evaluate .

A.4Verification that is within its specified limits after an out of limit occurrence ensures that the cause that led to the exceeding its limit is corrected, and that subsequent operation proceeds within the LCO limit. This Action demonstrates that the limit is within the LCO limits prior to exceeding 50%RTP, again prior to exceeding 75%RTP, and within 24hours after THERMAL POWER is 95%RTP.This Required Action is modified by a Note that states that THERMAL POWER does not have to be reduced prior to performing this Action.

B.1When Required ActionsA.1 throughA.4 cannot be completed within their required Completion Times, the unit must be placed in a mode in which the LCO requirements are not applicable. This is done by placi ng the unit in at least MODE2 within 6hour

s. The allowed Completion Time of 6hours is reasonable, based on opera ting experience regardi ng the time required to reach MODE2 from full power conditions in an orderly manner and

without challenging unit systems.

FHNFHNFHNFHNFHN North Anna Units 1 and 2B 3.2.2-6Revision 46 B 3.2.2BASESFHNSURVEILLANCE REQUIREMENT

SSR3.2.2.1The value of is determined by us ing the movable incore detector system to obtain a flux distributi on map. A data re duction computer program then calculates the maximum value of from the measured flux distributions. The limit contai ns an allowance of 1.04 to account for measurement uncertainty.After each refueling, must be determined in MODE1 prior to exceeding 75%RTP. This requirement ensures that limits are met at the beginning of each fuel cycle.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.VEP-NFE-2-A, "VEPCO Ev aluation of the Control Rod Ejection Transient."2.UFSAR, Section3.1.22.3.10CFR50.46.

FHNFHNFHNFHNFHN North Anna Units 1 and 2B 3.2.3-1Revision 0 AFDB 3.2.3B 3.2 POWER DISTRIBUTION LIMITSB 3.2.3AXIAL FLUX DIFFERENCE (AFD)BASESBACKGROUNDThe purpose of this LCO is to esta blish limits on the values of the AFD in order to limit the amount of axial power distributi on skewing to either the top or bottom of the core. By limit ing the amount of power distribution skewing, core peaking factors are consis tent with the assumptions used in the safety analyses. Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution control.

Relaxed Power Distribution Control (R PDC) is a calculational procedure that defines the allowed operational space of the AFD versus THERMAL POWER. The AFD limits are selected by considering a range of axial xenon distributions that may occur as a result of large variations of the AFD. Subsequently, power peaking fa ctors and power distributions are examined to ensure that the loss of coolant accident (LOCA), loss of flow

accident, and anticipated transient limits are met. Violation of the AFD limits invalidate the conclusions of the accident and transient analyses with regard to fuel cladding integrity.

The AFD is monitored on an auto matic basis using the unit process computer, which has an AFD monitor al arm. The computer determines the 1minute average of each of the OP ERABLE excore detector outputs and provides an alarm message immediat ely if the AFD for two or more OPERABLE excore channels is outside its specified limits.APPLICABLE SAFETY ANALYSESThe AFD is a measure of the axial power distribution skewing to either the top or bottom half of the core. The AFD is sensitive to many core related

parameters such as control bank posi tions, core power level, axial burnup, axial xenon distribution, a nd, to a lesser extent, react or coolant temperature and boron concentration.

The allowed range of the AFD is used in the nuclear design process to confirm that operation within these limits produces core peaking factors and axial power distributions that meet safety analysis requirements.

(continued)

North Anna Units 1 and 2B 3.2.3-2Revision 0 AFDB 3.2.3BASESAPPLICABLE SAFETY ANALYSES(continued)The RPDC methodology (Ref.1) establ ishes a xenon distribution library with tentatively wide AFD limits. Axial power dist ribution calculations are then performed to demonstrate that normal operation power shapes are acceptable for the LOCA and loss of flow accident, and for initial conditions of anticipated transients. The tentative limits are adjusted as

necessary to meet the safe ty analysis requirements.

The limits on the AFD ensure that the Heat Flux Hot Channel Factor

(FQ(Z)) is not exceeded during either normal operation or in the event of xenon redistribution follow ing power changes. The limits on the AFD also restrict the range of power distributions that are used as initial conditions in the analyses of Condition2, 3, or4 ev ents. This ensures that the fuel cladding integrity is maintained for these postulated accidents. The most important Condition4 event is the LOCA. The most important Condition3 event is the loss of flow accident. The most important Condition2 events

are uncontrolled rod withdr awal, excessive heat re moval, and boration or dilution accidents. Condition2 accidents simulated to begin from within the AFD limits are used to confir m the adequacy of the Overpower T and OvertemperatureT trip setpoints.

The limits on the AFD satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThe shape of the power profile in th e axial (i.e., the vertical) direction is largely under the control of the ope rator through the manual operation of the control banks or automatic moti on of control banks. The automatic motion of the control banks is in re sponse to temperature deviations resulting from manual operation of the Chemical and Volume Control System to change boron concentra tion or from power level changes.Signals are available to the operator from the Nuclear Instrumentation System (NIS) excore neutron detectors (Ref.2). Separate signals are taken from the top and bottom detectors. The AFD is defined as the difference in normalized flux signals between the t op and bottom excore detectors in each detector well. For convenience, this flux difference is converted to provide flux difference units expressed as a percentage and labeled as % flux or%I.(continued)

AFDB 3.2.3BASESNorth Anna Units 1 and 2B 3.2.3-3Revision 46 LCO(continued)

The AFD limits are provided in the COLR. FigureB3.2.3-1 shows typical RPDC AFD limits. The AFD limits for RPDC do not depend on the target flux difference. However, the target flux difference may be used to minimize changes in the axial power distribution.Violating this LCO on the AFD could produce unacceptable consequences if a Condition2, 3, or4 event occurs while the AFD is outside its specified limits.The LCO is modified by a Note which states that AFD shall be considered outside its limit when two or more OPERABLE excore channels indicate AFD to be outside its limit.APPLICABILITYThe AFD requirements are applicable in MODE1 greater than or equal to 50%RTP when the combination of THERMAL POWER a nd core peaking factors are of primary importance in safety analysis.

For AFD limits developed using RPDC methodology, the value of the AFD does not affect the limiting accide nt consequences with THERMAL POWER <50%RTP and for lower operating power MODES.ACTIONSA.1As an alternative to restoring the AFD to within its specified limits, Required ActionA.1 requires a THERMAL POWER reduction to

<50%RTP. This places the core in a condition for which the value of the

AFD is not important in the applicable safety analyses. A Completion Time of 30minutes is reasonable, base d on operating experience, to reach 50%RTP without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.2.3.1This Surveillance verifies that the AFD, as indicated by the NIS excore channel, is within its specified limit

s. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.

North Anna Units 1 and 2B 3.2.3-4Revision 9 AFDB 3.2.3BASESREFERENCES1.VEP-NE-1-A, "VEPCO Re laxed Power Distribution Control Methodology and Associated FQ Surveillance Technical Specifications."2.UFSAR, Chapter7.

North Anna Units 1 and 2B 3.2.3-5Revision 0 AFDB 3.2.3FigureB 3.2.3-1 (page 1 of 1)AXIAL FLUX DIFFERENCE Acceptable Operation Limits as a Function of RATED THERMAL POWER Intentionally Blank North Anna Units 1 and 2B 3.2.4-1Revision 13 QPTRB 3.2.4B 3.2 POWER DISTRIBUTION LIMITSB 3.2.4QUADRANT POWER TILT RATIO (QPTR)BASESBACKGROUNDThe QPTR limit ensures that th e gross radial power distribution remains consistent with the design values used in the safety analyses. Precise radial power distribution measurements are made during startup testing, after refueling, and periodically during power operation by using the movable incore detector system to obtain full core flux maps. Between these full core flux maps, the excore neutron detectors are used to monitor QPTR,

which is a measure of changes in th e radial power dist ribution. QPTR is defined in Section1.1 in terms of rati os of excore detector calibrated output. However, the movable incore detector system can measure changes in the relative power of symmetrically located incore locations or changes in the incore tilt, which can be used to calculate an equivalent QPTR.

The power density at any point in the co re must be limited so that the fuel design criteria are maintained. Together, LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO3.2.4, and LCO3.1.6, "Control Rod Insertion Limits," provide limits on process variable s that characterize and control the three dimensional power distribution of the reactor core.

Control of these variables ensures that the core operates within the fuel

design criteria and that the power distribution remains within the bounds used in the safety analyses.APPLICABLE SAFETY ANALYSESThis LCO precludes core pow er distributions that violate the following fuel design criteria:a.During a loss of coolant accide nt (LOCA), the peak cladding temperature during a small break LOCA must not exceed 2200°F, and there must be a high level of pr obability that the peak cladding temperature does not exceed 2200°F for large breaks (Ref.1);b.During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% c onfidence level (the 95/95 departure from nucleate boiling (DNB) criterion) th at the hot fuel rod in the core does not experience a DNB condition; (continued)

North Anna Units 1 and 2B 3.2.4-2Revision 9QPTRB 3.2.4BASESAPPLICABLE SAFETY ANALYSES(continued)c.During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225cal/gm and irradiated fuel is limited to 200cal/gm (Ref.2); andd.The control rods must be capable of shutting down the reactor with a minimum required SDM with the highe st worth control rod stuck fully withdrawn (Ref.3).The LCO limits on the AFD, the QPTR

, the Heat Flux Hot Channel Factor (FQ(Z)), the Nuclear Enthalpy Rise Hot Channel Factor (), and control bank insertion are established to pr eclude core power distributions that exceed the safety analyses limits.The QPTR limits ensure that and F Q(Z) remain below their limiting values by preventing an undetected change in the gross radial power distribution.In MODE1, the and F Q(Z) limits must be maintained to preclude core power distributions from exceeding design limits assumed in the safety analyses.The QPTR satisfies Criterion2 of 10CFR50.36(c)(2)(ii).

LCOThe QPTR limit of 1.02, at which co rrective action is re quired, provides a margin of protection for both the DNB ra tio and linear heat generation rate contributing to excessive power peak s resulting from X-Y plane power tilts. A limiting QPTR of 1.02 can be tolerated before the margin for uncertainty in F Q(Z) and () is possibly challenged.APPLICABILITYThe QPTR limit must be maintained in MODE1 with THERMAL POWER >50%RTP to prevent core pow er distributions from exceeding the design limits.Applicability in MODE1 50%RTP and in other MO DES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require the implementation of a QPTR limit on the distribution of core power. The QPTR limit in these conditions is, ther efore, not important. Note that the and FQ(Z) LCOs still apply, but allo w progressively higher peaking factors at 50%RTP or lower.

FHNFHNFHNFHNFHN QPTRB 3.2.4BASESNorth Anna Units 1 and 2B 3.2.4-3Revision 0ACTIONSA.1With the QPTR exceeding its li mit, a power level reduction of 3% from RTP for each 1% by which the QP TR exceeds 1.00 is a conservative tradeoff of total core power with peak linear power. The Completion Time of 2hours allows sufficient time to id entify the cause and correct the tilt. Note that the power reduction itself may cause a change in the tilted condition.The maximum allowable power level initially determined by Required ActionA.1 may be affected by subs equent determinations of QPTR.

Increases in QPTR would require power reduction within 2hours of QPTR determination, if necessary to co mply with the decreased maximum allowable power level. Decreases in QPTR would allow increasing the maximum allowable power level and increasing power up to the revised limit.A.2After completion of Required Action A

.1, the QPTR alarm may still be in its alarmed state. As such, any additional changes in the QPTR are detected by requiring a check of the QPTR once per 12hours thereafter. A 12hour Completion Time is sufficient becau se any additional change in QPTR would be relatively slow.

A.3The peaking factors and F Q(Z) are of primary im portance in ensuring that the power distributio n remains consistent with the initial conditions used in the safety analyses. Performing SRs on and F Q(Z) within the Completion Time of 24hours after achi eving equilibrium conditions from a THERMAL POWER reduction per Required ActionA.1 ensures that these primary indicators of power di stribution are within their respective limits. Equilibrium conditions are achieved when the core is sufficiently stable at intended operating conditions to support flux mapping. A Completion Time of 24hours after achi eving equilibrium conditions from

a THERMAL POWER reduction per Required ActionA.1 takes into consideration the rate at which peaking factors are likely to change, and the time required to stabiliz e the unit and perform a flux map. If these peaking factors are not within their limi ts, the Required Actions of these Surveillances provide an appropriate response for the abnormal condition.

(continued)

FHNFHN North Anna Units 1 and 2B 3.2.4-4Revision 0QPTRB 3.2.4BASESACTIONSA.3 (continued)If the QPTR remains above its specified limit, the peaking factor surveillances are required each 7days thereafter to evaluate and F Q(Z) with changes in power distribution.Relatively small changes are expected due to either burnup and xenon redistribution or correction of the cause for exceeding the QPTR limit.

A.4Although and F Q(Z) are of primary importance as initial conditions in the safety analyses, other changes in the power distribution may occur as the QPTR limit is exceeded and may ha ve an impact on the validity of the safety analysis. A change in the power distribution can affect such reactor parameters as bank worths and pe aking factors for rod malfunction accidents. When the QPTR exceeds its limit, it doe s not necessarily mean a safety concern exists. It does mean that there is an indication of a change in the gross radial power distribution that requires an investigation and evaluation that is accomplished by examining the incore power distribution. Specifically, the core pe aking factors and the quadrant tilt must be evaluated because they are the factors that best characterize the core power distribution. This re-evalu ation is required to ensure that, before increasing THERMAL POWER to above the limit of Required ActionA.1, the reactor core conditions are consistent with the assumptions in the safety analyses.

A.5If the QPTR has exceeded the 1.02 limit and a re-evaluation of the safety analysis is completed and shows that safety requirements are met, the excore detectors are normalized to restore QPTR to within limits prior to increasing THERMAL POWER to above the limit of Required ActionA.1. Normalization is accomplished in su ch a manner that the indicated QPTR following normalization is ne ar 1.00. This is done to detect any subsequent significant changes in QPTR.Required ActionA.5 is modified by two Notes. Note1 states that the QPTR is not restored to within limits until after the re-evaluation of the safety analysis has determined that core conditions at RTP are within the

safety analysis assumptions (i.e., Required ActionA.4). Note2 states that (continued)

FHNFHN QPTRB 3.2.4BASESNorth Anna Units 1 and 2B 3.2.4-5Revision 0ACTIONSA.5 (continued)if Required ActionA.5 is performed, the Required ActionA.6 shall be performed. Required ActionA.5 normalizes the excore detectors to restore QPTR to within limits, which restores compliance with LCO3.2.4. Thus, Note2 prevents exiting the Actions prior to completing flux mapping to

verify peaking factors, per Required ActionA.6. These notes are intended to prevent any ambiguity about the required sequence of actions.

A.6Once the flux tilt is restored to with in limits (i.e., Required Action A.5 is performed), it is acceptable to return to full power operation. However, as an added check that the core power distribution is consistent with the safety analysis assumptions, Required ActionA.6 requires verification that F Q(Z) and are within their specified limits within 24hours of reaching equilibrium conditions at RTP. As an added precaution, if the core power does not reach equilibrium conditions at RTP within 24hours, but is increased slowly, then the peaking fact or surveillances must be performed within 48hours after increasing po wer above the limit of Required ActionA.1. These Completion Times are intended to allow adequate time to increase THERMAL POWER to above the limit of Required ActionA.1, while not permitting the core to remain with unconfirmed power distributions for extended periods of time.Required ActionA.6 is modified by a Note that states that the peaking factor surveillances may only be done after the exco re detectors have been normalized to restore QPTR to within limits (i.e., Required ActionA.5). The intent of this Note is to have the peaking factor surveillances performed at operating power levels, wh ich can only be accomplished after the excore detectors are normalized to restore QPTR to within limits and the core returned to power.

B.1If Required ActionsA.1 throughA.6 are not completed within their associated Completion Times, the un it must be brought to a MODE or condition in which the requirements do not apply. To achieve this status, THERMAL POWER must be reduced to 50%RTP within 4hours. The allowed Completion Time of (continued)

FHN North Anna Units 1 and 2B 3.2.4-6Revision 46QPTRB 3.2.4BASESACTIONSB.1 (continued)4hours is reasonable, based on operati ng experience regarding the amount of time required to reach the reduced power level without challenging unit systems.SURVEILLANCE REQUIREMENT

SSR3.2.4.1SR3.2.4.1 is modified by two Notes. Note 1 allows QPTR to be calculated with three power range cha nnels if THERMAL POWER is 75%RTP and the input from one Power Range Neutr on Flux channel is inoperable. Note 2 allows performance of SR 3.2.4.2 in lieu of SR 3.2.4.1.This Surveillance verifies that th e QPTR, as indicated by the Nuclear Instrumentation System (NIS) excore channels, is within its limits. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

For those causes of QPT that occu r quickly (e.g., a dropped rod), there typically are other indications of abnor mality that prompt a verification of core power tilt.

SR3.2.4.2This Surveillance verifies that the QP TR, as determined using the movable incore detectors, is within its limits

. This Surveillance may be performed in lieu of SR3.2.4.1, as provided by a SR3.2.4.1 Note. SR3.2.4.2 is modified by a Note, which states that it is not required until 12hours after the inputs from one or more Power Range Neutron Flux channels are

inoperable and the THERMAL POWER is >75%RTP. Therefore, this Surveillance is only required to be performed when one or more Power Range Neutron Flux channels are inope rable, but may be performed to satisfy the routine monitoring of QPTR.With an NIS power range channel inoperable, tilt moni toring for a portion of the reactor core becomes degraded. Large tilts are likely detected with the remaining channels, but the capabili ty for detection of small power tilts in some quadrants is decreased. Performing SR3.2.4.2 provides an accurate alternative means for ensuring that any tilt remains within its limits.(continued)

QPTRB 3.2.4BASESNorth Anna Units 1 and 2B 3.2.4-7Revision 46SURVEILLANCE REQUIREMENT

SSR3.2.4.2 (continued)

QPTR is determined using the movabl e incore detectors performing a full core incore flux map or by monitoring two sets of four thimble locations with quarter core symmetry. The two se ts of four symmetric thimbles is a set of eight unique detector locations. These locations are C-8, E-5, E-11, H-3, H-13, L-5, L-11, andN-8. The symmetric thimble flux map can be

used to generate symmetric thimble tilt. This can be compared to a reference symmetric thimble tilt, taken from the most recent full core flux map used to normalize the excore dete ctors, to calculate QPTR. If a full core flux map is used to determine QPTR, the measured incore tilt values from the full core flux map are compared to those from the most recent full core flux map used to normalize the excore detectors. The difference between these tilt values is the QP TR for the current core conditions.

Therefore, the movable incore detectors can be used to confirm that QPTR is within limits.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.10CFR50.46.2.VEP-NFE-2-A, "VEPCO Evaluati on of the Control Rod Ejection Transient."3.UFSAR, Section3.1.22.

Intentionally Blank North Anna Units 1 and 2B 3.3.1-1Revision 0RTS Instrumentation B 3.3.1B 3.3INSTRUMENTATIONB 3.3.1Reactor Trip System (RTS) InstrumentationBASESBACKGROUNDThe RTS initiates a unit shutdown, based on th e values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is ach ieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.Technical specifications are required by 10CFR50.36 to contain LSSS defined by the regulation as "- setti ngs for automatic protective devices

- so chosen that automatic protecti ve action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Anal ytic Limit is the limit of the process variable at which a safety action is initiated, as established by the safety an alysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytic Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more

conservative than the Analytic Li mit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.The Trip Setpoint is a predetermined se tting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit and thus ensuring that the SL would not be exceeded. As such, the Trip Setpoint accounts for unc ertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g.,

repeatability), changes in the point of action of the device over time (e.g.,

drift during surveillance intervals)

, and any other factors which may influence its actual perfo rmance (e.g., harsh accident environments). In this manner, the Trip Setpoint plays an im portant role in ensuring the SLs are not exceeded. As such, (continued)

North Anna Units 1 and 2B 3.3.1-2Revision 0RTS Instrumentation B 3.3.1BASESBACKGROUND (continued)the Trip Setpoint meets the definition of an LSSS (Ref.9) and could be used to meet the requirement that they be contained in the technical specifications.Technical specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in technical specifications as

"- being capable of performing its safety function(s)." For automatic pr otective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10CFR50.36 is the same as the OPERABILITY limit for these devices. However, use of the Trip Se tpoint to define OPERABILITY in technical specifications and its corresponding designation as the LSSS required by 10CFR50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY li mit for the "as found" value of a protective device se tting during a surveillance. This would result in technical specification co mpliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic prot ective device with a setting that has been found to be different from the Trip Setpoint due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the Trip Setpoint and thus the automatic protective action would st ill have ensured that the SL would not be exceeded with the "as f ound" setting of the protective device. Therefore, the device would still be OPERABLE si nce it would have performed its safety function and the only corrective action required would be to reset the device to the Trip Setpoint to account for further drift during the next surveillance interval.Use of the Trip Setpoint to defi ne "as found" OPER ABILITY and its designation as the LSSS under the expe cted circumstances described above would result in actions required by both the rule and technical specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its

function due, for example, to greater than expected drift. This value needs to be specified in the technical specifications in order to define

OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS.

(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-3Revision 20BACKGROUND (continued)The Allowable Value specified in Table3.3.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT).

As such, the Allowable Value differs from the Trip Setpoint by an amount

primarily equal to the expected instrume nt loop uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the

device will still meet the LSSS definition and ensure that a Safety Limit is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. If the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable for a technical specification perspective. This requires corrective action in cluding those actions required by 10CFR50.36 when automatic protective devices do not function as

required. Note that, although the channel is "OPERABLE" under these

circumstances, the trip set point should be left adjust ed to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced set point methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

During AOOs, which are those events e xpected to occur one or more times during the unit life, the acceptable limits are:

1.The Departure from Nucleate Bo iling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);2.Fuel centerline melt shall not occur; and3.The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10CFR50 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10CFR50.67 limits. Different accident categories are allowed a different fraction of these limits, based on probability of (continued)

North Anna Units 1 and 2B 3.3.1-4Revision 0RTS Instrumentation B 3.3.1BASESBACKGROUND (continued)occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.The RTS instrumentation is segmented in to four distinct but interconnected modules as described in UFSAR, Chapter7 (Ref.1), and as identified below:

1.Field transmitters or process sens ors: provide a meas urable electronic signal based upon the physical characteristics of the parameter being measured;2.Signal Process Control and Pr otection System, including Analog Protection System, Nuclear Instru mentation System (NIS), field

contacts, and protection channel sets: provides signal conditioning, bistable setpoint comparison, proc ess algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscel laneous indications;3.Solid State Protection System (

SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process c ontrol and protection system; and4.Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods

," to trip, or de-energize, and fall into the core and shut down the reactor. Th e bypass breakers allow testing of the RTBs at power.

Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the ca libration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the trip setpoints and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessme nt of field transmitter or sensor as related to the channel behavi or during performance of CHANNEL CHECK.

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-5Revision 0BACKGROUND (continued)

Signal Process Control and Protection SystemGenerally, three or four channels of process control equipment are used for the signal processing of uni t parameters measured by the field instruments.

The process control equipment provi des signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter7 (Ref.1), Chapter6 (Ref.2), and Chapter15 (Ref.3). If the measured value of a unit parameter exceeds the predetermined set point, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit

parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while

others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

When a parameter is used only for i nput to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fail s, such that a partial Function trip occurs, a trip will not occur and th e Function is still OPERABLE with a one-out-of-two logic.

When a parameter is used for input to the SSPS and a co ntrol function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the

protection function actuation. Again, a si ngle failure will neither cause nor prevent the protection f unction actuation. These requi rements are described in IEEE-279-1971 (Ref.4). The actual number of channe ls required for each unit parameter is specified in Reference1.Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. Th e logic channels are designed such that testing required while the (continued)

North Anna Units 1 and 2B 3.3.1-6Revision 0RTS Instrumentation B 3.3.1BASESBACKGROUNDSignal Process C ontrol and Protection System (continued) reactor is at power may be accomplis hed without causing trip. Provisions to allow removing logic channels fr om service during maintenance are unnecessary because of the logic system's designed reliability.

Allowable Values and RTS Setpoints The trip setpoints used in the bistables are based on the analytical limits cited in Reference3. The selection of these trip setpoints is such that adequate protection is pr ovided when all sensor a nd processing ti me delays are taken into account. To allow for calibration tole rances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10CFR50.49 (Ref.5), the Allowable Values specified in Table3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits. The methodology used to calcul ate the trip setpoints and Allowable Values, including their explicit uncertainties, is cited in the "RTS/ESFAS Setpoint Methodology Study" (Ref.6) wh ich incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the de termination of each trip setpoint and corresponding Allowable Value. The trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value (LSSS) to account for measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interv al. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.The trip setpoint is the value at which the bistable is set and is the expected value to be achieved during calibration.

The trip setpoint value ensures the LSSS and the safety analysis limits are met for surveillance interval selected when a channel is adjusted based on stated channel uncertainties.

Any bistable is considered to be properly adjusted when the "as left"

setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/-rack calibration + comparator setting uncertainties). The trip (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-7Revision 0BACKGROUNDAllowable Valu es and RTS Setpoints (continued) setpoint value is therefore considered a "nominal" value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION.Trip setpoints consistent with the requirements of the Allowable Value ensure that SLs are not violated dur ing AOOs (and that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at th e onset of the AOO or DBA and the equipment functions as designed).

Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements of Table3.3.1-1. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field

instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.Solid State Protection System The SSPS equipment is used for the d ecision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide re actor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy sepa ration and independence requirements.

The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.

The SSPS performs the decision logic fo r actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the

required trip or actuation, and provi des the status, permissive, and

annunciator output signals to th e main control room of the unit.

(continued)

North Anna Units 1 and 2B 3.3.1-8Revision 0RTS Instrumentation B 3.3.1BASESBACKGROUNDSolid State Protection System (continued)

The bistable outputs from the signa l processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the uni t to a safe condition. Ex amples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.Reactor Trip SwitchgearThe RTBs are in the electrical power s upply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and

control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.

During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use.

When the required logic matrix comb ination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open. This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each RTB is also equipped with a shunt trip

attachment device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS.

Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providi ng a diverse trip mechanism.

The logic Functions are described in the functional diagrams included in Reference2. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in te sting device that can automatically test the logic Functions and the actuation devices while the unit is at power.

When any one train is taken out of se rvice for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-9Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITYThe RTS functions to maintain the SL s during all AOOs and mitigates the consequences of DBAs in all MODES in which the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.Each of the analyzed accidents and tr ansients can be detected by one or more RTS Functions. The accident anal ysis described in Reference3 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide pr otection for conditions that do not require dynamic transient analysis to demonstrate Function performance.

They may also serve as backups to RTS trip Functions that were credited in

the accident analysis.The LCO requires all instrumentation performing an RTS Function, listed in Table3.3.1-1 in the accompanying LCO, to be OPERABLE. A channel

is OPERABLE with a trip setpoint va lue outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip set point "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the

nominal trip setpoint. A tr ip setpoint may be set more conservative than the nominal trip setpoint as necessary in respons e to the unit conditions.

Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in

each logic Function, and two trains in each Automatic Trip Logic Function. Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other thr ee protection and channels. Three OPERABLE instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interact ion that could simultaneously create a need for RTS trip and disable one RTS channel. The (continued)

North Anna Units 1 and 2B 3.3.1-10 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)two-out-of-three and two-out-of-four configurations allow one channel to

be tripped during maintenance or te sting without causing a reactor trip.

Specific exceptions to the above gene ral philosophy exist and are discussed below.Reactor Trip Sy stem FunctionsThe safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1.Manual Reactor TripThe Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the au tomatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any

parameter is rapidly trending toward its trip setpoint.The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is cont rolled by a manual reactor trip switch. Each channel activates the r eactor trip breaker in both trains.

Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.In MODE1 or2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully wit hdrawn from the core. In MODE3, 4, or5, the manual initiation Function must also be

OPERABLE if one or more shut down rods or control rods are

withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE3, 4, or5, manual

initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or

control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core, or all of the rods are inserted, there is no need to be able to trip the reactor. In MODE6, neither the shutdown rods nor the control rods are pe rmitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods.

Therefore, the manual initia tion Function is not required.

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-11Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)2.Power Range Neutron FluxThe NIS power range detectors are located external to the reactor vessel and measure neutrons leak ing from the core. The NIS power range detectors provide input to the Rod Control System and the

Steam Generator (SG) Water Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiti ng further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.a.Power Range Neutron Flux-High The Power Range Neutron Flux-Hi gh trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations.

These can be caused by rod withdrawal or reductions in RCS

temperature.

The LCO requires all four of the Power Range Neutron Flux-High channels to be OPERABLE.In MODE1 or2, when a positive reactivity excursion could occur, the Power Range Neutron Flux-High trip must be

OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE3, 4, 5, or6, the NIS

power range detectors ca nnot detect neutron levels in this range.

In these MODES, the Power Ra nge Neutron Flux-High does not have to be OPERABLE because the reactor is shut down and

reactivity excursions into the power range are extremely unlikely.

Other RTS Functions and admini strative controls provide protection against reactivity additions when in MODE3, 4, 5, or6.

North Anna Units 1 and 2B 3.3.1-12 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY2.Power Range Neutron Flux (continued)b.Power Range Neutron Flux-Low The LCO requirement for the Power Range Neutron Flux-Low trip Function ensures that protec tion is provided against a positive reactivity excursion from low power conditions.

The LCO requires all four of the Power Range Neutron Flux-Low channels to be OPERABLE.In MODE1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE2, the Power Range Neutron Flux-Low trip must be OPERABLE. This Function may be manually

blocked by the operator when two out of four power range channels are greater than approxi mately 10% RTP (P-10 setpoint).

This Function is automatically unb locked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity addi tions are mitigated by the Power Range Neutron Flux-High trip Function.In MODE3, 4, 5, or6, the Power Range Neutron Flux-Low trip Function does not have to be OPERABLE because the reactor is

shut down and the NIS power ra nge detectors cannot detect neutron levels in this range.

Other RTS trip Functions and administrative controls provi de protection against positive reactivity additions or power excursions in MODE3, 4, 5, or6.3.Power Range Neutron Flux Rate The Power Range Neutron Flux Rate trips use the same channels as discussed for Function2 above.a.Power Range Neutron Flux-High Positive Rate The Power Range Neutron Flux-H igh Positive Rate trip Function ensures that protecti on is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accom panying ejection of the RCCA.

This Function compliments the Power Range Neutron (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-13Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY3.Power Range Neutron Flux Rate (continued)a.Power Range Neutron Flux-High Positive Rate (continued)

Flux-High and Low Setpoint trip Functions to ensure that the

criteria are met for a rod ej ection from the power range.

The LCO requires all four of the Power Range Neutron

Flux-High Positive Rate ch annels to be OPERABLE.In MODE1 or2, when there is a potential to add a large amount of positive reactivity from a r od ejection accident (REA), the Power Range Neutron Flux-High Po sitive Rate trip must be OPERABLE. In MODE3, 4, 5, or6, the Power Range Neutron

Flux-High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity additions. Also, since only the shutdown banks may be fully withdrawn in MODE3, 4, or5, the remaining complement of

control bank (partial withdraw al allowed) worth ensures a sufficient degree of SDM in the event of an REA. In MODE6, no rods are withdrawn and the SDM is increased during refueling

operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this mode.b.Power Range Neutron Flux-High Negative Rate The Power Range Neutron Flux-H igh Negative Rate trip Function ensures that protection is provided for multiple rod drop accidents. At high power levels

, a multiple rod drop accident could cause local flux peaking that would result in an

unconservative local DNBR. DNBR is defined as the ratio of the

heat flux required to cause a DNB at a particular location in the core to the local heat flux. The DNBR is indicative of the margin

to DNB. No credit is taken for the operation of this Function for

those rod drop accidents in which the local DNBRs will be greater than the limit.

(continued)

North Anna Units 1 and 2B 3.3.1-14 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY3.Power Range Neutron Flux Rate (continued)b.Power Range Neutron Flux-High Negative Rate (continued)

The LCO requires all four Po wer Range Neutron Flux-High Negative Rate channels to be OPERABLE.In MODE1 or2, when there is potential for a multiple rod drop accident to occur, the Power Range Neutron Flux-High Negative Rate trip must be OPERABLE. In MODE3, 4, 5, or6, the Power

Range Neutron Flux-High Negative Rate trip Function does not have to be OPERABLE because the core is not critical and DNB

is not a concern. Also, since onl y the shutdown banks may be fully withdrawn in MODE3, 4, or5, the remaining complement of

control bank (partial withdraw al allowed) worth ensures a sufficient degree of SDM in the event of an REA. In MODE6, no

rods are withdrawn and the re quired SDM is increased during refueling operations. In addition, the NIS power range detectors cannot detect neutron levels present in this MODE.4.Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that

protection is provided against an uncontrolled RCCA bank rod

withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from th e core. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may

terminate the transient and eliminate the need to trip the reactor.

The LCO requires two channels of Intermediate Range Neutron Flux

to be OPERABLE. Two OPERABLE channels are sufficient to

ensure no single random failure wi ll disable this trip Function.

(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-15Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY4.Intermediate Range Neutron Flux (continued)Because this trip Function is important only during startup, there is

generally no need to disable channels for testi ng while the Function is required to be OPERABLE. Therefor e, a third channel is unnecessary.In MODE1 below the P-10 setpoint, and in MODE2 above the P-6 setpoint, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux-High Setpoint trip and the Power Range

Neutron Flux-High Positive Rate tr ip provide core protection for a rod withdrawal accident. In MODE2 below the P-6 setpoint, the Source Range Neutron Flux Trip provides the core protection for reactivity accidents. In MODE3, 4, or5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because Source

Range Instrumentation channels provide the required reactor trip protection. The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range detectors cannot detect neutron

levels present in this MODE.5.Source Range Neutron Flux The LCO requirement for the S ource Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accide nt from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low trip Function. In MODES3, 4, and5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS sour ce range detect ors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detect ors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES3, 4, and5 when rods are

capable of withdrawal or one or more rods are not fully inserted. Therefore, the functional capability at the trip setpoint is assumed to

be available.

(continued)

North Anna Units 1 and 2B 3.3.1-16 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY5.Source Range Neutron Flux (continued)

The Source Range Neutron Flux F unction provides protection for control rod withdrawal from subcritical, bor on dilution and control rod ejection events.In MODE2 when below the P-6 setpoint and in MODES3, 4, and5 when there is a potential for an uncontrolled RCCA bank rod withdrawal accident, the Source Range Neutron Flux trip must be

OPERABLE. Two OPERABLE channels are sufficient to ensure no

single random failure will disable this trip Function. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power

Range Neutron Flux-Low Setpoint tr ip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS source range detectors are de-energ ized and inoperable.In MODES3, 4, and5 with all rods fully inserted and the Rod Control System not capable of rod withdrawal, and in MODE6, the outputs of the Function to RTS logic ar e not required OPERABLE. The requirements for the NIS source ra nge detectors to monitor core neutron levels and provide indication of reactivity changes that may

occur as a result of events lik e a boron dilution are addressed in LCO3.9.3, "Nuclear Instrumentation," for MODE6.6.Overtemperature TThe Overtemperature T trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower T trip Function must provide protection.

The inputs to the Overtemperature T trip include pressurizer pressure, coolant temperature, ax ial power distribution, and reactor

power as indicated by loop T assuming full reactor coolant flow.

Protection from violating the DN BR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function m onitors both variation in power and flow since a decrease in flow has the same effect on T as a power increase. The Overtemperature T trip(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-17Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY6.Overtemperature T (continued)

Function uses each loop's T as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:

?reactor coolant average temperature-the trip setpoint is varied to correct for changes in coolant density and specific heat capacity

with changes in coolant temperature;

?pressurizer pressure-the trip set point is varied to correct for changes in system pressure; and

?axial power distribution-f(I), the trip setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range de tectors. If axial peaks are

greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the trip setpoint is reduced in accordance with Note1 of Table3.3.1-1.

Dynamic compensation is included fo r system piping delays from the core to the temperature measurement system.

The Overtemperature T trip Function is calculated for each loop as described in Note1 of Table3.3.1-1.

Trip occurs if Overtemperature T is indicated in two loops. The pr essure and temper ature signals are used for other control functions. The actuation logic must be able to withstand an input failure to th e control system, which may then require the protection function actua tion, and a single failure in the other channels providing the protec tion function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the trip setpoint. A tu rbine runback will reduce turbine power and reactor power

. Additionally, the turb ine runback setpoint blocks automatic and manual rod withdrawal. A reduction in power will normally alleviate the Overtemperature T condition and may prevent a reactor trip.

The LCO requires all three channels of the Overtemperature T trip Function to be OPERABLE. Note that the Overtemperature T Function receives input from (continued)

North Anna Units 1 and 2B 3.3.1-18 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY6.Overtemperature T (continued) channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.In MODE1 or2, the Overtemperature T trip must be OPERABLE to prevent DNB. In MODE3, 4, 5, or6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.7.Overpower TThe Overpower T trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less

than 1% cladding strain) under al l possible overpower conditions.

This trip Function also limits the required range of the

Overtemperature T trip Function and provide s a backup to the Power Range Neutron Flux-High Set point trip. The Overpower T trip Function ensures that the allowable h eat generation rate (kW/ft) of the fuel is not exceeded. It uses the T of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:

?reactor coolant average temperature-the trip setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; and

?rate of change of reactor coolant average temperature-including dynamic compensation for the delays between the core and the temperature measurement system

. The function generated by the rate lag controller for T avg dynamic compensation is represented by the expression: 3s/1+3s. The time constant utilized in the rate lag controller for T avg is 3.The Overpower T trip Function is calculated for each loop as per Note2 of Table3.3.1-1. Trip occurs if Overpower T is indicated in two loops. Note that this Function al so provides a signa l to generate a turbine runback prior to reaching the Allowable Value. A turbine runback will reduce turbine power and reactor power.

(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-19Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY7.Overpower T (continued)Additionally, the turbine runback setpoint blocks automatic and

manual rod withdrawal. A reduction in power will normally alleviate the Overpower T condition and may prevent a reactor trip.The LCO requires three cha nnels of the Overpower T trip Function to be OPERABLE. Note that the Overpower T trip Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require en try into the Conditions applicable to all affected Functions.In MODE1 or2, the Overpower T trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned a bout the heat generation rates and overheating of the fuel. In MODE3, 4, 5, or6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel

overheating and fuel damage.8.Pressurizer Pressure The same sensors provide input to the Pressurizer Pr essure-High and

-Low trips and the OvertemperatureT trip.a.Pressurizer Pressure-Low The Pressurizer Pressure-Low trip Function ensures that

protection is provided against violating the DNBR limit due to low pressure.

The LCO requires three channels of Pressurizer Pressure-Low to be OPERABLE.

In MODE1, when DNB is a major concern, the Pressurizer Pressure-Low trip must be OP ERABLE. This trip Function is

automatically enabled on increa sing power by the P-7 interlock (NIS power range P-10 or turbine impulse pressure greater than approximately 10% of full pow er equivalent (P-13)). On decreasing power, this trip Func tion is automatically blocked below P-7. Below the P-7 setpoint, no conceivable power

distributions can occur that would cause DNB concerns.

North Anna Units 1 and 2B 3.3.1-20 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY8.Pressurizer Pressure (continued)b.Pressurizer Pressure-High The Pressurizer Pressure-High trip Function ensures that

protection is provided against overpressurizing the RCS. This trip Function operates in conjunction w ith the pressurizer relief and safety valves to prevent RCS overpressure conditions.The LCO requires three cha nnels of the Pressurizer Pressure-High to be OPERABLE.

The Pressurizer Pressure-High LSSS is selected to be below the pressurizer safety valve actuati on pressure and above the power operated relief valve (PORV) se tting. This setting minimizes challenges to safety valves while avoiding unnecessary reactor trip for those pressure increases that can be controlled by the

PORVs.In MODE1 or2, the Pressurizer Pressure-High trip must be OPERABLE to help prevent RCS overpressurization and

minimize challenges to the relief and safety valves. In MODE3, 4, 5, or6, the Pressurizer Pressure-High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the

operator will have sufficient time to evaluate unit conditions and take corrective actions. A dditionally, low temperature overpressure protection systems provide overpressure protection when below MODE4.9.Pressurizer Water Level-HighThe Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High trip and also provides protection against water relief through the pressurizer safety valves.

These valves are designed to pass steam in order to achieve their

design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. Th e LCO requires three channels of Pressurizer Water Level-High to be OPERABLE. The pressurizer

level channels are used as input to the Pressurizer Level Control

System. A fourth channel is not re quired to address control/protection (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-21Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY9.Pressurizer Water Level-High (continued)interaction concerns. The level ch annels do not actuate the safety valves, and the high pressure reactor trip is set below the safety valve

setting. Therefore, with the slow rate of charging available, pressure overshoot due to level channel failur e cannot cause the safety valve to lift before reactor high pressure trip.In MODE1, when there is a potentia l for overfilling the pressurizer, the Pressurizer Water Level-High trip must be OPERABLE. This trip Function is automatically enab led on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 set point, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit co nditions and take corrective actions.10.Reactor Coolant Flow-Low The Reactor Coolant Flow-Low trip Function ensures that protection is provided against violating the DNBR limit due to low

flow in one or more RCS loops, while avoiding reactor trips due to

normal variations in loop flow. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled.

Above the P-8 setpoint, which is a pproximately 30% RTP, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow si gnals are not used for any control system input.The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE in MODE1 above P-7.

In MODE1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core because of the higher power level. In MODE1 below the P-8 setpoint and above the P-7 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat

production to generate DNB conditions.

North Anna Units 1 and 2B 3.3.1-22 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)11.Reactor Coolant Pump (RCP) Breaker Position Both RCP Breaker Position trip Func tions operate from three pairs of auxiliary contacts, with one pa ir on each RCP breaker with one contact supplying each train. These Functions anticipate the Reactor Coolant Flow-Low trips to avoid RCS heatup that would occur

before the low flow trip actuates.

The RCP Breaker Position (Single L oop) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in one RCS loop. The position of each RCP breaker is

monitored. If one RCP breaker is open above the P-8 setpoint, a reactor trip is initiated. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Single Loop) trip setpoint is reached.The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this trip Function because the RCS Flow-Low trip alone provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to antici pate the low flow trip, minimizing the thermal transient associated with loss of a pump.

This Function measures only the disc rete position (open or closed) of the RCP breaker. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.In MODE1 above the P-8 setpoint, when a loss of flow in any RCS loop could result in DNB conditions in the core, the RCP Breaker Position (Single Loop) trip must be OPERABLE. In MODE1 below

the P-8 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip be cause of the lower power level and the greater margin to the design limit DNBR.

The RCP Breaker Position (Two L oops) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops

. The position of each RCP breaker is monitored. Above the P-7 setpoi nt and below the P-8 setpoint, a loss of flow in two or more loops will initiate a reactor (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-23Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY11.Reactor Coolant Pump (RCP) Breaker Position (continued) trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) trip setpoint is reached.

The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this Function because the RCS Flow-Low trip al one provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of an RCP.

This Function measures only the disc rete position (open or closed) of the RCP breaker. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.In MODE1 above the P-7 setpoint and below the P-8 setpoint, the RCP Breaker Position (Two Loops) trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor trip because of the higher power level and the reduced margin to the design limit DNBR.12.Undervoltage Reactor Coolant PumpsThe Undervoltage RCPs reactor trip Function ensures that protection

is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP bus is monitored.

Above the P-7 setpoint, a loss of vol tage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor C oolant Flow-Low (Two Loops) trip setpoint is reached. Time dela ys are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.

(continued)

North Anna Units 1 and 2B 3.3.1-24 Revision 8RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY12.Undervoltage Reactor Coolant Pumps (continued)

The LCO requires three Undervol tage RCPs channels to be OPERABLE. Each channel monitors one RCP bus voltage with two sensors. One sensor monitors from A to B phases, while the other sensor senses from the B to C phases.In MODE1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocke d since no conceivable power distributions could occur that woul d cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor tr ip on loss of flow in two or more RCS loops is automatically enabled.13.Underfrequency Reactor Coolant Pumps The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss

of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency c ondition will slow down the pumps, thereby reducing their coastdown ti me following a pump trip. The proper coastdown time is required so that reacto r heat can be removed immediately after reactor trip. Th e frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip befo re the Reactor Coolant Flow-Low (Two Loops) trip setpoint is reached. Time delays are incorporated

into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires three Underfrequency RCPs channels to be OPERABLE with each cha nnel monitoring one bus.In MODE1 above the P-7 setpoint

, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 se tpoint, all reactor trips on loss of flow are automatically bloc ked since no conceivable power distributions could occur that woul d cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor tr ip on loss of flow in two or more RCS loops is automatically enabled.Regarding RCP Underfrequency Testing, it should be noted that test circuits have not been installed on Unit1, therefore, such testing can only be performed on Unit2.

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-25Revision 50APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)14.Steam Generator Water Level-Low LowThe SG Water Level-Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the Auxiliary Feedwater (AFW) System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low

level in any SG is indicative of a lo ss of heat sink for the reactor. The

level transmitters provide input to the SG Level Control System.

Therefore, the actuation logic must be able to withstand an input

failure to the control system, whic h may then require the protection function actuation, and a single failur e in the other channels providing the protection function actuation. IEEE279 requirement s are satisfied by 2/3 logic for protection function actuation, thus allowing for a single failure of a cha nnel and still performing the protection function. For Unit1, the control/protection in terface is addre ssed with Steam Generator Water Level-Low, Coinci dent with Steam Flow/Feedwater

Flow Mismatch reactor trip function. For Unit2, the control/protection interaction is a ddressed by the use of the Median Signal Selector (MSS) which preven ts a single failure of a channel providing input to the control system requiring protec tive action. That is, a single failure of a channel prov iding input to the control system does not result in the control system initiating a condition requiring

protective action. The Median Signal Selector performs this by not selecting the channels i ndicating the highest or lowest steam generator levels as input to the control system. This Function also performs the

ESFAS function of starting the AFW pumps on low low SG level.The LCO requires three channels of SG Water Level-Low Low per SG to be OPERABLE. These channels for the SGs measure level with a narrow range span.In MODE1 or2, when the reactor requires a heat sink, the SG Water Level-Low Low trip must be OPERABLE. The normal source of water for the SGs is the Main Feedwater (MFW) System (not safety

related). The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. In MODE3, 4, 5, or6, the SG Water Level-Low Low Function does not have to be OPERABLE because the reactor is not operating (continued)

North Anna Units 1 and 2B 3.3.1-26 Revision 50RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)14.Steam Generator Water Level-Low Low (continued) or even critical. Decay heat re moval is normally accomplished by Main Feedwater System or AFW System in MODE3 and by the Residual Heat Removal (RHR) System in MODE4, 5, or6.15.Steam Generator Water Level-Low, Coincident With Steam Flow/Feedwater Flow Mismatch

[Unit 1 only]

SG Water Level-Low, in conjunction with the Steam

Flow/Feedwater Flow Mismatch, ensures that protection is provided against a loss of heat sink. In addi tion to a decreasing water level in the SG, the difference between feed water flow and steam flow is evaluated to determine if feedwate r flow is significantly less than steam flow. With less feedwater flow than steam flow, SG level will

decrease at a rate dependent upon the magnitude of the difference in flow rates. There are two SG level channels and two Steam

Flow/Feedwater Flow Mi smatch channels per SG. One narrow range level channel sensing a low level coincident with one Steam

Flow/Feedwater Flow Mismatch channel sensing flow mismatch (steam flow greater than feed fl ow) will actuate a reactor trip.

The LCO requires two channels of SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch.In MODE1 or2, when the reactor requires a heat sink, the SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch trip must be OPERABLE. The normal source of water for the SGs is the MFW System (not safety related). The AFW System is the safety

related backup source of water to ensu re that the SGs remain the heat sink for the reactor. In MODE3, 4, 5, or6, the SG Water Level-Low coincident with Steam Flow/Feedw ater Flow Mismatch Function does not have to be OPERABLE because the reactor is not operating or even critical. Decay heat remova l is normally accomplished by Main Feedwater System or AFW System in MODE3 and by the RHR System in MODE4, 5, or6.16.Turbine Tripa.Turbine Trip-Low Auto Stop Oil Pressure The Turbine Trip-Low Auto Stop Oil Pressure trip Function anticipates the loss of heat rem oval capabilities of the secondary system following a (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-27Revision 50APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)16.Turbine Trip (continued)a.Turbine Trip-Low Auto Stop Oil Pressure (continued) turbine trip. This trip Function acts to minimize the

pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-8 setpoint, approximately 30% power, will not actuate a reactor trip. Three pressure switches

monitor the Auto Stop oil pressure which interfaces with the Turbine Electrohydraulic Control System. A low pressure

condition sensed by two-out-of-th ree pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the turbine control system. The unit is designed to

withstand a complete loss of load and not sustain core damage or challenge the RCS pressure li mitations. Core protection is provided by the Pressurizer Pressure-High trip Function and RCS integrity is ensured by the pressurizer safety valves.The LCO requires three channels of Turbine Trip-Low Auto Stop Oil Pressure to be OPERABLE in MODE1 above P-8.Below the P-8 setpoint, a turbine trip does not actuate a reactor trip. In MODE2, 3, 4, 5, or6, there is no potential for a turbine

trip, and the Turbine Trip-Low Auto Stop Oil Pressure trip Function does not need to be OPERABLE.b.Turbine Trip-Turbine Stop Valve Closure The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat rem oval capabilities of the secondary system following a turbine trip. Any turbine trip from a power

level below the P-8 setpoint, a pproximately 30% power, will not actuate a reactor trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reacto r in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor

. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to wi thstand a complete loss of load and not (continued)

North Anna Units 1 and 2B 3.3.1-28 Revision 50RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)16.Turbine Trip (continued)b.Turbine Trip-Turbine Stop Valve Closure (continued) sustain core damage or challenge the RCS pressure limitations.

Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is en sured by the pressurizer safety valves. This trip Function is di verse to the Turbine Trip-Low Auto Stop Oil Pressure trip Function. Each turbine stop valve is

equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.

The LSSS for this Function is set to assure channe l trip occurs when the associated stop valve is completely closed.

The LCO requires four Turbin e Trip-Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE1 above P-8. All four channels must trip to cause reactor trip.

Below the P-8 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE2, 3, 4, 5, or6, there is no potential for a load rejection, and the Turbine Trip-Stop Valve Closure trip Function does not need to be OPERABLE.17.Safety Injection Input from Engineered Safety Feature Actuation SystemThe SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signa l that initiates SI. This is a condition of acceptability for the LOCA. However, other transients and accidents take credit for vary ing levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiate d every time an SI signal is present.Allowable Values are not applicable to this Function. The SI input is provided by logic in the ESFAS. Therefore, there is no measurement signal with which to associate an LSSS.

(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-29Revision 50APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)17.Safety Injection Input from Engineered Safety Feature Actuation System (continued)

The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE1 or2.

A reactor trip is initiated every time an SI signal is present. Therefore, this trip Function must be OPERABLE in MODE1 or2, when the reactor is critical, and must be shut down in the event of an accident. In MODE3, 4, 5, or6, the reactor is not critical, and this trip Function does not need to be OPERABLE.18.Reactor Trip Sy stem Interlocks Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for th e current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions unde r which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock

Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:a.Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated.

The LCO requirement for the P-6 interlock ensures that the following Functions are performed:

?on increasing power, the P-6 inte rlock allows the manual block of the NIS Source Range, Neut ron Flux reactor trip. This prevents a premature block of th e source range trip and allows the operator to ensure that the intermediate range is

OPERABLE prior to leaving the source range. When the source

range trip is blocked, the high vol tage to the detectors is also removed; and

?on decreasing power, the P-6 interlock automatically energizes

the NIS source range detectors and enables the NIS Source

Range Neutron Flux reactor trip.

(continued)

North Anna Units 1 and 2B 3.3.1-30 Revision 50RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)18.Reactor Trip System Interlocks (continued)a.Intermediate Range Neutron Flux, P-6 (continued)

The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE2 when below the P-6 interlock setpoint.

Above the P-6 interlock setpoint

, the NIS Source Range Neutron Flux reactor trip will be blocke d, and this Function will no longer be necessary.

In MODE3, 4, 5, or6, the P-6 interlock does not have to be OPERABLE because the NIS Sour ce Range is providing core protection.b.Low Power Reactor Trips Block, P-7The Low Power Reactor Trips Bloc k, P-7 interlock is actuated by input from either the Power Ra nge Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures th at the following Functions are

performed:(1)on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:

?Pressurizer Pressure-Low;

?Pressurizer Water Level-High;

?Reactor Coolant Flow-Low (l ow flow in two or more RCS loops);

?RCPs Breaker Open (Two Loops);

?Undervoltage RCPs; and

?Underfrequency RCPs.

These reactor trips are only required when operating above

the P-7 setpoint (approximate ly 10% power). The reactor trips provide protection agains t violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing

sufficient natural circulat ion without any RCP running.

(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-31Revision 50APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)18.Reactor Trip Sy stem Interlocks (continued)b.Low Power Reactor Trips Block, P-7 (continued)(2)on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:

?Pressurizer Pressure-Low;

?Pressurizer Water Level-High;

?Reactor Coolant Flow-Low (low flow in two or more

RCS loops);

?RCP Breaker Posi tion (Two Loops);

?Undervoltage RCPs; and

?Underfrequency RCPs.

Allowable Value is not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.

The P-7 interlock is a logic Func tion with train and not channel identity. Therefore, the LCO re quires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE1.

The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE2, 3, 4, 5, or6, this

Function does not have to be OPERABLE because the interlock performs its Function when pow er level increases above 10% power, which is in MODE1.c.Power Range Neutron Flux, P-8 The Power Range Neutron Flux, P-8 interlock is actuated at

approximately 30% power as dete rmined by two-out-of-four NIS

power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow-Low and RCP Breaker Position

(Single Loop) reactor tr ips on low flow in one or more RCS loops on increasing power. The LCO requirement for this Function ensures that the Turbine Trip-Low Auto Stop Oil Pressure and

Turbine Trip-Turbine Stop Valve Closure reactor trips are enabled above the P-8 setpoint. Above the P-8 setpoint, a turbine

trip will (continued)

North Anna Units 1 and 2B 3.3.1-32 Revision 50RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)18.Reactor Trip System Interlocks (continued) setpoint. Above the P-8 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is

above the P-8 setpoint, to minimize the transient on the reactor.

The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that

could result in DNB conditions in the core when greater than

approximately 30% power. On decreasing power, the reactor trip on low flow in any one loop is automatically blocked.

The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE1.In MODE1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Ne utron Flux, P-8 interlock must be OPERABLE. In MODE2, 3, 4, 5, or6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.d.Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock is actuated at

approximately 10% power, as dete rmined by two-out-of-four NIS power range detectors.

If power level falls below approximately 10%RTP on3 of 4channels, the nuclear instrument low power trips will be automatically unblocked. The LCO requirement for

the P-10 interlock ensures that the following Functions are

performed:

?on increasing power, the P-10 inte rlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reacto r trip also blocks the signal to prevent automatic and manual rod withdrawal;

?on increasing power, the P-10 inte rlock allows the operator to manually block the Power Range Neutron Flux-Low reactor

trip;?on increasing power, the P-10 inte rlock automatically provides a backup signal to block the Sour ce Range Neutron Flux reactor trip, and also to de-energize the NIS source range detectors; (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-33Revision 50APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)18.Reactor Trip Sy stem Interlocks (continued)d.Power Range Neutron Flux, P-10 (continued)

?the P-10 interlock provides one of the two inputs to the P-7

interlock; and

?on decreasing power, the P-10 interlock automatically enables

the Power Range Neutron Flux-Low reactor trip and the

Intermediate Range Neutron Fl ux reactor trip (and rod stop).

The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE1 or2.OPERABILITY in MODE1 ensures the Function is available to perform its decreasing power Func tions in the event of a reactor shutdown. This Function must be OPERABLE in MODE2 to

ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux reactor trips. In MODE3, 4, 5, or6, this Function does not have to be OPERABLE because the

reactor is not at power and the Source Range Neut ron Flux reactor trip provides core protection.e.Turbine Impulse Pressure, P-13 The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure in the first stage of th e high pressure turbine is greater than approximately 10% of the rate d full power pressure. This is determined by one-out-of-two pr essure detectors. The LCO

requirement for this Function ensure s that one of the inputs to the P-7 interlock is available.

The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE1.

The Turbine Impulse Chamber Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The

interlock Function is not required to be OPERABLE in MODE2, 3, 4, 5, or6 because the turbine generator is not operating.

North Anna Units 1 and 2B 3.3.1-34 Revision 0RTS Instrumentation B 3.3.1BASESAPPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY (continued)19.Reactor Trip BreakersThis trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Thus, the train may

consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the system configuration. Two

OPERABLE trains ensure no singl e random failure can disable the RTS trip capability.These trip Functions must be OPERABLE in MODE1 or2 when the reactor is critical. In MODE3, 4, or5, these RTS trip Functions must

be OPERABLE when the Rod Control System is capable of rod

withdrawal or one or more rods are not fully inserted.20.Reactor Trip Breaker Undervol tage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function19 above.

OPERABILITY of both trip mechanis ms on each breaker ensures that no single trip mechanism failure w ill prevent opening any breaker on a valid signal.These trip Functions must be OPERABLE in MODE1 or2 when the reactor is critical. In MODE3, 4, or5, these RTS trip Functions must

be OPERABLE when the Rod Control System is capable of rod

withdrawal or one or more rods are not fully inserted.21.Automatic Trip LogicThe LCO requirement for the RTBs (Functions19 and20) and Automatic Trip Logic (Function21) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core.

Each RTB is equipped with an undervo ltage coil and a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-35Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, and APPLICABILITY21.Automatic Trip Logic (continued) bypass breaker to allow testing of th e trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip

Logic cause the RTBs and associat ed bypass breakers to open and shut down the reactor.

The LCO requires two trains of RT S Automatic Trip Logic to be OPERABLE. Having two OPERABLE ch annels ensures that random failure of a single logic channel will not prevent reactor trip.

These trip Functions must be OPERABLE in MODE1 or2 when the reactor is critical. In MODE3, 4, or5, these RTS trip Functions must

be OPERABLE when the Rod Control System is capable of rod

withdrawal or one or more rods are not fully inserted.The RTS instrumentation satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).ACTIONSA Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditi ons of this Specification may be entered independently for each Function listed in Table3.3.1-1. When the Required Channels in Table3.3.1-1 are specified (e.g., on a per loop, per RCP, per SG, per train, etc., basis)

, then the Condition may be entered separately for each loop, RCP, SG

, train, etc., as appropriate.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected

Functions provided by that channel mu st be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.When the number of inoperable channels in a trip Function exceed those

specified in one or other related Conditions associat ed with a trip Function, then the unit is outside the safety analysis. Therefore, LCO3.0.3 must be immediately entered if applicable in the current MODE of operation.

North Anna Units 1 and 2B 3.3.1-36 Revision 0RTS Instrumentation B 3.3.1BASESACTIONS(continued)

A.1ConditionA applies to all RTS protection Functions. ConditionA addresses the situation where one or mo re required channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1 and B.2ConditionB applies to the Manual Reactor Trip in MODE1 or2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperabl e channel must be restored to OPERABLE status within 48hours. In this Condition, the remaining

OPERABLE channel is adequate to perform the safety function.The Completion Time of 48hours is r easonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.If the Manual Reactor Trip Functi on cannot be restored to OPERABLE status within the allowed 48hour Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6additional hours (54hours total time). The 6additional hours to reach MODE3 is reasonable, based on operating experience, to reach MODE3 from full power operation in an orderly ma nner and without challenging unit systems. With the unit in MODE3, ActionC would apply to any inoperable Manual Reactor Trip Function if the Rod Control System is

capable of rod withdrawal or one or more rods are not fully inserted.

C.1 and C.2ConditionC applies to the following reactor trip Functions in MODE3, 4, or5 with the Rod Control System capa ble of rod withdr awal or one or more rods not fully inserted:

?Manual Reactor Trip;

?RTBs;(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-37Revision 0ACTIONSC.1 and C.2 (continued)

?RTB Undervoltage and Shunt Trip Mechanisms; and

?Automatic Trip Logic.This action addresses the train orientat ion of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48hours. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48hour Completion Time, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, action must be initiated within 48hours to ensure that all rods are fully inserted, and the Rod

Control System must be placed in a condition incapable of rod withdrawal within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner. With rods fully inserted and the Rod Control System incapable of rod withdrawal, these Functions are

no longer required.The Completion Time is reasonable cons idering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

D.1.1, D.1.2, D.2.1, D.2.2, and D.3ConditionD applies to the Power Range Neutron Flux-High Function.The NIS power range detectors provide input to the Rod Control System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in

the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72hours allowed to place the inoperable channel in the tripped condition is justified in Reference7.

In addition to placing the inoperabl e channel in the tripped condition, THERMAL POWER must be reduced to 75% RTP within 78hours. Reducing the power level prevents operation of the core with radial power distributions beyond the design limits. With one of the NIS power range

detectors inoperable, 1/4 of the ra dial power distribution monitoring capability is lost.

(continued)

North Anna Units 1 and 2B 3.3.1-38 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSD.1.1, D.1.2, D.2.1, D.2.2, and D.3 (continued)

As an alternative to the above actions

, the inoperable cha nnel can be placed in the tripped condition within 72hours and the QPTR monitored once every 12hours as per SR3.2.4.2, QPTR verification. Calculating QPTR every 12hours compensates for the lost monitoring capability due to the

inoperable NIS power range channel a nd allows continued unit operation at power levels 75% RTP. The 72hour Completion Time and the 12hour Frequency are consistent with LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)" for the long te rm monitoring requirement.

As an alternative to the above Actions, the unit may be placed in a MODE

where this Function is no longer required OPERABLE. Seventy-eight hours are allowed to place the unit in MODE3. This is a reasonable time, based on operating experience, to reach MODE3 from full power in an

orderly manner and wit hout challenging unit systems. If Required Actionscannot be completed within their allowed Completion Times, LCO3.0.3 must be entered.

The Required Actions have been modi fied by a Note that allows placing the inoperable channel in the bypass condition for up to 12hours while performing routine surveillance testin g of other channels. The Note also allows placing the inoperable channe l in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. The 12hour time limit is justified in Reference7.

Required Action D.2.2 has been modifi ed by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capabi lity to monitor QPTR. As such, determining QPTR using the movable incore detectors once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> may not be necessary.

E.1 and E.2ConditionE applies to the foll owing reactor tr ip Functions:

?Power Range Neutron Flux-Low;

?Overtemperature T;(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-39Revision 50ACTIONSE.1 and E.2 (continued)

?Overpower T;?Power Range Neutron Fl ux-High Positive Rate;

?Power Range Neutron Fl ux-High Negative Rate;

?Pressurizer Pressure-High;

?SG Water Level-Low Low; and

?SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch. [Unit 1 only]

A known inoperable channel must be pl aced in the tripped condition within 72hours. Placing the channel in the tr ipped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72hours allo wed to place the inoperable channel in the tripped condition is justified in Reference7.If the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the unit mu st be placed in a MODE where these Functions are not required OPERABLE. An additional 6hours is allowed to place the unit in MODE3.

Six hours is a reasonable time, based on operating experience, to place the unit in MODE3 fr om full power in an orderly manner and without challenging unit systems.

The Required Actions have been modifi ed by a Note that allows placing the inoperable channel in the bypassed condition for up to 12hours while performing routine surveill ance testing of the other channels. The 12hour time limit is justified in Reference7.

F.1 and F.2ConditionF applies to the Intermedia te Range Neutron Flux trip when THERMAL POWER is above the P-6 set point and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs both monitoring and protection Functions. If THERMAL POWER is greater than the (continued)

North Anna Units 1 and 2B 3.3.1-40 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSF.1 and F.2 (continued)

P-6 setpoint but less than the P-10 setpoint, 24hours is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the

capability of the source range, P-6, a nd below the capability of the power range, P-10. If THERMAL POWER is grea ter than the P-10 setpoint, the NIS power range detectors perfor m the monitoring and protection functions and the intermediate range protection function is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE cha nnel, and the low probability of its failure during this period. This action does not require the inoperable

channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only a pplicable when channel failure does not result in reactor trip.

G.1 and G.2ConditionG applies to two inoperabl e Intermediate Range Neutron Flux trip channels in MODE2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint.

Required Actions specified in this Condition are only applicable when cha nnel failures do not result in reactor trip. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs both monitoring and protection Functions. With no intermediate ra nge channels OPERABLE, suspending the introduction into the RCS of reactivity more positive than required to

meet the SDM is required to assure continued safe operation. Introduction of coolant inventory must be from s ources that have a boron concentration greater than what would be required in the RCS for minimum SDM. This may result in an overall reductio n in RCS boron concentration, but provides acceptable margin to ma intaining subcritical operation.

Introduction of temperature changes, including temperature increases when operating with a positive MTC, must al so be evaluated to not result in reducing core reactivity below the re quired SDM. This will preclude any power level increase si nce there are no OPERABLE Intermediate Range Neutron Flux channels. The opera tor must also reduce THERMAL POWER below the P-6 setpoint with in two hours. Below P-6, the Source Range(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-41Revision 0ACTIONSG.1 and G.2 (continued)

Neutron Flux channels will be able to monitor the core power level and provides a protection function. The Completion Time of 2hours will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.Required ActionG is modified by a Note to indicate that normal plant control operations that individually a dd limited positive reactivity (e.g.,

temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action,

provided they are accounted for in the calculated SDM.

H.1ConditionH applies to one inoperabl e Source Range Neutron Flux trip channel when in MODE2, below th e P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations i nvolving positive reactivity additions shall be suspended immediately.

This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions

that add positive reactivity to the core must be suspended immediately.Required ActionH is modified by a Note to indicate that normal plant control operations that individually a dd limited positive reactivity (e.g.,

temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action,

provided they are accounted for in the calculated SDM.

I.1ConditionI applies to two inoperable Source Range Neutron Flux trip channels when in MODE2, below the P-6 setpoint, and in MODE3, 4, or5 with the Rod Control System capa ble of rod withdrawal or one or more rod not fully inserted. With th e unit in this Condition, belowP-6, the NIS source range performs the monitoring and protection functions. With both(continued)

North Anna Units 1 and 2B 3.3.1-42 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSI.1 (continued) source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition.

J.1 and J.2ConditionJ applies to one inoperable source range channel in MODE3, 4, or5 with the Rod Control System capa ble of rod withdr awal or one or more rods not fully inserted. With the unit in this Condition, belowP-6, the NIS source range performs the monitoring and protection functions. With one of the source range channels inoperable, 48hours is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, action must be initiated within the same 48hours to ensure that all rods are fully inserte d, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour. The allowance of 48hours to restore the ch annel to OPERABLE status, and the additional hour, are justified in Reference7.

K.1 and K.2Condition K applies when the required number of OPERABLE Source Range Neutron Flux channels is not met in MODES3, 4, or5 with the Rod Control System is not capable of rod withdrawal. With the unit in this Condition, the NIS source range performs the monitoring function only.

With less than the required number of source range channels OPERABLE, operations involving positive reactivit y additions shall be suspended immediately.

The SDM must be verified within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once every 12hours thereafter as per SR3.1.1.1, SDM verification. With no source range channels OPERABLE, the ability to m onitor the core is severely reduced. Verifying the SDM within 1hour allows sufficient time to perform the calculations and determine that th e SDM requirements are met. The SDM must also be verified once per 12hours thereafter to ensure that the core reactivity has not changed. Required ActionK.1 precludes any positive reactivity additions; theref ore, core reactivity s hould not be increasing, and a 12hour Frequency is adequate. The Completion Time of within 1hour and once per 12hours are (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-43Revision 0ACTIONSK.1 and K.2 (continued) based on operating experience in perf orming the Required Actions and the knowledge that unit conditions will change slowly.Required ActionK is modified by a No te which permits unit temperature changes provided the temperature change is accounted for in the calculated

SDM. Introduction of temperature changes, including temperature increases when a positive MTC exists, must be evaluated to ensure they do

not result in a loss of required SDM.

L.1 and L.2ConditionL applies to the foll owing reactor tr ip Functions:

?Pressurizer Pressure-Low;

?Pressurizer Water Level-High;

?Reactor Coolant Flow-Low;

?Undervoltage RCPs; and

?Underfrequency RCPs.With one channel inoperable, the inope rable channel must be placed in the tripped condition within 72hours. For the Pressurizer Pressure-Low, Pressurizer Water Level-High, Under voltage RCPs, a nd Underfrequency RCPs trip Functions, placing the cha nnel in the trippe d condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a r eactor trip. For the Reactor Coolant Flow-Low and RCP Breaker Position (Two Loops) trip Functions, placing the channel in the tripped c ondition results in a partial trip condition requiring only one additional channel in the same loop to initiate a reactor trip. For the latter two trip Functions, two tripped channels in two RCS loops are required to initiate a reactor trip when below the P-8

setpoint and above the P-7 setpoint.

These Functions do not have to be OPERABLE below the P-7 setpoint because there are no loss of flow trips

below the P-7 setpoint. There is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72hours allowed to place the channel in the tripped condition is justified in Reference7. An additional 6hours is allowed (continued)

North Anna Units 1 and 2B 3.3.1-44 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSL.1 andL.2 (continued)to reduce THERMAL POWER to belowP-7 if the inoperable channel cannot be restored to OPERABLE stat us or placed in trip within the specified Completion Time.

Allowance of this time interval ta kes into considerat ion the redundant capability provided by the remaini ng redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with ConditionK.

The Required Actions have been modi fied by a Note that allows placing the inoperable channel in the bypassed condition for up to 12hours while performing routine surveill ance testing of the other channels. The 12hour time limit is justified in Reference7.

M.1 and M.2ConditionM applies to the RCP Break er Position reactor trip Function.

There is one breaker position device per RCP breaker. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 72hours. If the channel cannot be restored to OPERABLE status within the 72hours, then THERMAL POWER must be reduced below the P-7 setpoint within the next 6hours.

This places the unit in a MODE wh ere the LCO is no longer applicable.

This Function does not have to be OPERABLE below the P-7 setpoint because other RTS Functions provide core protection below the P-8 setpoint. The 72hours allowed to restore the channel to OPERABLE status and the 6additional hours allowed to reduce THERMAL POWER to

below the P-7 setpoint are justified by a plant-specific risk assessment consistent with Reference7.

The Required Actions have been modi fied by a Note that allows placing the inoperable channel in the bypassed condition for up to 12hours while performing routine surveill ance testing of the other channels. The 12hour time limit is justified by a plant-specific risk assessment consistent with Reference7.

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-45Revision 0ACTIONS(continued)

N.1 and N.2ConditionN applies to Turbine Trip on Low Auto Stop Oil Pressure or on Turbine Stop Valve Closure. With one channel inoperable, the inoperable channel must be placed in the trip condition within 72hours. If placed in the tripped condition, this results in a partial trip condition requiring only one additional channel to initiate a re actor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-8 setpoint within the next 4hours. The 72hours allowed to place the inoperabl e channel in the tripped condition and the 4hours allowed for reducing power are justified in Reference7.

The Required Actions have been modifi ed by a Note that allows placing the inoperable channel in the bypassed condition for up to 12hours while performing routine surveill ance testing of the other channels. The 12hour time limit is justified in Reference7.

O.1 and O.2ConditionO applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES1 and2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24hours are allowed to restore the tr ain to OPERABLE status (Required ActionO.1) or the unit must be placed in MODE3 within the next 6hours. The Completion Time of 24hours (Required ActionO.1) is reasonable considering that in this Condition, the remaining OPERABLE train is

adequate to perform the safety function and given the low probability of an event during this interval. The Completion Time of 6hours (Required ActionO.2) is reasonable, based on operating experience, to reach MODE3 from full power in an orde rly manner and without challenging unit systems.

The Required Actions have been modifi ed by a Note that allows bypassing one train up to 4hours for surveillance testing, provided th e other train is OPERABLE.

P.1 and P.2ConditionP applies to the RTBs in MODES1 and2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 1hour is allowed to (continued)

North Anna Units 1 and 2B 3.3.1-46 Revision 0RTS Instrumentation B 3.3.1BASESACTIONSP.1 andP.2 (continued)restore the train to OPERABLE status or the unit must be placed in MODE3 within the next 6hours. The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power in an orderly manner and wi thout challenging unit systems. The 1hour and 6hour Completion Times ar e equal to the time allowed by LCO3.0.3 for shutdown actions in the event of a complete loss of RTS Function. Placing the unit in MODE3 results in ActionC entry while RTB(s) are inoperable.

The Required Actions have been modified by three Notes. Note1 allows one channel to be bypassed for up to 2hours for surveillance testing, provided the other channel is OPERABLE. Note1 applies to RTB testing that is performed independently from the corresponding logi c train testing.

For simultaneous testing of logic and RTBs, the 4hour test time limit of ConditionO applies. Note2 allows one RTB to be bypassed for up to 2hours for maintenance on undervoltage or shunt trip mechanisms if the other RTB train is OPERABLE. The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> time limit is justified in Reference7. Note3 applies to RTB test ing that is performed concurrently with the corresponding logic train test ing. For concurrent testing of the logic and RTB, the 4hour test time limit of ConditionO applies. The 4hour time limit is justified in Reference7.

Q.1 and Q.2ConditionQ applies to the P-6 and P-10 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1hour or the unit must be placed in MODE3 within the next 6hours. Veri fying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power in an orderly manner and wi thout challenging unit systems. The 1hour and 6hour Completion Times ar e equal to the time allowed by LCO3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-47Revision 0ACTIONS(continued)

R.1 and R.2ConditionR applies to the P-7, P-8, and P-13 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1hour or the unit must be placed in MODE2 within the next 6hours. Thes e actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1hour is based on operating experience and the minimum amount of time

allowed for manual operator actions. The Completion Time of 6hours is

reasonable, based on operating experience, to reach MODE2 from full power in an orderly manner and without challenging unit systems.

S.1 and S.2ConditionS applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES1 and2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48hours or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE3 within the next 6hours (54hours total time). The Completion Time of 6hours is a

reasonable time, based on operating experience, to reach MODE3 from full power in an orderly manner a nd without challenging unit systems.With the unit in MODE3, ActionC would apply to any inoperable RTB trip mechanism. The affected RTB shall not be bypassed while one of the

diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2hours for the reasons stated under ConditionP.The Completion Time of 48hours for Required ActionS.1 is reasonable considering that in this Condition there is one rema ining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low proba bility of an event occurring during

this interval.

North Anna Units 1 and 2B 3.3.1-48 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT

SThe SRs for each RTS Function are identified by the SRs column of Table3.3.1-1 for that Function.A Note has been added to the SR Table stating that Table3.3.1-1 determines which SRs apply to which RTS Functions.Note that each channel of process pr otection supplies both trains of the RTS. When testing ChannelI, TrainA and TrainB must be examined.

Similarly, TrainA and TrainB must be examined when testing ChannelII, ChannelIII, and ChannelIV. The CHANNEL CALIBRATION and COTs are performed in a manner that is cons istent with the assumptions used in analytically calculating the required channel accuracies.SR3.3.1.1Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indica ted on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parame ter should read approximately the

same value. Significant deviations between the two instrument channels could be an indication of excessive inst rument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus

, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside th e criteria, it may be an indication that the sensor or the signal processing e quipment has drifted outside its limit.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-49Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.3.1.2SR3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output. If the calorimetric heat balance calculation results exceeds the power range channel output by more than +2%RTP, the power range channel is not declared inoperabl e, but must be adjusted. The power range channel output shall be adjusted consistent with the calorimetric heat balance calculation results if the calorimetric calculation exceeds the power range channel output by more than +2% RTP. If the power range channel output cannot be properly adjusted, the channel is declared inoperable.

If the calorimetric is performed at part power (<85% RTP), adjusting the power range channel indication in th e increasing power direction will assure a reactor trip below the safety analysis limit (<118% RTP). Making no adjustment to the power range channel in the decreasing power direction due to a part power calorimetr ic assures a reactor trip consistent with the safety analyses.

This allowance does not preclude making indicated power adjustments, if desired, when the calorimetric heat balance calculation power is less than the power range channel output. To provide close agreement between indicated power and to preserve operating margin, the power range

channels are normally adjusted when ope rating at or near full power during steady-state conditions. However, discre tion must be exercised if the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric (<85% RT P). This action may introduce a non-conservative bias at higher power levels which may re sult in an NIS reactor trip above the safety analysis limit (>118% RTP)

. The cause of the non-conservative bias is the decreased accuracy of the calorimetric at

reduced power conditions. The primary e rror contributor to the instrument uncertainty for a secondary side power calorimetric m easurement is the feedwater flow measurement, which is typically a P measurement across a feedwater venturi. While the measurement uncertainty remains constant in P as power decreases, when translated into flow, the uncertainty increases as a square term. Thus a 1% flow error at 100% power can approach a 10% flow error at 30% RTP even though the P error has not changed. The ultrasoni c flow meter provides more accurate feedwater flow measurement than the existing venturis. Feedwater flow measurement from the(continued)

North Anna Units 1 and 2B 3.3.1-50 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT

SSR3.3.1.2 (continued) ultrasonic flow meter may be used to compute the secondary side power calorimetric. If feedwater ultrasonic flow meter data is used for the calorimetric at reduced flow, the accur acy is also reduced however not as

significantly as with th e feedwater venturi data. An evaluation of extended operation at part power c onditions would conclude that it is prudent to administratively adjust the set point of the Power Range Neutron Flux-High bistables when: (1)the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric below 85% RTP; or (2)for a post refueling startup. The evaluation of extended

operation at part power conditions would also conclude that the potential need to adjust the indication of the Power Range Neutron Flux in the

decreasing power direction is quite small, primari ly to address operation in the intermediate range about P-10 (nominally 10% RTP) to allow the enabling of the Power Range Neut ron Flux-Low Setpoint and the

Intermediate Range Neutron Flux reactor trips. Before the Power Range Neutron Flux-High bist ables are reset to 109% RTP, a calorimetric must be performed and the power range channels must be adjusted such that the high flux bistables will trip at £109% RTP. Consider ation must be given to calorimetric uncertainty, and its impact on decalibration of the power range channels.The Note clarifies that this Surveillan ce is required only if reactor power is 15%RTP and that 12hours are al lowed for performing the first Surveillance after reaching 15%RTP. A power level of 15% RTP is chosen based on plant stability, i.e., automatic rod control capability and turbine generator synchronized to the grid.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-51Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.3.1.3SR3.3.1.3 compares the incore system to the NIS channel output. If the absolute difference is 3%, the NIS channel is still OPERABLE, but it must be readjusted. The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is 3%. The adjustment is a recalibration of the upper and lower Power Range detectors to incorporate the results of the flux map.

If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f(I) input to the overtemperature T Function.A Note clarifies that the Surveillance is required only if reactor power is 15%RTP and that 72hours is allo wed for performing the first Surveillance after reaching 15%RTP.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.4SR3.3.1.4 is the performance of a TADOT. This test shall verify OPERABILITY by actuation of the end devices. A successful test of the

required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required fo r the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR3.3.1

.14. The test of the bypass breaker is a local shunt trip actuation. A Note has been added to indicate that this (continued)

North Anna Units 1 and 2B 3.3.1-52 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT

SSR3.3.1.4 (continued) test must be performed on the bypass breaker. The local manual shunt trip of the RTB bypass shall be conducted immediately after placing the bypass breaker into service.

This test must be conducted prior to the start of testing on the RTS or maintenance on a RTB. This checks th e mechanical operation of the bypass breaker.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.5SR3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation.

Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function, including operation of the P-7 permissive which is a logic function only.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.6SR3.3.1.6 is the performance of a TADOT. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-53Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.1.6 (continued)

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and

underfrequency relays, setpoint veri fication requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.Regarding RCP Underfrequency Testing, it should be noted that test

circuits have not been installed on Unit1, therefore, such testing can only be performed on Unit2.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.7 A COT is performed on each required channel to ensure the entire channel will perform the intended Function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.The nominal trip setpoints must be within the Allowable Values specified in Table3.3.1-1.The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shal l be left set consistent with the assumptions of the current unit specific setpoint methodology.

SR 3.3.1.7 is modified by a Note that provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this Surveill ance for source range instrumentation when entering MODE 3 from MODE2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs

closed for > 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> this Surveillance must be performed prior to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />

after entry into MODE 3.

(continued)

North Anna Units 1 and 2B 3.3.1-54 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT

SSR3.3.1.7 (continued)

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.8SR3.3.1.8 is the performance of a COT as described in SR3.3.1.7, except it is modified by a Note that this test shall include verification that the P-6 and P-10 interlocks are in their required state for the existing unit condition. A successful test of the requ ired contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the

other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable ex tensions. The Frequency is modified by a Note that allows this surveillan ce to be satisfied if it has been performed within the frequency specified in the Surveillance Frequency Control Program of the Frequencies prior to reactor startup and four hours

after reducing power below P-10 and P-6. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations

and applies to the source, intermedia te and power range low instrument channels. The Frequency of "12hour s after reducing power below P-10" (applicable to intermediate and power range low channels) and "4hours after reducing power below P-6" (appl icable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this survei llance without a delay to perform the testing required by this surveillance.

The Frequency applies if the unit remains in the MODE of Applicability after the initial performances of prior to reactor startup and twelve and four hours after reducing power below P-10 orP-6, respectively. The MODE of Applicability for this surveillance is <P-10 for the power range low and intermediate range channels and <P-6 for the source ra nge channels. Once the unit is in MODE3, this surveillance is no longe r required. If power is to be maintained <P-10 for more than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or < P-6 for more than 4hours, then the testing required by this surveillance must be performed prior to the

expiration of the time limit.

(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-55Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.1.8 (continued)Twelve hours and four hours are reasona ble times to complete the required testing or place the unit in a MODE wh ere this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (<P-10 or <P-6) for periods >12 and 4hours, respectively. Verification of the surveillance is

accomplished by observing the perm issive annunciator windows on the Main Control board. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.9SR3.3.1.9 is a comparison of the excore ch annels to the incore channels. If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore detector measurements.

If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(I) input to the overtemperature T Function.Two notes modify SR3.3.1.9. Note1 indicates that the excore NIS channels shall be adjusted if the absolute difference between the incore and excore is 3%. Note2 states that this Su rveillance is required only if reactor power is 50% RTP and that 72hours is allowed for performing the first surveillance after reaching 50%RTP.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.10A CHANNEL CALIBRATION is performed every 18months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.CHANNEL CALIBRATIONS must be pe rformed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values a nd the previous test "as left" values must be consistent with the drif t allowance used in the setpoint methodology.

(continued)

North Anna Units 1 and 2B 3.3.1-56 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT

SSR3.3.1.10 (continued)

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.10 is modified by a Note stati ng that this test shall include verification that the time constants are adjusted to the prescribed values where applicable.

SR3.3.1.11SR3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR3.3.1.10. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the po wer range neutron detectors consists of a normalization of the de tectors based on a power calorimetric and flux map performed above 15% RTP. The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists of obtaining the dete ctor plateau or preamp discriminator curves, evaluating those curves, and comparing those curves to the manufacturer's data. This Surveillan ce is not required for the NIS power range detectors for entry into MODE2 or1, and is not required for the NIS intermediate range detectors for entry into MODE2, because the unit must be in at least MODE2 to perform the test for the intermediate range detectors and MODE1 for the power range detectors. The Surveillance

Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.12SR3.3.1.12 is the performance of a CHANNEL CALIBRATION, as described in SR3.3.1.10. Whenever a sensin g element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detector (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.This test will verify the dynamic comp ensation for flow from the core to the RTDs. The OTT function is lead/lag compensated and the OPT function is rate/lag compensated.

(continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-57Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.1.12 (continued)

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.13SR3.3.1.13 is the performance of a COT of RTS interlocks. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERAT IONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Techni cal Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.1.14SR3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip, RCP Breaker Position, and the SI Input from ESFAS. A successful test of

the required contact(s) of a channe l relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable

because all of the other required contact s of the relay are verified by other Technical Specifications and non-Technical Specifi cations tests at least once per refueling interval with applicable extensions. The test shall independently verify the OPERABIL ITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip

Breakers and undervoltage trip mechanism for the Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall incl ude testing of the automatic undervoltage trip.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

North Anna Units 1 and 2B 3.3.1-58 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT

SSR3.3.1.14 (continued)

The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with

them.SR3.3.1.15SR3.3.1.15 is the performance of a TADOT of Turbine Trip Functions. A successful test of the required co ntact(s) of a channel relay may be performed by the verification of the cha nge of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This TADOT is performed prior to exceeding the P-8 interlock whenever the unit has been in MODE3. Th is Surveillance is not required if

it has been performed within the fre quency specified in the Surveillance Frequency Control program. Verification of the trip setpoint does not have to be performed for this Surveillance. Performance of this test will ensure

that the turbine trip Function is OPERABLE prior to exceeding the P-8 interlock.SR3.3.1.16SR3.3.1.16 verifies that the individual channel/train ac tuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing a cceptance criteria are included in Technical Requirements Manual (Ref.8

). Individual component response

times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip se tpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e.,

control and shutdown rods fully inserted in the reactor core).

For channels that include dynamic tr ansfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured re sponse time compared to the appropriate UFSAR response time as listed in the TRM. Alternately, the response time test can be performed with the time constants se t to their nominal value, provided the required response (continued)

RTS Instrumentation B 3.3.1BASESNorth Anna Units 1 and 2B 3.3.1-59Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.1.16 (continued)time is analytically calculated assumi ng the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the en tire response time is measured.

Response time may be veri fied by actual response time tests in any series of sequential, overlapping or tota l channel measurements, or by the summation of allocated sensor, sign al processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor re sponse times may be obtained from: (1)historical records ba sed on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2)i n place, onsite, or offsite (e.g., vendor) test measurements, or (3)utilizing vendor engineering specifications. WCAP-13632-P-A Revision2, "Eliminati on of Pressure Sensor Response Time Testing Requirements" (Ref.10) provides the basis and methodology for using allocated sensor response time s in the overall verification of the channel response time for specific sensors identified in the WCAP.

Response time verification for other se nsor types must be demonstrated by test.WCAP-14036-P-A Revision1 "Elimi nation of Periodic Protection Channel Response Time Tests" (Ref.11) provides the basis and the methodology for using allocated signa l processing and actuation logic response times in the overall verificat ion of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not

impact response time provided the parts used for repair are of the same type and value. Specific component s identified in the WCAP may be replaced without verification testing. One exampl e where response time could be affected is replacing the sensing assembly of a transmitter.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

North Anna Units 1 and 2B 3.3.1-60 Revision 46RTS Instrumentation B 3.3.1BASESSURVEILLANCE REQUIREMENT

SSR3.3.1.16 (continued)SR3.3.1.16 is modified by a Note stat ing that neutron detectors are excluded from RTS RESPONSE TIME te sting. This Note is necessary because of the difficulty in generating an appropriate detector input signal.

Response of neutron flux signal porti on of the channel time shall be measured from the detector or input of the first electronic component in the channel. Excluding the detectors is acce ptable because the principles of detector operation ensure a vi rtually instantaneous response.REFERENCES1.UFSAR, Chapter7.2.UFSAR, Chapter6.3.UFSAR, Chapter15.

4.IEEE-279-1971.

5.10CFR50.49.

6.RTS/ESFAS Setpoint Methodology Study (Technical ReportEE-0116).7.WCAP-10271-P-A, Supplement1, Rev.1, June1990 and WCAP-14333-P-A, Rev.1, October1998.8.Technical Requirements Manual.

9.Regulatory Guide1.105, Revision3, "Setpoints for Safety Related Instrumentation."10.WCAP-13632-P-A, Revision2, "El imination of Pressure Sensor Response Time Testing Requirements," January1996.11.WCAP-14036-P-A, Revision1, "El imination of Periodic Protection Channel Response Time Tests," December1995.

North Anna Units 1 and 2B 3.3.2-1Revision 0ESFAS Instrumentation B 3.3.2B 3.3 INSTRUMENTATIONB 3.3.2Engineered Safety Feature Actuation System (ESFAS) InstrumentationBASESBACKGROUNDThe ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect ag ainst violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

?Field transmitters or process sens ors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;

?Signal processing equipment includi ng analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comp arison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications; and

?Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdow n or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal pro cess control and protection system.The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for ESFAS action to prevent exceeding acceptable limits such that the consequences of Design Basis Accide nts (DBAs) will be acceptable. The Allowable Value is considered a limiti ng value such that a channel is OPERABLE if the set point is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT).

Note that, although a channel is "OPE RABLE" under these circumstances, the ESFAS setpoint must be left adjusted to within the established calibration tolerance band of the ESFA S setpoint in accordance with the uncertainty assumptions stated in the referenced setpoint methodology, (as-left criteria) and confirmed to be operating within the statistical

allowances of the uncertainty terms assigned.

North Anna Units 1 and 2B 3.3.2-2Revision 0ESFAS Instrumentation B 3.3.2BASESBACKGROUND (continued)

Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field tr ansmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases,

the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowa nces are provided in the Allowable Values. The OPERABILITY of each tran smitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

Signal Processing EquipmentGenerally, three or four channels of process contro l equipment are used for the signal processing of uni t parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments loca ted on the main control board, and comparison of measured i nput signals with setpoint s established by safety analyses. These setpoints are defined in UFSAR, Chapter6 (Ref.1), Chapter7 (Ref.2), and Chapter15 (Ref.3

). If the measured value of a unit parameter exceeds the predetermined set point, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit

parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while

others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.These requirements are described in IEEE-279-1971 (Ref.4). The actual number of channels required for each unit parameter is specified in Reference2.

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-3Revision 0BACKGROUND (continued)

Allowable Values and ESFAS Setpoints The trip setpoints used in the bistables are summarized in Reference6. The selection of these trip se tpoints is such that ade quate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instru mentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10CFR50.49 (Ref.5), the Allowable Values specified in Table3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Value and ESFAS

setpoints including their explicit uncertainties, is provided in the unit

specific setpoint methodology study (Ref.6) which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered

into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by the COT. The Allowable Value serves as the T echnical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in

measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS setpoint value ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties.

Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., calibra tion tolerance uncertainties). The ESFAS setpoint value is therefore considered a "nominal" value (i.e.,

expressed as a value without inequali ties) for the purposes of the COT and CHANNEL CALIBRATION.

Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equi pment functions as designed.

(continued)

North Anna Units 1 and 2B 3.3.2-4Revision 0ESFAS Instrumentation B 3.3.2BASESBACKGROUNDAllowable Valu es and ESFAS Setpoints (continued)

Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Table3.3.2-1. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field

instrument signal. The process equipment for the channel in test is then

tested, verified, and calibrated. SRs for the channels are specified in the SR section.Solid State Protection System The SSPS equipment is used for the d ecision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or place d in test, a reactor trip will result.

Each train is packaged in its ow n cabinet for physi cal and electrical separation to satisfy separatio n and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation;

and provides the status, permissive, and annunciator output signals to the

main control room of the unit.

The bistable outputs from the signa l processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various tr ansients. If a required logic matrix combination is completed, the syst em will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore th e unit to a safe condition.

Examples are given in the Applic able Safety Analyses, LCO, and Applicability secti ons of this Bases.

Each SSPS train has a built in testing de vice that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other (continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-5Revision 0BACKGROUNDSolid State Protection System (continued) train is capable of providing unit moni toring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of ESF components is accomplished th rough master and slave relays. The SSPS energizes the ma ster relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not

interfere with continued unit operation. For the latter case, actual

component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is ve rified by a continuity check of the circuit containing the slave relay.APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITYEach of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function ma y be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal fo r one or more other accidents. For example, Pressurizer Pressure-LowLow is a primary ac tuation signal for small loss of coolant accidents (LOC As) and a backup actuation signal for steam line breaks (SLBs) outside c ontainment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for

conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref.3).The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. A channel is OPERABLE with a trip setpoint value outside its calibration tolerance band provide d the trip setpoint "as-found" value does not exceed (continued)

North Anna Units 1 and 2B 3.3.2-6Revision 0ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY (continued)its associated Allowable Value and pr ovided the trip setpoint "as-left" value is adjusted to a value within the calibration tolerance band of the nominal trip setpoint. A tr ip setpoint may be set more conservative than the nominal trip setpoint as necessary in response to unit conditions. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped or bypassed during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are require d to ensure no single random failure disables the ESFAS.The required channels of ESFAS instru mentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:

1.Safety Injection Safety Injection (SI) prov ides two primary functions:1.Primary side water addition to en sure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to <2200F); and2.Boration to ensure recovery and maintenance of SDM.These functions are necessary to mi tigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initia te other Functions such as:

?PhaseA Isolation;

?Reactor Trip;

?Turbine Trip;

?Feedwater Isolation;

?Start of all auxiliary feedwater (AFW) pumps; ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-7Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY1.Safety Injection (continued)

?Control room ventilat ion isolation; and

?Enabling automatic switchover of Emergency Core Cooling

Systems (ECCS) suction to containment sump.

These other functions ensure:

?Isolation of nonessential systems through containment penetrations;

?Trip of the turbine and reactor to limit power generation;

?Isolation of main feedwater (MFW

) to limit secondary side mass losses;?Start of AFW to ensure sec ondary side cooling capability;

?Isolation of the control room to ensure habitability; and

?Enabling ECCS suction from the refueling water storage tank (RWST) switchover on lowlow RWST level to ensure continued

cooling via use of the containment sump.a.Safety Injection-Manual InitiationThe LCO requires one channel per train to be OPERABLE. The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all

components in the same manner as any of the automatic actuation signals.The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS

actuation circuitry to ensure the operator has manual ESFAS initiation capability.

Each channel consists of one switch and the interconnecting wiring to the actuation logic cabin et. Each switch actuates both trains. This configuration does not allow testing at power.

North Anna Units 1 and 2B 3.3.2-8Revision 0ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY1.Safety Injection (continued)b.Safety Injection-Automatic Actuation Logic and Actuation RelaysThis LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay cont acts responsible for actuating the ESF equipment.

Manual and automatic initiation of SI must be OPERABLE in MODES1, 2, and3. In these MODES, there is sufficient energy

in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE4 even though automatic actuation is not required.

Automatic actuation logic and actuation relays must be

OPERABLE in MODE 4 to support system manual initiation. In

this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the

large number of components ac tuated on a SI, actuation is simplified by the use of the manual actuation switches.

These Functions are not required to be OPERABLE in MODES5 and6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit pressure

and temperature are very lo w and many ESF components are administratively locked out or otherwise prevented from actuating

to prevent inadvertent overpre ssurization of unit systems.c.Safety Injection-Containment Pressure-High This signal provides protection ag ainst the following accidents:

?SLB inside containment;

?LOCA; and

?Feed line break inside containment.

(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-9Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY1.Safety Injection (continued)c.Safety Injection-Containment Pressure-High (continued)

Containment Pressure-High provi des no input to any control

functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements wi th a two-out-of-three logic. The transmitters (d/p cells) and el ectronics are located outside of

containment with the sensing lin e (high pressure side of the transmitter) located inside containment.Thus, the high pressure Function will not experience any adverse environmental conditions and the trip setpoint reflects only steady

state instrument uncertainties.

Containment Pressure-High must be OPERABLE in MODES1, 2, and3 when there is sufficie nt energy in the primary and secondary systems to pressurize th e containment following a pipe break. In MODES4, 5, and6, there is insufficient energy in the

primary or secondary systems to pressurize the containment.d.Safety Injection-Pressurizer Pressure-LowLow This signal provides protection ag ainst the following accidents:

?Inadvertent opening of a steam generator (SG) relief or safety valve;?SLB;?A spectrum of rod cluster control assembly ejection accidents (rod ejection);

?Inadvertent opening of a pressuri zer relief or safety valve;

?LOCAs; and

?SG Tube Rupture.

(continued)

North Anna Units 1 and 2B 3.3.2-10 Revision 0ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY1.Safety Injection (continued)d.Safety Injection-Pressurizer Pressure-LowLow (continued)

Three channels are required to sa tisfy the requirements with a two-out-of-three logic. North Anna design utilizes dedicated protection and control channe ls, and only three protection channels are necessary to satisfy the protective requirements.The transmitters are located inside containment, with the taps in the vapor space region of the pr essurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB

inside containment, rod ejection)

. Therefore, the trip setpoint reflects the inclusion of bot h steady state and adverse environmental instrument uncertainties.

This Function must be OPERABLE in MODES1, 2, and3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure-High signal.This Function is not required to be OPERABLE in MODE3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF system s in this MODE. In MODES4, 5, and6, this Function is not needed for accident

detection and mitigation.e.Steam Line Pressure-High Differential Pressure Between Steam LinesSteam Line Pressure-High Differential Pressure Between Steam Lines provides protection agai nst the following accidents:

?SLB;?Feed line break; and

?Inadvertent opening of an SG relief or an SG safety valve.

(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-11Revision 0APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY1.Safety Injection (continued)e.Steam Line Pressure-High Differential Pressure Between Steam Lines (continued)

Steam Line Pressure-High Differential Pressure Between Steam Lines provides no input to any control functions. Thus, three OPERABLE channels on each steam li ne are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.

With the transmitters located away from the steam lines, it is not possible for them to experience adverse environm ental conditions during an SLB event. The trip se tpoint reflects only steady state instrument uncertainties. Steam li ne high differential pressure must be OPERABLE in MODES1, 2, and3 when a secondary

side break or stuck open valv e could result in the rapid

depressurization of the steam line(s

). This Function is not required to be OPERABLE in MODE4, 5, or6 because there is not

sufficient energy in the secondary side of the unit to cause an

accident.f. g.Safety Injection-High St eam Flow in Two Steam Lines Coincident With T avg-LowLow or Coincident With Steam Line Pressure-LowThese Functions(1.f and1.g) provide protection against the

following accidents:

?SLB; and?the inadvertent opening of an SG relief or an SG safety valve.

Two steam line flow channels per steam line are required OPERABLE for these Functions. Th e steam line flow channels are combined in a one-out-of-tw o logic to indicate high steam flow in one steam line. The steam flow transmitters provide

control inputs, but the control function cannot cause the events that the Function must protect ag ainst. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow (continued)

North Anna Units 1 and 2B 3.3.2-12 Revision 0ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY1.Safety Injection (continued)f. g.Safety Injection-High St eam Flow in Two Steam Lines Coincident With T avg-LowLow or Coincident With Steam Line Pressure-Low (continued) channel is not sufficient to ca use initiation. High steam flow in two steam lines is acceptable in the case of a single steam line fault due to the fact that the rema ining intact steam lines will pick up the full turbine load. The increased steam flow in the remaining intact lines will actuate the re quired second high steam flow trip. Additional protection is provided by Function1.e, High Differential Pressure Between Steam Lines.

One channel of T avg per loop and one channe l of low steam line pressure per steam line are required OPERABLE. For each parameter, the channels for all loops or steam lines are combined in a logic such that two channels tripped will cause a trip for the parameter. The low steam line pressure channels are combined in

two-out-of-three logic. Thus, th e Function trips on one-out-of-two high flow in any two-out-of-th ree steam lines if there is one-out-of-one lowlow T avg trip in any two-out-of-three RCS loops, or if there is a one-out-o f-one low pressure trip in any two-out-of-three steam lines. Sinc e the accidents that this event protects against cause both low steam line pressure and lowlow Tavg, provision of one channel per loop or steam line ensures no single random failure ca n disable both of these Functions. The steam line pressure channels provide no control inputs. The T avg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate.The Allowable Value for high steam flow is a linear function that varies with power level. The function is a P corresponding to 42% of full steam flow between 0% and 20% load to 111% of full steam flow at 100% load. The nomin al trip setpoint is similarly calculated.

(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-13Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY1.Safety Injection (continued)f. g.Safety Injection-High St eam Flow in Two Steam Lines Coincident With T avg-LowLow or Coincident With Steam Line Pressure-Low (continued)With the transmitters located inside the containment (T avg) or near the steam lines (High Steam Flow),

it is possible for them to experience adverse st eady state environmen tal conditions during an SLB event. The trip setpoint reflects only steady state

instrument uncertainties.

This Function must be OPERABLE in MODES1, 2, and3 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the stea m line(s). This signal may be manually blocked by the operator when below the P-12 setpoint. Above P-12, this Function is automatically unblocked.

This Function is not required OPERABLE below P-12 because

the reactor is not critical, so steam line brea k is not a concern. SLB may be addressed by Containment Pressure High (inside

containment) or by High Stea m Flow in Two Steam Lines coincident with Steam Line Pressure-Low, for Steam Line

Isolation, followed by High Differ ential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE4, 5, or6 because there is insufficient

energy in the secondary side of the unit to cause an accident.2.Containment Spr ay Systems The Containment Spray System s (Quench Spray (QS) and Recirculation Spray (RS)) provi de four primary functions:1.Lowers containment pressure and temperature after an HELB in containment;2.Reduces the amount of radioactive iodine in the containment atmosphere;3.Adjusts the pH of the water in the containment sump after a large break LOCA; and4.Remove heat from containment.

North Anna Units 1 and 2B 3.3.2-14Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY2.Containment Spray Systems (continued)These functions are necessary to:

?Ensure the pressure boundary integrity of the containment structure;

?Limit the release of radioactive io dine to the environment in the event of a failure of the containment structure; and

?Minimize corrosion of the co mponents and systems inside containment following a LOCA.

The containment spray actuation signal starts the QS pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of cont ainment. Water is initially drawn

from the RWST by the QS pumps a nd mixed with a sodium hydroxide solution from the chemical addition tank. When the RWST level reaches the low setpoint coincident with Containment Pressure-High

High, the RS pumps receive a start si gnal. The outside RS pumps start immediately and the inside RS pum ps start after a 120-second delay. Water is drawn from the containment sump through heat exchangers and discharged to the RS nozzle headers. When the RWST reaches the lowlow level setpoint, the Low Head Safety Injection pump suctions are shifted to the containment su mp. Containment sp ray is actuated manually or by Containment Pressure-HighHigh signal. RS is

actuated manually or by RWST Level-Low coincident with

Containment Pressure-High High.a.Containment Spray-Manual Initiation The operator can initiate containm ent spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train. Because an inadvertent

actuation of containment spra y could have such serious consequences, two switches must be turned simultaneously to initiate containment spray. There are two sets of two switches each in the control room.

(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-15Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY2.Containment Spray Systems (continued)a.Containment Spray-Manual Initiation (continued)Simultaneously turning the two switches in either set will actuate

containment spray in both trains in the same manner as the

automatic actuation signal. Two Manual Initiation switches in each train are required to be OPERABLE to ensure no single failure disables the Manual Init iation Function. Note that Manual Initiation of containment spray also actuates PhaseB containment isolation.b.Containment Spray-Automatic Actuation Logic and Actuation RelaysAutomatic actuation logic and actua tion relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.

Manual and automatic initiation of containment spray must be OPERABLE in MODES1, 2, and3 when there is a potential for an accident to occur, and sufficie nt energy exists in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual in itiation is also required in MODE4, even though automatic actuati on is not required. In this MODE, adequate time is availa ble to manually actuate required components in the event of a DBA.

However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation switches.

Automatic actuation logic and actuation relays must be OPERABLE in MODE4 to support system manual initiation. In MODES5 and6, there is insufficient energy in the primary and

secondary systems to result in containment overpressure. In MODES5 and6, there is also adequate time for the operators to

evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by ma nually starting individual components.

North Anna Units 1 and 2B 3.3.2-16Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY2.Containment Spray Systems (continued)c.Containment Spray-Containment Pressure This signal provides protection agai nst a LOCA or an SLB inside containment. The transmitters (d

/p cells) are located outside of

containment with the sensing lin e (high pressure side of the transmitter) located inside cont ainment. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse enviro nmental conditions and the Allowable Value reflects onl y steady state instrument uncertainties.

This is one of few Functions that requires the bistable output to energize to perform its required acti on. It is not desirable to have a loss of power actuate containmen t spray, since the consequences of an inadvertent actua tion of containment sp ray could be serious.

Note that this Function also has the inoperable channel placed in

bypass rather than trip to d ecrease the probability of an inadvertent actuation.North Anna uses four channels in a two-out-of-four logic configuration and the Containmen t Pressure-High High Setpoint Actuates Containment Spray System

s. Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted

because this Function is en ergize to trip. Containment Pressure-HighHigh must be OPERABLE in MODES1, 2, and3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES4, 5, and6, there is insuffic ient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure-HighHigh setpoints.d.RWST Level-Low Coincident wi th Containment Pressure-High HighThis signal starts the RS system to provide protection against a LOCA inside containment. Th e Containment Pressure-High High (ESFAS Function2.c) signal aligns the RS system for spray

flow delivery (e.g., opens isolatio n valves) but does not start the (continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-17Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY2.Containment Spray Systems (continued)d.RWST Level-Low Coincident w ith Containment Pressure-High High (continued)

RS pumps. The RWST Level-Low coincident with Containment Pressure-High High provides the automatic start signal for the

inside RS and outside RS pumps. Once the coincidence trip is

satisfied, the outside RS pumps st art immediately and the inside RS pumps start after a 120-se cond delay. The delay time is sufficient to avoid simultaneous starting of the RS pumps on the

same emergency diesel generato

r. This ESFAS function ensures

that adequate water inventory is present in the containment sump to meet the RS sump strainer functional requirements following a LOCA. The RS system is not required for SLB mitigation.Automatic initiation of RS mu st be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and

sufficient energy exists in the primary and secondary systems to pose a threat to containment integrity due to overpressure conditions. The requirement for automatic initiat ion of RWST Level-Low to be operable in MODES 1, 2, and 3 is consistent with the operability requi rements for Containment Pressure-High High. Manual initia tion of the RS system is required in MODE 4, even though automatic initiation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. In MODES 5

and 6, there is insufficient energy in the primary and secondary

systems to result in containmen t overpressure. In MODES 5 and 6, there is also adequate time fo r the operators to evaluate unit conditions and respond to mitigate the consequences of abnormal

conditions by manually starting individual components. An operator can initiate RS at any time from the control room by using the pump control switch. The manual function would be

used only when adequate water inventory is present in the

containment sump to meet the RS sump strainer functional

requirements.

North Anna Units 1 and 2B 3.3.2-18Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY (continued)3.Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all proc ess systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the

release of radioactivity to the environment in the event of a large

break LOCA.

There are two separate Containment Isolation signals, PhaseA and PhaseB. PhaseA isolation isolates all automatically isolable process lines, except component cooling wate r (CC) and instrument air (IA),

at a relatively low containment pr essure indicative of primary or secondary system leaks. A list of the process lines is provided in the Technical Requirements Manual (Ref.9

). For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs)

and SGs is the preferred (but not required) method of decay heat

removal. Since CC is required to support RCP operation, not isolating CC on the low pressure PhaseA signal enhances unit safety by allowing operators to us e forced RCS circulation to cool the unit.

Isolating CC on the low pressure si gnal may force the use of feed and bleed cooling, which could prove more difficult to control.PhaseA containment isolation is actuated automatically by SI, or manually via the automatic actuation logic. All process lines penetrating containment, with the exception of CC and IA, are isolated. CC is not isolated at this time to permit continued operation of the RCPs with cooling water fl ow to the thermal barrier heat exchangers and air or oil coolers.

All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE4.Manual PhaseA Containmen t Isolation is accomp lished by either of two switches in the control room. Ei ther switch actuates both trains.The PhaseB signal isolates CC and IA. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no

longer desirable. Isolating the CC at the higher pressu re does not pose a challenge to the containment boundary because the CC (continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-19Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY3.Containment Isolation (continued)

System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the PhaseB setpoint. Thus, routine operation

demonstrates the integrity of the system pressure boundary for pressures exceeding the PhaseB setpoint. Furthermore, because system pressure exceeds the PhaseB setpoint, any system leakage prior to initiation of PhaseB isolation would be into containment.

Therefore, the combination of CC and IA Systems design and PhaseB isolation ensures the CC System is not a potential path for radioactive

release from containment.PhaseB containment isolation is actuated by Containment Pressure-HighHigh, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure-HighHigh, a large break LOCA or SLB must have occurred. RCP operation will no longer be required and CC to the RCPs is, therefore, no longer

necessary. The RCPs can be operated with seal injection flow alone and without CC flow to the th ermal barrier heat exchanger.Manual PhaseB Containment Isolati on is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, PhaseB Containment Isolation and Containment Spray will be actuated in both trains.a.Containment Isolation-PhaseA Isolation(1)Phase A Isolation-Manual InitiationManual PhaseA Containment Isol ation is actuated by either of two switches in the contro l room. Either switch actuates both trains.(2)Phase A Isolation-Automatic Actuation Logic and Actuation RelaysAutomatic Actuation Logic and Actuation Relays consist of the same features and opera te in the same manner as described for ESFAS Function1.b.

North Anna Units 1 and 2B 3.3.2-20Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY3.Containment Isolation (continued)a.Containment Isolation-PhaseA Isolation (continued)Manual and automatic initiation of PhaseA Containment Isolation must be OPERABLE in MODES1, 2, and3, when there is a potential for an accident to occur. Manual initiation is also required in MODE4 even though automatic actuation is not required. In this MODE, adequate time is available to manually

actuate required components in th e event of a DBA, but because of the large number of components actuated on a PhaseA Containment Isolation, actuation is simplified by the use of the

manual actuation switches. Automatic actuation logic and

actuation relays must be OPERABLE in MODE4 to support system manual initiation. In MODES5 and6, there is insufficient energy in the primary or seconda ry systems to pressurize the containment to require PhaseA C ontainment Isolation. There also

is adequate time for the operato r to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.(3)Phase A Isolation-Safety InjectionPhaseA Containment Isolation is also initiated by all Functions that initiate SI. The PhaseA Containment Isolation requirements for these Functions are the same as the

requirements for their SI function. Therefore, the

requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenced fo r all initiating Functions and requirements.b.Containment Isolation-PhaseB IsolationPhaseB Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and

by Containment Pressure channels (the same channels that actuate Containment Spray Systems, Function2). The Containment Pressure trip of PhaseB Containmen t Isolation is energized to trip in order to minimize the potential of spurious trips that may damage the RCPs.(1)Phase B Isolation-Manual Initiation ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-21Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY3.Containment Isolation (continued)b.Containment Isolation-PhaseB Isolation (continued)(2)Phase B Isolation-Automatic Actuation Logic and Actuation RelaysManual and automatic initiation of PhaseB containment isolation must be OPERABLE in MODES1, 2, and3, when there is a potential for an acci dent to occur. Manual initiation is also required in MODE4 ev en though automatic actuation

is not required. In this MODE, ad equate time is available to

manually actuate required components in the event of a

DBA. However, because of th e large number of components actuated on a PhaseB contai nment isolation, actuation is simplified by the use of the Containment Spray manual actuation switches.

Automatic actuation logic and actuation relays must be OPERABLE in MODE4 to support system manual initiation. In MODES5 and6, ther e is insufficient energy in the primary or secondary systems to pressurize the containment to require PhaseB containment isolation. There also is adequate time for the operator to evaluate unit

conditions and manually actuate individual isolation valves

in response to abnormal or accident conditions.(3)Phase B Isolation-Containment Pressure The basis for containment pressure MODE applicability is as discussed for ESFAS Function2.c above.4.Steam Line Isolation Isolation of the main steam lines provides protection in the event of an

SLB inside or outside containment.

Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at

most. For an SLB upstream of the main steam trip valves (MSTVs),

inside or outside of containment, closure of the MSTVs limits the accident to the blowdown from onl y the affected SG. For an SLB downstream of the MSTVs, closure of the MSTVs terminates the accident.

North Anna Units 1 and 2B 3.3.2-22Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY4.Steam Line Isolation (continued)a.Steam Line Isolation-Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two switches for each MSTV in the control room and either switch can initiate action to immediately close that MSTV. Following a SG tube rupture, the operator will isolate the main steam side (close the MSTV) of the ruptured SG. The LCO requires two channels to be OPERABLE

for each MSTV.b.Steam Line Isolation-Automatic Actuation Logic and Actuation RelaysAutomatic actuation logic and actua tion relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.Manual and automatic initiation of steam line isolation must be OPERABLE in MODES1, 2, and3 when there is sufficient energy in

the RCS and SGs to have an SLB or other accident. This could result in the release of significant quantit ies of energy and cause a cooldown of the primary system. The Steam Li ne Isolation Function is required in MODES2 and3 unless all MSTVs are closed and de-activated. In MODES4, 5, and6, there is insufficient energy in the RCS and SGs

to experience an SLB or other accid ent releasing significant quantities of energy.c.Steam Line Isolation-Contai nment Pressure-Intermediate HighHighThis Function actuates closure of the MSTVs in the event of a LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment. Containment Pressure-Intermediate HighHi gh provides no input to any control functions. Thus, two OPER ABLE channels are sufficient to satisfy protective requirement s with one-out-of-two logic.

However, for enhanced reliability, this Function was (continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-23Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY4.Steam Line Isolation (continued)c.Steam Line Isolation-Contai nment Pressure-Intermediate HighHigh (continued) designed with three channels a nd a two-out-of-three logic. The transmitters and electronics are located outside of containment.

Thus, they will not experien ce any adverse environmental conditions, and the trip setpoi nt reflects only steady state instrument uncertainties.

Containment Pressure-Intermediate HighHigh must be OPERABLE in MODES1, 2, and3, when there is sufficient energy in the primary and seconda ry side to pressurize the containment follow ing a pipe break.

This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSTVs. The Steam Line Isolation Function remains OPERABLE in MODES2 and3 unless all MSTVs are closed and de-activated. In MODES4, 5, and6, there is not enough energy in the primary and secondary sides to pressurize th e containment to the Containment Pressure-Intermediate HighHigh setpoint.d. e.Steam Line Isolation-High St eam Flow in Two Steam Lines Coincident with T avg-LowLow or Coincident With Steam Line Pressure-Low These Functions (4.d and 4.e) provide closure of the MSTVs

during an SLB or inadvertent opening of an SG relief or a safety valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.

These Functions were discussed previously as Functions1.f. and1.g.These Functions must be OPERABLE in MODES1 and2, and in MODE3, when a secondary side break or stuck open valve could result in the rapid depressurizat ion of the steam lines unless all MSTVs are closed and de-activ ated. These Functions are not required to be OPERABLE in MODES4, 5, and6 because there is insufficient energy in the second ary side of the unit to have an accident.

North Anna Units 1 and 2B 3.3.2-24Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY (continued)5.Turbine Trip and Feedwater Isolation The primary functions of the Turb ine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam

lines, and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of a hi gh water level in the SGs, which could result in carryover of water into the steam lines

and excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows.

The Function is actuated when th e level in any SG exceeds the highhigh setpoint, and perfor ms the following functions:

?Trips the main turbine;

?Trips the MFW pumps;

?Initiates feedwater isolation by closing the Main Feedwater Isolation Valves (MFIVs); and

?Shuts the MFW regulat ing valves and their associated bypass valves.This Function is actuated by SG Water Level-HighHigh, or by an SI signal. In the event of SI, the MF W System is automatically secured and isolated and the AFW System is automatically started. The SI signal was discussed previously.a.Turbine Trip and Feedwater Isolation-Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Ac tuation Relays consist of the same features and operate in th e same manner as described for ESFAS Function1.b.b.Turbine Trip and Feedwater Isolation-Steam Generator Water Level-HighHigh (P-14)

This signal provides protection ag ainst excessive feedwater flow.

The ESFAS SG water level instru ments provide input to the SG Water Level Control System. The SG Water Level-HighHigh

trip is provided from the narrow range instrumentation span from each SG.(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-25Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY5.Turbine Trip and Feedwater Isolation (continued)b.Turbine Trip and Feedwater Is olation-Steam Generator Water Level-HighHigh (P-14)

(continued)

North Anna has only three channels that are shared between

protection and control functions a nd justification is provided in NUREG-1218 (Ref.7).The transmitters (d/p cells) ar e located inside containment. However, the events that this Function protects against cannot cause a severe environment in containment. Therefore, the trip setpoint reflects only steady st ate instrument uncertainties.c.Turbine Trip and Feedwate r Isolation-Safety Injection Turbine Trip and Feedwater Isol ation is also initiated by all Functions that initiate SI. Th e Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.

Turbine Trip and Feedwater Isolat ion Functions must be OPERABLE in MODES1, 2, and3 when the MFW System is in operation and the

turbine generator may be in operation. These functions are not required to be OPERABLE in MODES2 and3 when all MFW pump discharge valves or all MFIVs, MFRVs, and associated bypass valves

are closed and de-activated or isolated by a closed manual valve. In MODES4, 5, and6, the MFW System and the turbine generator are

not in service and this Function is not re quired to be OPERABLE.6.Auxiliary Feedwater The AFW System is designed to pr ovide a secondary side heat sink for the reactor in the event that the MFW System is not available. The system has two motor driven pumps and a turbine driven pump,

making it available during normal uni t operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break.

The normal source of water for the AFW System is the (continued)

North Anna Units 1 and 2B 3.3.2-26Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY6.Auxiliary Feedwater (continued)Emergency condensate storage tank (ECST). The AFW System is

aligned so that upon a pump start, flow is initiated to the respective SG immediately.a.Auxiliary Feedwater-Automatic Actuation Logic and Actuation RelaysAutomatic actuation logic and actua tion relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.b.Auxiliary Feedwater-Steam Ge nerator Water Level-Low LowSG Water Level-LowLow provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water

Level-Low Low provides input to the SG Level Control System. Three protection channels are nece ssary to satisfy the protective requirements. These channels ar e shared between protection and control functions and justification is provided in Reference7.With the transmitters (d/p cells) located inside containment and thus possibly experiencing adve rse environmental conditions (feed line break), the trip setpoi nt reflects the inclusion of both steady state and adverse environmental instrument uncertainties.c.Auxiliary Feedwater-Safety InjectionAn SI signal starts the motor driven and turbine driven AFW

pumps. The AFW initiation func tions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenced for all initiati ng functions and requirements.d.Auxiliary Feedwater-Loss of Offsite Power A loss of offsite power to the tr ansfer buses may be accompanied by a loss of reactor coolant pum ping power and the subsequent need for some method of decay heat removal. The loss of offsite

power is(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-27Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY6.Auxiliary Feedwater (continued)d.Auxiliary Feedwater-Loss of Offsite Power (continued) detected by a voltage drop on each transfer bus. Loss of power to the transfer bus will start all AF W pumps to ensure that at least one SG contains enough water to se rve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip.Functions6.a through6.d must be OPERABLE in MODES1, 2, and3 to ensure that the SGs remain the heat sink for the reactor. SG Water Level-LowLow in any SG will cause all AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to th e SGs. These Functions do not have to be OPERABLE in MODES5 and6 because there is not enough

heat being generated in th e reactor to require the SGs as a heat sink. In MODE4, AFW actuation does not need to be OPERABLE because

either RCS Loop(s) or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.e.Auxiliary Feedwater-Trip of All Main Feedwater Pumps A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some me thod of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Motor driven MFW pumps are equipped with a breaker position sensing device. An open s upply breaker indicates that the pump is not running. Two OPERABLE channels pe r pump satisfy redundancy requirements with one-out-of-two logic on each MFW pump. A trip of all MFW pumps starts the motor driven and

turbine driven AFW pumps to ensure that at least one SG is available with water to act as the heat sink for the reactor.Function6.e must be OPERABLE in MODES1 and2. This ensures that at least one SG is provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES3, 4, and5, the RCPs and MFW pumps may be

normally shut down, and thus neithe r pump trip is indicative of a condition requiring automatic AFW initiation.

North Anna Units 1 and 2B 3.3.2-28Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY (continued)7.Automatic Switchover to Containment SumpAt the end of the injection phase of a LOCA, the RWST will be nearly

empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment sum

p. The low head safety injection

(LHSI) pumps and inside and outside recirculation spray pumps draw the water from the containment sump, the LHSI pumps pump the water back into the RCS. The Inside and Outside Recirculation Spray

pumps circulate water through the heat exchangers to the spray rings and supplies water to the contai nment sump. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the LHSI pumps and a loss of core cooling capability. For similar reasons, sw itchover must not occur before there is sufficient water in the containment sump to support ESF

pump suction. Furthermore, early swit chover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode.a.Automatic Switchover to Containment Sump-Automatic Actuation Logic and Actuation RelaysAutomatic actuation logic and actua tion relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.b.Automatic Switchover to Cont ainment Sump-Refueling Water Storage Tank (RWST) Level-LowLow Coincident With Safety Injection During the injection phase of a LO CA, the RWST is the source of water for all ECCS pumps. A lowlow level in the RWST

coincident with an SI signal pr ovides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions.

Therefore, a two-out-of-four logi c is adequate to initiate the protection function actuation. Al though only three channels would be sufficient, a fourth channe l has been added for increased reliability.

(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-29Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY7.Automatic Switchover to Containment Sump (continued)b.Automatic Switchover to Containment Sump-Refueling Water Storage Tank (RWST) Level-LowLow Coincident With Safety Injection (continued)The RWST-LowLow Allowable Value has both upper and

lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage.

The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit

also ensures adequate water invent ory in the containment sump to provide ECCS pump suction.The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditi ons and the Allowable Value reflects only steady state in strument uncertainties.

Automatic switchover occurs only if the RWST lowlow level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempti ng to take suction from an empty sump. The automatic switchover Function requirements for the SI

Functions are the same as the re quirements for th eir SI function.

Therefore, the requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenc ed for all initiating Functions and requirements.These Functions must be OPERABLE in MODES1, 2, 3, and4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES5 and6 because

there is adequate time for the ope rator to evaluate unit conditions and respond by manually starting systems, pumps, and other

equipment to mitigate the conseque nces of an a bnormal condition or accident. System pressure a nd temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent

overpressurization of unit systems.

North Anna Units 1 and 2B 3.3.2-30Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY (continued)8.Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are

included as part of the ESFAS. Thes e interlocks permit the operator to

block some signals, automatically enable other signals, prevent some actions from occurri ng, and cause other actions to occur. The interlock Functions b ack up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open. Once the P-4 interlock is enabled, automatic SI reinitiation is blocked after a 60second time delay. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete. Once

SI is blocked, automatic actuati on of SI cannot occur until the RTBs have been manually closed, resetting the P-4 interlock. The functions of the P-4 interlock are:

(continued)FunctionPurposeRequired MODESIsolate MFW regulating valves with

coincident low T avgFeedwater isolation1, 2Trip the main turbinePrevents excessive cooldown, thereby

Condition II event

does not propagate to

Condition III event 1, 2 ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-31Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 (continued)

(continued)FunctionPurposeRequired MODESPrevent automatic

reactuation of SI after

a manual reset of SI Allows alignment of

ECCS for

recirculation mode,

prevents subsequent

inadvertent alignment

to injection mode by

auto SI1, 2, 3 North Anna Units 1 and 2B 3.3.2-32Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 (continued)

(continued)FunctionPurposeRequired MODES Reset high steam flow

setpoint to no-load

value1.SI-High Steam flow in Two Steam Lines

Coincident With

Steam Line

Pressure-Low2.SI-High Steam Flow in Two

Steam Lines

Coincident With

Tavg-LowLow3.Steam Line Isolation-

High Steam Flow in Two Steam Lines Coincident

With Steam Line

Pressure-Low4.Steam Line Isolation-

High Steam Flow

in Two Steam

Lines Coincident

With Tavg-LowLowEnsures setpoint is reset to low/zero

power reference value

following plant trip,

regardless of turbine first stage pressure indication 1, 2, 3 (function not

required if MSTVs are closed and

deactivated)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-33Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 (continued)

Each of the above Func tions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of th e RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent

increase in core power. Addition of feedwater to a steam generator associated with a steamline or feedline break could result in excessive containment building pressure. To avoid such a

situation, the noted Functions have been interlocked with P-4 as part of the design of the uni t control and protection system.

The turbine trip Function is exp licitly assumed in the non-LOCA analysis since it is an immediate consequence of the reactor trip Function. Block of the auto SI signals is required to support long-term ECCS operation in the post-LOCA recirculation mode.

The RTB position switches that pr ovide input to the P-4 interlock only function to energize or de-ene rgize or open or close contacts.

Therefore, this Function has no adjustable trip setpoint with which

to associate an Allowable Value.This Function must be OPERABLE in MODES1, 2, and3, as noted above, when the reactor ma y be critical or approaching criticality or support of the (continued)FunctionPurposeRequired MODES Prevent opening of

the MFW regulating

valves if they were

closed on SI or SG

Water Level

-HighHighSeal-in feedwater

isolation to prevent

inadvertent feeding of

depressurized SG 1, 2, 3 North Anna Units 1 and 2B 3.3.2-34Revision31ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)a.Engineered Safety Feature Actu ation System Interlocks-Reactor Trip, P-4 (continued) auto SI block function is require

d. This Function does not have to be OPERABLE in MODES4, 5, or6 because the main turbine

and the MFW System are not required to be in operation.b.Engineered Safety F eature Actuation System Interlocks-Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI. With two-out-of-three

pressurizer pressure channels (dis cussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure-LowLow SI signal.

Additionally, the P-11 signal blocks the automatic opening of the pressurizer power operated relief valves (PORVs).

With two-out-of-three pressurize r pressure channels above the P-11 setpoint, the Pressurizer Pressure-Low Low SI signal is automatically enabled. The operator can also enable this function by use of the respective manual reset switches. The automatic opening capability for the pressurizer PORVs is reinstated above the P-11 setpoint. The ECCS accumu lator isolation valves will receive an automatic open signal when pressurizer pressure exceeds the P-11 setpoint. The Allowable Value reflects only steady state instrument uncertainties.

This Function must be OPERABLE in MODES1, 2, and3 to

allow an orderly cooldown and depressurization of the unit without the actuation of SI. This Function does not have to be OPERABLE in MODE4, 5, or6 because system pressure must

already be below the P-11 setpoint for the requirements of the

heatup and cooldown curves to be met.c.Engineered Safety F eature Actuation System Interlocks-T avg-LowLow, P-12 On increasing reactor coolant temperature, the P-12 interlock reinstates SI on High Steam Flow Coincident (continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-35Revision31APPLICABLE SAFETY

ANALYSES,

LCO, AND APPLICABILITY8.Engineered Safety Feature Actuation System Interlocks (continued)c.Engineered Safety Feature Actuation System Interlocks-T avg-LowLow, P-12 (continued)

With Steam Line Pressure-L ow or Coincident With Tavg-LowLow. On decreasing reactor coolant temperature, the P-12 interlock allows the operato r to manually block SI on High Steam Flow Coincident With Steam Line Pressure-Low or Coincident with T avg-LowLow. On a decreasing temperature, the P-12 interlock also provides a blocking signal to the Steam

Dump System to prevent an excessive cooldown of the RCS due

to a malfunctioning Steam Dump System.

Since Tavg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop. Th ese channels are used in two-out-of-three logic.This Function must be OPERABLE in MODES1, 2, and3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This Function does not have to be OPERABLE in MODE4, 5, or6 because there is insufficient

energy in the secondary side of the unit to have an accident.The ESFAS instrumentation satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).ACTIONSA Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditi ons of this Specification may be entered independently for each Function listed on Table3.3.2-1.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrume nt Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel mu st be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis),

then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

(continued)

North Anna Units 1 and 2B 3.3.2-36Revision31ESFAS Instrumentation B 3.3.2BASESACTIONS(continued)

When the number of inoperable channels in a trip function exceed those specified in one or other related Condi tions associated w ith a trip function,

then the unit is outside the safety analysis. Therefore, LCO3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1ConditionA applies to all ESFAS protection functions.ConditionA addresses the situation where one or more channels or trains

for one or more Functions are inopera ble at the same time. The Required Action is to refer to Table3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2ConditionB applies to manual initiation of:

?SI;?Containment Spray; and

?PhaseA Isolation.

This action addresses the train orient ation of the SSPS for the functions listed above. If a channel or train is inoperable, 48hours is allowed to return it to an OPERABLE status.

Note that for containment spray isolation, failure of one or both channels in one train renders the train inoperable. The manual initiation for PhaseB Containment isolation is provided by the containment spray manual switches. ConditionB,

therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and

another manual initiation train OPERABLE for each Function, and the low probability of an event oc curring during this interval

. If the train cannot be restored to OPERABLE status, the uni t must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE3 within an additional 6hours (54hours total time) and in MODE5 within an additional 30hours (84hours total time). The allowable Completion Times are reasonable, based on operating

experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-37Revision31ACTIONS(continued)

C.1, C.2.1, and C.2.2ConditionC applies to the automatic actuation logic and actuation relays for the following functions:

?SI;?Containment Spray;

?PhaseA Isolation;

?PhaseB Isolation; and

?Automatic Switchover to Containment Sump.This action addresses the train orientat ion of the SSPS and the master and slave relays. If one train is inoperable, 24hours are allowed to restore the train to OPERABLE status. The specified Completion Time is reasonable

considering that there is another tr ain OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restored to

OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE3 within an additional 6hours (30hours total time) and in MODE5 within an additional 30hours (60hours total time). The Completion Times are reasonable, based on operating experience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems.The Required Actions are modified by a Note that allows one train to be bypassed for up to 4hours for surveillan ce testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of Reference8 that 4hours is the average time required to

perform channel surveillance.

D.1, D.2.1, and D.2.2ConditionD applies to:

?Containment Pressure-High;

?Pressurizer Pressure-LowLow;

?Steam Line Differential Pressure-High; North Anna Units 1 and 2B 3.3.2-38Revision31ESFAS Instrumentation B 3.3.2BASESACTIONSD.1, D.2.1, and D.2.2 (continued)

?High Steam Flow in Two Steam Lines Coincident With T avg-Low Low or Coincident With Steam Line Pressure-Low;

?Containment Pressure-Intermediate HighHigh;

?SG Water Level-LowLow;

?SG Water Level-HighHigh (P-14); and

?RWST Level-Low Coincident With Containment Pressure HighHigh.

If one channel is inoperable, 72hours are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements.

Failure to restore the inoperable channe l to OPERABLE status or place it in the tripped condition within 72hours requires the unit be placed in MODE3 within the following 6hours and MODE4 within the next 6hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12hour s for surveillance testing of other channels. The 72hours allowed to re store the channel to OPERABLE status or to place the inoperable ch annel in the tripped condition, and the 12hours allowed for testing, are justified in Reference8.

E.1, E.2.1, and E.2.2ConditionE applies to:

?Containment Spray Containment Pressure-HighHigh; and ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-39Revision31ACTIONSE.1, E.2.1, and E.2.2 (continued)

?Containment PhaseB Isolation Containment Pressure-High High.

None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel

may be bypassed rather than tripped. Note that one channel may be

bypassed and still sati sfy the single failure criter ion. Furthermore, with one channel bypassed, a single instrument ation channel failure will not spuriously initiate containment spray.To avoid the inadvertent actuation of containment spray and PhaseB containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72hours, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperabl e channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval

. Failure to rest ore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72hours, requires the unit be placed in MODE3 within the following 6hours and MODE4 within the next 6hours. The allowed Completion Times are reasonable, based on operati ng experience, to reach the required unit conditions from full power conditions in an orderly manner and

without challenging unit systems. In MODE4, these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing. Placing a second channel in the bypass condition for up to 12hours for testing purposes is acceptable based on the results of Reference8.

North Anna Units 1 and 2B 3.3.2-40Revision31ESFAS Instrumentation B 3.3.2BASESACTIONS(continued)

F.1, F.2.1, and F.2.2ConditionF applies to:

?Manual Initiation of Steam Line Isolation;

?Loss of Offsite Power; and

?P-4 Interlock.For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. For the Loss of Offsite Power

Function, this action recognizes the la ck of manual trip provision for a failed channel. If a train or channe l is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be retu rned to OPERABLE status, the unit must be placed in MODE3 within the next 6hours and MODE4 within the following 6hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE4, the unit does not have any analy zed transients or conditions that require the explicit use of the protection functions noted above.

G.1, G.2.1, and G.2.2ConditionG applies to the automatic actuation logic and actuation relays for the Steam Line Isolation, Turbine Trip and Feedwater Isolation, and AFW actuation Functions.The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24hours are allowed to restore the train to OP ERABLE status. The Completion Time for restoring a train to OPERABLE stat us is reasonable considering that there is another train OPERABLE, a nd the low probability of an event

occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE3 within the next 6hours and MODE4 within the following 6hours. The allowed Completion Times are reasonable, base d on operating experience, to reach the required unit conditions from full power conditions in an (continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-41Revision31ACTIONSG.1, G.2.1, and G.2.2 (continued)orderly manner and without challenging unit systems. Placing the unit in MODE4 removes all requirements fo r OPERABILITY of the protection

channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions th at require the explicit use of the protection functions noted above.The Required Actions are modified by a Note that allows one train to be bypassed for up to 4hours for surveillance testing provided the other train

is OPERABLE. This allowance is based on the reliability analysis (Ref.8) assumption that 4hours is the averag e time required to perform channel surveillance.

H.1 and H.2ConditionH applies to the AFW pump start on trip of all MFW pumps.This action addresses the train orientation of the SSPS for the auto start function of the AFW System on loss of all MFW pumps. The

OPERABILITY of the AFW System must be assured by allowing

automatic start of the AFW System pumps. If a channel is inoperable, 48hours are allowed to return it to an OPERABLE status. If the function cannot be returned to an OPERABLE status, 6hours are allowed to place the unit in MODE3. The allowed Completion Time of 6hours is

reasonable, based on operating experience, to reach MODE3 from full power conditions in an orderly ma nner and without challenging unit systems. In MODE3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above. The allowance of 48hours to return the train to an OPERABLE status is justified in Reference8.

I.1, I.2.1, and I.2.2ConditionI applies to:

?RWST Level-LowLow Coincide nt with Safety Injection.RWST Level-LowLow Coincident With SI provides actuation of switchover to the containm ent sump. Note that this Function requires the bistables to energize to perform thei r required action. The failure of up to two channels will not prevent (continued)

North Anna Units 1 and 2B 3.3.2-42Revision31ESFAS Instrumentation B 3.3.2BASESACTIONSI.1, I.2.1, and I.2.2 (continued) the operation of this Function. However, placing a failed channel in the tripped condition could result in a pr emature switchover to the sump, prior to the injection of the minimum volume from the RWST. Placing the inoperable channel in bypass result s in a two-out-of-three logic configuration, which satisfies the requirement to allow another failure without disabling actuation of the switchover when required.

Restoring the channel to OPERABLE status or placing the inoperable channel in the bypass condition within 72hours is sufficient to ensure that the Function remains OPERABLE, and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The 72hour Completion Time is justified in a plant-specific risk assessment, consistent with Reference8. If the channel cannot be returned to OPERABLE st atus or placed in the bypass condition within 72hours, the unit must be brought to MODE3 within the following 6hours and MODE5 within the next 30hours. The allowed Completion Times are reasonable, ba sed on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and

without challenging unit systems. In MODE5, the unit does not have any analyzed transients or conditions th at require the explicit use of the

protection functions noted above.

The Required Actions are modified by a Note that allows placing a second channel in the bypass condition for up to 12hours for surveillance testing. The total of 78hours to reach MODE3 and 12hours for a second channel to be bypassed is acceptable based on the results of a pl ant-specific risk assessment, consistent with Reference8.

J.1, J.2.1, and J.2.2ConditionJ applies to the P-11 and P-12 interlocks.

With one or more channels inoperable, the operator must verify that the interlock is in the required stat e for the existing unit condition. The verification that the interlocks are in their proper state may be performed via the Control Room permissive st atus lights. This action manually accomplishes the function of the inte rlock. Determination must be made within 1hour. The 1hour Completion Time is equal to the time allowed by LCO3.0.3 to initiate shutdown (continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-43Revision 46ACTIONSJ.1, J.2.1, and J.2.2 (continued)actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE3 within the next 6hours and MODE4 within the following 6hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE4 removes all

requirements for OPERABILITY of these interlocks.SURVEILLANCE

REQUIREMENT

SThe SRs for each ESFAS Function are identified by the SRs column of Table3.3.2-1.

A Note has been added to the SR Table to clarify that Table3.3.2-1 determines which SRs apply to which ESFAS Functions.

Note that each channel of process pr otection supplies both trains of the ESFAS. When testing channelI, trainA and trainB must be examined. Similarly, trainA and trainB must be examined when testing channelII, channelIII, and channelIV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent

with the assumptions used in analyti cally calculating the required channel accuracies.SR3.3.2.1 Performance of the CHANNEL CHECK en sures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indica ted on one channel to a similar parameter on other channels. It is ba sed on the assumption that instrument channels monitoring the same parame ter should read approximately the

same value. Significant deviations between the two instrument channels could be an indication of excessive inst rument drift in one of the channels or of something even more seri ous. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

(continued)

North Anna Units 1 and 2B 3.3.2-44 Revision 46ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENT

SSR3.3.2.1 (continued)

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability.

If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.2.2SR3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, ar e tested for each protection function. This verifies th at the logic modules are OPERABLE.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.2.3SR3.3.2.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil.

Upon master relay contact operation, a lo w voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. The Survei llance Frequency is based on operating experience, equipment reliability, and plant risk and

is controlled under the Surveill ance Frequency Control Program.SR3.3.2.4SR3.3.2.4 is the performance of a COT.

(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-45Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.2.4 (continued)

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Se tpoints must be found within the Allowable Values specified in Table3.3.2-1. A successful test of the

required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions.The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shal l be left set consistent with the assumptions of the current unit specific setpoint methodology.The COT for the Containment Pressure Channel includes exercising the transmitter by applying either a vacuum or pressure to the appr opriate side of the transmitter.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.2.5SR 3.3.2.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is

verified in one of two ways. Actuati on equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact op eration can be ve rified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For th is latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. The Surveillance

Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR is modified by a Note that allows an exception for testing of relays which could induce a unit transient, an inadvertent reactor trip or ESF actuation, or cause the inoperabilit y of two or more ESF components.

North Anna Units 1 and 2B 3.3.2-46 Revision 46ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.3.2.6SR3.3.2.6 is the performance of a TADOT.

This test is a check of the Loss of Offsite Power Function. The Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verifica tion of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions.The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elabor ate bench calibration and are verified during CHANNEL CALIBRATION. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.SR3.3.2.7SR3.3.2.7 is the performance of a TADOT.

This test is a check of the Manual Actuation Functions, AFW pump start on trip of all MFW pumps

and the P-4 interlock Function, includi ng turbine trip, automatic SI block, and seal-in of feedwa ter isolation by SI.

Each Manual Actuation Function is te sted up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the ot her required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). Th e turbine trip (P-4) is independently verified for both trains. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. However, the P-4 input signals to SSPS actuation logic are normally tested in conjunction with RTB testing under SR3.3.1.4 on a 31-day staggered test basis.

(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-47Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.2.7 (continued)

The SR is modified by a Note that ex cludes verification of setpoints during the TADOT for manual initiation or interlock Functions. The manual

initiation Functions have no associated setpoints.SR3.3.2.8SR3.3.2.8 is the performance of a CHANNEL CALIBRATION.CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifi es that the channel responds to measured parameter within the necessary range and accuracy.CHANNEL CALIBRATIONS must be pe rformed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values a nd the previous test "as left" values must be consistent with the drif t allowance used in the setpoint methodology. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note stat ing that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

SR3.3.2.9 This SR ensures the individual ch annel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis. Response Time testing acceptance criteria are included in the Technical Requirements Manual (Ref.9).

Individual component res ponse times are not modele d in the analyses. The analyses model the overall or total el apsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure

, valves in full open or closed position).

(continued)

North Anna Units 1 and 2B 3.3.2-48Revision31ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENT

SSR3.3.2.9 (continued)

For channels that include dynamic tr ansfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resultin g measured response time compared to the appropriate UFSAR response time. Alternately, the response time test

can be performed with the time constants set to their nominal value provided the required response time is analytically calcul ated assuming the time constants are set at their nomin al values. The response time may be measured by a series of overlapping test s such that the en tire response time is measured.

Response time may be veri fied by actual response time tests in any series of sequential, overlapping or tota l channel measurements, or by the summation of allocated sensor, si gnal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor re sponse times may be obtained from: (1)historical records based on accepta ble response time tests (hydraulic, noise, or power interrupt tests), (2)i n place, onsite, or offsite (e.g., vendor) test measurements, or (3)utilizing vendor engineering specifications. WCAP-13632-P-A Revision2, "Eliminati on of Pressure Sensor Response Time Testing Requirements" (Ref.10) provides the basis and methodology

for using allocated sensor response time s in the overall verification of the channel response time for specific sensors identified in the WCAP.

Response time verification for other sensor types mu st be demonstrated by test.WCAP-14036-P-A Revision1 "Elimi nation of Periodic Protection Channel Response Time Tests" (Ref.11) provides the basis and the methodology for using allocated signa l processing and actuation logic response times in the overall verificat ion of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not

impact response time provided the parts used for repair are of the same type and value. Specific component s identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

(continued)

ESFAS Instrumentation B 3.3.2BASESNorth Anna Units 1 and 2B 3.3.2-49Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.2.9 (continued)

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24hours after reaching 1005psig in the SGs.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter7.3.UFSAR, Chapter15.

4.IEEE-279-1971.

5.10CFR50.49.

6.RTS/ESFAS Setpoint Methodology Study (Technical Report EE-0116).7.NUREG-1218, April1988.

8.WCAP-10271-P-A, Supplement2, Rev.1, June1990 and WCAP-14333-P-A, Rev.1, October1998.9.Technical Requirements Manual.

10.WCAP-13632-P-A, Revision2, "El imination of Pressure Sensor Response Time Testing Requirements," January1996.11.WCAP-14036-P-A, Revision1, "El imination of Periodic Protection Channel Response Time Tests," December1995.

Intentionally Blank North Anna Units 1 and 2B 3.3.3-1Revision 0PAM Instrumentation B 3.3.3B 3.3 INSTRUMENTATIONB 3.3.3Post Accident Monitoring (PAM) InstrumentationBASESBACKGROUNDThe primary purpose of the PA M instrumentation is to display unit variables that provide information re quired by the control room operators during accident situations

. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their

safety functions for Design Basis Accidents (DBAs).

The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information av ailable on selected unit parameters to monitor and to assess unit status a nd behavior following an accident.

The availability of accident monitoring instrumentati on is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by Reference1 addressing the recommendations of Regulatory Guide1.97 (Ref.2) as required by Supplement1 to NUREG-0737 (Ref.3).

The instrument channels required to be OPERABLE by this LCO include two classes of parameters identified during unit specific implementation of Regulatory Guide1.97 as TypeA and CategoryI variables.TypeA variables are included in this LCO because they provide the primary information required for the cont rol room operator to take specific manually controlled actions for whic h no automatic control is provided, and that are required for safety systems to accomplish their safety functions for DBAs. Primary information is define d as information that is essential for the direct accomplishment of the specific safety functions; it does not include those variables that are associ ated with contingency actions that may also be identified in written procedures.

(continued)

North Anna Units 1 and 2B 3.3.3-2Revision 0PAM Instrumentation B 3.3.3BASESBACKGROUND (continued)CategoryI variables are the key variab les deemed risk significant because they are needed to:

?Determine whether other systems im portant to safety are performing their intended functions;

?Provide information to the operators th at will enable them to determine the likelihood of a gross breach of the barriers to radioactivity release; and?Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public, and to estimate the magnitude of any impending threat.These key variables are identified by the plant specific Regulatory Guide1.97 analyses (Ref.1). This re port identifies the plant specific TypeA and Category I variables and pr ovides justification for deviating from the NRC proposed list of CategoryI variables.The specific instrument Functions listed in Table3.3.3-1 are discussed in

the LCO section.APPLICABLE SAFETY ANALYSESThe PAM instrumentation ensures the operability of Regulatory Guide1.97 TypeA and CategoryI variables so that the control room operating staff can:?Perform the diagnosis specified in the emergency operating procedures (these variables are restricted to pre-planned actions for the primary success path of DBAs), e.g., lo ss of coolant accident (LOCA);

?Take the specified, pre-planned, manua lly controlled actions, for which no automatic control is pr ovided, and that are required for safety systems to accomplish their safety function;

?Determine whether systems important to safety are performing their

intended functions;

?Determine the likelihood of a gross breach of the ba rriers to radioactivity release;?Determine if a gross breach of a barrier has occurred; and (continued)

PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-3Revision 0APPLICABLE SAFETY ANALYSES(continued)

?Initiate action necessary to protect the public and to estimate the magnitude of any impending threat.PAM instrumentation that meets the definition of TypeA in Regulatory Guide1.97 satisfies Criterion3 of 10CFR 50.36(c)(2)(ii). CategoryI, non-TypeA, instrumentation must be retained in TS because it is intended to assist operators in minimizing the consequences of accidents. Therefore, CategoryI, non-TypeA, variables are important for reducing public risk.LCOThe PAM instrumentation LCO provides OPERABILITY requirements for Regulatory Guide1.97 TypeA monito rs, which provide information required by the control room operators to perform certain manual actions specified in the plant Emergency Operating Procedures. These manual actions ensure that a system can acc omplish its safety function, and are credited in the safety analyses. Additionally, this LCO addresses Regulatory Guide1.97 instruments that have been designated CategoryI, non-TypeA.The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assess unit status following an accident. This capability is consistent with Reference1.LCO3.3.3 requires two OPERABLE channels for most Functions. Two OPERABLE channels ensure no single failure prevents operators from getting the information necessary for them to determine the safety status of the unit, and to bring the unit to and maintain it in a safe condition following an accident.

Furthermore, OPERABILITY of tw o channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The exception to the two channel requi rement is Containment Isolation Valve (CIV) Position. In this case, the imp ortant information is the status of the containment penetrations. The LC O requires one position indicator for each active CIV. This is sufficient to redundantly ve rify the isolation status of each isolable penetration either via indicated status of the active valve

and prior knowledge of a pa ssive valve, or via sy stem boundary status. If a normally active CIV is known to be closed and deactivated, position (continued)

North Anna Units 1 and 2B 3.3.3-4Revision 40PAM Instrumentation B 3.3.3BASESLCO(continued) indication is not needed to determ ine status. Therefore, the position indication for valves in this stat e is not required to be OPERABLE.Table3.3.3-1 lists all TypeA and CategoryI variables identified by the plant specific Regulatory Guide1.97 analyses (Ref.1).Reference1, Technical Report PE-0013, North Anna Power Station Response to Regulatory Guide1.97 and Reference4, Technical

Requirements Manual (TRM) Section3.3.9 - Regulatory Guide (RG) 1.97 Instrumentation, provide specific design and qualificati on requirements for RG1.97 instrumentation.Listed below are discussions of the spec ified instrument Functions listed in Table3.3.3-1.1, 2.Power Range and Source Range Neutron FluxPower Range and Source Range Neutron Flux indication is provided to verify reactor shutdown. This indication is provided by the

Gammametric channels. The two ra nges are necessary to cover the full range of flux that may occur post accident.

Neutron flux is used for accide nt diagnosis, verification of subcriticality, and diagnosis of positive reactivity insertion.3, 4.Reactor Coolant System (RCS)

Hot and Cold Leg Temperatures (Wide Ranges)

RCS Hot and Cold Leg Temperatur e wide range indications are CategoryI variables provided for verification of core cooling and long term surveillance.

The RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions necessary to establish natural circulation in the RCS.

The channels provide indication over a range of 0°F to 700°F.

PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-5Revision 0 LCO(continued)5.Reactor Coolant System Pressure (Wide Range)RCS wide range pressure is a CategoryI variable provided for verification of core cooling and RC S integrity long term surveillance.

RCS pressure is used to verify closure of spray line valves and

pressurizer power operated relief valves (PORVs).

In addition to these verificatio ns, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin will allow termination of safety injecti on (SI), if still in progress, or reinitiation of SI if it has been stopped. RCS pressure can also be used:?to determine whether to terminate actuated SI or to reinitiate stopped SI;

?to determine when to reset SI and shut off low head SI;

?to manually restart low head SI;

?to make a decision on operation of reactor coolant pumps (RCPs);

and?to make a determination on the natu re of the accident in progress and where to go next in the procedure.

RCS subcooling margin is also used for unit stabilization and

cooldown control.

RCS pressure is also re lated to three decisions about depressurization.

They are:

?to determine whether to proceed with primary system depressurization;

?to verify termination of depressurization; and

?to determine whether to close accu mulator isolation valves during a controlled cooldown/depressurization.

Another use of RCS pressure is to determine whether to operate the

pressurizer heaters.

(continued)

North Anna Units 1 and 2B 3.3.3-6Revision 0PAM Instrumentation B 3.3.3BASESLCO5.Reactor Coolant System Pressure (Wide Range)

(continued)RCS pressure is a TypeA variable because the operator uses this indication to monitor subcooling margin during the cooldown of the RCS following a steam ge nerator tube rupture (S GTR) or small break LOCA. Operator actions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would use this

indication.6.Inadequate Core Cooling Monitoring (ICCM) System The ICCM consists of three functi onal subsystems. Each subsystem is composed of two instrumentation trains. The three subsystems of ICCM are: the Reactor Vessel Level Instrumentation System (RVLIS); Core Exit Temper ature Monitoring (CETM); and Subcooling Margin Monitor (SMM).

The functions provided by the subsystems are discussed below.6.aReactor Vessel Level Instrumentation System RVLIS is provided for verification a nd long term surveillance of core cooling. It is also used to determine reactor coolant inventory

adequacy.

The RVLIS provides a measurement of the collapsed liquid level above the upper core plate. The coll apsed level represents the amount of liquid mass that is in the reactor vessel above the core.

Measurement of the collapsed water level is selected because it is an indication of the water inventory.6.bReactor Coolant System Subcooling Margin Monitor The RCS SMM is a Category I variab le provided for verification of core cooling. The SMM subsystem calc ulates the margin to saturation for the RCS from inputs of wide ra nge RCS pressure transmitters and the average of the five highest temperature core exit thermocouples. The two trains of SMM receive inputs from separate trains of pressure

transmitters and core ex it thermocouples (CETs).

(continued)LCO6.bReactor Coolant System Subcooling Margin Monitor (continued)

The SMM indicators are redundant to the information provided by the RCS hot and cold leg temperatur e and RCS wide range pressure indicators. RCS subcooling margin wi ll allow termination of SI, if still in progress, or re initiating of SI if it has been secured. RCS subcooling margin is also used for unit stabilization, cooldown control, and RCP trip criteria.

The SMM indicates the degree of subcooling from -35F (superheated) to +200F (subcooled).

PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-7Revision 06.cCore Exit Temperature Monitoring CETM is provided for verification a nd long term surveillance of core cooling. Two OPERABLE CETs per channel are required in each core quadrant to provide indicati on of radial distribution of the coolant temperature rise across re presentative regions of the core.

Two sets of two thermocouples ensure a single failure will not disable the ability to determine the radial temperature gradient. Monitoring of the CETs is available through the In adequate Core Cooling Monitor. Different CETs are connected to their respective channel, so a single

CET failure does not affect bot h channels. The following CET indication is provided in the control room:

?Five hottest thermocouples (ranked from highest to lowest);

?Maximum, Average, and Minimum te mperatures for each quadrant; and?Average of the five high thermocouples.7.Containment Sump Water Level (Wide Range)

Containment Sump Water Level is provided for verification and long term surveillance of RCS integrity.

Containment Sump Water Level is used for accident diagnosis.LCO8, 9.Containment Pressure and Containment Pressure Wide Range (continued)

Containment Pressure and Contai nment Pressure Wide Range are provided for verification of RCS and containment OPERABILITY.Containment Pressure channels are used to verify Safety Injection (SI) initiation and PhaseA isolation on a Containment Pressure-High signal. These channels are also used to verify closure of the Main Steam Trip Valves on a Containm ent Pressure-Intermediate High High signal. The Containment Pressure channels are also used to verify initiation of Containment Spray and PhaseB isolation on a Containment Pressure-High High signal.10.Penetration Flow Path Contai nment Isolation Valve PositionCIV Position is provided for verification of Containment OPERABILITY, and PhaseA and PhaseB isolation.When used to verify PhaseA and PhaseB isolation, the important information is the isolation status of the containment penetrations.

The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active CIV in a containment North Anna Units 1 and 2B 3.3.3-8Revision 0PAM Instrumentation B 3.3.3BASESpenetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves. For containment penetrations with onl y one active CIV having control room indication, Note (b

) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolab le penetration either via indicated status of the active valve, as a pplicable, and prior knowledge of a passive valve, or via system boundary status. If a normally active CIV is known to be closed and deactivated, position indication is not

needed to determine status. Ther efore, the position indication for valves in this state is not required to be OPERABLE. Note (a) to the

Required Channels states that the Function is not required for isolation valves whose associated pe netration is isolated by at least one closed and deactivated automatic valve, closed manual valve,

blind flange, or check valve with flow through the valve secured.

Each penetration is treated separate ly and each penetration flow path is considered a separate function.

Therefore, separate Condition entry is allowed for each inoperabl e penetration flow path.

PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-9Revision 17 LCO(continued)11.Containment Area Radiation (High Range)

Containment Area Radiation is pr ovided to monitor for the potential of significant radiation releases a nd to provide release assessment for use by operators in determining th e need to invoke site emergency plans. Containment radiation level is used to determine if adverse containment conditions exist.12.Deleted13.Pressurizer Level Pressurizer Level is used to determin e whether to terminate SI, if still in progress, or to reinitiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the unit conditions necessary to establish natural circulation in the RCS and to verify that

the unit is maintained in a safe shutdown condition.14, 15.Steam Generator Water Level (Wide and Narrow Ranges)

SG Water Level is provided to monitor operation of decay heat removal via the SGs. Both wide and narrow ranges are CategoryI indications of SG level. The wide range level covers a span of +7 to -

41feet from nominal full load water level. The narrow range instrument covers from +7 to -5feet of nominal full load water level.The level signals are inputs to the unit computer, control room

indicators, and the Auxi liary Feedwater System.

SG Water Level is used to:

?identify the affected SG following a tube rupture;

?verify that the intact SGs are an adequate heat sink for the reactor;

?determine the nature of the accident in progress (e.g., verify a SGTR); and

?verify unit conditions for termination of SI.LCO14, 15.Steam Generator Water Level (Wide and Narrow Ranges)

(continued)

Operator action is based on the cont rol room indication of SG level.

The RCS response during a design basis small break LOCA depends on the break size. For a certain range of break sizes, a secondary heat sink is necessary to remove decay heat. Narrow range level is a TypeA variable because the operator must manually raise and control SG level.

North Anna Units 1 and 2B 3.3.3-10 Revision 17PAM Instrumentation B 3.3.3BASES16.Emergency Condensate St orage Tank (ECST) LevelECST Level is provided to ensure water supply for auxiliary feedwater (AFW). The ECST provides the ensured safety grade water supply for the AFW Syst em. Inventory is moni tored by a 0% to 100% level indication and ECST Level is displayed on a control room

indicator.

The DBAs that require AFW are the loss of offsite electric power, loss of normal feedwater, SG TR, steam line break (S LB), and small break LOCA.

The ECST is the initial source of water for the AFW System.

However, as the ECST is depleted, manual operator action is necessary to replenish the ECST.17.Steam Generator PressureSG pressure is a CategoryI variable and provides an indication of the integrity of a steam generator. Th is indication can provide important information in the event of a faul ted or ruptured steam generator.18.High Head Safety Injection (HHSI) FlowTotal HHSI flow to the RCS cold legs is a TypeA variable and provides an indication of the total borated water supplied to the RCS.

For the small break LOCA, HHSI flow may be the only source of

borated water that is injected into the RCS. Total HHSI flow is a Type A variable because it provides an indication to the operator for the RCP trip criteria.

PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-11Revision 8APPLICABILITYThe PAM instrume ntation LCO is applicable in MODES1, 2, and3. These variables are related to the diagnosis and pre-planned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES1, 2, and3. In MODES4, 5, and6, unit condi tions are such that the likelihood of an event that would require PAM instrumentation is low; therefore, the PAM instrumentation is not require d to be OPERABLE in these MODES.ACTIONSA Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditi ons of this Specification may be entered independently for each Function listed on Table3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1ConditionA applies when one or mo re Functions have one required channel that is inoperable. Required ActionA.1 requires restoring the inoperable channel to OPERABLE status within 30days. The 30day Completion Time is based on operating experience and takes into account

the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1ConditionB applies when the Require d Action and associated Completion Time for ConditionA are not met.

This Required Action specifies immediate initiation of actions in Specification 5.6.6, which requires a written report to be submitted to the NRC within the following 14days.

This report discusses the results of the root cause evaluation of the inoperability and identif ies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement since alternative actions are identified before loss of functional capability, and given the likelihood of unit conditions that would require information provided by this instrumentation.

North Anna Units 1 and 2B 3.3.3-12 Revision 46PAM Instrumentation B 3.3.3BASESACTIONS(continued)

C.1ConditionC applies when one or more Functions have two inoperable required channels (i.e., two channels inoperable in the same Function).

Required ActionC.1 requires restoring one channel in th e Function(s) to OPERABLE status within 7days. The Completion Time of 7days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of a lternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable becaus e the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring re storation of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.D.1 andD.2If the Required Action and associated Completion Time of ConditionD is not met the unit must be brought to a MODE where the requirements of this LCO do not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and MODE4 within 12hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.SURVEILLANCE

REQUIREMENT

SA Note has been added to the SR Table to clarify that SR3.3.3.1 and SR3.3.3.3 apply to each PAM instrumentation Function in Table3.3.3-1 with the exception that SR3.3.3.3 is not required to be performed on

containment isolation valve position indication. SR3.3.3.4 is required for

the containment isolation valve position indication.SR3.3.3.1Performance of the CHANNEL CHECK ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parame ter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that

instrument channels monitoring the same parameter should read (continued)

PAM Instrumentation B 3.3.3BASESNorth Anna Units 1 and 2B 3.3.3-13Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.3.1 (continued)approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to oper ate properly between each CHANNEL CALIBRATION. The high radiation in strumentation should be compared to similar unit instruments located throughout the unit.Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainti es, including isolation, indication, and readability. If a channel is outside th e criteria, it may be an indication that the sensor or the signal processing equipment has drifted out side its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.As specified in the SR, a CHANN EL CHECK is only required for those channels that are normally energized.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.3.2 Not Used SR3.3.3.3CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifi es that the channel responds to measured parameter with the necessary range and accuracy. This SR is modified by a Note that excludes neutron detectors. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the CET sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

North Anna Units 1 and 2B 3.3.3-14 Revision 46PAM Instrumentation B 3.3.3BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.3.3.4SR3.3.3.4 is the performance of a TADO T of containment isolation valve position indication. This TADOT is performed every 18months. The test shall independently verify the OPERABILITY of containment isolation

valve position indication against th e actual position of the valves.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.Technical ReportPE-0013.2.Regulatory Guide1.97, May 1983.3.NUREG-0737, Supplement1, "TMI Action Items."

4.Technical Requirements Manual North Anna Units 1 and 2B 3.3.4-1Revision 0 Remote Shutdown System B 3.3.4B 3.3 INSTRUMENTATIONB 3.3.4Remote Shutdown SystemBASESBACKGROUNDThe Remote Shutdown System pr ovides the control room operator with sufficient instrumentation and contro ls to maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect ag ainst the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE3. With the unit in MODE3, the Auxiliary Feedwater (AFW)

System and the steam generator (S G) power operated relief valves (PORVs) can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolan t System (RCS) from outside the control room allows extended operation in MODE3.

If the control room becomes inaccessible, the operators can establish control at the auxiliary shutdown panel, and maintain the unit in MODE3. Not all controls and necessary transfer switches are located at the auxiliary shutdown panel. Some controls and tr ansfer switches will have to be operated locally at the switchgear, mo tor control panels, or other local stations. The unit automatically reaches MODE3 following a unit shutdown and can be maintained safely in MODE3 for an extended period of time.

The OPERABILITY of the remote sh utdown control and instrumentation functions ensures there is sufficient information available on selected unit parameters to maintain the unit in MODE3 should the control room

become inaccessible.APPLICABLE SAFETY ANALYSESThe Remote Shutdown System is re quired to provide equipment at appropriate locations outside the control room with a capability to maintain the unit in a safe condition in MODE3.

The criteria governing the design and sp ecific system requirements of the Remote Shutdown System are located in Reference1.

The Remote Shutdown System satisfies Criterion4 of 10CFR50.36(c)(2)(ii).

North Anna Units 1 and 2B 3.3.4-2Revision 0 Remote Shutdown System B 3.3.4BASESLCOThe Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and controls necessary to maintain the unit in MODE3 from a location other than the control room. The instrumentation and controls required are listed in TableB3.3.4-1.

The controls, instrumentation, and tr ansfer switches are required for:*Core reactivity control (long term);*RCS pressure control;

  • Decay heat removal via the AFW System and the SG PORVs; and
  • RCS inventory control via charging flow.

A Function of a Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the Remote Shutdown System Function are OPERABLE. In some cases, TableB3.3.4-1 may indicate that the required information or control capability is available from several

alternate sources. In these cases, the Function is OPERABLE as long as

one channel of any of the alternate information or control sources is OPERABLE.

The remote shutdown instrument and c ontrol circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments a nd control circuits will be OPERABLE if unit conditions require that the Remo te Shutdown System be placed in operation.APPLICABILITYThe Remote Shutdown System LCO is applicable in MODES1, 2, and3.

This is required so that the unit can be maintained in MODE3 for an extended period of time from a loca tion other than the control room.This LCO is not applicable in MODE4, 5, or6. In these MODES, the

facility is already subcritical and in a condition of reduced RCS energy.

Under these conditions, cons iderable time is availa ble to restore necessary instrument control functions if cont rol room instruments or controls become unavailable.

Remote Shutdown System B 3.3.4BASESNorth Anna Units 1 and 2B 3.3.4-3Revision 46ACTIONSA Remote Shutdown System functi on is inoperable when the function is not accomplished by at least one designed Remote Shutdown System channel that satisfies the OPERAB ILITY criteria for the channel's Function. These criteria are outlined in the LCO section of the Bases.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. Separate C ondition entry is allowed for each Function. The Completion Time(s) of th e inoperable channe l(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was en tered for that Function.

A.1ConditionA addresses the situation wh ere one or more required Functions of the Remote Shutdown System are in operable. This includes the control and transfer switches for any required function.

The Required Action is to restore the required Function to OPERABLE status within 30days. The Completion Time is based on operating

experience and the low pr obability of an even t that would require evacuation of the control room.B.1 andB.2If the Required Action and associated Completion Time of ConditionA is not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasonable, based on operati ng experience, to reach the required unit conditions from full power conditions in an orderly manner and

without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.3.4.1 Performance of the CHANNEL CHECK en sures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a

comparison of the parameter indica ted on one channel to a similar parameter on other channels. It is ba sed on the assumption that instrument channels monitoring the same parame ter should read approximately the

same value. Significant deviations between the two instrument channels could be an indication of (continued)

North Anna Units 1 and 2B 3.3.4-4Revision 46 Remote Shutdown System B 3.3.4BASESSURVEILLANCE REQUIREMENT

SSR3.3.4.1 (continued) excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will de tect gross channel failure; thus, it is key to verifying that the instru mentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the si gnal processing equi pment has drifted outside its limit.

As specified in the Surveillance, a CHANNEL CHECK is only required for those channels which are normally energized.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.4.2SR3.3.4.2 verifies each required Remote Shutdown System control circuit and transfer switch performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be sati sfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the unit can be maintained in MODE3 from the remote shutdown panel and

the local control stations. The Surveillance Frequency is based on

operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Remote Shutdown System B 3.3.4BASESNorth Anna Units 1 and 2B 3.3.4-5Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.3.4.3CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

Whenever a sensing element is repl aced, the next required CHANNEL CALIBRATION of the resistance temperature detector (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter3.

North Anna Units 1 and 2B 3.3.4-6Revision 0 Remote Shutdown System B 3.3.4TableB 3.3.4-1 (page1 of1)

Remote Shutdown System Instrumentation and ControlsFUNCTION/INSTRUMENTOR CONTROL PARAMETERREQUIREDNUMBER OF FUNCTIONS

1. Reactivity Controla.Boric Acid Pump controls
12. Reactor Coolant System (RCS) Pressure Control
a. Pressurizer Pressure indications 1b.Pressurizer Heater controls 13.Decay Heat Removal via Steam Generators (SGs)a.RCS Tavg Temperature indication1loopb.AFW Pump and Valve controls 1c.SG Pressure indication 1d.SG Level (Wide Range) indication 1e.SG Power Operated Relief Valve controls 1f.AFW Discharge Header Pressure indication 1g.Emergency Condensate Storage Tank Level indication 14.RCS Inventory Controla.Pressurizer Level indication 1b.Charging Pump controls 1c.Charging Flow control 1

North Anna Units 1 and 2B 3.3.5-1Revision 0LOP EDG Start Instrumentation B 3.3.5B 3.3 INSTRUMENTATIONB 3.3.5Loss of Power (LOP) Emergency Diesel Generator (EDG) Start InstrumentationBASESBACKGROUNDThe EDGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs on the emergency buses. There are two required LOP start signals for each 4.16kV emergency bus.Undervoltage relays are provided on each 4160V Class1E bus for detecting a loss of bus voltage or a sustained degraded voltage condition.

The relays are combined in a two-out

-of-three logic to generate a LOP signal. A loss of voltage start of the EDG is initiated when the voltage is less than 74% of rated voltage and lasts for approximately 2seconds. A

degraded voltage start of the EDG is produced when th e voltage is less than 90% of rated voltage sustained for approximately 56seconds. The time

delay for the degraded voltage start signal is reduced to approximately 7.5seconds with the presence of a Sa fety Injection signal for the H and J bus on this unit.One 4160VAC bus from the other unit is needed to support operation of each required Service Water (SW) pump, Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS) fan, Auxiliary Building central exhaus t fan, and Component Cooling Water (CC) pump. SW, MCR/ESGR EVS, A uxiliary Building central exhaust system, and CC are shared systems.The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for Engineered Safety Features Actuation System (ESFAS) action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be acceptable. The Allowable Value is considered a lim iting value such that a channel is OPERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL CALIBRATION. Note that, although a channel is

OPERABLE under these circumstances, th e setpoint must be left adjusted to within the established calibra tion tolerance band of the setpoint (continued)

North Anna Units 1 and 2B 3.3.5-2Revision 0LOP EDG Start Instrumentation B 3.3.5BASESBACKGROUND (continued)in accordance with uncertainty assumptions stated in the referenced setpoint methodology, (as-left-criteria) and confir med to be operating with the statistical allowances of the uncertainty terms assigned.Allowable Values and LOP EDG St art Instrumentation Setpoints The trip setpoints are summarized in Reference3. The selection of the Allowable Values is such that ade quate protection is provided when all sensor and processing time delays are taken into account.

Setpoints adjusted consistent with the requirement of the Allowable Value ensure that the consequences of accid ents will be accep table, providing the unit is operated from within the LCOs at the onset of the accident and that the equipment functions as designed.Allowable Values are specified for each Function in SR3.3.5.2. Nominal trip setpoints are also specified in the unit specific setpoint calculations and listed in the Technical Requirements Manual (TRM) (Ref.2). The trip setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measur ed setpoint does not exceed the Allowable Value, the relay is considered OPERABLE. Operation with a

trip setpoint less conservative than th e nominal trip setpoint, but within the Allowable Value, is acceptable provi ded that operation and testing is consistent with the assumptions of the unit specific setpoint calculation (Ref.3).APPLICABLE SAFETY ANALYSESThe LOP EDG start instrumentation is required for the Engineered Safety Features (ESF) Systems to function in any accident with a loss of offsite power. Its design basis is that of the ESFAS.Accident analyses credit the loading of the EDG based on the loss of offsite power during a loss of c oolant accident (LOCA). The actual EDG start has historically been associated with the ESFAS actuation. The EDG loading has been included in the delay time associated with each safety system component requiring EDG supplied power following a loss of offsite power. The analyses assume a non-mechanistic (continued)

LOP EDG Start Instrumentation B 3.3.5BASESNorth Anna Units 1 and 2B 3.3.5-3Revision 0APPLICABLE SAFETY ANALYSES(continued)

EDG loading, which does not explicit ly account for each individual component of loss of power det ection and subsequent actions.

The required channels of LOP EDG st art instrumentation, in conjunction with the ESF systems powered from the EDGs, provide unit protection in the event of any of the analyzed accidents discussed in Reference5, in which a loss of offsite power is assumed.

The delay times assumed in the safe ty analysis for the ESF equipment include the 10second EDG start delay, and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in LCO3.3.2, "Engineered Safety Feature Actuation System (ESFAS)

Instrumentation," include the appr opriate EDG loading and sequencing delay if applicable.

The LOP EDG start instrumentation channels satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe LCO for LOP EDG start instrume ntation requires that three channels per bus of both the loss of voltage a nd degraded voltage Functions shall be OPERABLE in MODES1, 2, 3, and4 when the LOP EDG start

instrumentation supports safety systems associated with the ESFAS. This is associated with the requirement of LCO3.3.5.a for this unit's H and J buses. LCO3.3.5.b specifies that for a re quired H and/or J bus on the other unit that is needed to support a require d shared component for this unit, the LOP EDG start instrumentation for th e required bus must be OPERABLE. The other unit's required H and/or J bus are required to be OPERABLE to support the SW, MCR/ESGR EVS, Auxi liary Building cent ral exhaust, and CC functions needed for this unit.

These Functions share components,

pumps, or fans, which are electricall y powered from both units. A channel is OPERABLE with a trip setpoint va lue outside its calibration tolerance band provided the trip setpoint "as-found" value doe s not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the "as-left" calibration toleranc e band of the trip setpoint. A trip setpoint ma y be set more conservative than the trip setpoint specified in the TRM (Ref.2) as neces sary in response to unit conditions. In MODES5 or6, the three channels must be OPERABLE whenever the associated EDG is required to be OPERABLE to ensure that the automatic start of(continued)

North Anna Units 1 and 2B 3.3.5-4Revision 0LOP EDG Start Instrumentation B 3.3.5BASESLCO(continued)the EDG is available when needed. Loss of the LOP EDG Start Instrumentation Function could result in the delay of safety systems initiation when required. This could lead to unacceptable consequences

during accidents. During the loss of offsite power the EDG powers the

motor driven auxiliary feedwater pumps

. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased

potential for a loss of decay heat removal through the secondary system.APPLICABILITYThe LOP EDG Start Instrumentation Functions are required in MODES1, 2, 3, and4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODE5 or6 is required whenever the

required EDG must be OPERABLE so th at it can perform its function on a LOP or degraded power to the emergency bus.ACTIONSIn the event a channel's trip set point is found nonconservative with respect to the Allowable Value, or the ch annel is found inoperable, then the function that channel provides must be declared inoperable and the LCO Condition entered for the particular protection function affected.

Because the required channels are specified on a per bus basis, the Condition may be entered separate ly for each bus as appropriate.

A Note has been added in the ACTI ONS to clarify the application of Completion Time rules. The Conditi ons of this Specification may be entered independently for each Func tion listed in the LCO and for each emergency bus. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was en tered for that Function for the associated emergency bus.

A.1ConditionA applies to the LOP EDG start Function with one loss of voltage or degraded voltage channel per bus inoperable.

If one channel is inoperable, Required ActionA.1 requires that channel to be placed in trip within 72hours.

A plant-specific risk assessment, consistent with Reference4, (continued)

LOP EDG Start Instrumentation B 3.3.5BASESNorth Anna Units 1 and 2B 3.3.5-5Revision 0ACTIONSA.1 (continued)was performed to justify the 72hour Completion Time. With a channel in trip, the LOP EDG start instrumentation channels are confi gured to provide a one-out-of-two logic to initiate a trip of the incoming offsite power.

A Note is added to allow bypassi ng an inoperable channel for up to 12hours for surveillance testing of othe r channels. A plant-specific risk assessment, consistent with Reference4, was performed to justify the 12hour time limit. This allowance is made where bypassing the channel does not cause an actuation and where normally, excluding required testing, two other channels are monitoring that parameter.The specified Completion Time and time allowed for bypassing one channel are reasonable consider ing the Function remains fully OPERABLE on every bus and the low probability of an event occurring

during these intervals.

B.1ConditionB applies when more than one loss of voltage or more than one degraded voltage channel on an emergency bus is inoperable.Required ActionB.1 requires restori ng all but one channel to OPERABLE status. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time s hould allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

C.1ConditionC applies to each of the LOP EDG start Functions when the Required Action and associated Completion Time for ConditionA orB are not met.In these circumstances the Conditions specified in LCO3.8.1, "AC Sources-Operating," or LCO3.8.2, "AC Sources-Shutdown," for the

EDG made inoperable by failure of the LOP EDG start instrumentation are required to be entered immediately. Th e actions of those LCOs provide for adequate compensatory actions to assure unit safety.

North Anna Units 1 and 2B 3.3.5-6Revision 46LOP EDG Start Instrumentation B 3.3.5BASESSURVEILLANCE REQUIREMENT

SSR3.3.5.1SR3.3.5.1 is the performance of a TA DOT for channels required by LCO3.3.5.a and LCO3.3.5.b. A successful te st of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay.

This clarifies what is an acceptable TADOT of a relay. This is acceptabl e because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at an 18 month frequency with applicable extensions. The test checks trip device s that provide actuation signals directly, bypassing the an alog process control equipment.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to the loss of voltage and degraded voltage relays for the 4160VAC emer gency buses, setpoi nt verification requires elaborate bench calibrati on and is accomplished during the CHANNEL CALIBRATION. Each train or logic channel shall be

functionally tested up to and including input coil continuity testing of the ESF slave relay. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.5.2SR3.3.5.2 is the performance of a CHANNEL CALIBRATION for channels required by LCO3.3.5.a and LCO3.3.5.b.

The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay, as shown in Reference1.CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. The verification of degraded voltage wi th a SI signal is not required by LCO3.3.5.b.

(continued)

LOP EDG Start Instrumentation B 3.3.5BASESNorth Anna Units 1 and 2B 3.3.5-7Revision 46SURVEILLANCE REQUIREMENT

SSR3.3.5.2 (continued)

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.3.5.3 This SR ensures the individual ch annel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis for channels required by LCO3.3.5.a and LCO3.3.5.b. Response Time testing acceptance criteria are included in the TRM (Ref.2).

Individual component res ponse times are not modele d in the analyses. The analyses model the overall or total el apsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure

, valves in full open or closed position).

For channels that include dynamic tr ansfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulti ng measured response time compared to the appropriate TRM response time. Alternately, the response time test can be performed with the time constant s set to their nominal value provided the required response time is analyti cally calculated assuming the time constants are set at th eir nominal values. The response time may be measured by a series of overlapping test s such that the entire response time is measured.

Response time may be verified by actual response ti me test in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, sign al processing and actuation logic response times with actual response time tests on the remainder of the channel.

Testing of the final actuation device s, which make up the bulk of the response time, is included in the testing of each channel.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section8.3.2.Technical Requirements Manual.3.RTS/ESFAS Setpoint Methodology Study (Technical ReportEE-0116).

North Anna Units 1 and 2B 3.3.5-8Revision 46LOP EDG Start Instrumentation B 3.3.5BASES4.WCAP14333-P-A, Rev.1, October1998.5.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.3.6-1Revision 39 MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6B 3.3 INSTRUMENTATIONB 3.3.6Main Control Room/Emergency Switchge ar Room (MCR/ESGR) Envelope Isolation Actuation InstrumentationBASESBACKGROUNDThe MCR/ESGR Envelope Isolation func tion provides a protected environment from which operators can control the unit following an uncontrolled release of radioactivity. During normal operation, the MCR and Relay Room Air Cond ition System provides unfiltered make up air and cooling. Upon receipt of an MCR/ES GR Envelope Isolation actuation signal from either unit Safety Injecti on (SI), High Radiation or manual, the Unit1 and2 control room normal ventil ation intake and exhaust ducts are isolated to prevent unfiltered makeup air from entering the control room. In addition to MCR/ESGR envelope isolation, an SI signal also automatically starts the affected units MCR/ESGR EVS fans to provide filtered

recirculated air within the MCR/ES GR envelope. The Fuel Building High Radiation or manual initiation starts bot h units' available EVS train fans in the recirculation mode. Manual operato r action is required to align the MCR/ESGR EVS to provided filtered makeup air. The MCR/ESGR EVS is described in the Bases for LCO3.7.10, "Main Control Room/Emergency Switchgear Room Emergency Ventilation System."There are four independent and redundant trains of manual actuation

instrumentation for the MCR/ESGR Envelope Isolation. Each manual actuation train consists of two actuation switches (channels), and the

interconnecting wiring to the actuation circuitry. Only one switch (channel) per train and two of the four trains are required for the system to maintain independence and redundancy.

The MCR/ESGR Envelope Is olation is actuated on a SI signal from either unit, a Fuel building High Radiation signal or manual switches in the MCR. The Safety Injection Function is discussed in LCO3.3.2,

"Engineered Safety Feature Actuation System (ESFAS) Instrumentation."APPLICABLE SAFETY ANALYSESThe control room must be kept habitable for the operators stationed there

during accident recovery and post accident operations. The MCR/ESGR Envelope Isolation actuation on a SI signal acts to automatically terminate

the supply of (continued)

North Anna Units 1 and 2B 3.3.6-2Revision 39 MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6BASESAPPLICABLE SAFETY ANALYSES(continued) unfiltered outside air to the control room and initiate filtration in the

recirculation mode. Manual actions ar e required to align the MCR/ESGR EVS to provide filtered make up air to the MCR/ESGR envelope.The safety analysis for a loss of coolant accident in MODES1-4 assumes automatic isolation of the MCR/ESGR envelope on a SI signal and manual initiation of filtered outside air flow within 1hour.

No credit is taken for filtered recirculation or pressurization provided by the MCR/ESGR EVS. The safety analysis for a fuel handling accident (FHA) assumed manual isolation of the MCR/ESGR envelope and manual initiation or positioning of the MCR/ESGR EVS to supply filtered air flow within 1hour. For the

remaining design basis accidents, MCR/

ESGR envelope isolation is not assumed. Normal ventilation inflow with 500cfm of a dditional unfiltered inleakage is assumed.The accident analysis assumes norma l ventilation during a toxic gas or smoke incident. The MCR/ESGR envel ope isolation is not required to mitigate the consequences of these events.

The MCR/ESGR EVS actuation instrume ntation satisfies Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe LCO requirements ensure that in strumentation necessary to initiate isolation of the MCR/ESGR envelope is OPERABLE.1.Manual Initiation The LCO requires one channel per train and two trains OPERABLE. The operator can initia te the MCR/ESGR isolation at any time by using any one of the two switches in a train from the

control room. This action will cause actuation of components in the same manner as the automatic actuation signal.

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in th e manual actuation circuitry to ensure the operator has manual initiation capability.

Each train consists of two switches (channels) and the interconnecting wiring to the actuation circuitry.

MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6BASESNorth Anna Units 1 and 2B 3.3.6-3Revision 39 LCO(continued)2.Safety InjectionRefer to LCO3.3.2 Function1 for all initiating Functions and requirements.APPLICABILITYThe MCR/ESGR Envelope Isolation Functi ons must be operable in MODES1, 2, 3, and4 and during the movement of recently irradiated fuel

assemblies to provide the require d MCR/ESGR envelope isolation initiation assumed in the applicable safety analyses. In MODES5 and6, when no fuel movement involving recently irradiated fuel (i.e., fuel that

has occupied part of a cr itical reactor core within the previous 300hours) is taking place, there are no requirements for MCR/ESGR EVS instrumentation OPERABILITY consis tent with the safety analyses assumptions applicable in these MODES.

In addition, the manual channels ar e required OPERABLE when moving recently irradiated fuel.ACTIONSA Note has been added to the AC TIONS indicating that separate Condition entry is allowed for each Function. The Conditions of this Specification may be entered independently for each Function listed in Table3.3.6-1 in the accompanying LCO. The Completion Time(s) of the inoperable train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that FunctionA.1.

A.1ConditionA applies to the Manual Function of the MCR/ESGR EVS.

If one train is inoperable, in one or more Functions, 7days are permitted to restore it to OPERABLE status. The 7day Completion Time is the same as is allowed if one train of the MCR/ESGR EVS is inoperable. The basis for this Completion Time is the same as provided in LCO3.7.10. If the train

cannot be restored to OPERABLE st atus, the normal ventilation to the MCR/ESGR envelope must be isolat ed. This accomplishes the actuation instrumentation Function and places the unit in a conservative mode of

operation.

North Anna Units 1 and 2B 3.3.6-4Revision 39 MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6BASESACTIONS(continued)

B.1ConditionB applies to the failure of two MCR/ESGR Envelope Isolation actuation trains, or two manual trains. The Required Action is to isolate the normal ventilation to the MCR/ESGR envelope immediately. This accomplishes the actuation instrument ation Function that may have been lost and places the unit in a conservative mode of operation.C.1 andC.2ConditionC applies when the Require d Action and associated Completion Time for ConditionA orB have not been met and the unit is in MODE1, 2, 3, or4. The unit must be brought to a MODE in which the LCO requirements are not applicable. To ac hieve this status, the unit must be brought to MODE3 within 6hours and MODE5 within 36hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.D.1 andD.2ConditionD applies when the Require d Action and associated Completion Time for ConditionA orB have not been met when recently irradiated fuel assemblies are being move

d. Either the normal ventilation to MCR/ESGR envelope must be isolated or movement of recently irradiated fuel assemblies must be suspended immediat ely to reduce the risk of accidents that would require MCR/ESGR Envelope Isolation actuation.

MCR/ESGR Envelope Isolati on Actuation Instrumentation B 3.3.6BASESNorth Anna Units 1 and 2B 3.3.6-5Revision 46SURVEILLANCE REQUIREMENT

SA Note has been added to the SR Table to clarify that Table3.3.6-1 determines which SRs apply to wh ich MCR/ESGR Envelope Isolation Actuation Functions.SR3.3.6.1SR3.3.6.1 is the performance of a TADOT.

This test is a check of the Manual Actuation Functions

. Each Manual Actuation Function is tested up to, and including, the master relay coil

s. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some in stances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that ex cludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.REFERENCESNone Intentionally Blank North Anna Units 1 and 2B 3.4.1-1Revision 0RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1B 3.4REACTOR COOLANT SYSTEM (RCS)B 3.4.1RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)

LimitsBASESBACKGROUNDThese Bases address require ments for maintaining RCS pressure, temperature, and flow rate within li mits assumed in the safety analyses. The safety analyses (Ref.1) of norma l operating conditions and anticipated operational occurrences assume initia l conditions within the normal steady state envelope. The limits placed on RCS pressure, temperature, and flow rate ensure that the minimum de parture from nucleate boiling ratio (DNBR) will be met for each of the transients analyzed.The RCS pressure limit is consistent with operation within the nominal operational envelope. Pressurizer pressure indications are compared to the limit. A lower pressure will cause the reactor core to approach DNB limits.

The RCS coolant average temperature li mit is consistent with full power operation within the nominal opera tional envelope. RCS loop average temperature is compared to the lim it. A higher average temperature will cause the core to approach DNB limits.

The RCS flow rate norma lly remains constant during an operational fuel cycle with all pumps running. The mi nimum RCS flow limit corresponds to that assumed for DNB analyses. Flow rate indications are averaged to come up with a value for comparison to the limit. A lower RCS flow will

cause the core to approach DNB limits.

Operation for significant periods of time outside these DNB limits increases the likelihood of a fuel cladding failure in a DNB limited event.APPLICABLE SAFETY ANALYSESThe requirements of this LCO represent the initial conditions for DNB limited transients analyzed in the unit safety analyses (Ref.1). The safety

analyses have shown that transients initiated from the limits of this LCO will result in meeting the DNBR cr iterion. The limits on the DNB related parameters assure that each of the parameters are maintained within the

normal steady state envelope of (continued)

North Anna Units 1 and 2B 3.4.1-2Revision 0RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1BASESAPPLICABLE SAFETY ANALYSES(continued) operation assumed in the transient and accident analysis. The limits have been analytically demonstrated to be adequate to maintain a minimum DNBR greater than the design limit throughout each analyzed transient including allowances for measurement uncertainties. Changes to the unit that could impact these parameters must be assessed for their impact on the DNBR criteria. The transients analyzed for include loss of coolant flow

events and dropped or stuck rod events. A key assumption for the analysis of these events is that the core power distribution is within the limits of LCO3.1.6, "Control Bank Insertion Limits"; LCO3.2.3, "AXIAL FLUX DIFFERENCE (AFD)"; and LCO3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."The pressurizer pressure limit and RCS average temperature limit specified in the COLR equal the analytical li mits because of the application of statistical combination of uncertainty.

The RCS DNB parameters satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThis LCO specifies limi ts on the monitored process variables-pressurizer pressure, RCS average temperature, and RCS total flow rate-to ensure the core operates within the limits assumed in the safety analyses. These variables are contained in the COLR to provide operating and analysis flexibility from cycle to cycle. However, the minimum RCS flow, usually based on the maximum analyzed steam generator tube plugging, is retained in the LCO. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.

The numerical values for pressure, temp erature, and flow rate specified in the COLR are given for the measurement location have been adjusted for instrument error.APPLICABILITYIn MODE1, the limits on pressurizer pressure, RCS coolant average temperature, and RCS flow rate must be maintained during steady state operation in order to ensure DNBR criter ia will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. The (continued)

RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1BASESNorth Anna Units 1 and 2B 3.4.1-3Revision 0APPLICABILITY (continued) design basis events that are sensitive to DNB in other MODES (MODE2 through5) have sufficient margin to DNB, and therefore, there is no reason to restrict DNB in these MODES.

A Note has been added to indicate the limit on pressurizer pressure is not applicable during short term operational transients such as a THERMAL POWER ramp increase >5%RTP per minute or a THERMAL POWER step increase >10%RTP. These conditions represent short term

perturbations where actions to cont rol pressure variations might be counterproductive. Also, since they re present transients initiated from power levels <100%RTP, an increased DNBR margin exists to offset the

temporary pressure variations.The DNBR limit is provided in SL2.1.1, "Reactor Core SLs." The conditions which define the DNBR limit are less restrictive than the limits

of this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Shoul d a violation of this LCO occur, the operator must check whether or not an SL may have been exceeded.ACTIONSA.1RCS pressure and RCS average te mperature are controllable and measurable parameters. With one or both of these parameters not within LCO limits, action must be ta ken to restore parameter(s).

RCS total flow rate is not a controllab le parameter and is not expected to vary during steady state operation. If th e indicated RCS total flow rate is below the LCO limit, power must be reduced, as required by Required ActionB.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds.The 2hour Completion Time for restor ation of the parameters provides sufficient time to adjust unit parameters, to determine the cause for the off normal condition, and to restore the read ings within limits, and is based on unit operating experience.

North Anna Units 1 and 2B 3.4.1-4Revision 46RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1BASESACTIONS(continued)

B.1If Required ActionA.1 is not met within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE2 within 6hours. In MODE2, the reduced power condition eliminates the potential for violation of the accident analysis bounds. The Completion Time of 6hours is reasonable to reach the required unit c onditions in an orderly manner.SURVEILLANCE

REQUIREMENT

SSR3.4.1.1 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.1.2 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.1.3 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

RCS Pressure, Temperatur e, and Flow DNB Limits B 3.4.1BASESNorth Anna Units 1 and 2B 3.4.1-5Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.4.1.4 Measurement of RCS total flow ra te by performance of a precision calorimetric heat balance allows the installed RCS flow instrumentation to be calibrated and verifies the actual RC S flow rate is greater than or equal to the minimum required RCS flow rate.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that allows entry into MODE1, without having performed the SR, and placement of the unit in the best condition for performing the SR. The Note states that the SR is not required to be performed until 30days after 90% RTP. The 30day period after reaching 90% RTP is reasonable to establish st able operating conditions, install the test equipment, perform the test, and analyze the results. The Surveillance shall be performed within 30days after reaching 90% RTP.REFERENCES1.UFSAR, Chapter15.

Intentionally Blank North Anna Units 1 and 2B 3.4.2-1Revision 0RCS Minimum Temperature for Criticality B 3.4.2B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.2RCS Minimum Temperature for CriticalityBASESBACKGROUNDThis LCO is based upon meeting several major considerations before the reactor can be made critical a nd while the reactor is critical.

The first consideration is moderator temperature coefficient (MTC), LCO3.1.3, "Moderator Temperature Coefficient (MTC)." In the transient and accident analyses, the MTC is assu med to be in a range from slightly positive to negative and the operating temperature is assumed to be within the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the unit is operated

consistent with these assumptions.

The second consideration is the prot ective instrumentation. Because certain protective instrumentation (e.g., excore neutron detectors) can be affected by moderator temperature, a temperature value within the nominal operating envelope is chosen to en sure proper indication and response while the reactor is critical.

The third consideration is the pressu rizer operating characteristics. The transient and accident analyses assume that the pressurizer is within its normal startup and operating range (i

.e., saturated conditions and steam bubble present). It is also assumed that the RCS temperature is within its normal expected range for startup a nd power operation. Since the density of the water, and hence the response of the pressurizer to transients, depends upon the initial temperature of the moderator, a minimum value for moderator temperature within th e nominal operating envelope is chosen.

The fourth consideration is that the reactor vessel is a bove its minimum nil ductility reference temperature when the reactor is critical.APPLICABLE SAFETY ANALYSESAlthough the RCS minimum temperature for criticality is not itself an initial condition assumed in Design Ba sis Accidents (DBAs), the closely aligned temperature for hot zero power (HZP) is a process variable that is an initial (continued)APPLICABLE SAFETY ANALYSES(continued) condition of DBAs, such as the rod cluster control assembly (RCCA) withdrawal from subcritical, RCCA ejection, boron dilution at startup,

feedwater malfunction, main steam sy stem depressurization, and main steam line break accidents performed at zero power that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

North Anna Units 1 and 2B 3.4.2-2Revision 0RCS Minimum Temperature for Criticality B 3.4.2BASESAll low power safety analyses assume initial RCS loop temperatures the HZP temperature of 547F. The minimum temperature for criticality limitation provides a small band, 6F, for critical operation below HZP.

This band allows critical operation below HZP during unit startup and does not adversely affect any safety analyses since the MTC is not significantly affected by the small temperature difference between HZP and the minimum temperature for criticality.The RCS minimum temperature for criticality satisfies Criterion2 of 10CFR50.36(c)(2)(ii).

LCOCompliance with the LCO ensures that the reactor will not be made or maintained critical (keff 1.0) at a temperature less than a small band below the HZP temperature, which is assumed in the safety analysis.

Failure to meet the requirements of this LCO may produce initial

conditions inconsistent with the init ial conditions assumed in the safety analysis.APPLICABILITYIn MODE1 andMODE 2 with keff 1.0, LCO3.4.2 is applicable since the reactor can only be critical (keff 1.0) in these MODES.The special test exception of LCO3.1.9, "MODE2 PHYSICS TESTS

Exceptions," permits PHYSICS TESTS to be performed at 5%RTP with RCS loop average temperatures slight ly lower than normally allowed so that fundamental nuclear characteristics of the core can be verified. In order for nuclear characteristics to be accurately measured, it may be

necessary to operate outside the norma l restrictions of this LCO. For example, to measure the MTC at beginning of cycle, it is necessary to allow RCS loop average temperatures to fall below Tnoload, which may cause RCS loop average temperatures to fall below the temp erature limit of this LCO.ACTIONSA.1If the parameters that are outside the limit cannot be rest ored, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE2 with keff <1.0 within 30minutes. Rapid reactor shutdown can be readily and practically achieved within a 30minute period. The allowed time is reasonable, based on operating experience, to reach MODE2 with keff <1.0 in an orderly manner and without challenging unit systems.

RCS Minimum Temperature for Criticality B 3.4.2BASESNorth Anna Units 1 and 2B 3.4.2-3Revision 46SURVEILLANCE REQUIREMENT

SSR3.4.2.1 RCS loop average temperature is require d to be verified at or above 541F. The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCESNone.

Intentionally Blank North Anna Units 1 and 2B 3.4.3-1Revision 0 RCS P/T Limits B 3.4.3B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.3RCS Pressure and Temperature (P/T) LimitsBASESBACKGROUNDAll components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LC O limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions

and the stress limits for cyclic operation.

This LCO contains P/T limit curves for heatup, cooldown, inservice leak and hydrostatic (ISLH) test ing, and data for the maxi mum rate of change of reactor coolant temperature.

Each P/T limit curve defines an ac ceptable region for normal operation.

The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component mo st subject to bri ttle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to the pressurizer, which has different design characteristi cs and operating functions.10CFR50, AppendixG (Ref.1), requires the establishment of P/T limits for specific material fracture toughness requirements of the RCPB materials. Reference1 requires an adequate margin to brittle failure during normal operation, anticipated operati onal occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME) Code, SectionIII, AppendixG (Ref.2).

The neutron embrittlement effect on the material t oughness is reflected by increasing the nil ductility reference temperature (RTNDT) as exposure to neutron fluence increases.

(continued)BACKGROUND (continued)The actual shift in the RTNDT of the vessel material is established periodically by removing and evaluating the irradiated reactor vessel

material specimens, in accordance with ASTME185 (Ref.3) and AppendixH of 10CFR50 (Ref.4). The operating P/T limit curves are adjusted, as necessary, based on the evaluation findings and the recommendations of Regulatory Guide1.99 (Ref.5).

North Anna Units 1 and 2B 3.4.3-2Revision 0 RCS P/T Limits B 3.4.3BASESThe P/T limit curves are calculated using the most limiting value of RTNDT corresponding to the limiting beltline region material for the reactor vessel.The heatup curve represents a differ ent set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gr adient reversal alters the location of the tensile stress between the outer and inner walls.

The consequence of violating the LCO limits is that the RCS has been operated under conditions that can resu lt in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components. The ASME Code, SectionXI, AppendixE (Ref.6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.APPLICABLE SAFETY ANALYSESThe P/T limits are not derived fr om Design Basis Accident (DBA) analyses. They are prescribed during normal operation to avoid

encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause

nonductile failure of the RCPB, an un analyzed condition. Although the P/T limits are not derived from any DBA, the P/T limits are acceptance limits since they preclude operation in an unanalyzed condition.

RCS P/T limits satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).

RCS P/T Limits B 3.4.3BASESNorth Anna Units 1 and 2B 3.4.3-3Revision 20 LCOThe two elements of this LCO are:a.The limit curves for heatup, c ooldown, and ISLH testing; andb.Limits on the rate of change of temperature.The LCO limits apply to all components of the RCS, except the pressurizer.

These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.

The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and ISLH testing P/

T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.

The reactor vessel beltline is the most limiting region of the reactor vessel for the determination of P/T limit curves. The P/T curves include a correction for the difference between the pressure at the point of

measurement (hot leg or pressurizer) and the reactor vessel beltline. The P/T limits include instrument uncertain ties for pressure and temperature.Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components.

The consequences depend on se veral factors, as follow:a.The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;b.The length of time the limits were violated (longer violations allow the temperature gradient in the thic k vessel walls to become more pronounced); andc.The existences, sizes, and orientati ons of flaws in the vessel material.

North Anna Units 1 and 2B 3.4.3-4Revision 0 RCS P/T Limits B 3.4.3BASESAPPLICABILITYThe RCS P/T li mits LCO provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10CFR50, AppendixG (Ref.1). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES3, 4, and5) or ISLH testing, their Applicab ility is at all times in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.During MODES1 and2, other Technical Specifications pr ovide limits for operation that can be more restrictiv e than or can supplement these P/T limits. LCO3.4.1, "RCS Pressure, Temper ature, and Flow Departure from Nucleate Boiling (DNB) Limits"; LCO3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit2.1, "Safety Limits," also provide operational restrictions for pressure and temper ature and maximum pressure. Furthermore, MODES1 and2 are above the temperature range of concern for nonductile failure, and stress analyses have be en performed for normal maneuvering profiles, such as power ascension or descent.ACTIONSA.1 and A.2Operation outside the P/T limits during MODE1, 2, 3, or4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.The 30minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.Besides restoring operation within li mits, an evaluation is required to determine if RCS operation can conti nue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Seve ral methods may be us ed, including comparison with pre-analyzed transients in th e stress analyses, new analyses, or inspection of the components.

ASME Code, SectionXI, AppendixE (Ref.6), may be us ed to support the evaluation. However, its use is rest ricted to evaluation of the vessel beltline.

(continued)

RCS P/T Limits B 3.4.3BASESNorth Anna Units 1 and 2B 3.4.3-5Revision 0ACTIONSA.1 and A.2 (continued)The 72hour Completion Time is reas onable to accomplish the evaluation.

The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation mu st be completed before continuing to operate.ConditionA is modified by a Note requiring Required ActionA.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required ActionA.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

B.1 and B.2 If a Required Action and associated Completion Time of ConditionA are not met, the unit must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced

pressure and temperature. In reduced pressure and temperature conditions,

the possibility of propagation with undetected flaws is decreased.If the required restoration activity cannot be accomplished within 30minutes, Required ActionB.1 and Required ActionB.2 must be implemented to reduce pr essure and temperature.

If the required evaluation for continued operation cannot be accomplished within 72hours or the results are inde terminate or unfavor able, action must proceed to reduce pressure and temperature as specified in Required ActionB.1 and Required ActionB.2. A favorable evaluation must be

completed and documented before re turning to operating pressure and

temperature conditions.

Pressure and temperature are reduced by bringing the unit to MODE3 within 6hours and to MODE5 with RCS pressure <500psig within 36hours.(continued)

North Anna Units 1 and 2B 3.4.3-6Revision 0 RCS P/T Limits B 3.4.3BASESACTIONSB.1 and B.2 (continued)The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.

C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than when in MODE1, 2, 3, or4, so that the RCPB

is returned to a condition that has been verified by stress analysis.The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within li mits, an evaluation is required to determine if RCS operation can continue. The evalua tion must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE4. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, or inspection of the components.ASME Code, SectionXI, AppendixE (Ref.6), may be us ed to support the evaluation. However, its use is rest ricted to evaluation of the vessel beltline.

ConditionC is modified by a Note requiring Required ActionC.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required ActionC.1 is insufficient because higher than analyzed stresse s may have occurred and may have affected the RCPB integrity.

RCS P/T Limits B 3.4.3BASESNorth Anna Units 1 and 2B 3.4.3-7Revision 46SURVEILLANCE REQUIREMENT

SSR3.4.3.1Verification that operation is within li mits is required when RCS pressure and temperature conditions are undergoing planned changes. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant unit procedure for ending the activity is satisfied.

This SR is modified by a Note that onl y requires this SR to be performed during system heatup, cooldown, and IS LH testing. No SR is given for criticality operations because LCO 3.4.2 contains a more restrictive requirement.REFERENCES1.10CFR50, AppendixG.2.ASME, Boiler and Pressure Vessel Code, SectionIII,AppendixG.3.ASTM E185.

4.10CFR50, AppendixH.

5.Regulatory Guide1.99, Revision2, May1988.

6.ASME, Boiler and Pressure Vessel Code, SectionXI,AppendixE.

Intentionally Blank North Anna Units 1 and 2B 3.4.4-1Revision 0 RCS Loops-MODES 1 and 2 B 3.4.4B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.4RCS Loops-MODES1 and2BASESBACKGROUNDThe primary function of the RCS is removal of the heat generated in the fuel due to the fission process, and transfer of this heat, via the steam generators (SGs), to the secondary plant.

The secondary functions of the RCS include:a.Moderating the neutron energy level to the thermal state, to increase the probability of fission;b.Improving the neutron economy by acting as a reflector;c.Carrying the soluble neutron poison, boric acid;d.Providing a second barrier agains t fission product release to the environment; ande.Removing the heat generated in the fuel due to fission product decay following a unit shutdown.

The reactor coolant is circulated through three loops connected in parallel to the reactor vessel, each containing an SG, a reac tor coolant pump (RCP),

and appropriate flow and temperature instrumentation for both control and protection. The reactor vessel contains the clad fuel. The SGs provide the heat sink to the isolated secondary c oolant. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage. This forced circulati on of the reactor coolant ensures mixing of the coolant for proper boration and chemistry control.APPLICABLE SAFETY ANALYSESSafety analyses contain various assumptions for the design bases accident

initial conditions includi ng RCS pressure, RCS temp erature, reactor power level, core parameters, and safety system setpoints. The important aspect for this LCO is the reactor coolant forc ed flow rate, which is represented by the number of RCS loops in service.

(continued)APPLICABLE SAFETY ANALYSES(continued)Both transient and steady state analyses have been performed to establish the effect of flow on the departur e from nucleate boiling (DNB). The transient and accident analyses for the unit have been performed assuming three RCS loops are in operation. The ma jority of the unit safety analyses are based on initial conditions at high core power or zero power. The North Anna Units 1 and 2B 3.4.4-2Revision 28 RCS Loops-MODES 1 and 2 B 3.4.4BASESaccident analyses that are most important to RCP operation are the complete loss of forced reactor flow

, single reactor coolant pump locked rotor, partial loss of forced reactor flow, and rod withdrawal events (Ref.1).The DNB analyses assume normal thre e loop operation. Uncertainties in key unit operating parameters, nuclear and thermal para meters, and fuel fabrication parameters are considered statistically such that there is at least a 95 percent probability that DNB wi ll not occur for the limiting power rod.

Key unit parameter uncertainties are us ed to determine the unit departure from nucleate boiling ratio (DNBR) uncertainty. This DNBR uncertainty, combined with the DNBR limit, establishes a design DNBR value which must be met in unit safety analyses and is used to determine the pressure

and temperature Safety Limit (SL). Si nce the parameter uncertainties are considered in determining the design DNBR value, the unit safety analyses are performed using values of input parameters without uncertainties.

Therefore, nominal operating values for reactor coolant flow are used in the accident analyses.

The unit is designed to operate with all RCS loops in operation to maintain DNBR above the limit during all nor mal operations and anticipated transients. By ensuring heat transfer in the nucleate boiling region,

adequate heat transfer is provided be tween the fuel cladding and the reactor coolant.RCS Loops-MODES1 and2 satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThe purpose of this LCO is to require an adequate forced flow rate for core heat removal. Flow is represented by the number of RCPs in operation for removal of heat by the SGs. To meet safety analysis acceptance criteria for DNBR, three pumps are required at rated power.

An OPERABLE RCS loop consists of an OPERABLE RCP in operation providing forced flow for heat transport and an OPERABLE SG.APPLICABILITYIn MODES1 and2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in ope ration in these MODES to prevent DNB and core damage.

The decay heat production rate is much lower than the full power heat rate.

As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical MODES as indicated by the LCOs for MODES3, 4, and5.

RCS Loops-MODES 1 and 2 B 3.4.4BASESNorth Anna Units 1 and 2B 3.4.4-3Revision 0 Operation in other MODES is covered by:LCO3.4.5, "RCS Loops-MODE3";LCO3.4.6, "RCS Loops-MODE4";

LCO3.4.7, "RCS Loops-MODE5, Loops Filled";

LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled";

LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).ACTIONSA.1 If the requirements of the LCO are not met, the Required Action is to reduce power and bring the unit to MODE3. This lowers power level and

thus reduces the core heat removal ne eds and minimizes the possibility of violating DNBR limits.The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from fu ll power conditions in an orderly manner and without challenging safety systems.SURVEILLANCE REQUIREMENT

SSR3.4.4.1 This SR requires verification that each RCS loop is in operation. Verification includes flow rate, temp erature, or pump status monitoring, which help ensure that forced fl ow is providing heat removal while maintaining the margin to the DNBR limit. The Surveillance Frequency is

based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.4.4-4Revision 0 RCS Loops-MODES 1 and 2 B 3.4.4BASES North Anna Units 1 and 2B 3.4.5-1Revision 0 RCS Loops-MODE 3 B 3.4.5B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.5RCS Loops-MODE3BASESBACKGROUNDIn MODE3, the primary function of the reactor coolant is removal of decay heat and transfer of this heat

, via the steam generator (SG), to the secondary plant fluid. The secondary f unction of the reactor coolant is to act as a carrier for solubl e neutron poison, boric acid.

The reactor coolant is circulated through three RCS loops, connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protect ion, and indication. The reactor vessel contains the clad fuel. The SGs provi de the heat sink. The RCPs circulate the water through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage.In MODE3, RCPs are used to provide fo rced circulation for heat removal during heatup and cooldown. The MODE3 decay heat removal requirements are low enough that a single RCS loop with one RCP running is sufficient to remove core decay heat. However, two RCS loops are required to be OPERABLE to ensure redundant capability for decay heat removal.APPLICABLE SAFETY ANALYSESWhenever the reactor trip breakers (R TBs) are in the closed position and the control rod drive mechanisms (CRDMs) are energized, an inadvertent

rod withdrawal from subcri tical, resulting in a power excursion, is possible.

Such a transient could be caused by a malfunction of the rod control system.Therefore, in MODE3 with RTBs in the closed position and Rod Control System capable of rod withdrawal, accidental control rod withdrawal from subcritical is postulated and requi res at least one RCS loop to be OPERABLE and in operation to ensure that the accident analyses limits are met.Failure to provide decay heat removal may result in chal lenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates (continued)

North Anna Units 1 and 2B 3.4.5-2Revision 0 RCS Loops-MODE 3 B 3.4.5BASESAPPLICABLE SAFETY ANALYSES(continued) to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the in tegrity of a fission product barrier.RCS Loops-MODE3 satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe purpose of this LCO is to requi re that at least two RCS loops be OPERABLE and one of those loops be in operation. One RCS loop in operation is necessary to ensure remova l of decay heat from the core and homogenous boron concentration throughout the RCS. An additional RCS loop is required to be OPERABLE to ensure redundant capability for decay

heat removal.The Note permits all RCPs to be removed from operation for 1hour per 8hour period. The purpose of the Note is to permit pump swap operations and tests that are designed to valida te various accident analyses values.

One of these tests is validation of th e pump coastdown curve used as input to a number of accident analyses includi ng a loss of flow accident. This test is generally performed in MODE3 during the initial startup testing program, and as such should only be performed once. If, however, changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values of the coastdown curve may be revalidated by conducting the test again.

Another test that may be performed during the startup testing program is the vali dation of rod drop times during cold conditions, both with and without flow.

The no flow test may be performed in MODE3, 4, or5 and requires that the pumps be stopped for a short period of time. The Note permits the stopping of the pumps in order to pe rform this test and validate the assumed analysis values. As with the validation of the pump coastdown curve, this test should be performed only once unless the flow

characteristics of the RCS are changed. The 1hour time period specified is adequate to perform the pump swap or the desired tests, and operating

experience has shown that boron stratification is not a problem during this short period with no forced flow.

(continued)

RCS Loops-MODE 3 B 3.4.5BASESNorth Anna Units 1 and 2B 3.4.5-3Revision 28 LCO(continued)

Utilization of the Note is permitted provided the following conditions are met, along with any other conditions imposed by initial startup test procedures:a.No operations are permitted th at would dilute the RCS boron concentration with coolant at boron concentrations less than required to ensure the SDM of LCO3.1.1, thereby maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less

than required to assure the SDM is maintained is prohibited because a uniform concentration distribut ion throughout the RCS cannot be ensured when in natural circulation; andb.Core outlet temperature is maintained at least 10F below saturation temperature, so that no vapor bubbl e may form and possibly cause a natural circulation flow obstruction.

An OPERABLE RCS loop consists of one OPERABLE RCP and one OPERABLE SG, which has the minimum water level specified in SR3.4.5.2. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.APPLICABILITYIn MODE3, this LCO ensures forc ed circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing.

Operation in other MODES is covered by:LCO3.4.4, "RCS Loops-MODES1 and 2";LCO3.4.6, "RCS Loops-MODE4";

LCO3.4.7, "RCS Loops-MODE5, Loops Filled";

LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled";

LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).ACTIONSA.1 If one required RCS loop is inoperabl e, redundancy for heat removal is lost. The Required Action is restor ation of the required RCS loop to OPERABLE status within the Completion (continued)

North Anna Units 1 and 2B 3.4.5-4Revision 28 RCS Loops-MODE 3 B 3.4.5BASESACTIONSA.1 (continued)Time of 72hours. This time allowance is a justified peri od to be without the redundant, nonoperating loop because a single loop in operation has a heat transfer capability greater than that needed to remove the decay heat

produced in the reactor core and because of the low probability of a failure in the remaining loop occu rring during this period.

B.1If restoration is not possible within 72hours, the unit must be brought to MODE4. In MODE4, the unit may be placed on the Residual Heat

Removal System. The additional Completion Time of 12hours is compatible with required operations to achieve cooldown and

depressurization from the existing unit conditions in an orderly manner and without challenging unit systems.

C.1, C.2, and C.3If two required RCS loops are inoperable or a required RCS loop is not in operation, except as during conditions permitted by the Note in the LCO section, place the Rod Control System in a condition incapable of rod withdrawal (e.g., all CRDMs must be de-energized by opening the RTBs or de-energizing the MG sets). All operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO3.1.1 must be suspended, and action to restore one of the RCS loops to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing, and opening the RTBs or de-energizing the MG sets removes the possibility of an inadvertent rod withdrawal. Suspen ding the introduction of coolant into

the RCS of coolant with boron concentr ation less than requi red to meet the minimum SDM of LCO3.1.1 is require d to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.

RCS Loops-MODE 3 B 3.4.5BASESNorth Anna Units 1 and 2B 3.4.5-5Revision 46SURVEILLANCE REQUIREMENT

SSR3.4.5.1 This SR requires verification that the required loops are in operation. Verification includes flow rate, temp erature, and pump status monitoring, which help ensure that forced fl ow is providing heat removal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.5.2SR3.4.5.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side narrow range water level is 17% for required RCS loops. If the SG secondary side narrow range water level is <

17%, the tubes may become uncovered and the associated loop may not be ca pable of providing the heat sink for removal of the decay heat. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.5.3Verification that the required RCP is OPERABLE ensures that safety analyses limits are met. The requireme nt also ensures that an additional RCP can be placed in ope ration, if needed, to main tain decay heat removal and reactor coolant circulation. Veri fication is performed by verifying proper breaker alignment and power availability to the required RCP. The

Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the SR is not required to be performed until 24hours after a re quired pump is not in operation.REFERENCESNone.

Intentionally Blank North Anna Units 1 and 2B 3.4.6-1Revision 0 RCS Loops-MODE 4 B 3.4.6B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.6RCS Loops-MODE4BASESBACKGROUNDIn MODE4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam generator (SG) secondary side coolant or the compone nt cooling water via the residual heat removal (RHR) heat exchange rs. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through three RCS loops connected in parallel to the reactor vessel, each loop containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protecti on, and indication. The RCPs circulate

the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and to prevent boric acid stratification.In MODE4, either RCPs or RHR loops can be used to provide forced circulation. The intent of this LCO is to provide forced flow from at least one RCP or one RHR loop for decay heat removal and transport. The flow provided by one RCP loop or RHR l oop is adequate for decay heat removal. The other intent of this LC O is to require that two paths be OPERABLE to provide redundancy for decay heat removal.APPLICABLE SAFETY ANALYSESIn MODE4, RCS circulation is considered in the determination of the time available for mitigation of the accide ntal boron dilution event. The RCS and RHR loops provide this circulation.RCS Loops-MODE4 satisfies Criterion 4 of 10CFR 50.36(c)(2)(ii).LCOThe purpose of this LCO is to require that at least two loops be OPERABLE in MODE4 and that one of these loops be in operation. The

LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS loops and RHR loops. Any one loop in operation

provides enough flow to (continued)

North Anna Units 1 and 2B 3.4.6-2Revision 0 RCS Loops-MODE 4 B 3.4.6BASESLCO(continued) remove the decay heat from the core with forced circulation. An additional loop is required to be OPERABLE to provide redundancy for heat removal.Note1 permits all RCPs or RHR pumps to be removed from operation for 1hour per 8hour period. The purpose of the Note is to permit pump swap operations and tests that are de signed to validate various accident analyses values. One of the tests which may be performed during the startup testing program is the vali dation of rod drop times during cold conditions, both with and without flow.

The no flow test may be performed in MODE3, 4, or5 and requires that the pumps be stopped for a short

period of time. The Note permits th e stopping of the pumps in order to perform this test and validate the assu med analysis values. If changes are made to the RCS that would cause a ch ange to the flow characteristics of the RCS, the input values may be re validated by conducting the test again. The 1hour time period is adequate to perform the pump swap or test, and operating experience has shown that bor on stratification is not a problem during this short period with no forced flow.Utilization of Note1 is permitted provided the following conditions are met along with any other conditions imposed by initial startup test procedures:a.No operations are permitted that would dilute the RCS boron concentration with coolan t at boron concentrations less than required to meet the SDM of LCO3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less

than required to assure the SDM is maintained is prohibited because a uniform concentration distribut ion throughout the RCS cannot be ensured when in natural circulation; andb.Core outlet temperature is maintained at least 10F below saturation temperature, so that no vapor bubbl e may form and possibly cause a natural circulation flow obstruction.Note2 requires that the secondary side water temperature of each SG be 50F above each of the RCS cold leg te mperatures before the start of an RCP with any RCS cold leg temperature (continued)

RCS Loops-MODE 4 B 3.4.6BASESNorth Anna Units 1 and 2B 3.4.6-3Revision 28 LCO(continued)280F. This restraint is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started.

An OPERABLE RCS loop is comprised of an OPERABLE RCP and an OPERABLE SG, which has the minimum water level specified in SR3.4.6.2.

Similarly for the RHR System, an OP ERABLE RHR loop is comprised of an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger. RCPs and RHR pumps are

OPERABLE if they are capable of be ing powered and are able to provide forced flow if required.APPLICABILITYIn MODE4, this LCO ensures forc ed circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing. One loop of either RCS or RHR provides sufficient circulation for these purposes. However, two loops consisting of any combination of RCS and RHR loops are required to be OPERABLE to provide redundancy for heat

removal.Operation in other MODES is covered by:

LCO3.4.4, "RCS Loops-MODES1 and2";LCO3.4.5, "RCS Loops-MODE3";

LCO3.4.7, "RCS Loops-MODE5, Loops Filled";

LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled";

LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).ACTIONSA.1 If one required loop is inoperable, redundancy for heat removal is lost.

Action must be initia ted to restore a second RCS or RHR loop to OPERABLE status. The immediate Completion Time reflects the importance of maintaining the availabi lity of two paths for heat removal.

North Anna Units 1 and 2B 3.4.6-4Revision 0 RCS Loops-MODE 4 B 3.4.6BASESACTIONS(continued)

A.2If restoration is not accomplished and an RHR loop is OPERABLE, the unit must be brought to MODE5 within 24hours. Bringing the unit to MODE5 is a conservative action with regard to decay heat removal. With only one RHR loop OPERABLE, redundanc y for decay heat removal is lost and, in the event of a loss of the remaining RHR loop, it would be safer to initiate that loss from MODE5 rather than MODE4. The Completion Time of 24hours is a reasonable time

, based on operating experience, to reach MODE5 from MODE4 in an orderly manner and without challenging unit systems.

This Required Action is modified by a Note which indicates that the unit must be placed in MODE 5 only if an RHR loop is OPERABLE. With no RHR loop OPERABLE, the unit is in a condition with only limited cooldown capabilities. Therefore, the ac tions are to be concentrated on the restoration of an RHR loop, rather th an a cooldown of extended duration.

B.1 and B.2 If two required loops are inoperable or a required loop is not in operation, except during conditions permitted by Note1 in the LCO section, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO3.1.1 must be suspended and action to restore one RCS or RHR loop to OPERABLE status and operation must be initiated. The required margin to criticality must not be reduced in th is type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however

coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Times reflect the importance of maintaining operation for

decay heat removal. The action to restore must be continued until one loop is restored to OPERAB LE status and operation.

RCS Loops-MODE 4 B 3.4.6BASESNorth Anna Units 1 and 2B 3.4.6-5Revision 46SURVEILLANCE REQUIREMENT

SSR3.4.6.1 This SR requires verification that the required RCS or RHR loop is in operation. Verification includes flow rate, temperature, or pump status

monitoring, which help ensure that fo rced flow is providing heat removal.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.6.2SR3.4.6.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side narrow range water level is 17%. If the SG secondary side narrow range water level is <17%, the tubes may become uncovered and the associated loop may not be capable of providing the heat sink necessary for removal of

decay heat. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.SR3.4.6.3Verification that the required pump is OPERABLE ensures that an additional RCS or RHR pump can be pl aced in operation, if needed, to maintain decay heat rem oval and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pump. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the SR is not required to be performed until 24hours after a re quired pump is not in operation.REFERENCESNone.

Intentionally Blank North Anna Units 1 and 2B 3.4.7-1Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.7RCS Loops-MODE5, Loops FilledBASESBACKGROUNDIn MODE5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer this heat either to the steam generator (SG) sec ondary side coolant via na tural circulation (Ref. 1) or the component cooling water via the residual heat removal (RHR) heat exchangers. While the principal means for decay heat removal is via

the RHR System, the SGs via natural circulation (Ref.1) ar e specified as a backup means for redundancy. Even though the SGs cannot produce steam in this MODE, they are capable of being a heat sink due to their large contained volume of secondary water.

As long as the SG secondary side water is at a lower temperature than th e reactor coolant, heat transfer will occur. The rate of heat transfer is directly proportional to the temperature difference. The secondary function of the reactor coolant is to act as a

carrier for soluble ne utron poison, boric acid.In MODE5 with RCS loops filled, th e reactor coolant is circulated by means of two RHR loops connected to the RCS, each loop containing an RHR heat exchanger, an RHR pump, a nd appropriate flow and temperature

instrumentation for control, prot ection, and indication. One RHR pump circulates the water through the RCS at a sufficient rate to prevent boric acid stratification.

The number of loops in operation can vary to suit the operational needs.

The intent of this LCO is to provide forced flow from at least one RHR loop for decay heat removal and tran sport. The flow provided by one RHR loop is adequate for decay heat removal. The other in tent of this LCO is to require that a second path be availa ble to provide redundancy for heat removal.The LCO provides for redundant paths of decay heat removal capability.

The first path can be an RHR l oop that must be OPERABLE and in operation. The second path can be another OPERABLE RHR loop or maintaining a SG with secondary side water level of at least 17% using narrow range instrumentation to provide an alternate method for decay heat removal via natural circulation (Ref. 1).APPLICABLE SAFETY ANALYSESIn MODE5, RCS circulation is considered in the determination of the time available for mitigation of the accide ntal boron dilution event. The RHR loops provide this circulation.RCS Loops-MODE5 (Loops Filled

) satisfies Criterion 4 of 10CFR50.36(c)(2)(ii).

North Anna Units 1 and 2B 3.4.7-2Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7BASESLCOThe purpose of this LCO is to require that at least one of the RHR loops be OPERABLE and in operation with an additional RHR loop OPERABLE or a SG with secondary side water level 17% using narrow range instrumentation and the associated loop isolation valves open. One RHR loop provides sufficient forced circulation to perform the safety functions of the reactor coolant under these c onditions. An additi onal RHR loop is required to be OPERABLE to provi de redundancy for heat removal. However, if the standby RHR loop is not OPERABLE, an acceptable

alternate method is a SG with its secondary side water level 17% using narrow range instrumentation. Shoul d the operating RHR loop fail, the SG could be used to remove the decay heat via natural circulation.Note1 permits all RHR pumps to be removed from operation 1hour per 8hour period. The purpose of the Note is to permit pump swap operations and tests designed to validate various accident analyses values. One of the

tests performed during the startup test ing program is the validation of rod

drop times during cold conditions, both with and without flow. The no flow test may be performed in MODE3, 4, or5 and requires that the pumps be stopped for a short period of time. Th e Note permits stopping of the pumps in order to perform this test and vali date the assumed analysis values. If changes are made to the RCS that would cause a change to the flow

characteristics of the RCS, the input values must be revalidated by conducting the test again. The 1hour ti me period is adequate to perform the pump swap or test, and operati ng experience has shown that boron stratification is not likely during this short period with no forced flow.

(continued)

RCS Loops-MODE 5, Loops Filled B 3.4.7BASESNorth Anna Units 1 and 2B 3.4.7-3Revision 28 LCO(continued)Utilization of Note1 is permitted provided the following conditions are met, along with any other conditions imposed by initial startup test procedures:a.No operations are permitted th at would dilute the RCS boron concentration with coolant at boron concentrations less than required to meet the SDM of LCO3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure the SDM is maintained is prohibited because a uniform concentration distribut ion throughout the RCS cannot be ensured when in natural circulation; andb.Core outlet temperature is maintained at least 10F below saturation temperature, so that no vapor bubbl e may form and possibly cause a natural circulation flow obstruction.Note2 allows one RHR loop to be inoperable for a period of up to 2hours, provided that the other RHR loop is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable loop during the only time when such testing is safe and possible.Note3 requires that the secondary side water temperature of each SG be 50F above each of the RCS cold leg te mperatures before the start of a reactor coolant pump (RCP) with an RCS cold leg temperature 280F. This restriction is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started.Note4 provides for an orderly transition from MODE5 to MODE4 during a planned heatup by permitting rem oval of RHR loops from operation when at least one RCS loop is in ope ration. This Note provides for the transition to MODE4 where an RCS l oop is permitted to be in operation and replaces the RCS ci rculation function provide d by the RHR loops with circulation provided by an RCP.

RHR pumps are OPERABLE if they ar e capable of being powered and are able to provide flow if required. A SG can perform as a heat sink via natural circulation when it has an adequate water level and is OPERABLE.

North Anna Units 1 and 2B 3.4.7-4Revision 0 RCS Loops-MODE 5, Loops Filled B 3.4.7BASESAPPLICABILITYIn MODE5 with the unisolated portion of the RCS loops filled, this LCO requires forced circulation of the reactor coolant to remove decay heat from the core and to provide pr oper boron mixing. One loop of RHR provides sufficient circulation for th ese purposes. However, one additional RHR loop is required to be OPERABLE, or the secondary side water level of at least one SG is required to be 17% with the associated loop isolation valves open.

Operation in other MODES is covered by:

LCO3.4.4, "RCS Loops-MODES1 and2";LCO3.4.5, "RCS Loops-MODE3";

LCO3.4.6, "RCS Loops-MODE4";

LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled";

LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).

If all RCS loops are isolated, an SG cannot be used for decay heat removal and RCS water inventory is substantially reduced. In this circumstance, LCO3.4.8 applies.ACTIONSA.1, A.2, B.1, andB.2 If one RHR loop is OPERABLE and th e required SG has secondary side water level <17%, redundancy for heat removal is lost. Action must be

initiated immediately to restore a second RHR l oop to OPERABLE status or to restore the required SG secondary side water level. Either Required Action will restore redundant heat removal paths. The immediate Completion Time reflects the importan ce of maintaining the availability of two paths for heat removal.

C.1 and C.2 If a required RHR loop is not in operation, except during conditions permitted by Note1 and Note4, or if no required RHR loop is OPERABLE, all operations involving intr oduction of coolant into the RCS with boron concentration less than re quired to meet the minimum SDM of LCO3.1.1 must be suspended and act ion to restore one RHR loop to OPERABLE status and operation must be initiated. Suspending the

introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of (continued)

RCS Loops-MODE 5, Loops Filled B 3.4.7BASESNorth Anna Units 1 and 2B 3.4.7-5Revision 46ACTIONSC.1 and C.2 (continued)LCO3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmi xed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Times reflect the importance of maintaining operation for heat removal.SURVEILLANCE

REQUIREMENT

SSR3.4.7.1 This SR requires verification that the required loop is in operation. Verification includes flow rate, temp erature, or pump status monitoring, which help ensure that forced fl ow is providing heat removal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.7.2Verifying that at least one SG is OPERABLE by ensuring its secondary side narrow range water level is 17% ensures an alternate decay heat removal method via natural circulati on in the event that the second RHR loop is not OPERABLE. If both RHR loops are OPERABLE, this Surveillance is not needed. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.7.3Verification that the required RHR pump is OPERABLE ensures that an additional pump can be placed in opera tion, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment a nd power available to the required RHR pump. If secondary side water level is 17% in at least one SG, this Surveillance is not needed. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the SR is not required to be performed until 24hours after a re quired pump is not in operation.REFERENCES1. NRC Information Notice 95-35, Degraded Ability of Steam Generators to Remove Decay Heat by Natural Circulation.

Intentionally Blank North Anna Units 1 and 2B 3.4.8-1Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.8RCS Loops-MODE5, Loops Not FilledBASESBACKGROUNDIn MODE5 with the RCS loops not filled, the primary function of the reactor coolant is the removal of decay heat generated in the fuel, and the transfer of this heat to the componen t cooling water via the residual heat removal (RHR) heat exchangers. The steam generators (SGs) are not available as a heat sink when the loops are not filled. The secondary function of the reactor coolant is to act as a carrier for the soluble neutron poison, boric acid.In MODE5 with loops not filled, only RHR pumps ca n be used for coolant circulation. The number of pumps in operation can vary to suit the operational needs. The intent of this LC O is to provide forced flow from at least one RHR pump for decay heat re moval and transport and to require that two paths be available to provide redundancy for heat removal.APPLICABLE SAFETY ANALYSESIn MODE5, RCS circulation is considered in the determination of the time available for mitigation of the accide ntal boron dilution event. The RHR loops provide this circulation. Th e flow provided by one RHR loop is adequate for heat removal and for boron mixing.RCS loops in MODE5 (loops not f illed) satisfies Criterion 4 of 10CFR50.36(c)(2)(ii).

LCOThe purpose of this LCO is to require that at least two RHR loops be OPERABLE and one of these loops be in operation. An OPERABLE loop is one that has the capability of transf erring heat from the reactor coolant at a controlled rate. Heat cannot be removed via the RHR System unless forced flow is used. A minimum of one running RHR pump meets the LCO requirement for one loop in operation.

An additional RHR loop is required to be OPERABLE to provide redundancy for heat removal.Note1 permits all RHR pumps to be removed from operation for 15minutes when switching from one loop to another.

The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and core outlet (continued)

North Anna Units 1 and 2B 3.4.8-2Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8BASESLCO(continued) temperature is maintained > 10F below saturation temperature. The Note prohibits boron dilution with coolant at boron concentrations less than required to assure the SDM of LCO3.1.1 is maintained or draining operations when RHR forced flow is stopped.Note2 allows one RHR loop to be inoperable for a period of 2hours, provided that the other loop is OPER ABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable loop during the only time when these tests are safe and possible.

An OPERABLE RHR loop is compri sed of an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger.

RHR pumps are OPERABLE if they are capable of being powered and are able to provide flow if required.APPLICABILITYIn MODE5 with the unisolated portion of the loops not filled, this LCO requires core heat removal and coolant circulation by the RHR System.

Operation in other MODES is covered by:LCO3.4.4, "RCS Loops-MODES1 and2";LCO3.4.5, "RCS Loops-MODE3";

LCO3.4.6, "RCS Loops-MODE4";

LCO3.4.7, "RCS Loops-MODE5, Loops Filled";

LCO3.9.5, "Residual Heat Re moval (RHR) and CoolantCirculation-High Water Level" (MODE6); andLCO3.9.6, "Residual Heat Re moval (RHR) and CoolantCirculation-Low Water Level" (MODE6).

If all RCS loops are isolated, the RCS water inventory is substantially

reduced. In this circumstance, LCO3.4.8 applies whether or not the isolated loops are filled.ACTIONSA.1 If one required RHR loop is inopera ble, redundancy for RHR is lost. Action must be initiated to restore a second loop to OPERABLE status.

The immediate Completion Time reflects the importance of maintaining the availability of two paths for heat removal.

RCS Loops-MODE 5, Loops Not Filled B 3.4.8BASESNorth Anna Units 1 and 2B 3.4.8-3Revision 46ACTIONS(continued)

B.1 and B.2 If no required loop is OPERABLE or th e required loop is not in operation, except during conditions permitted by Note1, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO3.1.1 must be suspended and action must be initiated immediately to restore an RHR loop to OPERABLE status and operation. The required margin to criticality must not be reduced in this type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO3.1.1 is required to assure continued safe operation. With coolant added wi thout forced circulation, unmixed coolant could be introduced to the core, however c oolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal.

The action to restore must continue until one loop is restored to OPERABLE status and

operation.SURVEILLANCE

REQUIREMENT

SSR 3.4.8.1 This SR requires verification that the required loop is in operation. Verification includes flow rate, temp erature, or pump status monitoring, which help ensure that forced fl ow is providing heat removal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.4.8.2Verification that the required pump is OPERABLE ensures that an additional pump can be placed in opera tion, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment a nd power available to the required pump. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the SR is not required to be performed until 24hours after a re quired pump is not in operation.

North Anna Units 1 and 2B 3.4.8-4Revision 0 RCS Loops-MODE 5, Loops Not Filled B 3.4.8BASESREFERENCESNone.

North Anna Units 1 and 2B 3.4.9-1Revision 0 Pressurizer B 3.4.9B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.9PressurizerBASESBACKGROUNDThe pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under satu rated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Key functions include maintaining require d primary system pressure during steady state operation, and limiting the pr essure changes caused by reactor coolant thermal expansion and contraction during normal load transients.The pressure control components addressed by this LCO include the pressurizer water level, the require d heaters, and their controls and emergency power supplies. Pressurizer safety valves and pressurizer power

operated relief valves are addressed by LCO3.4.10, "Pressurizer Safety Valves," and LCO3.4.11, "Pressurizer Power Operated Relief Valves (PORVs)," respectively.

The intent of the LCO is to ensure that a steam bubble exists in the pressurizer prior to power operation to minimize the consequences of

potential overpressure transients.

The presence of a steam bubble is consistent with analytical assump tions. Relatively small amounts of noncondensible gases can inhibit the condensation heat transfer between the pressurizer spray and the steam, and diminish the spray effectiveness for pressure control.Electrical immersion heaters, located in the lower section of the pressurizer vessel, keep the water in the pressu rizer at saturation temperature and maintain a constant operating pressure. There are 5 groups of pressurizer heaters. Groups 1, 2, 4, and 5 are ba ckup heaters. Group 3 consists of proportional heaters. Groups 1 and 4 are powered from the emergency

busses and are governed by this Specification. A minimum required available capacity of pressurizer heater s ensures that the RCS pressure can be maintained. The capability to mainta in and control system pressure is important for maintaining subcooled conditions in the RCS and ensuring the capability to remove core decay heat by either forced or natural circulation of reactor coolant. Unless ad equate heater capacity is available,

the hot, high pressure condition cannot be maintained indefinitely and (continued)

North Anna Units 1 and 2B 3.4.9-2Revision 0 Pressurizer B 3.4.9BASESBACKGROUND (continued) still provide the required subcooling margin in the primary system. Inability to control the system pressure and maintain subcooling under conditions of natural circul ation flow in the primary system could lead to a loss of single phase natural circulati on and decreased capability to remove core decay heat.APPLICABLE SAFETY ANALYSESIn MODES1, 2, and3, the LCO re quirement for a steam bubble is

reflected implicitly in the accident an alyses. Safety analyses performed for lower MODES are not limiting. All analyses performed from a critical reactor condition assume the existe nce of a steam bubble and saturated conditions in the pressurizer. In ma king this assumption, the analyses neglect the small fraction of nonc ondensible gases normally present.Safety analyses presented in the U FSAR (Ref. 1) do not take credit for pressurizer heater operation unless their operation would increase the severity of the event; however, an im plicit initial condition assumption of the safety analyses is that the pressure control system is maintaining RCS pressure in the normal operating range.The maximum pressurizer water level limit, which ensures that a steam bubble exists in the pressurizer, satisfies Criterion2 of 10CFR50.36(c)(2)(ii). Although the heat ers are not specifically used in accident analysis, the need to mainta in subcooling in th e long term during loss of offsite power, as indicated in NUREG-0737 (Ref.2), is the reason for providing an LCO.

LCOThe LCO requirement for the pressurizer to be OPERABLE with a water volume 1240 cubic feet, which is equivalent to 93%, ensures that a steam bubble exists. Limiting the LCO maximum operating water level

preserves the steam space for pres sure control. The LCO has been established to ensure the capability to establish and maintain pressure control for steady state operation a nd to minimize the consequences of potential overpressure tran sients. Requiring the pres ence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity 125kW, capable of being powered from an emergency bus. The two heater groups are designated as (continued)

Pressurizer B 3.4.9BASESNorth Anna Units 1 and 2B 3.4.9-3Revision 0 LCO(continued)

Group 1 and Group 4. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insu lation. By maintaining the pressure

near the operating conditions, a wide margin to subcooling can be obtained in the loops. The exact design value of 125kW is derived from the use of seven heaters rated at 17.9kW each. The amount needed to maintain

pressure is dependent on the heat losses.APPLICABILITYThe need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature, resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, applicability has been designated for MODES1 and2. The applicability is also provided for MODE3. The purpose is to prevent solid water RCS operation during

heatup and cooldown to avoid rapid pressure rises caused by normal

operational perturbation, such as reactor coolant pump startup.In MODES1, 2, and3, there is need to maintain the availability of pressurizer heaters, capable of being powered from an emergency bus. In the event of a loss of offsite power, the initial conditions of these MODES give the greatest demand for maintaining the RCS in a hot pressurized

condition with loop subcooling for an extended period. Fo r MODE 4, 5, or 6, the need for pressurizer heaters supplied from an emergency bus to maintain pressure control is reduced because core heat is reduced, and has a correspondingly lower effect on pre ssurizer level and RCS pressure control. In addition, other mechanisms, such as the Residual Heat Removal (RHR) System and the Power Operated Relief Valves (PORVs) are

available to control RCS temperature and pressure should normal offsite power be lost.ACTIONSA.1, A.2, A.3 and A.4Pressurizer water level control malfunc tions or other unit evolutions may result in a pressurizer water level a bove the nominal upper limit, even with the unit at steady state conditions. Normal ly the unit will trip in this event since the upper limit of this LCO is the same as the Pressurizer Water Level-High Trip.

(continued)

North Anna Units 1 and 2B 3.4.9-4Revision 46 Pressurizer B 3.4.9BASESACTIONSA.1, A.2, A.3 and A.4 (continued)

If the pressurizer water level is not within the limit, action must be taken to bring the unit to a MODE in which the LCO does not apply. To achieve this status, within 6hours the unit must be brought to MODE3, with all rods fully inserted and incapable of withdrawal. Additionally, the unit must be brought to MODE4 within 12hours. This takes the unit out of the applicable MODES.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.

B.1If one required group of pressurizer h eaters is inoperable, restoration is required within 72hours. The Completion Time of 72hours is reasonable considering the anticipation that a demand caused by loss of offsite power would be unlikely in this period. Pr essure control may be maintained during this time using the remaining heaters.

C.1 and C.2 If one group of pressurizer heaters are inoperable and cannot be restored in the allowed Completion Time of Required ActionB.1, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR 3.4.9.1 This SR requires that during steady state operation, pressurizer level is maintained below the nom inal upper limit to provi de a minimum space for a steam bubble. The Surveillance is performed by observing the indicated level. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Pressurizer B 3.4.9BASESNorth Anna Units 1 and 2B 3.4.9-5Revision 46SURVEILLANCE REQUIREMENT

SSR 3.4.9.2 The SR is satisfied when the power supplies are demonstrated to be capable of producing the minimum power and the associated pressurizer

heaters are verified to be at thei r required rating. This may be done by testing the power supply output and by performing an electrical check on

heater element continuity and resistance. The Surveillance Frequency is

based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Chapter15.2.NUREG-0737, November1980.

Intentionally Blank North Anna Units 1 and 2B 3.4.10-1Revision 20Pressurizer Safety Valves B 3.4.10B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.10Pressurizer Safety ValvesBASESBACKGROUNDThe pressurizer safety valves provide, in conjunction with the Reactor Protection System, overpressure protec tion for the RCS. The pressurizer safety valves are totally enclosed pop type, spring loaded, self actuated valves with backpressure compensati on. The safety valves are designed to prevent the system pressure from ex ceeding the system Sa fety Limit (SL), 2735psig, which is 110% of the design pressure.

Because the safety valves are totally enclosed and self actuating, they are considered independent components. Th e relief capacity for each valve, 380,000lb/hr, is based on postulated overpressure transient conditions resulting from a complete loss of steam flow to the turbine, a locked reactor coolant pump rotor, and reactivity inse rtion due to contro l rod withdrawal.

The complete loss of steam flow is typically the limiting event. The limiting event results in the maximum surge rate into the pressurizer, which specifies the minimum relief capacity for the safety valves. The discharge

flow from the pressurizer safety valves is directed to the pressurizer relief tank. This discharge flow is indica ted by an increase in temperature downstream of the pressurizer safety valves, increase in the pressurizer relief tank temperature or level, or by the acoustic monitors located on the relief line.Overpressure protection is required in MODES1, 2, 3, 4, and5; however, in MODE4, with one or more RCS cold leg temperatures 280F, and MODE5 and MODE6 with the reactor vessel head on, overpressure

protection is provided by operating procedures and by meeting the requirements of LCO3.4.12, "Low Temp erature Overpressure Protection (LTOP) System."The safety valve pressure tolerance limit is expressed as an average value. The as-found error, expressed as a positiv e or negative percentage of each tested safety valve, is summed and divided by the number of valves tested.

This average as-found value is compared to the acceptable range of +2% to -3%. In addition, no single valve is allowed to be outside of +/-3%. The lift

setting is for the ambient conditions associated with MODES1, 2, and3. This requires (continued)

North Anna Units 1 and 2B 3.4.10-2Revision 8Pressurizer Safety Valves B 3.4.10BASESBACKGROUND (continued) either that the valves be set hot or that a correlation between hot and cold settings be established.The pressurizer safety valves are pa rt of the primary success path and mitigate the effects of postulated a ccidents. OPERABILITY of the safety valves ensures that the RCS pr essure will be limited to 110% of design pressure in accordance with ASME Code, SectionIII (Ref.1). The consequence of exceeding the ASME Code pressure limit could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses pr ior to resumption of reactor operation.APPLICABLE SAFETY ANALYSESAll accident and safety analyses in the UFSAR (Ref.2) that require safety valve actuation assume operation of three pressurizer safety valves to limit increases in RCS pressure. The overpressure protection analysis (Ref.3) is also based on operation of three safety valves. Accidents that could result in overpressurization if not properly terminated include:a.Uncontrolled rod withdrawal from full power;b.Loss of reactor coolant flow;c.Loss of external electrical load; d.Loss of normal feedwater;e.Loss of all AC power to station auxiliaries;f.Locked rotor; andg.Uncontrolled rod withdrawal from subcritical.

Description of the analyses of the above transients are contained in Reference2. Safety valve actuation is required in eventsa, c, f andg (above) to limit the pressure increase. Compliance with this LCO is consistent with the design bases a nd accident analyses assumptions.

Pressurizer safety valves satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).

Pressurizer Safety Valves B 3.4.10BASESNorth Anna Units 1 and 2B 3.4.10-3Revision 20 LCOThe three pressurizer safety valv es are set to open at the RCS design pressure (2485psig), and within the ASME specified tolerance, to avoid exceeding the maximum design pressure SL, to maintain accident analyses assumptions, and to comply with ASME requirements. The safety valve pressure tolerance limit is expressed as an average value. The as-found error, expressed as a positive or negative percentage of each tested safety

valve, is summed and divided by the num ber of valves tested. This average as-found value is compared to the acceptable range of +2% to -3%. In

addition, no single valve is allowed to be outside of +/-3%. The limit protected by this Specification is th e reactor coolant pressure boundary (RCPB) SL of 110% of design pressure. Inoperability of one or more valves could result in exceeding the SL if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, incr eased leakage, or additional stress analysis being required prior to resumption of reactor operation.APPLICABILITYIn MODES1, 2, and3, and portions of MODE4 above the LTOP enabling temperature, OPERABILITY of thr ee valves is required because the combined capacity is requi red to keep reactor coolant pressure below 110%

of its design value during certain accidents. MODE3 and portions of MODE4 are conservatively included, although the listed accidents may

not require the safety valves for protection.The LCO is not applicable in MODE4 when any RCS cold leg temperatures are 280F or in MODE5 because LTOP is provided.

Overpressure protection is not required in MODE6 with reactor vessel

head detensioned.The Note allows entry into MODES3 and4 with the lift settings outside the LCO limits. This permit s testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminar y cold setting. The cold setting gives

assurance that the valves are OPER ABLE near their de sign condition. This method of testing is not cu rrently used at North Anna

, but it is an accepted method. Only one valve at a time may be removed fr om service for testing. The 54hour exception is based on 18hour outage time for each of the three valves. The 18hour period is derived from industry experience that hot

testing can be performed in this timeframe.

North Anna Units 1 and 2B 3.4.10-4Revision 20Pressurizer Safety Valves B 3.4.10BASESACTIONSA.1With one pressurizer safety valve i noperable, restoration must take place within 15minutes. The Completion Time of 15minutes reflects the importance of maintaining the RCS Overpressure Protection System. An inoperable safety valve coincident wi th an RCS overpressure event could challenge the integrity of the pressure boundary.

B.1 and B.2 If the Required Action of A.1 ca nnot be met within the required Completion Time or if two or more pressurizer safety valves are inoperable, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status

, the unit must be brought to at least MODE3 within 6hours and to MODE4 with any RCS cold leg temperatures 280F within 24hours. The allowed Completion Times are reasonable, based on operating expe rience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems. With any RCS cold leg temp eratures at or below 280F, overpressure protection is provided by the LTOP System. The change from MODE1, 2, or3 to MODE4 reduces the RCS energy (core

power and pressure), lowers the potential for large pressurizer insurges,

and thereby removes the need fo r overpressure protection by three pressurizer safety valves.SURVEILLANCE

REQUIREMENT

SSR 3.4.10.1SRs are specified in the Inservice Testing Program. Pressurizer safety valves are to be tested in accordance with the requirements of the ASME Code (Ref.4), which provides the acti vities and Frequencies necessary to satisfy the SRs. No additiona l requirements are specified.The pressurizer safety valve lift setting given in the LCO is for OPERABILITY; however, the valves are reset to +/-1% during the Surveillance to allow for drift.REFERENCES1.ASME, Boiler and Pressure Vessel Code, SectionIII.2.UFSAR, Chapter15.3.WCAP-7769, Rev.1, June 1972.

Pressurizer Safety Valves B 3.4.10BASESNorth Anna Units 1 and 2B 3.4.10-5Revision 0REFERENCES (continued)4.ASME Code for Operation and Maintenance of Nuclear Power Plants.

Intentionally Blank North Anna Units 1 and 2B 3.4.11-1Revision 0Pressurizer PORVsB 3.4.11B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.11Pressurizer Power Operated Relief Valves (PORVs)BASESBACKGROUNDThe pressurizer is equipped with two types of devices for pressure relief: pressurizer safety valves and PORVs. The PORVs are air or nitrogen operated valves that are controlled to open at a set pressure when the pressurizer pressure increases and cl ose when the pressurizer pressure decreases. The PORVs may also be manually operated from the control room.Block valves, which are normally open, are located between the pressurizer and the PORVs. The block valves are used to isolate the PORVs in case of excessive leakage or a stuck open PORV. Block valve closure is accomplished manually using controls in the control room. A stuck open PORV is, in effect, a small break lo ss of coolant accident (LOCA). As such, block valve closure terminates the RCS depressurization and coolant inventory loss.The PORVs and their associated bl ock valves may be used by unit operators to depressurize the RCS to recover from certain transients if normal pressurizer spray is not available. Additionally, the series arrangement of the PORVs and their bl ock valves permit performance of surveillances on the valv es during power operation.The PORVs may also be used for feed and bleed core cooling in the case of

multiple equipment failure events that are not within the design basis, such as a total loss of feedwater.The PORVs, their block valves, and their controls are powered from the emergency buses that normally receive power from offsite power sources, but are also capable of being powered from emergency power sources in the event of a loss of offsite power. The PORVs are air operated valves and normally are provided motive force by the Instrument Air System. A backup, nitrogen supply for the PORVs is also available. Two PORVs and their associated block valves are power ed from two separate safety trains (Ref.1).The unit has two PORVs, each having a relief capacity of 210,000lb/hr at 2335psig. The functional design of the PORVs is based on maintaining

pressure below the Pressurizer (continued)

North Anna Units 1 and 2B 3.4.11-2Revision 0Pressurizer PORVsB 3.4.11BASESBACKGROUND (continued)

Pressure-High reactor trip setpoint following a step reduction of 50% of full load with steam dump. In addition, the PORVs mi nimize challenges to the pressurizer safety valves and also may be used for low temperature overpressure protection (LTOP). See LCO3.4.12, "Low Temperature Overpressure Protection (LTOP) System."APPLICABLE SAFETY ANALYSESUnit operators employ the PORVs to depressurize the RCS in response to

certain unit transients if normal pressurizer spray is not available. For the Steam Generator Tube Rupture (SGTR) event, the safety analysis assumes that manual operator actions are required to mitigate the event. A loss of offsite power is assume d to accompany the event, and thus, normal pressurizer spray is unavailable to reduce RCS pressure. The PORVs are

assumed to be used for RCS depressu rization, which is one of the steps performed to equalize th e primary and secondary pressures in order to terminate the primary to secondary break flow and the radioactive releases from the affected steam generator.The PORVs are also modeled in safety analyses for events that result in increasing RCS pressure for which departure from nucleate boiling ratio (DNBR) criteria are critical (Ref.2). By assuming PORV actuation, the primary pressure remains below the high pressurizer pressure trip setpoint; thus, the DNBR calculation is more conser vative. As such, this actuation is not required to mitigate these events, and PORV automatic operation is, therefore, not an assumed safety function.Pressurizer PORVs satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe LCO requires the PORVs and thei r associated block valves to be OPERABLE for manual operation to mitigate the effects associated with an SGTR.

By maintaining two PORVs and their associated block valves OPERABLE, the single failure criteri on is satisfied. An OPERABLE block valve may be either open and energized with the capability to be closed, or closed and energized with the capabili ty to be opened, since the required safety function is accomplished by manual operation. Although typically open to allow PORV operation, the block valves may be OPERABLE when closed to isolate the flow path of an inoperable PORV (continued)

Pressurizer PORVsB 3.4.11BASESNorth Anna Units 1 and 2B 3.4.11-3Revision 0 LCO(continued) that is capable of being manually cycl ed (e.g., as in the case of excessive PORV leakage). Similarly, isolation of an OPERABLE PORV does not render that PORV or block valve i noperable provided the relief function remains available with manual action.An OPERABLE PORV is required to be capable of manually opening and closing, and not experiencing excessive seat leakage. Excessive seat leakage, although not associated with a specific acceptance criteria, exists when conditions dictate closure of the block valve to limit leakage to within LCO3.4.13, "RCS Operational Leakage."

Satisfying the LCO helps minimize ch allenges to fission product barriers.APPLICABILITYIn MODES1, 2, and3, the PORVs and their associated block valves are required to be OPERABLE to limit th e potential for a small break LOCA through the flow path and for manual operation to mitigate the effects associated with an SGTR. The PORVs are also required to be OPERABLE in MODES1, 2, and3 for manual actuation to mitigate an SGTR event.

Imbalances in the energy output of the core and heat removal by the

secondary system can cause the RCS pressure to increase to the PORV opening setpoint. The most rapid in creases will occur at the higher operating power and pressure conditions of MODES1 and2.

Pressure increases are less prominent in MODE3 because the core input energy is reduced, but the RCS pressu re is high. Therefore, the LCO is applicable in MODES1, 2, and3. The LCO is not applicable in MODES4, 5, and6 with the reactor vessel head in place when both pressure and core energy are decreased and the pressure surges become much less significant.

LCO3.4.12 addresses the PORV requirements in these MODES.ACTIONSNote1 has been added to clarify that all pressurizer PORVs are treated as separate entities, each with separate Completion Times (i.e., the Completion Time is on a component basis).

North Anna Units 1 and 2B 3.4.11-4Revision 0Pressurizer PORVsB 3.4.11BASESACTIONS(continued)

A.1The PORVs are provided normal moti ve force by the Instrument Air system and have a backup nitrogen supply. If the backup nitrogen supply is inoperable, the PORVs are still capable of being manually cycled provided the Instrument Air system is available. The Instrument Ai r system is highly reliable and the likelihood of its being unavailable during a demand for PORV actuation is low enough to justify a 14 day Completion Time for

return of the backup nitroge n supply to OPERABLE status.

B.1PORVs may be inoperable and capable of being manually cycled (e.g.,

excessive seat leakage). In this Condition, either the PORVs must be

restored or the flow path isolated within 1hour. The associated block valve

is required to be closed, but power must be maintained to the associated block valve, since removal of pow er would render the block valve inoperable. This permits operation of the unit until the next refueling outage (MODE6) so that maintenance can be performed on the PORVs to eliminate the problem condition.Quick access to the PORV for pressure control can be made when power remains on the closed block valve. The Completion Time of 1hour is based on unit operating experience that has shown that minor problems can be corrected or closure accompl ished in this time period.

C.1, C.2, and C.3If one PORV is inoperable and not capable of being manually cycled, it

must be either restored, or isolated by closing the associated block valve and removing the power to the associ ated block valve. The Completion Time of 1hour is reasonable, based on challenges to the PORVs during this time period, and provides the operato r adequate time to correct the situation. If the inoperable valve cannot be restored to being capable of being manually cycled (permitting en try into Condition B), or OPERABLE status, it must be isolated within the specified time. Because there is one PORV that remains OPERABLE, an additional 72hours is provided to restore the inoperable PORV to OPERABLE status. If the PORV cannot be restored within this addi tional time, the unit must be brought to a MODE in which the LCO does not apply, as required by ConditionE.

Pressurizer PORVsB 3.4.11BASESNorth Anna Units 1 and 2B 3.4.11-5Revision 0ACTIONS(continued)

D.1 and D.2If one block valve is inoperable, then it is necessary to either restore the block valve to OPERABLE status within the Completion Time of 1hour or place the associated PORV in manual control. The prime importance for the capability to close the block valve is to isolate a stuck open PORV.

Therefore, if the block valve cannot be restored to OPERABLE status within 1hour, the Required Action is to place the PORV in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. The Completion Time of 1hour is reasonable, based on the small potential for challenges to the system during this time period, and provides the operator time to correct the situation. Becau se at least one PORV remains OPERABLE, the operator is permitted a Completion Time of 72hours to restore the inoperable block valve to OPERABLE status.

The time allowed to restore the block valve is based upon the Completion Time for restoring an inoperable PORV in ConditionC, since the PORVs

may not be capable of mitigating an ev ent if the inoperable block valve is not full open. If the block valve is restored within the Completion Time of 72hours, the PORV may be restored to automatic operation. If it cannot be restored within this addi tional time, the unit must be brought to a MODE in which the LCO does not apply, as required by ConditionE.The Required ActionsD.1 andD.2 are m odified by a Note stating that the Required Actions do not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with another Required Action. In this event, the Required Actions for inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address the condition. While it may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of ConditionC entry with PORV(s) inoperable and not capable of being manually cycled (e.g., as a result of failed control power fuse(s) or control switch malfunction(s).)

E.1 and E.2If the Required Action of ConditionA, B, C, orD is not met, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE4 within (continued)ACTIONSE.1 and E.2 (continued)12hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE4, automatic PORV OPERABILITY is required. See LCO3.4.12.

North Anna Units 1 and 2B 3.4.11-6Revision 0Pressurizer PORVsB 3.4.11BASESF.1 and F.2If more than one PORV is inoperabl e and not capable of being manually cycled, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasonable, base d on operating experience, to reach the required unit conditions from full power conditions in an orderly

manner and without challenging unit systems. In MODE4, automatic PORV OPERABILITY is required. See LCO3.4.12.G.1If two block valves are inoperable, it is necessary to restore at least one block valve within 2hours. The Completion Time is reasonable, based on the small potential for challenges to the system during this time and provide the operator time to correct the situation.The Required ActionG.1 is modified by a Note stating that the Required Action does not apply if the sole reas on for the block valve being declared inoperable is as a result of power being removed to comply with another Required Action. In this event, the Required Action for inoperable PORV (which requires the block valve power to be removed once it is closed) is adequate to address the condition. While it may be desirable to also place the PORV in manual control, this ma y not be possible fo r all causes of ConditionC entry with PORV inope rable and not capable of being manually cycled (e.g., as a result of fa iled control power fuse(s) or control switch malfunction(s)).

H.1 and H.2If the Required Actions of ConditionG are not met, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at (continued)

Pressurizer PORVsB 3.4.11BASESNorth Anna Units 1 and 2B 3.4.11-7Revision 46ACTIONSH.1 and H.2 (continued)least MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power c onditions in an orderly manner and without challenging unit systems. In MODE4, automatic PORV OPERABILITY is required. See LCO3.4.12.SURVEILLANCE

REQUIREMENT

SSR3.4.11.1SR3.4.11.1 requires verification that the pressure in the PORV backup nitrogen system is sufficient to provide motive force for the PORVs to cope

with a steam generator tube rupture coin cident with loss of the containment Instrument Air system. The Surveilla nce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.11.2 Block valve cycling verifies that the valve(s) can be opened and closed if needed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.

This SR is modified by two Notes. Note1 modifies this SR by stating that it is not required to be performe d with the block valve closed, in accordance with the Required Actions of this LCO. Opening the block valve in this condition increases the risk of an unisolable leak from the RCS since the PORV is already inoperable.Note2 modifies this SR to allow entry into and operation in MODE3 prior to performing the SR. This allows the test to be performed in MODE3 under operating temperature and pressure conditions, prior to entering MODE1 or2.SR3.4.11.3SR3.4.11.3 requires a complete cycle of each PORV. Operating a PORV through one complete cycle ensures that the PORV can be manually

actuated for mitigation of an SGTR. This testing is performed in MODES3 or4 to prevent possible RCS pressure transients with th e reactor critical.

(continued)

Pressurizer PORVsB 3.4.11BASESNorth Anna Units 1 and 2B 3.4.11-8Revision 46SURVEILLANCE REQUIREMENT

SSR3.4.11.3 (continued)

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.The Note modifies this SR to allow entry into and operation in MODE3 prior to performing the SR. This allo ws the test to be performed in MODE3 under operating temperature and pressure conditions, prior to entering MODE1 or2.SR3.4.11.4 Operating the solenoid control valves and check valves on the accumulators ensures the PORV cont rol system actuates properly when called upon. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.REFERENCES1.Regulatory Guide1.32, February1977.2.UFSAR, Section15.4.3.ASME Code for Operation and Maintenance of Nuclear Power Plants.

North Anna Units 1 and 2B 3.4.12-1Revision 20LTOP System B 3.4.12B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.12Low Temperature Overpressure Protection (LTOP) SystemBASESBACKGROUNDThe LTOP System controls RCS pressure at low temperatures so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the LTOP System design basis pressure and temperature (P/T) limit curve (i.e., 100%

of the isothermal P/T limit curve determined to satisfy the requirements of 10CFR50, AppendixG, Ref.1).

The reactor vessel is th e limiting RCPB component for demonstrating such protection. This specification provi des the maximum allowable actuation logic setpoints for the power operated relief valves (PORVs) and LCO3.4.3, "RCS Pressure and Temper ature (P/T) Limits," provides the maximum RCS pressure for the existi ng RCS cold leg temperature during cooldown, shutdown, and heatup to meet the Reference1 requirements during the LTOP MODES.

The reactor vessel material is less tough at low temp eratures than at normal operating temperature. As the vessel neutron exposure accumulates, the material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref.2). RCS pressu re, therefore, is maintained low at low temperatures and is increased only as temperature is increased.

The potential for vessel overpressurization is most acute when the RCS is water solid, occurring only while s hutdown; a pressure fluctuation can occur more quickly than an operato r can react to relieve the condition.

Exceeding the RCS P/T limits by a signi ficant amount could cause brittle cracking of the reactor vessel. LCO3.4.3, "RCS Pressure and Temperature (P/T) Limits," requires administrati ve control of RCS pressure and temperature during heatup and cool down to prevent exceeding the P/T limits.This LCO provides RCS overpressure protection by limiting coolant input capability and having adequate pressure relief capacity. Limiting coolant input capability requires a ll but one low head safety injection (LHSI) pump and one charging pump incapable of injection into the RCS and isolating the accumulators when accumulator pressure is greater than the PORV lift setting. The pressure relief capacity requires either two redundant RCS PORVs or a depressurized RCS and an (continued)

North Anna Units 1 and 2B 3.4.12-2Revision 0LTOP System B 3.4.12BASESBACKGROUND (continued)RCS vent of sufficient size. One RCS PORV or the open RCS vent is the overpressure protection device that acts to terminate an increasing pressure event.With limited coolant input capability, the ability to provide core coolant addition is restricted. Th e LCO does not require th e makeup control system deactivated or the safety injection (S I) actuation circuits blocked. Due to the lower pressures in the LTOP MODE S and the expected core decay heat levels, the makeup system can provide adequate flow via the makeup control valve. If conditions require the use of more than one LHSI and charging pump for makeup in the event of loss of inventory, then pumps

can be made available through manual actions.The LTOP System for pressure relief consists of two PORVs with reduced lift settings, or a depressurized RCS and an RCS vent of sufficient size. Two RCS PORVs are required for redundancy. One RCS PORV has

adequate relieving capability to keep from overpressurization for the required coolant input capability.PORV RequirementsAs designed for the LTOP System, each PORV is signaled to open if the RCS pressure exceeds a limit determined by the LTOP actuation logic. The LTOP actuation logic monitors both RCS temperature and RCS pressure and determines when a condition is not acceptable. The wide range RCS temperature indications are auctioneered to select the lowest temperature signal.The lowest temperature signal is pass ed to a comparator circuit which determines the pressure limit for that temperature. The pressure limit is then compared with the indicated RCS pressure from a wi de range pressure channel. If the indicated pressure meets or exceeds the calculated value, the PORVs are signaled to open.The PORV setpoints are staggered so only one valve opens to stop a low temperature overpressure transient. If the opening of the first valve does not prevent a further increase in pre ssure, a second valve will open at its higher pressure setpoint to stop the tr ansient. Having the setpoints of both valves within the limits in the LCO ensures that the LTOP System design basis P/T limit curve will not be exceeded in any analyzed event.

(continued)

LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-3Revision 26BACKGROUNDPORV Requirements (continued)When a PORV is opened in an increasing pressure transient, the release of coolant will cause the pressure increase to slow and reverse. As the PORV releases coolant, the RCS pressure decreases until a reset pressure is reached and the valve is signaled to close. The pressure continues to decrease below the reset pressure as the valve closes.RCS Vent Requirements Once the RCS is depressurized, a ve nt exposed to the containment atmosphere will maintain the RCS within the LTOP design basis P/T limit curve in an RCS overpressure transient, if the relieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path

must be capable of relieving the flow resulting from the limiting LTOP mass or heat input transient, and ma intaining pressure below the LTOP System design basis P/T limit curve.

The required vent capacity may be provided by one or more vent paths.For an RCS vent to meet the flow capacity requirement, it requires either removing a pressurizer safety valve, or blocking open a PORV and opening its block valve, or similarly establ ishing a vent by opening an RCS vent valve. The vent path(s) must be above th e level of reactor c oolant, so as not to drain the RCS when open.APPLICABLE SAFETY ANALYSESSafety analyses (Ref.3) demonstrate that the reactor vessel is adequately protected against exceeding the LTOP System design basis P/T limit curve (i.e., 100% of the isothermal P/T limi t curve determined to satisfy the requirements of 10CFR50, AppendixG, Ref.1). In MODES1, 2, and3, and in MODE4 with RCS cold leg temperature exceeding 280°F, the

pressurizer safety valves will prev ent RCS pressure from exceeding the Reference1 limits. At 280°F and below, overpressure prevention falls to two OPERABLE RCS PORVs or to a depressurized RCS and a sufficient

sized RCS vent. Each of these means has a limited overpressure relief capability.

The RCS cold leg temperature below which LTOP protection must be provided increases as the reactor ve ssel material toughness decreases due to neutron embrittlement. Each time the P/T curves are revised, the LTOP System must be (continued)

North Anna Units 1 and 2B 3.4.12-4Revision 0LTOP System B 3.4.12BASESAPPLICABLE SAFETY ANALYSES(continued)re-evaluated to ensure its functional requirements can still be met using the PORV method or the depressuri zed and vented RCS condition.

The LCO contains the acceptance limits that define the LTOP requirements. Any change to the RCS must be evaluated against the Reference3 analyses to determine the impact of the change on the LTOP

acceptance limits.Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transi ents, examples of which follow:Mass Input Type Transientsa.Inadvertent safety injection; orb.Charging/letdown flow mismatch.Heat Input Type Transientsa.Reactor coolant pump (RCP) startup with temperature asymmetry between the RCS and steam generators.

The following are required during the LTOP MODES to ensure that mass and heat input transients do not occur, which either of the LTOP overpressure protection means cannot handle:a.Rendering all but one LHSI pump and one charging pump incapable of injection;b.Deactivating the accumulator discharge isolation valves in their closed positions when accumulator pressure is greater than the PORV lift setting; andc.Disallowing start of an RCP if secondary temperature is more than 50F above primary temperature in any one loop. LCO3.4.6, "RCS Loops-MODE4," and LCO3.4.7, "RCS Loops-MODE5, Loops

Filled," provide this protection.The Reference3 analyses demonstrate that either one PORV or the depressurized RCS and RCS vent can maintain RCS pressure below limits when only one LHSI pump and one charging pump are actuated. Thus, the LCO allows only one LHSI pump and one charging pump OPERABLE during the LTOP MODES. The (continued)

LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-5Revision 20APPLICABLE SAFETY ANALYSESHeat Input Type Transients (continued)Reference3 analyses do not explicitly model actuation of the LHSI pump, since the RCS pressurization resulting from inadvertent safety injection by a single charging pump against a water-solid RCS would not be made more severe by such actuation. Since the LTOP analyses assume that the accumulators do not cause a mass addition transient, when RCS temperature is low, the LCO also requi res the accumulators to be isolated when accumulator pressure is greater than the PORV lift setting. The isolated accumulators must have their discharge valves closed and the

valve power supply breakers fixed in their open positions.Fracture mechanics analyses established the temperature of LTOP Applicability at 280F.The consequences of a small break lo ss of coolant accident (LOCA) in LTOP MODE4 conform to 10CFR50.46 (Ref.4), requirements by having a maximum of one LHSI pump and one charging pump OPERABLE.PORV PerformanceThe fracture mechanics analyses show that the vessel is protected when the PORVs are set to open at or below the allowable values shown in the LCO.

The setpoint allowable values are derived by analyses that model the performance of the LTOP System, assuming the limiting LTOP transient of one charging pump injecting into the RCS. These analyses consider pressure overshoot beyond the PORV ope ning and closing, resulting from signal processing and valve stroke times. The PORV setpoints at or below the derived value ensure the RCS pressure at the reactor vessel beltline will not exceed the LTOP design P/T limit curve.The PORV setpoint allowable values ar e evaluated when the P/T limits are modified. The P/T limits ar e periodically modified as the reactor vessel material toughness decreases due to neutron embrittlement caused by neutron irradiation. Revised limits ar e determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO3.4.3 discuss these examinations.

The PORVs are considered active co mponents. Thus, the failure of one PORV is assumed to represent the worst case, single active failure.

North Anna Units 1 and 2B 3.4.12-6Revision 20LTOP System B 3.4.12BASESAPPLICABLE SAFETY ANALYSES(continued)RCS Vent PerformanceWith the RCS depressurized, analyses show a vent size of 2.07square inches is capable of mitigating the allowed LTOP overpressure transient.

(A vent size of 2.07 square inches is th e equivalent relief capacity of one PORV.) The capacity of a vent this size is greater than the flow of the limiting transient for the LTOP c onfiguration, one LHSI pump and one charging pump OPERABLE, maintaining RCS pressure less than the LTOP design basis P/T limit curve.

The RCS vent size is re-evaluated for compliance each time the P/T limit curves are revised based on the results of the vessel material surveillance.

The RCS vent is passive and is not subject to active failure.

The LTOP System satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThis LCO requires that the LTOP System is OPERABLE. The LTOP System is OPERABLE when the mi nimum coolant input and pressure relief capabilities are OPERABLE. Viol ation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the LTOP System design basis P/T limit curve (i

.e., 100% of the isot hermal P/T limit curve determined to satisfy the requirements of 10CFR50, AppendixG, Ref.1) as a result of an operational transient.To limit the coolant input capability, the LCO requires a maximum of one LHSI pump and one charging pump capable of injecting into the RCS and all accumulator discharge isolation valves closed with power removed from the isolation valve operator, wh en accumulator pres sure is greater than the PORV lift setting.The LCO is modified by two Notes. Note1 allows two charging pumps to be made capable of injection for 1hour during pump swap operations. One hour provides sufficient time to safe ly complete the actual transfer and to complete the administrative cont rols and Surveillance requirements associated with the swap. The intent is to minimize the actual time that more than one charging pump is physically capable of injection.

(continued)

LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-7Revision 20 LCO(continued)Note2 states that accumulator isolation is only required when the accumulator pressure is more than the PORV lift setting.

This Note permits the accumulator discharge isolation valves to be open if the accumulator cannot challenge the LTOP limits.The elements of the LCO that pr ovide low temperature overpressure mitigation through pressure relief are:

a.Two OPERABLE PORVs; orA PORV is OPERABLE for LTOP when its block valve is open, its lift setpoint is set to the limits provi ded in the LCO and testing proves its ability to open at this setpoint, and backup nitrogen motive power is available to the PORVs a nd their control circuits.b.A depressurized RCS and an RCS vent.

An RCS vent is OPERABLE when open with an area of 2.07square inches.Each of these methods of overpressure prevention is capable of mitigating the limiting LTOP transient.APPLICABILITYThis LCO is applicable in MODE4 when any RCS cold leg temperature is 280F, in MODE5, and in MODE6 when the reactor vessel head is on.

The pressurizer safety valves provide overpressure protection that meets the Reference1 P/T limits above 280F. When the reactor vessel head is off, overpressurization cannot occur.

LCO3.4.3 provides the operational P/T limits for all MODES. LCO3.4.10, "Pressurizer Safety Valves

," requires the OPERABILITY of the pressurizer safety valves that provide overpressure protection during MODES1, 2, and3, and MODE4 above 280°F.

Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input tran sient can cause a very rapid increase in RCS pressure wh en little or no time allows operator action to mitigate the event.

North Anna Units 1 and 2B 3.4.12-8Revision 20LTOP System B 3.4.12BASESACTIONSA.1 and B.1With more than one LHSI pump and one charging pump capable of injecting into the RCS, RCS ove rpressurization is possible.To immediately initiate ac tion to restore restricted coolant input capability to the RCS reflects the urgency of removing the RCS from this condition.

C.1, C.2, D.1, and D.2 An unisolated accumulator requires isolation immediately.

Power available to an accumulator isolation valve operator must be removed in one hour. These ACTIONS are modified by a Note which states the Condition only applies if the accumulator pressure is more than the PORV lift setting.

If isolation is needed and cannot be accomplished, Required ActionD.1 and Required ActionD.2 pr ovide two options, either of which must be performed in the next 12hours. By increasing the RCS temperature to >280°F, the LCO is no longer Applicable. Depressurizing the accumulators below the PORV lift setting also exits the Condition.The Completion Times are based on op erating experience that these activities can be accomplished in th ese time periods and on engineering judgement indicating that an event requiring LTOP is not likely in the allowed times.

E.1In MODE4 when any RCS co ld leg temperature is 280F, with one RCS PORV inoperable, the RCS PORV must be restored to OPERABLE status within a Completion Time of 7days. Two PORVs are required to provide low temperature overpressure miti gation while withstanding a single failure of an active component.The Completion Time considers the facts that only one of the PORVs is required to mitigate an overpressure tran sient and that the likelihood of an active failure of the remaining valve pa th during this time period is very low.

LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-9Revision 0ACTIONS(continued)F.1The consequences of operational events that will overpressurize the RCS are more severe at lower temperature (Ref.5). Thus, with one of the two RCS PORVs inoperable in MODE5 or in MODE6 with the head on, the Completion Time to restore two valves to OPERABLE status is 24hours.The Completion Time represents a r easonable time to investigate and repair PORV failures without exposur e to a lengthy period with only one OPERABLE RCS PORV to protect against overpressure events.G.1The RCS must be depressurized and a vent must be established within 12hours when:

a.Both required RCS PORVs are inoperable; orb.A Required Action and associated Completion Time of ConditionA, B, D, E, orF is not met; orc.The LTOP System is inoperable for any reason other than ConditionA, B, C, D, E, orF.

The vent must be sized 2.07square inches to ensure that the flow capacity is greater than that required for the worst case mass input transient reasonable during the applic able MODES. This action is needed to protect the RCPB from a low temperature overpressure even t and a possible brittle failure of the reactor vessel.The Completion Time considers the time required to place the unit in this Condition and the relatively low proba bility of an overpressure event during this time period due to increased operator awareness of administrative control requirements.SURVEILLANCE

REQUIREMENT

SSR3.4.12.1, SR3.4.12.2, and SR3.4.12.3To minimize the potential for a lo w temperature overpressure event by limiting the mass input capability, a maximum of one LHSI pump and a maximum of one charging pump are verified (continued)

North Anna Units 1 and 2B 3.4.12-10 Revision 46LTOP System B 3.4.12BASESSURVEILLANCE REQUIREMENT

SSR3.4.12.1, SR3.4.12.2, and SR3.4.12.3 (continued)incapable of injecting into the RCS and the accumulator discharge isolation valves are verified closed with pow er removed from the isolation valve operator.SR3.4.12.3 is modified by a Note stati ng that the verification is only required when accumulator pressure is greater than the PORV lift setting. With accumulator pressure less than the PORV lift setting, the accumulator cannot challenge the LTOP limits and the isolation valves are allowed to be open.

The LHSI pumps and charging pumps are rendered incapable of injecting into the RCS through removing the power from the pumps by racking the breakers out under administ rative control. An alternate method of LTOP control may be employed using at least two independent means to prevent a pump start such that a single failure or single action will not result in an

injection into the RCS. This ma y be accomplished through the pump control switch being placed in pull to lock and at least one valve in the discharge flow path being closed.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.12.4 The RCS vent of 2.07square inches is pr oven OPERABLE by verifying its open condition either:

a.Once every 12hours for a valve that is not locked.b.The Surveillance Frequency for lo cked valves is based on operating experience, equipment reliability, a nd plant risk and is controlled under the Surveillance Fre quency Control Program.The passive vent arrangement must only be open to be OPERABLE. This Surveillance is required to be performed if the vent is being used to satisfy the pressure relief requirements of the LCO3.4.12b.

LTOP System B 3.4.12BASESNorth Anna Units 1 and 2B 3.4.12-11Revision 46SURVEILLANCE REQUIREMENT

S(continued)

SR 3.4.12.5The PORV block valve must be verified open every 72hours to provide the flow path for each required PORV to perform its function when actuated.

The valve may be remotely verified open in the main control room. In addition, the PORV keyswitch must be ve rified to be in the proper position to provide the appropriated trip setpoints to the PORV actuation logic. This Surveillance is performed if the PORV is used to satisfy the LCO.

The block valve is a remotely contro lled, motor operated valve. The power to the valve operator is not require d removed, and the manual operator is not required locked in the inactive position. Thus, the block valve can be closed in the event the PORV develops excessive leakage or does not close (sticks open) after relieving an overpressure situation.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.12.6SR3.4.12.6 requires verification that the pressure in the PORV backup nitrogen system is sufficient to provide motive force for the PORVs to cope with an overpressure event. The Surveillance Frequency is based on

operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.12.7Performance of a COT is required on each required PORV to verify the PORV is capable of performing its LTOP function and, as necessary, adjust its lift setpoint. A successful test of the required contac t(s) of a channel relay may be performed by the verifica tion of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The COT will verify the setpoint is within the al lowed maximum limits in this specification. PORV actuation could depressurize the (continued)

North Anna Units 1 and 2B 3.4.12-12 Revision 46LTOP System B 3.4.12BASESSURVEILLANCE REQUIREMENT

SSR 3.4.12.7 (continued)

RCS and is not required. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

A Note has been added indicating that this SR is not required to be performed until 12hours after entering a condition in which the PORV is required to be OPERABLE. The Note allows entering the LTOP

Applicability prior to performing the SR. The 12-hour frequency considers the unlikelihood of a low temperature overpressure even t during this time.SR3.4.12.8Performance of a CHANNEL CALIBRATION on each required PORV

actuation channel is required to adjust the whole channel so that it responds and the valve opens within the requi red range and accur acy to known input.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.10CFR50, AppendixG.2.Generic Letter88-11.3.UFSAR, Section5.2.2.2.

4.10CFR50, Section50.46.

5.Generic Letter90-06.

North Anna Units 1 and 2B 3.4.13-1Revision 0RCS Operational LEAKAGE B 3.4.13B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.13RCS Operational LEAKAGEBASESBACKGROUNDComponents that cont ain or transport the coolan t to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational

wear or mechanical deterioration.

The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of

LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.General Design Criteria3 (Ref.1), requi res means for dete cting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide1.45 (Ref.2) describe s acceptable methods for selecting leakage detection systems.The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing

them to take corrective action should a l eak occur that is detrimental to the safety of the facility and the public.A limited amount of leakage inside cont ainment is expected from auxiliary systems that cannot be made 100% le aktight. Leakage from these systems should be detected, loca ted, and isolated from th e containment atmosphere, if possible, to not interfere with RCS leakage detection.

This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the co re from inadequate cooling, in addition to preventing the accident an alyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).

North Anna Units 1 and 2B 3.4.13-2Revision 28RCS Operational LEAKAGE B 3.4.13BASESAPPLICABLE SAFETY ANALYSESExcept for primary to secondary LEA KAGE, the safety analyses do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect

the probability of such an event. The safety analysis for an event resulting in steam discharge to the atmosphere assumes that primary to secondary LEAKAGE from all steam generators (SGs) is one gallon per minute or increases to one gallon per minute as a result of accident induced conditions. The LCO requirement to limit primary to secondary LEAKAGE through any one SG to less than or equal to 150gallons per

day is significantly less than the condi tions assumed in the safety analysis.

Primary to secondary LEAKAGE is a f actor in the dose releases outside containment resulting from a main steam line break (MSLB) accident.

Other accidents or transients involve secondary steam release to the atmosphere, such as a steam generato r tube rupture (SGTR). The leakage contaminates the secondary fluid.The UFSAR (Ref.3) analysis for SGTR assumes the contaminated secondary fluid is released via power operated relief valves or safety

valves. The source term in the primary system coolant is transported to the affected (ruptured) steam generator by the break flow. The affected steam generator discharges steam to the environment for 30minutes until the generator is manually isolated. The 1gpm primary to secondary LEAKAGE transports the source term to the unaffected steam generators. Releases continue through the unaff ected steam generators until the Residual Heat Removal Syst em is placed in service.The MSLB is less limiting for site radiation releases than the SGTR. The safety analysis for the MSLB ac cident assumes 1 gpm primary to secondary LEAKAGE as an initial condition. The dose consequences resulting from the MSLB and SGTR accidents are within the limits defined in the staff approved licensing basis.The RCS operational LEAKAGE satisfies Criterion2 of 10CFR50.36(c)(2)(ii).

RCS Operational LEAKAGE B 3.4.13BASESNorth Anna Units 1 and 2B 3.4.13-3Revision 28 LCORCS operational LEAKAGE shall be limited to:a.Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not

pressure boundary LEAKAGE.b.Unidentified LEAKAGE One gallon per minute (gpm) of unide ntified LEAKAGE is allowed as a reasonable minimum detectable am ount that the containment air monitoring and containment sump level monitoring equipment can

detect within a reasonable time pe riod. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.c.Identified LEAKAGEUp to 10gpm of identified LEAKAGE is considered allowable because

LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System. Identified LEAKAGE includes LEAKAGE to the

containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled reactor coolant pump (RCP) seal leakoff (a nor mal function not considered LEAKAGE). Violation of this LC O could result in continued degradation of a component or system.d.Primary to Secondary LEAKAGE through Any One SGThe limit of 150gallons per day pe r SG is based on the operational LEAKAGE performance criterion in NEI97-06, Steam Generator Program Guidelines (Ref.4). The Steam Generator Program operational LEAKAGE performance criterion in NEI97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150gallons per day." The limit is based on operating experience with SG tube degradation mechanisms that result in tube leakage. The operational leakage (continued)

North Anna Units 1 and 2B 3.4.13-4Revision 28RCS Operational LEAKAGE B 3.4.13BASESLCOd.Primary to Secondary LEAKAGE through Any One SG (continued) rate criterion in conjunction with the implementation of the Steam Generator Program is an effect ive measure for minimizing the frequency of steam generator tube ruptures.APPLICABILITYIn MODES1, 2, 3, and4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.In MODES5 and6, LEAKAGE limits ar e not required because the reactor coolant pressure is far lower, resu lting in lower stresses and reduced potentials for LEAKAGE.

LCO3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leak tight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.ACTIONSA.1Unidentified LEAKAGE or identified LEAKAGE in excess of the LCO limits must be reduced to within limits within 4hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must

be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1 and B.2 If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within li mit, or if unidentified LEAKAGE, or identified LEAKAGE, cannot be reduced to within limits within 4hours, the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential conseque nces. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. The reactor must be brought to MODE3 within (continued)

RCS Operational LEAKAGE B 3.4.13BASESNorth Anna Units 1 and 2B 3.4.13-5Revision 28ACTIONSB.1 and B.2 (continued)6hours and MODE5 within 36hours. This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE5, the pressure stresses acting on the RCPB are much lower, and further deterioration is much less likely.SURVEILLANCE

REQUIREMENT

SSR 3.4.13.1Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintain ed. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE and can only be positively identified by inspection. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance.

The RCS water inventory ba lance must be met with the reactor at steady state operating conditions (s table temperature, power level, pressurizer and makeup tank levels, makeup and let down, and RCP seal injection and return flows). The surveillance is modified by two Notes. Note1 states that this SR is not required to be performed until 12hours after establishing steady state operation. The 12hour allowance provides sufficient time to collect and process all necessary data after stable pl ant conditions are established.Steady state operation is required to perform a proper inventory balance since calculations during maneuvering are not usef ul. For RCS operational LEAKAGE determination by water inve ntory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and let down, and RCP seal injection and return flows.

An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and (continued)

North Anna Units 1 and 2B 3.4.13-6Revision 46RCS Operational LEAKAGE B 3.4.13BASESSURVEILLANCE REQUIREMENT

SSR 3.4.13.1 (continued)the containment sump level. It should be noted that LEAKAGE past seals

and gaskets is not pressure boundary LEAKAGE. These leakage detection systems are specified in LCO3.4.15, "RCS Leakage Detection

Instrumentation."Note2 states that this SR is not applicable to primary to secondary LEAKAGE because LEAKAGE of 150 gallons per day cannot be measured accurately by an RCS water inventory balance.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.13.2 This SR verifies that primary to se condary LEAKAGE is le ss than or equal to 150gallons per day through any one SG. Satisfying the primary to secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Gene rator Program is met. If this SR is not met, compliance with LCO3.4.20, "Steam Generator Tube Integrity," should be evaluated. The 150gallons pe r day limit is measured at room temperature as described in Reference5. The operational LEAKAGE rate

limit applies to LEAKAGE through any one SG. If it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary LEAKAGE should be conservatively assumed to be from one SG.The Surveillance is modified by a Note, which states that the Surveillance is not required to be performed until 12hours after establishment of steady state operation. For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup ta nk levels, makeup and letdown, and RCP seal injection and return flows.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The primary to secondary LEAKAGE is

determined using continuous process radiation moni tors or radiochemical grab sampling in accordance with the EPRI guidelines (Ref.5).

RCS Operational LEAKAGE B 3.4.13BASESNorth Anna Units 1 and 2B 3.4.13-7Revision 28REFERENCES1.UFSAR, Section3.1.26.2.Regulatory Guide1.45, May 1973.3.UFSAR, Chapter15.

4.NEI97-06, "Steam Generator Program Guidelines."

5.EPRI, "Pressurized Water Reactor Primary-to-Secondary Leak Guidelines."

Intentionally Blank North Anna Units 1 and 2B 3.4.14-1Revision 0 RCS PIV Leakage B 3.4.14B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.14RCS Pressure Isolation Valve (PIV) LeakageBASESBACKGROUND10CFR50.2, 10CFR50.55a(c), and General Design Criteria55 (Refs.1, 2, and3), define RCS PIVs as any two normally closed valves in series within the reactor coolant pressure boundary (RCPB), which separate the high pressure RCS from an attach ed low pressure system. The 1975 Reactor Safety Study, WA SH-1400, (Ref. 4) identi fied intersystem LOCAs as a significant contributor to the risk of core melt. The study considered

designs containing two in-series chec k valves and two check valves in series with an MOV which isolate the high pressure RCS from the low

pressure safety injection system. The sc enario considered is a failure of the two check valves leading to overpr essurization and rupture of the low pressure injection piping which results in a LOCA that bypasses containment. A letter was issued (R ef. 5) by the NRC requiring plants to describe the PIV configuration of the plant. On April 20, 1981, the NRC

issued an Order modifying the North Anna Unit 1 Technical Specifications to include testing requirements on PI Vs and to specify the PIVs to be tested. The original North Anna 2 Technical Specifications, dated August 21, 1980, included a list of PIVs required to be tested and described the required testing. The valves required to be leak tested by this Specification are listed in Tables B 3.4.14-1 (Unit1) and B 3.4.14-2 (Unit 2).During their lives, these valves can produce varying amounts of reactor

coolant leakage through either norma l operational wear or mechanical deterioration. The RCS PIV Leakag e LCO allows RCS high pressure

operation when leakage through these valves exists in amounts that do not compromise safety.The PIV leakage limit applies to each individual valve to which the LCO applies. Leakage through both series PIVs in a line must be included as part of the identified LEAKAGE, governed by LCO3.4.13, "RCS Operational LEAKAGE." This is true during opera tion only when the loss of RCS mass through two series valves is determ ined by a water inventory balance (SR3.4.13.1). A known component of th e identified LEAKAGE before operation begins is the leas t of the two individual leak rates determined for leaking series PIVs during the (continued)

North Anna Units 1 and 2B 3.4.14-2Revision 0 RCS PIV Leakage B 3.4.14BASESBACKGROUND (continued) required surveillance testing; leakage measured through one PIV in a line is not RCS operational LEAKAGE if the other is leaktight.Although this specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overp ressure failure of the low pressure portions of connecting systems. The leakage limit is an indication that the PIVs between the RCS and the connecting systems are degraded or degrading. PIV leakage could lead to overpressure of the low pressure

piping or components. Failure conseque nces could be a loss of coolant accident (LOCA) outside of contai nment, an unanalyzed accident, that could degrade the ability for low pressure injection.Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.APPLICABLE SAFETY ANALYSESReference4 identified potential intersystem LOCAs as a significant contributor to the risk of core melt. The dominan t accident sequence in the intersystem LOCA category is the failur e of the low pressure portion of the ECCS low pressure injection system ou tside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the RCPB, and the subsequent pressurization of the ECCS low pressure injection system downstream of the PIVs from the RCS. Because the low pressure portion of the system is not designed for RCS pressure, overpressurization failure of the low pressure line would result in a LOCA outside containment and subsequent risk of core melt.

RCS PIV leakage satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).

LCOThe RCS PIVs required to be leak tested are listed in TablesB3.4.14-1 (Unit 1) and B3.4.14-2 (Unit 2).

RCS PIV leakage is identified LEAK AGE into closed systems connected to the RCS. Isolation valve leakage is usually on the order of drops per minute. Leakage that increases signifi cantly suggests that something is operationally wrong and correc tive action must be taken.

(continued)

RCS PIV Leakage B 3.4.14BASESNorth Anna Units 1 and 2B 3.4.14-3Revision 0 LCO(continued)The LCO PIV leakage limit is 0.5gpm pe r nominal inch of valve size with a maximum limit of 5gpm. The previous criterion of 1gpm for all valve sizes imposed an unjustified penalty on the larger valves without providing information on potential valve degradat ion and resulted in higher personnel radiation exposures. A study concluded a leakage ra te limit based on valve size was superior to a single allowable value.Reference6 permits leakage testing at a lower pressure differential than between the specified maximum RCS pr essure and the normal pressure of the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressure will tend to diminish the overall l eakage channel opening. In such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential to the one half power.APPLICABILITYIn MODES1, 2, 3, and4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized. In MODE4, any valves in the RHR flow path that are required to be tested are not required to meet the requirements of this LCO when in, or during the transition to or from, the RHR mode of operation.In MODES5 and6, leakage limits are not provided because the lower reactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment.ACTIONSThe Actions are modified by two Notes. Note1 provides clarification that each flow path allows separate entry into a Condition. This is allowed based upon the functional independence of the flow path. Note2 requires an evaluation of affected systems if a PIV is inoperable. The leakage may have affected system operability, or isolation of a le aking flow path with an alternate valve may have degraded the ability of the interconnected system to perform its safety function.

North Anna Units 1 and 2B 3.4.14-4Revision 46 RCS PIV Leakage B 3.4.14BASESACTIONS(continued)

A.1Required ActionA.1 requires that RCS PIV leakage be restored to within limit within 4hours. Four hours provides time to reduce leakage in excess of the allowable limit. The 4hour Completion Time allows the actions and restricts the operation with leaking isolation valves.

B.1 and B.2 If leakage cannot be redu ced the unit must be brou ght to a MODE in which the requirement does not apply. To ach ieve this status, the unit must be brought to MODE3 within 6hours and MODE5 within 36hours. This Action may reduce the leakage and also reduces the potential for a LOCA outside the containment. The allowed Completion Times are reasonable based on operating experience, to reach the required unit conditions from full power conditions in an orderl y manner and without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.4.14.1 Performance of leakage testing on the affected RCS PIV or isolation valve used to satisfy Required ActionA.1 is required to verify that leakage is below the specified limit and to identify each leaking valve. The leakage limit of 0.5gpm per inch of nominal valve diameter up to 5gpm maximum applies to each valve. Le akage testing requires a st able pressure condition. Leakage may be measured indirectly (a s from the performance of pressure indicators) to satisfy ALARA require ments if supported by calculations verifying that the method is capabl e of demonstrating valve compliance with the leakage criteria.For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage te sted, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situati on, the protection provided by redundant valves would be lost.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

RCS PIV Leakage B 3.4.14BASESNorth Anna Units 1 and 2B 3.4.14-5Revision 46SURVEILLANCE REQUIREMENT

SSR3.4.14.1 (continued)

The Frequency is within frequency allowed by the American Society of Mechanical Engineers (ASME) Code (Ref.6).

In addition, testing must be performe d once after the valve has been opened by flow or exercised to ensure tight reseating. PIVs disturbed in the performance of this Surveillance should also be tested unless documentation shows that an infinite testing loop cannot practically be avoided. Testing must be performed within 24hours after the valve has been reseated. Within 24hours is a reasonable and practical time limit for performing this test after opening or reseating a valve.The leakage limit is to be met at the RCS pressure associated with MODES1 and2. This permits leakage testing at high differential pressures with stable conditions not possible in the MODES wi th lower pressures. If testing cannot be performed at these pr essures, testing can be performed at lower pressures and scaled to operating pressure.Entry into MODES3 and4 is allowed if needed to establish the necessary differential pressures and stable conditions to allow for performance of this Surveillance. The Note that allows th is provision is complementary to the Frequency of prior to entry into MODE2 whenever the unit has been in MODE5 for 7days or more, if leakage testing has not been performed in the previous 9months. In addition, this Surveillance is not required to be performed on any RCS PIVs in the RH R System flow path when the RHR System is aligned to the RCS in the shutdown cooling mode of operation.

PIVs contained in the RHR shutdown cool ing flow path that are required to be tested must be leakage rate tested after RHR is secu red and stable unit conditions and the necessary differ ential pressures are established.REFERENCES1.10CFR50.2.2.10CFR50.55a(c).3.UFSAR, Section 3.1.48.1.

North Anna Units 1 and 2B 3.4.14-6Revision 0 RCS PIV Leakage B 3.4.14BASESREFERENCES (continued)4.WASH-1400 (NUREG-75/014), AppendixV, October 1975.5.Letter from D. G. Eisenhut, NRC, to all LWR licensees, LWR Primary Coolant System Pressure Isolation Valves, February23,1980.6.ASME Code for Operation and Main tenance of Nuclear Power Plants.7.10CFR50.55a(g).

North Anna Units 1 and 2B 3.4.14-7Revision 0 RCS PIV Leakage B 3.4.14TableB 3.4.14-1 (page1 of1)

Unit 1 RCS PIVS Required To Be Tested VALVEFUNCTION1-SI-83Low Head Safety Injection to Cold Legs-Loop 11-SI-195Low Head Safety Injection to Cold Legs-Loop 11-SI-86Low Head Safety Injection to Cold Legs-Loop 21-SI-197Low Head Safety Injection to Cold Legs-Loop 2 1-SI-89Low Head Safety Injection to Cold Legs-Loop 31-SI-199Low Head Safety Injection to Cold Legs-Loop 3 North Anna Units 1 and 2B 3.4.14-8Revision 0 RCS PIV Leakage B 3.4.14TableB 3.4.14-2 (page 1 of 1)

Unit 2 RCS PIVS Required To Be Tested ValveFunction2-SI-85High head safety injection to cold legs and hot legs 2-SI-93High head safety injection to cold legs and hot legs 2-SI-107High head safety injection to cold legs and hot legs 2-SI-119High head safety injection to cold legs and hot legs MOV-2836High head safety injection off charging headerMOV-2869A, BHigh head safety injection off charging headerMOV-2867C, DBoron injection tank outlet valves

2-SI-91Low head safety injection to cold legs 2-SI-99Low head safety injection to cold legs 2-SI-105Low head safety injection to cold legs 2-SI-126Low head safety injection to hot legs 2-SI-128Low head safety injection to hot legs2-SI-151Accumulator discharge check valves2-SI-153Accumulator discharge check valves2-SI-168Accumulator discharge check valves2-SI-170Accumulator discharge check valves2-SI-185Accumulator discharge check valves2-SI-187Accumulator discharge check valves MOV-2700RHR system isolation valves MOV-2701RHR system isolation valvesMOV-2720A, BRHR system isolation valvesMOV-2890A, B, C, & DLow head safety injection to cold legs and hot legs North Anna Units 1 and 2B 3.4.15-1Revision 47RCS Leakage Detection Instrumentation B 3.4.15B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.15RCS Leakage Detection InstrumentationBASESBACKGROUNDUFSAR, Chapter3 (Ref.1) requires compliance with Regulatory Guide1.45, Revision0 (Ref.2). Regulatory Guide1.45, Revision0 describes acceptable methods for sele cting RCS leakage detection systems.Leakage detection systems must have the capability to detect significant reactor coolant pressure boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential fo r propagation to a gross failure. Thus, an early indication or warning signal in the control room is necessary to permit proper evaluati on of all unidentified LEAKAGE. In addition to meeting the OPERABILITY requirements, the monitors are typically set to provide the most se nsitive response without causing an excessive number of spurious alarms.

These leakage detection methods or systems differ in sensitivity and response time.

The containment sump used to co llect unidentified LEAKAGE includes two sump level monitors that provide level indication. The "A"train level indicator provides input to a calculated discharge flow rate determined by the plant computer. Either level indi cation or the calculated containment sump discharge flow rate is accep table for detecting increases in

unidentified LEAKAGE.The reactor coolant contains radioact ivity that, when released to the containment, may be detected by ra diation monitoring instrumentation.

Radioactivity detection systems are included for monitoring both particulate and gaseous activities beca use of their sensitivities and rapid responses to RCS LEAKAGE. One C ontainment Air Recirculation Fan (CARF) provides enough air flow for the operation of the radiation detectors.

(continued)

North Anna Units 1 and 2B 3.4.15-2Revision 47RCS Leakage Detection Instrumentation B 3.4.15BASESBACKGROUND (continued)Air temperature and pressure monitoring methods may also be used to infer unidentified LEAKAGE to the containm ent. Containment temperature and pressure fluctuate slightly during unit operation, but a rise above the

normally indicated range of values may indicate RCS leakage into the

containment. The relevance of temperature and pressure measurements are affected by containment free volume and, for temperature, detector location. Alarm signals from these instruments can be valuable in recognizing rapid and sizable leakage to the containment. Temperature and pressure monitors are not required by this LCO.APPLICABLE SAFETY ANALYSESThe need to evaluate the severity of an alarm or an indication is important to the operators, and the ability to compare and verify with indications from other systems is necessary. Multiple instrument locations are utilized, if needed, to ensure that the trans port delay time of the leakage from its source to an instrument location yields an acceptable overa ll response time.The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the un identified LEAKAGE provides quantitative information to the operators, allowing them to take corrective

action should a leakage occur detrimental to the safety of the unit and the public.RCS leakage detection instrumentation satisfies Criterion1 of 10CFR50.36(c)(2)(ii).

LCOThis LCO requires instruments of di verse monitoring principles to be OPERABLE to provide confidence th at small amounts of unidentified LEAKAGE are detected in time to allow actions to place the unit in a safe condition, when RCS LEAKAGE indicat es possible RCPB degradation.

The LCO requires two instruments to be OPERABLE.

The containment sump used to co llect unidentified LEAKAGE includes two sump level monitors that provid e level indication. The "A" train level indicator provides input to a calculated discharge flow rate determined by the plant (continued)

RCS Leakage Detection Instrumentation B 3.4.15BASESNorth Anna Units 1 and 2B 3.4.15-3Revision 47 LCO(continued)computer. Either level indication or the calculated containment sump discharge flow rate is acceptable for detecting increases in unidentified LEAKAGE. The identification of an increase in unidentified LEAKAGE

will be delayed by the time require d for the unidentified LEAKAGE to travel to the containment sump and it may take longer than one hour to detect a 1 gpm increase in unid entified LEAKAGE, depending on the origin and magnitude of the LEAKAGE.

This sensitivity is acceptable for containment sump monitor OPERABILITY.The reactor coolant contains radioact ivity that, when released to the containment, can be detected by the gaseous or particulate containment atmosphere radioactivity monitor. Only one of the two detectors is required to be OPERABLE. Radioactivity detection systems are included for monitoring both particulate and gase ous activities because of their sensitivities and rapid responses to RCS LEAKAGE, but have recognized limitations. Reactor coolan t radioactivity levels will be low during initial reactor startup and for a few weeks thereafter, until activated corrosion products have been formed and fission products appear from fuel element cladding contamination or cladding defects. If there are few fuel element cladding defects and low levels of activation products, it may not be possible for the gaseous or part iculate containment atmosphere radioactivity monitors to detect a 0.5gpm increase wi thin 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> during normal operation. However, the gase ous or particulate containment atmosphere radioactivity monitor is OPERABLE when it is capable of detecting a 0.5gpm increase in unidentified LEAKAGE within 1hour given an RCS activity equivalent to th at assumed in the design calculations for the monitors (Reference 3).The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment sump monitor, in combination with a gaseous or particulate radioactivity monitor, provides an acceptable minimum.

North Anna Units 1 and 2B 3.4.15-4Revision 47RCS Leakage Detection Instrumentation B 3.4.15BASESAPPLICABILITYBecause of elevated RCS temperature and pressure in MODES1, 2,3, and4, RCS leakage detection inst rumentation is required to be OPERABLE.In MODE5 or6, the temperature is to be 200F and pressure is maintained low or at atmospheric pr essure. Since the temperatures and pressures are far lower than those for MODES1, 2, 3, and4, the likelihood of leakage and crack propagation are much smaller. Therefore, the requirements of this LCO are not applicable in MODES5 and6.ACTIONSA.1 and A.2With the required containment sump m onitor inoperable, no other form of sampling can provide the equivalent information; however, the containment atmosphere radioactivity monitor will provide indications of changes in leakage. Together wi th the containment atmosphere radioactivity monitor, the periodic su rveillance for RCS water inventory balance, SR3.4.13.1, must be performe d at an increased frequency of 24hours to provide information that is adequate to detect leakage. A Note is added allowing that SR3.4.13.1 is not required to be performed until 12hours after establishing steady state operation (stable temperature,

power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flow). The 12hour allowance provides sufficient time to collect and process all necessary data after stable unit

conditions are established.

Restoration of the required sump m onitor to OPERABLE status within a Completion Time of 30days is require d to regain the function after the monitor's failure. This time is acceptable, considering the Frequency and adequacy of the RCS water inve ntory balance required by Required ActionA.1.B.1.1, B.1.2, andB.2With both gaseous and particulate c ontainment atmosphere radioactivity monitoring instrumentation channels inoperable, alternative action is

required. Either grab samp les of the containment at mosphere must be taken and analyzed or water inventory balances, in accordance with SR3.4.13.1,

must be performed to provide alternate periodic information.

(continued)

RCS Leakage Detection Instrumentation B 3.4.15BASESNorth Anna Units 1 and 2B 3.4.15-5Revision 47ACTIONSB.1.1, B.1.2, andB.2 (continued)With a sample obtained and analyz ed or water inventory balance performed every 24hours, the reactor may be operated for up to 30days to allow restoration of the required co ntainment atmosphere radioactivity monitors.The 24hour interval provides periodic information that is adequate to detect leakage. A Note is added allowing that SR3.4.13.1 is not required to be performed until 12hours after esta blishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flow). The 12hour allowance provides sufficient time to collect and process all necessary data after stable unit conditions are established. The 30day Completion Time

recognizes at least one other form of leakage detection is available.

C.1 and C.2With the required containment sump m onitor inoperable, the only means of

detecting LEAKAGE is the required containment atmosphere radiation monitor. A Note clarifies that this Condition is applicable when the only OPERABLE monitor is the containm ent atmosphere gaseous radiation monitor. The containment atmosphe re gaseous radioactivity monitor typically cannot detect a 0.5gpm leak within one hour when RCS activity is low. In addition, this configurati on does not provide th e required diverse means of leakage detection. Indirect methods of monitoring RCS leakage

must be implemented. Grab samples of the containment atmosphere must be taken to provide alternate periodic information. The 12hour interval is sufficient to detect increasing RCS leakage. The Required Action provides 7days to restore another RCS leakag e monitor to OPERABLE status to regain the intended leakage detection capability. The 7day Completion Time ensures that the plant will not be operated in a degraded configuration for a lengthy time period.

(continued)

North Anna Units 1 and 2B 3.4.15-6Revision 47RCS Leakage Detection Instrumentation B 3.4.15BASESACTIONS(continued)

D.1 and D.2If a Required Action of ConditionA or B cannot be met, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating expe rience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1With all required monitors inoperable, no required automatic means of monitoring leakage are available, and immediate unit shutdown in accordance with LCO3.0.3 is required.SURVEILLANCE

REQUIREMENT

SSR3.4.15.1SR3.4.15.1 requires the performance of a CHANNEL CHECK of the

required containment atmosphere radioactivity monitor. The check gives reasonable confidence that the channel is operating properly. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.15.2SR3.4.15.2 requires the performance of a COT on the required containment atmosphere radioactivity monitor. The test ensures that the monitor can perform its function in the desired manner. The test verifies the alarm setpoint and relative accuracy of the instrument string. The

Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.15.3 and SR3.4.15.4These SRs require the performance of a CHANNEL CALIBRATION for each of the RCS leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the instruments located inside containment. The Surveillance Frequency is

based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Chapter3.2.Regulatory Guide1.45, Revision 0, "Reactor Coolant Pressure Boundary Leakage Detection Systems," dated May,1973.

RCS Leakage Detection Instrumentation B 3.4.15BASESNorth Anna Units 1 and 2B 3.4.15-7Revision 473.UFSAR, Chapter5.2.4 Intentionally Blank North Anna Units 1 and 2B 3.4.16-1Revision 42RCS Specific Activity B 3.4.16B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.16RCS Specific ActivityBASESBACKGROUNDThe maximum dose that an indi vidual at the exclusion area boundary can receive for 2hours following an accident, or at the low population zone outer boundary for the radiological release duration, is specified in 10CFR50.67 (Ref.1). Doses to control room operators must be limited per GDC19. The limits on specific activity ensure that the offsite and control room doses are appropriately limited during analyzed transients and accidents.

The RCS specific activity LCO limits th e allowable concentration level of radionuclides in the reactor coolant. The LCO limits are established to minimize the dose consequences in the event of a steam line break (SLB) or steam generator tube rupture (SGTR) accident.

The LCO contains specific activity limits for both DOSE EQUIVALENTI-131 and DOSE EQUIVALENTXE-133. The allowable levels are intended to ensure that offsite and control room doses meet the

appropriate acceptance criteria in the Standard Review Plan (Ref. 2).APPLICABLE SAFETY ANALYSESThe LCO limits on the specific activity of the reactor coolant ensure that the resulting offsite and control r oom doses meet the appropriate SRP acceptance criteria following a SLB or SGTR accident. The safety analyses (Refs. 3 and 4) assume the specific activity of the reactor coolant is at the LCO limits, and an existing reactor coolant steam generator (SG) tube leakage rate of 1gpm exists. The safety analyses assume the specific

activity of the secondary coolant is at its limit of 0.1Ci/gm DOSE EQUIVALENTI-131 from LCO3.7.18, "Secondary Specific Activity."The analyses for the SLB and SGTR accidents establish the acceptance limits for RCS specific activity. Reference to these analyses is used to

assess changes to the unit that could affect RCS specific activity, as they relate to the acceptance limits.

(continued)

North Anna Units 1 and 2B 3.4.16-2Revision 42RCS Specific Activity B 3.4.16BASESAPPLICABLE SAFETY ANALYSES(continued)The safety analyses consider two cases of reactor coolant iodine specific activity. One case assume s specific activity at 1.0 Ci/gm DOSE EQUIVALENTI-131 with a concurrent large iodine spike that increases the rate of release of i odine from the fuel rods containing cladding defects to the primary coolant immediately af ter a SLB (by a factor of 500), or SGTR (by a factor of 335), respectively. The second case assumes the initial reactor coolant iodine activity at 60.0Ci/gm DOSE EQUIVALENTI-131 due to an iodine sp ike caused by a reactor or an RCS transient prior to the accident. In bot h cases, the noble gas specific activity is assumed to be 197Ci/gm DOSE EQUIVALENTXE-133.The SGTR analysis also assumes a loss of offsite power at the same time as the reactor trip. The SGTR causes a reduction in reactor coolant inventory. The reduction initiates a reactor trip from a low pressuri zer pressure signal or an RCS overtemperature T signal.The loss of offsite power causes the st eam dump valves to close to protect the condenser. The rise in pressure in the ruptured SG discharges radioactively contaminated steam to the atmosphere through the SG power operated relief valves and the main steam safety valves. The unaffected SGs remove core decay heat by venting steam to the atmosphere until the

cooldown ends and the Residual Heat Re moval (RHR) system is placed in service.The SLB radiological analysis assumes that offsite power is lost at the same time as the pipe break occurs outside containment. Reactor trip occurs after the generation of an SI signal on low steam line pressure. The affected SG blows down completely and steam is vented directly to the atmosphere. The unaffected SGs remove core decay heat by venting steam to the atmosphere until th e cooldown ends and the RHR system is placed in service.Operation with iodine specific activity levels greater than the LCO limit is permissible, if the activi ty levels do not exceed 60.0Ci/gm for more than 48hours.

The limits on RCS specific activity are also used for establishing standardization in radiation shie lding and plant personnel radiation protection practices.

RCS specific activity satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe iodine specific activity in the reactor coolant is limited to 1.0Ci/gm DOSE EQUIVALENTI-131, and the noble gas specific ac tivity in the reactor coolant is limited to 197Ci/gm DOSE EQUIVALENTXE-133.

The limits on specific activity ensure that offsite and control room doses will meet the appropriate SRP acceptance criteria (Ref.2).

RCS Specific Activity B 3.4.16BASESNorth Anna Units 1 and 2B 3.4.16-3Revision 46 The SLB and SGTR accident analyses (Refs.3 and 4) show that the calculated doses are within acceptable limits. Violation of the LCO may result in reactor coolant radioactivity levels that could, in the event of a SLB or SGTR, lead to doses that exceed the SRP acceptance criteria (Ref.2).APPLICABILITYIn MODES1, 2, 3, and 4, operation within the LCO limits for DOSE EQUIVALENTI-131 and DOSE EQUIVALENTXE-133 is necessary to limit the potential consequences of a SLB or SGTR to within the SRP acceptance criteria (Ref.2).

In MODES 5 and 6, the steam generators are not bei ng used for decay heat removal, the RCS and steam generators are depressurized, and primary to secondary leakage is minimal. Theref ore, the monitoring of RCS specific activity is not required.ACTIONSA.1 and A.2With the DOSE EQUIVALENTI-131 greate r than the LCO limit, samples at intervals of 4hours must be taken to demonstrate that the specific activity is <

60.0Ci/gm. The Completion Time of 4hours is required to obtain and analyze a sample. Sampling is continued every 4hours to provide a trend.The DOSE EQUIVALENTI-131 must be restored to within limit within 48hours. The Completion Time of 48hours is acceptable since it is

expected that, if there were an iodi ne spike, the normal coolant iodine concentration would be restored within this time period. Also, there is a low probability of a SLB or SGTR occurring during this time period.A Note permits the use of the provisions of LCO3.0.4.c. This allowance permits entry into the applicable MODE(S), relying on Required Actions A.1 and A.2 while the DOSE EQUIVALENT I-131 LCO limit is not met. This allowance is acceptable due (continued)ACTIONS(continued) to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or pr oceeds to, power operation.

B.1With the DOSE EQUIVALENTXE-133 greater than the LCO limit, DOSE EQUIVALENTXE-133 must be restored to within limit within 48hours. The allowed Completion Time of 48hours is acceptable since it is expected that, if there were a noble gas spike, the normal coolant noble gas North Anna Units 1 and 2B 3.4.16-4Revision 46RCS Specific Activity B 3.4.16BASESconcentration would be restored within this time period. Also, there is a low probability of a SLB or SGTR occurring during this time period.

A Note permits that the use of the provisions of LCO3.0.4.c. This allowance permits entry into the appl icable MODE(S), relying on Required ActionB.1 while the DOSE EQUIVALENT XE-133 LCO limit is not met. This allowance is acceptable due to si gnificant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or proceeds to,

power operation.

C.1 and C.2If the Required Action and associated Completion Time of ConditionA or B is not met, or if the DOSE EQUIVALENTI-131 is > 60.0Ci/gm, the reactor must be brought to MODE3 within 6hours and MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full

power conditions in an orderly manner and without challenging plant

systems.SURVEILLANCE

REQUIREMENT

SSR3.4.16.1SR3.4.16.1 requires performing a gamma isotopic analys is as a measure of the noble gas specific activity of the r eactor coolant. This measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveill ance provides an indication of any increase in the noble gas specific activity.

(continued)SURVEILLANCE

REQUIREMENT

S(continued)SR3.4.16.1 (continued)Trending the results of this Surveillan ce allows proper re medial action to be taken before reaching the LCO li mit under normal operating conditions.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.Due to the inherent difficulty in detecting Kr-85 in a react or coolant sample due to masking from radioisotopes within similar decay energies, such as F-18 and I-134, it is acceptable to incl ude the minimum detectable activity for Kr-85 in the SR3.4.16.1 calculation. If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT

XE-133 is not detected, it should be assumed to be present at the minimum detectable activity.SR3.4.16.2 RCS Specific Activity B 3.4.16BASESNorth Anna Units 1 and 2B 3.4.16-5Revision 46 This Surveillance is performed to ensu re iodine specific activity remains within the LCO limit during normal operation and following fast power changes when iodine spiking is more apt to occur. The Surveillance

Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The Frequency, between 2 and 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after a power change

>15% RTP within a 1hour period, is established because the iodine levels peak during this time foll owing the iodine spike init iation; samples at other times would provide accurate results.

RCS Specific Activity B 3.4.16BASESNorth Anna Units 1 and 2B 3.4.16-6Revision 42REFERENCES1.10CFR50.67.2.Standard Review Plan (SRP) Section15.0.1 "Radiological Consequence Analyses Using Alternative Source Terms."3.UFSAR, Section15.4.2.4.UFSAR, Section15.4.3.

North Anna Units 1 and 2B 3.4.17-1Revision 0RCS Loop Isolation Valves B 3.4.17B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.17RCS Loop Isolation ValvesBASESBACKGROUNDThe reactor coolant loops are equipped with l oop isolation valves that permit any loop to be isolated from the reactor vessel. One valve is installed on each hot leg and one on each cold leg. The loop isolation valves are used to perform mainte nance on an isolated loop. Power operation with a loop isolated is not permitted.To ensure that inadvertent closure of a loop isolation valve does not occur, the valves must be open with power to the valve operators removed in MODES1, 2, 3 and4. If the valves are closed, a set of administrative

controls and equipment interlocks mu st be satisfied prior to opening the isolation valves as described in LCO3.4.18, "RCS Isolated Loop Startup."APPLICABLE SAFETY ANALYSESThe safety analyses performed for the reactor at power assume that all reactor coolant loops are initially in operation and the loop isolation valves are open. This LCO places c ontrols on the loop isolation valves to ensure that the valves are not inadvertently closed in MODES1, 2, 3 and4. The

inadvertent closure of a loop isolat ion valve when the Reactor Coolant Pumps (RCPs) are operating will result in a partial loss of forced reactor coolant flow (Ref.1). If the reactor is at power at the time of the event, the effect of the partial loss of forced coolant flow is a rapid increase in the

coolant temperature which could resu lt in DNB with subsequent fuel damage if the reactor is not tripped by the Low Flow reactor trip. If the reactor is shutdown and an RCS loop is in operation removing decay heat,

closure of the loop isolation valve a ssociated with the operating loop could also result in increasing coolant temp erature and the possibility of fuel damage.RCS Loop Isolation Valves satisfy Criterion2 of 10CFR 50.36(c)(2)(ii).

LCOThis LCO ensures that the loop isolat ion valves are open and power to the valve operators is removed. Loop isolat ion valves are used for performing maintenance in MODES5 and6.

(continued)

North Anna Units 1 and 2B 3.4.17-2Revision 0RCS Loop Isolation Valves B 3.4.17BASESLCO(continued)

The safety analyses assume that the loop isolation valves are open in any RCS loops required to be OPERABLE by LCO3.4.4, "RCS Loops-MODES1 and2," LCO3.4.5, "RCS Loops-MODE3," or LCO3.4.6, "RCS Loops-MODE4."APPLICABILITYIn MODES1 through4, this LCO ensures that the loop isolation valves are open and power to the valve operators is removed. The safety analyses assume that the loop isolation valves are open in any RCS loops required to

be OPERABLE.In MODES5 and6, the loop isolation valves may be closed. Controlled startup of an isolated loop is governed by the requirements of LCO3.4.18, "RCS Isolated Loop Startup."ACTIONSThe Actions have been provided wi th a Note to clarify that all RCS loop isolation valves for this LCO are treated as separate entities, each with separate Completion Times, i.e., the Completion Time is on a component basis.A.1If power is inadvertentl y restored to one or more loop isolation valve operators, the potential exists for acci dental isolation of a loop. The loop isolation valves have motor operators. Therefore, these valves will maintain their last position when power is removed from the valve operator. With power applied to the valve operators, only the interlocks prevent the valve from being opera ted. Although operating procedures and interlocks make the occurrence of this event unlikely, the prudent action is to remove power from the loop isol ation valve operators. The Completion Time of 30minutes to remove pow er from the loop isolation valve operators is sufficient considering the complexity of the task.

B.1, B.2, and B.3 Should a loop isolation valve be closed in MODES1 through4, the affected loop isolation valve(s) must remain closed and the unit placed in MODE5. Once in MODE5, the isolat ed loop may be started in a controlled manner in accordance with LCO3.4.18, "RCS Isolated Loop Startup." Opening the closed isolation valve in MODES1 through4 could

result in colder water or water at a lower boron concentration being mixed with the operating RCS loops (continued)

RCS Loop Isolation Valves B 3.4.17BASESNorth Anna Units 1 and 2B 3.4.17-3Revision 46ACTIONSB.1, B.2, and B.3 (continued) resulting in positive reac tivity insertion. The Completion Time of Required ActionB.1 allows time for borati ng the operating loops to a shutdown boration level such that the unit can be brought to MODE3 within 6hours and MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.4.17.1 The Surveillance is performed to ensure that the RCS loop isolation valves

are open prior to removing power from the isolation valve operator. There is no remote position indi cation available after power is removed from the valve operators. The valves will maintain their last position when power is removed for the valve operator.SR3.4.17.2The primary function of this Surveillance is to ensure that power is removed from the valve operators, since SR3.4.4.1 of LCO3.4.4, "RCS Loops-MODES1 and2," ensures that the loop isolation valves are open by verifying every 12hours that all loops are operating and circulating reactor coolant. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section15.2.6.

Intentionally Blank North Anna Units 1 and 2B 3.4.18-1Revision 0RCS Isolated Loop Startup B 3.4.18B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.18RCS Isolated Loop StartupBASESBACKGROUNDThe RCS may be operated with loops isolated in MODES5 and6 in order to perform maintenance. While opera ting with a loop isolated, there is potential for inadvertently opening the is olation valves in the isolated loop.

In this event, any coolant in the isolated loop would begin to mix with the coolant in the operating loops. This situ ation has the potential of causing a positive reactivity addition with a corresponding reduction of SDM if:a.The temperature in the isolated loop is lower than the temperature in the operating Residual Heat Removal (RHR) or RCS loops (cold water incident); orb.The boron concentration in the isol ated loop is lower than the boron concentration required to meet the SDM of LCO3.1.1 or the boron concentration of LCO3.9.1 (boron dilution incident).

If the loop is drained of coolant, st artup of an isolat ed loop will cause coolant to flow from the RCS into the isolated portion of the loop with the potential to lower the RCS water level and cause a loss of suction to the RHR System pumps.As discussed in the UFSAR (Ref.1), the startup of a filled, isolated loop is done in a controlled manner that virtually eliminates any sudden reactivity addition from cold water or boron dilution because:a.This LCO and unit operating procedures require that the boron concentration in the isolated loop be equal to or greater than the boron concentration required to meet the SDM of LCO3.1.1 or the boron concentration of LCO3.9.1 prior to opening the isolation valves, thus eliminating the potential for introducing coolant from the isolated loop that could dilute the boron concentr ation in the operating loops below the required limit.b.The cold leg loop isolation valve cannot be opened unless the loop has been operated with the hot leg isol ation valve open and recirculation flow of 125 gpm for (continued)

North Anna Units 1 and 2B 3.4.18-2Revision 0RCS Isolated Loop Startup B 3.4.18BASESBACKGROUNDb.(continued)90minutes. This ensures that the te mperatures of both the hot leg and cold leg of the isolat ed loop are within 20F of the operating loops and the boron concentration of the isolated loop is gr eater than or equal to the boron concentration required to meet the SDM of LCO3.1.1 or the boron concentration of LCO3.9.1. Comp liance with the recirculation requirement is ensured by operat ing procedures and automatic interlocks.c.Other automatic interlocks preven t opening the hot leg loop isolation valve unless the cold leg loop is olation valve is fully closed.

The startup of an initially drained, isolated loop is performed in a controlled manner to ensure that sufficient water is available in the RCS to support RHR operation. In this case, the automatic interlocks are defeated and the isolated loop is fille d under administrative control.APPLICABLE SAFETY ANALYSESDuring startup of a filled isolated loop, the cold leg loop isolation valve

interlocks and operating procedures prevent opening the valve until the isolated loop and active RCS volume temperatures are equalized and the

boron concentration is within limit. This ensures that any undesirable reactivity effect from the isolated loop does not occur.An evaluation of the effects of openi ng the loop isolation valves with the boron concentration or temperature re quirements of the filled, isolated portion not met is described in Reference1. Failure to follow the requirements in the LCO could result in the RCS boron concentration or coolant temperature being reduced with a corresponding reduction in SDM. The evaluation concluded that adequate time is available for an operator to identify and respond to such an event prior to reactor criticality.The initial RCS volume re quirements ensure that the operation of the RHR System is not impaired during the fill ing of an isolated loop from the RCS should the isolatio n valves on three drained, isol ated loops be inadvertently opened.RCS isolated loop startup satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).

LCOLoop isolation valves are used for pe rforming maintenance when the unit is in MODE5 or6. This LCO governs the return to operation of an isolated loop (i.e., the hot and cold leg loop isolation valves are initially closed) and ensures that the loop isolation valves remain closed unless acceptable conditions for opening the valves are established.

There are two methods for returning an isolated loop to operation. The first method is used when the is olated loop is filled with water. When using the RCS Isolated Loop Startup B 3.4.18BASESNorth Anna Units 1 and 2B 3.4.18-3Revision 0 filled loop method, the hot leg isolation valve (e.g., the inlet valve to the isolated portion of the loop) is opened first. As described in LCO3.4.18.a, the water in the isolated loop must be borated to at least the boron

concentration needed to provide the required shutdown margin prior to opening the hot leg isolation valve. This ensures that the RCS boron

concentration is not reduced below th at required to maintain the required shutdown margin. The water in the isolated loop is then mixed with the

water in the RCS by establ ishing flow through the reci rculation line (which bypasses the cold leg isolation va lve). After the flow through the recirculation line has thoroughly mixed the water in the isolated loop with the water in the RCS and it is verified that the isolated loop temperature is no more than 20F below the temperature of the RCS (to avoid reactivity additions due to reduced RCS temperat ure), the cold leg isolation valve may be opened.

The second method for returning an isol ated loop to operat ion is described in LCO3.4.18.b and is used when the isolated loop is drained of water. In the drained loop method, the water in the RCS is used to fill the isolated portion of the loop. The LCO also requi res that the pressurizer water level be established sufficiently high prior to and during the opening of the isolation valves to ensure that the in advertent opening of all three sets of loop isolation valves on thr ee drained and isolated l oops would not result in loss of net positive suction head fo r the Residual Heat Removal system.

The LCO is modified by a Note wh ich allows Reactor Coolant Pump

(RCP) seal injection to be initiated to a RCP in a drained, isolated loop. This is to support vacuum assisted backfill of the loop. In this method, a

vacuum is drawn on the isolated loop pr ior to opening the cold leg isolation valve in order to minimize the amount of trapped air in the loop and to

minimize the need to run the RCP in the isolated loop to clear out air

pockets. In order to draw a vacuum on (continued)

LCO(continued)the isolated loop, the RCP seals must be filled with water. The boron concentration of the water used for seal injection must meet the same requirements as the reactor coolant sy stem and the loop must be drained prior to starting seal inje ction in order to be sure that no water at a boron concentration less than required remains in the isolated loop.

The LCO is modified by a Note which allows a hot or cold leg isolation valve to be closed for up to two hours without considering the loop isolated and meeting the LCO requirements when opening the closed valve. This allows for necessary maintenance and testing on the valves and the valve operators. If the closed valve is not re opened with two hours, it is necessary to close both isolation valves on the affected loop and follow the

requirements of the LCO when reopeni ng the isolation valves. This is required because there is a possibility th at the water in the isolated loop has become diluted or cooled to the point that reintroduction of the water into to the reactor vessel could result in a significant reactivity change.

North Anna Units 1 and 2B 3.4.18-4Revision 0RCS Isolated Loop Startup B 3.4.18BASESAPPLICABILITYIn MODES 5 and 6, RCS loops may be isolated to perform maintenance.

When a filled, isolated loop is to be put in operation, the isolated loop boron concentration and temperature must be controlled prior to opening the loop isolation valves in order to avoid the potential for positive reactivity addition. When an initially drai ned, isolated loop is to be put into operation, sufficient RCS inventory must be available to ensure that RCS

water level continues to support RHR operation. The LCO water level requirement is sufficient to ensure that RCS water level does not drop below that required for RHR operation. In MODES1, 2, 3 and4, the loop

isolation valves are required to be open with power to the valve operators removed by LCO3.4.17, "RCS Loop Isolation Valves."ACTIONSA.1, B.1, andC.1Required ActionsA.1, B.1, andC.1 apply when the requirements of LCO3.4.18.a are not met and a loop is olation valve has been opened.

Therefore, the Actions require immedi ate closure of isolation valves to preclude a boron dilution event or a cold water event or RCS water level falling below that required for RHR operation.

RCS Isolated Loop Startup B 3.4.18BASESNorth Anna Units 1 and 2B 3.4.18-5Revision 0ACTIONS(continued)D.1, D.2, E.1 andE.2Required ActionsD.1, D.2, E.1 andE.2 apply when the requirements of LCO3.4.18.b are not met and an initially drained, isolated loop is filled from the active RCS volume by opening a loop isolation valve. If the RCS water level requirement is not met, there is the possibility of insufficient net positive suction head to suppor t the RHR pumps. If the RCP seal

injection boron concentration requirements are not met, there is the possibility of diluting the reactor c oolant boron concentration below that which is required. In both cases, the isol ation valve(s) are to be closed and the requirements of the LCO must be met prior to opening the isolation

valves. If both isolation valves on the loop are not fully opened within 2hours, the lack of flow through the cl osed valve(s) could result in the boron concentration of the previously isolated portion of the loop being significantly different from the remainder of the RCS. The boron concentration in the isolated loop must be verified to be wi thin limit or the isolation valve(s) are to be closed and the requireme nts of the LCO must be met prior to opening th e isolation valves.F.1If power is restored to one or more closed loop isolat ion valve operators without the initial conditions in LCO 3.4.18.a.1 or LCO 3.4.18.b.1 being met, the potential exists for accident al startup of an isolated loop and possible reduction in shutdown margi

n. The loop isolation valves have motor operators. Therefore, these valves will maintain their last position

when power is removed from the valve operator. With power applied to the valve operators, only the interlocks prevent the valve from being operated. Although operating procedures and interlocks make the occurrence of this event unlikely, the prudent action is to remove power from the loop isolation valve operators. The Completion Time of 30minutes to remove power from the loop isolation valve operators is sufficient considering the complexity of the task.SURVEILLANCE

REQUIREMENT

SSR3.4.18.1 This Surveillance is performed to ensure that the temperature differential

between a filled, isolated loop and the operating loops is 20F. The loop stop valve interlocks (continued)

North Anna Units 1 and 2B 3.4.18-6Revision 0RCS Isolated Loop Startup B 3.4.18BASESSURVEILLANCE REQUIREMENT

SSR3.4.18.1 (continued) ensure that the temperature of the isolated loop is equalized with the temperature of the operating loops by re quiring that the isolated loop is operated for at least 90minutes with a recirculation flow of 125 gpm. The safety analysis neglects the uncertainty associated with measuring

recirculation flow due to the insignificant effect on the analysis. Performing the Surveillance 30minutes prior to opening the cold leg

isolation valve in the isolated loop provides reasonable assurance, based on engineering judgment, that the temperature differential will stay within limits until the cold leg isolation valve is opened.

This Frequency has been shown to be acceptable th rough operating experience.The Surveillance is modified by a Note which states that the Surveillance is only required to be met when utilizing the requirements of the LCO

applicable to starting a filled, isolated loop.SR3.4.18.2To ensure that the boron concentration of a filled, isolated loop is greater than or equal to the boron concentration required to meet the SDM of LCO3.1.1 or the boron concentration of LCO3.9.1, a Surveillance is performed 1hour prior to opening either the hot or cold le g isolation valve. Performing the Surveillance 1hour prior to opening either the hot or cold

leg isolation valve provides reasonable assurance the boron concentration difference will stay wi thin acceptable limits until the loop is unisolated.

This Frequency is a reasonable amount of time given that the isolated loop boron concentration changes slowly a nd the time require d to request and have analyzed a boron concentration measurement prior to opening the

isolation valve.The Surveillance is modified by a Note which states that the Surveillance is only required to be met when utilizing the requirements of the LCO applicable to starting a filled, isolated loop.

RCS Isolated Loop Startup B 3.4.18BASESNorth Anna Units 1 and 2B 3.4.18-7Revision 0SURVEILLANCE REQUIREMENT

S(continued)SR3.4.18.3 This Surveillance is performed to ensu re that a filled, isolated loop is recirculated, with the hot leg isolation valve open, for at least 90 minutes at a flow rate of at least 125 gpm. This will ensure that the boron

concentration and temperatur e of the isolated loop is similar to those of the operating loops. The Frequency of with in 30 minutes prior to opening the cold leg isolation valve in a filled, is olated loop is considered a reasonable time to prepare for the opening of the cold leg isolation valve. The

Surveillance is modified by a Note which states that the Surveillance is only required to be met when util izing the requirements of the LCO applicable to starting a filled, isolated loop.SR3.4.18.4 This Surveillance is performed to ensu re that an isolated loop is drained

before opening an isolation valve to fill the isolated portion of the RCS from the RCS active volume or before initiating seal injection to the RCP in the isolated loop. This verificati on is performed to prevent unsampled water in a partially filled, isolated loop from mixing with the water in the RCS and potentially causing reactivity changes due to differences in boron concentration. The Frequency of within 2hours prior to fill ing an initially drained loop from the active RCS volume or within 2hours of initiating seal injection to the RCP in the isol ated loop is considered a reasonable time to prepare for the opening of the isolation valve. The Surveillance is modified by a Note which states that th e Surveillance is on ly required to be met when utilizing the requirements of the LCO applicable to starting an initially drained, isolated loop.SR3.4.18.5This Surveillance verifies that the bor on concentration of the water used for seal injection to the RCP in the isolated loop is borated to the same requirement as the RCS. This will prevent the water used for seal injection from diluting the water in the RCS. The LCO is modified by two Notes. Note1 states that the Surveillance is only required to be met when utilizing the requirements of the LCO applicable to starting an initially drained, isolated loop. Note2 states that the Su rveillance is only required to be met when using blended flow as the sour ce for RCP seal injection. The other sources(continued)

North Anna Units 1 and 2B 3.4.18-8Revision 0RCS Isolated Loop Startup B 3.4.18BASESSURVEILLANCE REQUIREMENT

SSR3.4.18.5 (continued) for seal injection are required to be borated to at least the required boron concentration and are periodically verified by ot her specifications. The Frequency of within 1hour prior to in itiating seal inject ion flow and once per hour during filling of an initia lly drained loop from the active RCS volume is considered a reasonable time to monitor the seal injection boron concentration.SR3.4.18.6This Surveillance verifies that there is sufficient water in the RCS when filling an initially drained, isolated portion of the RCS. The volume of water required is sufficient to cont inue to support RHR operation in the event of the inadvertent opening of th e isolation valves on three isolated and drained loops. The required level of 32% incorporates inaccuracies due to use of instruments calibrated at cold conditions. If inst ruments calibrated at hot conditions are used, an indicated level of 39% is required due to the increased instrument uncertainty.

The Frequency of every 15 minutes during filling of a drained, isolated loop ensures that the operators are aware of the water level during the fi lling operation. The Surveillance is modified by a Note which states that the Surveillance is only required to be met when utilizing the requirements of the LCO applicable to starting a drained, isolated loop.SR3.4.18.7This Surveillance is performed to ensu re that the boron concentration of an isolated loop satisfies the boron con centration requirements of the RCS prior to completely opening the cold leg isolation valve or opening the hot leg isolation valve. The Surveillance is modified by a Note which states

that the Surveillance is only required to be met when utilizing the

requirements of the LCO applicable to starting an initially drained, isolated loop. The Frequency of within 1hour prior to fully opening the cold leg

isolation valve or opening the hot le g isolation valve is considered a reasonable time to prepare for th e opening of the isolation valves.REFERENCES1.UFSAR, Section15.2.6.

North Anna Units 1 and 2B 3.4.19-1Revision 0RCS Loops-Test Exceptions B 3.4.19B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.19RCS Loops-Test ExceptionsBASESBACKGROUNDThe primary purpose of this test exception is to provide an exception to LCO3.4.4, "RCS Loops-MODES1 and2,"

to permit reactor criticality under no forced flow conditions during certain PHYSICS TESTS (natural

circulation demonstration, station blackout, and loss of offs ite power) to be performed while at low THERMAL POWER levels. SectionXI of 10CFR50, AppendixB (Ref.1), requi res that a test program be established to ensure that structures, systems, a nd components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceed ed during normal operation and anticipated operational occurrences must be tested. This testing is an

integral part of the design, construc tion, and operation of the power plant as specified in General Design Criteria1, "Quality Standards and Records" (Ref.2).The key objectives of a test program are to provide assurance that the facility has been adequately designed to validate the analytical models used in the design and analysis, to verify the assumptions used to predict unit response, to provide assurance that in stallation of equipment at the unit has been accomplished in accordance with the design, and to verify that the operating and emergency procedures are adequate. Testing is performed prior to initial criticality, during startup, and following low power operations.The tests will include verifying the ability to establish and maintain natural circulation following a unit trip, pe rforming natural circulation cooldown on emergency power, and during the c ooldown, showing that adequate boron mixing occurs and that pressure can be controlled using auxiliary spray and pressurizer heaters powered from the emergency power sources.APPLICABLE SAFETY ANALYSESThe tests described above require operating the unit without forced convection flow and as such are not bounded by any safety analyses. However, operating experience has dem onstrated this exception to be safe under the present applicability.

(continued)

North Anna Units 1 and 2B 3.4.19-2Revision 0RCS Loops-Test Exceptions B 3.4.19BASESAPPLICABLE SAFETY ANALYSES(continued)As described in LCO3.0.7, compliance with Test Exception LCOs is

optional, and therefore no criteria of 10CFR 50.36(c)(2)(ii) apply. Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCOThis LCO provides an exemption to the requirements of LCO3.4.4.

The LCO is provided to allow for th e performance of PHYSICS TESTS in MODE2 (after a refueling), where the core cooling requirements are significantly different than after the core has been operating. Without the LCO, unit operations would be held bound to the normal operating LCOs for reactor coolant loops and circulation (MODES1 and2), and the appropriate tests could not be performed.In MODE2, where core power level is considerably lower and the associated PHYSICS TESTS must be performed, operation is allowed under no flow conditions provided THERMAL POWER is P-7 and the reactor trip setpoints of the OPERABLE power level channels are set 25%RTP. This ensures, if some problem caused the unit to enter MODE1 and start increasing unit power, the Reactor Trip System (RTS) would automatically shut it down before power became too high, and thereby prevent violation of fuel design limits.The exemption is allowed even though there are no bounding safety analyses. However, these tests are performed under close supervision

during the test program and provide valuable information on the unit's capability to cool down without offs ite power available to the reactor

coolant pumps.APPLICABILITYThis LCO is applicable when performing low power PHYSICS TESTS without any forced convection flow. This testing is performed to establish

that heat input from nuclear heat do es not exceed the natural circulation heat removal capabilities.

Therefore, no safety or fu el design limits will be violated as a result of the associated tests.ACTIONSA.1 When THERMAL POWER is the P-7 interlock setpoint 10%, the only acceptable action is to ensure the reactor trip breakers (RTBs) are opened immediately in accordance with Required ActionA.1 to prevent operation

of the fuel beyond its design limits. Opening the RTBs will shut down the RCS Loops-Test Exceptions B 3.4.19BASESNorth Anna Units 1 and 2B 3.4.19-3Revision 46reactor and prevent operation of the fuel outside of its design limits.SURVEILLANCE REQUIREMENT

SSR3.4.19.1Verification that the power level is <

the P-7 interlock setpoint (10%) will ensure that the fuel design criteria are not violated during the performance of the PHYSICS TESTS. The Surveillance Frequency is based on

operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.4.19.2 The power range and intermediate range neutron detectors, P-10, andP-13 interlock setpoint must be verified to be OPERABLE and adjusted to the proper value. The Low Power Reactor Trips Block, P-7 interlock, is actuated from either the Power Ra nge Neutron Flux, P-10, or the Turbine Impulse Chamber Pressure, P-13 interl ock. The P-7 interlock is a logic Function with train, not channel identity. A COT is performed prior to initiation of the PHYSICS TESTS. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This will ensure that the RTS is properly aligned to provide the required degree of core protection dur ing the performance of the PHYSICS TESTS. The SR3.3.1.8 Frequency is suff icient for the power range and intermediate range neutron detectors to ensure that the instrumentation is OPERABLE before initiating PHYSICS TESTS.

North Anna Units 1 and 2B 3.4.19-4Revision 0RCS Loops-Test Exceptions B 3.4.19BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.4.19.3The Low Power Reactor Trips Block, P-7 interlock, must be verified to be OPERABLE in MODE1 by LCO3.3.1, "Reactor Trip System

Instrumentation." The P-7 interlock is actuated from either the Power Range Neutron Flux, P-10, or the Turb ine Impulse Chamber Pressure, P-13 interlock. The P-7 interlock is a logic Function. An ACTUATION LOGIC TEST is performed to verify OPERABIL ITY of the P-7 interlock prior to initiation of startup and PHYSICS TESTS. This will ensure that the RTS is properly functioning to pr ovide the required degr ee of core protection during the performance of the PHYSICS TESTS.REFERENCES1.10CFR50, AppendixB, SectionXI.2.UFSAR, Section 3.1.1.

North Anna Units 1 and 2B 3.4.20-1Revision 28SG Tube Integrity B 3.4.20B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.20Steam Generator (SG) Tube IntegrityBASESBACKGROUNDSteam generator (SG) tubes are small diameter, th in walled tubes that carry primary coolant through the primary to secondary heat exchangers. The SG tubes have a number of impor tant safety functions. SG tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary system's pressure and inventory. The SG tubes isolate the radioactive fission pr oducts in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface betw een the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function is addressed by LCO3.4.4, "RCS Loops-MODES1 and2," LCO3.4.5, "RCS Loops-MODE3,"

LCO3.4.6, "RCS Loops-MODE4," and LCO3.4.7, "RCS Loops-MODE5, Loops Filled."

SG tube integrity means that the t ubes are capable of performing their intended RCPB safety f unction consistent with the licensing basis, including applicable regulatory requirements.

SG tubing is subject to a variety of degradation mechanisms. SG tubes may experience tube degradation related to corrosion phenomena, such as wastage, pitting, intergranular atta ck, and stress corrosion cracking, along with other mechanically induced phenomena such as denting and wear.

These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG

tube degradation.Specification5.5.8, "Steam Generator (SG) Program

," requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification5.5.8, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, acci dent induced leakage, and operational LEAKAGE. The SG performance criteria are described in Specification5.5.8. Meeting the (continued)

North Anna Units 1 and 2B 3.4.20-2Revision 28SG Tube Integrity B 3.4.20BASESBACKGROUND (continued)SG performance criteria provides reasonable assura nce of maintaining tube integrity at normal a nd accident conditions.The processes used to meet the SG pe rformance criteria are defined by the Steam Generator Program Guidelines (Ref.1).APPLICABLE SAFETY ANALYSESThe steam generator tube rupture (S GTR) accident is the limiting basis event for SG tubes and avoiding a SGTR is the basis for th is Specification.

The analysis of a SGTR event as sumes a bounding primary to secondary LEAKAGE rate of 1gpm, which is co nservative with respect to the operational LEAKAGE rate limits in LCO3.4.13, "RCS Operational LEAKAGE," plus the leakage rate a ssociated with a double-ended rupture of a single tube. The UFSAR analysis for SGTR as sumes the contaminated secondary fluid is released via power operated relief valves or safety

valves. The source term in the primary system coolant is transported to the affected (ruptured) steam generator by the break flow. The affected steam generator discharges steam to the environment for 30minutes until the generator is manually isolated. The 1gpm primary to secondary LEAKAGE transports the source term to the unaffected steam generators. Releases continue through the unaff ected steam generators until the Residual Heat Removal Syst em is placed in service.The analysis for design basis accidents and transients other than a SGTR assume the SG tubes retain their struct ural integrity (i.e., they are assumed not to rupture.) In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE from all SGs of 1gallon per minute or is assumed to increase to 1gallon per minute as a

result of accident induced conditions.

For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT I-131 is assumed to be equal to the LCO3.4.16, "RCS Specific Activity," limits. For accidents that assume fuel damage

, the primary coolant activity is a function of the amount of activity re leased from the damaged fuel. The dose consequences of these events are within the limits of GDC19 (Ref.2), 10CFR50.67 (Ref.3) or RG1.183 (Ref.4), as appropriate.

SG tube integrity satisfies Criterion2 of 10CFR50.36(c)(2)(ii).

SG Tube Integrity B 3.4.20BASESNorth Anna Units 1 and 2B 3.4.20-3Revision 49 LCOThe LCO requires that SG tube in tegrity be maintained. The LCO also requires that all SG tubes that sati sfy the plugging criteria be plugged in accordance with the Steam Generator Program.During an SG inspection, any inspected tube that satisfies the Steam Generator Program pluggi ng criteria is removed from service by plugging.

If a tube was determined to sati sfy the plugging criteria but was not plugged the tube may still have tube integrity.

In the context of this Spec ification, a SG tube is de fined as the entire length of the tube, including the tube wall be tween the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesh eet weld at the tube outlet. The tube-to-tubesheet weld is not considered part of the tube.

A SG tube has tube integrity when it satisfies the SG performance criteria.

The SG performance criteria are defined in Specification5.5.8, "Steam Generator Program," and describe ac ceptable SG tube performance. The Steam Generator Program also pr ovides the evaluation process for determining conformance with the SG performance criteria.

There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAG E. Failure to meet any one of these criteria is considered failure to meet the LCO.

The structural integrity performance criterion provides a margin of safety against tube burst or collapse unde r normal and accide nt conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tu be burst is defined as, "The gross structural failure of the tube wall. The condition t ypically corresponds to an unstable opening displacemen t (e.g., opening area incr eased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation." Tube collapse is defined as, "For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero." The structural integrity performance criterion provides

guidance on assessing loads that have a significant effect on burst or collapse. In that context, the term "s ignificant" is defined as "An accident loading condition other than differential pressure is considered significant (continued)

North Anna Units 1 and 2B 3.4.20-4Revision 28SG Tube Integrity B 3.4.20BASESLCO(continued) when the addition of such loads in the assessment of the st ructural integrity performance criterion could cause a lower structural limit or limiting burst/collapse condition to be established." For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circ umferential degradation, th e classification of axial thermal loads as primary or second ary loads will be evaluated on a case-by-case basis. The divisi on between primary and secondary classifications will be based on detailed analysis and/or testing.Structural integrity requires that the primary membrane stress intensity in a tube not exceed the yield strength for all ASME Code, SectionIII, Service LevelA (normal operating conditions) and Service LevelB (upset or abnormal conditions) transients incl uded in the design specification. This includes safety factors and applicable design basis loads based on ASME Code, SectionIII, SubsectionNB (Ref.5) and Draft Regulatory Guide1.121 (Ref.6).

The accident induced leakage perf ormance criterion ensures that the primary to secondary LEAKAGE caused by a design basis accident, other than a SGTR, is within the accident analysis assumptions. The accident analysis assumes that accident induced leakage does not exceed 1gpm.

The accident induced leakage rate includes any primary to secondary LEAKAGE existing prior to the acci dent in addition to primary to secondary LEAKAGE induced during the accident.

The operational LEAKAGE performance cr iterion provides an observable indication of SG tube conditions during plant operation. The limit on operational LEAKAGE is contained in LCO3.4.13, "RCS Operational LEAKAGE," and limits primary to secondary LEAKAGE through any one SG to 150gallons per day. This limit is based on the assumption that a single crack leaking this amount woul d not propagate to a SGTR under the stress conditions of a LOCA or a main steam line break. If this amount of LEAKAGE is due to more than one cr ack, the cracks are very small, and the above assumption is conservative.APPLICABILITYSG tube integrity is challenged when the pressure differential across the tubes is large. Large differential pr essures across SG tubes can only be experienced in MODE1, 2, 3, or4.

(continued)

SG Tube Integrity B 3.4.20BASESNorth Anna Units 1 and 2B 3.4.20-5Revision 49APPLICABILITY (continued)

SG integrity limits are not provided in MODES 5 and6 since RCS conditions are far less challenging than in MODES5 and6 than during MODES1, 2, 3, and4. In MODES5 and6, primary to secondary differential pressure is low, resulting in lower st resses and reduced potential for LEAKAGE.ACTIONSThe ACTIONS are modified by a Note clarifying that separate Conditions entry is permitted for each SG tube. This is acceptable because the

Required Actions provide appropriate compensatory actions for each affected SG tube. Complying with the Required Actions may allow for

continued operation, and subsequent affected SG tubes are governed by subsequent Condition entry and appl ication of associated Required

Actions.A.1 andA.2ConditionA applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube plugging criteria but were not plugged in accordance with the Steam Generator Program as required by SR3.4.20.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG

performance criteria described in the Steam Generator Program. The SG plugging criteria define li mits on SG tube degradation that allow for flaw growth between inspections while st ill providing assurance that the SG performance criteria will c ontinue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must

be completed that demonstrates that the SG performan ce criteria will continue to be met until the next re fueling outage or SG tube inspection.

The tube integrity determ ination is based on the estimated condition of the tube at the time the situation is disc overed and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, ConditionB applies.A Completion Time of 7days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not have tube integrity.

If the evaluation determines that the affected tube(s) have tube integrity, Required ActionA.2 allows plant opera tion to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported (continued)

North Anna Units 1 and 2B 3.4.20-6Revision 49SG Tube Integrity B 3.4.20BASESACTIONSA.1 andA.2 (continued) by an operational assessment that reflects the affected tubes. However, the affected tube(s) must be plugged prior to entering MODE4 following the next refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.B.1 andB.2 If the Required Actions and associated Completion Times of ConditionA are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE3 within 6hours and MODE5 within 36hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the desired plant conditions from full power

conditions in an orderly manner a nd without challenging plant systems.SURVEILLANCE

REQUIREMENT

SSR3.4.20.1 During shutdown periods the SGs are in spected as required by this SR and the Steam Generator Program. NEI97-06, Steam Generator Program Guidelines (Ref.1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator

Program ensures that the inspection is appropriate and consistent with accepted industry practices.

During SG inspections a condition mon itoring assessment of the SG tubes is performed. The condition monitoring assessment determines the "as found" condition of the SG tubes. Th e purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for

the previous operating period.The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying

the tube plugging criteria. Inspection sc ope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and

potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation.

Inspection methods are a SG Tube Integrity B 3.4.20BASESNorth Anna Units 1 and 2B 3.4.20-7Revision 49SURVEILLANCE REQUIREMENT

SSR3.4.20.1 (continued)function of degradation morphology, non-destructive examination (NDE) technique capabilities, a nd inspection locations.The Steam Generator Program defines the Frequency of SR3.4.20.1. The Frequency is determined by the operati onal assessment and other limits in the SG examination guidelines (Ref.7). The Steam Generator Program

uses information on existing degradati ons and growth rates to determine an inspection Frequency that provides r easonable assurance that the tubing will meet the SG performa nce criteria at the next scheduled inspection. In addition, Specification5.5.8 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met betw een scheduled inspections. If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected SGs is re stricted by Specification 5.5.8 until subsequent inspections support ex tending the inspection interval.SR3.4.20.2During an SG inspection, any inspected tube that satisfies the Steam

Generator Program pluggi ng criteria is removed from service by plugging.

The tube plugging criteria delineated in Specification5.5.8 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In ad dition, the tube plugging criteria, in conjunction with other elements of the Steam Generator Program, ensure

that the SG performance criteria wi ll continue to be met until the next inspection of the subject tube(s). Reference1 provides guidance for performing operational assessments to ve rify that the tubes remaining in service will continue to meet the SG perfor mance criteria.The Frequency of prior to entering MODE4 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the plugging criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.

North Anna Units 1 and 2B 3.4.20-8Revision 49SG Tube Integrity B 3.4.20BASESREFERENCES1.NEI97-06, "Steam Ge nerator Program Guidelines."2.10CFR50 AppendixA, GDC19.3.10CFR50.67.

4.RG1.183, July2000.

5.ASME Boiler and Pressure Vessel Code, SectionIII, SubsectionNB.

6.Draft Regulatory Guide1.121, "Basis for Plugging Degraded Steam Generator Tubes," August1976.7.EPRI, "Pressurized Water Reactor Steam Generator Examination Guidelines."

North Anna Units 1 and 2B 3.5.1-1Revision 0Accumulators B 3.5.1B 3.5EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.1AccumulatorsBASESBACKGROUNDThe functions of th e ECCS accumulators are to supply water to the reactor vessel during the blowdown phase of a loss of coolant acci dent (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a

small break LOCA.The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot in ternals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient

ends when the RCS pressu re falls to a value approaching that of the containment atmosphere.In the refill phase of a large break LOCA, which immediately follows the blowdown phase, reactor coolant inve ntory has vacated the core through steam flashing and ejection out through the break. The co re is essentially in adiabatic heatup. The balance of accumulat or inventory is then available to help fill voids in the lower plenum and reactor vessel downcomer so as to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of safety injection (SI) water.The accumulators are pressure vessels partially filled with borated water and pressurized with nitrogen gas.

The accumulators are passive components, since no operator or cont rol actions are required in order for them to perform their function. Internal accumulator tank pressure is sufficient to discharge the accumula tor contents to the RCS, if RCS pressure decreases below the accumulator pressure.

Each accumulator is piped into an RCS cold leg via an accumulator line and is isolated from the RCS by a mo tor operated isolation valve and two check valves in series.The accumulator size, water volume, and nitrogen cover pressure are selected so that two of the three accumulators are sufficient to partially

cover the core before significant clad melting or zirconium water reaction can(continued)

North Anna Units 1 and 2B 3.5.1-2Revision 0Accumulators B 3.5.1BASESBACKGROUND (continued)occur following a large break LOCA

. The need to ensure that two accumulators are adequate for this function is consistent with the large break LOCA assumption that the entire contents of one accumulator will be lost via the RCS pipe break during the blowdown phase of the large

break LOCA.APPLICABLE SAFETY ANALYSESThe accumulators are assumed OPERABLE in both the large and small break LOCA analyses at full power (Ref.1). These are the Design Basis

Accidents (DBAs) that establis h the acceptance limits for the accumulators. Reference to the analyses for these DBAs is used to assess changes in the accumulators as they relate to the acceptance limits.In performing the LOCA calculations, conservative assumptions are made concerning the availability of ECCS flow. In the early stages of a large

break LOCA, with or without a loss of offsite power, the accumulators provide the sole source of makeup water to the RCS. The assumption of loss of offsite power is required by re gulations and conservatively imposes a delay wherein the ECCS pumps cannot deliver flow until the emergency

diesel generators start, come to rated speed, and energize their respective buses. In cold leg large break scenarios, the entire contents of one

accumulator are assumed to be lost through the break.The limiting large break LOCA is a double ended guillotine break at the discharge of the reactor coolant pump. During this event, the accumulators discharge to the RCS as soon as RCS pressure decreases to below

accumulator pressure.

As a conservative estimate, no credit is taken for ECCS pump flow until an effective delay has elapsed. This dela y accounts for the di esels starting and the pumps being loaded and delivering full flow. The delay time is conservatively set with an additional 2seconds to account for SI signal generation. During this time, the accumulators are analyzed as providing the sole source of emergency core c ooling. No operator action is assumed during the blowdown stage of a large break LOCA.The worst case small break LOCA an alyses also assume a time delay before pumped flow reaches the core. For the larger range of small breaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated solely by the accumulators, with pumped flow then providing continued cooling. As break size decr eases, the accumulators and High (continued)

Accumulators B 3.5.1BASESNorth Anna Units 1 and 2B 3.5.1-3Revision 48APPLICABLE SAFETY ANALYSES(continued)

Head Safety Injection (HHSI) pumps bo th play a part in terminating the rise in clad temperature. As break size continues to decrease, the role of the accumulators continues to decrease until they are not required and the

HHSI pumps become solely responsible for terminati ng the temperature increase.This LCO helps to ensure that the fo llowing acceptance criteria established for the ECCS by 10CFR50.46 (Ref.2) will be met following a LOCA:a.Maximum fuel element cladding temperature is 2200°F for small breaks, and there must be a high le vel of probability that the peak cladding temperature does not exceed 2200°F for large breaks;b.Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;c.Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinde rs surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; andd.Core is maintained in a coolable geometry.Since the accumulators discharge during the blowdown phase of a LBLOCA, they do not contribute to th e long term cooling requirements of 10CFR50.46.For the small break LOCA analysis, a nominal contained accumulator water volume is used while the larg e break LOCA analysis samples the accumulator water volume over a gi ven range. For small breaks, the accumulator water volume only affects the mass flow rate of water into the RCS since the tanks do not empty for most break sizes analyzed. The assumed water volume has an insignificant effect upon the peak clad temperature. For large breaks, an incr ease in water volume can be either a peak clad temperature penalty or benefit, depending on downcomer filling and subsequent spill through the br eak during the core reflooding portion of the transient. The safety analysis supports operation with a contained water volume of between 7580gallons and 7756gallons per accumulator.

(continued)

North Anna Units 1 and 2B 3.5.1-4Revision 48Accumulators B 3.5.1BASESAPPLICABLE SAFETY ANALYSES(continued)

The minimum boron concentration set point is used in the post LOCA boron concentration calculation. The cal culation is performed to assure reactor subcriticality in a post LOCA environment. Of particular interest is the large break LOCA, since no credit is taken for control rod assembly insertion.

A reduction in the accumulator mi nimum boron concentration would produce a subsequent reduction in the available containment sump

concentration for post LOCA shutdown and an increase in the maximum sump pH. The maximum boron concentration is used in determining the cold leg to hot leg recirculation injection switchover time and minimum sump pH.The small break LOCA peak clad temper ature analysis is performed at the minimum nitrogen cover pressure, since sensitivity analyses have demonstrated that higher nitrogen cover pressure results in a computed peak clad temperature benefit. The maximum nitrogen cover pressure limit prevents accumulator relief valve actuation, and ultimately preserves accumulator integrity. The large break LOCA analysis samples the

accumulator pressure over a given range.The effects on containment mass and energy releases from the accumulators are accounted for in the appropriate analyses (Ref.1). The large break LOCA containment analyses assume that the accumulator nitrogen is discharged into the containment, which affects transient

subatmospheric pressure.

The accumulators satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe LCO establishes the minimum c onditions required to ensure that the accumulators are available to accomplish their core cooling safety function following a LOCA. Three accumulators are required to ensure that 100% of the contents of two of the accumulators will reach the core during a large break LOCA. This is consistent with the assumpti on that the contents of one accumulator spill through the break. If less than two accumulators are injected during the blowdown phase of a large break LOCA, the ECCS acceptance criteria of 10CFR50.46 (Ref.2) could be violated.

(continued)

Accumulators B 3.5.1BASESNorth Anna Units 1 and 2B 3.5.1-5Revision 9 LCO(continued)For an accumulator to be considered OPERABLE, the isolation valve must be fully open, power removed when RCS pressure is 2000psig, and the limits established in th e SRs for contained volum e, boron concentration, and nitrogen cover pressure must be met.APPLICABILITYIn MODES1 and2, and in MODE3 with RCS pressure >1000psig, the accumulator OPERABILITY requir ements are based on full power operation. Although cooling requirements decrease as power decreases, the accumulators are still required to provi de core cooling as long as elevated RCS pressures and temperatures exist.

This LCO is only applicable at pressures >1000psig. At pressures 1000psig, the rate of RCS blowdown is such that the ECCS pumps can provide adequate injection to ensure that peak clad temperature remains below the 10CFR50.46 (Ref.2) limit of 2200F.In MODE3, with RCS pressure 1000psig, and in MODES4, 5, and6, the accumulator motor opera ted isolation valves are closed to isolate the accumulators from the RCS. This allows RCS cooldown and depressurization without discharging the accumulators into the RCS or

requiring depressurization of the accumulators.ACTIONSA.1 If the boron concentration of one accumulator is not within limits, it must be returned to within the limits within 72hours. In this Condition, ability to maintain subcriticality or minimu m boron precipitation time may be reduced. The boron in the accumulators contributes to the assumption that the combined ECCS water in the par tially recovered core during the early reflooding phase of a large break LOCA is sufficient to keep that portion of the core subcritical. One accumulator below the minimum boron concentration limit, however, will have no effect on available ECCS water and an insignificant effect on core subcriticality during reflood. Boiling of ECCS water in the core during reflood concentrates boron in the saturated liquid that remains in the core. In addition, the accumulators do not discharge following a large main steam line break. Thus, 72hours is

allowed to return the boron concentration to within limits.

North Anna Units 1 and 2B 3.5.1-6Revision 46Accumulators B 3.5.1BASESACTIONS(continued)

B.1If one accumulator is inoperabl e for a reason other than boron concentration, the accumulator must be returned to OPERABLE status within 1hour. In this Condition, the re quired contents of two accumulators cannot be assumed to reach the core during a large break LOCA. Due to the severity of the consequences should a large break LOCA occur in these conditions, the 1hour Completion Time to open the valve, remove power to the valve, or restore the proper wa ter volume or nitrogen cover pressure ensures that prompt action will be taken to return the inoperable accumulator to OPERABLE status. The Completion Time minimizes the

time the unit is exposed to a LOCA under these conditions.

C.1 and C.2 If the accumulator cannot be return ed to OPERABLE status within the associated Completion Time, the uni t must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE3 within 6hours and RCS pressure reduced to 1000psig within 12hours. The allowed Completion Times are reasonable, based on operating expe rience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1If more than one accumulator is inoperable, the unit is in a condition outside the accident analyses; therefore, LCO3.0.3 must be entered immediately.SURVEILLANCE

REQUIREMENT

SSR3.5.1.1Each accumulator isolation valve should be verified to be fully open. This

verification ensures that the accumulators are available for injection and ensures timely discovery if a valve should be less than fully open. If an isolation valve is not fully open, the ra te of injection to the RCS would be reduced. Although a motor operated valv e position should not change with power removed, a closed valve could result in not meeting accident analyses assumptions. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Accumulators B 3.5.1BASESNorth Anna Units 1 and 2B 3.5.1-7Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.5.1.2 and SR3.5.1.3 Borated water volume and nitrogen cove r pressure are verified for each accumulator. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.SR3.5.1.4 The boron concentration shoul d be verified to be wi thin required limits for each accumulator since the static de sign of the accumulators limits the ways in which the concentration can be changed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Sampling the affected accumulator within 6hours after a 50%

increase of indicated level will iden tify whether inleakage has caused a reduction in boron concentration to be low the required limit. It is not necessary to verify boron concentration if the added water inventory is from the refueling water storage tank (RWST), because th e water contained in the RWST is within the accumulator boron concentration requirements.

This is consistent with the recommendation of NUREG-1366 (Ref.3).Although the run of piping between the two accumulator discharge check

valves is credited in demonstrating compliance with Technical Specification3.5.1 minimum accumul ator volume requirement, the minimum boron concentration requirement does not apply to this run of piping. Applicable ac cident analyses have explic itly considered in-leakage from the RCS, and the resulting reduction in boron concentration in this

run of piping, which is not sampled.SR3.5.1.5Verification that power is removed from each accumulator isolation valve operator when the RCS pressure is 2000 psig ensures that an active failure could not result in the clos ure of an accumulator motor operated isolation valve. If this were to occur, only one accumulator would be available for injection given a single failure (continued)

North Anna Units 1 and 2B 3.5.1-8Revision 46Accumulators B 3.5.1BASESSURVEILLANCE REQUIREMENT

SSR3.5.1.5 (continued) coincident with a LOCA. The Surveillance Frequency is based on

operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR allows power to be supplied to the motor operated isolation valves when RCS pressure is <2000psig, t hus allowing operational flexibility by avoiding unnecessary delays to ma nipulate the breakers during unit startups or shutdowns.REFERENCES1. UFSAR, Chapter6 and Chapter15.2. 10CFR50.46.3. NUREG-1366, February1990.

North Anna Units 1 and 2B 3.5.2-1Revision 0 ECCS-Operating B 3.5.2B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.2ECCS-OperatingBASESBACKGROUNDThe function of the ECCS is to provide core co oling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:a.Loss of coolant accident (LOCA),

coolant leakage greater than the capability of the normal charging system;b.Rupture of a control rod drive mechanism-control rod assembly ejection accident;c.Loss of secondary coolant acci dent, including uncontrolled steam release or loss of feedwater; andd.Steam generator tube rupture (SGTR).

The addition of negative reactivity is designed primarily for the MSLB where primary cooldown could add enough positive reactivity to achieve criticality and return to significant power.

There are three phases of ECCS operati on: injection, cold leg recirculation, and hot leg recirculation. In the inj ection phase, water is taken from the refueling water storage tank (RWST) and injected into the Reactor Coolant System (RCS) through the cold legs. When sufficient water is removed from the RWST to ensure that enough boron has been added to maintain the reactor subcritical and the cont ainment sumps have enough water to supply the required net positive suction head to the ECCS pumps, suction is switched to the containment sump for cold leg recirculation. Within approximately 5hours, the ECCS flow is shifted to the hot leg recirculation phase to provide a backflush, which would reduce the boiling in the top of the core and any resulting boron precipitation.

The ECCS consists of two separate subsystems: High Head Safety Injection (HHSI) and Low Head Safety Injection (LHSI)

. Each subsystem consists of two redundant, 100% capacity trains.

The ECCS accumulators and the RWST are also part of the ECCS, but are not considered part of an ECCS flow path as described by this LCO.

(continued)

North Anna Units 1 and 2B 3.5.2-2Revision 0 ECCS-Operating B 3.5.2BASESBACKGROUND (continued)

The ECCS flow paths cons ist of piping, valves, and pumps such that water from the RWST can be injected in to the RCS following the accidents described in this LCO. The major components of each subsystem are the HHSI pumps and the LHSI pumps. Each of the two subsystems consists of two 100% capacity trains that are in terconnected and redundant such that either train is capable of supplying 100%

of the flow required to mitigate the accident consequences. This in terconnecting and redundant subsystem design provides the operators with the ability to utilize components from opposite trains to achieve the re quired 100% flow to the core.

During the injection phase of LOCA recovery, a suction header supplies water from the RWST to the ECCS pumps. Water from the supply header enters the LHSI pumps through para llel, normally open, motor operated valves. Water to the HHSI pumps is supplied via parallel motor operated valves to ensure that at least one valve opens on receipt of a safety injection actuation signal. The supply header th en branches to the three HHSI pumps through normally open, motor operated valves. The discharge from the HHSI pumps combines prior to ente ring the boron injection tank (BIT) and then divides again into three supply lines, each of which feeds the injection line to one RCS cold leg. The discharge from the LHSI pumps combine

and then divide into thre e supply lines, each of which feeds the injection line to one RCS cold leg. Control valves in the HHSI lines are set to balance the flow to the RCS. This balance ensures sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs and preclude pump runout.

For LOCAs that are too small to depressurize the RCS below the shutoff head of the LHSI pumps, the HHSI pumps supply water until the RCS pressure decreases below the LHSI pump shutoff head. During this period, the steam generators are used to provide part of the core cooling function.

During the recirculation phase of LOCA recovery, LHSI pump suction is transferred to the containment sum

p. The LHSI pumps then supply the HHSI pumps. Initially, recirculation is through the same paths as the injection phase. Subsequently, recirculation altern ates injection between the hot and cold legs.

(continued)

ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-3Revision 0BACKGROUND (continued)

The HHSI subsystem of the ECCS also functions to supply borated water to the reactor core following increase d heat removal events, such as an MSLB. The limiting design conditions occur when th e negative moderator temperature coefficient is highly negati ve, such as at the end of each cycle.

HHSI pumps A and B are capable of being automatically started and are powered from separate emergenc y buses. HHSI pump C can only be manually started, but can be powered from either of the emergency buses that HHSI pumps A and B are powered from. An interlock prevents HHSI pump C from being powered from both emergency buses simultaneously.

For HHSI pump C to be OPERABLE, it must be running since it does not start automatically. In the event of a Sa fety Injection signal coincident with a loss of offsite power, interlocks pr event automatic opera tion of two HHSI pumps on the same emergency bus to prevent overloading the emergency diesel generators. HHSI pump C is nor mally either running, or available but not running. HHSI pump C is normally running if either HHSI pumpA or B is inoperable or both are otherwise preferred to not be in operation.

HHSI pump C is normally available but not running when either HHSI pump A or B is running.

The ECCS subsystems are actuated upon receipt of an SI signal. The actuation of safeguard loads is accomplished in a programmed time sequence. If offsite power is available, the safeguard loads start

immediately in the programmed sequence. If offsite power is not available, the Engineered Safety Feature (ESF

) buses shed normal operating loads and are connected to the emergency di esel generators (EDGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting an d pump starting determines the time required before pumped flow is availa ble to the core following a LOCA.

The active ECCS components, along with the passive accumulators and the RWST covered in LCO3.5.1, "Accumulators," and LCO3.5.4, "Refueling Water Storage Tank (RWST)," provide th e cooling water necessary to meet Reference1.

North Anna Units 1 and 2B 3.5.2-4Revision 13 ECCS-Operating B 3.5.2BASESAPPLICABLE SAFETY ANALYSESThe LCO helps to ensure that the fo llowing acceptance criteria for the ECCS, established by 10CFR50.46 (Ref.2), will be met following a LOCA:a.Maximum fuel element cladding temperature is 2200°F for small breaks, and there must be a high le vel of probability that the peak cladding temperature does not exceed 2200°F for large breaks;b.Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;c.Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding th e fuel, excluding the cladding surrounding the plenum volume, were to react;d.Core is maintained in a coolable geometry; ande.Adequate long term core cool ing capability is maintained.The LCO also limits the magnitude of post trip return to power following an MSLB event and ensures that containment temperature limits are met.

Each ECCS subsystem is taken credit for in a large break LOCA event at full power (Refs.3 and4). This ev ent establishes the maximum flow requirement for the ECCS pumps. The HHSI pumps are credited in a small break LOCA event. This event relies upon the flow and discharge head of

the HHSI pumps. The SGTR and MSLB events also credit the HHSI

pumps. The OPERABILITY requirements for the ECCS are based on the

following LOCA analysis assumptions:a.A large break LOCA event, with loss of offsite power and a single failure disabling one LHSI pump (

both EDG trains are assumed to operate due to requirements for modeling full active containment heat removal system operation); andb.A small break LOCA event, with a loss of offsite power and a single failure disabling one Emergency Diesel Generator.

(continued)

ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-5Revision 9APPLICABLE SAFETY ANALYSES(continued)During the blowdown stage of a large break LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large

breaks or control rod insertio n for small breaks. Following depressurization, emergency cooling water is injected into the cold legs, flows into the downcomer, fills the lower plenum, and refloods the core.The effects on containment mass and energy releases are accounted for in appropriate analysis (Ref.3). The LCO ensures that an ECCS train will deliver sufficient water to match boiloff rates soon enough to minimize the consequences of the core being uncovered following a large LOCA. It also ensures that the HHSI pumps will deliver sufficient wa ter and boron during a small LOCA to maintain core subcriticality. For smaller LOCAs, the HHSI pump delivers sufficient fluid to maintain RCS inventory. For a small break LOCA, the steam generators continue to serve as the heat sink, providing part of the required core cooling.

The ECCS trains satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOIn MODES1, 2, and3, two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is availabl e, assuming a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.In MODES1, 2, and3, an ECCS train consists of an HHSI subsystem and a LHSI subsystem. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon an SI signal and automati cally transferring suction to the containment sump.

During an event requiring ECCS actuat ion, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the three cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to supply its flow to the RCS hot and cold legs.

(continued)

North Anna Units 1 and 2B 3.5.2-6Revision 12 ECCS-Operating B 3.5.2BASESLCO(continued)The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.As indicated in the Note, the SI flow paths may be isolated for 2hours in MODE3, under controlled conditions, to perform pressure isolation valve testing per SR3.4.14.1. The flow path is r eadily restorable from the control room.APPLICABILITYIn MODES1, 2, and3, the ECCS OPERABILITY requirements for the limiting Design Basis Accident, a large break LOCA, are based on full power operation. Although reduced power would not require the same level of performance, the accident an alysis does not provide for reduced cooling requirements in the lower MODES. MODE2 and MODE3 requirements are bounded by the MODE1 analysis.This LCO is only applicable in MODE3 and above. Below MODE3, the

SI signal setpoint has already been manually bypa ssed by operator control, and system functional requirements ar e relaxed as described in LCO3.5.3, "ECCS-Shutdown."In MODES5 and6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE5 are addressed by LCO3.4.7, "RCS Loops-MODE5, Loops Filled," and LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled." MODE6 core cooling requirements are addressed by LCO3.9.5, "Residual Heat Re moval (RHR) and Coolant Circulation-High Water Level," and LCO3.9.6, "Residual Heat Removal

(RHR) and Coolant Circulation-Low Water Level."ACTIONSA.1With one or more trains inoperable and at least 100% of the ECCS flow

equivalent to a single OPERABLE ECCS train available, the inoperable components must be returned to OPERABLE status within 72hours. The 72hour Completion Time is based on an NRC reliability evaluation (Ref.5) and is a reasona ble time for repair of many ECCS components.

A note has been added to this Action's Completion Time to permit a one-time extension of the Completion Time to 7days to effect repairs on the Unit1 "A" LHSI train.

(continued)

ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-7Revision 9ACTIONSA.1 (continued)

An ECCS train is inoperable if it is not capable of deliveri ng design flow to the RCS. Individual components are inoperable if they are not capable of performing their design function or supporting systems are not available.

The LCO requires the OPERABILIT Y of a number of independent subsystems. Due to the redundancy of trains and the diversity of

subsystems, the inoperabil ity of one active compone nt in a train does not render the ECCS incapable of perfor ming its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of f unction for the ECCS (e.g., an inoperable HHSI pump in one train, and an inoperable LHSI pump in the other). This

allows increased flexibility in uni t operations under circumstances when components in opposite tr ains are inoperable.An event accompanied by a loss of offs ite power and the failure of an EDG can disable one ECCS train until power is restored. A relia bility analysis (Ref.5) has shown that the impact of having one full ECCS train inoperable is sufficiently small to justify continued operation for 72hours.

B.1 and B.2 If the inoperable trains cannot be retu rned to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE3 within 6hours and MODE4 within 12hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power c onditions in an orderly manner and without challenging unit systems.

C.1ConditionA is applicable with one or more trains inopera ble. The allowed Completion Time is based on the assu mption that at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is available. With less than 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available, the facility is in a condition outside of the accident analyses. Therefore, LCO3.0.3 must be entered immediately.

North Anna Units 1 and 2B 3.5.2-8Revision 46 ECCS-Operating B 3.5.2BASESSURVEILLANCE REQUIREMENT

SSR3.5.2.1Verification of proper va lve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves

could render both ECCS trains inoperable. Securing these valves in

position by removal of power or by ke y locking the control in the correct position ensures that they cannot change position as a result of an active

failure or be inadvertentl y misaligned. These valves ar e of the type that can disable the function of both ECCS tr ains and invalidate the accident

analyses. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.2Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provi des assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were

verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signa l is allowed to be in a nonaccident position provided the valve will automa tically reposition within the proper stroke time. This Surveillance doe s not require any testing or valve manipulation. Rather, it involves verifi cation that those va lves capable of being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.3With the exception of the operating charging pump, the ECCS pumps are normally in a standby nonope rating mode. As such, so me flow path piping has the potential to develop pockets of entrained gases. Plant operating experience and analysis has shown that after proper system filling (following maintenance or refuel ing outages), some entrained noncondensable gases remai

n. These gases will form small voids, which remain stable in the system in both normal and tran sient operation. Mechanisms postulated to increase the (continued)

ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-9Revision 46SURVEILLANCE REQUIREMENT

SSR3.5.2.3 (continued) void size are gradual in nature, and th e system is operated in accordance with procedures to preclude growth in these voids.To provide additional assurances that the system will function, a verification is performed that the system is sufficiently full of water. The system is sufficiently full of water when the voids and pockets of entrained gases in the ECCS piping are small e nough in size and number so as to not interfere with the proper operation of the ECCS. Verificati on that the ECCS piping is sufficiently full of wa ter can be performed by venting the

necessary high point ECCS vents outsi de containment, using NDE, or using other Engineering-justified means. Maintaining the piping from the ECCS pumps to the RCS sufficiently full of water ensures that the system will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent water hammer, pump cavitation, and pumping of excess noncondensable gas (e.g., air, nitrogen, or hydrogen)

into the reactor vessel following an SI signal or during shutdown cooling.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.4 Periodic surveillance testing of E CCS pumps is required by the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This

testing is performed at low flow conditions during quarterly tests and near

design flow conditions at least once every 24months, as required by the Code. The quarterly test will detect gross degradation caused by impeller

structural damage or other hydrauli c component problems, but is not a good indicator of expected pump perf ormance at high flow conditions. Both tests verify that the measured performance is within an acceptable tolerance of the original pump baseline performance. Additionally, the 24-month comprehensive test verifies that the test flow is greater than or equal to the performance assumed in th e safety analysis. Due to limitations in system design, the 24-m onth test is performed during refueling outages.

SRs are specified in the Inservice Testing Program, (continued)

North Anna Units 1 and 2B 3.5.2-10 Revision 46 ECCS-Operating B 3.5.2BASESSURVEILLANCE REQUIREMENT

SSR3.5.2.4 (continued) which encompasses the ASME Code. The ASME Code provides the activities and Frequencies necessary to satisfy the requirements.SR3.5.2.5 and SR3.5.2.6These Surveillances demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SI signal and that each ECCS pump capable of starting automatically starts on recei pt of an actual or simulated SI signal. Th is Surveillance is not requi red for valves that are locked, sealed, or otherwise secu red in the required position under administrative controls. The Survei llance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.7 Proper throttle valve position is ne cessary for proper ECCS performance and to prevent pump runout and s ubsequent component damage. The Surveillance verifies each listed ECCS throttle valve is secured in the

correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.5.2.8 Periodic inspections of the containmen t sump components ensure that they are unrestricted and stay in prope r operating condition. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

ECCS-Operating B 3.5.2BASESNorth Anna Units 1 and 2B 3.5.2-11Revision 0REFERENCES1.UFSAR, Section3.1.31.2.10CFR50.46.3.UFSAR, Section15.4.1.

4.UFSAR, Section6.2 and Chapter15.

5.NRC Memorandum to V.Stello,Jr., from R.L.Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December1,1975.

Intentionally Blank North Anna Units 1 and 2B 3.5.3-1Revision 0 ECCS-Shutdown B 3.5.3B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.3ECCS-ShutdownBASESBACKGROUNDThe Background section for Bases3.5.2, "ECCS-Operating," is applicable to these Bases, wi th the following modifications.In MODE4, the required ECCS train cons ists of two separate subsystems:

High Head Safety Injection (HHSI) and Low Head Safety Injection (LHSI).The ECCS flow paths consist of piping, valves and pumps such that water from the refueling water storage tank (RWST) can be injected into the Reactor Coolant System (RCS) foll owing the accidents described in Bases3.5.2.APPLICABLE SAFETY ANALYSESThe Applicable Safety Analyses section of Bases3.5.2 also applies to this

Bases section.

Due to the stable conditions associated with operation in MODE4 and the reduced probability of occurrence of a Design Basis Accident (DBA), the ECCS operational requirements are reduced. It is understood in these reductions that certain automatic safety injection (S I) actuation is not available. In this MODE, sufficient ti me exists for manual actuation of the required ECCS to mitigate the consequences of a DBA. The safety analysis assumes that flow from one HHSI pump is manually initiated 10minutes after the DBA.

Only one train of ECCS is required for MODE4. This requirement dictates that single failures are not consid ered during this MODE of operation.

The ECCS trains satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOIn MODE4, one of the two independe nt (and redundant) ECCS trains is required to be OPERABLE to ensure that sufficient ECCS flow is available to the core following a DBA.

In MODE4, an ECCS train consists of an HHSI subsystem and an LHSI subsystem. Each train includes the pi ping, instruments, and controls to ensure an OPERABLE flow path capable of (continued)

North Anna Units 1 and 2B 3.5.3-2Revision 0 ECCS-Shutdown B 3.5.3BASESLCO(continued)taking suction from the RWST and tran sferring suction to the containment sump.During an event requiring ECCS actuat ion, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the three cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment su mp and to deliver its flow to the RCS hot or cold legs.APPLICABILITYIn MODES1, 2, and3, the OPERABILITY requirements for ECCS are covered by LCO3.5.2.In MODE4 with RCS temperature below 350F, one OPERABLE ECCS train is acceptable without single fail ure consideration, on the basis of the stable reactivity of the reactor and the limited core cooling requirements.In MODES5 and6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE5 are addressed by LCO3.4.7, "RCS Loops-MODE5, Loops Filled," and LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled." MODE6 core cooling requirements are addressed by LCO3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO3.9.6, "Res idual Heat Removal (RHR) and Coolant Circulation-Low Water Level."ACTIONSA.1With no ECCS train OPERABLE, due to the inoperability of the ECCS

flow path, the unit is not prepared to respond to Design Basis Events requiring SI. The 1hour Completion Time to restore at least one ECCS train to OPERABLE status ensures that prompt action is taken to provide the required cooling capacity or to initiate actions to place the unit in MODE5, where an ECCS train is not required.

B.1When the Required Actions of ConditionA cannot be completed within the required Completion Time, the unit should be placed in MODE5. Twenty-four hours is a reasonable time, based on operating experience, to reach MODE5 in an orderly manner and without challenging unit systems or operators.

ECCS-Shutdown B 3.5.3BASESNorth Anna Units 1 and 2B 3.5.3-3Revision 0SURVEILLANCE REQUIREMENT

SSR3.5.3.1The applicable Surveillance descriptions from Bases3.5.2 apply.REFERENCESThe applicable references from Bases3.5.2 apply.

Intentionally Blank North Anna Units 1 and 2B 3.5.4-1Revision 0RWSTB 3.5.4B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.4Refueling Water Storage Tank (RWST)BASESBACKGROUNDThe RWST supplies borated water to the Chemical and Volume Control System (CVCS) during abnormal opera ting conditions, to the refueling pool during refueling, and to the ECCS and the Quench Spray System during accident conditions.The RWST supplies water to the ECCS pumps through a common supply header. Water from the supply header en ters the low head safety injection (LHSI) pumps through parallel, norm ally open, motor operated valves. Water to the High Head Safety Inj ection (HHSI) pumps is supplied via parallel motor operated valves to ensure that at least one opens on receipt of a safety injection actuation signal. The supply header then branches to the three HHSI pumps. The RWST supplies water to the Quench Spray

pumps via separate, redundant lines. A motor operated isolation valve is provided in each header to isolate the RWST from the ECCS once the system has been transferred to the recirculation mode.

The recirculation mode is entered when pump suction is transferred to the containment sump either manually or automatically following receipt of the RWST-Low Low level signal. Use of a single RWST to supply both trains of the ECCS and Quench Spray System is acceptable since the RWST is a passive component used for a short period of time following an accident, and

passive failures are not re quired to be assumed to occur during the time the RWST is needed follow ing Design Basis Events.

The switchover from normal operation to the injection phase of ECCS operation requires changing HHSI pump suction from the CVCS volume control tank (VCT) to the RWST through the use of isolation valves.

During normal operation, the LHSI pumps are aligned to take suction from the RWST.

The ECCS pumps are provided with r ecirculation lines that ensure each pump can maintain minimum flow requi rements when operating at or near shutoff head conditions.

(continued)

North Anna Units 1 and 2B 3.5.4-2Revision 0RWSTB 3.5.4BASESBACKGROUND (continued)

When the suction for the ECCS pumps is transferred to the containment sump, the recirculation lines are isol ated to prevent a release of the containment sump contents to the RWST

, which could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ECCS pumps.

This LCO ensures that:

a.The RWST contains sufficient borated water to support the ECCS during the injection phase and Quench Spray System;b.Sufficient water volume exists in the containment sumpto support continued operation of the ECCS and Recirculation Spray System pumps following transfer to the reci rculation mode of cooling; andc.The reactor remains subcritical following a loss of coolant accident (LOCA).Insufficient water volume in the RWST could result in insufficient cooling capacity when the transfer to the recirculation mode occurs. Improper boron concentrations could result in a reduction of SDM or excessive boric acid precipitation in the core following the LOCA, as well as excessive caustic stress corrosion of mechanic al components and systems inside the containment.APPLICABLE SAFETY ANALYSESDuring accident conditions, the RWST provides a source of borated water to the ECCS and Quench Spray System pumps. As such, it provides

containment cooling and depressurizat ion, core cooling, and replacement inventory to the RCS and is a source of negative reactivity for reactor shutdown (Ref.1). The design basis transients and applicable safety analyses concerning each of these systems are discussed in the Applicable Safety Analyses section of B3.5.2, "ECCS-Operating"; B3.5.3, "ECCS-Shutdown"; and B3.6.6, "Que nch Spray System." These analyses are used to assess changes to the RWST in order to evaluate their effects in relation to the acceptance limits in the analyses.The RWST must also meet volume, boron concentration, and temperature requirements for certain non-LOCA even ts. The volume is not an explicit assumption in non-LOCA events since the required volume is a small fraction of the (continued)

RWSTB 3.5.4BASESNorth Anna Units 1 and 2B 3.5.4-3Revision 10APPLICABLE SAFETY ANALYSES(continued) available volume. The deliverable volume limit is assumed by the Large Break LOCA containment analyses. For the RWST, the deliverable volume is different from the total volume c ontained. Because of the design of the tank, more water can be contained than can be delivered. The upper RWST volume limit is assumed for pH c ontrol after a LBLOCA. The minimum

boron concentration is an explicit as sumption in the main steam line break (MSLB) analysis to ensure the required shutdown capability. The importance of its value is small because of the boron injection tank (BIT)

with a high boron concentration. The maximum boron concentration is an explicit assumption in the inadvertent ECCS actuation anal ysis, although it is typically a nonlimiting ev ent and the results are ve ry insensitive to boron concentrations. The maximum RWST temperature ensures that the amount of containment cooling provided from the RWST during containment

pressurization events is consistent wi th safety analysis assumptions. The minimum RWST temperature is an assumption in the inadvertent Quench

Spray actuation analyses.For a large break LOCA analysis, the minimum water volume limit of 466,200gallons and the lower boron concentration limit of 2600ppm are used to compute the post LOCA sump boron concentration necessary to assure subcriticality. The large break LOCA is the limiting case since the safety analysis assumes that all control rods are out of the core.

The upper limit on boron concentration of 2800ppm is used to determine the maximum allowable time to switch to hot leg recirculation following a LOCA. The purpose of switching from cold leg to hot leg injection is to avoid boron precipitation in the core following the accident.

In the ECCS analysis, the quench spray temperature is bounded by the RWST lower temperature limit of 40F. If the lower temperature limit is violated, the quench spray further re duces containment pressure, which decreases the rate at which steam can be vented out the break and increases peak clad temperature. The upper temperature limit of 50F is bounded by the values used in the small break LOCA analysis and containment OPERABILITY analysis. Exceeding this temperature will result in a higher peak clad temperature, because there is less heat transfer from the core to the injected water for the small break LOCA and higher containment pressures due to reduced quench spray cooling capacity. For

the containment response following an MSLB, (continued)

North Anna Units 1 and 2B 3.5.4-4Revision 10RWSTB 3.5.4BASESAPPLICABLE SAFETY ANALYSES(continued) the lower limit on boron concentration and the upper limit on RWST water temperature are used to maximize the total energy release to containment.The RWST satisfies Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe RWST ensures that an adequate supply of borated wate r is available to cool and depressurize the containmen t in the event of a Design Basis Accident (DBA), to cool and cover th e core in the event of a LOCA, to maintain the reactor subcritical follow ing a DBA, and to ensure adequate level in the containment sump to support ECCS and Recirculation Spray

System pump operation in the recirculation mode.To be considered OPERABLE, the RWST must meet the water volume, boron concentration, and temperature limits established in the SRs.APPLICABILITYIn MODES1, 2, 3, and4, RWST OPERABILITY requirements are dictated by ECCS and Quench Spray System OPERABILITY requirements. Since both the ECCS and the Quench Spray System must be OPERABLE in MODES1, 2, 3, and4, the RWST must also be

OPERABLE to support their operation. Core cooling requirements in MODE5 are addressed by LCO3.4.7, "RCS Loops-MODE5, Loops Filled," and LCO3.4.8, "RCS Loops-MODE5, Loops Not Filled."

MODE6 core cooling requirements are addressed by LCO3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO3.9.6, "Residual Heat Re moval (RHR) and Coolant Circulation-Low Water Level."ACTIONSA.1With RWST boron concentration or bor ated water temperature not within limits, they must be returned to within limits within 8hours. Under these conditions neither the ECCS nor the Qu ench Spray System can perform its design function. Therefore, prompt action must be ta ken to restore the tank to OPERABLE condition. The 8hour limit to restore the RWST temperature or boron concentration to within limits was developed considering the time required to change either the boron concentration or

temperature and the fact that the contents of the tank are still available for injection.

RWSTB 3.5.4BASESNorth Anna Units 1 and 2B 3.5.4-5Revision 46ACTIONS(continued)

B.1With the RWST inoperable for reasons other than ConditionA (e.g., water volume), it must be restored to OPERABLE status within 1hour.

In this Condition, neither the ECCS nor the Quench Spray System can perform its design function. Therefore, prompt action must be taken to restore the tank to OPERABLE status or to place the unit in a MODE in which the RWST is not required. The short time limit of 1hour to restore the RWST to OPERABLE status is ba sed on this condition simultaneously affecting redundant trains.

C.1 and C.2If the RWST cannot be returned to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.5.4.1The RWST borated water temperature should be verified to be within the

limits assumed in the accident anal yses band. The Surv eillance Frequency is based on operating experience, equipment reliability, and plant risk and

is controlled under the Surveill ance Frequency Control Program.SR3.5.4.2The RWST water volume should be ve rified to be above the required minimum level in order to ensure that a sufficient initial supply is available for injection and to support conti nued ECCS and Recirculation Spray System pump operation on recirculati on. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.

North Anna Units 1 and 2B 3.5.4-6Revision 46RWSTB 3.5.4BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.5.4.3The boron concentration of the RWST should be verified to be within the required limits. This SR ensures that the reactor will remain subcritical following a LOCA. Further, it assures that the resulting sump pH will be maintained in an acceptable range so that boron precipitation in the core will not occur and the effect of ch loride and caustic stress corrosion on mechanical systems and components wi ll be minimized. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6 and Chapter15.

North Anna Units 1 and 2B 3.5.5-1Revision 0 Seal Injection Flow B 3.5.5B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.5Seal Injection FlowBASESBACKGROUNDThe function of the seal injection throttle valv es during an accident is similar to the function of the ECCS throttle valves in that each restricts flow from the High Head Safety In jection (HHSI) pum p header to the Reactor Coolant System (RCS).

The restriction on reactor coolant pump (RCP) seal injection flow limits the amount of ECCS flow that would be diverted from the injection path following an accident and precludes HHSI pump runout due to excessive seal injection flow. This limit is based on safety analysis assumptions that are required because RCP seal injection flow is not isolated during safety injection (SI).APPLICABLE SAFETY ANALYSESAll ECCS subsystems are assumed to be OPERABLE in the large break loss of coolant accident (LOCA) at full power (Ref.1). The LOCA analysis establishes the minimum flow for the HHSI pumps. The HHSI pumps are also credited in the small break LOCA analysis. This analysis establishes the flow and discharge head requireme nts at the design point for the HHSI pumps. The steam generator tube ruptur e and main steam line break event analyses also credit the HHSI pumps, but are not limiting in their design.

Reference to these analyses is made in assessing changes to the Seal Injection System for evaluation of their effects in relation to the acceptance limits in these analyses.This LCO ensures that seal injection flow of 30gpm, with RCS pressure 2215psig and 2255psig and seal injection (air operated) hand control valve full open, will be limited in such a manner that the ECCS trains will be capable of delivering sufficient wa ter to provide adequate core cooling following a large LOCA, and protec t against HHSI pump runout. The analysis conservatively neglects the contribution from seal injection to the

RCS. This conservatism bounds the minor effect of instrument uncertainty, so instrument uncertainties have not been included in the derivation of the flow (30 gpm) and RCS pressure (2215psig and 2255psig) setpoints.

The flow limit also ensures that the HHSI pumps will deliver (continued)

North Anna Units 1 and 2B 3.5.5-2Revision 0 Seal Injection Flow B 3.5.5BASESAPPLICABLE SAFETY ANALYSES(continued)sufficient water for a small LOCA and sufficient boron to maintain the core subcritical. For smaller LOCAs, the HHSI pumps alone deliver sufficient fluid to overcome the loss and maintain RCS inventory.

Seal injection flow satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThe intent of the LCO li mit on seal injection flow is to make sure that flow through the RCP seal water injection line is low enough to ensure that sufficient HHSI pump injection flow is directed to the RCS via the injection points and to prevent pump runout.The LCO is not strictly a flow limit, but rather a flow lim it based on a flow line resistance. In order to establis h the proper flow line resistance, a pressure and flow must be known. The flow line resistance is determined by assuming that the RCS pressure is at normal operating pressure as specified in this LCO. The HHSI pump discharge header pressure remains essentially constant through all the applicable MODES of this LCO. A

reduction in RCS pressure would result in more flow being diverted to the RCP seal injection line than at normal operating pressure. The valve settings established at the prescribed RCS pressure result in a conservative valve position should RCS pressure decr ease. The additional modifier of this LCO, the seal injection (air op erated) hand control valve being full open, is required since the valve is designed to fail open for the accident condition. With the discharge pressure and control valve position as

specified by the LCO, a flow path resistance limit is established. It is this resistance limit that is used in the accident analyses.The limit on seal injection flow, combined with the RCS pressure limit and an open wide condition of the seal injection hand control valve, must be met to render the ECCS OPERABLE. If these conditions are not met, the ECCS flow to the core could be less than that assumed in the accident analyses.APPLICABILITYIn MODES1, 2, and3, the seal injection flow limit is dictated by ECCS flow requirements, which are specified for MODES1, 2, 3, and4. The seal

injection flow limit is not applicable for MODE4 and lower, however, because high seal (continued)

Seal Injection Flow B 3.5.5BASESNorth Anna Units 1 and 2B 3.5.5-3Revision 46APPLICABILITY (continued) injection flow is less critical as a result of the lower initial RCS pressure and decay heat removal requirements in these MODES. Therefore, RCP

seal injection flow must be limited in MODES1, 2, and3 to ensure adequate ECCS performance.ACTIONSA.1With the seal injection flow exceeding its limit, the amount of charging flow available to the RCS may be reduced or, following a LOCA, pump runout could occur. Under this Conditi on, action must be taken to restore the flow to below its limit. The operator has 4hours from th e time the flow is known to be above the limit to co rrectly position the manual valves and thus be in compliance with the accident analysis. The Completion Time minimizes the potential exposure of the unit to a LOCA with insufficient

injection flow and provides a reasonable time to rest ore seal injection flow within limits. This time is conservative with respect to the Completion Times of other ECCS LCOs; it is based on operating experience and is sufficient for taking corrective actions by operations personnel.

B.1 and B.2When the Required Actions cannot be completed within the required Completion Time, a controlled shutdown must be initiated. The Completion Time of 6hours for reaching MODE3 from MODE1 is a reasonable time for a controlled shutdown, based on operating experience

and normal cooldown rates, and does no t challenge unit safety systems or operators. Continuing the unit shutdown begun in Required ActionB.1, an additional 6hours is a reasonable time, based on operating experience and normal cooldown rates, to reach MODE4, where this LCO is no longer applicable.SURVEILLANCE

REQUIREMENT

SSR3.5.5.1Verification that the manual seal inject ion throttle valves are adjusted to give a flow within the limit ensure s that proper manual seal injection throttle valve position, and hence, proper seal injection flow, is maintained.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

North Anna Units 1 and 2B 3.5.5-4Revision 46 Seal Injection Flow B 3.5.5BASESSURVEILLANCE REQUIREMENT

SSR3.5.5.1 (continued)As noted, the Surveillance is not required to be performed until 4hours after the RCS pressure has stabilized within a +/-20psi range of normal

operating pressure. The RCS pressure re quirement is specified since this configuration will produce the require d pressure conditions necessary to assure that the manual valves are set correctly. The exception is limited to 4hours to ensure that the Surveillance is timely.REFERENCES1.UFSAR, Chapter6 and Chapter15.

North Anna Units 1 and 2B 3.5.6-1Revision 0 BITB 3.5.6B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.6Boron Injection Tank (BIT)BASESBACKGROUNDThe BIT is the primary means of quickly introducing negative reactivity into the Reactor Coolant System (RCS

) on a safety injection (SI) signal.

The main flow path through the Boron Injection Tank is from the discharge of the High Head Safety Injecti on (HHSI) pumps through lines equipped with a flow element and two valves in parallel that open on an SI signal. The valves can be operated from th e main control board. The valves and flow elements have main control boa rd indications. Downstream of these valves, the flow enters the BIT (Ref.1).The BIT is a stainless steel clad ta nk containing concentrated boric acid. Two trains of strip heaters are mounted on the tank to keep the temperature of the boric acid solution above the precipitation point. The strip heaters are controlled by temperature elements located near the bottom of the BIT. The temperature elements also activate High and Low temperature alarms in the Control Room. In addition to the strip heaters on the BIT, there is a recirculation system wi th a heat tracing system, including the piping section between the motor operated isolation valves

, which further ensures that the boric acid stays in solution.

The entire contents of the BIT are injected when required; thus, the cont ained and deliverable volumes are the same.During normal operat ion, a boric acid transfer pump provides recirculation between the boric acid tank and the BIT.

On receipt of an SI signal, the recirculation line valves close. Flow to the BIT is then supplied from the HHSI pumps. The solution of the BIT is injected into the RCS through the RCS cold legs.APPLICABLE SAFETY ANALYSESDuring a main steam line break (MSL B) or loss of coolant accident (LOCA), the BIT provides an immediate source of concentrated boric acid that quickly introduces negative reactivity into the RCS.

(continued)

North Anna Units 1 and 2B 3.5.6-2Revision 0 BITB 3.5.6BASESAPPLICABLE SAFETY ANALYSES(continued)

The contents of the BIT are not cred ited for core cooling or immediate boration in the LOCA analysis, but are for post LOCA recovery. The BIT maximum boron concentration of 15,750ppm is used to determine the

minimum time for hot leg recirculation switchover. The minimum boron concentration of 12,950ppm is used to determine the minimum mixed mean sump boron concentration fo r post LOCA shutdown requirements.For the MSLB, the BIT is the primar y mechanism for injecting boron into the core to counteract the positive increases in re activity caused by an RCS cooldown. The MSLB core response an alysis conservatively assumes a 0ppm minimum boron concentration of the BIT, which also affects the

departure from nucleate boiling desi gn analysis. The MSLB containment response analysis conservatively assumes a 2000ppm minimum boron concentration of the BIT. Reference to the LOCA and MSLB analyses is used to assess changes to the BIT to evaluate their effect on the acceptance limits contained in these analyses.The minimum temperature limit of 115F for the BIT ensures that the solution does not reach the boric acid precipitation point. The temperature of the solution is monitored and alarmed on the main control board.

The BIT boron concentration limits are established to ensure that the core remains subcritical during post LOCA recovery. The BIT will counteract any positive increases in reactiv ity caused by an RCS cooldown.The BIT water volume of 900gallons is us ed to ensure that the appropriate quantity of highly borated water with sufficient negative reactivity is injected into the RCS to shut down the core following an MSLB, to determine the hot leg recirculation switchover time, and to safeguard against boron precipitation.The BIT satisfies Criteria2 and3 of 10CFR 50.36(c)(2)(ii).

LCOThis LCO establishes the minimum requirements for contained volume, boron concentration, and temperature of the BIT inventory. This ensures that an adequate supply of borated wa ter is available in the event of a LOCA or MSLB to maintain the re actor subcritical following these accidents.

(continued)

BITB 3.5.6BASESNorth Anna Units 1 and 2B 3.5.6-3Revision 0 LCO(continued)To be considered OPERABLE, the limits established in the SR for water volume, boron concentration, a nd temperature must be met.APPLICABILITYIn MODES1, 2, and3, the BIT OPERABILITY requirements are consistent with those of LCO3.5.2, "ECCS-Operating."In MODES4, 5, and6, the respective accidents are less severe, so the BIT is not required in these lower MODES.ACTIONSA.1 If the required volume is not present in the BIT, both the hot leg recirculation switchover time analysis and the boron preci pitation analysis may not be correct. Under these conditions, prompt ac tion must be taken to restore the volume to above its re quired limit to declare the tank OPERABLE, or the unit must be placed in a MODE in which the BIT is

not required.

The BIT boron concentration is consid ered in the hot leg recirculation switchover time anal ysis, the boron precipitation analysis, and may effect the reactivity analysis for an MSLB. If the concentration were not within

the required limits, these analyses could not be relied on. Under these conditions, prompt action must be taken to restore the concentration to

within its required limits, or the unit must be placed in a MODE in which the BIT is not required.The BIT temperature limit is establis hed to ensure that the solution does not reach the boric acid crystallization point. If the temperature of the solution drops below the minimum, prom pt action must be taken to raise the temperature and declare the ta nk OPERABLE, or the unit must be placed in a MODE in which the BIT is not required.The 1hour Completion Time to restore the BIT to OPERABLE status is consistent with other Completion Times established for loss of a safety

function and ensures that the unit will not operate for long periods outside of the safety analyses.

North Anna Units 1 and 2B 3.5.6-4Revision 46 BITB 3.5.6BASESACTIONS(continued)

B.1, B.2, and B.3When Required ActionA.1 cannot be completed within the required Completion Time, a controlled shutdow n should be initiated. Six hours is a

reasonable time, based on operating experience, to reach MODE3 from full power conditions and to be bor ated to the required SDM without challenging unit systems or operators

. Borating to the required SDM assures that the unit is in a safe c ondition, without need for any additional boration.

After determining that the BIT is i noperable and the Required Actions of B.1 andB.2 have been completed, the tank must be returned to OPERABLE status within 7days. Thes e actions ensure that the unit will not be operated with an inoperable BIT for a lengthy period of time. It should be noted, however, that cha nges to applicable MODES cannot be

made until the BIT is restored to OPERABLE status, except as provided by LCO3.0.4.

C.1Even though the RCS has been borated to a safe and stable condition as a result of Required ActionB.2, either the BIT must be restored to OPERABLE status (Required ActionC.1) or the unit must be placed in a condition in which the BIT is not required (MODE4). The 12hour Completion Time to reach MODE4 is reasonable, based on operating

experience and normal cooldown rates, and does not challenge unit safety systems or operators.SURVEILLANCE

REQUIREMENT

SSR3.5.6.1Verification that the BIT water temper ature is at or above the specified minimum temperature will identify a temperature change that would approach the acceptable limit. The solution temperature is also monitored by an alarm that provides further a ssurance of protection against low temperature. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

BITB 3.5.6BASESNorth Anna Units 1 and 2B 3.5.6-5Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.5.6.2Verification that the BIT contained volume is above the required limit assures that this volume will be availa ble for quick injection into the RCS. The 900gallon limit corresponds to the BIT being completely full.

Methods of verifying that the BIT is completely full include venting from the high point vent, and recirculation flow with the Boric Acid Storage Tanks. If the volume is too low, the BIT would not provi de enough borated water to ensure subcriticality during recirculation or to provide additional core shutdown margin following an MS LB. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.SR3.5.6.3Verification that the boron concentration of the BIT is within the required band ensures that the reactor remains subcritical foll owing a LOCA; it limits return to power following an MSLB, and maintains the resulting sump pH in an acceptable range so that boron precipitati on will not occur in the core. In addition, the effect of chloride and causti c stress corrosion on mechanical systems and components will be minimized.

The BIT is in a recirculation loop th at provides continuous circulation of the boric acid solution through the BIT and the boric acid tank (BAT).

There are a number of points along th e recirculation loop where local samples can be taken. The actual loca tion used to take a sample of the solution is specified in the unit Surv eillance procedures.

Sampling from the BAT to verify the concentration of th e BIT is not recommended, since this sample may not be homogenous and the boron concentration of the two tanks may differ.

The sample should be taken from the BI T or from a point in the flow path of the BIT recirculation loop.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6 and Chapter15.

Intentionally Blank North Anna Units 1 and 2B 3.6.1-1Revision 0Containment B 3.6.1B 3.6CONTAINMENT SYSTEMSB 3.6.1ContainmentBASESBACKGROUNDThe containment consists of the concrete reactor building, its steel liner, and the penetrations through this stru cture. The structure is designed to contain radioactive material that may be released from the reactor core following a design basis loss of coolant accident (LOCA). Additionally, this structure provides shielding from the fission products that may be present in the containment atmos phere following accident conditions.

The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a hemispherica l dome roof. The in side surface of the containment is lined with a carbon st eel liner to ensure a high degree of leak tightness during operating and accident conditions.The concrete reactor building is requi red for structural integrity of the containment under Design Basis Acci dent (DBA) conditions. The steel liner and its penetrations establis h the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioac tivity from the containment to the environment. SR3.6.1.1 leakage rate requirements comply with 10CFR50, AppendixJ, OptionB (Ref.1), as modified by approved exemptions.

The isolation devices for the penetra tions in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a.All penetrations required to be closed during accident conditions are either:1.capable of being closed by an OPERABLE automatic containment isolation system, or2.closed by manual valves, blind flan ges, or de-activated automatic valves secured in their closed positions, except as provided in LCO3.6.3, "Containment Isolation Valves";

North Anna Units 1 and 2B 3.6.1-2Revision31Containment B 3.6.1BASESBACKGROUND (continued)b.Each air lock is OPERABLE, except as provided in LCO3.6.2, "Containment Air Locks";c.All equipment hatches are closed; andd.The sealing mechanism associated with each penetration (e.g. welds, bellows, or O-rings) is OPERABLE.APPLICABLE SAFETY ANALYSESThe safety design basis for the containment is that the containment must

withstand the pressures and temperat ures of the limiting DBA without exceeding the design leakage rate.The DBAs that result in a challenge to containment OPERABILITY from high pressures and temperatures are a LOCA, a steam line break, and a rod ejection accident (REA) (Ref.2). In addition, release of significant fission product radioactivity within containmen t can occur from a LOCA or REA. In the DBA analyses, it is assume d that the containment is OPERABLE such that, for the DBAs involving release of fission product radioactivity, release to the environment is controlled by the rate of c ontainment leakage. The containment was designed with an allowable l eakage rate of 0.1% of containment air weight per day (Ref.3). This leakage rate, used to evaluate offsite doses resulting from accidents, is defined in 10CFR50, AppendixJ, OptionB (Ref.1), as L a: the maximum allowable containment leakage rate at the calculated peak containment internal pressure (P a) resulting from the limiting design basis LOCA. The allowable leakage rate represented by L a forms the basis for the acceptance criteria imposed on all containment leakage rate testing. L a is assumed to be 0.1% of containment air weight per day in the safety analyses at P a (Ref.3).Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCOContainment OPERABILITY is maintained by limiting leakage to 1.0 La, except prior to the first startup af ter performing a required Containment Leakage Rate Testing Program leakage test. At this time the applicable leakage limits must be met.

(continued)

Containment B 3.6.1BASESNorth Anna Units 1 and 2B 3.6.1-3Revision 0 LCO(continued)

Compliance with this LCO will en sure a containment configuration, including the equipment hatch, that is st ructurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

Individual leakage rates specified fo r the containment air lock (LCO3.6.2) and purge valves with resilient seals (LCO3.6.3) are not specifically part of the acceptance criteria of 10CFR50, AppendixJ. Therefore, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0L a.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material into containment. In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and

temperature limitations of these MODE S. Therefore, containment is not required to be OPERABLE in MODE5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE6 are addressed in LCO 3.9.4, "Containment Penetrations."ACTIONSA.1 In the event containment is inoperable, containment must be restored to OPERABLE status within 1hour. The 1hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES1, 2, 3, and4. This time period

also ensures that the probability of an accident (requiring containment

OPERABILITY) occurring during periods when containment is inoperable is minimal.

B.1 and B.2 If containment cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power c onditions in an orderly manner and without challenging unit systems.

North Anna Units 1 and 2B 3.6.1-4Revision 0Containment B 3.6.1BASESSURVEILLANCE REQUIREMENT

SSR3.6.1.1 Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Failure to meet air lock and purge valves with resilient seal leakage limits specified in LCO3.6.2 and LCO3.6.3 does not invalidate the acceptability of these overall leakage

determinations unless their contribution to overall TypeA, B, andC leakage causes that to exceed limits. As left leakage prior to the first startup after performing a required Containment Leakage Rate Testing Program, leakage test is required to be 0.6La for combined Type B and C leakage, and 0.75La for overall Type A leakage. At all other times between required leakage rate tests, the accep tance criteria is based on an overall Type A leakage limit of 1.0La. At 1.0La the offsite dose consequences are bounded by the assumptions of the sa fety analysis. SR Frequencies are as required by the Containment Leakage Rate Testing Program. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.REFERENCES1.10CFR50, AppendixJ, OptionB.2.UFSAR, Chapter15.3.UFSAR, Section6.2.

North Anna Units 1 and 2B 3.6.2-1Revision 0 Containment Air Locks B 3.6.2B 3.6 CONTAINMENT SYSTEMSB 3.6.2Containment Air LocksBASESBACKGROUNDContainment air lock s form part of the contai nment pressure boundary and provide a means for personnel acce ss during all MODES of operation.

Each air lock is nominally a right circular cylinder, one of which is 7ft in diameter, the other 5.75ft in diameter, with a door at each end. The 5.75ft diameter equipment hatch escape air lock is an integral part of the

containment equipment hatch. The doors are interlocked to prevent

simultaneous opening. During periods wh en containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing

both doors of an air lock to rema in open for extended periods when frequent containment entry is necessary. Each air lock door has been

designed and tested to certif y its ability to withstand a pressure in excess of the maximum expected pressure follo wing a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors co ntains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. The inner and outer door of the 7 ft diameter personnel air lock include an 18 inch diameter emergency manway. The ma nways contain double gasketed seals and local leak rate testing capability to ensure pressure integrity. The manways are to be used only for emer gency entrance or exit from the air lock. Operation of the manways of the 7 ft personnel air lock is controlled administratively.The 7ft personnel air lock is provide d with limit switches on both doors that provide control room alarm of inside or outside door operation. Outside access to the 5.75ft equipment hatch escape air lock is controlled by an alarmed door to the space outside containment which provides access to the air lock.The containment air locks form part of the containment pressure boundary.

As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate

in excess of that assumed in the unit safety analyses.

North Anna Units 1 and 2B 3.6.2-2Revision31 Containment Air Locks B 3.6.2BASESAPPLICABLE SAFETY ANALYSESThe DBAs that result in a releas e of radioactive material within containment are a loss of coolant ac cident and a rod ejection accident (Ref.3). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the

environment is controlled by the ra te of containment leakage. The containment was designed with an a llowable leakage rate of 0.1% of containment air weight per day (Ref.2).

This leakage rate is defined in 10CFR50, AppendixJ, OptionB (Ref.1), as L a=0.1% of containment air weight per day, the maximum allowable containm ent leakage rate at the calculated peak containment internal pressure P a following a design basis LOCA. This allowable leakage rate forms the basis for the acceptance

criteria imposed on the SRs a ssociated with the air locks.

The containment air locks satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOEach containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the c ontainment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are

essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the TypeB air lock leakage test, and both air lock doors must be OPERABLE. Opening or

closing of the manways of the 7 ft pers onnel air lock is treated in the same manner as opening or closing of the associated door. The interlock allows only one air lock door of an air lock to be opened at one time. Operation of the manways of the 7 ft personnel air lock is controlled administratively.

These provisions ensure that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to pr ovide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for entry into or exit from containment.

Containment Air Locks B 3.6.2BASESNorth Anna Units 1 and 2B 3.6.2-3Revision 0APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment. In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment air locks are not required in MODE5 to prevent leakage of radioactive material from containment.

The requirements for th e containment air locks during MODE6 are addressed in LCO3.9.4, "Containment Penetrations."ACTIONSThe ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. If the outer door is

inoperable, then it may be easily acce ssed for most repairs. It is preferred that the 7ft personnel air lock be used for access to Containment due to the size and configuration of the 5.75ft equipment hatch escape air locks. The equipment hatch escape air lock is typically only used in case of emergency. This means there is a s hort time during which the containment boundary is not intact (during acce ss through the OPERABLE door). The ability to open the OPERABLE door, ev en if it means the containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize th e containment during the short time in which the OPERABLE door is expect ed to be open. After each entry and

exit, the OPERABLE door must be immediately closed.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. This is acceptable, since the Required Actions for e ach Condition provide appropriate compensatory actions for each inope rable air lock. Complying with the Required Actions may allow for continued operation, and a subsequent inoperable air lock is governed by subsequent Condition entry and application of associ ated Required Actions.In the event the air lock leakage results in exceeding the overall containment leakage rate, Note3 di rects entry into the applicable Conditions and Required Actions of LCO3.6.1, "Containment."

North Anna Units 1 and 2B 3.6.2-4Revision 0 Containment Air Locks B 3.6.2BASESACTIONS(continued)

A.1, A.2, and A.3With one air lock door in one or more containment air locks inoperable, the OPERABLE door must be verified closed (Required ActionA.1) in each affected containment air lock. This en sures that a leak tight containment barrier is maintained by the use of an OPERABLE air lock door. This

action must be completed within 1hour. This specified time period is consistent with the ACTIONS of LCO3.6.1, which requires containment be restored to OPERABLE status within 1hour.In addition, the affected air lock pene tration must be isolated by locking closed the OPERABLE air lock door within the 24hour Completion Time. The 24hour Completion Time is reasonable for locking the OPERABLE air lock door, considering the OPERABLE door of the affected air lock is

being maintained closed.Required ActionA.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and closed OPERABLE air lock door. This ensures that an acceptable containment leak age boundary is maintained. The Completion Time of once per 31days is based on engineering judgment and is consider ed adequate in view of the low likelihood of a locked door being mis positioned and othe r administrative controls. Required ActionA.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified

locked closed by use of administra tive means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

The Required Actions have been modified by two Notes. Note1 ensures that only the Required Actions and associated Completion Times of ConditionC are required if both doors in the same air lock are inoperable.

With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required ActionsC.1 andC.2 are the

appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note2 allows use of the air lock for entry and exit for 7day s under administrative controls if the air lock has an inoperable door. This 7 day restriction (continued)

Containment Air Locks B 3.6.2BASESNorth Anna Units 1 and 2B 3.6.2-5Revision 0ACTIONSA.1, A.2, and A.3 (continued) begins when the air lock door is di scovered inoperable. Containment entry may be required on a periodic basis to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equi pment. This Note is not intended to preclude performing other activities (i.e., non-TS-require d activities) if the containment is entered, using the inoperable air loc k, to perform an allowed activity listed above. This allowance is acceptable due to the low

probability of an event that could pressurize the containment during the

short time that the OPERABLE door is expected to be open.

B.1, B.2, and B.3With an air lock interlock mechanism inoperable in one or more air locks, the Required Actions and associated Completion Times are consistent with those specified in ConditionA.The Required Actions have been modified by two Notes. Note1 ensures that only the Required Actions and associated Completion Times of ConditionC are required if both doors in the same air lock are inoperable.

With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required ActionsC.1 andC.2 are the appropriate remedial actions. Note2 allows entry into and exit from

containment under the contro l of a dedicated individu al stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).Required ActionB.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked

closed by use of administrative means. Al lowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

North Anna Units 1 and 2B 3.6.2-6Revision 0 Containment Air Locks B 3.6.2BASESACTIONS(continued)

C.1, C.2, and C.3With one or more air locks inoperable for reasons other than those described in ConditionA orB, Required ActionC.1 requires action to be initiated immediately to evaluate pr evious combined leakage rates using current air lock test results. An evalua tion is acceptable, since it is overly conservative to immediately declare the containment inoperable if both doors in an air lock have failed a seal test or if the overall air lock leakage is not within limits. In many inst ances (e.g., only one seal per door has failed), containment remains OPERABLE, yet only 1hour (per LCO3.6.1) would be provided to restore the air lock door to OPERABLE status prior

to requiring a unit shutdown. In additi on, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.Required ActionC.2 requires that one door in the affected containment air lock must be verified to be closed within the 1hour Completion Time. This

specified time period is consistent with the ACTIONS of LCO3.6.1, which requires that containment be restored to OPERABLE status within 1hour.Additionally, the affected air lock(s

) must be restored to OPERABLE status within the 24hour Completion Time. The specified time period is considered reasonable for restoring an inoperable air lock to OPERABLE status, assuming that at le ast one door is maintained closed in each affected air lock.

D.1 and D.2 If the inoperable containment air lo ck cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within6 hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.

Containment Air Locks B 3.6.2BASESNorth Anna Units 1 and 2B 3.6.2-7Revision 46SURVEILLANCE REQUIREMENT

SSR3.6.2.1Maintaining containment air locks OPERABLE requires compliance with the leakage rate test requirements of TS5.5.15 Containm ent Leakage Rate Testing Program. This SR reflects the ove rall air lock leakage rate testing acceptance criteria with regard to air lock leakage (TypeB leakage tests). The acceptance criteria were established during initial air lock and containment OPERABILITY testing. The periodic testing requirements verify that the air lock leakage limits do not exceed the allowed fraction of the overall containment leakage rate required by the Technical Specifications. The Frequency is required by the Containment Leakage Rate Testing Program.

The SR has been modified by two Notes. Note1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either

air lock door is capable of providing a fission product barrier in the event of a DBA. Note2 has been added to this SR requiring the results to be

evaluated against the acceptance criteria which are applicable to SR3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the combined TypeB andC containment leakage rate.SR3.6.2.2 The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interl ock feature supports containment OPERABILITY while the air lock is being used for personnel transit in and

out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of

the inner and outer doors will not ina dvertently occur when combined with administrative procedures. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.10CFR50, AppendixJ, OptionB.2.UFSAR, Section6.2.3.UFSAR, Chapter15.

Intentionally Blank North Anna Units 1 and 2B 3.6.3-1Revision 8Containment Isolation Valves B 3.6.3B 3.6 CONTAINMENT SYSTEMSB3.6.3Containment Isolation ValvesBASESBACKGROUNDThe containment isolation valves listed in TRM Tables4.1-1 (Unit1) and4.1-2 (Unit2) form part of th e containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be provided with two isolation barriers that are closed on a containment isolation signal. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves

secured in their closed position (incl uding check valves with flow through

the valve secured), blind flanges, and closed systems are considered passive devices. Automatic valves designed to close without operator action following an accident are considered active devices. Two barriers in series are provided for each penetration so that no si ngle credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these

barriers may be a closed system. Th ese barriers (typically containment isolation valves) make up the Containment Isolation System.

Automatic isolation signals are pr oduced during accident conditions. Containment Phase"A" isolation occurs upon receipt of a safety injection signal. The Phase"A" isolation signal isolates nonessential process lines in order to minimize leakage of fission product radioactivity. Containment Phase"B" isolation occurs upon receipt of a containment pressure

High-High signal and isolates the rema ining process lines, except systems required for accident mitigation.The OPERABILITY requirements for c ontainment isolation valves help ensure that containment is isolated within the time limits assumed in the safety analyses. Therefore, the OPERABILITY requirements provide assurance that the containment function assumed in the safety analyses will be maintained.

(continued)

North Anna Units 1 and 2B 3.6.3-2Revision 0Containment Isolation Valves B 3.6.3BASESBACKGROUND (continued)Containment Purge System (36inch purge and exhaust valves, 18inch containment vacuum breaking valve, and 8inch purge bypass valve)The Containment Purge System operate s to supply outside air into the containment for ventilation and cooling or heating and may also be used to reduce the concentration of noble gase s within containment prior to and during personnel access. The supply a nd exhaust lines each contain two isolation valves. Because of their large size, the 36inch purge valves are not qualified for automa tic closure from their open position under Design Basis Accident (DBA) conditions. Therefore, the 36inch purge valves are maintained closed in MODES1, 2, 3, and4 to ensure the containment boundary is maintained. The 18inch containment vacuum breaking valve and 8inch bypass valve are also maintained closed in MODES1, 2, 3, and4.APPLICABLE SAFETY ANALYSESThe containment isolation valve LCO was derived from the assumptions related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during majo r accidents. As part of the containment boundary, containment isolation valve OPERABILITY

supports leak tightness of the containment. Therefore, the safety analyses of any event requiring isolation of containment is applicable to this LCO.The DBAs that result in a releas e of radioactive material within containment are a loss of coolant accident (LOCA) and a rod ejection accident (Ref.1). In the analyses for each of these accidents, it is assumed

that containment isolation valves are either clos ed or function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through containment isolation valves (including containment purge valves) are minimized. The safety analyses assume that the 36inch purge and exhaust valves are closed at event initiation.

The DBA analysis assumes that, within 60seconds after the accident, isolation of the containment is complete and leakage terminated except for the design leakage rate, La. The cont ainment isolation total response time of 60seconds includes signal delay, di esel generator startup (for loss of offsite power), and containment isolation valve stroke times.

(continued)

Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-3Revision 8APPLICABLE SAFETY ANALYSES(continued)

The containment isolation valv es satisfy Criterion 3 of 10CFR50.36(c)(2)(ii).LCOContainment isolation valves listed in TRM Tables4.1-1 (Unit1) and4.1-2 (Unit2) form a part of the containment boundary. The containment isolation valves' safety f unction is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during a DBA.The automatic power operated isola tion valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The 36, 18, and 8inch purge valves must be maintained locked, sealed, or otherwise secured closed. The valves covered by this LCO are listed along with their associated stroke times in the Technical Requirements Manual (Ref.2).The normally closed isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in their closed position, blind flanges ar e in place, and closed systems are intact. These passive isolation valves/devices are those listed in Reference2.Purge valves with resilient seals must meet additional leakage rate requirements. The other containment isolation valve leakage rates are addressed by LCO3.6.1, "Containment," as TypeC testing.

This LCO provides assurance that th e containment isolation valves and purge valves will perform their desi gned safety functions to minimize the loss of reactor coolant inventory a nd establish the containment boundary during accidents.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment. In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment isolation valves are not required to be OPERABLE in MODE5. The

requirements for containment isolation valves during MODE6 are addressed in LCO3.9.4, "Cont ainment Penetrations."

North Anna Units 1 and 2B 3.6.3-4Revision 0Containment Isolation Valves B 3.6.3BASESACTIONSThe ACTIONS are modified by a Note allowing penetration flow paths, except for 36inch purge and exhaust valve, 18inch containment vacuum breaking valve, 8inch purge bypass valv e, and steam jet ai r ejector suction penetration flow paths, to be unisolated intermitte ntly under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated. Due to the fact that the 36inch valves are not qualified for automatic closure from their open position under DBA conditions and that these and the other penetrations listed as excepted exhaust directly fr om the containment atmosphere to the environment, the penetrat ion flow path containing these valves may not be opened under administrative controls.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment

isolation valve. Complying with the Required Actions may allow for continued operation, and subsequent inoperable containment isolation valves are governed by subsequent Condition entry and application of associated Required Actions.The ACTIONS are further modified by a third Note, which ensures appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inopera ble containment isolation valve.In the event the leakage for a containment penetration flow path results in exceeding the overall containment leakage rate acceptance criteria, Note4 directs entry into the applicable Conditions and Required Actions of LCO3.6.1.

A.1 and A.2In the event one containment isolation valve in one or more penetration flow paths is inoperable, except for purge valve leakage not within limit, the affected penetration flow path must be isolated. The method of isolation must include the use of at l east one isolation barrier that cannot be adversely affected by a single active fail ure. Isolation barriers that meet this criterion are a closed and (continued)

Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-5Revision 0ACTIONSA.1 and A.2 (continued)de-activated automatic containment isol ation valve, a closed manual valve, a blind flange, or a check valve with flow through the valve secured. For a penetration flow path is olated in accordance with Required ActionA.1, the device used to isolate the penetration should be the closest available one to containment. Required ActionA.1 must be completed within 4hours. The 4hour Completion Time is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES1, 2, 3, and4.For affected penetration flow paths that cannot be restored to OPERABLE status within the 4hour Completion Time and that have been isolated in accordance with Required ActionA.1, the affected penetration flow paths must be verified to be isolated on a periodic basis. This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of bei ng automatically isol ated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification, through a system walkdown, that t hose isolation devices outside containment and capable of being mispos itioned are in th e correct position. The Completion Time of "once per 31 days for isolation devices outside containment" is appropriate consider ing the fact that the devices are operated under administrative contro ls and the probability of their misalignment is low. For the isolation devices inside containment, the time period specified as "prior to entering MODE4 from MODE5 if not performed within the previous 92days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation

devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility.ConditionA has been modified by a No te indicating that this Condition is only applicable to those penetrati on flow paths with two containment

isolation valves. For penetration fl ow paths with only one containment isolation valve and a closed system, ConditionC provides the appropriate actions.Required ActionA.2 is modified by two Notes. Note1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of (continued)

North Anna Units 1 and 2B 3.6.3-6Revision 0Containment Isolation Valves B 3.6.3BASESACTIONSA.1 and A.2 (continued)administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note2 applies to isolation devices th at are locked, sealed, or otherwise secured in position and allows these devi ces to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices

once they have been verified to be in the proper position, is small.

B.1With two containment isolation valves in one or more penetration flow paths inoperable, except for purge valve leakage not within limit, the affected penetration flow path must be isolated within 1hour. The method

of isolation must include the use of at least one is olation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 1hour Completion Time is consistent with the ACTIONS of LCO3.6.1. In the event the affected

penetration is isolated in accordance with Required ActionB.1, the affected penetration must be verified to be isolated on a periodic basis per Required ActionA.2, which remains in ef fect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an acci dent are isolated. The Completion Time of once per 31days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative control and the probability of their misalignment is low.ConditionB is modified by a Note indicating this Condition is only applicable to penetration flow paths with two cont ainment isolation valves. ConditionA of this LCO addresses the condition of one containment isolation valve inoperable in this type of penetration flow path.

Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-7Revision 0ACTIONS(continued)

C.1 and C.2With one or more penetration flow paths with one cont ainment isolation valve inoperable, the inoperable valve flow path must be restored to OPERABLE status or the affected penetration flow path must be isolated.

The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetrat ion flow path, with the exception of valves specified in Reference4. Required ActionC.1 must be completed within the 72hour Completion Time. The specified time period is

reasonable considering the relative stab ility of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of maintaining containment integrity during MODES1, 2, 3, and4. In the event the affected penetration flow path is isolated in accordance with Required ActionC.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This periodic verification is necessary to assure l eak tightness of containment and that containment penetrations requiring is olation following an accident are isolated. The Completion Time of once per 31days for verifying that each affected penetration flow path is isolated is appropriate because the valves are operated under administrative cont rols and the probability of their misalignment is low.ConditionC is modified by a Note indi cating that this Condition is only applicable to those pe netration flow paths wi th only one containment isolation valve and a closed system. The closed system must meet the requirements of Reference3. This Note is necessary since this Condition is written to specifically address those penetration flow paths in a closed system.

Required ActionC.2 is modified by two Notes. Note1 applies to valves and blind flanges located in high radi ation areas and allows these devices to be verified closed by use of admi nistrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note2 applies to is olation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification (continued)

North Anna Units 1 and 2B 3.6.3-8Revision 0Containment Isolation Valves B 3.6.3BASESACTIONSC.1 and C.2 (continued)by administrative means is considered acceptable, since the function of locking, sealing, or securi ng components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these valves, once they have been ve rified to be in the proper position, is small.D.1With the purge valve penetration leakage rate (SR3.6.3.4) not within limit, the assumptions of the safety analyses are not met. Therefore, the leakage

must be restored to within limit.

Restoration can be accomplished by isolating the penetration(s) that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated the leakage rate for the isolated

penetration is assumed to be th e actual pathway leakage through the

isolation device. If two is olation devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 24hour Completion Time for pur ge valve penetration leakage is acceptable considering the purge valves remain closed so that a gross breach of containment does not exist.

E.1 andE.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times

are reasonable, based on operating expe rience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.6.3.1 This SR requires verification that eac h containment isolation manual valve and blind flange located outside cont ainment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment (continued)

Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-9Revision 46SURVEILLANCE REQUIREMENT

SSR3.6.3.1 (continued)boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it invol ves verification, through a system walkdown, that those containment isol ation valves outside containment and capable of being mispositioned are in the correct position. The

Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR sp ecifies that containment isolation valves that are open under administrative controls are not required to meet the SR during the time the valves ar e open. This SR does not apply to valves that are locked, sealed, or ot herwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing,

or securing.

The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verifi ed closed by use of administrative means. Allowing verification by admi nistrative means is considered acceptable, since access to these ar eas is typically restricted during MODES1, 2, 3 and4 for ALARA reasons. Therefore, the probability of misalignment of these containment isol ation valves, once they have been verified to be in the proper position, is small.SR3.6.3.2This SR requires verification that each containment isolation manual valve and blind flange located inside cont ainment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment boundary is within design limits. For containment isolation valves inside containment, the Frequency of "prior to entering MODE4 from MODE5 if not performed within the previous 92days" is appropriate sin ce these containment isolation valves are operated under administrative cont rols and the probability of their misalignment is low. The SR specifies that containment isolation valves that are open under administrative contro ls are not required to meet the SR during the time they are open. This SR does not apply to (continued)

North Anna Units 1 and 2B 3.6.3-10 Revision 0Containment Isolation Valves B 3.6.3BASESSURVEILLANCE REQUIREMENT

SSR3.6.3.2 (continued) valves that are locked, sealed, or ot herwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.

This Note allows valves and blind flan ges located in high radiation areas to be verified closed by use of administ rative means. Allo wing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES1, 2, 3, and 4, for ALARA reasons.

Therefore, the probability of misali gnment of these containment isolation valves, once they have been verified to be in their proper position, is small.SR3.6.3.3Verifying that the isolation time of each automatic power operated containment isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analyses. The isolation time and Frequency of this SR are in accordance with the Inservice Testing Program.SR3.6.3.4For containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10CFR50, AppendixJ, OptionB, is required to ensure OPERABILITY. Operating experience has demonstrated that this type of seal ha s the potential to degrade in a shorter time period than do other seal types.This SR must be performed prior to entering MODE4 from MODE5 after containment vacuum has been broken. This Frequency was chosen

recognizing that cycling the valv e could introduce additional seal degradation (beyond that occurring to a valve that has not been opened).

This Frequency will ensure that each time these valv es are cycled they will be leak tested.

Containment Isolation Valves B 3.6.3BASESNorth Anna Units 1 and 2B 3.6.3-11Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.6.3.5Automatic containment isolation valves close on a containment isolation signal to prevent leakage of radi oactive material from containment following a DBA. This SR ensures that each automatic power operated containment isolation valve will ac tuate to its isolation position on a containment isolation signal. Check va lves which are containment isolation valves are not considered automati c valves for the purpose of this

Surveillance as they do not receive a containment isolation signal. This Surveillance is not required for valves that are lock ed, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.3.6The check valves that serve a containment isolation function are weight or spring loaded to provide positive closure in the direction of flow. This ensures that these check valves will remain closed when the inside

containment atmosphere returns to subatmospheric conditions following a DBA. SR3.6.3.6 verifies the operation of the check valves that are not

testable during unit operation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter15.2.Technical Requirements Manual.3.Standard Review Plan 6.2.4.

4.UFSAR, Section6.2.4.2.

Intentionally Blank North Anna Units 1 and 2B 3.6.4-1Revision31 Containment Pressure B 3.6.4B 3.6 CONTAINMENT SYSTEMSB 3.6.4Containment PressureBASESBACKGROUNDContainment air partial pressure is a process va riable that is monitored and controlled. The containment air partial pressure is maintained as a function of refueling water storage tank temperature and service water temperature according to Figure3.6.4-1 of the LCO, to ensure that, following a Design Basis Accident (DBA), the containmen t would depressurize to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours.

Controlling containment partial pressure within prescribed limits also prevents the containment pressure fr om exceeding the containment design negative pressure differential with respect to the outside atmosphere in the

event of an inadvertent actuation of the Quench Spray (QS) System.

Controlling containment air partial pressure limits within prescribed limits ensures adequate net positive suction head (NPSH) for the recirculation

spray and low head safety injection pumps following a DBA.

The containment internal air partial pressure limits of Figure3.6.4-1 are derived from the input c onditions used in the containment DBA analyses.

Limiting the containment internal air partial pressure and temperature in turn limits the pressure that could be expected following a DBA, thus ensuring containment OPERABILITY. Ensuring containment OPERABILITY limits leakage of fi ssion product radioactivity from containment to the environment.APPLICABLE SAFETY ANALYSESContainment air partial pressure is an initial condition used in the containment DBA analyses to establish the maximum peak containment internal pressure. The limiting DBAs considered relative to containment pressure are the loss of coolant accident (LOCA) and steam line break (SLB). The LOCA and SLB are analyz ed using computer codes designed to predict the resultant containment pressure transients. DBAs are assumed not to occur simultaneously or consecutively. The postulated DBAs are

analyzed assuming degraded containment Engineered Safety Feature (ESF) systems (i.e., assuming no offsite power and the loss of one emergency diesel generator, which is the worst case single active failure, resulting in one train of the QS System and (continued)

North Anna Units 1 and 2B 3.6.4-2Revision 48 Containment Pressure B 3.6.4BASESAPPLICABLE SAFETY ANALYSES(continued) one train of the Recirculation Spray System becoming inoperable). The containment analysis for the DBA (Ref.1) shows that the maximum peak containment pressure results fr om the limiting design basis SLB.The maximum design internal pressure for the containment is 45.0psig.

The LOCA and SLB analyses establish the limits for the containment air

partial pressure operating range. The initial conditions used in the containment design basis LOCA analyses were an air partial pressure of 12.3psia and an air temperature of 115F. This resulted in a maximum peak containment internal pressure of 42.7psig, which is less than the maximum design internal pressure for the containment. The SLB analysis resulted in a maximum peak containment internal pressure of 43.0psig, which is less than the maximum de sign internal pressure for the containment.

The containment was also designed for an external pressure load of 9.2psid (i.e., a design minimum pressure of 5.5psia). The inadvertent actuation of the QS System was anal yzed to determine the reduction in containment pressure (Ref.1). The init ial conditions used in the analysis were 10.3psia and 115F. This resulted in a minimum pressure inside containment of 8.6psia, which is c onsiderably above the design minimum of 5.5psia.

Controlling containment air partial pressure limits within prescribed limits ensures adequate NPSH for the recirc ulation spray and low head safety injection pumps following a DBA. The minimum containment air partial

pressure is an initial condition for the NPSH analyses.

For certain aspects of transient accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emerge ncy Core Cooling System during the core reflood phase of a LOCA anal ysis increases with increasing containment backpressure. For the reflood phase calculations, the containment backpressure is calc ulated in a manner designed to conservatively minimize, rather than maximize, th e containment pressure response in accordance with 10CFR50.46 (Ref.2).The radiological consequences analysis demonstrates acceptable results provided the containment pressure decreases to 2.0psig in 1hour and does not exceed 2.0psig (continued)

Containment Pressure B 3.6.4BASESNorth Anna Units 1 and 2B 3.6.4-3Revision31APPLICABLE SAFETY ANALYSES(continued)for the interval from 1 to 6hours following the Design Basis Accident (Ref.3). Beyond 6hours the containmen t pressure is assumed to be less than 0.0psig, terminating leakage from containment.

Containment pressure satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOMaintaining containment pressure within the limits shown in Figure3.6.4-1 of the LCO ensures that in the event of a DBA the resultant peak containment accident pressure will be maintained below the containment design pressure. These lim its also prevent the containment pressure from exceeding the contai nment design negative pressure differential with respect to the out side atmosphere in the event of inadvertent actuation of the QS System. The LCO limits also ensure the containment structure will depressurize to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a DBA.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment. Since main taining containment pressure within design basis limits is essential to ensure initial conditions assumed in the accident analyses are maintained, the LCO is applicable in MODES1, 2, 3, and4.In MODES5 and6, the probability and consequences of these events are reduced due to the Reactor Coolant System pressure and temperature limitations of these MODES. Therefor e, maintaining containment pressure within the limits of the LCO is not required in MODE5 or6.ACTIONSA.1 When containment air partial pressure is not within the limits of the LCO, containment pressure must be restored to within these limits within 1hour.

The Required Action is necessary to return operation to within the bounds

of the containment analysis. The 1hour Completion Time is consistent with the ACTIONS of LCO3.6.1, "Con tainment," which requires that containment be restored to OPERABLE status within 1hour.

North Anna Units 1 and 2B 3.6.4-4Revision 48 Containment Pressure B 3.6.4BASESACTION (continued)

B.1 and B.2If containment air partial pressure cannot be restored to within limits within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To ac hieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.6.4.1Verifying that containment air partial pressure is within limits ensures that operation remains within the limits a ssumed in the containment analysis.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section6.2.2.10CFR50.46.3.UFSAR, Section15.4.1.7.

North Anna Units 1 and 2B 3.6.5-1Revision31Containment Air Temperature B 3.6.5B 3.6 CONTAINMENT SYSTEMSB 3.6.5Containment Air TemperatureBASESBACKGROUNDThe containment stru cture serves to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA). The containment average air temperature is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a loss of coolant accident (LOCA) or steam line break (SLB).

The containment average air temperatur e limit is derived from the input conditions used in the containment functional analyses and the containment structure external pressure analyses. This LCO ensures that

initial conditions assumed in the anal ysis of containment response to a DBA are not violated dur ing unit operations. The total amount of energy to be removed from containment by th e Containment Spray systems during post accident conditions is dependent upon the energy released to the containment due to the event, as well as the initial containment temperature and pressure. The higher the initial temperature, the more energy which must be removed, resulting in a higher peak containment pressure and temperature. Exceeding containment design pressure may result in leakage greater than that assumed in the accident analysis. Operation with containment temperature in excess of the LCO limit violates an initial condition assumed in the accident analysis.APPLICABLE SAFETY ANALYSESContainment average air temperature is an initial condition used in the DBA analyses that establishes the c ontainment environm ental qualification operating envelope for both pressure and temperature. The limit for containment average air temperature en sures that operation is maintained within the assumptions used in the DBA analyses for containment (Ref.1).The limiting DBAs considered relati ve to containment OPERABILITY are the LOCA and SLB. The DBA LOCA and SLB are analyzed using

computer codes designed to predict the resultant containment pressure transients. No two DBAs are assumed to occur simultaneously or consecutively. The postulated DBAs are analyzed with regard to

containment (continued)

North Anna Units 1 and 2B 3.6.5-2Revision31Containment Air Temperature B 3.6.5BASESAPPLICABLE SAFETY ANALYSES(continued)Engineered Safety Feature (ESF) systems, assuming no offsite power and the loss of one emergency diesel generator, which is the worst case single active failure, resulting in one train of the Quench Spray (QS) System and Recirculation Spray System being rendered inoperable.

The postulated SLB events are analyzed without credit for the RS system.The limiting DBA for the maximum peak containment air temperature is an SLB. The initial containment average air temperature assumed in the design basis analyses is 115F. This resulted in a maximum containment air temperature of 309F. The design temperature is 280F.The temperature upper limit is used to establish the environmental qualification operating envelope for containment. The maximum peak containment air temperature was calc ulated to exceed the containment design temperature for a relatively shor t period of time during the transient.

The basis of the containment design temperature, however, is to ensure the performance of safety related equipment inside containment (Ref.2).

Thermal analyses showed that the time interval during which the

containment air temperature exceeded the containment design temperature was short enough that there would be no adverse effect on equipment inside containment assumed to mitigate the consequences of the DBA.

Therefore, it is concluded that the calculated transien t containment air temperature is acceptable for the DBA SLB.

The temperature upper limit is also used in the depressurization analyses to ensure that the minimum pressure limit is maintained following an inadvertent actuation of the QS System (Ref.1).

The containment pressure transient is sensitive to the initial air mass in containment and, therefore, to the initi al containment air temperature. The limiting DBA for establishing the ma ximum peak containment internal pressure is an SLB. The temperature upper limit is used in the SLB analysis

to ensure that, in the event of an accident, the maximum containment internal pressure will not be exceeded.Containment average air temperature satisfies Criterion2 of 10CFR50.36(c)(2)(ii).

Containment Air Temperature B 3.6.5BASESNorth Anna Units 1 and 2B 3.6.5-3Revision 0 LCODuring an SLB, with an initial containment average temperature less than or equal to the LCO temperature limits, the resultant peak accident temperature exceeds containment design temperature for a relatively short period of time, but otherwise is main tained below the containment design temperature. As a result, the ability of containment to perform its design function is ensured.APPLICABILITYIn MODES1, 2, 3, and4, an SLB could cause an accidental release of radioactive material to the environm ent or a reactivity excursion. In MODES5 and6, the probability and c onsequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment average air temperature within the limit is not required in MODE5 or6.ACTIONSA.1When containment average air temperat ure is not within the limits of the LCO, it must be restored to within limits within 8hours. This Required Action is necessary to return operation to within the bounds of the containment analysis. The 8hour Completion Time is acceptable considering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems.

B.1 and B.2 If the containment average air temperat ure cannot be restor ed to within its limits within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.6.5.1Verifying that containment average air temperature is within the LCO limits ensures that containment operation remains within the limits assumed for the containment analys es. In order to determine the containment average air temperature, (continued)

North Anna Units 1 and 2B 3.6.5-4Revision 46Containment Air Temperature B 3.6.5BASESSURVEILLANCE REQUIREMENT

SSR3.6.5.1 (continued)a weighted average is calculated using measurements ta ken at locations within containment selected to provi de a representative sample of the overall containment atmosphere. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section6.2.2.10CFR50.49.

North Anna Units 1 and 2B 3.6.6-1Revision31QS System B 3.6.6B 3.6 CONTAINMENT SYSTEMSB 3.6.6Quench Spray (QS) SystemBASESBACKGROUNDThe QS System is designed to provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. The QS System, ope rating in conjunction with the Recirculation Spray (RS)

System, is designed to c ool and depressurize the containment structure to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a Design Basis Accident (DBA).

Reduction of containment pr essure and the iodine removal capability of the spray limit the release of fission product radioactiv ity from containment to the environment in the event of a DBA.

The QS System consists of two separate trains of equal capacity, each capable of meeting the design bases.

Each train includes a spray pump, a dedicated spray header, nozzles, valves, and piping. Each train is powered from a separate Engineered Safety Features (ESF) bus. The refueling water storage tank (RWST) supplies borated water to the QS System.The QS System is actuated either automatically by a containment High-High pressure signal or manually. The QS System provides a spray of cold borated water into the upper regions of containment to reduce the

containment pressure and temperature during a DBA. Each train of the QS System provides adequate spray coverage to meet the system design

requirements for containmen t heat and iodine fiss ion product removal. The QS System also provides flow to th e Inside RS pumps to improve the net positive suction head available.

The Chemical Addition System s upplies a sodium hydroxide (NaOH) solution into the spray. The resulting al kaline pH of the spray enhances the ability of the spray to scavenge iodine fission products from the containment atmosphere. The NaOH adde d to the spray also ensures an alkaline pH for the solution recirculated in the containment sump. The alkaline pH of the containment sump water minimizes the evolution of iodine and minimizes the occurrence of chloride and caustic stress corrosion on mechanical systems and components exposed to the fluid.

(continued)

North Anna Units 1 and 2B 3.6.6-2Revision31QS System B 3.6.6BASESBACKGROUND (continued)The QS System is a containment ESF sy stem. It is designed to ensure that the heat removal capabili ty required during the post accident period can be attained. Operation of the QS System and RS System provides the required heat removal capability to limit post accident conditions to less than the containment design values and depressu rize the containment structure to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a DBA.The QS System limits the temperature and pressure that could be expected following a DBA and ensures that containment leakage is maintained consistent with the accident analysis.APPLICABLE SAFETY ANALYSESThe limiting DBAs considered are the loss of coolant accident (LOCA) and the steam line break (SLB). The LOCA and SLB are analyzed using computer codes designed to predict the resultant c ontainment pressure and temperature transients. No DBAs are assumed to occur simultaneously or consecutively. The postulated DBAs are analyzed, with respect to

containment ESF Systems, assuming no offsite power and the loss of one emergency diesel generator, which is the worst case single active failure,

resulting in one train of the QS Syst em and the RS System inoperable. The postulated SLB events are analyzed without credit for the RS system.

During normal operation, the c ontainment internal pressure is varied, along with other parameters, to maintain the capability to depressurize the containment to less than 2.0 psig in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and to subatmospheric pressure within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after a DBA. This capability and the variation of containment pressure during a DBA ar e functions of the service water temperature, the RWST water temp erature, and the containment air temperature.

The DBA analyses (Ref.1) show th at the maximum peak containment pressure of 43.0psig results from the SL B analysis and is calculated to be less than the containment design pressure. The maximum peak containment atmosphere temperature of 309F results from the SLB analysis and was calculated to exceed the containment design temperature for a relatively short period of time during the transient. The basis of the

containment design temperature, however, is to ensure OPERABILITY of

safety related equipment inside containment (Ref.2). Thermal analyses show that the time interval duri ng which the contai nment atmosphere temperature (continued)

QS System B 3.6.6BASESNorth Anna Units 1 and 2B 3.6.6-3Revision 48APPLICABLE SAFETY ANALYSES(continued) exceeded the containment design temp erature was short enough that there would be no adverse effect on equipm ent inside containment assumed to

mitigate the consequences of the DBA.

Therefore, it is concluded that th e calculated transient containment atmosphere temperatures are acceptable for the SLB.

The modeled QS System actuation from the containment analysis is based upon a response time associated wi th exceeding the containment High-High pressure signal setpoint to achieving full flow through the spray nozzles. A delayed response time initia tion provides conservative analyses of peak calculated containment temp erature and pressure responses. The QS System total response time of 70seconds after Containment Pressure-High High comprises the signal delay, diesel generator startup time, and system startup time, in cluding pipe fill time.

For certain aspects of accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis in creases with increasing containment backpressure. For these calculations, the containment backpressure is

calculated in a manner designed to c onservatively minimiz e, rather than maximize, the calculated transient containment pressures in accordance with 10CFR50.46 (Ref.3).

Inadvertent actuation of the QS System is evaluated in the analysis, and the resultant reduction in containment pressure is calculated. The maximum calculated reduction in containment pressure results in containment pressures within the design co ntainment minimum pressure.The radiological consequences analysis demonstrates acceptable results provided the containment pressure decreases to 2.0psig in 1hour and does not exceed 2.0psig for the interval from 1 to 6hours following the Design Basis Accident (Ref.4). Beyond 6hour s the containment pressure is assumed to be less than 0.0psig, te rminating leakage from containment.

The QS System satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).

North Anna Units 1 and 2B 3.6.6-4Revision31QS System B 3.6.6BASESLCODuring a DBA, one train of the QS Sy stem is required to provide the heat removal capability assumed in the safety analyses for containment. In addition, one QS System train, with sp ray pH adjusted by the contents of

the chemical addition tank, is required to scavenge iodine fission products from the containment at mosphere and ensure their retention in the containment sump water. To ensure that these requirements are met, two QS System trains must be OPERABLE with power from two safety

related, independent power supplies. Ther efore, in the event of an accident, at least one train of QS will operate, assuming that the worst case single active failure occurs.Each QS train includes a spray pump, a dedicated spray header, nozzles, valves, piping, instruments, and cont rols to ensure an OPERABLE flow path capable of taking suction from the RWST.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment and an increase in containment pressure and temperature requiring the oper ation of the QS System.In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Thus, the QS System is not required to be OPERABLE in MODE5 or6.ACTIONSA.1 If one QS train is inoperable, it mu st be restored to OPERABLE status within 72hours. The components availa ble in this degraded condition are capable of providing 100% of the heat removal and iodine removal needs after an accident. The 72hour Completion Time was developed taking into account the redundant heat removal and iodine removal capabilities afforded by the OPERABLE train a nd the low probability of a DBA

occurring during this period.

B.1 and B.2 If the Required Action and associated Completion Time are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 (continued)

QS System B 3.6.6BASESNorth Anna Units 1 and 2B 3.6.6-5Revision 46ACTIONSB.1 and B.2 (continued)within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.6.6.1Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in the QS System provides assurance that the proper flow path exists for QS System operation. This SR does not

apply to valves that are locked, seal ed, or otherwise secured in position, since they were verified to be in th e correct position prior to being secured. This SR does not require any testing or valve manipulation. Rather, it

involves verification, through a system walkdown, that those valves outside containment and capable of pot entially being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.6.2Verifying that each QS pump's develope d head at the flow test point is greater than or equal to the required developed head ensu res that QS pump performance is consistent with the safety analysis assumptions. Flow and differential head are normal tests of centrifugal pump performance required by the ASME Code (Ref.5). Since the QS System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow.

This test confirms one point on the pump design curve and is indicative of overall performance. Such inse rvice tests confirm component OPERABILITY, trend performance, and detect incipient failures by

indicating abnormal performance. Th e Frequency of this SR is in accordance with the Inservice Testing Program.SR3.6.6.3 and SR3.6.6.4These SRs ensure that each QS auto matic valve actuates to its correct position and each QS pump starts upon receipt of an actual or simulated Containment Pressure high-high signal.

(continued)

North Anna Units 1 and 2B 3.6.6-6Revision 48QS System B 3.6.6BASESSURVEILLANCE REQUIREMENT

SSR3.6.6.3 and SR3.6.6.4 (continued)

This Surveillance is not required for valves that are locked, sealed, or

otherwise secured in the required pos ition under administrative controls.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.SR3.6.6.5With the quench spray inlet valves clos ed and the spray header drained of any solution, low pressure air or smoke can be blown through test connections or an inspection of the nozzles can be performed. This SR ensures that each spray nozzle is unobstr ucted and that spray coverage of the containment during an accident is not degraded. Due to the passive nature of the design of the nozzle and the non-corrosive design of the system, a test performed following maintenance which could result in nozzle blockage is consider ed adequate to detect obstruction of the nozzles.REFERENCES1.UFSAR, Section6.2.2.10CFR50.49.

3.10CFR50.46.

4.UFSAR, Section15.4.1.7.

5.ASME Code for Operation and Main tenance of Nuclear Power Plants.

North Anna Units 1 and 2B 3.6.7-1Revision31RS System B 3.6.7B 3.6 CONTAINMENT SYSTEMSB 3.6.7Recirculation Spray (RS) SystemBASESBACKGROUNDThe RS System, operating in c onjunction with the Quench Spray (QS)

System, is designed to limit the post accident pressure and temperature in the containment to less than the design values and to depressurize the containment structure to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a Design Basis Accident (DBA). The

reduction of containment pressure a nd the removal of iodine from the containment atmosphere by the spray limit the release of fission product radioactivity from containment to the environment in the event of a DBA.

The RS System consists of two separate trains of equal capacity, each capable of meeting the design and accident analysis bases. Each train includes one RS subsystem outside containment and one RS subsystem

inside containment. Each subsystem consists of one approximately 50%

capacity spray pump, one spray cooler, one 180 coverage spray header, nozzles, valves, piping, instrumentati on, and controls. Each outside RS subsystem also includes a casing cool ing pump with its own valves, piping, instrumentation, and controls. The two outside RS subsystems' spray pumps are located outside containment and the two inside RS subsystems' spray pumps are located inside containment. Each RS train (one inside and

one outside RS subsystem) is powered from a separate Engineered Safety Features (ESF) bus. Each train of the RS System provides adequate spray coverage to meet the system design requirements for cont ainment heat and iodine fission product removal. Two spray pumps are required to provide

360 of containment spray coverage assumed in the accident analysis. One train of RS or two outside RS subs ystems will provide the containment spray coverage and required flow.

The two casing cooling pumps and common casing cooling tank are designed to increase the net positive suction head (NPSH) available to the outside RS pumps by injecting cold wa ter into the suction of the spray pumps. They are also beneficial to the containment depressurization

analysis. The casing cooling tank contains at least 116,500gal of chilled and borated water. Each casing cool ing pump supplies one outside spray pump with cold borated water from the casing (continued)

North Anna Units 1 and 2B 3.6.7-2Revision31RS System B 3.6.7BASESBACKGROUND (continued) cooling tank. The casing cooling pumps ar e considered part of the outside RS subsystems. Each casing cooling pu mp is powered from a separate ESF bus.The inside RS subsystem pump NPSH is increased by reducing the temperature of the water at the pump su ction. Flow is diverted from the QS system to the suction of the inside RS pump on the same safety train as the quench spray pump supplying the water.

The RS System provides a spray of s ubcooled water into the upper regions of containment to reduce the containment pressure and temperature during a DBA. Upon receipt of a High-High containment pressure signal, the two casing cooling pumps start, the casing cooling discharge valves open, and the RS pump suction and discharge valves receive an open signal to assure the valves are open. Refueling water storage tank (RWST) Level-Low

coincident with Containment Pressu re-High High provides the automatic start signal for the inside RS and ou tside RS pumps. Once the coincidence logic is satisfied, the outs ide RS pumps start immedi ately and the inside RS pumps start after a 120-second delay. The delay time is sufficient to avoid simultaneous starting of the RS pumps on the same emergency diesel generator. The coincident trip ensure s that adequate water inventory is present in the containment sump to m eet the RS sump strainer functional requirements following a loss of coolant accident (LOCA). The RS system is not required for steam line break (SLB) mitigation. The RS pumps take suction from the containment sump and discharge through their respective spray coolers to the spray headers a nd into the containment atmosphere. Heat is transferred from the containment sump water to service water in the spray coolers.

The Chemical Addition System s upplies a sodium hydroxide (NaOH) solution to the RWST water supplied to the suction of the QS System pumps. The NaOH added to the QS System spray ensures an alkaline pH for the solution recirculated in th e containment sump. The resulting alkaline pH of the RS spray (pumped from the sump) enhances the ability of the spray to scavenge iodine fi ssion products from the containment atmosphere. The alkaline pH of the containment sump water minimizes the evolution of iodine and minimizes the occurrence of chloride and caustic stress corrosion on mechanical syst ems and components exposed to the fluid.(continued)

RS System B 3.6.7BASESNorth Anna Units 1 and 2B 3.6.7-3Revision31BACKGROUND (continued)The RS System is a containment ESF sy stem. It is designed to ensure that the heat removal capabilit y required during the post accident period can be attained. Operation of the QS and RS systems provides the required heat removal capability to limit post ac cident conditions to less than the containment design values and depressu rize the containment structure to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours following a DBA.

The RS System limits the temperature and pressure that could be expected following a DBA and ensures that containment leakage is maintained consistent with the accident analysis.APPLICABLE SAFETY ANALYSESThe limiting DBAs considered are th e LOCA and the SLB. The LOCA and SLB are analyzed using computer codes designed to predict the resultant

containment pressure and temperature transients; DB As are assumed not to occur simultaneously or consecutively. The postulated DBAs are analyzed assuming no offsite power and the loss of one emergency diesel generator, which is the worst case single active failure fo r containment

depressurization, resulting in one trai n of the QS and RS systems being rendered inoperable (Ref.1). The postulated SLB events are analyzed

without credit for the RS system.The peak containment pressure following a high energy line break is affected by the initial total pressure and temperature of the containment atmosphere and the QS System operation. Maximizing the initial containment total pressure and average atmospheric temperature maximizes the calculated peak pressure. The heat removal effectiveness of the QS System spray is dependent on the temperature of the water in the RWST. The time required to depressurize the containment and the

capability to maintain it depressuri zed below atmospheric pressure depend on the functional performance of the QS and RS systems and the service water temperature. When the Service Water temperature is elevated, it is more difficult to depressurize the containment to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours since the heat removal effectiveness of the RS System is limited.During normal operation, the containment internal pressure is varied to maintain the capability to depressurize the containment to less than 2.0psig in 1hour and to subatmospheric pressure within 6hours after a DBA. This (continued)

North Anna Units 1 and 2B 3.6.7-4Revision 48RS System B 3.6.7BASESAPPLICABLE SAFETY ANALYSES(continued) capability and the variation of cont ainment pressure are functions of service water temperature, RWST wate r temperature, and the containment air temperature.The DBA analyses show that the maxi mum peak containment pressure of 43.0psig results from the SL B analysis and is calculat ed to be less than the containment design pressure. The maximum 309F peak containment atmosphere temperature re sults from the SLB analysis and is calculated to exceed the containment design temperature for a relatively short period of time during the transient. The basis of the containment design temperature, however, is to ensure OPERABILITY of safety related equipment inside containment (Ref.2). Thermal analyses show that the time interval during

which the containment atmosphere temperature exceeds the containment design temperature is short enough that there would be no adverse effect on equipment inside containment. Ther efore, it is concluded that the calculated transient cont ainment atmosphere temperatures are acceptable for the SLB and LOCA.The RS System actuation model from the containment analysis is based upon a response associated with exceed ing the Containment Pressure-High High signal setpoint and RWST level decreasing below the RWST

Level-Low setpoint. The contai nment analysis models account conservatively for instrument uncertainty for the Containment Pressure-High High setpoint and the RWST Level-Low setpoint. The RS System's total response time is determined by the time to satisfy the coincidence logic, the timer delay fo r the inside RS pumps, pump startup time, and piping fill time.

For certain aspects of accident analyses, maximizing the calculated containment pressure is not conser vative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure. For these calculations, the containment backpressure is

calculated in a manner designed to c onservatively minimiz e, rather than maximize, the calculated transient containment pressures in accordance with 10CFR50.46 (Ref.3).The radiological consequences analysis demonstrates acceptable results provided the containment pressure decreases to 2.0psig in 1hour and does not exceed 2.0psig for the interval from 1 to 6hours following the Design Basis(continued)

RS System B 3.6.7BASESNorth Anna Units 1 and 2B 3.6.7-5Revision31APPLICABLE SAFETY ANALYSES(continued)Accident (Ref.4). Beyond 6hours the c ontainment pressure is assumed to be less than 0.0psig, terminating leakage from containment.

The RS System satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCODuring a DBA, one train (one inside and one outside RS subsystem in the same train) or two outside RS subsystems of the RS System are required to provide the minimum heat removal capability assumed in the safety analysis. To ensure that this requireme nt is met, four RS subsystems and the casing cooling tank must be OPERABLE. This will ensure that at least one train will operate assuming the worst case single failure occurs, which is no offsite power and the loss of one emergency diesel generator.

Inoperability of the casing cooling tank, the casing cooling pumps, the casing cooling valves, piping, instrume ntation, or controls, or of the QSSystem requires an assessment of the effect on RS subsystem OPERABILITY.

Each RS train consists of one RS subsystem outside c ontainment and one RS subsystem inside containment. Each RS subsystem includes one spray pump, one spray cooler, one 180° coverage spray header, nozzles, valves, piping, instrumentation, and controls to ensure an OPERABLE flow path capable of taking suction fr om the containment sump.APPLICABILITYIn MODES1, 2, 3, and4, a DBA c ould cause an increase in containment pressure and temperature requiri ng the operation of the RS System.In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Thus, the RS System is not required to be OPERABLE in MODE5 or6.ACTIONSA.1With one of the RS subsystems inope rable, the inoperable subsystem must be restored to OPERABLE status within 7days. The components in this

degraded condition are capable of pr oviding at least 100% of the heat removal needs (i.e., approximately 150% when one RS subsystem is inoperable)

(continued)

North Anna Units 1 and 2B 3.6.7-6Revision31RS System B 3.6.7BASESACTIONSA.1 (continued)after an accident. The 7day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the RS and QS systems and the low probability of a DBA occurring

during this period.

B.1 and C.1With two of the required RS subsystems inoperable either in the same train, or both inside RS subsystems, at leas t one of the inoperable RS subsystems must be restored to OPERABLE status within 72hours. The components in this degraded condition are capab le of providing 100% of the heat removal needs and 360 containment spray coverage after an accident. The 72hour Completion Time was develope d taking into account the redundant heat removal capability afforded by the OPERABLE subsystems, a reasonable amount of time for repair s, and the low probability of a DBA occurring during this period.

D.1With the casing cooling tank inoperable, the NPSH available to both outside RS subsystem pumps may not be sufficient. The inoperable casing cooling tank must be restored to OPERABLE status within 72hours. The components in this degr aded condition are capable of providing 100% of the heat removal needs after an accid ent. The casing cooling tank does not affect the OPERABILITY of the insi de RS subsystem pumps. The effect on NPSH of the outside RS pumps must be assessed as part of outside RS pump OPERABILITY. The 72hour Completion Time was chosen based on the same reasons as given in Required ActionB.1.

E.1 and E.2 If the inoperable RS subsystem(s) or the casing cooling tank cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 84hours. The allowed Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3

from full power conditions in an orderly manner and without challenging unit systems. The extended interval to reach (continued)

RS System B 3.6.7BASESNorth Anna Units 1 and 2B 3.6.7-7Revision 46ACTIONSE.1 and E.2 (continued)MODE5 allows additional time and is reasonable considering that the driving force for a release of radioactive material from the Reactor Coolant System is reduced in MODE3.F.1With an inoperable inside RS subsys tem in one train, and an inoperable outside RS subsystem in the other train, only 180 containment spray coverage is available. This condition is outside accident analysis. With three or more RS subsystems inoperabl e, the unit is in a condition outside the accident analysis. With two inoperable outside RS subsystems, less than 100% of required RS flow is availa ble. Therefore, in all three cases, LCO3.0.3 must be entered immediately.SURVEILLANCE

REQUIREMENT

SSR3.6.7.1Verifying that the casing cooling tank solution temperature is within the specified tolerances provides assurance that the water injected into the suction of the outside RS pumps will increase the NPSH available as per design. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.SR3.6.7.2Verifying the casing cooling tank c ontained borated water volume provides assurance that sufficient water is available to support the outside RS subsystem pumps during the time they are required to operate. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

North Anna Units 1 and 2B 3.6.7-8Revision 46RS System B 3.6.7BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.6.7.3Verifying the boron concentration of the solution in the casing cooling tank

provides assurance that borated water added from the casing cooling tank to RS subsystems will not dilute th e solution being recirculated in the containment sump. A Note states that for Unit2, until the first entry into MODE4 following the Unit2 Fall2002 refueling outage, the casing cooling tank boron concentration acceptance criter ia shall be 2300ppm and 2400ppm. The Surveillance Fre quency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.7.4Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in th e RS System and casing cooling tank provides assurance that the proper flow path exists for operation of the RS System. This SR does not apply to va lves that are locked, sealed, or otherwise secured in position, since they are verified as being in the correct position prior to being secured. This SR does not require any testing or valve manipulation. Rather, it invol ves verification, through a system walkdown, that those valves outsi de containment and capable of potentially being mispositioned are in the corre ct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.7.5Verifying that each RS and casing cooling pump's developed head at the flow test point is greater than or equal to the required developed head ensures that these pumps' performance has not degraded during the cycle.

Flow and differential head are normal tests of centrifugal pump performance required by the ASME Code (Ref.5). Since the RS System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. Th is test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend perf ormance, and detect incipient failures by indicating abnor mal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.

RS System B 3.6.7BASESNorth Anna Units 1 and 2B 3.6.7-9Revision 48SURVEILLANCE REQUIREMENT

S(continued)SR3.6.7.6These SRs ensure that each automatic valve actuates and that the casing

cooling pumps start upon receipt of an actual or simulated High-High containment pressure signal. The RS pum ps are verified to start with an actual or simulated RWST Leve l-Low signal coincident with a Containment Pressure-High High signal. The start delay times for the inside RS pumps are also verified. Th is Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.7.7 Periodic inspections of the containmen t sump components ensure that they are unrestricted and stay in prope r operating condition. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR3.6.7.8 This SR ensures that each spray nozzle is unobstructed and that spray coverage of the containment will meet its design ba ses objective. Either an inspection of the nozzles or an air or smoke test is performed through each spray header. Due to the passive design of the spray header and its

normally dry state, a test performe d following maintenance which could result in nozzle blockage is consider ed adequate for detecting obstruction of the nozzles.REFERENCES1.UFSAR, Section6.2.2.10CFR50.49.3.10CFR50.46.

4.UFSAR, Section15.4.1.7.

5.ASME Code for Operation and Main tenance of Nuclear Power Plants.

Intentionally Blank North Anna Units 1 and 2B 3.6.8-1Revision 36Chemical Addition System B 3.6.8B 3.6 CONTAINMENT SYSTEMSB 3.6.8Chemical Addition SystemBASESBACKGROUNDThe Chemical A ddition System is a subsystem of the Quench Spray System that assists in reducing the iodine fission product inventory in the containment atmosphere resulting fr om a Design Basis Accident (DBA).

Radioiodine in its various forms is the fission product of primary concern in the evaluation of a DBA. It is absorbed by the spray from the containment atmosphere. To enhance th e iodine absorption capacity of the spray, the spray solution is adjusted to an alkaline pH that promotes iodine hydrolysis, in which iodine is conver ted to nonvolatile forms. Because of its stability when exposed to radiati on and elevated temperature, sodium hydroxide (NaOH) is the pr eferred spray additive.

The NaOH added to the spray also ensures a pH value of between7.0 and8.5 of the solution recirculated from the containment sump. This pH band minimizes the evolution of iodine as well as the oc currence of chloride and caustic stress corrosion on mechanical systems and components.

The Chemical Addition System consists of one chemical addition tank, two parallel redundant motor operated valves in the line between the chemical addition tank and the refueling water storage tank (RWST), instrumentation, and a recirculation pump. The NaOH solution is added to the spray water by a balanced gravity feed from the chemical addition tank through the connecting piping into a weir within the RWST. There, it mixes with the borated water flowing to the spray pump suction. Because of the hydrostatic balance between the two ta nks, the flow rate of the NaOH is controlled by the volume per foot of height rati o of the two tanks. This ensures a spray mixture pH that is 8.5 and 10.5.The Quench Spray System actuation si gnal opens the valves from the chemical addition tank to the spray pump suctions or the quench spray

pump start signal opens the valves from the chemical addition tank after a 5minute delay. The 12%to 13%NaOH solution is drawn into the spray

pump suctions. The chemical addi tion tank capacity provides for the addition of NaOH solution to all of the water sprayed from the RWST into containment. The percent solution and volume of solution (continued)

North Anna Units 1 and 2B 3.6.8-2Revision 36Chemical Addition System B 3.6.8BASESBACKGROUND (continued) sprayed into containment ensures a lo ng term containment sump pH of 7.0 and 8.5. This ensures the continued iodine retention effectiveness of the sump water during the recirculation phase of spray operation and also minimizes the occu rrence of chloride induced stress corrosion cracking of the stainless steel recirc ulation piping. Maintaining the sump fluid pH less than or equal to 8.5 en sures that there is adequate NPSH available to the ECCS and RSS pum ps with post-LOCA debris and chemical precipitant loading on the containment sump strainer.APPLICABLE SAFETY ANALYSESThe Chemical Addition System is esse ntial to the removal of airborne iodine within contai nment following a DBA.

Following the assumed release of radioactive materials into containment, the containment is assumed to leak at its analysis value volume following the accident. The plant accident dose calculations use an effective containment coverage of 70% of the containment volume. The containment safety analyses implicitly assume that the containment atmosphere is so turbulent following an accidental release of high energy fluids inside containment that, for heat removal purposes, the containment volume is effectively completely covered by spray.The DBA response time assumed for the Chemical Addi tion System is based on the Chemical A ddition System isolation valves beginning to open 5minutes after a QS pump start.

The DBA analyses assume that one train of the Quench Spray System is inoperable and that the entire chem ical addition tank volume is added through the remaining Quench Spray System flow path.The Chemical Addition System satisfies Criterion3 of 10CFR50.36(c)(2)(ii).

LCOThe Chemical Addition System is necessary to reduce the release of radioactive material to the environment in the event of a DBA. To be

considered OPERABLE, the volume a nd concentration of the chemical addition solution must be sufficient to provide NaOH injection into the

spray flow until the Quench Spray System has completed pumping water from the RWST to the contai nment sump, and to raise the (continued)

Chemical Addition System B 3.6.8BASESNorth Anna Units 1 and 2B 3.6.8-3Revision 36 LCO(continued)average spray solution pH to a level conducive to iodine removal, namely, to between8.5 and10.5. This pH range maximizes the effe ctiveness of the iodine removal mechanism without in troducing conditions that may induce caustic stress corrosion cracking of mechanical system components.

In addition, it is essentia l that valves in the Chem ical Addition System flow paths are properly positioned and that automatic valves are capable of

activating to their correct positions.APPLICABILITYIn MODES1, 2, 3, and4, a DBA could cause a releas e of radioactive material to containment requiring th e operation of the Chemical Addition System. The Chemical Addition System assists in reducing the iodine fission product inventory prior to release to the environment.In MODES5 and6, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES.

Thus, the Chemical Addition System is not required to be OPERABLE in MODE5 or6.ACTIONSA.1 If the Chemical Addition System is i noperable, it must be restored to OPERABLE within 72hours. The pH adjustment of the Quench Spray System flow for iodine removal enha ncement is reduced in this condition.

The Quench Spray System would still be available and would remove some iodine from the containment atmo sphere in the event of a DBA. The 72hour Completion Time takes into account the ability of the Quench

Spray System to remove iodine at a reduced capa bility using the redundant Quench Spray flow path capabilities and the low probability of the worst case DBA occurring during this period.

B.1 and B.2If the Chemical Addition System canno t be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To ac hieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 84hours. The allowed Completion Time of 6hours is reasonable, based (continued)

North Anna Units 1 and 2B 3.6.8-4Revision 46Chemical Addition System B 3.6.8BASESACTIONSB.1 and B.2 (continued)on operating experience, to reach MODE3 from full power conditions in an orderly manner and without chal lenging unit systems. The extended interval to reach MODE5 allows 48hour s for restoration of the Chemical Addition System in MODE3 and 36hours to reach MODE5. This is reasonable when considering the re duced pressure and temperature conditions in MODE3 for the release of radioactive material from the Reactor Coolant System.SURVEILLANCE

REQUIREMENT

SSR3.6.8.1Verifying the correct alignment of Chemical Addition System manual, power operated, and automatic valves in the chemic al addition flow path provides assurance that the system is able to provide additive to the Quench Spray System in the event of a DBA. This SR does not apply to

valves that are locked, sealed, or ot herwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing,

or securing. This SR does not requir e any testing or valve manipulation. Rather, it involves verification, th rough a system walkdown, that those valves outside containment and capable of potentially be ing mispositioned are in the correct position. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.8.2To provide effective iodine removal, the containment spray must be an alkaline solution. Since the RWST contents are normally acidic, the volume of the chemical addition tank must provide a sufficient volume of spray additive to adjust pH for all wa ter injected. This SR is performed to verify the availability of sufficie nt NaOH solution in the Chemical Addition System. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.8.3 This SR provides veri fication, by chemical analysis, of the NaOH concentration in the chemical addition tank and is sufficient to ensure that the spray solution being injected (continued)

Chemical Addition System B 3.6.8BASESNorth Anna Units 1 and 2B 3.6.8-5Revision 46SURVEILLANCE REQUIREMENT

SSR3.6.8.3 (continued) into containment is at the correct pH level. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.SR3.6.8.4 This SR provides verificat ion that each automatic valve in the Chemical Addition System flow path actuat es to its correct position. This Surveillance is not required for valves that are lock ed, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.6.8.5To ensure that the correct pH level is established in the borated water solution provided by the Quench Spray System, flow from the Chemical Addition System is verified draining solution from the RWST and chemical addition tank through the dr ain lines in the cross-connection between the tanks. This SR provides a ssurance that the correct amount of NaOH will be metered into the flow path upon Quench Spray System initiation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.REFERENCESNone Intentionally Blank North Anna Units 1 and 2B 3.7.1-1Revision 8 MSSVsB 3.7.1B 3.7PLANT SYSTEMSB 3.7.1Main Steam Safety Valves (MSSVs)BASESBACKGROUNDThe primary purpose of the MSSVs is to provide overpressure protection for the secondary system. The MSSV s also provide protection against overpressurizing the reactor coolant pressure boundary (RCPB) by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water Syst em, is not available.

Five MSSVs are located on each main steam header, outside containment, upstream of the main steam isolation valves, as described in the UFSAR, Section10.3.1 (Ref.1). The MSSVs must have sufficient capacity to limit the secondary system pressure to 110% of the steam generator design pressure in order to meet the requirements of the ASME Code, SectionIII (Ref.2). The MSSV design includes sta ggered lift settings, according to Table3.7.1-2 in the accompanying LCO, so that only the needed valves will actuate. Staggered lift settings reduce the potential for valve chattering that is due to steam pressure insufficie nt to fully open all valves following a turbine reactor trip. These lift setti ngs are for ambient conditions of the valve associated with MODES1, 2, and3. This requires either that the valves be set hot or that a correlation between hot and cold settings be

established.APPLICABLE SAFETY ANALYSESThe design basis for the capacity of the MSSVs comes from Reference2 and its purpose is to limit the secondary system pressure to 110% of design pressure for any anticipate d operational occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.The events that challenge the relieving capacity of the MSSVs, and thus RCS pressure, are those characterized as decreased heat removal events,

which are presented in the UFSAR, Section15.2 (Ref.3). Of these, the full power turbine trip without steam dump is typically the limiting AOO. This event also terminates normal feedwater flow to the steam generators.

(continued)

North Anna Units 1 and 2B 3.7.1-2Revision 8 MSSVsB 3.7.1BASESAPPLICABLE SAFETY ANALYSES(continued)

The safety analysis demons trates that the transient response for turbine trip occurring from full power without a di rect reactor trip presents no hazard to the integrity of the RCS or the Main Steam System. One turbine trip analysis is performed assuming primary system pressure control via

operation of the pressurizer relief valves and spray. This analysis demonstrates that the DNB design ba sis is met. Another analysis is performed assuming no primary system pressure control, but crediting reactor trip on high pressurizer pressu re and operation of the pressurizer safety valves. This analysis demonstrates that RCS integrity is maintained

by showing that the maximum RCS pressure does not exceed 110% of the design pressure. All cases analyzed demonstrate that the MSSVs maintain Main Steam System integrity by limiting the maximum steam pressure to less than 110% of the steam generator design pressure.

In addition to the decreased heat removal events, reactivity insertion events may also challenge the relieving capacity of the MSSVs. The uncontrolled rod cluster control assembly (RCCA) bank withdrawal at power event is characterized by an increase in core power and steam generation rate until reactor trip occurs when either the Overtemperature T or Power Range Neutron Flux-High setpoint is reached. Steam flow to the turbine will not increase from its initial value for this event. The increased heat transfer to the secondary side causes an increase in steam pressure and may result in opening of the MSSVs prior to reactor trip, assuming no credit for operation of the atmospheric or condenser steam dump valves. The UFSAR Section15.2 safety analysis of the RCCA bank withdrawal at power event for a range of initial core power levels demonstrates that the MSSVs are capable of preventing sec ondary side overpressurization for this AOO. The UFSAR safety analyses discussed above assume that all of

the MSSVs for each steam genera tor are OPERABLE. If there are inoperable MSSV(s), it is necessary to limit the primary system power

during steady-state operation and AOOs to a value that does not result in exceeding the combined steam flow capacity of the turbine (if available) and the remaining OPERABLE MSSV

s. The required limitation on primary system power necessary to prevent secondary system

overpressurization may be determined by system transient analyses or conservatively arrived at by a simple heat balance cal culation. In some circumstances it is necessary to limit the primary side heat generation that can be achieved during an AOO by reducing the setpoint of the Power

Range Neutron Flux-High reacto r trip function. For example, (continued)

MSSVsB 3.7.1BASESNorth Anna Units 1 and 2B 3.7.1-3Revision 42APPLICABLE SAFETY ANALYSES(continued) if more than one MSSV on a single steam generator is inoperable, an uncontrolled RCCA bank withdrawal at power event occurring from a partial power level may result in an increase in reactor power that exceeds the combined steam flow capacity of the turbine and the remaining

OPERABLE MSSVs. Thus, for multiple inoperable MSSVs on the same steam generator it is necessary to prevent this power increase by lowering

the Power Range Neutron Flux-High set point to an appropriate value. When Moderator Temperature Coeffici ent (MTC) is positive, the reactor power may increase above the initial value during an RCS heatup event

(e.g., turbine trip). Thus, for any number of inoperable MSSVs it is necessary to reduce the trip setpoint if a positive MTC may exist at partial power conditions.The MSSVs satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe accident analysis requires five MSSVs per steam generator be OPERABLE to provide overpressure pr otection for design basis transients occurring at 100.37%RTP. The LCO requires that five MSSVs per steam generator be OPERABLE in compliance with Reference2, and the DBA analysis.

The OPERABILITY of the MSSVs is defined as the ability to open upon demand within the setpoint tolerances to relieve steam generator overpressure, and reseat when pressure has been reduced. The OPERABILITY of the MSSVs is dete rmined by periodic surveillance testing in accordance with the Inservice Testing Program.

This LCO provides assurance that the MSSVs will perform their designed safety functions to mitigat e the consequences of acci dents that could result in a challenge to the RCPB or Main Steam System integrity.APPLICABILITYIn MODES1, 2, and3, five MSSVs per steam ge nerator are required to be OPERABLE to prevent Main Steam System overpressurization.In MODES4 and5, there are no credible transients requiring the MSSVs.

The steam generators are not normally used for heat removal in MODES5 and6, and thus cannot be overpressurize d; there is no requirement for the MSSVs to be OPERABLE in these MODES.

North Anna Units 1 and 2B 3.7.1-4Revision 42 MSSVsB 3.7.1BASESACTIONSThe ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each MSSV.With one or more MSSVs inoperable, action must be taken so that the available MSSV relieving capacity meets Reference2 requirements.Operation with less than all five MSSVs OPERABLE for each steam generator is permissible, if THERMAL POWER is limited to the relief capacity of the remaining MSSVs. Th is is accomplished by restricting THERMAL POWER so that the energy transfer to the most limiting steam generator is not greater than the avai lable relief capacity in that steam generator.

A.1In the case of only a single inope rable MSSV on one or more steam generators, when the MTC is not posit ive, a reactor power reduction alone is sufficient to limit primary side heat generation such that overpressurization of the secondary si de is precluded for any RCS heatup event. Furthermore, for this case there is sufficient total steam flow capacity provided by the turbine and remaining OPERABLE MSSVs to

preclude overpressurization in the even t of an increased reactor power due to reactivity insertion, such as in the event of an uncontrolled RCCA bank withdrawal at power. Therefore, Required ActionA.1 requires an appropriate reduction in reactor power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

The maximum THERMAL POWER corr esponding to the heat removal capacity of the remaining OPERABLE MSSVs is determined via a conservative heat balan ce calculation as described in the attachment to Reference5, with an appropriate allowance for calorimetric power uncertainty.

B.1 and B.2 In the case of multiple inopera ble MSSVs on one or more steam generators, with a reactor power reduction alone there may be insufficient total steam flow capacity provided by the turbine and remaining OPERABLE MSSVs to prec lude overpressurization in the event of an increased reactor power due to reactivity insertion, such as in the event of

an uncontrolled RCCA bank withdrawal at power. Furthermore, for a single inoperable MSSV on one or more steam generators when the MTC

is positive the reactor power may increase as a result of an RCS heatup event such that flow capacity of the (continued)

MSSVsB 3.7.1BASESNorth Anna Units 1 and 2B 3.7.1-5Revision 42ACTIONSB.1 and B.2 (continued) remaining OPERABLE MSSVs is insufficient. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time for Required ActionB.1 is c onsistent with A.1. An additional 32hours is allowed in Required ActionB.2 to reduce the setpoints. The Completion Time of 36hours is based on a reasonable time to correct the MSSV inoperability, the time requi red to perform the power reduction, operating experience in resetting all ch annels of a protective function, and on the low probability of the occurrence of a transient that could result in

steam generator overpressure during this period.

The maximum THERMAL POWER corr esponding to the heat removal capacity of the remaining OPER ABLE MSSVs is determined via a conservative heat balan ce calculation as described in the attachment to Reference5, with an appropriate allowance for Nuclear Instrumentation System trip channel uncertainties.Required ActionB.2 is modified by a Note, indicating that the Power Range Neutron Flux-High reactor trip se tpoint reduction is only required in MODE1. In MODES2 and3 the reactor protection system trips specified in LCO3.3.1, "Reactor Protection Sy stem Instrumentation," provide sufficient protection.The allowed Completion Times are reasonable based on operating experience to accomplish the Require d Actions in an orderly manner without challenging unit systems.

C.1 and C.2 If the Required Actions are not completed within the associated Completion Time, or if one or more steam generators have 4 inoperable MSSVs, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4 within 12hours. The allowed Completion Times are reasonable, based on operati ng experience, to reach the required unit conditions from full power conditions in an orderly manner and

without challenging unit systems.

North Anna Units 1 and 2B 3.7.1-6Revision 19 MSSVsB 3.7.1BASESSURVEILLANCE REQUIREMENT

SSR3.7.1.1SRs are specified in the Inservice Test ing Program. MSSVs ar e to be tested in accordance with the requirements of the ASME Code (Ref.4) which

provides the activities and frequencie s necessary to satisfy the SR. The MSSV lift settings given in the LCO are for operability, however, the

valves are reset to +/-1% during the surveillance to allow for drift.

This SR is modified by a Note that allows entry into and operation in MODE3 prior to performing the SR. The MSSVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate

lift pressure.REFERENCES1.UFSAR, Section10.3.1.2.ASME, Boiler and Pressure Vessel Code, SectionIII.3.UFSAR, Section15.2.4.ASME Code for Operation and Main tenance of Nuclear Power Plants.5.NRC Information Notice 94-60, "Poten tial Overpressurization of the Main Steam System," August22,1994.

North Anna Units 1 and 2B 3.7.2-1Revision 0 MSTVsB 3.7.2B 3.7 PLANT SYSTEMSB 3.7.2Main Steam Trip Valves (MSTVs)BASESBACKGROUNDThe MSTVs isolate steam flow from the se condary side of the steam generators following a high energy line break (HELB). MSTV closure terminates flow from the unaff ected (intact) steam generators.One MSTV is located in each main steam line outside, but close to, containment. The MSTVs are downstream from the main steam safety valves (MSSVs) and auxiliary fe edwater (AFW) pump turbine steam supply, to prevent MSSV and AFW isolation from the steam generators by MSTV closure. Closing the MSTVs isolates each steam generator from the others, and isolates the turbine, Steam Dump Syst em, and other auxiliary steam supplies from the steam generators.The MSTVs close on a main steam is olation signal generated by either intermediate high high containment pr essure, high steam flow coincident with low low RCS T avg, or low steam line pressu re. The MSTVs fail closed on loss of control air pressure.

Each MSTV has an MSTV bypass valv

e. Although these bypass valves are normally closed, they receive the same emergency closure signal as do their associated MSTVs. The MSTV bypass valves may also be actuated manually.

A description of the MSTVs is found in the UFSAR, Section10.3 (Ref.1).APPLICABLE SAFETY ANALYSESThe design basis of the MSTVs is esta blished by the containment analysis for the main steam line break (MSLB) inside containment, discussed in the UFSAR, Section6.2 (Ref.2). It is also affected by the acci dent analysis of the SLB events presented in the UFSAR, Section15.4.2 (Ref.3). The design precludes the blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSTV

to close on demand).

(continued)

North Anna Units 1 and 2B 3.7.2-2Revision 0 MSTVsB 3.7.2BASESAPPLICABLE SAFETY ANALYSES(continued)

The limiting case for the containment analysis is the MSLB inside containment, with a loss of offsite pow er following turbine trip, and failure of the Non Return Valve (NRV) on the affected steam generator to close. At lower powers, the steam generator inventory and temperature are at their maximum, maximizing the analyzed mass and energy release to the

containment. Due to reverse flow and failure of the NRV to close, the additional mass and energy in the steam headers downstream from the

other MSTVs contribute to the total release. With the most reactive rod cluster control assembly assumed stuck in the fully withdrawn position,

there is an increased possibility that the core will b ecome critical and return to power. The core is ultimately sh ut down by the boric acid injection delivered by the Emergency Core Cooling System.The accident analysis compares several different MSLB events against different acceptance criteria. The MSLB outside containment upstream of the MSTV is limiting for offsite dose, although a break in this short section of main steam header has a very low probability. The MSLB inside

containment at hot zero power is the limiting case for a post trip return to power. The analysis includes scenarios with offsite power available, and with a loss of offsite power following turbine trip. With offsite power

available, the reactor coolant pumps continue to circulate coolant through the steam generators, maximizing th e Reactor Coolant System cooldown. With a loss of offsite power, the resp onse of mitigating systems is delayed. Significant single failures considered include failure of an MSTV to close.The MSTVs only serve a safety func tion and remain open during power operation. These valves operate under the following situations:a.A HELB inside containment. In order to maximize the mass and energy release into containment, the analysis assumes that the NRV in the affected steam generator remains ope

n. For this accident scenario, steam is discharged into containment from all steam generators until the remaining MSTVs close. After MSTV closure, steam is discharged into containment only from the affected steam genera tor and from the residual steam in the main steam header downstream of the closed MSTVs in the unaffected loops. Clos ure of the MSTVs isolates the break from the unaffec ted steam generators.

(continued)

MSTVsB 3.7.2BASESNorth Anna Units 1 and 2B 3.7.2-3Revision 20APPLICABLE SAFETY ANALYSES(continued)b.A break outside of containment a nd upstream from the MSTV is not a containment pressurization concer

n. The uncontrolled blowdown of more than one steam generator must be prevented to limit the potential for uncontrolled RCS cooldown and positive reactivity addition.

Closure of the MSTVs isolates the break and limits the blowdown to a single steam generator.c.A break downstream of the MSTVs will be isolated by the closure of the MSTVs.d.Following a steam generator tube rupture, the operator will isolate flow to the ruptured steam generator, ad just auxiliary feedwater flow to maintain specified water levels in the ruptured and intact steam generators and manually isolate steam flow from the ruptured generator to the turbine-driven auxiliary feedwater in the Main Steam Valve

House. The operator will also veri fy that the steam generator power operated relief valves are available and their manual isolation valves

are opened (if required) in preparati on for subsequent steps. Closure of the MSTVs isolates the ruptured steam generator from the intact steam generators to minimize radiological releases.e.The MSTVs are also utilized during other events such as a feedwater line break. This event is less limiting so far as MSTV OPERABILITY is concerned.

The MSTVs satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThis LCO requires that three MSTV s in the steam lines be OPERABLE. The MSTVs are considered OPERABLE when the isolation times are

within limits, and they close on an isolation actuation signal.

This LCO provides assurance that the MSTVs will perform their design safety function to mitigate the conseque nces of accidents that could result in offsite exposures comparable to the 10CFR50.67 (Ref.4) limits or the NRC staff approved licensing basis.

North Anna Units 1 and 2B 3.7.2-4Revision 8 MSTVsB 3.7.2BASESAPPLICABILITYThe MSTVs must be OPERABLE in MODE1, and in MODES2 and3 except when closed and de-activate d, when there is significant mass and energy in the RCS and steam generators. When the MSTVs are closed, they are already performing the safety function.In MODE4, the steam generator energy is low and the MSTVs are not required to support the safety analyses due to the low probability of a design basis accident.In MODE5 or6, the steam generators do not contain much energy because their temperature is belo w the boiling point of water; therefore, the MSTVs are not required for isolation of potential high energy secondary system pipe breaks in these MODES.ACTIONSA.1With one MSTV inoperable in MODE1, action must be taken to restore OPERABLE status within 8hours. Some repairs to the MSTV can be made with the unit hot. The 8hour Completion Time is reasonable, considering the low probability of an accident occurring during this time period that would require a closure of the MSTVs.The 8hour Completion Time is greater than that normally allowed for containment isolation valves because the MSTVs are valves that isolate a closed system penetrating containment. These valves differ from other containment isolation valves in that the closed system provides an additional means for containment isolation.

B.1If the MSTV cannot be restored to OPERABLE status within 8hours, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in MODE2 within 6hours and ConditionC would be entered. The Completion Times are reasonable, based on operating experience, to reach MODE2 and to close the MSTVs in an orderly manner and without challenging unit systems.

C.1 and C.2ConditionC is modified by a Note indi cating that separate Condition entry is allowed for each MSTV.

(continued)

MSTVsB 3.7.2BASESNorth Anna Units 1 and 2B 3.7.2-5Revision 8ACTIONSC.1 and C.2 (continued)

Since the MSTVs are required to be OPERABLE in MODES2 and3, the inoperable MSTVs may either be restor ed to OPERABLE status or closed.

When closed, the MSTVs are already in the position required by the assumptions in the safety analysis.The 8hour Completion Time is consistent with that allowed in ConditionA.

For inoperable MSTVs that cannot be restored to OPERABLE status within the specified Completion Time, but are closed, the inoperable

MSTVs must be verified on a periodic ba sis to be closed. This is necessary to ensure that the assumptions in th e safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgment, in view of MSTV status indications ava ilable in the control room, and other administrative controls, to ensure th at these valves are in the closed

position.

D.1 and D.2 If the MSTVs cannot be restored to OPERABLE status or are not closed within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed at least in MODE3 within 6hours, and in MODE4 within 12hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the required unit conditions from MODE2 conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.7.2.1 This SR verifies that MSTV isolation time is 5.0seconds. The MSTV isolation time is assumed in the acci dent and containment analyses. This Surveillance is normally performe d upon returning the unit to operation following a refueling outage. The MSTVs should not be tested at power, since even a part stroke exercise increases the risk of a valve closure when the unit is generating power. As the MSTVs are not tested at power, they are exempt from the ASME Code (Ref.5) require ments during operation in MODE1 or2.The Frequency is in accordance with the Inservice Testing Program.

(continued)

North Anna Units 1 and 2B 3.7.2-6Revision 46 MSTVsB 3.7.2BASESSURVEILLANCE REQUIREMENT

SSR3.7.2.1 (continued)

This test may be conducted in MODE3 with the unit at operating temperature and pressure. This SR is modified by a Note that allows entry into and operation in MODE3 prior to performing the SR. This allows a delay of testing until MODE3, to es tablish conditions consistent with those under which the acceptance criterion was generated.SR3.7.2.2This SR verifies that each MSTV clos es on an actual or simulated actuation signal. This Surveillance is normally performed u pon returning the plant to operation following a refueling outage. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Section10.3.2.UFSAR, Section6.2.3.UFSAR, Section15.4.2.

4.10CFR50.67.

5.ASME Code for Operation and Main tenance of Nuclear Power Plants.

North Anna Units 1 and 2B 3.7.3-1Revision 23MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3B 3.7 PLANT SYSTEMSB3.7.3Main Feedwater Isolation Valves (MFIVs), Main Feedwater Pump Discharge Valves (MFPDVs), Main Feedwater Regulating Valves (MFRVs), and Main Feedwater Regulating Bypass Valves (MFRBVs)BASESBACKGROUNDThe MFIV and the MFRV are in series in the Main Feedwater (MFW) line upstream of each steam generator.

The MFRBV is parallel to both the MFIV and the MFRV. The MFPDV is located at the discharge of each main feedwater pump. The valves are located outside of the containment. These valves provide the isolation of each MFW line by the closure of the MFIV and MFRBV, the MFRV and MFRBV, or the closure of the MFPDV. To provide the needed isolation given the single failure of one of the valves,

all four valve types are required to be OPERABLE. The MFIVs and the MFRVs provide single failure protection for each other in one flow path

and the MFPDVs and the MFRBVs provi de single failure protection for each other in the other flow path.

The safety-related function of the MFIVs, MFPDVs, MFRVs and the MFRBVs is to provide isolation of MF W from the secondary side of the steam generators following a high energy line break. Closure of the MFIV and MFRBV, the MFRV and MFRBV, or the closure of the MFPDV terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release for steam or feedwater line breaks and minimizing the positive reactivity effects of the Reactor Coolant System (RCS) cooldown associated with th e blowdown. In the event of pipe rupture inside the containment, the valves limit the quantity of high energy fluid that enters the containment through the broken loop.

The containment isolation MFW check va lve in each loop provides the first pressure boundary for the addition of Auxiliary Feedwater (AFW) to the intact loops and prevents back flow in the feedwater line should a break occur upstream of these valves. These check valves also isolate the non-safety-related portion of the MFW system from the safety-related portion of the system. The piping volume from the feedwater isolation valve to the steam generators is considered in calculating mass and energy

release following either a st eam or feedwater line break.

(continued)

North Anna Units 1 and 2B 3.7.3-2Revision 23MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESBACKGROUND (continued)The MFIVs, MFPDVs, MFRVs, and MF RBVs close on receipt of Safety Injection or Steam Generator Water Level-High High signal. The MFIVs, MFPDVs, MFRVs, and MFRBVs may also be actuated manually.

A description of the operation of the MFIVs, MFPDVs, MFRVs, and MFRBVs is found in the UFSAR, Section10.4.3 (Ref.1).APPLICABLE SAFETY ANALYSESThe design basis for the closure of the MFIVs, MFPDVs, MFRVs, and MFRBVs is established by the analyses for the Main Steam Line Break (MSLB). It is also influenced by the accident analysis for the Feedwater Line Break (FWLB). Closure of the MFIVs and MFRBVs, or MFRVs and

MFRBVs, or the MFPDVs, may also be relied on to terminate an MSLB on

receipt of an SI signal for core response analysis and for an excess

feedwater event upon the receipt of a Steam Generator Water Level-High High signal.Failure of an MFIV and MFRV, or an MFRBV and MFPDV to close following an MSLB or FWLB can result in additional mass and energy

being delivered to the steam genera tors, contributing to cooldown. This failure also results in additional mass and energy releases following an MSLB or FWLB event.The MFIVs, MFPDVs, MFRVs, and MFRBVs satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThis LCO ensures that the MFIVs, MFPDVs, MFRVs, and MFRBVs will isolate MFW flow to the steam genera tors, following an FWLB or MSLB.This LCO requires that three MFIVs, three MFPDVs, three MFRVs, and three MFRBVs be OPERABLE. The valves are considered OPERABLE when isolation times are within limi ts and they close on an isolation actuation signal. The MFIVs and the MFRVs provide single failure protection for each other, and the MFPDV and the MFRBV provide single failure protection for each other.Failure to meet the LCO requirements can result in additional mass and energy being released to containment following an MSLB or FWLB inside containment. A feedwater isolation signal on high high steam generator level is relied on to terminate an excess feedwater flow event, and failure to meet the LCO may result in the introduction of water into the main steam lines.(continued)

MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESNorth Anna Units 1 and 2B 3.7.3-3Revision 23APPLICABILITYThe MFIVs, MFPDVs, MFRVs, and MFRBVs must be OPERABLE whenever there is significant mass and energy in the RCS and steam generators. In MODES1, 2, and3, the MFIVs, MFPDVs, MFRVs, and MFRBVs are required to be OPERABLE to limit the amount of available fluid that could be added to containmen t in the case of a secondary system pipe break inside containment. When the valves are closed and

de-activated or isolated by a closed manual valve, they are already performing their safety function.In MODES4, 5, and6, steam generator energy is low. Therefore, the MFIVs, MFPDVs, MFRVs, and MF RBVs are not required to be OPERABLE.ACTIONSThe ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each valve.

A.1 and A.2With one MFIV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPER ABLE status, or to close or isolate inoperable affected valves within 72hours. When these valves are closed or isolated, they are performi ng their required safety function.The 72hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72hour Completion Time is reasonable, based on

operating experience.

Inoperable MFIVs that are cl osed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgment, in view of other

administrative controls, to ensure that these valves are closed or isolated.

B.1 and B.2With one MFRV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72hours. When these valves are closed or isolated, they are perf orming their required safety function.

(continued)

North Anna Units 1 and 2B 3.7.3-4Revision 23MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESACTIONSB.1 and B.2 (continued)The 72hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72hour Completion Time is reasonable, based on operating experience.Inoperable MFRVs, that are closed or isolated, must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgmen t, in view of other administrative controls to ensure that the valves are closed or

isolated.

C.1 and C.2With one MFRBV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72hours. When these valves are closed or isolated, they are performing their required safety function.The 72hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72hour Completion Time is reasonable, based on operating experience.

Inoperable MFRBVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgmen t, in view of other administrative controls to ensure that these valves are closed or

isolated.

D.1 and D.2With one MFPDV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72hours. When these valves are closed or isolated, they are performing their required safety function.

(continued)

MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESNorth Anna Units 1 and 2B 3.7.3-5Revision 23ACTIONSD.1 and D.2 (continued)The 72hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72hour Completion Time is reasonable, based on operating experience.

Inoperable MFPDVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7day Completion Time is reasonable, based on engineering judgment, and in

view of other administrative controls, to ensure that these valves are closed or isolated.

E.1With two inoperable valves in the same flow path, there may be no redundant system to operate automatical ly and perform the required safety function. For example, either a MFIV and a MFRV in the same main

feedwater line are inoperable or a MFPDV and a MFRBV are inoperable.

Under these conditions, at least one of the affected valves must be restored to OPERABLE status, or the affected flow path isolated within 8hours.

This action returns the system to the condition where at least one valve in each flow path is performing the required safety function. The 8hour Completion Time is reasonable, based on operating experience, to complete the actions required to close the affected valves, or otherwise isolate the affected flow path.

F.1 and F.2 If the inoperable valve(s) cannot be restored to OPERABLE status, or closed, or isolated within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4 within 12hours. The allowed Completion Times are reasonable, based on operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.

North Anna Units 1 and 2B 3.7.3-6Revision 46MFIVs, MFPDVs, MFRVs, and MFRBVs B 3.7.3BASESSURVEILLANCE REQUIREMENT

SSR3.7.3.1This SR verifies that the isolation time of each MFIV, MFRV, and MFRBV is 6.98seconds and the isolati on time for each MFPDV is 60seconds.

The isolation times are assumed in th e accident and containment analyses.

This Surveillance is normally pe rformed during a refueling outage.

The Frequency for this SR is in accordance with the Inservice Testing Program.SR3.7.3.2 This SR verifies that each MFIV, MFRV, MFRBV, and MFPDV can close on an actual or simulated actuation signal. This Surveillance is normally performed upon returning the plant to operation following a refueling outage.The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section10.4.3.

North Anna Units 1 and 2B 3.7.4-1Revision 0SG PORVsB 3.7.4B 3.7 PLANT SYSTEMSB 3.7.4Steam Generator Power Operated Relief Valves (SG PORVs)BASESBACKGROUNDThe SG PORVs provide a method for cooling the unit to residual heat removal (RHR) entry conditions shoul d the preferred heat sink via the condenser dump valves not be availa ble, as discussed in the UFSAR, Section10.3 (Ref.1). This is done in conjunction with the Auxiliary Feedwater System providi ng cooling water from the emergency condensate storage tank (ECST) (or, alternately, with main feedwater from the condenser hotwell or main c ondensate tanks, if available).One SG PORV line for eac h of the three st eam generators is provided. Each SG PORV line consists of one SG PORV and an associated upstream

manual isolation valve.The SG PORVs are provided with upstream manual isolation valves to permit their being tested at power, a nd to provide an alternate means of isolation. The SG PORVs are equippe d with pneumatic controllers to permit control of the cooldown rate.The SG PORVs are provided with a backup supply tank which is pressurized from the instrument air header via a check valve arrangement that, on a loss of pressure in the normal instrument air supply,

automatically supplies air to operate the SG PORVs. The air supply is sized to provide the sufficient pressurized air to operate the SG PORVs until manual operation of the SG PORVs can be established.A description of the SG PORVs is found in Reference1. The SG PORVs are OPERABLE when they are capable of providing controlled relief of the

main steam flow and capable of be ing fully opened and closed, either remotely or by local manual operation.APPLICABLE SAFETY ANALYSESThe design basis of the SG PORVs is established by the capability to cool the unit to RHR entry conditions. The SG PORVs are used in conjunction with auxiliary feedwater supplied from the ECST (or, alternately, with main feedwater from the condenser hotwell or main condensate tanks, if (continued)

North Anna Units 1 and 2B 3.7.4-2Revision 0SG PORVsB 3.7.4BASESAPPLICABLE SAFETY ANALYSES(continued) available). Adequate inventory is available in the ECST to support operation for 2hours in MODE3 followed by a 4hour cooldown to the RHR entry conditions.In the SGTR accident analysis presented in Reference2, the SG PORVs are assumed to be used by the operator to cool down the unit to RHR entry conditions when the SGTR is accompanied by a loss of offsite power, which renders the condenser dump valv es unavailable. Prior to operator actions to cool down the unit, the SG PORVs and main steam safety valves (MSSVs) are assumed to operate au tomatically to relieve steam and maintain the steam generator pressu re below the design value. For the recovery from a steam generator tube rupture (SGTR) even t, the operator is also required to perform a limite d cooldown to establish adequate subcooling as a necessary step to terminate the pr imary to secondary break flow into the ruptured steam generator. The time required to terminate the primary to secondary break flow for an SGTR is more critical than the time required to cool down to RHR conditions for this event. Thus, the SGTR is the limiting event for the SG PORVs. The requirement for three SG PORVs to be OPERABLE satisfies the SGTR accident analysis requirements,

including consideration of a single failure of one SG PORV to open on demand.The SG PORVs are equipped with manual isolation valves in the event an SG PORV spuriously fails open or fails to close during use.The SG PORVs satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThree SG PORV lines are required to be OPERABLE. One SG PORV line is required from each of three steam generators to ensure that at least one SG PORV line is available to conduc t a unit cooldown fo llowing an SGTR, in which one steam generator becomes unavailable, accompanied by a

single, active failure of a second SG PORV line on an unaffected steam generator. The manual isolation valves must be OPERABLE to isolate a failed open SG PORV line. A closed manual isolation valve does not render it or its SG PORV line inopera ble because operator action time to open the manual isolation valve is supported in the accident analysis.

(continued)

SG PORVsB 3.7.4BASESNorth Anna Units 1 and 2B 3.7.4-3Revision 0 LCO(continued)

Failure to meet the LCO can result in the inability to cool the unit to RHR entry conditions following an event in which the condenser is unavailable for use with the Steam Dump System.An SG PORV is considered OPERAB LE when it is capable of providing controlled relief of the main steam flow and capable of fully opening and closing, remotely or by lo cal manual operation on demand.APPLICABILITYIn MODES1, 2, and3, and in MODE4, when a steam generator is being relied upon for heat removal, the SG PORVs are required to be OPERABLE.

In MODE5 or6, an SGTR is not a credible event.ACTIONSA.1With one required SG PORV line i noperable, action must be taken to restore OPERABLE status within 7days. The 7day Completion Time

allows for the redundant capability afforded by the remaining OPERABLE SG PORV lines, a nonsafety grade backup in the Steam Dump System, and MSSVs.B.1With two or more SG PORV lines i noperable, action must be taken to restore all but one SG PORV line to OPERABLE status. Since the upstream manual isolation valve can be closed to isolate an SG PORV, some repairs may be possible with the unit at power. The 24hour Completion Time is reasonable to repair inoperable SG PORV lines, based on the availability of the Steam Dump System and MSSVs, and the low

probability of an event occurring duri ng this period that would require the SG PORV lines.

C.1 and C.2If the SG PORV lines cannot be rest ored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4, without reliance upon steam generator for heat removal, within 24hours. The allowed Completion Times are reasonable, based on operating (continued)

North Anna Units 1 and 2B 3.7.4-4Revision 46SG PORVsB 3.7.4BASESACTIONSC.1 and C.2 (continued) experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.SURVEILLANCE REQUIREMENT

SSR3.7.4.1To perform a controlled cooldown of the RCS, the SG PORVs must be able to be opened either remotely or lo cally and throttled through their full range. This SR ensures that the SG PORVs are tested thr ough a full control cycle at least once per fuel cycle. Perf ormance of inservice testing or use of an SG PORV during a unit cooldown may satisfy this requirement. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.7.4.2The function of the upstream manual isolation valve is to isolate a failed SG PORV. Cycling the upstream manua l isolation valve both closed and open demonstrates its capability to pe rform this function. Performance of inservice testing or use of the upstr eam manual isolation valve during unit cooldown may satisfy this requirement. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Section10.3.2.UFSAR, Section15.4.3.

North Anna Units 1 and 2B 3.7.5-1Revision 0AFW System B 3.7.5B 3.7 PLANT SYSTEMSB 3.7.5Auxiliary Feedwater (AFW) SystemBASESBACKGROUNDThe AFW System automatically s upplies feedwater to the steam generators to remove decay heat from the Reac tor Coolant System upon the loss of normal feedwater supply. The AFW pum ps take suction through separate and independent suction lines from the emergency condensate storage tank (ECST) (LCO3.7.6) and pump to the st eam generator secondary side via separate and independent connections to the main feedwater (MFW) piping outside containment. The steam generators function as a heat sink for core decay heat. The heat load is dissipated by releasing steam to the atmosphere from the steam generators via the main steam safety valves (MSSVs) (LCO3.7.1) or steam generator power operate d relief valves (SG PORVs) (LCO3.7.4). If the main conde nser is available, steam may be released via the steam dump valves and recirculated to the condenser hotwell.The AFW System consists of two mo tor driven AFW pumps and one steam turbine driven pump configured into th ree trains. Each pump is aligned to one steam generator, and the capacity of each pump is sufficient to provide

the designated flow assumed in the accident analysis. The pumps are

equipped with recirculation lines to prevent pump operation against a closed system. Each motor driven AFW pump is powered from an independent Class1E power suppl y and normally feeds one steam generator, although each pump has the capability to be realigned to feed

other steam generators. The steam turbine driven AFW pump receives steam from three main steam lines upstr eam of the main steam trip valves (MSTVs). The steam supply lines combin e into a header which is isolated from the steam driven auxiliary fe edwater pump by two parallel valves. Main steam trip valves, MS-TV-111A and MS-TV-111B (Unit1),

MS-TV-211A and MS-TV-211B (Unit 2) are powered from separate 125V

DC trains and actuated by the Engine ered Safety Features Actuation System (ESFAS). Opening of either trip valve will provide sufficient steam to the steam driven pump to produce th e design flow rate from the ECST to the steam generator(s).

The AFW System is capable of supplying feedwater to the steam generators during normal unit startup, shutdown, and hot standby conditions.

(continued)

North Anna Units 1 and 2B 3.7.5-2Revision 0AFW System B 3.7.5BASESBACKGROUND (continued)

The AFW pumps may be aligned and supply a common header capable of feeding all steam generators. One pump at full flow is sufficient to remove decay heat and cool the unit to residual heat removal (RHR) entry conditions. Thus, the requirement for diversity in motive power sources for the AFW System is met.

The AFW System is designed to supply sufficient water to the steam generator(s) to remove decay heat with steam generator pressure associated with the lowest setpoint MSSV. Subsequently, the AFW System supplies sufficient water to cool the unit to RHR entry conditions, with steam released through the SG PORVs.The AFW System actuates automatically on Steam Generator Water Level low-low by the ESFAS (LCO3.3.2). The system also actuates on loss of offsite power, safety injection, and trip of all MFW pumps.

The AFW System is discussed in the UFSAR, Section10.4.3.2 (Ref.1).APPLICABLE SAFETY ANALYSESThe AFW System mitigates the conseque nces of any event with loss of normal feedwater.

The design basis of the AFW System is to supply water to the steam generator to remove decay heat and other residual heat by delivering at least the minimum required flow rate to the steam generators at pressures corresponding to the lowest steam genera tor safety valve set pressure plus 3%.In addition, the AFW Syst em must supply enough ma keup water to replace steam generator secondary inventory lost as the unit cools to MODE4 conditions. Sufficient AFW fl ow must also be availa ble to account for flow losses such as pump recirc ulation and line breaks.

The limiting Design Basis Accidents (DBAs) and transients for the AFW System are as follows:a.Feedwater Line Break (FWLB);b.Main Steam Line Break (MSLB); andc.Loss of MFW.

(continued)

AFW System B 3.7.5BASESNorth Anna Units 1 and 2B 3.7.5-3Revision 0APPLICABLE SAFETY ANALYSES(continued)

In addition, the minimum available AF W flow and system characteristics are considerations in the analysis of a small break loss of coolant accident (LOCA).The AFW System design is such that it can perform its function following an FWLB between the MFW isolation valves and containment, combined with a loss of offsite power follow ing turbine trip, and a single active failure of the steam turbine driven AFW pump. In such a case, the ESFAS logic may not detect the affected st eam generator if the backflow check valve to the affected MFW header worked properly. One motor driven

AFW pump would deliver to the broke n MFW header at maximum design

flow until the problem was detected, and flow terminated by the operator. Sufficient flow would be delivered to the intact steam generator by the

redundant AFW pump.The ESFAS automatically actuates the AFW turbine driven pump when required to ensure an adequate feed water supply to its dedicated steam generator during loss of power. Air or motor operated valves are provided for each AFW line to control the AFW flow to each steam generator.The AFW System satisfies the requirements of Criterion3 of 10CFR50.36(c)(2)(ii).

LCOThis LCO provides assura nce that the AFW System will perform its design safety function to mitigate the conseque nces of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three independent AFW pumps in three di verse trains are required to be OPERABLE to ensure the availability of AFW capability for all events accompanied by a loss of offsite power and a single failure. This is accomplished by powering two of the pumps from independent emergency buses. The third AFW pump is powered by a different means, a steam driven turbine supplied with steam from a source that is not isolated by closure of the MSTVs.The AFW System is configured into three trains. The AFW System is considered OPERABLE when the components and flow paths required to

provide redundant AFW flow to the steam generators are OPERABLE. This requires that the two motor driven AFW pumps be OPERABLE in

two diverse paths, each supplying AFW to separate steam generators. The turbine driven AFW pump is required to be OPERABLE with redundant (continued)

North Anna Units 1 and 2B 3.7.5-4Revision 37AFW System B 3.7.5BASESLCO(continued) steam supplies from each of two main steam supply paths through MS-TV-111A and MS-TV-111B (Unit1), MS-TV-211A and MS-TV-211B (Unit2), which receive steam from at least two of the three main steam lines upstream of the MSTVs. The piping, valves, instrumentation, and controls required to perform the safety function in the required flow paths

also are required to be OPERABLE.

In addition, if a seismic air tank or th e inlet check valve to the seismic air tank associated with any of the air operated valves (FW-PCV-159A, FW-PCV-159B, FW-HCV-100A, FW-HCV-1OOB, FW-HCV-100C, MS-TV-111A and MS-TV-111B (Unit1), FW-PCV-259A, FW-PCV-259B, FW-HCV-200A, FW-HCV-200B, FW-HCV-200C, MS-TV-211A and MS-TV-211B (Unit2)) is removed fro m service, or becomes unavailable, then the associated valve is considered inoperable.

The LCO is modified by a Note i ndicating that one AFW train, which includes a motor driven pump, is required to be OPERABLE in MODE4 when the steam generator is relied upon for heat removal. This is because

of the reduced heat removal require ments and short period of time in MODE4 during which the AFW is required and the insufficient steam available in MODE4 to power the turbine driven AFW pump.APPLICABILITYIn MODES1, 2, and3, the AFW Sy stem is required to be OPERABLE in the event that it is called upon to function when the MFW is lost. In

addition, the AFW System is require d to supply enough makeup water to replace the steam generator secondary inventory, lost as the unit cools to MODE4 conditions.In MODE4 one AFW train is required to be OPERABLE when the steam generator(s) is relied upon for heat removal.

In MODE5 or6, the steam generators are not normally used for heat removal, and the AFW System is not required.ACTIONSA.1 If one of the two steam supplies, MS-TV-111A and MS-TV-111B (Unit1), MS-TV-211A and MS-TV-211B (Unit2), to the turbine driven AFW train is inoperable or if a turbine driven AFW pump is inoperable while in MODE3 immediately following refueli ng, action must be taken to restore the affected (continued)

AFW System B 3.7.5BASESNorth Anna Units 1 and 2B 3.7.5-5Revision 37ACTIONSA.1 (continued)equipment to an OPERABLE status within 7days. The 7day Completion Time is reasonable, based on the following reasons:a.For the inoperability of a steam supply to the turbine driven AFW pump, the 7day Completion Time is reasonable since there is a redundant steam supply line for the turbine driven pump.b.For the inoperability of a turbin e driven AFW pump while in MODE3 immediately subsequent to a refueling outage, the 7day Completion Time is reasonable due to the minimal decay heat levels in this

situation.c.For both the inoperability of a st eam supply line to the turbine driven pump and an inoperable turbine driven AFW pump while in MODE3

immediately following a refueling outage, the 7day Completion Time is reasonable due to the availabili ty of redundant OPERABLE motor driven AFW pumps; and due to th e low probability of an event requiring the use of the turbine driven AFW pump.The second Completion Time for Required ActionA.1 establishes a limit on the maximum time allowed for a ny combination of Conditions during any contiguous failure to meet this LCO.The 10day Completion Time provides a limitation time allowed in this specified Condition after disc overy of failure to meet the LCO. This limit is considered reasonable fo r situations in which ConditionsA andB are entered concurrently. The AND connector between 7days and 10days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

ConditionA is modified by a Note whic h limits the applicability of the Conditions to when the unit has not entered MODE2 following a refueling. ConditionA allows the turbine driven AFW train to be inoperable for 7days vice the 72hour Completion Time in ConditionB. This longer Completion Time is based on the reduced decay heat following refueling and prior to th e reactor being critical.

North Anna Units 1 and 2B 3.7.5-6Revision 37AFW System B 3.7.5BASESACTIONS(continued)

B.1With one of the required AFW trains (pump or flow path) inoperable in MODE1, 2, or3 for reasons other than ConditionA, action must be taken to restore OPERABLE status within 72hours.

This Condition includes the loss of two steam supply lines to the turbine driven AFW pump. The 72hour Completion Time is reasonabl e, based on redundant capabilities afforded by the AFW System, time needed for repairs, and the low

probability of a DBA occurr ing during this time period.The second Completion Time for Required ActionB.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any contiguous failure to meet this LCO.The 10day Completion Time provides a limitation time allowed in this specified Condition after disc overy of failure to meet the LCO. This limit is considered reasonable for situations in which ConditionsA andB are entered concurrently. The AND connector between 72hours and 10days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

C.1 and C.2When Required ActionA.1 orB.1 cannot be completed within the required Completion Time, or if two AFW trains are inoperable in MODE1, 2, or3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4 within 18hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.In MODE4, when the steam generator is relied upon for heat removal, with two AFW trains inoperable, opera tion is allowed to continue because only one motor driven pump AFW train is required in accordance with the Note that modifies the LCO. Alt hough not required, the unit may continue to cool down and initiate RHR.

AFW System B 3.7.5BASESNorth Anna Units 1 and 2B 3.7.5-7Revision 46ACTIONS(continued)

D.1If all three AFW trains are inoperable in MODE1, 2, or3, the unit is in a seriously degraded condition with no safety related means for conducting a cooldown, and only limited means for conducting a cooldown with nonsafety related equipment. In such a condition, the unit should not be perturbed by any action, including a power change, that might result in a trip. The seriousness of this conditi on requires that action be started immediately to restore one AFW train to OPERABLE status.

Required ActionD.1 is modified by a Note indicating that all required MODE changes or power reductions required by the Technical

Specifications are suspended until one AFW train is restored to OPERABLE status. In this case, LCO3.0.3 is not applicable because it could force the unit into a less safe condition.

E.1In MODE4, either the reactor coolan t pumps or the RHR loops can be used to provide forced circulation. This is addressed in LCO3.4.6, "RCS Loops-MODE4." With the required AF W train inoperable, action must be taken to immediately restore the inoperable train to OPERABLE status. The immediate Completion Time is consistent with LCO3.4.6.SURVEILLANCE

REQUIREMENT

SSR3.7.5.1Verifying the correct alignment for manual, power operated, and automatic valves in the AFW System water a nd steam supply flow paths provides assurance that the proper flow paths will exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to

locking, sealing, or securi ng. This SR also does not apply to valves that cannot be inadvertently misaligne d, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of bein g mispositioned are in the correct position.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

North Anna Units 1 and 2B 3.7.5-8Revision 46AFW System B 3.7.5BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.7.5.2Verifying that each AFW pump's developed head at the flow test point is

greater than or equal to the require d developed head ensures that AFW

pump performance has not degraded during the cycle. Flow and differential head are normal tests of centrif ugal pump performance required by the ASME Code (Ref2). Because it is so metimes undesirable to introduce cold AFW into the steam generators while they are operating, this testing is

typically performed on recirculation flow. This test confirms one point on the pump design curve and is indicativ e of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance.

Performance of inservice testing disc ussed in the ASME Code (Ref. 2) (only required at 3 month intervals) satisfies this requirement.

This SR is modified by a Note indicat ing that the SR should be deferred until suitable test conditions are established. This deferral is required because there may be insufficient st eam pressure to perform the test.SR3.7.5.3 This SR verifies that AFW can be delivered to the appropriate steam generator in the event of any accident or transient that generates an ESFAS, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or si mulated actuation signal. This Surveillance is not required for valves that are lock ed, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that st ates the SR is not required in MODE 4. In MODE4, the heat removal requirements would be less providing more time for operator action to manually align the required valves.

AFW System B 3.7.5BASESNorth Anna Units 1 and 2B 3.7.5-9Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.7.5.4This SR verifies that the AFW pumps wi ll start in the even t of any accident or transient that generates an ESFAS by demonstrating that each AFW

pump starts automatically on an actual or simulated actuation signal in MODES1, 2, and3. In MODE4, the required pump's autostart function is not required. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.

This SR is modified by tw o Notes. Note 1 indicates that the SR be deferred until suitable test conditions are established. This deferral is required because there may be insufficient steam pressure to perform the test. Note 2 states that the SR is not required in MODE 4. In MODE 4, the heat removal requirements would be less providing more time for operator action to manually start the required AFW pump.SR3.7.5.5This SR verifies that the AFW is properly aligned by verifying the flow paths from the ECST to each steam generator prior to entering MODE3 after more than 30contiguous days in any combination of MODES 5, 6, or defueled. OPERABILITY of AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shut down. The Frequency is reasonable, based on engineering judgement and ot her administrative controls that ensure that flow paths remain OPERABLE. To further ensure AFW

System alignment, flow path OPERABILITY is verified following extended outages to determine no misa lignment of valves has occurred.

This SR ensures that the flow path fr om the ECST to the steam generators is properly aligned.REFERENCES1.UFSAR, Section10.4.3.2.2.ASME Code for Operation and Maintenance of Nuclear Power Plants.

Intentionally Blank North Anna Units 1 and 2B 3.7.6-1Revision0ECSTB 3.7.6B 3.7 PLANT SYSTEMSB 3.7.6Emergency Condensate Storage Tank (ECST)BASESBACKGROUNDThe ECST provides a safety grade source of water to the steam generators for removing decay and sensible heat from the Reactor Coolant System (RCS). The ECST provides a passive flow of water, by gravity, to the Auxiliary Feedwater (AFW) System (LCO3.7.5). The steam produced is released to the atmosphere by the main steam safety valves (MSSVs) or the steam generator power operated relief valves (SG PORVs). The AFW

pumps operate with a continuous recirculation to the ECST.

When the main steam trip valves are open, the preferred means of heat removal is to discharge steam to th e condenser by the nonsafety grade path of the steam dump valves. The condensed steam is returned to the hotwell and is pumped to the 300,000gallon conde nsate storage ta nk which can be aligned to gravity feed the ECST. Th is has the advantage of conserving condensate while minimizing releases to the environment.

Because the ECST is a principal com ponent in removing re sidual heat from the RCS, it is designed to with stand earthquakes a nd other natural phenomena, including missiles that might be generated by natural phenomena. The ECST is designed to Seismic CategoryI to ensure availability of the feedwater supply.

Feedwater is also available from alternate sources.A description of the ECST is found in the UFSAR, Section9.2.4 (Ref.1).APPLICABLE SAFETY ANALYSESThe ECST provides cooling water to remove decay heat and to cool down

the unit following all events in the ac cident analysis as discussed in the UFSAR, Chapters6 and15 (Refs.2 and3, respectively). For anticipated operational occurrences and accidents that do not affect the

OPERABILITY of the steam generators

, the analysis as sumption is 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> in MODE3, steaming through the MSSV s, followed by a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> cooldown to residual heat removal (RHR) entr y conditions at the design cooldown rate.(continued)

North Anna Units 1 and 2B 3.7.6-2Revision 42 ECSTB 3.7.6BASESAPPLICABLE SAFETY ANALYSES(continued)

The limiting event for the condensate volume is the large feedwater line break coincident with a loss of offsite power. Single failures accommodated by the accident include the following:a.Failure of the diesel generator powering the motor driven AFW pump to one unaffected steam generator (requiring additional steam to drive the remaining AFW pump turbine); andb.Failure of the steam driven AFW pump (requiring a longer time for cooldown using only one mo tor driven AFW pump).

These are not usually the limiting fail ures in terms of consequences for these events.

A nonlimiting event considered in EC ST inventory determinations is a break in either the main feedwater or AFW line near where the two join. This break has the potential for dumping condensate until terminated by

operator action, since the Engineered Safety Features Actuation System (LCO3.3.2, ESFAS) starts the AFW system and would not detect a difference in pressure between the steam generators for this break location.

This loss of condensat e inventory is partially compensated for by the retention of steam generator inventory.

The ECST satisfies Criterion3 of 10CFR50.36(c)(2)(ii).LCOTo satisfy accident analysis assumptions, the ECST must contain sufficient cooling water to remove decay heat for 30minutes following a reactor trip from 100.37%RTP, and then to cool down the RCS to RHR entry conditions, assuming a coincident loss of offsite power and the most adverse single failure. In doing this, it must retain sufficient water to ensure adequate net positive suction head for the AFW pumps during cooldown, as well as account for any losses from the steam driven AFW pump turbine, or before isolating AFW to a broken line.

The ECST level required is equiva lent to a contained volume of 110,000gallons, which is based on holding the unit in MODE3 for 8hours, or maintaining the unit in MODE3 for 2hours followed by a 4hour cooldown to RHR entry (continued)

ECSTB 3.7.6BASESNorth Anna Units 1 and 2B 3.7.6-3Revision0 LCO(continued) conditions within the limit of 100F/hour. The basis for these times is established in the accident analysis.The OPERABILITY of the ECST is determined by maintaining the tank level at or above the minimum requi red level to ensure the minimum volume of water.APPLICABILITYIn MODES1, 2, and3, and in MODE4, when steam generator is being relied upon for heat removal, the ECST is required to be OPERABLE.In MODE5 or6, the ECST is not required because the AFW System is not required.ACTIONSA.1 and A.2 If the ECST is not OPERABLE, the OPERABILITY of the backup supply, the Condensate Storage Tank, should be verified by administrative means within 4hours and once every 12hours thereafter. OPERABILITY of the backup feedwater supply must include ve rification that the flow paths from the backup water supply to the AFW pumps are OPERABLE, and that the backup supply has the required volume of water available. The ECST must be restored to OPERABLE status within 7days, because the backup supply may be performing this function in addition to its normal functions. The 4hour Completion Time is reasonable, based on operating experience, to verify the OPERABILITY of the backup water supply. Additionally, verifying the backup water supply every 12hours is adequate to ensure the

backup water supply continues to be available. The 7day Completion Time is reasonable, based on an OP ERABLE backup water supply being available, and the low pr obability of an event oc curring during this time period requiring the ECST.

B.1 and B.2If the ECST cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE4, without reliance on the steam

generator for heat removal, within 24hours. The allowed Completion Times are reasonable, based on operati ng experience, to reach the required unit conditions from full power conditions in an orderly manner and

without challenging unit systems.

North Anna Units 1 and 2B 3.7.6-4Revision 46 ECSTB 3.7.6BASESSURVEILLANCE REQUIREMENT

SSR3.7.6.1 This SR verifies that the ECST c ontains the required volume of cooling water. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.2.4.2.UFSAR, Chapter6.3.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.7.7-1Revision 20 Secondary Specific Activity B 3.7.7B 3.7 PLANT SYSTEMSB 3.7.7Secondary Specific ActivityBASESBACKGROUNDActivity in the secondary cool ant results from steam generator tube outleakage from the Reactor Coolant System (RCS). Under steady state conditions, the activity is primarily iodines with relatively short half lives and, thus, indicates current conditions. During transients, I-131spikes have been observed as well as increased re leases of some noble gases. Other fission product isotopes, as well as act ivated corrosion products in lesser amounts, may also be found in the secondary coolant.

A limit on secondary coolant speci fic activity during power operation minimizes releases to the envir onment because of normal operation, anticipated operational occurrences, and accidents.This limit is lower than the activity value that might be expected from a 1gpm tube leak (LCO3.4.13, "RCS Op erational LEAKAGE") of primary coolant at the limit of 1.0Ci/gm (LCO3.4.16, "RCS Specific Activity").

The steam line failure is assumed to result in the release of the noble gas and iodine activity contained in the steam generator inventory, the feedwater, and the reacto r coolant LEAKAGE. Most of the iodine isotopes have short half lives, (i.e., <20hours).

If the main steam safety valves (MSSVs) open for 2hours following a trip from full power with the specified activity limit, the resultant 2hour dose to a person at the exclusion area boundary (EAB) would be less than 0.033rem TEDE (the consequences of the design basis main steam line break accident).Operating a unit at the allowable limits could result in a 2hour EAB exposure at the Regulatory Guide1.183 (Ref.1) limits, or the limits established as the NRC staff approved licensing basis.

North Anna Units 1 and 2B 3.7.7-2Revision 20 Secondary Specific Activity B 3.7.7BASESAPPLICABLE SAFETY ANALYSESThe accident analysis of the main steam line break (MSLB), as discussed in the UFSAR, Chapter15 (Ref.2) assu mes the initial secondary coolant specific activity to have a radi oactive isotope concentration of 0.10Ci/gm DOSE EQUIVALENTI-131. This assumption is used in the analysis for determining the radiological consequences of the postulated accident. The accident analysis, based on this an d other assumptions, shows that the radiological consequences of an MSLB do not exceed the limits specified in Regulatory Guide1.183 (Ref.1).With the loss of offsite power, the remaining steam generators are available for core decay heat dissi pation by venting steam to the atmosphere through the MSSVs and steam generator power operated relief valves (SG PORVs). The Auxiliary Feedwater System supplies the necessary makeup to the steam generators. Venting continues until the reactor coolant temperature and pressure have decreased sufficie ntly for the Residual Heat Removal System to complete the cooldown.

In the evaluation of the radiological consequences of this accident, the activity released fro m the steam generator connected to the failed steam line is assumed to be released directly to the environment. The unaffected steam generator is assumed to discharge steam and any entrained activity through the MSSVs and SG PORV during the event. Since no credit is taken in the analysis for activity pl ateout or retention, the resultant radiological consequences represent a conservative estimate of the

potential integrated dose due to the postulated steam line failure.Secondary specific activity limits satisfy Criterion2 of 10CFR50.36(c)(2)(ii).

LCOAs indicated in the Applicable Safety Analyses, the specifi c activity of the secondary coolant is required to be 0.10Ci/gm DOSE EQUIVALENTI-131 to limit the radiol ogical consequences of a Design

Basis Accident (DBA) to the required limit (Ref.1).

Monitoring the specifi c activity of the secondary coolant ensures that when secondary specific activity limits ar e exceeded, appropriate actions are taken in a timely manner to place the unit in an operational MODE that

would minimize the radiologica l consequences of a DBA.

Secondary Specific Activity B 3.7.7BASESNorth Anna Units 1 and 2B 3.7.7-3Revision 46APPLICABILITYIn MODES1, 2, 3, and4, the limits on secondary specific activity apply due to the potential for secondary steam releases to the atmosphere.In MODES5 and6, the steam generators are not being used for heat removal. Both the RCS and steam generators are depressurized, and primary to secondary LEAKAGE is mi nimal. Therefore, monitoring of secondary specific activity is not required.ACTIONSA.1 and A.2DOSE EQUIVALENTI-131 exceeding the allowable value in the

secondary coolant, is an indication of a problem in the RCS and contributes

to increased post accident doses. If th e secondary specific activity cannot be restored to within limits within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.7.7.1 This SR verifies that the secondary specific activity is within the limits of the accident analysis. A gamma isotopic analysis of the secondary coolant, which determines DOSE EQUIVALENT I-131, confirms the validity of the safety analysis assumptions as to the source terms in post accident releases. It also serves to iden tify and trend any unusual isotopic concentrations that might indicate cha nges in reactor coolant activity or LEAKAGE. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.REFERENCES1.Regulatory Guide1.183, July2000.2.UFSAR, Chapter15.

Intentionally Blank North Anna Units 1 and 2B 3.7.8-1Revision 0SW System B 3.7.8B 3.7 PLANT SYSTEMSB 3.7.8Service Water (SW) SystemBASESBACKGROUNDThe SW System provides a heat sink for the removal of process and operating heat from safety relate d components during a Design Basis Accident (DBA) or tr ansient. During normal operation, and a normal shutdown, the SW System also provides this function for various safety related and nonsafety related component

s. The safety related function is covered by this LCO.

The SW System is common to Units 1 and 2 and is designed for the simultaneous operation of various subsystems and components of both units. The source of cooling water for the SW System is the Service Water Reservoir. The SW System consists of two loops and components can be aligned to operate on either loop. Th ere are four main SW pumps taking suction on the Service Water Reservoir, supplying various components through the supply headers, and then returning to the Service Water

Reservoir through the return headers.

Eight spray arrays are available to provide cooling to the service water, as well as two winter bypass lines.

The isolation valves on the spray ar ray lines automatically open, and the isolation valves on the winter bypass lines automatically shut, following receipt of a Safety Inje ction signal. The main SW pumps are powered from the four emergency buses (two from each unit). There are also two

auxiliary SW pumps whic h take suction on North Anna Reservoir and discharge to the supply header. When the auxiliary SW pumps are in

service, the return header may be redirected to wast e heat treatment facility if desired. However, the auxiliary SW pumps are strictly a backup to the normal arrangement and are not cred ited in the analysis for a DBA.

During a design basis loss of coolant a ccident (LOCA) concurrent with a loss of offsite power to both units, one SW loop will provide sufficient

cooling to supply post-LOCA loads on one unit and shutdown and

cooldown loads on the other unit. During a DBA, the two SW loops are cross-connected at the recirculation spray (RS) heat exchanger supply and return headers of the accident unit. On a Safety Injection (SI) signal on

either unit, all four main SW pumps start and the system is aligned for Service Water Reservoir spray opera tion. On a contai nment high-high (continued)

North Anna Units 1 and 2B 3.7.8-2Revision 0 SW System B 3.7.8BASESBACKGROUND (continued) pressure signal the accident unit' s Component Cooling (CC) heat exchangers are isolated from the SW System and its RS heat exchangers are placed into service. All safety-r elated systems or components requiring cooling during an accident are cooled by the SW System, including the RS heat exchangers, main control ro om air conditioning condensers, and charging pump lubricating oil and gearbox coolers.

The SW System also provides cooling to the instrument air compressors, which are not safety-related, and the non-accident unit's CC heat exchangers, and serves as a bac kup water supply to the Auxiliary Feedwater System, the spent fuel pool coolers, and the containment recirculation air cooling coils. The SW System has sufficient redundancy

to withstand a single failure, including the failure of an emergency diesel generator on the affected unit.Additional information about the design and operation of the SW System, along with a list of the components se rved, is presented in the UFSAR, Section9.2.1 (Ref.1). The principal sa fety related function of the SW System is the removal of decay heat from the reactor fo llowing a DBA via the RS System.APPLICABLE SAFETY ANALYSESThe design basis of the SW System is for one SW loop, in conjunction with the RS System, to remove core deca y heat following a design basis LOCA as discussed in the UFSAR, Section6.2.2 (Ref.2). This prevents the

containment sump fluid from increasing in temperature, once the cooler RWST water has reached equilibrium wi th the fluid in containment, during the recirculation phase following a LOCA and provides for a gradual reduction in the temperature of this fl uid which is supplie d to the Reactor Coolant System by the ECCS pumps. The SW System also prevents the buildup of containment pressure from exceeding the containment design pressure by removing heat through the RS System heat exchangers. The SW System is designed to perform its function with a single failure of any

active component, assuming the loss of offsite power.

The SW System, in conjunction with the CC System, also cools the unit from residual heat removal (RHR), as discussed in the UFSAR, Section5.5.4, (Ref.3) entry conditions to MODE5 during normal and post accident operations. The time required for this evolution is a function of the number of CC and RHR System trains that are operating.

(continued)

SW System B 3.7.8BASESNorth Anna Units 1 and 2B 3.7.8-3Revision 14APPLICABLE SAFETY ANALYSES(continued)The SW System satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCOTwo SW loops are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident

heat loads, assuming that the worst case single active failure occurs coincident with the loss of offsite power.

A SW loop is considered OPERABLE during MODES1, 2, 3, and4 when:a.Eithera.1Two SW pumps are OPERABLE in an OPERABLE flow path; ora.2One SW pump is OPERABLE in an OPERABLE flow path provided two SW pumps are OPERABLE in the other loop and SW flow to the CC heat ex changers is throttled; andb.Eitherb.1Three spray arrays are OPERAB LE in an OPERABLE flow path; orb.2Two spray arrays are OPERABLE in an OPERABLE flow path, provided two spray arrays are OP ERABLE in the other loop; and the spray valves for the required OPERABLE spray arrays in both loops are secured in the accident position and power removed

from the valve operators; andc.The associated piping, valves, a nd instrumentation and controls required to perform the safety related function are OPERABLE.

A required valve directing flow to a spray array, bypass line, or other component is considered OPERABLE if it is capable of automatically

moving to its safety position or if it is administratively placed in its safety position.

North Anna Units 1 and 2B 3.7.8-4Revision 14 SW System B 3.7.8BASESAPPLICABILITYIn MODES1, 2, 3, and4, the SW System is a normally operating system that is required to support the OPER ABILITY of the e quipment serviced by the SW System and required to be OPERABLE in these MODES.In MODES5 and6, the OPERABILITY requirements of the SW System are determined by the systems it supports.ACTIONSA.1If one SWSystem loop is inoperable due to an inoperable SW pump, the flow resistance of the system mu st be adjusted within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> by throttling component cooling water heat exchanger flows to ensure that

design flows to the RS System heat exchangers are achieved following an accident. The required re sistance is obtained by th rottling SW flow through the CC heat exchangers. In this configuration, a single failure disabling a

SW pump would not result in lo ss of the SW System function.

B.1 and B.2 If one or more SW System loops ar e inoperable due to only two SW pumps being OPERABLE, the flow resistance of the system must be adjusted within one hour to ensure that design flows to the RS System heat exchangers are achieved if no additional failures occur following an

accident. The required re sistance is obtained by th rottling SW flow through the CC heat exchangers. Two SW pumps aligned to one loop or one SW

pump aligned to each loop is capable of performing the safety function if CC heat exchanger flow is properly throttled. However, overall reliability is reduced because a single failure disabling a SW pump could result in loss of the SW System function. The one hour time reflects the need to minimize the time that two pumps ar e inoperable and CC heat exchanger flow is not properly throttled, but is a reasonable time based on the low probability of a DBA occurring during this time period.

Restoring one SW pump to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> together with the throttling ensures that design flows to the RS System heat exchangers are achieved following an accident. The required resistance is obtained by throttling SW flow through the CC heat exchangers. In this configuration, a single failure disabling a SW pump would not result in loss of the SW System function.

SW System B 3.7.8BASESNorth Anna Units 1 and 2B 3.7.8-5Revision 14ACTIONS(continued)

C.1If one SW loop is inoperable for reasons other than ConditionA, action must be taken to restore th e loop to OPERABLE status.

In this Condition, the remaining OP ERABLE SW loop is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE SW loop could result in loss of SW System function. The inoperable SW loop is required to be restored to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> unless the criteria for a 7 day Completion Time are met, as stated in the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time Note. The 7 day Completion Time applies if the three criteria in the 7 day Completion Time Note are met.The first criterion in the 7 day Completion Time Note states that the 7 day Completion Time is only applicable if the inoperability of one SW loop is part of SW System upgrades. Service Water System upgrades include modification and maintenance activities associated with the installation of new discharge headers and spray arrays, mechanical and chemical cleaning of SW System piping and valves, pipe repair and replacement, valve repair and replacement, installation of corrosion mitigation measures and inspection of and repairs to buried pi ping interior coatings and pump or valve house components. The second criterion in the 7 day Completion Time Note states that the 7 day Completion Time is only applicable if three SW pumps are OPERABLE from initial Condition entry, including one SW pump being allowed to not have automatic start capability. The third criterion in the 7 day Completion Ti me Note states that the 7 day Completion Time is only applicable if two auxiliary SW pumps are OPERABLE from initial Condition entry. The 72hour and 7day Completion Times are both based on the redundant capabilities afforded by the OPERABLE loop, and the low probab ility of a DBA occurring during this time period. The 7day Completion Time also credits the redundant capabilities afforded by three OPERABLE SW pumps (one without

automatic start capability) and tw o OPERABLE auxiliary SW pumps.

Changing the designation of the th ree OPERABLE SW pumps during the 7day Completion Time is allowed.

North Anna Units 1 and 2B 3.7.8-6Revision 14 SW System B 3.7.8BASESACTIONS(continued)

D.1 and D.2 If the SW pumps or loop cannot be re stored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours and in MODE5 within 36hours.The allowed Completion Times are reasonable, based on operating

experience, to reach the required unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.

E.1 and E.2 If two SW loops are inope rable for reasons other than only two SW pumps

being OPERABLE, the SW System ca nnot perform the safety function. With two SW loops inoperable, the CC System and, consequently, the Residual Heat Removal (RHR) Syst em have no heat sink and are inoperable. Twelve hours is allowed to enter MODE 4, in which the Steam Generators can be used for decay heat removal to maintain reactor temperature. Twelve hours is reasonabl e, based on operating experience, to reach MODE 4 from full power c onditions in an orderly manner and without challenging unit systems. Th e unit may then remain in MODE 4 until a method to further cool the units becomes available, but actions to determine a method and cool the uni t to a condition outside of the Applicability must be initiated wi thin one hour and continued in a reasonable manner and without delay un til the unit is brought to MODE 5.SURVEILLANCE

REQUIREMENT

SSR3.7.8.1 This SR is modified by a Note indi cating that the isolation of the SW System components or systems may render those components inoperable, but does not affect the OPERABILITY of the SW System.Verifying the correct alignment for manual, power operated, and automatic valves in the SW System flow path provides assurance th at the proper flow paths exist for SW System operation. This SR does not apply to valves that

are locked, sealed, or otherwise secure d in position, since they are verified to be in the correct posit ion prior to being locked, sealed, or secured. This SR does not require any testing or (continued)

SW System B 3.7.8BASESNorth Anna Units 1 and 2B 3.7.8-7Revision 46SURVEILLANCE REQUIREMENT

SSR3.7.8.1 (continued)valve manipulation; rather, it invol ves verification that those valves capable of being misposit ioned are in the correct position. This SR does not apply to valves that cannot be ina dvertently misaligned, such as check valves. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.SR3.7.8.2 This SR verifies proper automatic ope ration of the SW System valves on an actual or simulated actuation signal. The SW System is a normally operating system that cannot be fully actuated as part of normal testing.

This Surveillance is not required for valves that are locked, sealed, or

otherwise secured in the required pos ition under administrative controls.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.7.8.3This SR verifies proper automatic operation of the SW pumps on an actual or simulated actuation signal. The SW System is a normally operating system that cannot be fully actuated as part of normal te sting during normal operation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.2.1.2.UFSAR, Section6.2.2.3.UFSAR, Section5.5.4.

Intentionally Blank North Anna Units 1 and 2B 3.7.9-1Revision 0 UHSB 3.7.9B 3.7 PLANT SYSTEMSB 3.7.9Ultimate Heat Sink (UHS)BASESBACKGROUNDThe UHS provides a heat sink for processing and operating heat from safety related components during a transient or accident, as well as during normal operation. This is done by utilizing the Service Water (SW) System.

The ultimate heat sink is the Service Water Reservoir and its associated retaining structures, and is the norma l source of service water for Units 1 and 2.The Service Water Reservoir is locate d approximately 500 ft. south of the station site area. The Service Water Reservoir is adequate to provide sufficient cooling to permit simultaneous safe shutdown and cooldown of both units, and then maintain them in a safe-shutdown condition. Further, in the event of a design basis loss of coolant accident (LOCA) in one unit concurrent with a loss of offsite power to both units, the Service Water Reservoir is designed to provide suff icient water inventory to supply post-LOCA loads on one unit and shutdow n and cooldown loads on the other unit and maintain them in a safe-shutdown condition for at least 30days without makeup. After 30 days, makeup to the Service Water Reservoir is provided from the North Anna Reservoir as necessary to maintain cooling water inventory, ensuring a continued cooling capability. The Service Water Reservoir spray system is desi gned for operation of two units based on the occurrence of a LOCA on one unit with cooldown of the non-

accident unit and simultaneous loss of offsite power to both units.The two principal functions of the UHS are the dissipation of residual heat

after reactor shutdown, and dissipation of residual he at after an accident.

The North Anna Reservoir provides a backup source of service water using the auxiliary SW pumps, and can pr ovide makeup water to the Service Water Reservoir using the Circulating Water screen wash pumps, but is not credited for the DBA. The Lake Anna Dam impounds a lake with a surface area of 13,000acres and 305,000 acre-ft. of storage, at its normal- stage

elevation of 250 ft., along the channel of the North Anna River. The lake is normally used by the power station as (continued)

North Anna Units 1 and 2B 3.7.9-2Revision 0 UHSB 3.7.9BASESBACKGROUND (continued) a cooling pond for condenser circulating water. To improve the thermal performance of the lake, it has been divided by a series of dikes and canals into two parts. The larger, referred to as the North Anna Reservoir, is 9600 acres. The smaller part, called the waste heat treatment facility, is 3400 acres. When the North An na Reservoir is used by the SW System, water is withdrawn from the North Anna Reservoir and discharged to the waste heat treatment facility, though it is possible to discharg e water to the Service Water Reservoir.

The two sources of water are i ndependent, and each has separate, redundant supply and discharge headers. The only common points are the main redundant supply and discharge he aders in the service building where distribution to the components take s place. These common headers are encased in concrete.

Additional information on the design and operation of the system, along with a list of components served, can be found in Reference1.APPLICABLE SAFETY ANALYSESThe UHS is the sink for heat removed from the reactor core following all accidents and anticipate d operational occurrences in which the unit is cooled down and placed on residual heat removal (RHR) operation. Its

maximum post accident heat load occu rs in the first hour after a design basis LOCA. During this time, the Re circulation Spray (RS) subsystems

have started to remove the core decay heat.

The operating limits are based on conser vative heat transfer analyses for the worst case LOCA. The analyses provi de the details of the assumptions used in the analysis, which include worst expected meteorological conditions, conservative un certainties when calcula ting decay heat, and the worst case single active fail ure (e.g., single failure of an EDG). The UHS is designed in accordance with the Regulatory Guide1.27 (Ref.2) requirement for a 30day supply of cooling water in the UHS.

The UHS satisfies Criterion3 of 10CFR50.36(c)(2)(ii).

UHSB 3.7.9BASESNorth Anna Units 1 and 2B 3.7.9-3Revision 46 LCOThe UHS is required to be OPERABLE. The UHS is considered OPERABLE if it contains a sufficie nt volume of water at or below the maximum temperature that would allow the SW System to operate for at least 30days following the design ba sis LOCA without the loss of net positive suction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the SW System. To meet this condition, the Service Water Reservoi r temperature should not exceed 95F and the level should not fall below 313ft mean sea level during normal unit operation.APPLICABILITYIn MODES1, 2, 3, and4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES.In MODE5 or6, the OPERABILITY requirements of the UHS are determined by the systems it supports.ACTIONSA.1 and A.2 If the UHS is inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this st atus, the unit must be placed in at least MODE3 within 6hours and in MODE5 within 36hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challe nging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.7.9.1 This SR verifies that adequate long term (30day) cooling can be maintained. The specified level also ensures that sufficient NPSH is available to operate the SW pumps. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.

North Anna Units 1 and 2B 3.7.9-4Revision 46 UHSB 3.7.9BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.7.9.2 This SR verifies that the SW System is available with the maximum accident or normal design heat loads for 30days following a Design Basis Accident. The Surveillance Frequency is based on operat ing experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.2.2.Regulatory Guide1.27, March, 1974.

North Anna Units 1 and 2B 3.7.10-1Revision 39 MCR/ESGR EVS B 3.7.10B 3.7 PLANT SYSTEMSB 3.7.10Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS)BASESBACKGROUNDThe MCR/ESGR Emergency Ventilation System (EVS) provides a protected environment from whic h occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke. The MCR/ESGR EVS consists of four 100% capacity redundant trains (2per unit) that can filter a nd recirculate air inside the MCR/ESGR envelope or supply filter ed makeup air to the MCR/ESGR envelope, and a MCR/ESGR boundary that limits the inleakage of unfiltered air. Each train consists of a heater, demister filter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorb er section for removal of gaseous activity (principally iodines), and a fan (Ref.1). Ductwork, valves,

dampers, doors, barriers, and instrument ation also form pa rt of the system. One EVS train is capable of performing the safety function of supplying outside filtered air. In the event of a Safety Injection (SI), the two MCR/ESGR EVS trains on the accident unit actuate automatically in recirculation. All availabl e trains of MCR/ESGR EVS start automatically on a fuel building radiation monitor signal or manual actuation of the MCR/ESGR Isolation Actuation Instrumentation. These trains can also be

aligned to provide filtered outside ai r when appropriate. Either train from the other unit can be manually actuate d to provide filtered outside air approximately 60minutes after the event. However, due to the location of the air intake for 1-HV-F-41, it can not be used to satisfy the requirements of LCO3.7.10. Two of the three remaining trains (1-HV-F-42, 2-HV-F-41, and 2-HV-F-42) are required for independence and redundancy.

The MCR/ESGR envelope is the area within the confines of the MCR/ESGR envelope boundary that contai ns the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses th e control room, and may encompass other non-critical areas to which frequent pers onnel access or continuous occupancy is not necessary in the event of an accident. The MCR/ESGR envelope is protected duri ng normal operation, natural (continued)

North Anna Units 1 and 2B 3.7.10-2Revision 39MCR/ESGR EVS B 3.7.10BASESBACKGROUND (continued) events, and accident conditions. Th e MCR/ESGR envelope boundary is the combination of walls, floor, r oof, ducting, doors, penetrations and equipment that physically form the MCR/ESGR envelope. The OPERABILITY of the MCR/ESGR envelope boundary must be maintained to ensure that the inleakage of unfiltered air into the

MCR/ESGR envelope will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to MCR/ESGR envelope occupants.

The MCR/ESGR envelope and its boundary are defined in the MCR/

ESGR Envelope Habitability

Program.Upon receipt of an actuating signal(s)

(i.e., SI, fuel building radiation monitors or manual), normal air supply to and exhaust from the MCR/ESGR envelope is is olated, and at least tw o trains of MCR/ESGR EVS receive a signal to actuate to recirculate air in the MCR/ESGR envelope. Approximately 60minutes after actuation of the MCR/ESGR Isolation Actuation Instrumentati on, a single MCR/ESGR EVS train is manually actuated or aligned to provide filtered outside air to the

MCR/ESGR envelope through HEPA filters and ch arcoal adsorbers. The demisters remove any entrained water droplets present, to prevent excessive moisture loading of the HEPA filters and charcoal adsorbers.

Continuous operation of each train for at least 10hours per month, with the heaters on, reduces moisture buildup on the HEPA filters and adsorbers. Both the demister a nd heater are important to the effectiveness of the HEPA filters and charcoal adsorbers.

Although not assumed in the Analysis of Record, pressurization of the MCR/ESGR envelope minimizes inf iltration of unfilt ered air through the MCR/ESGR envelope boundary from all the surrounding areas adjacent to the MCR/ESGR envelope boundary.

Redundant MCR/ESGR EVS supply and re circulation trains provide the required filtration of out side air should an ex cessive pressure drop develop across the other filter train.

(continued)

MCR/ESGR EVS B 3.7.10BASESNorth Anna Units 1 and 2B 3.7.10-3Revision 39BACKGROUND (continued)The MCR/ESGR EVS is designed in accordance with Seismic CategoryI requirements. Any of the actuation signal(s) will isolate the

MCR/ESGR envelope and start th e MCR/ESGR EVS trains for the affected unit in recirc ulation. Requiring two of the three MCR/ESGR EVS trains provides redundancy, assuring that at least one train is available to be realigned to provide filtered outside air.The MCR/ESGR EVS is designed to maintain a habitable environment in the MCR/ESGR envelope for 30da ys of continuous occupancy after a DBA without exceeding the control room operator dose limits of 10CFR50, AppendixA, GDC-19 (Ref.3

) for alternative source terms.APPLICABLE SAFETY ANALYSESThe MCR/ESGR EVS components ar e arranged in redundant, safety related ventilation trains. The loca tion of most components and ducting within the MCR/ESGR envelope ensure s an adequate supply of filtered air to all areas requiring access. Th e MCR/ESGR EVS pr ovides airborne radiological protection for the MCR/

ESGR envelope occupants, as

demonstrated by the MCR/ESGR envel ope accident dose analyses for the most limiting DBA (LOCA) fission product release presented in the UFSAR, Chapter15 (Ref.2). The accident analysis assumes that at least one train is aligned to provide filt ered outside air to the MCR/ESGR envelope approximately 60minut es after MCR/ESGR envelope isolation, but does not take any credit for automatic start of the trains in the recirculation mode or any filtration of recirculated air. Since the

MCR/ESGR EVS train associated with 1-HV-F-41 can not be used to provide filtered outside air (due to the location of its air intake with respect to Vent StackB), it can not be used to satisfy the requirements of LCO3.7.10.

The North Anna UFSAR describes potentially hazardous chemicals stored onsite in quantities greater than 100lb. These include hydrogen, sulfuric acid, sodium hydroxide, hydrazine, ethanolamine, and sodium hypochlorite. Evaluations for accidental release of these chemicals indicate that the worst-case concentr ations at the control room intake would be expected to be less than their (continued)

North Anna Units 1 and 2B 3.7.10-4Revision 51MCR/ESGR EVS B 3.7.10BASESAPPLICABLE SAFETY ANALYSES(continued)respective toxicity limit (Refs.1 and4). The assessment assumed no action being taken by the control room operator (i.e., normal or emergency supply system remains operating).

In the event of fire/smoke external to the MCR/ESGR envelope, equipment and procedures are availabl e to maintain habitability of the

control room. Smoke detectors are installed in the return ducts to the MCR Air-Handling Units (AHUs), in the near vicinity of the ESGR AHUs, and in the MCR/ESGR EVS supply ducts, as well as other numerous locations in the ESGRs a nd MCR. Smoke detectors are also installed in the MCR/ESGR chiller r ooms, which are ventilated with air from the Turbine Building, and the Mechanical Equipment rooms. If smoke is detected, the MCR/ESGR normal and EVS supply can be manually isolated. The fire response procedures provide direction for removing smoke from the MCR or ESGRs. (Ref.5)The SGTR analysis assumes MCR/ESGR envelope isolation occurs. An unfiltered MCR/ESGR inleakage of 250cfm is assumed, with filtered makeup air of 900cfm commencing at 1hour.For the remainder of the DBAs, MCR/ESGR envelope isolation is not assumed. Normal ventilation with 500cfm of additional inleakage is assumed. The safety analysis for a fuel handling accident (FHA) assumes isolation of th e MCR/ESGR envelope.

The worst case single active failure of a component of the MCR/ESGR EVS, assuming a loss of offsite power, does not impair th e ability of the system to perform its design function.

The MCR/ESGR EVS satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).

LCOTwo independent and redundant MCR/

ESGR EVS trains are required to be OPERABLE to ensure that at least one train is available to be manually aligned to provide outside filtered air to the MCR/ESGR envelope, if a single active failure disables one of the two required OPERABLE trains. Total system failu re, such as from a loss of both required EVS trains or from an inoperable MCR/ESGR envelope boundary, could result in exceeding the control room operator dose limits of 10CFR50, AppendixA, GDC-19 (Ref.3) for alternative source terms, in the event of a large radioactive release.

(continued)

MCR/ESGR EVS B 3.7.10BASESNorth Anna Units 1 and 2B 3.7.10-5Revision 39 LCO(continued)

The MCR/ESGR EVS is considered OPERABLE when the individual components necessary to limit MCR/ESGR envel ope occupant exposure are OPERABLE in the two required trains of the MCR/ESGR EVS.

1-HV-F-41 can not be used to satisfy the requirements of LCO3.7.10.

An MCR/ESGR EVS train is OP ERABLE when the associated:a.Fan is OPERABLE;b.Demister filters, HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions; andc.Heater, ductwork, valves, and dampers are OPERABLE, and air flow can be maintained.The MCR/ESGR EVS is shared by Unit1 and Unit2.In order for the MCR/ESGR EVS trai ns to be considered OPERABLE, the MCR/ESGR envelope boundary must be maintained such that the MCR/ESGR envelope occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence

analyses for DBAs, and that MC R/ESGR envelope occupants are protected from hazardous chemicals and smoke.

The LCO is modified by a Note allowing the MCR/ESGR envelope boundary to be opened intermittently under administrative controls. This Note only applies to openings in the MCR/ESGR envelope boundary

that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors the administrative control of the opening is performed by the person(s)

entering or exiting the area

. For other openings, th ese controls should be proceduralized and consist of stat ioning a dedicated individual at the opening who is in continuous communi cation with the operators in the MCR/ESGR envelope. This individua l will have a method to rapidly close the opening and restore the MCR/ESGR envelope boundary to a condition equivalent to the de sign condition when a need for MCR/ESGR isolation is indicated.

North Anna Units 1 and 2B 3.7.10-6Revision 39MCR/ESGR EVS B 3.7.10BASESAPPLICABILITYIn MODES1, 2, 3, and4, MC R/ESGR EVS must be OPERABLE to ensure that the MCR/ESGR envelope will remain habitable during and following a DBA.The MCR/ESGR EVS must be OPERABLE to respond to the release from a FHA involving recently irradiated fuel assemblies. The MCR/ESGR EVS is only required to be OPERABLE during fuel handling involving recently irradiated fuel assemblies (i.e., fuel assemblies that have occupied part of a critical reactor core within the previous 300hours) due to radioactive decay.ACTIONSA.1 When one required MCR/ESGR EVS tr ain is inoperable, for reasons other than an inoperable MCR/ESGR envelope boundary, action must be taken to restore OPERABLE status within 7days. In this Condition, the

remaining required OPERABLE MCR/ES GR EVS train is adequate to perform the MCR/ESGR envelope occupant protection function.

However, the overall reliability is reduced because a failure in the required OPERABLE EVS trains could result in loss of MCR/ESGR EVS function. The 7day Completion Time is based on the low

probability of a DBA occurring during this time period, a nd ability of the remaining trains to provide the required capability.

B.1, B.2, andB.3 If the unfiltered inleakage of potentially contaminated air past the MCR/ESGR envelope boundary and into the MCR/ESGR envelope can result in MCR/ESGR envelope occ upant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5rem total effect ive dose equivalent), or inadequate protection of MCR/ESGR envel ope occupants from hazardous chemicals or smoke, the MCR/ESGR envelope boundary is inoperable.

Actions must be taken to restore an OPERABLE MCR/ESGR envelope

boundary within 90 days. During th e period that the MCR/ESGR envelope boundary is considered inopera ble, action must be initiated to implement mitigating actions to lessen the effect on MCR/ESGR envelope occupants from the potential hazards of a radiological or

chemical event or a challenge from smoke. Actions must be taken within 24hours to verify that in the event of a DBA, the mitigating actions will ensure that MCR/ESGR envelope occupant (continued)

MCR/ESGR EVS B 3.7.10BASESNorth Anna Units 1 and 2B 3.7.10-7Revision 39ACTIONSB.1 (continued) radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA c onsequences, and that MCR/ESGR envelope occupants are protected from hazardous chemicals and smoke.

These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable MC R/ESGR envelope boundary) should be preplanned for implementati on upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24hour Completion Time is reasonable base d on the low probability of a DBA

occurring during this time period, a nd the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions wi ll ensure protection of MCR/ESGR envelope occupants within analyzed limits while limiting the probability that MCR/ESGR envelope occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the MCR/ESGR envelope boundary.

C.1 and C.2In MODE1, 2, 3, or4, if the inopera ble required MCR/ESGR EVS train or the inoperable MCR/ESGR envel ope boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk. To achieve this

status, the unit must be placed in at least MODE3 within 6hours, and in MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1.1, D.1.2, and D.2During movement of recently irradiated fuel, if the inoperable MCR/ESGR EVS train cannot be restor ed to OPERABLE status within the required Completion Time, the MCR/ESGR envelope must be isolated immediately and the rema ining OPERABLE MCR/ESGR train placed in service within one hour. These actions will ensure that the

MCR/ESGR envelope is in a conf iguration that would protect the occupants from radioactive expos ure consistent with the DBA assumptions and ensure that any active failures w ould be readily detected.

North Anna Units 1 and 2B 3.7.10-8Revision 46MCR/ESGR EVS B 3.7.10BASESACTIONSD.1.1, D.1.2, and D.2 (continued)

An alternative to Required Action D.1 is to immediately suspend activities that present a potential fo r releasing radioactivity that might require isolation of the control room

. This places the unit in a condition that minimizes accident risk. This does not preclude the movement of fuel to a safe position.

E.1During movement of recently irradiated fuel assemblies, if a required train of MCR/ESGR EVS train becomes inoperable due to an inoperable MCR/ESGR envelope boundary or two required MCR/ESGR EVS trains inoperable, action must be ta ken immediately to suspend activities that could result in a release of radi oactivity that might require isolation of the control room. This places the unit in a condition that minimizes

risk. This does not preclude the move ment of fuel to a safe position.

F.1When two required MCR/ESGR EVS trains are inoperable in MODE1, 2, 3, or4 for reasons other than an inoperable MCR/ESGR envelope boundary (i.e., ConditionB), the MCR/

ESGR EVS may not be capable of performing the intended function a nd the unit is in a condition outside the accident analyses. Therefore, LCO3.0.3 must be entered immediately.SURVEILLANCE

REQUIREMENTSSR3.7.10.1Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on the MCR/ESGR EVS are not too se vere, testing each required train once every month provides an adequate check of this system. Monthly

heater operations dry out any moisture accumulated in the charcoal and HEPA filters from humidity in the ambient air. Each required train must be operated for 10continuous hours with the heaters energized. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

MCR/ESGR EVS B 3.7.10BASESNorth Anna Units 1 and 2B 3.7.10-9Revision 39SURVEILLANCE REQUIREMENTS (continued)SR3.7.10.2This SR verifies that the required MCR/ESGR EVS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing the performance of the demister filter, HEPA filter, charcoal adsorber efficiency, minimum and maximum flow rate, and the physical properties of the activated charcoal. Specific test

Frequencies and additiona l information are discus sed in detail in the VFTP.SR3.7.10.3 Not Used SR3.7.10.4 This SR verifies the OPERABIL ITY of the MCR/ESGR envelope boundary by testing for unfiltered ai r inleakage past the MCR/ESGR envelope boundary and into the MCR/ES GR envelope. The details of the testing are specified in the MCR/ES GR Envelope Habitability Program.

The MCR/ESGR envelope is considered habitable when the radiological dose to MCR/ESGR envel ope occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem TEDE and the MCR/ESGR envelope occupants are protected from hazardous

chemicals and smoke. This SR verifies that the unfiltered air inleakage into the MCR/ESGR envelope is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, ConditionB must be entered. Required ActionB.3 allows time to restore the MCR/ESGR envelope boundary to OPERABLE stat us provided mitigating actions can ensure that the MCR/ESGR envelope remains within the licensing basis habitability limits for the occupants following an accident.

Compensatory measures are discussed in Regulatory Guide1.196, SectionC.2.7.3, (Ref.6) which endorses, with exceptions, NEI 99-03, Section8.4 and AppendixF (Ref.7).

These compensatory measures may also be used as mitigating actions as required by Required ActionB.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref.8). Options for restoring the MCR/ESGR envelope boundary to OPERABLE status include changing the licensing basis DBA consequence analysis,

repairing the MCR/ESGR envelope boundary, or a combination of these actions.(continued)

North Anna Units 1 and 2B 3.7.10-10 Revision 39MCR/ESGR EVS B 3.7.10BASESSR3.7.10.4 (continued)

Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the

MCR/ESGR envelope boundary has been restored to OPERABLE status.REFERENCES1.UFSAR, Section6.4.2.UFSAR, Chapter15.3.10CFR50, AppendixA.

4.Control Room Habitability Study (Supplement to 1980 Onsite Control Room Habitability Study - North Anna Power Station Units1 and2, January1982.5.Letter from L.N. Hartz (Virgini a Electric and Power Company) to the USNRC, dated March3,2004, Response to Generic Letter2003-01, "Control Room Habitability - Control Room Testing & Technical Information."6.Regulatory Guide1.196.

7.NEI99-03, "Control Room Habitability Assessment," June2001.8.Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January30,2004, "NEI Draft White Paper, Use of Generic Letter91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No.ML040300694)

North Anna Units 1 and 2B 3.7.11-1Revision 15 MCR/ESGR ACSB 3.7.11B 3.7 PLANT SYSTEMSB 3.7.11Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning System (ACS)BASESBACKGROUNDThe MCR/ESGR ACS provides cooling for the MCR/ESGR envelope following isolation of the MCR/ES GR envelope. The MCR/ESGR ACS also provides cooling for the MCR/

ESGR envelope during routine unit operation.

The MCR/ESGR ACS consists of two independent and redundant subsystems that provide cooling of MCR/ESGR envelope air. Each subsystem consists of tw o air handling units (one for the MCR and one for the ESGR), one chiller in one subsystem and two chillers in the other, valves, piping, instrumentation, and controls to provide for MCR/ESGR envelope cooling. One subsystem has one chiller, the other has two chillers, either of which can be used by that subsystem, but which are not electrically independent from each other.The MCR/ESGR ACS is an emergency system, parts of which may also operate during normal unit op erations. A single subs ystem will provide the required cooling to maintain the MCR/ESGR envelope within design limits. The MCR/ESGR ACS operation in maintaining the MCR/ESGR

envelope temperature is discussed in the UFSAR, Section9.4 (Ref.1).APPLICABLE SAFETY ANALYSESThe design basis of the MCR/ESGR ACS is to maintain the MCR/ESGR envelope temperature within limits for 30days of continuous occupancy

after a DBA.

The MCR/ESGR ACS components ar e arranged in redundant, safety related subsystems. During emergency operation, the MCR/ESGR ACS maintains the temperature within desi gn limits. A single active failure of a component of the MCR/ESGR ACS, with a loss of offsite power, does not impair the ability of the system to perform its design function. The MCR/ESGR ACS is designed in accordance with Seismic CategoryI requirements. The MCR/ESGR ACS is capable of removing sensible and latent heat loads from the M CR/ESGR envelope, which include consideration of equipment heat loads and personnel occupancy requirements, to ensure equipment OPERABILITY.

(continued)

North Anna Units 1 and 2B 3.7.11-2Revision 20 MCR/ESGR ACSB 3.7.11BASESAPPLICABLE SAFETY ANALYSES(continued)

The MCR/ESGR ACS satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCOTwo independent and redundant subsystems of the MCR/ESGR ACS, providing cooling to the unit ESGR and associated portion of the MCR, are required to be OPERABLE to ensure that at least one is available, assuming a single failure disabling the other subsystem. Total system failure could result in the equipment operating temperature exceeding limits in the event of an accident.

The MCR/ESGR ACS is considered to be OPERABLE when the individual components necessary to c ool the MCR/ESGR envelope air are OPERABLE in both required subsystems

. Each subsystem consists of two air handling units (one for the MCR and one for the ESGR), one chiller,

valves, piping, instrumentation and c ontrols. The two subsystems provide air temperature cooling to the por tion of the MCR/ESGR envelope associated with the unit. In a ddition, an OPERABLE MCR/ESGR ACS must be capable of maintaining air circulation. An MCR/ESGR ACS subsystem does not have to be in operation to be considered OPERABLE.

The MCR/ESGR ACS is considered OPERABLE when it is capable of being started by manual actions within 10minutes. The time of 10minutes is based on the time required to start the system manually following

required testing.APPLICABILITYIn MODES1, 2, 3, and4, and during movement of recently irradiated fuel assemblies, the MCR/ESGR ACS must be OPERABLE to ensure that the MCR/ESGR envelope temperature wi ll not exceed equipment operational requirements following isolation of the MCR/ESGR envelope. The MCR/ESGR ACS is only required to be OPERABLE during fuel handling involving handling recently i rradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 300 hours0.00347 days <br />0.0833 hours <br />4.960317e-4 weeks <br />1.1415e-4 months <br />), due to radioactive decay.ACTIONSA.1With one or more required MCR/ESGR ACS subsystem inoperable, and at

least 100% of the MCR/ESGR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available, action must be taken to restore OPERABLE status within 30days. In (continued)

MCR/ESGR ACSB 3.7.11BASESNorth Anna Units 1 and 2B 3.7.11-3Revision 20ACTIONSA.1 (continued) this Condition, the remaining OPERAB LE MCR/ESGR ACS subsystem is adequate to maintain the MCR/ESGR envelope temperature within limits.

However, the overall reliability is reduced because a single failure in the OPERABLE MCR/ESGR ACS subsys tem could result in loss of MCR/ESGR ACS function. The 30day Completion Time is based on the

low probability of an event requiring MCR/ESGR envelope isolation, the consideration that the remaining subsystem can provide the required protection, and that alternate safety or nonsafety related cooling means are available.

The LCO requires the OPERABILIT Y of a number of independent components. Due to the redundancy of subsystems and the diversity of components, the inoperability of one active component in a subsystem does not render the MCR/ESGR ACS incap able of performing its function. Neither does the inoperability of two different components, each in a different subsystem, necessarily result in a loss of function for the

MCR/ESGR ACS (e.g., an inoperable chiller in one subsystem, and an

inoperable air handler in the other). This allows increased flexib ility in unit operations under circumstances when components in opposite subsystems are inoperable.

B.1 and B.2In MODE1, 2, 3, or4, if the inoperable MCR/ESGR ACS subsystem cannot be restored to OPERABLE st atus within the required Completion Time, the unit must be placed in a MODE that minimizes the risk. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1 and C.2 During movement of recen tly irradiated fuel, if the required inoperable MCR/ESGR ACS subsystems cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE MCR/ESGR ACS subsystem must be placed in operation immediately. This action ensures that the remaining subsystem is OPERAB LE and that active failures will be readily detected.

(continued)

North Anna Units 1 and 2B 3.7.11-4Revision 46 MCR/ESGR ACSB 3.7.11BASESACTIONSC.1 and C.2 (continued)An alternative to Required ActionC.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the MCR/ESGR envelope. This places the unit in a condition that minimizes accident risk. This doe s not preclude the movement of fuel to a safe position.

D.1During movement of recently irradiated fuel assemblies, with less than 100% of the MCR/ESGR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the MCR/ESGR e nvelope. This places the unit in a condition that minimizes ri sk. This does not preclude the movement of fuel to a safe position.

E.1With less than 100% of the MCR/ES GR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available in MODE1, 2, 3, or4, the MCR/ESGR ACS may not be capable of performing its intended function. Therefore, LCO3.0.3 must be entered immediately.SURVEILLANCE

REQUIREMENT

SSR3.7.11.1 This SR verifies that the heat rem oval capability of any one of the three chillers for the unit is sufficient to remove the heat load assumed in the safety analyses in the MCR/ESGR envelope. This SR consists of a combination of testing and calculat ions. The Surveill ance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Section9.4.

North Anna Units 1 and 2B 3.7.12-1Revision 45 ECCS PREACS B 3.7.12B 3.7 PLANT SYSTEMSB 3.7.12Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System (PREACS)BASESBACKGROUNDThe ECCS PREACS filters ai r from the area of the active ECCS components during the reci rculation phase of a loss of coolant accident (LOCA). The ECCS PREACS, in conjunction with other normally operating systems, also provides envir onmental control of temperature in the ECCS pump room areas.The charging/high head safety injecti on pump motors have internal fans that provide design cooling requireme nts without reliance on the central exhaust fans. The associated equipment in the Safeguards Building, Low Head Safety Injection (LHSI) and Outside Recirculat ion Spray (OSRS) pumps, remain operable for at least 60minutes without the safeguards exhaust fans in service.

The ECCS PREACS consists of two subsystems, the Safeguards Area Ventilation subsystem and the A uxiliary Building Central Exhaust subsystem. There are two redundant trains in the Safeguards Area Ventilation subsystem. Each train of the Safeguards Area Ventilation subsystem consists of one Safeguards Area exhaust fan, prefilter, and high efficiency particulate air (HEPA) filte r and charcoal adsorber assembly for removal of gaseous activit y (principally iodines) (shared with the other unit), and controls for the Safegua rds Area exhaust filter and bypass

dampers. Ductwork, valves or dampers, and instrumentation also form part of the subsystem. The subsystem automatically initiates f iltered ventilation of the safeguards pump room followi ng receipt of a Containment Hi-Hi signal from the affected unit.

The Auxiliary Building Central exhaust subsystem consists of the following: three redundant central area exhaust fans (shared with other

unit), two redundant filter banks consisting of HEPA filter and charcoal adsorber assembly for removal of gase ous activity (principally iodines)

(shared with the other unit), and two redundant trains of controls for the Auxiliary Building Central exhaust subsystem filter (continued)

North Anna Units 1 and 2B 3.7.12-2Revision 45 ECCS PREACS B 3.7.12BASESBACKGROUND (continued) and bypass dampers (shared with the other unit). Ductwork, valves or dampers, and instrumentation also form part of the subsystem. The subsystem initiates filtered ventilation of the charging pump cubicles following manual actuation.

The Auxiliary Building filter banks are shared by the Safeguards Area Ventilation subsystem and the A uxiliary Building Central Exhaust subsystem. Either Auxili ary Building filter bank ma y be aligned to either ECCS PREACS train. These filter banks are also used by the Auxiliary Building General area exhaust, fuel building exhaust, decontamination

building exhaust, and containment purge exhaust.

One Safeguards Area exhaust fan is normally operating and dampers are aligned to bypass the HEPA filters and charcoal adsorbers. During emergency operations, the ECCS PREACS dampers are realigned to begin filtration. Upon r eceipt of the actuating Engi neered Safety Feature Actuation System signal(s), normal air discharges from the Safeguards

Area room are diverted through the filter banks. Two Auxiliary Building Central Exhaust fans are normally operating. Air discharges from the Auxiliary Building Central Exhaust ar ea are manually diverted through the filter banks. Required Safeguards Ar ea and Auxiliary Building Central

Exhaust area fans are manually actuated if they are not already operating. The prefilters remove any large partic les in the air to prevent excessive loading of the HEPA filters and charcoal adsorbers.

The ECCS PREACS is discussed in the UFSAR, Section9.4 (Ref.1) and it may be used for normal, as well as post accident, atmospheric cleanup functions. The primary purpose of the heaters is to maintain the relative humidity at an acceptable level during normal operations, generally consistent with iodine removal efficiencies per Regulatory Guide1.52 (Ref.3). The heaters are not requi red for post-accident conditions.APPLICABLE SAFETY ANALYSESThe design basis of the ECCS PREACS is established by the large break

LOCA. The system evaluation as sumes ECCS leakage outside containment, such as safety in jection pump leakage, during the recirculation mode. In such a case, if ECCS leakage exceeds certain levels, the system is required in order to limit radioactive release to within the control room operator dose limits of 10CFR50, AppendixA, GDC-19 (continued)

ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-3Revision 45APPLICABLE SAFETY ANALYSES (continued)(Ref.4) for alternative source terms. The analysis of the effects and consequences of a large break LOCA is presented in Reference2. The

ECCS PREACS also may actuate foll owing a small brea k LOCA, in those cases where the ECCS goes into the recirculation mode of long term cooling, to clean up releases of smalle r leaks, such as from valve stem packing. The analyses assume the fi ltration by the ECCS PREACS does not begin for 60minutes following an accident.

The ECCS PREACS satisfies Criterion3 of 10CFR 50.36(c)(2)(ii).LCOTwo redundant trains of the ECCS PREACS are required to be OPERABLE to ensure that at least one is available. Total system failure could result in elevated temperatures within the Safeguards Area, or in exceeding the control room operator dose limits of 10CFR50, AppendixA, GDC-19 (Ref.4) for alternative source terms.

ECCS PREACS is considered OPERABLE when the individual components necessary to maintain th e ECCS pump room ventilation and filtration are OPERAB LE in both trains.

An ECCS PREACS train is considered OPERABLE when its associated:a.Safeguards Area exhaust fan is OPERABLE;b.One Auxiliary Building HEPA filter and charcoal adsorber assembly (shared with the other unit) is OPERABLE;c.One Auxiliary Building Central exhaust system fan (shared with other unit) is OPERABLE;d.HEPA filter and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions; ande.Ductwork, valves, and dampers are OPERABLE.

Safeguards Area and Auxiliary Building Central exhaust will fail safe to the FILTER position upon loss of power or instrument air. Dampers are considered OPERABLE if capable of moving to the safety position, or if administratively placed in the accident position.

(continued)

North Anna Units 1 and 2B 3.7.12-4Revision 45 ECCS PREACS B 3.7.12BASESLCO(continued)

Portions of ECCS PREACS may be removed from serv ice (e.g., tag out fans, open ductwork, etc.), in orde r to perform required testing and

maintenance. The system is OPERABLE in this condition if it can be

restored to service and perform its function within 60minutes following an accident.

In addition, the required Safeguards Area and charging pump cubicle boundaries for charging pumps not isol ated from the Reactor Coolant System must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors, except for those openings which are left open by design, including charging pump ladder wells.

The LCO is modified by a Note a llowing the ECCS pump room boundary openings not open by design to be opened intermittently under administrative controls. For entry a nd exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for ECCS pump room isolation is indicated.APPLICABILITYIn MODES1, 2, 3, and4, th e ECCS PREACS is required to be OPERABLE consistent with the OPERABILITY requirements of the

ECCS.In MODE5 or6, the ECCS PREACS is not required to be OPERABLE since the ECCS is not required to be OPERABLE.ACTIONSA.1With one ECCS PREACS train inopera ble for reasons other than Condition B (for example, insufficient ventilati on exhaust flow rate), action must be taken to restore OPERABLE status within 7days. During this time, the remaining OPERABLE train is adequa te to perform the ECCS PREACS function.The 7day Completion Time is appropria te because the risk contribution is less than that for the ECCS (72hour Completion Time), and there are backup ventilation systems for thes e ECCS pump rooms available to provide cooling as (continued)

ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-5Revision 45ACTIONSA.1 (continued)needed. The 7day Completion Time is based on the low probability of a Design Basis Accident (DBA) occu rring during this time period, and ability of the remaining train to provide the required capability.With two ECCS PREACS trains in operable for reas ons other than Condition C or D, LCO3.0.3 must be entered immediately.

B.1.1, B.1.2, and B.1.3With one ECCS PREACS train inoper able due to loss of its filtration capability, action must be taken wi thin one hour to determine if the filtration capability is required (ActionB.1.1). This is determined based on comparing the most recent ECCS system operational leakage log value against design basis unfiltered leakage assumptions. If the current total ECCS leakage is less than the maximum allowable unfiltered leakage assumed in the design bases, then the filtration capability of ECCS

PREACS is not required and an extende d period to restore operability can be applied. The value for "maximum allowable unfiltered ECCS leakage"

is documented in the UFSAR (reference 6). During this time, both trains remain operable to perform the ventilation exhaust/cool ing function. (For example, a problem with th e filter itself or its housing affects a single train, and both trains remain operable to perform the ventilation function using either the flow path of the remaining filter or the flow path of the bypass ductwork.)

The action to restore the inoperable train's filtration to operable status within 30days (ActionB.1.3) is reasonable, consistent with:(a)the dose analysis shows that no filtration function is required when ECCS leakage is less than the maximum allowable unfiltered leakage,(b)significant margin exists betwee n operating limits and actual dose limits,(c)the time necessary to complete repairs on the filter assembly and/or associated dampers may be significant, and(d)the other train of ECCS filtra tion remains operable to perform its intended safety function if needed.

(continued)

North Anna Units 1 and 2B 3.7.12-6Revision 45 ECCS PREACS B 3.7.12BASESACTIONSB.1.1, B.1.2, and B.1.3 (continued)

In addition, ECCS leakage is requir ed to be monitored by walking down the areas every 12hours in order to determine whether or not filtration capability is required (ActionB.1.2). Establishing monitoring on a 12hour frequency is based on operating history, which i ndicated that a sudden change in ECCS leakage is not expected, and the conservatisms in the design basis dose calculations.

B.2If total ECCS leakage is equal to or greater than the maximum allowable unfiltered leakage limit then the filt ration capability of ECCS PREACS is required and actions must be taken to restore Operability of the filter within

seven days consistent with an inop erable PREACS train for any other reason.C.1.1, C.1.2, and C.1.3 If two ECCS PREACS trains are inopera ble due to loss of their filtration capability, action must be taken w ithin one hour to determine if the filtration capability is required (ActionC.1.1). This is determined based on the Unit's operational ECCS leakage. If the current total ECCS leakage is less than the maximum allowable unfiltered leakage, then the filtration

capability of ECCS PREACS is not immediately required and an extended period to restore operability can be applied. During this time, both trains

remain operable to perform the ventil ation exhaust/cooling function. Both trains of ECCS PREACS may be made inoperable without affecting the ventilation exhaust function by potenti al problems such as an inoperable bypass damper or a charcoal adsorber issue.

If the filtration capability of ECCS PREACS is not required, actions to restore the filtration function and rest ore at least one inoperable train to operable status within 14days (ActionC.1.3) are reasona ble, consistent with:(a)the dose analysis shows that no filtration is required when ECCS leakage is less than the maximum allowable unfiltered leakage,(b)significant margin exists betw een operating limits and actual dose limits,(continued)

ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-7Revision 45ACTIONSC.1.1, C.1.2, and C.1.3 (continued)(c)operating history indi cates that a sudden cha nge in ECCS leakage to greater than the maximum allowable unfiltered leakage is not expected,(d)the time necessary to complete repairs on the filter assembly and/or associated dampers may be significant, and(e)unnecessary two-unit shut down has associated risks.

In addition, ECCS leakage is requir ed to be monitored by walking down the areas every 12hours in order to determine whether or not filtration capability is required (ActionC.l.2)

. Establishing monitoring on a 12hour frequency is based on operating history, which indicated that a sudden change in ECCS leakage is not expected, and the conservatisms in the

design basis dose calculations.

C.2If total ECCS leakage is equal to or greater than the maximum allowable unfiltered leakage limit then the filtration capability of ECCS PREACS is

required and actions must be taken to restore Operability of at least one train within sixty minutes, consistent with the dose analysis. The analysis assumes the filtration by PREACS does not begin for sixty minutes following an accident (see Applicable Safety Analyses).

D.1.1, D.1.2, and D.1.3 Breaching an ECCS pump room boundary would affect the filtration function of both trains of ECCS PR EACS, since the exhaust system may not be able to maintain a negative pressure on the boundary. However, the ventilation/cooling function would not be affected since the charging pump motors have internal fans that provi de design cooling re quirements without reliance on the central exhaust fans

, and the Safeguards Area boundaries are to the exterior atmosphere. Since the inlet to the exhaust ductwork in each pump cubicle in Safeguards is located just above the motor, cooler

outside air entering through a breach in a cubicle or the building general area (e.g., the outside door), would even tually be drawn into the cubicle, and out by the exhaust system. Thus, the ventilation and cooling function will not be affected by boundary breaches.

(continued)

North Anna Units 1 and 2B 3.7.12-8Revision 45 ECCS PREACS B 3.7.12BASESACTIONSD.1.1, D.1.2, and D.1.3 (continued)

If two ECCS PREACS trains are inope rable due to loss of the pump room boundary, action must be taken within one hour to determine if the filtration capability is required (ActionD.1.1). This is determined based on the Unit's operational ECCS leakage. If the current total ECCS leakage is

less than the maximum allowable unfiltered leakage, then the filtration

capability of ECCS PREACS is not immediately required and an extended period to restore operability can be applied. During th is time, the ability to perform the ventilation exhaust/cooling function remains unaffected.

If the filtration capability of ECCS PREACS is not required, actions to restore the filtration function and rest ore the boundary to operable status within 14days (ActionD.l.3) are reasonable, consistent with:(a)the dose analysis shows that no filtration is required when ECCS leakage is less than the maximum allowable unfiltered leakage,(b)significant margin exists betw een operating limits and actual dose limits,(c)operating history indi cates that a sudden chan ge in ECCS leakage to greater than the maximum allo wable unfiltered leakage is not expected, and(d)the time necessary to complete repairs and perform required testing may be significant.

In addition, ECCS leakage is requir ed to be monitored by walking down the areas every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> in order to determine whether or not filtration capability is required (Action D.1.2)

. Establishing monitoring on a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> frequency is based on operating history, which i ndicated that a sudden change in ECCS leakage is not expected, and the conservatisms in the design basis dose calculations.

D.2If total ECCS leakage is equal to or greater than the maximum allowable unfiltered leakage limit then the filt ration capability of ECCS PREACS is

required and actions must be taken to restore an operable ECCS pump room boundary within 24hours. Duri ng the period that the ECCS pump room boundary (continued)

ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-9Revision 46ACTIONSD.2 (continued) is inoperable, appropriate compensato ry measures consistent with the intent of GDC19 should be utilized to protect control r oom operators from potential hazards such as radioactive contamination. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24hour Completion Time is reasonable based on the low probabilit y of a DBA occurring during this time period, and the use of compensatory measures. The 24hour Completion Time is a typically reas onable time to diagnose, plan and possibly repair, and test most pr oblems with the ECCS pump room boundary.

E.1 and E.2 If the ECCS PREACS tr ain(s) or ECCS pump room boundary cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours, and in MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit

conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.7.12.1Standby systems should be checked periodically to ensure that they function properly. As the environment and norma l operating conditions on this system are not severe, testi ng each train once a month provides an adequate check on this system. Mont hly heater operations dry out any moisture that may have accumulated in the charcoal and HEPA filters from humidity in the ambient air. The system must be operated 10 continuous hours with the heaters energized. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

North Anna Units 1 and 2B 3.7.12-10 Revision 46 ECCS PREACS B 3.7.12BASESSURVEILLANCE REQUIREMENT

S (continued)SR3.7.12.2This SR verifies that Safeguards Ar ea exhaust flow and Auxiliary Building Central Exhaust subsystem flow, when actuated from the control room, diverts flow through the Auxiliary Building HEPA filter and charcoal adsorber assembly for the operating train. Exhaust flow is diverted

manually through the filters in case of a DBA requiring their use. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.7.12.3 This SR verifies that the required ECCS PREACS testi ng is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorbers efficiency, minimum system flow rate, and the ph ysical properties of the activated charcoal (general use and following specific operations). Specific test Frequencies and additional information are discussed in detail in the VFTP.SR3.7.12.4 This SR verifies that Safeguards Area exhaust flow for the operating Safeguards Area fan is diverted th rough the filters on an actual or simulated actuation signal. The Su rveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.7.12.5 This SR verifies the integrity of the ECCS pump room enclosure. The ability of the ECCS pump room to ma intain a negative pressure, with respect to potentially uncontaminated ad jacent areas, is periodically tested in a qualitative manner to verify pr oper functioning of each train of the ECCS PREACS. During the post accide nt mode of operation, the ECCS PREACS is designed to maintain a sl ight negative pressure in the ECCS pump room, with respect to adjacent areas, to prevent unfiltered LEAKAGE. A single train of ECCS PREACS is designed to maintain a negative pressure relative to adjacent areas. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.REFERENCES1.UFSAR, Section9.4.2.UFSAR, Section15.4.3.Regulatory Guide1.52 (Rev.2).

4.10CFR50, AppendixA.

ECCS PREACS B 3.7.12BASESNorth Anna Units 1 and 2B 3.7.12-11Revision 455.NUREG-0800, Rev.2, July1981.6.UFSAR, Figure15.4-110 Intentionally Blank North Anna Units 1 and 2B 3.7.13-1Revision 39 B 3.7.13B 3.7 PLANT SYSTEMSB 3.7.13Not Used Intentionally Blank North Anna Units 1 and 2B 3.7.14-1Revision 39 B 3.7.14B 3.7 PLANT SYSTEMSB 3.7.14Not Used Intentionally Blank North Anna Units 1 and 2B 3.7.15-1Revision 20 FBVSB 3.7.15B 3.7 PLANT SYSTEMSB 3.7.15Fuel Building Vent ilation Syst em (FBVS)BASESBACKGROUNDThe FBVS discharges airborne radioactive particul ates from the area of the fuel pool following a fuel handling accident. The FBVS, in conjunction with other normally operating systems, also provides environmental control of temperature and hum idity in the fuel pool area.

The FBVS consists of duc twork, valves and damper s, instrumentation, and two fans.

The FBVS, which may also be operated during normal plant operations, discharges air from the fuel building.The FBVS is discussed in the UFSAR, Sections9.4.5 and15.4.5 (Refs.1 and2, respectively) because it may be used for normal, as well as post accident functions.APPLICABLE SAFETY ANALYSESThe FBVS design basis is established by the consequences of the limiting Design Basis Accident (DBA), which is a fuel handling accident involving handling recently irradiated fuel.

The analysis of the fuel handling accident, given in Reference2, assumes that all fuel rods in an assembly are damaged. The DBA analysis of the fuel handling accident assumes that the FBVS is functional with at l east one fan operating. The amount of fission products available for release from the fuel building is determined for a fuel handling accident. Due to radioactive decay, FBVS is only required to be OPERABLE during fuel handling accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100hours). These assumptions and the analysis follow the guidance provided in Regulatory Guide1.183 (Ref.3).The fuel handling accident analysis for the fuel building assumes all of the radioactive material available for release is discharged from the fuel building by the FBVS.The FBVS satisfies Criterion3 of the 10CFR 50.36(c)(2)(ii).

North Anna Units 1 and 2B 3.7.15-2Revision 20 FBVSB 3.7.15BASESLCOThe FBVS is required to be OPERABLE and in operation. Total system failure could result in the atmospheric release from the fuel building exceeding the 10CFR50, AppendixA, GDC-19 (Ref.4) limits for

alternative source terms, in the even t of a fuel handling accident involving handling recently irradiated fuel.

The FBVS is considered OPERABLE when the individual components are OPERABLE. The FBVS is considered OPERABLE when at least one fan is OPERABLE and in operation, the a ssociated FBVS ductwork, valves,

and dampers are OPERABLE, and air ci rculation can be maintained. In addition, an OPERABLE FBVS must ma intain a pressure in the fuel building pressure envelope £-0.125inch es water gauge with respect to atmospheric pressure.

The LCO is modified by a Note allo wing the fuel building boundary to be opened intermittently under administr ative controls. For entry and exit through doors the administrative contro l of the opening is performed by the person(s) entering or exiting the area.

For other openings, these controls consist of stationing a dedicated in dividual at the opening who is in continuous communication with the c ontrol room. This individual will have a method to rapidly close the ope ning when a need for fuel building isolation is indicated.APPLICABILITYDuring movement of recently irradiated fuel in the fuel handling area, the FBVS is required to be OPERABLE to al leviate the consequences of a fuel handling accident.ACTIONSLCO3.0.3 is not applicable while in MODE5 or6. However, since irradiated fuel assembly movement can occur in MODE1, 2, 3, or4, the ACTIONS have been modified by a Note stating that LCO3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE5 or6, LCO3.0.3 would not specify any act ion. If moving irradiated fuel assemblies while in MODE1, 2, 3, or4, the fuel movement is independent of reactor operations. Entering LCO3.0.3while in MODE1, 2, 3, or4, would require the unit to be shutdown unnecessarily.

FBVSB 3.7.15BASESNorth Anna Units 1 and 2B 3.7.15-3Revision 46ACTIONS(continued)

A.1When the FBVS is inoperable or not in operation during movement of recently irradiated fuel assemblies in the fuel building, action must be taken to place the unit in a condition in which the LCO does not apply. Action must be taken immediately to suspend movement of recently irradiated fuel assemblies in the fu el building. This does not preclude the movement of fuel to a safe position.SURVEILLANCE

REQUIREMENT

SSR3.7.15.1 This SR verifies the integrity of th e fuel building pressure envelope. The ability of the fuel building to maintain negative pressure with respect to potentially uncontaminated adjacent areas is periodically tested to verify proper function of the FBVS. The FBVS is designed to maintain a slight negative pressure in the fuel bui lding, to prevent unfiltered LEAKAGE.

The FBVS is designed to maintain a -0.125inches water gauge with respect to atmospheric pressure. The Surveillance Fre quency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.4.5.2.UFSAR, Section15.4.5.3.Regulatory Guide1.183, July2000.4.10CFR50, AppendixA, GDC-19.

Intentionally Blank North Anna Units 1 and 2B 3.7.16-1Revision 20Fuel Storage Pool Water Level B 3.7.16B 3.7 PLANT SYSTEMSB 3.7.16Fuel Storage Pool Water LevelBASESBACKGROUNDThe minimum water le vel in the fuel storage pool meets the assumptions of iodine decontamination factors foll owing a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides

shielding during the movement of spent fuel.

A general description of the fuel storage pool design is given in the UFSAR, Section9.1.2 (Ref.1). A desc ription of the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section9.1.3 (Ref.2). The assumptions of the fuel handling accident are given in the UFSAR, Section15.4.5 (Ref.3).APPLICABLE SAFETY ANALYSESThe minimum water level in the fuel storage pool meets the assumptions of the fuel handling accident described in Regulatory Guide1.183 (Ref.4). The resultant 2hour dose per person at the exclusion area boundary is within the Regulatory Guide1.183 limits.According to Reference4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface during a fuel handling accident. With 23ft of water, the assumptions of Reference4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the

fuel in the storage racks. In the case of a single bundle dropped and lying horizontally on top of the spent fuel racks, however, there may be <23ft of water above the top of the fuel bundl e and the surface, indicated by the width of the bundle. To offset this small nonconservatism, the analysis assumes that all fuel rods fail, alt hough analysis shows that only the first few rows fail from a hypothetical maximum drop.

The fuel storage pool water level satisfies Criteria 2 and3 of 10CFR50.36(c)(2)(ii).

North Anna Units 1 and 2B 3.7.16-2Revision 46Fuel Storage Pool Water Level B 3.7.16BASESLCOThe fuel storage pool wate r level is required to be 23ft over the top of irradiated fuel assemblies seated in the storage racks. The specified water level preserves the assumptions of the fuel handling accident analysis (Ref.3). As such, it is the mini mum required for fuel storage and movement within the fuel storage pool.APPLICABILITYThis LCO applies during movement of irradiated fuel assemblies in the fuel storage pool, since the potential fo r a release of fissi on products exists.ACTIONSA.1Required ActionA.1 is modified by a Note indicating that LCO3.0.3 does not apply.When the initial conditions for prevention of an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended to a safe position. This action effectively precludes the

occurrence of a fuel handling accident

. This does not preclude movement of a fuel assembly to a safe position.

If moving irradiated fuel assemblies while in MODE5 or6, LCO3.0.3 would not specify any action.

If moving irradiated fu el assemblies while in MODES1, 2, 3, and4, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reas on to require a reactor shutdown.SURVEILLANCE

REQUIREMENT

SSR3.7.16.1This SR verifies sufficient fuel stor age pool water is available in the event of a fuel handling accident.

The water level in the fu el storage pool must be checked periodically. The Surveill ance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

Fuel Storage Pool Water Level B 3.7.16BASESNorth Anna Units 1 and 2B 3.7.16-3Revision 20SURVEILLANCE REQUIREMENT

SSR3.7.16.1 (continued)

During refueling operations, the level in the fuel storage pool is in equilibrium with the refueling canal, and the level in the refueling canal is checked daily in accordance with SR3.9.7.1.REFERENCES1.UFSAR, Section9.1.2.2.UFSAR, Section9.1.3.3.UFSAR, Section15.4.5.

4.Regulatory Guide1.183, July2000.

Intentionally Blank North Anna Units 1 and 2B 3.7.17-1Revision 0Fuel Storage Pool Boron Concentration B 3.7.17B 3.7 PLANT SYSTEMSB 3.7.17Fuel Storage Pool Boron ConcentrationBASESBACKGROUNDThe water in the spent fuel storage pool contains soluble boron, which results in large subcriticality marg ins under normal ope rating conditions. However, the NRC guidelines assume ac cident conditions, such as loss of all soluble boron or misloading of a fuel assembly. In these cases, the subcriticality margin is allowed to be smaller, but in all cases must be less than 1.0. This subcriticality margin is maintained by storing the fuel

assemblies in the fuel storage pool in a geometry which li mits the reactivity of the fuel assemblies and by the use of soluble boron in the fuel storage pool water. The required geometry for fuel assembly storage in the fuel storage pool is described in LCO3.7.18, "Spent Fuel Pool Storage." The accident analyses assume the presen ce of soluble boron under accident conditions, such as the misloading of a fuel assembly into a location not allowed by LCO3.7.18, a loss of cooling to the fuel storage pool resulting in a temperature increase of the fuel storage pool water, or a dilution of the boron dissolved in the fuel storage pool.

A general description of the fuel storage pool design is given in the UFSAR, Section9.1.2 (Ref.1).APPLICABLE SAFETY ANALYSESCriticality of the fuel assemblies in the fuel storage pool racks is prevented by the design of the rack and by administrative controls related to fuel storage pool boron concentration, fuel assembly burnup credit, and fuel storage pool geometry (Ref.2). There are three basic acceptance criteria

which ensure conformance with the design bases (Ref.3). They are:a.keff <1.0 assuming no soluble boron in the fuel storage pool,b.A soluble boron concentration sufficient to ensure keff<0.95, andc.An additional amount of soluble boron sufficient to offset the maximum reactivity effects of postula ted accidents and to account for the uncertainty in the computed reactivity of fuel assemblies.APPLICABLE SAFETY ANALYSES(continued)The postulated accidents considered when determining the required fuel

storage pool boron concentr ation are the misloading of a fuel assembly, an increase in fuel storage pool temp erature, and boron dilution. Analyses have shown that the amount of boron required by the LCO is sufficient to ensure that the most limiting misloadi ng of a fuel assembly results in a keff<0.95. The boron concentration limit also accommodates decreases in water density due to temperature in creases in the fuel storage pool.

Analyses have also shown that there is sufficient time to detect and North Anna Units 1 and 2B 3.7.17-2Revision 0Fuel Storage Pool Boron Concentration B 3.7.17BASESmitigate a boron dilution event prior to exceeding the design basis of keff<0.95. The fuel storage pool analys es do not credit the Boraflex neutron absorbing material in the fuel storage pool racks.The concentration of dissolved boron in the fuel storage pool satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe fuel storage pool boron c oncentration is required to be 2600ppm.

The specified concentration of dissolved boron in the fuel storage pool

preserves the assumptions used in the analyses which take credit for soluble boron and for fuel loading restrictions based on fuel enrichment

and burnup. The fuel loading restrictions are described in LCO3.7.18. The fuel storage pool boron concentration limit, when combined with fuel burnup and geometry limits in LCO3.

7.18, ensures that the fuel storage pool keff meets the limits in Section4.3, "Design Features."APPLICABILITYThis LCO applies whenever fuel assemblies are stored in the spent fuel storage pool. The required boron concentration ensures that the keff limits in Section4.3 are met when fuel is stored in the fuel storage pool.ACTIONSA.1 andA.2 The Required Actions are modified by a Note indicating that LCO3.0.3 does not apply.

When the concentration of boron in the fuel storage pool is less than required, immediate action must be taken to preclude the occurrence of an accident or to mitigate the consequences of an accide nt in progress. This is most efficiently achieved by im mediately suspending the movement (continued)ACTIONSA.1 andA.2 (continued)of fuel assemblies. The concentration of boron is restored simultaneously with suspending movement of fuel assemblies. Prior to resuming movement of fuel assemblies, the con centration of boron must be restored

to within limit. This does not preclude movement of a fuel assembly to a safe position.If the LCO is not met while moving irradiated fuel assemblies in MODE5 or6, LCO3.0.3 would not be applicab le. If moving irradiated fuel assemblies while in MODE1, 2, 3, or4, the fuel movement is independent of reactor operation. Therefore, inabili ty to suspend movement of fuel assemblies is not sufficient reas on to require a reactor shutdown.

Fuel Storage Pool Boron Concentration B 3.7.17BASESNorth Anna Units 1 and 2B 3.7.17-3Revision 46SURVEILLANCE REQUIREMENT

SSR3.7.17.1 This SR verifies that th e concentration of boron in the fuel storage pool is within the required limit. As long as this SR is met, the analyzed accidents are fully addressed. Th e Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.1.2.2.UFSAR, Section4.3.2.7.3.UFSAR, Section3.1.53.

Intentionally Blank North Anna Units 1 and 2B 3.7.18-1Revision 0Spent Fuel Pool Storage B 3.7.18B 3.8 PLANT SYSTEMSB 3.7.18Spent Fuel Pool StorageBASESBACKGROUNDThe fuel storage pool contains racks which hold the fuel assemblies. The arrangement of the fuel assemblies in th e fuel racks can be used to limit the interaction of the fuel assemblies and the resulting reactivity of the fuel in the fuel storage pool. The geometrical arrangement is based on classifying fuel assemblies as "high reactivity" or "low reactivity" based on the burnup and initial enrichment of the fuel assemblies. A 5x5 fuel location matrix is employed with acceptable locations for high and low reactivity fuel assemblies. Fuel assemblies may also be stored in fu el locations not associated with a storage matrix if the assemblies meet certain requirements.Storing the fuel assemblies in the locations required by the LCO ensures a fuel storage pool keff<1.0 for normal conditions. In addition, the water in the spent fuel storage pool contains soluble boron, which results in large subcriticality margins under normal operating conditions. However, the NRC guidelines assume accident conditi ons, such as loss of all soluble boron or misloading of a fuel assembly. In these cases, the subcriticality margin is allowed to be smaller, but in all cases must be less than 1.0. This subcriticality margin is maintained by storing the fuel assemblies as described in the LCO and by the use of soluble boron in the fuel storage pool water as required by LCO3.7.17, "Fuel Storage Pool Boron

Concentration." The accident analyses assume the presence of soluble boron under accident conditions, such as the misloading of a fuel assembly into a location not allowed by LCO3.7

.18, a loss of cooling to the fuel storage pool resulting in a temperatur e increase of the fuel storage pool water, or a dilution of the boron di ssolved in the fuel storage pool.

A general description of the fuel storage pool design is given in the UFSAR, Section9.1.2 (Ref.1).APPLICABLE SAFETY ANALYSESCriticality of the fuel assemblies in the fuel storage pool racks is prevented by the design of the rack and by administrative controls related to fuel storage pool boron concentration, fuel assembly burnup credit, and fuel

storage(continued)

North Anna Units 1 and 2B 3.7.18-2Revision 0Spent Fuel Pool Storage B 3.7.18BASESAPPLICABLE SAFETY ANALYSES(continued)pool geometry (Ref.2). There are th ree basic acceptance criteria which ensure conformance with the design bases (Ref.3). They are:a.keff<1.0 assuming no soluble boron in the fuel storage pool,b.A soluble boron concentration sufficient to ensure keff<0.95, andc.An additional amount of soluble boron sufficient to offset the maximum reactivity effects of postula ted accidents and to account for the uncertainty in the computed reactivity of fuel assemblies.The postulated accidents considered wh en determining the required fuel storage pool arrangement and minimum boron concentration are the misloading of a fuel assembly, an incr ease in fuel storage pool temperature, and boron dilution. Analyses have show n that a combination of the fuel storage pool geometric arrangement and the amount of boron required by the LCO is sufficient to ensure that the most limiting misloading of a fuel

assembly results in a keff<0.95.The configuration of fuel assemblies in the fuel storage pool satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCOThe restrictions on the placement of fuel assemblies within the spent fuel pool, in accordance with Figures3.7.18-1 and3.7.18-2, in the accompanying LCO, ensures the keff of the spent fuel storage pool will always remain <1.0. Figure3.7.18-1 is used to determine if a fuel assembly is acceptable for storage with out use of a fuel assembly matrix.

Based on the initial enrich ment and burnup, a fuel a ssembly may be stored without using a fuel assembly matrix, or must be stored in a high or low reactivity location of a fuel assembly matrix. Figure3.7.18-2 describes the fuel assembly matrix storage confi guration. These stor age restrictions, when combined with the fuel storage pool boron concentration limit in LCO3.7.17, ensure that the fuel storage pool keff meets the limits in Section4.3, "Design Features."APPLICABILITYThis LCO applies whenever any fuel assembly is stored in the fuel storage pool.

Spent Fuel Pool Storage B 3.7.18BASESNorth Anna Units 1 and 2B 3.7.18-3Revision 0ACTIONSA.1Required ActionA.1 is modified by a Note indicating that LCO3.0.3 does not apply.

When the configuration of fuel assemblies stored in the spent fuel storage pool is not in accordance with Figure3.7.18-1 and Figure3.7.18-2, the immediate action is to initiate action to make the necessary fuel assembly movement(s) to bring the configuration into compliance with the LCO.

If unable to move irradiated fuel assemblies while in MODE5 or6, LCO3.0.3 would not be applicable. If unable to move irradiated fuel assemblies while in MODE1, 2, 3, or4, the action is independent of reactor operation. Therefore, inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.SURVEILLANCE

REQUIREMENT

SSR3.7.18.1 This SR verifies by a combination of visual inspection and administrative means that the initial enrichment and burnup of the fuel assembly is in accordance with Figure3.7.18-1 and the fu el assembly storage location is in accordance with Figure3.7.18-2.REFERENCES1.UFSAR, Section9.1.2.2.UFSAR, Section4.3.2.7.3.UFSAR, Section3.1.53.

Intentionally Blank North Anna Units 1 and 2B 3.7.19-1Revision 0CC System B 3.7.19B 3.7 PLANT SYSTEMSB 3.7.19Component Cooling Water (CC) SystemBASESBACKGROUNDThe CCSystem provides a heat sink for the removal of process and operating heat from components during normal operation. The CCSystem serves as a barrier to the releas e of radioactive byproducts between potentially radioactive systems and the Service Water Syst em, and thus to the environment.The CCSystem consists of four subsystems shared between units. Each subsystem consists of one pump and one heat exchanger. The design basis of the CCSystem is a fast cooldown of one unit while maintaining normal

loads on the other unit. Three CC subsystems are required to accomplish this function. With only two CC subsyste ms available, a slow cooldown of one unit while maintaining normal loads on the other unit can be

accomplished. The removal of norma l operating heat loads (including common systems) requires two CC s ubsystems. During normal operation, the CC subsystems are cross connected between the units with two CC pumps and four CC heat exchangers in operation. Two pumps are normally running, with the other two in standby. A vented surge tank common to all four pumps ensures that sufficient net positive suction head is available.The CCSystem serves no accident mitigation function and is not a system which functions to mitigate the failur e of or presents a challenge to the integrity of a fission product barrier. The CCSystem is not designed to withstand a single failure. The CC System supports the Residual Heat Removal (RHR) System. The RHR syst em does not perform a design basis accident mitigation function.

Additional information on the design and operation of the system, along with a list of the components serv ed, is presented in the UFSAR, Section9.2.2 (Ref.1). The principal function of the CCSystem is the removal of decay heat from the reactor via the Residual Heat Removal (RHR) System.

North Anna Units 1 and 2B 3.7.19-2Revision 0CC System B 3.7.19BASESAPPLICABLE SAFETY ANALYSESThe CCSystem serves no accident mitigation function. The CCSystem

functions to cool the unit from RHR entry conditions (T cold <350F), to Tcold <140F. The time required to cool from 350F to 140F is a function of the number of CC and RHR trains operating. The CCSystem is

designed to reduce the temperature of the reactor coolant from 350°F to 140°F within 16hours based on a serv ice water temperature of 95°F and having two CC subsystems in service for the unit being cooled down.The CCSystem has been identified in the probabilistic safety assessment as significant to public health and safety. The CCSystem satisfies Criterion4 of 10CFR 50.36(c)(2)(ii).

LCOShould the need arise to cooldown one unit quickly while the other unit is operating, three CC subsyste ms would be needed -

two to support the quick cooldown of one unit and one to support the normal heat loads of the operating unit. To ensure this function can be performed a total of three CC subsystems shared with the other unit are required to be OPERABLE.

A CC subsystem is considered OPERABLE when:

a.The pump and common surge tank are OPERABLE; andb.The associated piping, valves, heat exchanger, and instrumentation and controls required to perform the function are OPERABLE.Each CC subsystem is considered OPERABLE if it is operat ing or if it can be placed in service from a sta ndby condition by manually unisolating a standby heat exchanger and/or manually starting a standby pump.APPLICABILITYIn MODES1, 2, 3, and4, the CCSystem is a normally operating system. In MODE4 the CCSystem must be pr epared to perform its RCS heat removal function, which is achieved by cooling the RHR heat exchanger.In MODE5 or6, the OPERABILITY requirements of the CCSystem are determined by the systems it supports.

CC System B 3.7.19BASESNorth Anna Units 1 and 2B 3.7.19-3Revision 0ACTIONSA.1 If one required CC subsystem is inopera ble, action must be taken to restore OPERABLE status within 7days.

In this Condition, the remaining OPERABLE CC subsystems are adequate to perform the heat removal function. The 7day Completion Time is reasonable, based on the redundant capabilities afforded by the OPERABLE subsystems.B.1 andB.2If the required CC subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE3 within 6hours and in MODE5 within 30hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner and without challe nging unit systems.C.1 andC.2If two required CC subsystems are inoperable, action must be taken to cool the unit to MODE4 within 12hours. Action must be initiated to place the unit in MODE5, where the LCO does not apply, within 13hours. The allowed Completion Times are reasona ble, based on operating experience, to reach the required unit conditions from full power c onditions in an orderly manner and without challenging unit systems.D.1 andD.2With no CC water available to suppl y the residual heat removal heat exchangers, action must be taken to cool the unit to MODE4 within 12hours. Alternate means to cool the unit must be found and the unit placed in MODE5, where the LCO does not apply. The allowed Completion Times are reasonable, base d on operating experience, to reach the required unit conditions from full power conditions in an orderly

manner and without challenging unit systems.

North Anna Units 1 and 2B 3.7.19-4Revision 46CC System B 3.7.19BASESSURVEILLANCE REQUIREMENT

SSR3.7.19.1Verifying the correct alignment for manual, power operated, and automatic valves in the CC flow path to the RHR heat exchangers provides assurance that the proper flow paths exist for CC operation. This SR does not apply to valves that are locked, sealed, or ot herwise secured in position, since these valves are verified to be in the corr ect position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather

, it involves verification that those valves capable of being misposit ioned are in the correct position.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.2.2.

North Anna Units 1 and 2B 3.8.1-1Revision 18 AC Sources-Operating B 3.8.1B 3.8ELECTRICAL POWER SYSTEMSB 3.8.1AC Sources-OperatingBASESBACKGROUNDThe unit Class1E AC Electrical Power Distribution System AC sources consist of offsite (preferred) power (via normal and alternate feeds), the Alternate AC (AAC) diesel, and the onsite standby power sources (TrainA(H) and TrainB(J) emergency diesel generators (EDGs)). As required by GDC17 (Ref.1), the design of the preferred AC electrical power system provides independence and redundancy to ensure an acceptable (i.e., qualified) source of power to the Engineered Safety Feature (ESF) systems.Additionally, the unit's electrical sour ces must include electrical sources from the other unit that are required to support the Service Water (SW), Main Control Room (MCR)/Emergen cy Switchgear Room (ESGR) Emergency Ventilation System (EVS),

Auxiliary Building central exhaust system, or Component Cooling Wate r (CC) safety functions. This requirement could include both of the other unit's offsite circuits and EDGs for this unit.

The onsite Class1E AC Dist ribution System is divi ded into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from bei ng performed. Each train, for a given unit, must have a connection to a qualified offsite (preferred) power source and a dedicated EDG. Also, for each unit, the two qualified offsite sources must be independent of each other. A minimum of two independent qualified offsite sources connecting the 230/500kV switchyard to each unit's ESF (emergency) buses is required. Since the Unit1 and2 offsite

sources may be shared, a minimum of two sources are required for the station. To be considered independent, a qualified offsite source must be both electrically and physically separated from other offsite sources. This independence must be maintained during possible automatic switching operations such as is initiated following a Unit2 trip when ESF bus1J is connected to the station service bus2B. In this situation, ESF bus1J is transferred to reserve station service transformer (RSST)B.

(continued)

North Anna Units 1 and 2B 3.8.1-2Revision 18 AC Sources-Operating B 3.8.1BASESBACKGROUND (continued)The 230/500kV switchyard, which is an integral part of the transmission network, is the source of offsite (preferred) power to the station Class1E electrical system. From the 230/500kV switchyard, five electrically and physically separated circuits are available to provide AC power, through either the system reserve transformers (SRTs) and RSSTs or the station service transformers (SSTs), to the 4.16kV ESF buses. A detailed description of the offsite power network and the circuits to the Class1E ESF buses is found in the UFSAR, Chapter8 (Ref.2).An offsite circuit consists of al l breakers, transformers, switches, interrupting devices, cabling, and contro ls required to transmit power from the offsite transmission network to the onsite Class1E ESF bus(es). Each one is "qualified" via anal ysis to show that they meet the requirements of GDc17.

Certain required unit loads are energi zed in a predetermined sequence in order to prevent overloading the transformers supplying offsite power to the onsite Class1E Distribution Syst em. After the initiating signal is received, permanently connected load s and all automatically connected loads, via the load sequencing timing re lays, needed to recover the unit or maintain it in a safe condition are energized.

The onsite standby power source for each 4.16kV ESF bus is a dedicated EDG. EDGsH andJ are dedicated to ESF busesH andJ, respectively. An EDG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure or high containment pressure signals) or on an ESF

bus degraded voltage or undervoltage signal (refer to LCO3.3.5, "Loss of Power (LOP) Emergency Diesel Generator (EDG) Start Instrumentation"). After the EDG has started, it will automatically tie to its respective bus after offsite power is isolated as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. The EDGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal or a moment ary undervoltage condition. Following the loss of offsite power, an undervol tage signal strips nonpermanent loads from the ESF bus. When the EDG is tied to the ESF bus, loads are then

sequentially connected to their re spective ESF bus by the sequencing timing relays. The specific ESF equipment's sequencing timer controls the permissive and starting signals to motor breakers to prevent overloading the EDG by automatic load application.

(continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-3Revision 18BACKGROUND (continued)

In the event of a loss of preferred (offsite) power, the ESF electrical loads are automatically connected to the EDGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA) without overloading the EDGs.Ratings for TrainH and TrainJ EDGs satisfy the require ments of Safety Guide9 (Ref.3). The continuous service rating of each EDG is 2750kW with 3000kW allowable for up to 2000hours per year. The ESF loads that are powered from the 4.16kV ESF buses are listed in Reference2.APPLICABLE SAFETY ANALYSESThe initial conditions of DBA and transient analyses in the UFSAR, Chapter6 (Ref.4) and Chapter15 (Ref.5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the

availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.

These limits are discusse d in more detail in the Bases for Section3.2, Power Distribution Limits; Section3.4,Reactor Coolant System (RCS);

and Section3.6, Containment Systems.The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accide nt analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during accident conditions in the event of:

a.An assumed loss of all offsite power or all onsite AC power; andb.A worst case single failure.

The AC sources satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOA minimum of two qualified offsite circuits between the 230/500kV switchyard and the onsite Class1E Electrical Power System and two separate and independent EDGs for supplying the redundant trains for each unit ensure (continued)

North Anna Units 1 and 2B 3.8.1-4Revision 21 AC Sources-Operating B 3.8.1BASESLCO(continued)availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.Qualified offsite circuits include the two 500-34.5kV transformers and one 230-34.5kV transformers (collectively referred to as the SRTs) that feed three independent 34.5kV buses which supply the RSSTs. In addition, there are two 500kV lines from the switchyard to the Unit1 and Unit2 generator step-up transformers and SST

s. These circuits are described in the UFSAR and are part of th e licensing basis for the unit.In addition, the required automatic load sequencing timing relays must be OPERABLE. A "required" load sequen cing timing relay is one whose host component is capable of automatically loading onto an emergency bus.Each independent qualified offsite s ource must be capable of maintaining rated frequency and voltage, and accepting required loads during an

accident, while connected to the ESF buses.Normally, the qualified offsite sources for the Unit1 and2 ESF buses are from the 34.5kV buses3, 4, and5 which supply the RSSTs which feed the transfer buses. RSSTsA andB may be fed from the same 34.5kV bus, but RSSTC must be fed from a different 34.5kV bus than RSSTA and RSSTB. The D, E, andF transfer bus es supply the onsite electrical power to the four ESF buses for the two units. In addition to the normal alignment, the D andE transfer buses can be tied together via the 4160V bus0L installed as part of the AAC modifications.ESF bus1H is normally fed through the Ftransfer bus from RSSTC. ESF bus1J is normally fed through the Dtransfer bus from RSSTA. Station service bus1B can provide an alternate preferred feed for the ESF 1Hbus, while the ESF 1J has an alternate pr eferred feed from station service bus2B. ESF bus2H is normally fed through the Etransfer bus from RSSTB. In addition, ESF bus2H can also be fed through E transfer bus from RSSTA with breakers05L1 and05L3 on AAC bus0L closed. ESF bus2J is normally fed through the Ftransfer bus from RSSTC.

(continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-5Revision 38 LCO(continued)The two 500kV lines connecting each unit's main step-up and SSTs with the switchyard are the remaining qualified sources of offsite (preferred) power that are available to power ESF buses. For Unit1, this source is

normally available followi ng a unit trip since there is an installed main generator breaker. Therefore, station service bus1B, which provides the

alternate preferred feed to the 1H ESF bus, normally will not be affected.

For Unit2, where there is no installed main generator breaker, station service bus2B, which provides the alternate preferred feed to ESF bus1J, will automatically transfer to RSSTB following a unit trip.Each EDG must be capable of starting, accelerating to rated speed and

voltage, and connecting to its resp ective ESF bus on detection of bus undervoltage or degraded voltage.

This will be accom plished within 10seconds. Each EDG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as EDG in standby with the engine hot and EDG in standby with the engine at ambient conditions. Additional EDG capabilities must be demonstrated to meet required Surveillances.

Proper sequencing of loads is a required function for EDG OPERABILITY.In the event of a loss of offsite (preferred) power supply to the emergency bus, the EDG will auto start and re-energize its associated bus. In this configuration the EDG will become i noperable due to the defeat of load sequencing timers. Upon completion of guidance in abnormal procedures for reconfiguration of the affected el ectrical bus to control loads, TS 3.8.1 Condition K may be exited as seque ncing timing relays are no longer required as long as the associated emergency bus is not subsequently paralleled to another bus. The diesel can be considered operable which would allow exiting TS 3.8.1 Conditions B and H and remaining in TS 3.8.1 Condition A.The other unit's offsite circuit(s) and EDG(s) are required to be OPERABLE to support the SW, MCR/

ESGR EVS, Auxiliary Building central exhaust, and CC functions ne eded for this unit. These functions share components, pump or fans, whic h are electrically powered from both units.(continued)

North Anna Units 1 and 2B 3.8.1-6Revision 38 AC Sources-Operating B 3.8.1BASESLCO(continued)The AC sources in one train must be separate and i ndependent (to the extent possible) of the AC sources in the other train. For the EDGs, separation and indepe ndence are complete.For the offsite AC sources, separati on and independence are to the extent practical.APPLICABILITYThe AC sources and sequencing timing relays are required to be OPERABLE in MODES1, 2, 3, and4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; andb.Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.The AC power requirements for MODES5 and6 are covered in LCO3.8.2, "AC Sources-Shutdown."ACTIONSA.1To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to veri fy the OPERABILITY of the remaining required offsite circuit(s) on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR3.8.1.1 acceptance criteria

does not result in a Required Action not met. However, if a second required circuit fails SR3.8.1.1, the second offs ite circuit is inoperable, and ConditionG, for two offsite circ uits inoperable, is entered.

A.2Required ActionA.2, which only applie s if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated EDG will not result in a complete loss of safety function of critical redundant required features.

These features are powered from the redundant AC electrical power trains.

(continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-7Revision 38ACTIONSA.2 (continued)The Completion Time for Required ActionA.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"

for beginning the allowed outage time "c lock." In this Required Action, the Completion Time only begins on discovery that both:a.The train has no offsite power supplying its loads; andb.A required feature on the other train is inoperable.

If at any time during the existence of ConditionA (one offsite circuit inoperable) a redundant required featur e subsequently becomes inoperable, this Completion Time begins to be tracked.Discovering no offsite power to one train of the onsite Class1E Electrical Power Distribution System coincide nt with one or more inoperable required support or supported features, or both, that ar e associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time fo r restoration before subjecting the unit to transients asso ciated with shutdown.The remaining OPERABLE offsite circ uit and EDGs are adequate to supply electrical power to TrainH and TrainJ of the onsite Class1E Distribution System. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

A.3According to Regulatory Guide1.93 (Ref.6), operation may continue in ConditionA for a period that should not exceed 72hours. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE (continued)

North Anna Units 1 and 2B 3.8.1-8Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSA.3 (continued)offsite circuit and EDGs are adequate to supply electrical power to the onsite Class1E Distribution System.The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources

, a reasonable time for repairs, and the low probability of a DBA occurring during this period.The second Completion Time for Required ActionA.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If ConditionA is en tered while, for instance, an EDG is inoperable and that EDG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14days. This could lead to a total of 17days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, an EDG could again become inoperable, the circuit restored OPERABLE, and an additional 14days (for a total of 31days) allowed prior to complete restorati on of the LCO. The 17 day Completion Time provides a limit on the time al lowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which ConditionsA andB are entered concurrently. The "AND" connector between the 72hour and 17day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.As in Required ActionA.2, the Completion Time allows for an exception to the normal "time zero" for beginni ng the allowed outage time "clock." This will result in establishing the "t ime zero" at the time that the LCO was initially not met, instead of at the time ConditionA was entered.

B.1Condition B is entered for an inoperable EDG and requires the OPERABILITY of additional electrical sources for the allowed Completion Time of 14 days. The addi tional electrical s ources required to be OPERABLE are the AAC diesel generator (DG) (Station Black Out

diesel generator), and both EDGs of the other unit. If any of these

additional sources are (continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-9Revision 38ACTIONSB.1 (continued) inoperable at the time an EDG become s inoperable, or become inoperable with an EDG in Condition B, Condition C must also be entered for the inoperable EDG.To ensure a highly reliab le power source remains with an inoperable EDG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR3.8.1.1 accepta nce criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and

Required Actions must then be entered.

B.2Required ActionB.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG is inoperable, does not result in a

complete loss of safety function of critical systems. These features are designed with redundant safety related trains. Redundant required feature

failures consist of inoperable features associated with a train, redundant to the train that has an inoperable EDG.The Completion Time for Required ActionB.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"

for beginning the allowed outage time "c lock." In this Required Action, the Completion Time only begins on discovery that both:a.An inoperable EDG exists; andb.A required feature on the other train (TrainH or TrainJ) is inoperable.

If at any time during the existence of this Condition (one EDG inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering one required EDG inoperabl e coincident with one or more inoperable required support or suppor ted features, or both, that are associated with the OPERABLE EDG, results (continued)

North Anna Units 1 and 2B 3.8.1-10 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSB.2 (continued)in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time fo r restoration before subjecting the unit to transients asso ciated with shutdown.

In this Condition, the remaining OPERABLE EDG and offsite circuits are adequate to supply elect rical power to the onsite Class1E Distribution System. Thus, on a component basis, single failure protection for the

required feature's function may have been lost; however, function has not been lost. The 4hour Completion Time takes into account the OPERABILITY of the redundant counter part to the inoperable required feature. Additionally, the 4hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.3.1 and B.3.2Required ActionB.3.1 provides an allowance to avoid unnecessary testing of the OPERABLE EDG. If it can be determined that the cause of the inoperable EDG does not exist on the OPERABLE EDG, SR3.8.1.2 does not have to be performed. If the cause of inoperability exists on the other EDG, the other EDG would be decl ared inoperable up on discovery and ConditionI of LCO3.8.1 would be ente red. Once the failure is repaired, the common cause failure no longer exists, and Required ActionB.3.1 is satisfied. If the cause of the initial inoperable EDG cannot be confirmed not to exist on the remaining EDG, performance of SR3.8.1.2 suffices to

provide assurance of continued OPERABILITY of that EDG.In the event the inoperable EDG is restored to OPERABLE status prior to

completing either B.3.1 or B.3.2, the pl ant corrective action program will continue to evaluate the common cause possibility, in cluding the other unit's EDGs. This continued evaluation, however, is no longer under the 24hour constraint imposed while in Condition B.According to Generic Letter84-15 (Ref.7), 24hours is reasonable to confirm that the OPERABLE EDG is not affected by the same problem as the inoperable EDG.

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-11Revision 38ACTIONS(continued)

B.4In ConditionB, the remaining OPERABLE EDG, offsite circuits, AAC DG, and the other unit's E DGs are adequate to suppl y electrical power to the onsite Class1E Distribution System. The 14day Completion Time takes into account the capac ity and capability of th e remaining AC sources, a reasonable time for repairs, and th e low probability of a DBA occurring during this period.The second Completion Time for Required ActionB.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any si ngle contiguous occurr ence of failing to meet the LCO. If ConditionB is entered while, for instance, an offsite circuit is inoperable and that circuit is subseque ntly restored OPERABLE, the LCO may already have been not met for up to 72hours. This could lead to a total of 17days, since initial failure to meet the LCO, to restore the EDG. At this time, an offsite circuit could again become inoperable, the

EDG restored OPERABLE, and an additional 72hours (for a total of 20days) allowed prior to complete restoration of the LCO. The 17day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which ConditionsA andB are entered concurrently. The "AND" connector between the 14day and 17day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.As in Required ActionB.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time ConditionB was entered.

C.1 and C.2To ensure a highly reliable electrical power source remains available when one EDG is inoperable, ConditionC is established to monitor the OPERABILITY of the AAC DG and the other unit's EDGs. ConditionB is entered any time an EDG becomes i noperable and the Required Actions and Completion Times are followed. Concurrently, if the AAC DG or one or more of the other unit's EDG(s) is inoperable, or become (continued)

North Anna Units 1 and 2B 3.8.1-12 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSC.1 and C.2 (continued) inoperable, in addition to the Required Actions of ConditionB, Required ActionsC.1 andC.2 limit the time th e EDG may be out of service to 72hours. If the AAC DG or the other un it's EDG(s) is inoperable when the EDG becomes inoperable, the allowed outage time (AOT) is limited to 72hours, unless the AAC DG and the other unit's EDG(s) are returned to OPERABLE status. If during the 72hour Completion Time ofC.1 orC.2,

the AAC DG and the other unit's EDG(s) are returned to OPERABLE status, ConditionC is exited and AOT is restricted by the Completion Time tracked in ConditionB. If the AAC DG or one or more of the other unit's EDG(s) becomes inoperable at sometime after the initial EDG inoperability, ConditionC requires the restoration of the EDG or the AAC DG and the other unit's EDG(s) within 72hours or ConditionL is required to be entered.The 72hour Completion Time is considered reasonable and takes into account the assumption in the probabilistic safety analysis (PSA) for potential core damage frequency.D.1, D.2, andD.3ConditionD is modified by a Note indi cating that separate Condition entry is allowed for each offsite circuit on th e other unit that provides electrical power to required shared components.To provide the necessary electrical power for the SW, MCR/ESGR EVS, Auxiliary Building central exhaust, and CC functions for a unit, AC electrical sources of both units ma y be required to be OPERABLE. ActionD is entered for one or more inoperable offsite circuit(s) on the other unit that is necessary to support required shared components. These shared components are the SW pump(s), MCR/ESGR EVS fan(s),

Auxiliary Building central exhaus t fan(s), and CC pumps. Required ActionD.1 verifies the OPERABILITY of the remaining required offsite

sources within an hour of the inoperability and every 8hours thereafter.

Since the Required Action only specifi es "perform," a failure of the SR3.8.1.1 acceptance criteria does not result in a Required Action not met.

(continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-13Revision 38ACTIONSD.1, D.2, andD.3 (continued)The Completion Time for Required ActionD.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"

for beginning the allowed outage time "c lock." In this Required Action, the Completion Time only begins on discovery that both:a.The required shared component has no offsite power; andb.A required shared component(s) in the same system is inoperable.

If at any time during the existence of ConditionD (one offsite circuit inoperable on the other unit needed to supply electrical power for a required shared component) another required shared component in the same system subsequently becomes inoperable, this Completion Time begins to be tracked.Discovering no offsite power on the ot her unit that supports a required shared component and an additional required shared component in the same system inoperable, results in starting the Completion Times for the Required Action.Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circ uits and EDGs that power the required shared components are adequate to support the SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and CC functions. The 24hour Completion Time takes into account the component OPERABILITY of the remaining shared component(s), a reasonable time for repairs, and the low probability of a DBA occurring during this period.

Operation may continue in Condition D for a period of 72hours. With one offsite circuit inoperable on the othe r unit supplying electrical power to a required shared component, the reliability of the SW, MCR/ESGR EVS, Auxiliary Building central exhaust syst em, and CC functi ons are degraded. The potential for the loss of offsite power to the other required shared

components is increased, w ith the attendant potential for a challenge to SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, and CC

functions.

(continued)

North Anna Units 1 and 2B 3.8.1-14 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSD.1, D.2, andD.3 (continued)The required offsite circuit must be returned to OPERABLE status within 72hours, or the support function for th e associated shared component is considered inoperable. At that time, the required shared component must be declared inoperable and the appropriate Conditions of the LCO3.7.8, "Service Water System," LCO3.7.10, "MCR/ESGR Emergency Ventilation System," LCO3.7.12, "Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System," and LCO3.7.19, "Component Cooling Water (CC) System," must be entered. The 72hour Completion Time takes into account the capacity and capability of the

remaining AC sources providing electri cal power to the required shared components, a reasonable time for repa irs and the low probability of a DBA occurring during this period of time.

E.1, E.2, and E.3To ensure a highly reliable power sour ce remains with an inoperable EDG, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Requi red Action only specifies "perform," a failure of SR3.8.1.1 accepta nce criteria does not result in a Required Action being not met. Required Action E.1 verifies the OPERABILITY of the required offsite sources within an hour of the inoperability and every 8hours thereafter. However, if a circuit fails to pass SR3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and

Required Actions must be entered.Required ActionE.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG is inoperable, does not result in a complete loss of the SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, or CC functions.

The Completion Time for Required ActionE.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "c lock." In this Required Action, the Completion Time only begins on discovery that both:a.The required shared component with an inoperable EDG; andb.A required shared component(s) in the same system is inoperable.

(continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-15Revision 38ACTIONSE.1, E.2, and E.3 (continued)

If at any time during the existence of Condition E (one EDG inoperable on the other unit needed to supply elec trical power for a required shared component) another required shared component subsequently becomes inoperable, this Completion Ti me begins to be tracked.

Discovering an EDG on the other unit that supports a required shared component and an additional require d shared component inoperable, results in starting the Completion Times for the Required Action. Four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.The remaining OPERABLE offsite circ uits and EDGs that power the required shared components are adequate to support the SW, MCR/ESGR EVS, Auxiliary Building central exhaust system, or CC functions. The 4hour Completion T ime takes into account the component OPERABILITY of the remaining shar ed components, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

Operation may continue in ConditionE for a period of 14days. With one EDG inoperable on the other unit supplyi ng electrical power to a required shared component, the reliability of the respective Function is degraded.

The potential for the loss of EDGs to the other required shared components is increased, with the attendant potential for a challenge to respective

Function.

The required EDG must be returned to OPERABLE status within 14days, or the support function for the associat ed shared component is considered inoperable. At that time, the required shared component must be declared inoperable and the appropriate Conditions of the LCOs3.7.8, 3.7.10, 3.7.12, and3.7.19 must be entered. The 14day Completion Time takes into account the capacity and capability of the remaining AC sources providing electrical power to the required shared components, a reasonable time for repairs and the low probability of a DBA occurring during this period of time.

North Anna Units 1 and 2B 3.8.1-16 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONS(continued)

F.1 and F.2To ensure a highly reliable electrical power source remains available when one EDG is inoperable that is re quired to support a required shared component on the other unit, Condition F is established to monitor the OPERABILITY of the AAC DG and the LCO3.8.1.b EDGs. ConditionF is entered any time an EDG that is required to support a required shared component that receives its electrical power from the other unit becomes inoperable and the Required Actions and Completion Times are followed. Concurrently, if the AAC DG or one or more of this unit's EDG(s) is inoperable, or become inoperable, in addition to the Required Actions of ConditionE, Required ActionsF.1 andF.2 limit the time the EDG may be out of service to 72hours. If the AAC DG or this unit's EDG(s) is inoperable when the other unit's ED G becomes inoperable, the AOT is limited to 72hours, unless the AAC DG a nd this unit's EDG(s) are returned to OPERABLE status. If during the 72hour Completion Time of F.1 orF.2, the AAC DG and this unit's EDG are return to OPERABLE status, ConditionF is exited and AOT is restricted by the Completion Time tracked in ConditionE. If the AAC DG or one or more of this unit's EDG(s) becomes inoperable at sometime after the initial EDG inoperability, ConditionF re quires the restoration of the AAC DG and this unit's EDG(s) within 72hours or the supported shared component must be declared inoperable and LCOs3.7.8, 3.7.10, 3.7.12, and3.7.19 provides

the appropriate restrictions.The 72hour Completion Time is considered reasonable and takes into account the assumption in the probabilistic safety analysis (PSA) for potential core damage frequency.

G.1 and G.2Required ActionG.1, which applies when two offsite circuits are inoperable, is intended to provide assura nce that an event with a coincident single failure will not result in a complete lo ss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12hours from that allowed for one train without offsite power (Required ActionA.2).

The rationale for the reduction to 12hours is that Regulatory Guide1.93 (Ref.6) allows a Completion Time of 24hours for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE.

(continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-17Revision 38ACTIONSG.1 and G.2 (continued)

When a concurrent redundant require d feature failure exists, this assumption is not the case, and a shorter Completion Time of 12hours is appropriate. These features are power ed from redundant AC safety trains.The Completion Time for Required ActionG.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"

for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:a.All required offsite circuits are inoperable; andb.A required feature is inoperable.

If at any time during the existence of ConditionG (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.According to Regulatory Guide1.93 (Ref.6), operation may continue in ConditionG for a period that should not exceed 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This level of degradation means that the offsite el ectrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sour ces have not been degraded. This level of degradation generally co rresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more EDGs inoperable.

However, two factors tend to decrea se the severity of this level of degradation:a.The configuration of the redundant AC electri cal power system that remains available is not susceptible to a single bus or switching failure; andb.The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

(continued)

North Anna Units 1 and 2B 3.8.1-18 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSG.1 and G.2 (continued)With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain th e unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case singl e failure were postulated as a part of the design basis in the safety analysis. Thus, the 24hour Completion Time provides a period of time to eff ect restoration of one of the offsite circuits commensurate with the importa nce of maintaining an AC electrical power system capable of m eeting its design criteria.According to Reference6, with the available offsite AC sources, two less than required by the LCO, operation may continue for 24hours. If two offsite sources are restored within 24hours, unrestricted operation may continue. If only one offsite source is restored within 24hours, power operation continues in accordance with ConditionA.

H.1 and H.2Pursuant to LCO3.0.6, the Distributi on System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of ConditionH are modified by a Note to indicate that when ConditionH is entered with no

AC source to any train, the C onditions and Required Actions for LCO3.8.9, "Distribution Systems-Op erating," must be immediately entered. This allows ConditionH to provide requirements for the loss of one offsite circuit and one EDG, wit hout regard to whether a train is de-energized. LCO3.8.9 provides the appropriate restrictions for a de-energized train.According to Regulatory Guide1.93 (Ref.6), operation may continue in ConditionH for a period that should not exceed 12hours.In ConditionH, individual redundancy is lost in both the offsite electrical power system and the onsite AC el ectrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the pow er systems in this Condition may appear higher than that in ConditionG (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a (continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-19Revision 38ACTIONSH.1 and H.2 (continued) single bus or switching failure. The 12hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

I.1With TrainH and TrainJ EDGs inope rable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources ar e available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for this leve l of degradation, the risk associated with continued operation for a very s hort time could be less than that associated with an immediate c ontrolled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadve rtent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controll ed shutdown and to minimize the risk associated with this level of degradation.According to Reference6, with bo th EDGs inoperable, operation may continue for a period that should not exceed 2hours.

J.1With two LCO3.8.1.c required EDGs inoperable, as many as two required shared and potentially re quired components have no remaining standby AC sources. Thus, with an assumed loss of offsite power condition, the

required shared components powered from the other unit would be significantly degraded. Therefore, the required shared component would immediately be declared inoperable and LCOs3.7.8, 3.7.10, 3.7.12, and3.7.19 would provide the appropriate restrictions.

K.1 and K.2ConditionK is modified by a Note indi cating that separate Condition entry is allowed for each inoperable sequencing timing relay.

(continued)

North Anna Units 1 and 2B 3.8.1-20 Revision 38 AC Sources-Operating B 3.8.1BASESACTIONSK.1 and K.2 (continued)ConditionK is entered any time a required sequencing timing relay (STR) becomes inoperable. Required ActionK.1 directs the entry into the Required Actions and Completion Times associated for the individual

component served by the inoperable relay. The instrumentation signals that provide the actuation are governed by LCO3.3.2, "Engineered Safety Features Actuation System Instrument ation" for safety injection (SI),

Containment Spray (Containment Depressurization Actuation (CDA)) and LCO3.3.5, "Loss of Power (LOP) Emergency Diesel Generator (EDG)

Start Instrumentation" for the LOP.

The STRs provide a time delay for the individual component to close its breaker to the associated emergency electrical bus. Each component is sequenced onto the emergency bus by an initiating signal. Required ActionK.2 provides for the immediat e isolation of the component(s) ability to automatically load on an emergency electrical bus with an inoperable STR. This provides an assura nce that the component will not be loaded onto an emergency bus at an incorrect time. Improper loading sequence may cause the emergency bus to become inoperable. Rendering a component with an inoperable STR incapable of loading to the emergency bus prevents a possible overload condition. Upon implementation of ActionK.2.1, the inoperable sequencing timing relay is no longer required. Required ActionK.2.2 provides an alte rnative option for isolating the

component with an inoperable STR from the emergency bus by allowing the associated EDG to be declared inoperable.

L.1 and L.2If the inoperable AC electric power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this

status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable,

based on operating experience, to reach the required unit conditions from full power conditions in an orderl y manner and without challenging unit systems.

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-21Revision 38ACTIONS(continued)

M.1ConditionM corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additiona l time is justified for continued operation. The unit is required by LCO3.0.3 to commence a controlled shutdown.SURVEILLANCE

REQUIREMENT

SThe AC sources are designed to perm it inspection and testing of all important areas and featur es, especially those that have a standby function, in accordance with GDC18 (Ref.1). Periodic component tests are

supplemented by extensive functional te sts during refueling outages (under simulated accident conditions).

The SRs for demonstrating the OPERABILITY of the EDGs are in accordance with the recommendations of Safety Guide9 (Ref.3), Regulatory Guide1.108 (Ref.8), and Regulatory Guide1.137 (Ref.9),

as addressed in the UFSAR.Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The mini mum steady state output voltage of 3740V is 90% of the nominal 4160V out put voltage. This value, which is specified in ANSIC84.1 (Ref.10), allows for voltage drop to the terminals of 4000V motors whose minimum operati ng voltage is specified as 90% or 3600V. It also allows for voltage drops to motors and other equipment down through the 120V level where minimum operating voltage is also usually specified as 90% of name plate rating. The specified maximum steady state output voltage of 4580V is equal to the maximum operating voltage specified for 4000V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000V motors is no more than the maximum rated operating voltages. The specified minimum and maximum frequencies of the EDG are 59.5Hz and 60.5Hz, respectively. These values are <+/-1% of the 60Hz nominal frequency and are derived from the safety analysis assumptions for operation of ECCS pump criteria.

North Anna Units 1 and 2B 3.8.1-22 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignmen t verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected

to the preferred or alternate power sources for Unit1 or the preferred power source for Unit2, and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.1.2 and SR3.8.1.7These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe

shutdown condition.To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs are modified by a Note (Note1 for SR3.8.1.2) to indicate that all EDG star ts for these Surv eillances may be preceded by an engine prelube period and followed by a warmup period prior to loading.For the purposes of SR3.8.1.2 and SR3.8.1.7 testing, the EDGs are started from standby conditions. Standby conditi ons for an EDG mean that the diesel engine coolant and oil are being continuously circulated, as required, and temperature is being maintain ed consistent with manufacturer recommendations.

In order to reduce stress and wear on diesel engines, the manufacturer recommends a modified start in wh ich the starting speed of EDGs is limited, warmup is limited to this lower speed, and the EDGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note2.

SR3.8.1.7 requires that the EDG star ts from standby conditions and achieves required voltage and frequency within 10seconds. The 10second start requirement supports the assu mptions of the design basis LOCA analysis in the UFSAR, Chapter15 (Ref.5).

(continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-23Revision 46SURVEILLANCE REQUIREMENT

SSR3.8.1.2 and SR3.8.1.7 (continued)The 10second start requirement is not applicable to SR3.8.1.2 (see Note2) when a modified start procedur e as described above is used. If a modified start is not used, the 10second start requirement of SR3.8.1.7

applies.Since SR3.8.1.7 requires a 10second start, it is more restrictive than SR3.8.1.2, and it may be performed in lieu of SR3.8.1.2.

In addition to the SR requirements, the time for the EDG to reach steady state operation, unless the modified EDG start method is employed, is periodically monitored and the trend ev aluated to identify degradation of governor and voltage re gulator performance.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.1.3This Surveillance verifies that the EDGs are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of 90% to 100% of continuous rating (2500 to 2600 kW). A minimum run time of 60minutes is required to stabilize engine temperatures, while minimizing the time that the EDG is connected to the offsite source.

Although no power factor requirements are established by this SR, the EDG is normally operated at a power factor between 0.8 lagging and 1.0.

The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the EDG. Routine

overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

North Anna Units 1 and 2B 3.8.1-24 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT

SSR3.8.1.3 (continued)

This SR is modified by four Notes. Note1 indicates that diesel engine runs

for this Surveillance may include gr adual loading, as recommended by the manufacturer, so that mechanical stre ss and wear on the diesel engine are minimized. Note2 states that moment ary transients, because of changing bus loads, do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. Note3 indicates that this Surveillance should be conducted on only one EDG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note4 stipulates a prer equisite requirement for performance of this SR. A successful EDG start must precede this test to credit satisfactory performance.SR3.8.1.4This SR provides verification that the level of fuel oil in the day tank is at or above the level which is required. The level is expressed as an

equivalent volume in gallons

, and is selected to ensu re adequate fuel oil for a minimum of 1hour of EDG operation at full load plus 10%.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.1.5 Microbiological fouling is a major cause of fuel oi l degradation. There are numerous bacteria that can grow in fu el oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks eliminates the necessary environment for bacterial survival. This is the most effectiv e means of controlling microbiological fouling. In addition, it elim inates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several

sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water mi nimizes fouling and provides data regarding the watertight integrity of the fuel (continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-25Revision 46SURVEILLANCE REQUIREMENT

SSR3.8.1.5 (continued)oil system. The Surveillance Freque ncy is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Progr am. This SR is for preventative maintenance. The presence of water does not necessarily represent failure

of this SR, provided the accumulated water is removed during the performance of this Surveillance.SR3.8.1.6This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fu el oil piping system is intact, the fuel delivery piping is not obstructed, and the cont rols and control systems for fuel transfer systems are OPERABLE. Only one fuel oil transfer subsystem is required to support an OPERABLE EDG.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.1.7See SR3.8.1.2.

SR3.8.1.8Transfer of each 4.16kV ESF bus power supply from the normal offsite circuit to the alternate offsite circ uit demonstrates the OPERABILITY of the alternate circuit dist ribution network to power the shutdown loads for Unit1 only. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.

(continued)

North Anna Units 1 and 2B 3.8.1-26 Revision 38 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT

SSR3.8.1.8 (continued)This SR is modified by two Notes. Note1 states that the SR is applicable to Unit1 only. The SR is not applicable to Unit2 because it does not have an alternate offsite feed for the emergency buses. The reason for Note2 is

that, during operation with the reacto r critical, performance of this SR could cause perturbations to the electr ical distribution systems that could challenge continued steady state operation and, as a result, unit safety

systems. This restriction from norma lly performing the Surveillance in MODE1 or2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post

work testing following corrective maintenance, corrective modification,

deficient or incomplete surveillan ce testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients a ssociated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or opera ted independently for the Surveillance; as well as the operator procedures avai lable to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1 or2. Risk insights or deterministic methods may be used for this assessment.SR3.8.1.9 Each EDG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, wh ich, if excessive, might result in a trip of the engine. This Surveillan ce demonstrates the EDG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. For this unit, the single load for each EDG is 610kW. This Surveillance may be accomplished by:a.Tripping the EDG output breaker with the EDG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus; or (continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-27Revision 46SURVEILLANCE REQUIREMENT

SSR3.8.1.9 (continued)b.Tripping its associated single larges t post-accident load with the EDG solely supplying the bus.As required by IEEE-308 (Ref.11), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between

synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower.

The time, voltage, and frequency tolerances specified in this SR are derived from Safety Guide9 (Ref.3) recommendations for response during load sequence intervals.The 3seconds specified is equal to 60% of a typical 5second load sequence interval associated with sequencing of the largest load. The voltage and frequency speci fied are consistent with the design range of the equipment powered by the EDG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR3.8.1.9.b and SR3.8.1.9.c are steady state voltage and frequency values to whic h the system must recover following load rejection. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note. The Note ensures that the EDG is tested under load conditions that are as cl ose to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of 0.9. This power factor is representative of the actual inductive loading an EDG would see under design basis accident conditions. Under certain conditions, however, the Note allows the surveillance to be conducted at a power factor other than 0.9. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.9 results in voltages on the emergency busses that are too high.

Under these conditions, the power factor should be maintained as clos e as practicable to 0.9 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the EDG excitation levels needed to obtain a power factor of 0.9 may not cause unacceptable voltages on the emergency busses, but the excita tion levels are in excess of those recommended for the EDG. In such cases, the power factor shall be maintained as close as practicable to 0.9 without exceeding the EDG excitation limits.

North Anna Units 1 and 2B 3.8.1-28 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE (continued)SR3.8.1.10 Consistent with the recommendations of Regulatory Guide1.108 (Ref.8), paragraph2.a.(1), this Surveillance de monstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the EDG. It further demonstrates the capability of the EDG to automatically achieve the required voltage and frequency within the specified time.The EDG autostart time of 10seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The

Surveillance should be continued for a minimum of 5minutes in order to demonstrate that all star ting transients have decayed and stability is achieved.

The requirement to verify the conn ection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the EDG loading logi

c. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valv es are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow, and not desi red to be realigned to th e ECCS mode of operation.

In lieu of actual demonstration of c onnection and loading of loads, testing that adequately shows the capability of the EDG systems to perform these functions is acceptable. This testing may include any seri es of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. The reason for Note1 is to minimize wear and tear on the EDGs during test ing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circul ated, as required, and temperature (continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-29Revision 38SURVEILLANCE REQUIREMENT

SSR3.8.1.10 (continued)maintained consistent with manufactu rer recommendations. The reason for Note2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribut ion system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is fu rther amplified to allow portions of the Surveillance to be performe d for the purpose of reestablishing

OPERABILITY (e.g., post work testing fo llowing corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and

other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or

operated independently for the partial Su rveillance; as well as the operator procedures available to cope with th ese outcomes. These shall be measured against the avoided risk of the unit s hutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1, 2, 3, or4. Risk insights or deterministic methods may be used for this assessment.SR3.8.1.11This Surveillance demonstrates that the EDG automatically starts and achieves the required voltage and frequency within the specified time (10seconds) from the design basis actuation signal (LOCA signal) and operates for 5minutes. The 5minute period provides sufficient time to demonstrate stability. SR3.8.1.11.d and SR3.8.1.11.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on an ESF signal without loss of offsite power.The requirement to verify the connect ion of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the EDG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded w ithout undue hardship or potential for undesired operation. For instance, ECCS in jection valves are not desired to be stroked open, or high pressure (continued)

North Anna Units 1 and 2B 3.8.1-30 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT

SSR3.8.1.11 (continued)injection systems are not cap able of being operated at full flow. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG system to perform these functions is acceptable. This testing may include any seri es of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. The reason for Note1 is to minimize wear and tear on the EDGs during test ing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circul ated and temperature maintained consistent with manufacturer recommendations. The reason for Note2 is that during operation with the reac tor critical, performance of this Surveillance could cause perturbations to the elect rical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from normally performing the Surveillance in MODE1 or2 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g.,

post work testing following corr ective maintenance, corrective modification, deficient or incomple te surveillance testing, and other unanticipated OPERABILITY conc erns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or

operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of the unit sh utdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1 or2. Risk insights or deterministic methods may be

used for this assessment.

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-31Revision 46SURVEILLANCE (continued)SR3.8.1.12 This Surveillance demonstrates that EDG noncritical protective functions (e.g., high jacket water temperature) are bypassed on actual or simulated signals from an ESF actuation, a loss of voltage, or a loss of voltage signal concurrent with an ESF actuation test signal, and critical protective

functions (engine overspeed and generator differential current) trip the EDG to avert substantial damage to the EDG unit. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with suff icient time to react appropriately. The EDG availability to mitigate the DBA is more critical than protecting the engine against mi nor problems that ar e not immediately detrimental to emergency operation of the EDG.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required EDG from service. This restriction from normally performing the Surveillance in MODE1 or2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following

corrective maintenance, corrective m odification, deficient or incomplete surveillance testing, and other unant icipated OPERABILITY concerns)

provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the

operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1 or2. Risk in sights or deterministic methods may be used for this assessment.

North Anna Units 1 and 2B 3.8.1-32 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT

S(continued)SR3.8.1.13Regulatory Guide1.108 (Ref.8), paragraph2.a.(3), provides an acceptable method to demonstrate once per 18months that the EDGs can start and run continuously at full load capability for an interval of not less than 24hours, 2hours of which is at a load equivalent from 105% to 110% of the continuous duty rating and the remainder of the time at a load equivalent

from 90% to 100% of the continuous duty rating of the EDG. The EDG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubr icating and warmup, discussed in SR3.8.1.2, and for gradual loading, discussed in SR3.8.1.3, are applicable to this SR.

The load band is provided to avoid routine overloading of the EDG.

Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This Surveillance is modified by three Notes. Note1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients a bove the power factor limit will not invalidate the test. The reason for Note2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safe ty systems. This restriction from normally performing the Surveillance in MODE1 or2 is further amplified to allow the Surveillance to be performed for th e purpose of reestablishing OPERABILITY (e.g., post work testing fo llowing corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Su rveillance, and a perturbation of the offsite or onsite system when th ey are tied together or operated independently for the Surveillance; as well as (continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-33Revision 46SURVEILLANCE REQUIREMENT

SSR3.8.1.13 (continued)the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1 or2. Risk in sights or deterministic methods may be used for this assessment. Note3 en sures that the EDG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of 0.9. This power factor is repr esentative of the actual inductive loading an EDG would see under design basis accident conditions. Under certain conditions, however, Note3 allows the

surveillance to be conducted at a power factor other than 0.9. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.9 results in voltages on the emergency busses that are too high.

Under these conditions, the power factor should be maintained as clos e as practicable to 0.9 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the EDG excitation levels needed to obtain a power factor of 0.9 may not cause unacceptable voltages on the emergency busses, but the excita tion levels are in excess of those recommended for the EDG. In such cases, the power factor shall be maintained as close as practicable to 0.9 without exceeding the EDG excitation limits.SR3.8.1.14This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to s hutdown from normal Surveillances, and achieve the required voltage and frequency within 10seconds. The 10second time is derived fr om the requirements of th e accident analysis to respond to a design basis large break LOCA. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and

is controlled under the Surveill ance Frequency Control Program.This SR is modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the EDG. Routine overloa ds may result in more frequent

teardown inspections in accordance with vendor recomme ndations in order to maintain EDG OPERABILITY. The requirement that the (continued)

North Anna Units 1 and 2B 3.8.1-34 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT

SSR3.8.1.14 (continued)diesel has operated for at least 2hour s at full load conditions, or after operating temperatures reach a stabilized state, prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot

conditions. Momentary transients due to changing bus loads do not invalidate this test. Note2 allows all EDG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing.SR3.8.1.15 Consistent with the recommendations of Regulatory Guide1.108 (Ref.8), paragraph2.a.(6), this Surveillance ensures that the manual synchronization and load transfer from the EDG to the offsite source can be made and the EDG can be returned to ready to load status when offsite

power is restored. It also ensures that the autostart logic is reset to allow the EDG to reload if a subsequent loss of offsite power occurs. The EDG is considered to be in ready to load status when the EDG is at rated speed and voltage, the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequenc ing timing relays are reset. EDG loading of the emergency bus is limited to normal energized loads.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note. The reason for the Noteis that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is further amplified to allow th e Surveillance to be performed for the purpose of reestablishing OPERAB ILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, a nd other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential

outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation (continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-35Revision 46SURVEILLANCE REQUIREMENT

SSR3.8.1.15 (continued)of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the

avoided risk of a unit shutdown and star tup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1, 2, 3, or4. Risk insights or deterministi c methods may be used for this assessment.SR3.8.1.16 Under accident conditions, with a loss of offsite power, safety injection, containment spray, or recirculation spray, loads are sequentially connected to the bus by the automatic load se quencing timing relays. The sequencing timing relays control the permissive and starting signals to motor breakers

to prevent overloading of the EDGs due to high motor starting currents.

The load sequence time interval tolerances, listed in the Technical Requirements Manual (Ref.12), ensure that sufficient time exists for the EDG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference2 provides a su mmary of the automatic loading of

ESF buses.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR is modified by a Note. The reason for the Noteis that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.

This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is further amplified to allow th e Surveillance to be performed for the purpose of reestablishing OPERAB ILITY (e.g., post work testing following corrective maintenance, corre ctive modification, deficient or incomplete surveillance testing, a nd other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed (continued)

North Anna Units 1 and 2B 3.8.1-36 Revision 46 AC Sources-Operating B 3.8.1BASESSURVEILLANCE REQUIREMENT

SSR3.8.1.16 (continued)Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied togeth er or operated inde pendently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE1, 2, 3, or4. Risk insights or deterministic methods may be used for this assessment.SR3.8.1.17In the event of a DBA coincident with a loss of offsite power, the EDGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates the EDG operation, as discussed in the Bases for SR3.8.1.10, during a loss of offs ite power actuati on test signal in conjunction with an ESF actuation signal.

In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG system to perfor m these functions is acceptable. This testing may include any series of seque ntial, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. The reason for Note1 is to minimize wear and tear on the EDGs during test ing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circul ated and temperature maintained consistent with manufacturer reco mmendations for EDGs. The reason for Note2 is that the performance of th e Surveillance would remove a required offsite circuit from service, perturb the electrical distri bution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is fu rther amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (continued)

AC Sources-Operating B 3.8.1BASESNorth Anna Units 1 and 2B 3.8.1-37Revision 46SURVEILLANCE REQUIREMENT

SSR3.8.1.17 (continued)

(e.g., post work testing following co rrective maintenance, corrective modification, deficient or incomple te surveillance testing, and other unanticipated OPERABILITY conc erns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or

operated independently for the partial Su rveillance; as well as the operator procedures available to cope with th ese outcomes. These shall be measured against the avoided risk of the unit s hutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1, 2, 3, or4. Risk insights or deterministic methods may be used for this assessment.SR3.8.1.18This Surveillance demonstrates that the EDG starting independence has not been compromised. Also, this Surveill ance demonstrates that each engine can achieve proper speed within the specified time when the EDGs are started simultaneously.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note. The reason for the Note is to minimize wear on the EDG during testing. For the purpos e of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperat ure maintained c onsistent with manufacturer recommendations.REFERENCES1.UFSAR, Chapter3.2.UFSAR, Chapter8.

3.Safety Guide9, March1971.

4.UFSAR, Chapter6.

5.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.8.1-38 Revision 21 AC Sources-Operating B 3.8.1BASESREFERENCES (continued)6.Regulatory Guide1.93, Rev.0, December1974.7.Generic Letter84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July2,1984.8.Regulatory Guide1.108, Rev.1, August1977.9.Regulatory Guide1.137, Rev.1, October1979.

10.ASME Code for Operation and Main tenance of Nuclear Power Plants.11.IEEE Standard308-1971.

12.Technical Requirements Manual.

North Anna Units 1 and 2B 3.8.2-1Revision 0 AC Sources-Shutdown B 3.8.2B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.2AC Sources-ShutdownBASESBACKGROUNDA description of the AC sources is provided in the Bases for LCO3.8.1, "AC Sources-Operating."APPLICABLE SAFETY ANALYSESThe OPERABILITY of the minimum AC sources during MODES5 and6 and during movement of recently irradi ated fuel assemblies ensures that:a.The unit can be maintained in th e shutdown or refueling condition for extended periods;b.Sufficient instrumentation and c ontrol capability is available for monitoring and maintaining the unit status; andc.Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, AC electrical power is only required to mitigate fuel handling accident involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term

recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)

In general, when the unit is shut down, the Technica l Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the f act that many Desi gn Basis Accidents (DBAs) that are analyzed in MODES1, 2, 3, and4 have no specific analyses in MODES5 and6. Worst case bounding events are deemed not credible in MODES5 and6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in (continued)

North Anna Units 1 and 2B 3.8.2-2Revision 0 AC Sources-Shutdown B 3.8.2BASESAPPLICABLE SAFETY ANALYSES(continued) minimal consequences. These deviati ons from DBA analysis assumptions and design requirements during shut down conditions are allowed by the LCO for required systems.

During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in re cognition that certain testing and maintenance activities must be conduc ted provided an acceptable level of risk is not exceeded. During MODES5 and6, performance of a significant number of required testing and maintenance activities is also required. In MODES5 and6, the activities are generally planned and administratively

controlled. Relaxations from MODE1, 2, 3, and4 LCO requirements are acceptable during shutdown modes based on:a.The fact that time in an outage is limited. This is a ri sk prudent goal as well as a utility economic consideration.b.Requiring appropriate compensatory measures for cer tain conditions.

These may include administrative c ontrols, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.c.Prudent utility consid eration of the risk associated with multiple activities that could affect multiple systems.d.Maintaining, to the extent practic al, the ability to perform required functions (even if not meeting MODE1, 2, 3, and4 OPERABILITY requirements) with systems assu med to function during an event.

In the event of an accident dur ing shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite pow er or a loss of all onsite emergency diesel generator (EDG) power.

The AC sources satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOOne offsite circuit capable of supplying the onsite Class1E power distribution subsystem(s) of LCO3.8.10, "Distribution Systems-Shutdown," ensures that all required loads are (continued)

AC Sources-Shutdown B 3.8.2BASESNorth Anna Units 1 and 2B 3.8.2-3Revision 0 LCO(continued)powered from offsite power. An OPERABLE EDG, associated with the distribution system trains required to be OPERABLE by LCO3.8.10,

ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and EDG ensures the availability of sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents involving handling recently irradiated fuel).The qualified offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es). Qualified offsite circuits are those that are desc ribed in the UFSAR and are part of the licensing basis for the unit.Offsite circuits consist of 34.5kV buses3, 4, and5 supplying the Reserve Station Service Transformer(s) (RSST) which feed the transfer buses. The D, E, andF transfer buses supply the onsite electrical power to the four emergency buses for the two units. Unit1 emergency busH is fed through the Ftransfer bus from the CRSST. Unit1 emergency busJ is fed through the Dtransfer bus from the ARSST. Unit1 station service bus1B can be an alternate feed for Unit1 Hemergency bus, while Unit1 J bus may be fed from Unit2 station service bus2B. Unit2 emergency busH is fed through the Etransfer bus from the BRSST. Unit2 emergency busJ is fed through the Ftransfer bus from the CRSST. The RSSTs can be fed by any 34.5kV bus (3, 4, or5) provided RSSTsA andB are fed from a different 34.5kV bus than RSSTC.

The EDG must be capable of starti ng, accelerating to rated speed and voltage, and connecting to its resp ective ESF bus on detection of bus undervoltage or degraded voltage. The EDG must be capable of accepting required loads within the assumed load ing sequence intervals, and continue to operate until offsite power can be restored to the ESF bus. These capabilities are required to be met fro m a variety of initial conditions such as EDG in standby with th e engine hot and the EDG in standby at ambient conditions.

Proper sequencing of loads is a required function for EDG OPERABILITY.

(continued)

North Anna Units 1 and 2B 3.8.2-4Revision 20 AC Sources-Shutdown B 3.8.2BASESLCO(continued)It is acceptable for trains to be cross tied during shutdown conditions, allowing a single offsite power circ uit to supply all required trains.APPLICABILITYThe AC sources required to be OPERABLE in MODES5 and6 and during movement of recently irradiated fuel assemblies provide assurance that:a.Systems to provide adequate cool ant inventory makeup are available for the irradiated fuel assemblies in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 300hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling

condition.

The AC power requirements for MODES1, 2, 3, and4 are covered in LCO3.8.1.ACTIONSA.1An offsite circuit would be considered inoperable if it were not available to the necessary portions of the electri cal power distribution subsystem(s). One train with offsite power avai lable may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By the allowance

of the option to declare required features inoperable, with no offsite power available, appropriate restrictions w ill be implemented in accordance with the affected required features LCO's ACTIONS.

AC Sources-Shutdown B 3.8.2BASESNorth Anna Units 1 and 2B 3.8.2-5Revision 0ACTIONS(continued)

A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4With the offsite circuit not available to all required trains, the option would still exist to declare all required features inoperabl

e. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required EDG inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive

reactivity additions that could result in loss of required SDM (MODE5) or boron concentration (MODE6). Suspending positive reactivity additions

that could result in failure to meet the minimum SDM or boron

concentration limit is required to assure continued safe operation.

Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for

minimum SDM or refueling boron concen tration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increas es when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of

required SDM.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condi tion. These actions minimize the probability or the occurrence of postula ted events. It is further required to immediately initiate action to rest ore the required AC sources and to continue this action until restoration is accomplis hed in order to provide the necessary AC power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during wh ich the unit safety systems may be without sufficient power.Pursuant to LCO3.0.6, the Distribution System's ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of ConditionA are modified by a Note to indicate that when ConditionA is entered with no AC power to (continued)

North Anna Units 1 and 2B 3.8.2-6Revision 0 AC Sources-Shutdown B 3.8.2BASESACTIONSA.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 (continued) any required ESF bus, the ACTIONS for LCO3.8.10 must be immediately entered. This Note allows ConditionA to provide requirements for the loss of the offsite circuit, whether or not a train is de-energized. LCO3.8.10 would provide the appropriate restrict ions for the situation involving a de-energized train.SURVEILLANCE

REQUIREMENT

SSR3.8.2.1SR3.8.2.1 requires the SRs from LCO3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES1, 2, 3, and4.

SR 3.8.1.8 is not required to be met since only one of fsite circuit is required to be OPERABLE. SR3.8.1.11 and SR 3.8.1.17 are not required because the ESF actuation signals are not required to be OPERABLE. SR3.8.1.18 is excepted because starting independence is not required with the EDG(s) that is not required to be OPERABLE.

This SR is modified by a Note. The reason for this Note is to preclude requiring the required OPER ABLE EDG(s) from being paralleled with the offsite power network or otherw ise rendered inoperable during performance of SRs, and to preclude de-energizing a required 4160 V ESF bus or disconnecting a required offsite circuit duri ng performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the EDG. It is th e intent that these SRs must still be capable of being met, bu t actual performance is not required during periods when the EDG and offsite circuit is required to be OPERABLE. Refer to the corresponding Bases for LCO3.8.1 fo r a discussion of each SR.REFERENCESNone.

North Anna Units 1 and 2B 3.8.3-1Revision31Diesel Fuel Oil and Starting Air B 3.8.3B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.3Diesel Fuel Oil and Starting AirBASESBACKGROUNDThe fuel oil storage system has sufficient capacity to operate two EDGs for a period of 7days with each supplyi ng the maximum post loss of coolant accident load demand discussed in the UFSAR, Section9.5.4.2 (Ref.1). This onsite fuel oil capacity is suffic ient to operate the EDGs for longer than the time to replenish the ons ite supply from outside sources.The fuel oil storage system consists of two underground tanks. Fuel oil is transferred from an underground tank to each EDG day tank by a lead fuel oil transfer pump. An additional underground tank and fuel oil transfer pump is associated with each E DG day tank to provide a redundant subsystem. Independent level switches on the day tank operate the lead and backup fuel oil transfer subsystems. Only one fuel oil tran sfer subsystem is required for the EDG to be consid ered OPERABLE. All outside tanks, pumps, and piping are located underground or in a missile protected area.

For proper operation of the standby EDGs, it is necessary to ensure the

proper quality of the fuel oil. Regulatory Guide1.137 (Ref.2) addresses the recommended fuel oil practices as supplemented by ANSIN195 (Ref.3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity),

and impurity level.Each EDG has an air start system that contains two separate and independent subsystems. Normally, each subsystem is aligned to provide starting air to the associated EDG. Ea ch subsystem consists of a receiver and a compressor, however, the receiver pressurized to 175psig is the only component required to maintain ope rability of each diesel starting air subsystem. Only one air start receiver is required for the EDG to be considered OPERABLE.APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.4), and in the UFSAR, Chapter15 (Ref.5), assume Engineered Safety (continued)

North Anna Units 1 and 2B 3.8.3-2Revision31Diesel Fuel Oil and Starting Air B 3.8.3BASESAPPLICABLE SAFETY ANALYSES(continued)Feature (ESF) systems are OPERABLE. The EDGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section3.2, Power Distribution Limits; Section3.4, Reactor Coolan t System (RCS); and Section3.6, Containment Systems.The DBA and transient analyses assume the operation of one EDG associated with the unit on which an ac cident is postulated to occur and the operation of one EDG on the unit which is unaffected by the accident to support shared systems. LCO3.8.1 re quires two EDGs to be OPERABLE and one EDG from the other unit to be OPERABLE. However, only sufficient fuel oil to operate one EDG and one EDG on the other unit is required to satisfy the assumptions of the DBA and transient analysis and to support EDG OPERABILITY.Since diesel fuel oil and the air star t subsystem support the operation of the standby AC power sources, they satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOStored diesel fuel oil is required to have sufficient supply for 7days of full load operation for two EDGs. It is also required to meet specific standards for quality. This requirement, in c onjunction with an ability to obtain replacement supplies within 2days, supports the availability of EDGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurren ce (AOO) or a postulated DBA with loss of offsite power. EDG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO3.8.1, "AC Sources-Operating," and LCO3.8.2, "AC

Sources-Shutdown."One air start receiver is required to ensure EDG OPERABILITY. The required starting air receiver is required to have a minimum of 175psig to provide the EDG with more than one start attempt without recharging the air start receivers.APPLICABILITYThe AC sources (LCO3.8.1 and LCO3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it

in a safe shutdown condition (continued)

Diesel Fuel Oil and Starting Air B 3.8.3BASESNorth Anna Units 1 and 2B 3.8.3-3Revision 37APPLICABILITY (continued) after an AOO or a postulated DBA. Si nce stored diesel fuel oil and the starting air subsystem support LCO3.8.1 and LCO3.8.2, stored diesel fuel oil and starting air are required to be within limits when the EDG(s) is required to be OPERABLE.

All four EDGs (two per unit) are normally associated with both tanks which make up the fuel oil storage syst em. All EDGs that are required to be OPERABLE are associated with the fuel oil storage system. The determination of which EDGs are re quired to be OPERABLE is based on the requirements of LCO3.8.1, "AC Sources-Operating," and LCO3.8.2, "AC Sources-Shutdown."ACTIONSThe ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each EDG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable EDG subsys tem. Complying with the Required Actions for one inoperable EDG s ubsystem may allow for continued operation, and subsequent inoperable EDG subsystem(s) are governed by separate Condition entry and application of asso ciated Required Actions.

A.1, A.2, A.3, and A.4In this Condition, an underground fuel oi l storage tank is not within limits for the purpose of tank repair or inspection. Every ten years each fuel oil

tank must be inspected. Because both tanks are the source of fuel oil for all EDGs on both units, a dual unit outage would be required in order to provide the necessary time to complete the required maintenance or

inspection. Prior to removal of the ta nk for repairs or inspection, verify 50,000gallons of replacement fuel oil is available offsite and

transportation is availabl e to deliver that volume of fuel oil within 48hours. Restrictions are placed on th e remaining fuel oil storage tank and the 210,000-gallon above ground tank. Under this Condition, verification

of the redundant fuel oil tank is requi red to confirm the required minimum amount of diesel fuel oil. In additi on, the above ground tank, used to supply make up to the underground tanks, is requi red to be verified to contain the minimum level corresponding to 100,000gallons. Verifications of onsite fuel oil are required on a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> frequency to ensure an adequate source (continued)

North Anna Units 1 and 2B 3.8.3-4Revision 37Diesel Fuel Oil and Starting Air B 3.8.3BASESACTIONS(continued) of fuel oil to the EDGs remains available. The underground fuel oil tank that is being inspected or repaired must be restored within limits in 7days. This time is considered reasonable based on the required maintenance and the requirements provided by the Required Actions.

A note is provided which permits a one-time extension of the 7-day Completion Time to 14days for each fuel oil storage tank. To extend the Completion Time from 7 to 14days

, the Incremental Conditional Core Damage Probability and incremental conditional large early release probability limits of RG1.177 were used as the criteria to identify

potentially risk significant configur ations. The results of the analysis identified several components that should not be scheduled for planned maintenance during the one-time extended Completion Time. The

following components will not be sc heduled for planned maintenance during the extended Completion Time nor will the 14-day Completion Time be entered with any of the following components out of service:

?Reserve Station Service Transformers 1-EP-ST 2A, 2B, and2C

?Transfer BusesD, E, andF

?Buses1 and2

?Transformers1 and2

?BreakersL102 andL202

?Emergency Diesel Generators 1/2 EE-EG-1/2 H andJ

?Emergency Switchgear Air Handlers 1/2-HV-AC-6/7

?Charging Pumps 1/2 CH-P-1A/B/C (two pumps on the same unit)

In the event one of the components above become inoperable during the extended Completion Time th e risk will be managed in accordance with the Tier3, Risk-Informed Plant Configurat ion Control Management practices.

(continued)

Diesel Fuel Oil and Starting Air B 3.8.3BASESNorth Anna Units 1 and 2B 3.8.3-5Revision 37ACTIONS(continued)

In addition, the following compensatory measure will be established and implemented prior to entry and while in the extended AOT:1.The condition of the offsite power supply and switchyard will be evaluated prior to entering the ex tended EDG UFOST CT for elective maintenance.2.Determine acceptable grid conditions for entering an extended EDG UFOST CT to perform elective maintenance. An extended EDG UFOST CT will not be entered to perform elective maintenance when grid stress conditions are high.3.No elective maintenance will be scheduled in the switchyard that would challenge offsite power availability and no elective maintenance will be scheduled on the main, auxiliary [station service], or startup [res erve station service] transformers associated with the unit during the proposed extended EDG UFOST CT.4.The system dispatcher will be contacted once per day to ensure no significant grid perturbations ar e expected during the extended EDG UFOST CT.5.The turbine-driven AFW pump will not be removed from service for planned maintenance activities during the extended EDG UFOST CT.6.Operating crews will be briefe d on the EDG UFOST work plan and procedural actions regarding:LOOP and Station Black Out 4 kV safeguards bus cross-tie [Unit 2 emergency bus cross-tie]Reactor Coolant System bleed and feed7.Weather conditions will be evalua ted prior to entering the extended EDG CT for elective maintenance. An extended EDG UFOST CT will not be entered for elective maintenance purposes if official

weather forecasts are predicting severe conditions (tornado or thunderstorm warnings).8.No elective maintenance will be scheduled for the plant DC system.

(continued)

North Anna Units 1 and 2B 3.8.3-6Revision 37Diesel Fuel Oil and Starting Air B 3.8.3BASESACTIONS(continued)9.Perform an assessment of the overall impact of maintenance on plant risk using a Configuration Risk Management Program before entering TS for planned EDG UFOST maintenance activities.

B.1In this Condition, the 7day fuel oil s upply is not available. The EDG fuel oil transfer pumps are aligned so th at the lead pump for each EDG takes suction on the 'A'tank. The backup pum ps are aligned to take suction on the 'B'tank. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6day supply. These circumstances may

be caused by events, such as full load operation required after an inadvertent start while at minimum required leve l, or feed and bleed operations, which may be necessitated by increasing particulate levels or

any number of other oil quality degradations. This restriction allows sufficient time for obtaining th e requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48hours is considered sufficie nt to complete restoration of the required level prior to declaring th e EDG inoperable. This period is acceptable based on the remaining capacity (>6days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period. This Condition applies for reasons other than ConditionA.

C.1This Condition is entered as a result of a failure to meet the acceptance criterion of SR3.8.3.2. Normally, trending of particulate levels allows sufficient time to correc t high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and er rors in laboratory analys is can produce failures that do not follow a trend. Since the pr esence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31days), it is pr udent to allow a brief period prior to declaring the associated EDG inoperable. The 7day Completion Time allows for further evaluation, resamp ling and re-analysis of the EDG fuel oil stored in th e below ground tanks.

Diesel Fuel Oil and Starting Air B 3.8.3BASESNorth Anna Units 1 and 2B 3.8.3-7Revision 37ACTIONS(continued)

D.1With the new fuel oil properties defined in the Bases for SR3.8.3.2 not within the required limits, a period of 30days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with

previously stored fuel oil, remains accep table, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these pr ocedures. Even if an EDG start and load was required during this time inte rval and the fuel oil properties were outside limits, there is a high like lihood that the EDG would still be capable of performing its intended function.

E.1With the one required starting air receiver pressure <175psig, sufficient capacity for several EDG start attempts does not exist. However, as long as the receiver pressure is >150psig, ther e is adequate capacity for at least one start attempt, and the EDG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48hours is considered sufficient to complete restoration to the required pressure prior to declaring the EDG inoperable.

This period is acceptable based on the remaining air start capacity, the fact that most EDG starts are accomplished on the first attempt, a nd the low probability of an event during this brief period.F.1With a Required Action and associated Completion Time not met, or one or more EDG's fuel oil or the required starting air receiver not within limits for reasons other than addressed by ConditionsA throughE, the associated EDG(s) may be incapable of performi ng its intended function and must be immediately declared inope rable. Only one starting air receiver is required.

North Anna Units 1 and 2B 3.8.3-8Revision 46Diesel Fuel Oil and Starting Air B 3.8.3BASESSURVEILLANCE REQUIREMENT

SSR3.8.3.1This SR provides verification that there is an adequate inve ntory of fuel oil in the storage tanks to support two EDGs' operation for 7days at full load. The 7day period is sufficient time to place the unit in a safe shutdown

condition and to bring in replenishment fuel from an offsite location.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.3.2The tests listed below are a means of determining whet her new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrim ental impact on diesel engine combustion. If results from these tests ar e within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storag e tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31days. The tests, limits, and applicable ASTM Standards are as follows:a.Sample the new fuel oil in accordance with ASTM D4057-88 (Ref.6);b.Verify in accordance with the tests specified in ASTM D975-89 (Ref.6) that the sample has an ab solute specific gravity at 60/60F of 0.83 and 0.89 or an API gravity at 60°F of 27x and 39x when tested in accordance with ASTMD287-82 (Ref.6), a kinematic viscosity at 40°C of 1.9 centistokes and 4.1 centistokes, and a flash point of 125F; andc.Verify that the new fuel oil is checked for water and sediment content within limits when tested in accordance with ASTMD1796-83 (Ref.6).(continued)

Diesel Fuel Oil and Starting Air B 3.8.3BASESNorth Anna Units 1 and 2B 3.8.3-9Revision 37SURVEILLANCE REQUIREMENT

SSR3.8.3.2 (continued)

Failure to meet any of th e above limits is cause fo r rejecting the new fuel oil, but does not represent a failure to meet the LCO con cern since the fuel oil is not added to the storage tanks.Within 31days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table1 of ASTMD975-89 (Ref.7) are met for ne w fuel oil when tested in accordance with ASTMD975-89 (Ref.6), except that the analysis for sulfur may be performed in accordance with ASTMD4294-98 (Ref.6), ASTMD1552-88 (Ref.6) or ASTMD2622-82 (Ref.6). The 31day period is acceptable because the fuel oil propert ies of interest, even if they were not within stated limits, would not have an immediate effect on EDG operation. This Surveillance ensures the availability of hi gh quality fuel oil for the EDGs.Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not

mean the fuel oil will not burn properl y in a diesel engi ne. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.

Particulate concentrations should be determined in accordance with ASTMD6217-98 (Ref.6). This me thod involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. Each tank is considered and tested separately.

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.SR3.8.3.3 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each EDG is available. The system design requirements were verified for a mini mum of five engine start cycles without recharging. A start cycle is measured in terms of time (continued)

North Anna Units 1 and 2B 3.8.3-10 Revision 46Diesel Fuel Oil and Starting Air B 3.8.3BASESSURVEILLANCE REQUIREMENT

SSR3.8.3.3 (continued)(seconds of cranking). With receiver pressurized >150psig, there is adequate capacity for at least one start. The pressure specified in this SR is intended to reflect the lowest value at which more than one start can be accomplished.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.3.4 Microbiological fouling is a major cause of fuel oi l degradation. There are numerous bacteria that can grow in fu el oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks eliminates the necessary environment for bacterial survival. This is the most effectiv e means of controlling microbiological fouling. In addition, it elim inates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several

sources, including condensation, ground water, rain water, and contaminated fuel oil, and from br eakdown of the fuel oil by bacteria.

Frequent checking for and removal of accumulated water minimizes fouling and provides data re garding the watertight integrity of the fuel oil

system. The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section9.5.4.2.2.Regulatory Guide1.137.3.ANSIN195-1976, AppendixB.

4.UFSAR, Chapter6.

5.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.8.3-11 Revision 37 Diesel Fuel Oil and Starting Air B 3.8.3BASESREFERENCES (continued)6.ASTM Standards: D4057-88; D975-89; D1522-88; D2622-82; D2276-82; D4292-98; D6217-98; D287-82; D1796-83.7.ASTM Standards, D975, Table1, 1989.

Intentionally Blank North Anna Units 1 and 2B 3.8.4-1Revision 0 DC Sources-Operating B 3.8.4B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.4DC Sources-OperatingBASESBACKGROUNDThe station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety relate d equipment and preferred AC vital bus power (via inverters). As required by Reference1, the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functi ons, assuming a single failur

e. The DC electrical power system also conforms to the recommendations of Safety Guide6 (Ref.2) and IEEE-308 (Ref.3).The 125VDC electrical power system consists of two independent and redundant safety related Class1E DC electrical power subsystems (TrainH and TrainJ). Each subsystem consists of two 125VDC batteries, the associated battery charger(s) for each battery, and all the associated control equipment and interconnecting cabling. A spare battery charger is installed on each train and can be substituted for either of the train's chargers.During normal operation, the 125VDC load is powered from the battery chargers with the batteries floating on th e system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.The TrainH and TrainJ DC electri cal power subsystems provide the control power for its associated Class1E AC power load group, 4.16kV switchgear, and 480V load centers. Th e DC electrical power subsystems also provide DC electrical power to th e inverters, which in turn power the AC vital buses.

The DC power distribution system is de scribed in more detail in Bases for LCO3.8.9, "Distribution Systems-Operating," and LCO3.8.10, "Distribution Systems-Shutdown."

Each battery has adequate storage ca pacity to carry the required load continuously for at least 2hours.

(continued)

North Anna Units 1 and 2B 3.8.4-2Revision 8 DC Sources-Operating B 3.8.4BASESBACKGROUND (continued)Each 125VDC battery is se parately housed in a vent ilated room apart from its charger and distribution centers. E ach subsystem is located in an area separated physically and el ectrically from the other subsystem to ensure that a single failure in one subsys tem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class1E subsystems, such as batteries, battery chargers, or distribution panels.The criteria for sizing large lead storage batteries are defined in IEEE-485 (Ref.5).Each TrainH and TrainJ DC electri cal power subsyste m has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 24hours while supplying normal steady state loads discussed in the UFSAR, Chapter8 (Ref.4).

The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling to supply the required DC voltage to allow the associated EDG components to perform the required safety function.

For the other unit, the DC electrical power system provides control power for breakers and electrical power fo r solenoid operated valves that are needed to support operation of each required Service Water (SW) pump, Main Control Room (MCR)/Emergen cy Switchgear Room (ESGR) Emergency Ventilation System (EVS

) fan, Auxiliary Building central exhaust fan, and Component Cooling Water (CC) pump. SW, MCR/ESGR EVS, Auxiliary Building central e xhaust system, and CC are shared systems.APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.6), and in the UFSAR, Chapter15 (Ref.7), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical pow er system provides normal and emergency DC electrical power for the emergency auxiliaries and control and switching during al l MODES of operation.

(continued)

DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-3Revision 43APPLICABLE SAFETY ANALYSES(continued)The OPERABILITY of the DC sources is consistent with the initial assumptions of the accide nt analyses and is ba sed upon meeting the design basis of the unit. This includes ma intaining the DC sources OPERABLE during accident conditions in the event of:a.An assumed loss of all offsite AC power or all onsite AC power; andb.A worst case single failure.The OPERABILITY of the EDG DC el ectrical power system ensures the EDG may perform its required safety function.

The DC sources satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe DC electrical power subsystems, each subsystem consisting of two batteries, battery charger for each battery and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the train are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it

in a safe condition after an anticipa ted operational occurr ence (AOO) or a postulated DBA. Loss of any train DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref.4).

The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling to supply the required DC voltage to allow the associated EDG components to perform the required safety function.An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers to be operating and connected to the associated DC bus(es).

Additionally, the unit's electrical sour ces must include DC sources from the other unit that are required to support the SW, MCR/ESGR EVS, or CC safety functions. Control power for breakers and electrical power for solenoid operated valves are examples of support systems required to be

OPERABLE that are needed for the operation of each required SW pump, MCR/ESGR EVS fan, (continued)

North Anna Units 1 and 2B 3.8.4-4Revision 43 DC Sources-Operating B 3.8.4BASESLCO(continued)

Auxiliary Building central exhaust fan, and CC pump. SW, MCR/ESGR EVS, and CC are shared systems.APPLICABILITYThe DC electrical power sources are required to be OPERABLE in MODES1, 2, 3, and4 to ensure safe unit operation and to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; andb.Adequate core cooling is provide d, and containment integrity and other vital functions are maintained in the event of a postulated DBA.The EDG DC system is required to be OPERABLE in MODES1, 2, 3, and4 to ensure the OPERABILITY of the associated EDG in accordance with LCO3.8.1. In MODES5 or6, the OPERABILITY requirements of the EDG DC system are determined by the EDGs that they support in accordance with LCO3.8.2.

The DC electrical power requirements for MODES5 and6 are addressed in the Bases for LCO3.8.5, "DC Sources-Shutdown."ACTIONSA.1ConditionA represents one train with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized

during normal operation. It is, therefor e, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The 2hour limit is consistent with the allowed time for an inoperable DC distribution system train.If one of the required LCO3.8.4.a DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and asso ciated inoperable battery), the remaining LCO3.8.4.a DC electrical power subsystem has the capacity to support a safe shutdown and to miti gate an accident condition. For the Station batteries, a spare battery char ger may be substituted for the normal charger without (continued)

DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-5Revision 43ACTIONSA.1 (continued)entry into ConditionA. Since a subse quent worst case si ngle failure would, however, result in the complete loss of the remaining 125VDC electrical power subsystems with attendant loss of ESF functions, continued power operation should not exceed 2hours. The 2hour Completion Time is based on Regulatory Guide1.93 (Ref.8) and reflects a reasonable time to assess unit status as a function of the inope rable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.

B.1 and B.2 If the inoperable DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable,

based on operating experience, to reach the required unit conditions from full power conditions in an orderl y manner and without challenging unit systems. The Completion Time to bring the unit to MODE5 is consistent with the time required in Regulatory Guide1.93 (Ref.8).

C.1ConditionC represents the loss of the ability of the EDG DC system (e.g., inoperable battery charger or inoperabl e battery) to supply necessary power to the associated EDG. In this condition, the associated EDG is immediately declared inoperable and the associated Conditions or Required Actions of LCO3.8.1 are followed.

D.1ConditionD represents the loss of one or more required LCO3.8.4.c DC electrical power subsystem(s) needed to support the operation of required shared components on the other unit. SW, MCR/ESGR EVS, and CC are

shared systems. In this conditi on, the associated required shared components are declared inoperable immediately. The associated Conditions or Required Actions of LCO3.7.8, "Service Water System,"

(continued)

North Anna Units 1 and 2B 3.8.4-6Revision 46 DC Sources-Operating B 3.8.4BASESACTIONSD.1 (continued)LCO3.7.10, "MCR/ESGR Emergency Ventilation Systems," LCO3.7.12, "Emergency Core Cooling System Pump Room Exhaust Air Cleanup System," and LCO3.7.19, "Component Cooling Water (CC) System," are followed.SURVEILLANCE

REQUIREMENT

SSR3.8.4.1For Station and EDG batteries, verifyi ng battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of th e batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged

state. The voltage requirements are ba sed on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The Surv eillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.4.2Visual inspection of both Station and EDG batteries to de tect corrosion of the battery cells and connections, or measurement of the resistance of each intercell, interrack, intertier, a nd terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The presence of visible corrosion does not necessarily represent a failure of this SR provided visible corrosion is removed during performance of SR3.8.4.4.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-7Revision 46SURVEILLANCE REQUIREMENT

S(continued)SR3.8.4.3Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The presence of physical damage

or deterioration does not necessarily re present a failure of this SR, provided an evaluation determines that the phys ical damage or de terioration does not affect the OPERABILITY of the battery (its ability to perform its design function). The Surveillance Frequenc y is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.SR3.8.4.4 and SR3.8.4.5Station and EDG battery visual inspect ion and resistance measurements of intercell, interrack, intertier, a nd terminal connections provide an indication of physical dama ge or abnormal deteriorat ion that could indicate degraded battery condition. The anticorr osion material is used to help ensure good electrical connections a nd to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection. The removal of visible

corrosion is a preventive maintenance SR. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.SR3.8.4.6 and SR3.8.4.7SR3.8.4.6 requires that each Station battery charger be capable of supplying 270amps and 125V for 4hours. These requirements are based on the design capacity of the chargers (Ref.4). According to Regulatory Guide1.32 (Ref.10), the battery charger supply is required to be based on the largest combined dema nds of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit

during these demand occurrences.

The minimum required amperes and duration ensures that these re quirements can be satisfied.SR3.8.4.7 requires that each EDG battery charger be capable of supplying 10amps and 125V for 4hours. These values ar e based on the design requirements of the charger.

(continued)

North Anna Units 1 and 2B 3.8.4-8Revision 46 DC Sources-Operating B 3.8.4BASESSURVEILLANCE REQUIREMENT

SSR3.8.4.6 and SR3.8.4.7 (continued)

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The spare charger for the Station batteries is

required to be tested to the same criteria as the normal charger if it is to be used as a substitute charger.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.8.4.8A Station battery service te st is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements as specified in Reference4.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. Note1 allows the performance of a modified performance discharge test in lieu of a service test.A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest

rate of the duty cycle). This will confirm the battery's ability to meet the critical period of the load duty cycl e, in addition to determining its percentage of rated capacity. In itial conditions for the modified performance discharge test should be identical to those specified for a

service test.It may consist of just two rates; for instance, the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performan ce test, both of which envelope the duty cycle of the service test. Sin ce the ampere-hours removed by a one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the (continued)

DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-9Revision 46SURVEILLANCE REQUIREMENT

SSR3.8.4.8 (continued)performance discharge test. The battery terminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the batter y service test for the duration of time equal to that of the service test.Note2 allows the performance discharge test in lieu of the service test.The reason for Note3 is that performing the Surveillance on the Station batteries would perturb the electrical distribution system and challenge safety systems. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is further amp lified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing fo llowing corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and

other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This a ssessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or

operated independently for the partial Su rveillance; as well as the operator procedures available to cope with th ese outcomes. These shall be measured against the avoided risk of the unit s hutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1, 2, 3, or4. Risk insights or deterministic methods may be used for this assessment.SR3.8.4.9A battery performance discharge test for Station and EDG batteries is a test of constant current capacity of a ba ttery to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.

A battery modified performance discharge test is described in the Bases for SR 3.8.4.8. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.9.

(continued)

North Anna Units 1 and 2B 3.8.4-10 Revision 46 DC Sources-Operating B 3.8.4BASESSURVEILLANCE REQUIREMENT

SSR3.8.4.9 (continued)The acceptance criteria for this Surv eillance are consiste nt with IEEE-450 (Ref.9) and IEEE-485 (Ref.5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's

rating. A capacity of 80% shows that th e battery rate of deterioration is increasing, even if there is ample cap acity to meet the load requirements.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. If the ba ttery shows degradation, or if the battery has reached 85% of its expected life, the Surveillance Frequency is reduced to 18months. Degradation is indicated, according to IEEE-450 (Ref.9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is 10% below the manufacturer's rating. The 60month Fr equency is consistent with the recommendations in IEEE-450 (Ref.9) and the 18month Frequency is consistent with operating experience.

This SR is modified by a Note. The reason for the Noteis that performing the Surveillance would perturb the electrical distri bution system and challenge safety systems for the Statio n batteries. This restriction from normally performing the Surveillance in MODE1, 2, 3, or4 is further amplified to allow portions of the Su rveillance to be performed for the purpose of reestablishing OPERAB ILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, a nd other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of

the unit shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE1, 2, 3, or4. Risk insights or determinis tic methods may be used for this

assessment.

DC Sources-Operating B 3.8.4BASESNorth Anna Units 1 and 2B 3.8.4-11Revision 0REFERENCES1.UFSAR, Chapter3.2.Safety Guide6, March10,1971.3.IEEE-308-1971.

4.UFSAR, Chapter8.

5.IEEE-485-1983, June1983.

6.UFSAR, Chapter6.

7.UFSAR, Chapter15.

8.Regulatory Guide1.93, December1974.

9.IEEE-450-1987.

10.Regulatory Guide1.32, February1977.

11.Regulatory Guide1.129, December1974.

Intentionally Blank North Anna Units 1 and 2B 3.8.5-1Revision 0 DC Sources-Shutdown B 3.8.5B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.5DC Sources-ShutdownBASESBACKGROUNDA description of the DC sources is provided in the Bases for LCO3.8.4, "DC Sources-Operating."APPLICABLE SAFETY ANALYSESThe initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter6 (Ref.1) and Chapter15 (Ref.2), assume that Engineered Safety Feature system s are OPERABLE. Th e DC electrical power system provides normal and emergency DC electrical power for the emergency auxiliaries and control and switching during all MODES of operation. The EDG DC system provides power for the required EDG as described in LCO3.8.2, "AC Sources-Shutdown."The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.The OPERABILITY of the minimum DC electrical power sources during MODES5 and6 and during movement of recently irradiated fuel assemblies ensures that:

a.The unit can be maintained in th e shutdown or refueling condition for extended periods;b.Sufficient instrumentation and c ontrol capability is available for monitoring and maintaining the unit status; andc.Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term

recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)

North Anna Units 1 and 2B 3.8.5-2Revision 20 DC Sources-Shutdown B 3.8.5BASESAPPLICABLE SAFETY ANALYSES(continued)

The DC sources satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThe DC electrical power subsystem(s), each subsystem consisting of two batteries, one battery charger per battery, and the co rresponding control equipment and interconnecting cabling within the train, are required to be OPERABLE to support required trains of the distribution systems required OPERABLE by LCO3.8.10, "Distribut ion Systems-Shutdown." The EDG DC system, consisting of a battery, battery charger, and the corresponding control equipment and interconnection cabling for the EDG, are required to be OPERABLE to support the EDG required by LCO3.8.2, "AC Sources-Shutdown." This ensures the availability of sufficient DC

electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated even ts during shutdown (e.g., fuel handling accidents involving handling r ecently irradiated fuel).APPLICABILITYThe DC electrical power sour ces and EDG DC system required to be OPERABLE in MODES5 and6, and during movement of recently

irradiated fuel assemblies

, provide assurance that:a.Required features to provide ade quate coolant inventory makeup are available for the recently irradiated fuel assemblies in the core;b.Required features needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a

critical reactor core within the previous 300hours) are available;c.Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling

condition.The DC electrical power and EDG DC system requirements for MODES1, 2, 3, and4 are covered in LCO3.8.4.

DC Sources-Shutdown B 3.8.5BASESNorth Anna Units 1 and 2B 3.8.5-3Revision 20ACTIONSA.1, A.2.1, A.2.2, A.2.3, and A.2.4 The train with DC power available may be capable of supporting sufficient systems to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By allo wing the option to declare required features inoperable with the associat ed DC power sour ce(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCO ACTIONS. In many instances, this option

may involve undesired administrative ef forts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive reactivity a dditions) that could result in loss of required SDM (MODE5) or boron concentration (MODE6).

Suspending positive reactiv ity additions that could re sult in failure to meet the minimum SDM or boron concentrat ion limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentrat ion greater than what would be required in the RCS for minimum SD M or refueling boron concentration.

This may result in an overall re duction in RCS boron concentration, but provides acceptable margin to ma intaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystems and to continue this action unt il restoration is accomplis hed in order to provide the necessary DC electrical power to the unit safety systems.The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC

electrical power subsystems should be completed as quickly as possible in order to minimize the time during wh ich the unit safety systems may be without sufficient power.

North Anna Units 1 and 2B 3.8.5-4Revision 0 DC Sources-Shutdown B 3.8.5BASESACTIONS(continued)

B.1With the required EDG's DC system inoperable, the EDG is not OPERABLE and the applicable Conditions and Required Actions of LCO3.8.2, "AC Sources-Shutdown," must be entered immediately.SURVEILLANCE

REQUIREMENT

SSR3.8.5.1SR3.8.5.1 requires performance of all Surveillances required by SR3.8.4.1 through SR3.8.4.9. Therefore, see the corresponding Bases for LCO3.8.4 for a discussion of each SR.

This SR is modified by a Note. The reason for the Note is to preclude requiring the required OPERABLE DC sources or EDG DC system from being discharged below their capabili ty to provide the required power supply or otherwise rende red inoperable during the pe rformance of SRs. It is the intent that these SRs must stil l be capable of be ing met, but actual performance is not required.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.8.6-1Revision 0Battery Cell Parameters B 3.8.6B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.6Battery Cell ParametersBASESBACKGROUNDThis LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the Station and EDG batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources-Operating," and LCO3.8.5, "DC Sources-Shutdown."APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.1) and Chapter15 (Ref.2),

assume Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the emergency auxiliaries, and control and switching during all MODES of operation. The EDG DC electri cal power system consists of the battery, battery charger, and interc onnecting cabling supplying power to the associated EDG components to supply the required DC voltage to allow the EDG to perform the required safety function.The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accide nt analyses and is ba sed upon meeting the design basis of the unit. This includes maintain ing at least one train of DC sources OPERABLE during accident conditions, in the event of:

a.An assumed loss of all offsite AC power or all onsite AC power; andb.A worst case single failure.

Battery cell parameters satisfy the Criterion3 of 10CFR 50.36(c)(2)(ii).

LCOBattery cell parameters must remain within acceptable limits to ensure availability of the required DC pow er to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Electrolyte limits are conservatively established, allowing continued DC electrical system function even with CategoryA andB limits not met.

North Anna Units 1 and 2B 3.8.6-2Revision 0Battery Cell Parameters B 3.8.6BASESAPPLICABILITYThe battery cell parameters are required so lely for the support of the associated DC electrical power subs ystem(s) and EDG DC system(s).

Therefore, the battery is only requi red when the DC power source is required to be OPERABLE. Refer to th e Applicability discussion in Bases for LCO3.8.4 and LCO3.8.5.ACTIONSA.1, A.2, and A.3With one or more cells in one or more batteries not within limits (i.e., CategoryA limits not met, CategoryB limits not met, or CategoryA andB limits not met) but within the CategoryC limits specified in Table3.8.6-1 in the accompanying LCO, the batter y is degraded but there is still sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be consider ed inoperable solely as a result of Category A or B limits not met and operation is permitted for a limited period.The pilot cell electrolyte level and float voltage are required to be verified to meet the CategoryC limits within 1hour (Required ActionA.1). This check will provide a quick indication of the status of the remainder of the

battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells. One hour is considered a reasonable amount of time to pe rform the required verification.Verification that the CategoryC limits are met (Required ActionA.2) provides assurance that during the time needed to restore the parameters to the CategoryA and B limits, the batter y is still capable of performing its intended function. A period of 24hours is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to

perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable.

The verification is repeated at 7day intervals until the parameters are restored to Category A orB limits. This periodic verification is consistent with the normal Frequency of pilot cell Surveillances.

(continued)

Battery Cell Parameters B 3.8.6BASESNorth Anna Units 1 and 2B 3.8.6-3Revision 46ACTIONSA.1, A.2, and A.3 (continued)

Continued operation is only permitted for 31days before battery cell parameters must be restored to within CategoryA andB limits. With the consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limit s, this time is ac ceptable prior to declaring the battery inoperable.

B.1With one or more batteries with one or more battery cell parameters outside the CategoryC limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not assured and the

corresponding DC electrical power subsystem or EDG DC system must be declared inoperable. Additionally, other potentially extreme conditions, such as not completing the Required Actions of ConditionA within the required Completion Time or average electrolyte temperature of representative cells falling below 60F for the Station batteries, are also cause for immediately declaring the associated DC electrical power subsystem inoperable. Representative cells will consist of at least 10cells.SURVEILLANCE

REQUIREMENT

SSR3.8.6.1This SR verifies that CategoryA battery cell parameters are consistent with IEEE-450 (Ref.3), which recommends re gular battery inspections (at least one per month) including voltage, specific gravity, and electrolyte level of pilot cells. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program.SR3.8.6.2 The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. In addition, within 24hours of a battery discharge <110V or a battery overcharge >150V, the battery must be demonstrated to meet CategoryB limits. Transients, such as motor starting transients, which may momentarily cause battery voltage to drop to 110V, do not constitute a battery discharge provided the battery terminal voltage and float current return to pre-transient values. This inspection is also(continued)

North Anna Units 1 and 2B 3.8.6-4Revision 46Battery Cell Parameters B 3.8.6BASESSURVEILLANCE REQUIREMENT

SSR3.8.6.2 (continued)consistent with IEEE-450 (Ref.3), wh ich recommends special inspections following a severe discharge or overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such discharge or overcharge.SR3.8.6.3This Surveillance verification that the average temperature of representative cells of the Station batteries is >60F, is consistent with a recommendation of IEEE-450 (Ref.3). The Surveillance Frequency is

based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillan ce Frequency Control Program.

Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an

acceptable operating range. This limit is based on manufacturer

recommendations.Table 3.8.6-1This table delineates the limits on el ectrolyte level, float voltage, and specific gravity for three differen t categories. The meaning of each category is discussed below.

CategoryA defines the normal paramete r limit for each designated pilot cell in each battery. The cells selected as pilot cel ls are those whose level, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery.The CategoryA limits specified for electrolyte level are based on manufacturer recommendations and are consistent with the guidance in IEEE-450 (Ref.3), with the extra 1/4inch allowance above the high water level indication for operating margin to account for temperatures and charge effects. In addition to this allowance, footnote a to Table3.8.6-1

permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physi cal damage, and that adequate electron transfer capability is maintained in the event of transient conditions.

IEEE-450 (Ref.3) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72hours.

(continued)

Battery Cell Parameters B 3.8.6BASESNorth Anna Units 1 and 2B 3.8.6-5Revision 0SURVEILLANCE REQUIREMENT

STable 3.8.6-1 (continued)The CategoryA limit specified for float voltage is 2.13V per cell. This value is based on the recommendations of IEEE-450 (Ref.3

), which states that prolonged operation of cells <2.13V can reduce the life expectancy of cells.The CategoryA limit specified for specific gravity for each pilot cell is 1.200 (0.015 below the manufacturer fully charged nominal specific gravity or a battery charging current th at had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity. According to IEEE-450 (Ref.3), the specific gravity readings are based on

a temperature of 77F (25C).The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3F (1.67C) above 77F (25C), 1point (0.001) is added to the reading; 1point is subtr acted for each 3F below 77F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation.CategoryB defines the normal parameter limits for each connected cell.

The term "connected cell" excludes any battery cell that may be jumpered out.

The CategoryB limits specified for el ectrolyte level and float voltage are the same as those specified for CategoryA and have been discussed above. The CategoryB limit specified for specific gravity for each connected cell is 1.195 (0.020 below the manufacturer fully charged, nominal specific gravity) with the average of all connected cells >1.205 (0.010 below the manufacturer fully charged, nominal specific gravity). These values are based on manufacturer's recommendati ons. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell will not mask overall degradation of the battery.CategoryC defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the CategoryC limits, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable.

(continued)

North Anna Units 1 and 2B 3.8.6-6Revision 0Battery Cell Parameters B 3.8.6BASESSURVEILLANCE REQUIREMENT

STable 3.8.6-1 (continued)The CategoryC limits specified for el ectrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no physical damage and maintain adequate electron transfer capability. The CategoryC limits for float voltage is based on IEEE-450 (Ref.3

), which states that a cell voltage of 2.07V or below, unde r float conditions and not caused by elevated temperature of the cell, i ndicates internal cel l problems and may require cell replacement.The CategoryC limit of average specific gravity 1.195 is based on manufacturer recommendations (0.020 below the manufacturer recommended fully charged, nominal spec ific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that the effect of a highly charged or new cell does not mask overall degradation of the battery.

The footnotes to Table3.8.6-1 are applicable to CategoryA, B, andC specific gravity. Footnote(b) to Table3.8.6-1 requires the above

mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when Station battery charging current is <2amps on float charge. This current provides, in general, an indication of overall battery condition.

Because of specific gravity gradie nts that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charger current is an acceptable alternative to specific gravity meas urement for determining the state of charge. This phenomenon is discussed in IEEE-450 (Ref.3). Footnote(c) to Table3.8.6-1 allows the float charge cu rrent to be used as an alternate to specific gravity for up to 7days following a Station battery recharge. Within 7days, each connected cell's sp ecific gravity must be measured to confirm the state of charge. Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity

gradients are not significant, and c onfirming measurements may be made in less than 7days.

Battery Cell Parameters B 3.8.6BASESNorth Anna Units 1 and 2B 3.8.6-7Revision 0REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.3.IEEE-450-1980.

Intentionally Blank North Anna Units 1 and 2B 3.8.7-1Revision 0 Inverters-Operating B 3.8.7B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.7Inverters-OperatingBASESBACKGROUNDThe inverters are the preferred source of power for the AC vital buses because of the stability and reliability they achieve. The function of the inverter is to provide AC electrical power to the vital buses. The inverters can be powered from a battery charger or from the station battery. The station battery provides an unint erruptible power source for the instrumentation and controls for the Reactor Trip System (RTS) and the Engineered Safety Feature Actuation System (ESFAS). Specific details on

inverters and their operating charact eristics are found in the UFSAR, Chapter8 (Ref.1).APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.2) and Chapter15 (Ref.3),

assume Engineered Safety Feature systems are OPERABLE. The inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RTS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are

discussed in more deta il in the Bases for Section3.2, Power Distribution Limits; Section3.4, Reactor Coolant System (RCS); and Section3.6, Containment Systems.The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes ma intaining required AC vital buses OPERABLE during accident conditions in the event of:

a.An assumed loss of all offsite AC electrical power or all onsite AC electrical power; andb.A worst case single failure.Inverters are a part of the distribution system and, as such, satisfy Criterion3 of 10CFR50.36(c)(2)(ii).

North Anna Units 1 and 2B 3.8.7-2Revision 0 Inverters-Operating B 3.8.7BASESLCOThe inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated ope rational occurrence (AOO) or a

postulated DBA.

Maintaining the required inverter s OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is main tained. The four inverters (two per train) ensure an uninterruptible suppl y of AC electrical power to the AC vital buses even if the 4.16kV safety buses are de-energized.OPERABLE inverters require the associated vital bus to be powered by the inverter with output voltage within tolerances, and power input to the inverter from a 125VDC station battery. Alternatively, power supply may be from a battery charger as long as th e station battery is available as the uninterruptible power supply.

This LCO is modified by a Note that allows one inverter to be disconnected from its associated battery for 24hours, if the vital bus is powered from a constant voltage transformer and all other inverters are OPERABLE. This allows an equalizing charge to be placed on the associated battery. If the inverters were not disconnected, th e resulting voltage condition might damage the inverters. Th ese provisions minimize th e loss of equipment that would occur in the event of a loss of offsite power. The 24hour time period for the allowance minimizes the time during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital bus while taking into consideration the time required to perform an equalizing charge on the battery bank.

The intent of this Note is to lim it the number of inverters that may be disconnected. Only those inverters a ssociated with the single battery undergoing an equalizing charge may be disconnected. All other inverters must be aligned to their associated batteries, regardless of the number of inverters or unit design.

Inverters-Operating B 3.8.7BASESNorth Anna Units 1 and 2B 3.8.7-3Revision 11APPLICABILITYThe inverters are required to be OPERABLE in MODES1, 2, 3, and4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; andb.Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.Inverter requirements for MODES5 and6 are covered in the Bases for LCO3.8.8, "Inverters-Shutdown."ACTIONSA.1With a required inverter inoperable, its associated AC vital bus becomes

inoperable until it is re-energized from its c onstant voltage source transformer.

For this reason a Note ha s been included in ConditionA requiring the entry into the Conditions and Required Actions of LCO3.8.9, "Distribution Systems-Operating." This ensures that the vital bus is re-energized within 2hours.Required ActionA.1 allows 7days to fi x the inoperable inverter and return it to service. The 7day limit is based upon a risk evaluation, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety system s such a shutdown might entail. When the AC vital bus is powered from its co nstant voltage source, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter s ource to the AC vital buses is the preferred source for powering instrumentati on trip setpoint devices.The following compensatory measures will be implemented when an instrument bus inverter is unavailable:

a.Entry into ConditionA will not be planned concurrent with EDG maintenance, and (continued)

North Anna Units 1 and 2B 3.8.7-4Revision 46 Inverters-Operating B 3.8.7BASESACTIONSA.1 (continued)b.Entry into ConditionA will not be planned concurrent with planned maintenance on another RPS/ESFAS channel that results in that channel being in a tripped condition.

B.1With one or more required LCO3.8.7.b i nverters inoperable, the reliability of the shared component(s) on the othe r unit is degraded. In this condition, the associated shared component is declared inoperable within 7days. Service Water, Main Control Room/Emergency Switchgear Room Emergency Ventilation System, and Component Cooling Water are shared systems.C.1 and C.2 If the inoperable devices or compone nts cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable, based on

operating experience, to reach the requi red unit conditions from full power conditions in an orderly manner a nd without challenging unit systems.SURVEILLANCE

REQUIREMENT

SSR3.8.7.1This Surveillance verifies that the inverters are functi oning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper vol tage output ensures that the required power is readily available for the instrumentation of the RTS and ESFAS connected to the AC vital buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter8.2.UFSAR, Chapter6.3.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.8.8-1Revision 0 Inverters-Shutdown B 3.8.8B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.8Inverters-ShutdownBASESBACKGROUNDA description of the inverters is provided in the Bases for LCO3.8.7, "Inverters-Operating."APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.1) and Chapter15 (Ref.2),

assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure th e availability of necessary power to the Reactor Trip System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.The OPERABILITY of the minimum inve rters to each AC vital bus during MODES5 and6 ensures that:

a.The unit can be maintained in th e shutdown or refueling condition for extended periods;b.Sufficient instrumentation and c ontrol capability is available for monitoring and maintaining the unit status; andc.Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, the inverter(s) are only required to mitigate fuel handl ing accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical core within a time frame establishe d by analysis. The term recently is defined as all irradiated fuel assemb lies, until analysis is performed to determine a specific time frame.)

North Anna Units 1 and 2B 3.8.8-2Revision 20 Inverters-Shutdown B 3.8.8BASESAPPLICABLE SAFETY ANALYSES(continued)

The inverters were previously identified as part of the distribution system and, as such, satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe required inverter(s) ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anti cipated operational occurrence or a postulated DBA. The battery powered inverters provide uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16kV safety buses are de-energized. OPER ABILITY of the inverters requires that the AC vital bus be powered by the inverter. This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during

shutdown (e.g., fuel handling acci dents involving handling recently

irradiated fuel). Supported system (s) that do not provide automatic function(s) may be connected to a vita l bus that is powered by a constant voltage transformer (example: Low Te mperature Overpres sure Protection, when not in automatic).APPLICABILITYThe inverters required to be OPERABLE in MODES5 and6 and during movement of recently irradiated fuel assemblies provide assurance that:a.Systems to provide adequate cool ant inventory makeup are available for the irradiated fuel in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e

., fuel that has occupied part of a critical core within the previous 300hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling

condition.Inverter requirements for MODES1, 2, 3, and4 are covered in LCO3.8.7.

Inverters-Shutdown B 3.8.8BASESNorth Anna Units 1 and 2B 3.8.8-3Revision 20ACTIONSA.1, A.2.1, A.2.2, A.2.3, and A.2.4 The required OPERABLE Inverters are capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, recently irradiated fuel movement, and opera tions with a potential for positive reactivity additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoper able, appropriate restrictions will be implemented in accordance with the affected required

features LCOs' Required Actions. In many instances, this option may involve undesired administrative effo rts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive reactivity a dditions) that could result in loss of required SDM (MODE5) or boron concentration (MODE6).

Suspending positive reactiv ity additions that could re sult in failure to meet the minimum SDM or boron concentrat ion limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentrat ion greater than what would be required in the RCS for minimum SD M or refueling boron concentration.

This may result in an overall re duction in RCS boron concentration, but provides acceptable margin to ma intaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condi tion. These actions minimize the probability of the occurrence of postula ted events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quick ly as possible in order to minimize the time the unit safety systems may be without power or powered from a constant voltage source transformer.

North Anna Units 1 and 2B 3.8.8-4Revision 46 Inverters-Shutdown B 3.8.8BASESSURVEILLANCE REQUIREMENT

SSR3.8.8.1This Surveillance verifies that the inverters are functi oning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper vol tage output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.8.9-1Revision 0Distribution Systems-Operating B 3.8.9B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.9Distribution Systems-OperatingBASESBACKGROUNDThe onsite Class1E AC, DC, and AC vital bus el ectrical power distribution systems are divided by train into tw o redundant and independent AC, DC, and AC vital bus electrical pow er distribution subsystems.The AC electrical power subsystem for each train consists of a primary Engineered Safety Feature (ESF) 4.16kV bus and secondary 480V buses and load centers. Each 4.16kV ESF bus has at least one separate and independent offsite source of power as well as a dedicated onsite emergency diesel generator (EDG) source. Unit1 has a normal offsite source and an alternate offsite source. Transfer to the alternate offsite source is a manual operation. Unit2 has a normal offsite source, and no

alternate source. In the event of a loss of offsite power, the EDGs for the affected buses will start and load. The EDGs for Unit1 will continue to run until (a)the safety bus is transferred to the alternate offsite source, or (b)the normal offsite source is restored. The Unit2 EDGs will continue to run until the normal offside source is restored. If offsite sources are unavailable, the onsite EDG supplies power to the 4.16kV ESF bus. Control power for the 4.16kV breakers is supplied from the Class1E

batteries. Additional description of th is system may be found in the Bases for LCO3.8.1, "AC Sources-Operating," and the Bases for LCO3.8.4, "DC Sources-Operating."

The secondary AC electrical power di stribution subsystem for each train includes the safety related buses and load centers shown in TableB3.8.9-1.The 120VAC vital buses are arranged in two load groups per train and are normally powered from the inverters.

The alternate power supply for the vital buses are constant voltage s ource transformers powered from the same train as the associated inverter, and its use is governed by LCO3.8.7, "Inverters-Operating." Each constant voltage source transformer is powered from a Class1E AC bus.

There are two independent 125VDC electrical power distribution subsystems for each train.

(continued)

North Anna Units 1 and 2B 3.8.9-2Revision 43 Distribution Systems-Operating B 3.8.9BASESBACKGROUND (continued)

For the other unit, one AC and DC bus on that unit is needed to support operation of each required Service Wa ter (SW) pump, Main Control Room (MCR)/Emergency Switchgear Room (ESGR) Emergency Ventilation

System (EVS) fan, Auxiliary Building central exhaust fan, and Component Cooling Water (CC) pump. SW, MCR/

ESGR EVS, and CC are shared systems.Two trains of electrical circuits on the AC Vital bus es provide power to the Auxiliary Building Central exhaust subsystem filter a nd bypass dampers. One circuit is associated with the manual control switch on the Unit1 ventilation Panel is powered from the Vital Bus 1-I. The other circuit is associated with the manual control switch on the Unit2 Ventilation Panel is powered from Vital Bus 2-III. Either circuit will realign all associated dampers to the filter position. Vital pow er is not required as the system is

aligned to operate the dampers to the filter (accident) position upon loss of power.The list of all required distribution buses is presented in TableB3.8.9-1.APPLICABLE SAFETY ANALYSESThe initial conditions of Design Ba sis Accident (DBA) and transient analyses in the UFSAR, Chapter6 (Ref.1), and in the UFSAR, Chapter15 (Ref.2), assume ESF systems are OPERABLE. The AC, DC

, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensu re the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System,

and containment design li mits are not exceeded. Th ese limits are discussed in more detail in the Bases for Section3.2, Power Distribution Limits; Section3.4, Reactor Coolant System (RCS); and Section3.6, Containment Systems.The OPERABILITY of the AC, DC, a nd AC vital bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon m eeting the design basis of the unit.

This includes maintaining power di stribution systems OPERABLE during accident conditions in the event of:a.An assumed loss of all offsite power or all onsite AC electrical power; andb.A worst case single failure.

The distribution systems satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).

LCOThe distribution systems satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).

Distribution Systems-Operating B 3.8.9BASESNorth Anna Units 1 and 2B 3.8.9-3Revision 35The required power distribution subsystems listed in TableB3.8.9-1 ensure the availability of AC, DC, a nd AC vital bus electrical power for the systems required to shut down the re actor and maintain it in a safe condition after an anticipated ope rational occurrence (AOO) or a

postulated DBA. The AC, DC, and AC vital bus electrical power distribution subsystems are required to be OPERABLE.Maintaining the TrainH and TrainJ AC

, DC, and AC vita l bus electrical power distribution subsystems OPERABLE ensures that the redundancy

incorporated into the design of ESF is not defeated. Therefore, a single

failure within any system or with in the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

OPERABLE AC electrical power di stribution subsystems require the associated buses and load centers to be energized to their proper voltages.

OPERABLE DC electrical power di stribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. OPERABLE vital bus electrical power distribution subsystems require the associated buses to be energized to their proper voltage from the associated inverter via i nverted DC voltage, or constant voltage transformer.

In addition, tie breakers between redundant safety related AC, DC, and AC vital bus power distribution subsystems, if they exist, must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsys tem, that could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers are closed, the affected redundant electrical power distribution subsystems are considered inoperable.

This applies to the onsite, safety related redundant electrical power di stribution subsystems. It does not, however, preclude redundant Class1E 4.16kV buses from being powered from the same offsite circuit.APPLICABILITYThe electrical power distribution subsys tems are required to be OPERABLE in MODES1, 2, 3, and4 to ensure that:a.Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; andb.Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA. Electrical power distribution subsystem requirements for MODES5 and6 are covered in the Bases for LCO3.8.10, "Distribution

Systems-Shutdown."

North Anna Units 1 and 2B 3.8.9-4Revision 35 Distribution Systems-Operating B 3.8.9BASESACTIONSA.1With one or more LCO3.8.9.a AC electrical power distribution subsystem(s) inoperable, the minimu m safety functions can still be accomplished, assuming no single failur e, as long as one set of redundant required equipment (AC buses and lo ad centers) supporting each safety function remains energized to their proper voltages. Redundant required equipment is listed in TableB3.8.9-1.

The overall reliability is reduced, however, because a single failure in the remaining power distribution

subsystems could result in the mini mum required ESF functions not being supported. Therefore, the required AC buses and load centers must be restored to OPERABLE status within 8hours.ConditionA worst scenario is one trai n without AC power (i.e., no offsite power to the train and the associated EDG inoperable).

In this Condition, the unit is more vulnerable to a complete loss of AC power.

It is, therefore, imperative that the unit operator's a ttention be focuse d on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8hour time limit before requiring a unit shutdown in this C ondition is acceptable because of:a.The potential for decreased safety if the unit operator's attention is diverted from the evalua tions and actions necessar y to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; andACTIONSA.1 (continued)b.The potential for an event in c onjunction with a si ngle failure of a redundant component in the train with AC power.The second Completion Time for Required ActionA.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If ConditionA is entered wh ile, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2hours. This could lead to a total of 10hours, since initial failure of the LCO, to restore the AC distribution syst em. At this time, a DC circuit could again become inoperable, and AC di stribution restored OPERABLE. This could continue indefinitely.The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time ConditionA was entered. The 16hour Completion Distribution Systems-Operating B 3.8.9BASESNorth Anna Units 1 and 2B 3.8.9-5Revision 35Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.Required ActionA.1 is modified by a Note that requires the applicable Conditions and Required Actions of LCO3.8.4, "DC Sources-Operating," to be entered for DC train(s) made inoperable power distribution subsystem(s). This is an exception to LCO3.0.6 and ensures the proper actions are taken for thes e components. Inoperability of a

distribution system can result in loss of charging power to batteries and eventual loss of DC power. This Note ensures that appropriate attention is given to restoring charging power to batteries, if necessary, after loss of distribution systems.

B.1With one or more LCO3.8.9.a AC vital buses inoperable and a loss of function has not yet occurred, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional singleACTIONSB.1 (continued) failure could result in the minimu m required ESF functions not being supported. Therefore, the required AC vital bus must be restored to OPERABLE status within 2hours by pow ering the bus from the associated inverter via inverted DC, or constant voltage transformer.ConditionB represents one or more AC vital buses without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the un it is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative

that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the re maining vital buses and restoring power to the affected vital bus.This 2hour limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate vital AC power. Taking exception to LCO3.0.2 for com ponents without adequate vital AC power, that would have the Required Action Completion Times shorter than 2hours if declared inoperable, is acceptable because of:a.The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable

operations to continue; North Anna Units 1 and 2B 3.8.9-6Revision 35 Distribution Systems-Operating B 3.8.9BASESb.The potential for decreased safety by requiring entry into numerous applicable Conditions and Require d Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary ev aluations and actions for restoring power to the affected train; andc.The potential for an event in c onjunction with a si ngle failure of a redundant component.The 2hour Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERAB LE status, the redundant capability afforded by the other OPERABLE vital bu ses, and the low probability of a DBA occurring during this period.The second Completion Time for Required ActionB.1 establishes a limit on the maximum allowed for any comb ination of required distribution subsystems to beACTIONSB.1 (continued) inoperable during any singl e contiguous occurrence of failing to meet the LCO. If ConditionB is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8hours. This could lead to a total of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, since initial failure of the LCO, to re store the vital bus distribut ion system. At this time, an AC train could again become i noperable, and vital bus distribution restored OPERABLE. This could continue indefinitely.This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time ConditionB was entered. The 16hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

C.1With one or more LCO3.8.9.a DC buses inoperable and a loss of function has not yet occurred, the remaining DC electrical power distribution subsystems are capable of supporti ng the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown

condition, assuming no single failure. Th e overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimu m required ESF functions not being supported. Therefore, the DC bus(es) must be restored to OPERABLE status within 2hours by powering the bus(es) from the associated battery or charger.

Distribution Systems-Operating B 3.8.9BASESNorth Anna Units 1 and 2B 3.8.9-7Revision 35ConditionC represents one or more DC buses without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situat ion, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the rema ining trains and restoring power to the affected train.ACTIONSC.1 (continued)This 2hour limit is more conservative than Completion Times allowed for the vast majority of components that would be without power. Taking exception to LCO3.0.2 for components without adequate DC power,

which would have Required Action Completion Times shorter than 2hours, is acceptable because of:a.The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;b.The potential for decreased safety by requiring entry into numerous applicable Conditions and Require d Actions for components without DC power and not providing sufficie nt time for the operators to perform the necessary evaluations a nd actions for restoring power to the affected train; andc.The potential for an event in c onjunction with a si ngle failure of a redundant component.The 2hour Completion Time for DC bus es is consistent with Regulatory Guide1.93 (Ref.3).

The second Completion Time for Required ActionC.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If ConditionC is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO

may already have been not met for up to 8hours. This could lead to a total of 10hours, since initial failure of th e LCO, to restore the DC distribution

system. At this time, an AC train c ould again become inoperable, and DC distribution restored OPERABLE. This could continue indefinitely.

North Anna Units 1 and 2B 3.8.9-8Revision 43 Distribution Systems-Operating B 3.8.9BASESThis Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time ConditionC was entered. The 16hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.ACTIONSD.1With one or more required LCO3.8.9.b AC electrical power distribution

subsystem(s) inoperable, the shared co mponent(s) on the other unit is not capable of operating. In this condition, the associated shared component is declared inoperable immediately. SW, MCR/ESGR EVS, and CC are shared systems. The associated Conditions or Requi red Actions of LCO3.7.8, "Service Water System," LCO3.7.10, "MCR/ESGR Emergency Ventilation System," and LCO3.7.19, "Component Cooling Water (CC) System," are followed.

E.1With one or more required LCO3.8.9.b DC electrical power distribution subsystem(s) inoperable, the shared co mponent(s) on the other unit is not capable of operating. In this condition, the associated shared component is declared inoperable immediately. SW, MCR/ESGR EVS, and CC are shared systems. The associated Conditions or Requi red Actions of LCO3.7.8, 3.7.10, 3.7.12, and3.7.19 are followed.F.1With one or more required LCO3.8.9.b AC vital electrical power distribution subsystem(s) inoperable, the shared component(s) on the other unit is not capable of operating. In this condition, the associated shared component is declared inoperable immediately. SW, MCR/ESGR EVS, and CC are shared systems.G.1 and G.2If the inoperable LCO3.8.9.a distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this

status, the unit must be brought to at least MODE3 within 6hours and to MODE5 within 36hours. The allowed Completion Times are reasonable,

based on operating experience, to reach the required unit conditions from full power conditions in an orderl y manner and without challenging unit systems.

Distribution Systems-Operating B 3.8.9BASESNorth Anna Units 1 and 2B 3.8.9-9Revision 46ACTIONSH.1ConditionH corresponds to a level of de gradation in the electrical power distribution system that causes a required safety function to be lost. When more than one inoperable LCO3.8.9.a electrical pow er distribution subsystem results in the loss of a required function, the unit is in a condition outside the accident analysis. Therefore, no additional time is

justified for continued operation. LCO3.0.3 must be entered immediately to commence a controlled shutdown.SURVEILLANCE

REQUIREMENT

SSR3.8.9.1This Surveillance verifies that th e required AC, DC, and AC vital bus electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independ ence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus.

The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as we ll as control functions for critical system loads connected to these buses. Verification of proper

voltage availability for 480volt buses and load ce nters may be performed by indirect methods. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.3.Regulatory Guide1.93, December1974.

North Anna Units 1 and 2B 3.8.9-10Revision0 Distribution Systems-Operating B 3.8.9BASES* Each train of the AC and DC electrical power distribution systems is a subsystem.TableB 3.8.9-1 (page1 of1)

AC and DC Electrical Po wer Distribution SystemsTYPEVOLTAGETRAIN H*TRAIN J*Unit 1Unit 2Unit 1Unit 2AC emergency buses4160 VESF BusESF Bus1H2H1J2J480 VLoad CentersLoad Centers1H2H1J2J1H12H11J12J1DC buses125 VBus 1-I2-IBus 1-III2-IIIBus 1-II2-IIBus 1-IV2-IV AC vitalbuses120 VBus 1-12-1Bus 1-32-3Bus 1-22-2Bus 1-42-4 North Anna Units 1 and 2B 3.8.10-1Revision 0 Distribution Systems-Shutdown B 3.8.10B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.10Distribution Systems-ShutdownBASESBACKGROUNDA descripti on of the AC, DC, and AC vital bus electrical pow er distribution systems is provided in the Bases for LCO3.8.9, "Distribution Systems-Operating."APPLICABLE SAFETY ANALYSESThe initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter6 (Ref.1) and Chapter15 (Ref.2), assume

Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power di stribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.The OPERABILITY of the AC, DC, a nd AC vital bus electrical power distribution system is cons istent with the initial as sumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.The OPERABILITY of the minimum AC

, DC, and AC vital bus electrical power distribution subsystems during MODES5 and6, and during movement of recently irradiated fuel assemblies ensures that:a.The unit can be maintained in th e shutdown or refueling condition for extended periods;b.Sufficient instrumentation and c ontrol capability is available for monitoring and maintaining the unit status; andc.Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, the AC and DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical core within a time fram e established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)

North Anna Units 1 and 2B 3.8.10-2Revision 20 Distribution Systems-Shutdown B 3.8.10BASESAPPLICABLE SAFETY ANALYSES(continued)

The AC and DC electrical power distribution systems satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOVarious combinations of subsys tems, equipment, and components are required OPERABLE by other LCOs, depending on the specific unit condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the el ectrical distribution system necessary to support OPERABILITY of requi red systems, equipment, and components-all specifically addre ssed in each LCO and implicitly required via the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postula ted events during shutdown (e.g., fuel handling accidents involving handli ng recently irradiated fuel).APPLICABILITYThe AC and DC electrical pow er distribution subsystems required to be OPERABLE in MODES5 and6, and during movement of recently irradiated fuel assemblies

, provide assurance that:a.Systems to provide adequate cool ant inventory makeup are available for the irradiated fuel in the core;b.Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e

., fuel that has occupied part of a critical core within the previous 300hours) are available;c.Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; andd.Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and refueling

condition.The AC, DC, and AC vital bus electrical power distri bution subsystems requirements for MODES1, 2, 3, and4 are covered in LCO3.8.9.

Distribution Systems-Shutdown B 3.8.10BASESNorth Anna Units 1 and 2B 3.8.10-3Revision 20ACTIONSA.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 Although redundant required features may require redundant trains of electrical power distri bution subsystems to be OPERABLE, one OPERABLE distribution subsystem train may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the af fected distribution subsystem LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently

conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fu el assemblies, and operations involving positive reactivity additions) that c ould result in loss of required SDM (MODE5) or boron concentration (MODE6). Suspending positive

reactivity additions that could result in failure to meet the minimum SDM or boron concentration limi t is required to assure continued safe operation.

Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for

minimum SDM or refueling boron concen tration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increas es when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of

required SDM.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condi tion. These actions minimize the probability of the occurrence of postula ted events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety

systems.Notwithstanding performance of the a bove conservative Required Actions, a required residual heat removal (RHR

) subsystem may be inoperable. In this case, Required Acti ons A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO3.0.6, the RHR ACTIONS would not be entered.

(continued)

North Anna Units 1 and 2B 3.8.10-4Revision 46 Distribution Systems-Shutdown B 3.8.10BASESACTIONSA.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 (continued)Therefore, Required Action A.2.5 is provided to direct declaring RHR inoperable, which results in ta king the appropria te RHR actions.The Completion Time of immediately is consistent with the required times for actions requiring prompt attent ion. The restoration of the required distribution subsystems should be co mpleted as quickly as possible in order to minimize the time the unit safety systems may be without power.SURVEILLANCE

REQUIREMENT

SSR3.8.10.1This Surveillance verifies that th e required AC, DC, and AC vital bus electrical power distribution subsystems are functioning properly, with all the buses energized. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as

well as control functions for critical system loads connect ed to these buses. Verification of proper voltage availability for 480volt buses and load centers may be performed by indirect methods. The Surveillance

Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter6.2.UFSAR, Chapter15.

North Anna Units 1 and 2B 3.9.1-1Revision 0 Boron Concentration B 3.9.1B 3.9REFUELING OPERATIONSB 3.9.1Boron ConcentrationBASESBACKGROUNDThe limit on the boron concentrat ions of the Reactor Coolant System (RCS), the refueling canal, and th e refueling cavity during refueling ensures that the reactor remains subcritical during MODE6. Refueling boron concentration is the soluble bor on concentration in the coolant in each of these volumes having direct access to the reactor core during

refueling.The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Plant procedures ensure the sp ecified boron concentration in order to maintain an overall core reactivity of keff 0.95 during fuel handling, with control rods and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowe d by plant procedures.GDC26 requires that two independent reactivity control systems of different design principles be provided (Ref.1). On e of these systems must

be capable of holding the reactor co re subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable

of maintaining the reactor subcritical in cold c onditions by maintaining the boron concentration.The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refu eling. After the RCS is cooled and depressurized and the vessel head is unbolted, the head is slowly removed to form the refueling cavity. The refueling canal and the refueling cavity

are then flooded with borated water from the Refueling Water Storage Tank through the open reactor vesse l by gravity feeding or by the use of the Low Head Safety Injection System pumps.

The pumping action of the Residual He at Removal (RHR) System in the RCS and the natural circulation due to thermal driving heads in the reactor vessel and refueling cavity mix the added concentrated boric acid with the water in the refueling canal. The RHR System is in operation during (continued)

North Anna Units 1 and 2B 3.9.1-2Revision 0 Boron Concentration B 3.9.1BASESBACKGROUND (continued)refueling (see LCO3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level") to provide forced circulation in the RCS and assist in ma intaining the boron concentrations in the RCS, the refueling canal, and th e refueling cavity above the COLR limit.APPLICABLE SAFETY ANALYSESDuring refueling operati ons, the reactivity condition of the core is established to protect against inadvertent positive reactivity addition and is conservative for MODE6. The boron concentration limit specified in the COLR is based on the core reactivity at the begi nning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.

The required boron concentration and th e plant refueling procedures that verify the correct fuel loading plan (including full core mapping) ensure that the keff of the core will remain 0.95 during the refueling operation. Hence, at least a 5% k/k margin of safety is established during refueling.

During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal, the refueling cavity, and the reactor vessel form a

single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.

The RCS boron concentration satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThe LCO requires that a minimum bor on concentration be maintained in the RCS, the refueling canal, and the refueling cavity while in MODE6. The boron concentration limit specified in the COLR ensures that a core keff of 0.95 is maintained during fuel handling operations. Violation of the LCO could lead to an inadvertent criticality during MODE6.APPLICABILITYThis LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subc ritical. The required boron concentration ensures a keff 0.95. Above MODE6, (continued)

Boron Concentration B 3.9.1BASESNorth Anna Units 1 and 2B 3.9.1-3Revision 0APPLICABILITY (continued)LCO3.1.1, "SHUTDOWN MARGIN (SDM)"

ensures that an adequate amount of negative reactivity is avai lable to shut down the reactor and maintain it subcritical.

The applicability is modifi ed by a Note. The Note states that the limits on boron concentration are only applicable to the refuel ing canal and refueling cavity when those volumes are connected to the RCS. When the refueling canal and refueling cavity are isolated from the RCS, no potential path for

boron dilution exists.ACTIONSA.1 and A.2Continuation of CORE ALTERATIONS or positive reactivity additions

(including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron

concentration of any coolan t volume in the RCS, the refueling canal, or the refueling cavity is less than its limit, all operations involving CORE ALTERATIONS or positive reactivit y additions must be suspended immediately.Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position. Operations that individually add limited positive reacti vity (e.g., temperature fluctuations from inventory addition or temperatur e control fluctuations), but when combined with all other operations affecting core reactivity (e.g.,

intentional boration) result in overa ll net negative react ivity addition, are not precluded by this action.

A.3In addition to immediately suspending CORE ALTERATIONS and positive reactivity additions, boration to restore the concentration must be initiated immediately.In determining the required combin ation of boration flow rate and concentration, no unique Design Basis Event must be satisfied. The only requirement is to restore the boron c oncentration to its required value as soon as possible. In order to rais e the boron concentration as soon as possible, the operator should begin borat ion with the best source available for unit conditions.

(continued)

North Anna Units 1 and 2B 3.9.1-4Revision 46 Boron Concentration B 3.9.1BASESACTIONSA.3 (continued)

Once actions have been initiated, th ey must be continued until the boron concentration is restored. The restoration time depends on the amount of boron that must be injected to reach the required concentration.SURVEILLANCE

REQUIREMENT

SSR3.9.1.1This SR ensures that the coolant boron concentration in the RCS, and

connected portions of the refueling canal and the refueling cavity, is within the COLR limits. The boron concentrat ion of the coolant in each required volume is determined periodically by chemical analysis. Prior to re-connecting portions of the refueling canal or the refueling cavity to the

RCS, this SR must be met per SR3.0.1. If any dilution activity has occurred while the cavity or canal were disconnected from the RCS, this SR ensures the correct boron concentration prior to communication with the RCS.The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section3.1.22.

North Anna Units 1 and 2B 3.9.2-1Revision 8Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2B 3.9 REFUELING OPERATIONSB 3.9.2Primary Grade Water Flow Path Isolation Valves-MODE6BASESBACKGROUNDDuring MODE6 operations, the is olation valves for primary grade water flow paths that are connected to the Reactor Cool ant System (RCS) must be closed to prevent unplanned boron di lution of the reactor coolant. The isolation valves must be locked, sealed or otherwise secured in the closed position.The Chemical and Volume Control Syst em is capable of supplying borated and unborated water to the RCS th rough various flow paths. Since a positive reactivity addition made by uncontrolled reduction of the boron concentration is inappropriate during MODE6, isolation of all primary grade water flow paths prevents an unplanned boron dilution.APPLICABLE SAFETY ANALYSESThe possibility of an inadvertent boron dilution event (Ref.1) occurring during MODE6 refueling operations is precluded by adherence to this LCO, which requires that primary grade water flow paths be isolated.

Closing the required valves during refueling operations prevents the flow of unborated water to the filled portion of the RCS. The valves are used to

isolate primary grade water flow paths.

These valves have the potential to indirectly allow dilution of the RCS boron concentration in MODE6. By isolating primary grade water flow paths, a safety analysis for an uncontrolled boron dilution accident is not required for MODE6.The RCS boron concentration satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOThis LCO requires that flow paths to the RCS from primary grade water sources be isolated to prevent unplanned boron dilution during MODE6 and thus avoid a reduction in SDM.For Unit1, primary grade water flow pa ths may be isolated from the RCS by closing valve 1-CH-217. Alternatively, 1-CH-220, 1-CH-241, 1-CH-FCV-1114B and 1-CH-FCV-1113B may be used in lieu of 1-CH-217. For Unit2, primary grade water (continued)

North Anna Units 1 and 2B 3.9.2-2Revision 8Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2BASESLCO(continued)flow paths may be isolated from the RCS by closing valve 2-CH-140. Alternatively, 2-CH-160, 2-CH-156, 2-CH-FCV-2114B, and 2-CH-FCV-2113B may be us ed in lieu of 2-CH-140.

The LCO is modified by a Note which allows the primary grade water flow path isolation valves to be opened unde r administrative control for planned boron dilution or makeup activities.APPLICABILITYIn MODE6, this LCO is applicable to prevent an inadvertent boron dilution event by ensuring isolation of primary grade water flow paths to the RCS.In MODES3, 4, and5, LCO3.1.8, Primary Grade Water Flow Path Isolation Valves, requires the primary grade water flow paths to the RCS to be isolated to prevent an inadvertent boron dilution.

In MODES1 and2, the boron dilution accident was analyzed and was found to be capable of being mitigated.ACTIONSA.1Continuation of CORE ALTERATIONS is contingent upon maintaining the unit in compliance with this LCO. With any valve used to isolate primary grade water flow paths not lock ed, sealed or otherwise secured in the closed position, all operations involving CORE ALTERATIONS must be suspended immediately. The Completion Time of "immediately" for performance of Required ActionA.1 shall not preclude completion of movement of a component to a safe position.ConditionA has been modified by a Note to require that Required ActionA.3 be completed whenever ConditionA is entered.

A.2Preventing inadvertent dilution of the reactor coolant boron concentration is dependent on maintaining the primary grade water flow path isolation valves secured closed. Locking, sealing, or securing the valves in the

closed position ensures that the valv es cannot be inadvertently opened. The Completion Time of 15minutes provides sufficient time to close, lock,

seal, or otherwise secure the flow path isolation valve.

Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2BASESNorth Anna Units 1 and 2B 3.9.2-3Revision 46ACTIONS(continued)

A.3Due to the potential of having dilu ted the boron concentration of the reactor coolant, SR3.9.1.1 (verification of boron concentration) must be performed to demonstrate that the re quired boron concentration exists. The Completion Time of 4hours is sufficient to obtain and analyze a reactor coolant sample for boron concentration.SURVEILLANCE

REQUIREMENT

SSR3.9.2.1These valves are to be locked, sealed, or otherwise secured closed to isolate possible dilution paths. The likelihood of a significant reduction in the boron concentration during MODE6 operations is remote due to the large mass of borated water in the refueling cavity and the fact that the primary

grade water flow paths are isolated, precluding a dilution. The boron concentration is checked during MODE6 under SR3.9.1.1. The

Frequency is based on verifying that the isolation valves are locked, sealed, or otherwise secured within 15mi nutes following a boron dilution or makeup activity. This Frequency is based on engineering judgment and is considered reasonable in view of othe r administrative controls that will ensure that the valve opening is an unlikely possibility.REFERENCES1.UFSAR, Section15.2.4.

Intentionally Blank North Anna Units 1 and 2B 3.9.3-1Revision 0Nuclear Instrumentation B 3.9.3B 3.9 REFUELING OPERATIONSB 3.9.3Nuclear InstrumentationBASESBACKGROUNDThe source range neutron flux monitors are used during refueling operations to monitor the core reac tivity condition. The installed source range neutron flux monitors are part of the Nuclear Instrumentation System (NIS). These detectors are located external to the reactor vessel and detect neutrons leaking from the core.The installed source range neutron flux monitors are BF3 detectors operating in the proportional region of the gas filled detector characteristic curve. The detectors monitor the ne utron flux in counts per second. The instrument range covers six decades of neutron flux (1E+6cps). The

detectors also provide c ontinuous visual indication and an audible alarm in the control room to alert operators to a possible dilution accident. The NIS is designed in accordance with the criteria presented in Reference1.APPLICABLE SAFETY ANALYSESTwo OPERABLE source range neutron flux monitors are required to provide a signal to alert the operato r to unexpected changes in core reactivity such as with a boron dilution accident (Ref.2) or an improperly loaded fuel assembly. The need for a safety analysis for an uncontrolled

boron dilution accident is eliminated by isolating all unborated water sources as required by LCO3.9.2, "Primary Grade Water Flow Path Isolation Valves-MODE6."

The source range neutron flux monitors satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThis LCO requires that two source range neutron flux monitors be OPERABLE to ensure that redundant m onitoring capability is available to detect changes in core reactivity.

North Anna Units 1 and 2B 3.9.3-2Revision 0Nuclear Instrumentation B 3.9.3BASESAPPLICABILITYIn MODE6, the source range ne utron flux monitors must be OPERABLE to determine changes in core reactivity. There are no other direct means available to check core reactivity levels. In MODES2, 3, 4, and5, these same installed source range detectors a nd circuitry are also required to be OPERABLE by LCO3.3.1, "Reactor Trip System (RTS) Instrumentation."ACTIONSA.1 and A.2With only one source ra nge neutron flux monitor OPERABLE, redundancy has been lost. Since these instrume nts are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO3.9.1 must be suspended immediately. Suspending positive reactivity additions that could result in failure to m eet the minimum boron concen tration limit is required to assure continued safe operation. In troduction of coolant inventory must be from sources that have a boron concentration greater than that what would be required in the RCS for mi nimum refueling bor on concentration.

This may result in an overall reducti on in RCS boron concentration, but provides acceptable margin to ma intaining subcritical operations.

Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.

B.1With no source range neutron flux monitor OPERABLE, action to restore a

monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until a source range neutron flux monitor is restored to OPERABLE status.

B.2With no source range neutron flux m onitor OPERABLE, there are no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and positive reactivity additions are not to be made, the core reactivity condition is stabilized until the source range neutron flux monitors are OPERABLE. This stabilized condition is determined by performing SR3.9.1.1 to ensure that the required boron concentration exists.(continued)

Nuclear Instrumentation B 3.9.3BASESNorth Anna Units 1 and 2B 3.9.3-3Revision 46ACTIONSB.2 (continued)The Completion Time of once per 12hours is sufficient to obtain and analyze a reactor coolant sample for boron concentration and ensures that unplanned changes in boron concentr ation would be identified. The 12hour Frequency is reasonable, c onsidering the low probability of a change in core reactivity during this time period.SURVEILLANCE

REQUIREMENT

SSR3.9.3.1SR3.9.3.1 is the performance of a CHANNEL CHECK, which is a

comparison of the parameter indica ted on one channel to a similar parameter on other channels. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in

fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.9.3.2SR3.9.3.2 is the performance of a CHANNEL CALIBRATION every 18months. This SR is modified by a Note stating that ne utron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the source range ne utron flux monitors consists of obtaining the detector plateau or pr eamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. The 18month Frequency is based on the need to perform this Surveillance under the conditions that apply duri ng a unit outage. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Chapter3.2.UFSAR, Chapter15.

Intentionally Blank North Anna Units 1 and 2B 3.9.4-1Revision 20 Containment Penetrations B 3.9.4B 3.9 REFUELING OPERATIONSB 3.9.4Containment PenetrationsBASESBACKGROUNDDuring movement of recently irradiated fuel assemblies within containment, a release of fission produc t radioactivity within containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES1, 2, 3, and4, this is accomplished by maintaining containment OPERABLE as described in LCO3.6.1, "Containment." In MODE6, the potenti al for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the

containment from the outside atmos phere can be less stringent. The LCO requirements are referred to as "c ontainment closure" rather than "containment OPERABILITY." Contai nment closure means that all potential escape paths are closed or cap able of being closed. Since there is no potential for containment pressurization, the AppendixJ leakage criteria and tests are not required.

The containment serves to contain fission product ra dioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained wi thin the requirements of Regulatory Guide1.183 (Ref.2). Additionally, th e containment provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment equipment hatch, wh ich is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containm ent. During movement of recently irradiated fuel assemblies within cont ainment, the equipment hatch must be held in place by at least fourbolts. G ood engineering practice dictates that the bolts required by this LCO be approximately equally spaced.

The containment air locks, which are al so part of the containment pressure boundary, provide a means for personnel access during MODES1, 2, 3, and4 unit operation in accordance with LCO3.6.2, "Containment Air Locks." One of the containment air lo cks is an integral part of the containment equipment hatch. During refueling the air lock (continued)

North Anna Units 1 and 2B 3.9.4-2Revision 20 Containment Penetrations B 3.9.4BASESBACKGROUND (continued)that is part of the containment equipment hatch is typically replaced by a temporary hatch plate. While the tempor ary hatch plate is installed, there is only one air lock by which to enter c ontainment. The LCO only applies to containment air locks that are insta lled. Each air lock has a door at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of unit shutdown when containment closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain

open for extended periods when frequent containment entry is necessary.

During movement of recently irradiated fuel assemblies within containment, containment closure is re quired; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain closed.The requirements for contai nment penetration closure ensure that a release of fission product radioactivity within containment will be restricted from escaping to the environment. The closure restrictions are sufficient to restrict fission product radioactivity release from the containment due to a fuel handling accident involving handling of recently irradiated fuel.The Containment Purge and Exhaust System includes a 36inch purge penetration and a 36inch exhaust penetration. During MODES1, 2, 3, and4, the two valves in each of the purge and exhaust flow paths are secured in the closed pos ition. The Containment Purge and Exhaust System is not subject to a Specification in MODE5.In MODE6, large air exchanges ar e necessary to conduct refueling operations. The 36inch purge system is used for this purpose.

The containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side.

Isolation may be achieved by an OPERABLE automatic isolation valve, or

by a manual isolation valve, blind fl ange, or equivalent. Equivalent isolation methods must be approved and may include use of a material that can provide a temporary, atmospheric pressure, ventilation barrier for the

other containment penetrat ions during recently irradiated fuel movements.

Containment Penetrations B 3.9.4BASESNorth Anna Units 1 and 2B 3.9.4-3Revision 20APPLICABLE SAFETY ANALYSESDuring movement of irradiated fuel assemblies within containment, the most severe radiological consequences result from a fuel handling accident involving handling recently irradiated fu el. The fuel handling accident is a postulated event that involves damage to irradiated fuel (Ref.1). Fuel handling accidents, analyzed in Reference2, involve dropping a single irradiated fuel assembly and handling tool. The requirements of LCO3.9.7, "Refueling Cavity Water Level," in conjunction with a minimum decay time of 100hours prior to movement of irradiated fu el (i.e., fuel that has not been recently irradiated) without containment closure capability

ensures that the release of fission product radioactivity, subsequent to a fuel handling accident, results in doses th at are within the guideline values specified in Regulatory Guide1.183 (Ref.2).

Containment penetrations satisfy Criterion3 of 10CFR 50.36(c)(2)(ii).LCOThis LCO limits the consequences of a fuel handling accident involving handling recently irradiat ed fuel in containment by limiting the potential escape paths for fission product radioactivity released within containment.

The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge an d exhaust penetrations. For the OPERABLE containment purge and exhaust penetrations, this LCO ensures that these penetrations are isolable by a containment purge and exhaust isolation valve.

The LCO is modified by a Note allowing penetration flow paths with direct access from the containment atmosphere to the outside atmosphere to be unisolated under administrative controls. Administrative controls ensure that 1)appropriate personnel are aware of the open st atus of the penetration flow path during movement of recently irradiated fuel assemblies within containment, and 2)specified indi viduals are designated and readily available to isolate the flow path in the event of a fuel handling accident.APPLICABILITYThe containment penetration requirements are applicable during movement of recently irradiated fuel assemblies within containment because this is

when there is a potential for the limiting fuel handling accident. In MODES1, 2, 3, (continued)

North Anna Units 1 and 2B 3.9.4-4Revision 46 Containment Penetrations B 3.9.4BASESAPPLICABILITY (continued)and4, containment penetration requirements are addressed by LCO3.6.1. In MODES5 and6, when movement of irradiated fuel assemblies within containment is not being conducted, th e potential for a design basis fuel handling accident does not exist. Additionally, due to radioactive decay, containment closure capability is onl y required during a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has

occupied part of a cri tical reactor core within the previous 100hours). A fuel handling accident involving fuel with a minimum decay time of 100hours prior to movement will resu lt in doses that are within the guideline values specified in Regulatory Guide1.183 (Ref.2) even without containment closure capability. Th erefore, under these conditions no requirements are placed on cont ainment penetration status.ACTIONSA.1 If the containment equipment hatc h, air locks, or any containment penetration that provides direct access from the containment atmosphere to the outside atmosphere is not in the required status, including the Containment Purge and Exhaust Isolat ion System not capable of manual actuation when the purge and exhaus t valves are open, the unit must be placed in a condition where the isolation function is not needed. This is accomplished by immediately suspending movement of rece ntly irradiated fuel assemblies within containment. Performance of these actions shall not preclude completion of movement of a component to a safe position.SURVEILLANCE

REQUIREMENT SSR3.9.4.1This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position. The Surveillance on the open purge and exhaust valves will demonstrate that the valves are not blocked from closing. Also the Surveillance will demonstrate that each valve operator has motive power, which will ensure that each valve is

capable of being manually closed.

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Containment Penetrations B 3.9.4BASESNorth Anna Units 1 and 2B 3.9.4-5Revision 46SURVEILLANCE REQUIREMENT

SSR3.9.4.2This Surveillance demonstrates that each containment purge and exhaust valve actuates to its isolati on position on manual initiation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This Surveillance will ensure that the valves are capable of being closed after a postulated fuel handling accident involving handling recently irradiated fuel to limit a release of fission product radioactivity from the containment. The SR is modified by a Note stating that this Surveillance is not required to be met for valves in isolated

penetrations. The LCO provides the option to close penetrations in lieu of requiring manual initiation capability.REFERENCES1.UFSAR, Section15.4.7.2.Regulatory Guide1.183, July2000.

Intentionally Blank North Anna Units 1 and 2B 3.9.5-1Revision 0 RHR and Coolant Circulation-High Water Level B 3.9.5B 3.9 REFUELING OPERATIONSB 3.9.5Residual Heat Removal (RHR) and Coolant Circulation-High Water LevelBASESBACKGROUNDThe purpose of the RHR System in MODE6 is to remove decay heat and sensible heat from the Reactor Coolan t System (RCS) to provide mixing of borated coolant and to prevent boron stratification (Ref.1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchanger(s), where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold

leg(s). Operation of the RHR System for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlli ng the flow of reactor coolant through the RHR heat exchanger(s) and the bypa ss. Mixing of the reactor coolant is maintained by this continuous circul ation of reactor coolant through the RHR System.APPLICABLE SAFETY ANALYSESIf the reactor coolant temperat ure is not maintained below 200F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant

would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the RHR System is required to be operational in MODE6, with the water level 23ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit

removal of the RHR loop from oper ation for short durations, under the condition that the boron concentrati on is not diluted. This conditional removal from operation of the RHR l oop does not result in a challenge to the fission product barrier.The RHR System satisfies Criterion4 of 10CFR 50.36(c)(2)(ii).

LCOOnly one RHR loop is required for decay heat removal in MODE6, with the water level 23ft above the top of the reactor vessel flange. Only one RHR loop is required to be (continued)

North Anna Units 1 and 2B 3.9.5-2Revision 0 RHR and Coolant Circulation-High Water Level B 3.9.5BASESLCO(continued)OPERABLE, because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one RHR loop must be OPERABLE and in operation to provide:a.Removal of decay heat;b.Mixing of borated coolant to minimize the possibility of criticality; andc.Indication of reactor coolant temperature.

An OPERABLE RHR loop includes an RHR pump, a heat exchanger, valves, piping, instruments, and cont rols to ensure an OPERABLE flow path and to determine the RHR discharge temperature. The flow path starts in one of the RCS hot legs and is returned to at least one of the RCS cold legs.The LCO is modified by a Note th at allows the required operating RHR loop to be removed from operation for up to 1hour per 8hour period, provided no operations ar e permitted that would dilute the RCS boron concentration by introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO3.9.1. Boron concentration reduction with coolant at boron concentrations less than required to assure the RCS boron concentration is

maintained is prohibited because uniform concentrat ion distribution cannot be ensured without forced circulation.

This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles

and RCS to RHR isolation valve testing. During this 1hour period, decay

heat is removed by natural convection to the large mass of water in the refueling cavity.APPLICABILITYOne RHR loop mu st be OPERABLE and in operation in MODE6, with the water level 23ft above the top of the react or vessel flange, to provide decay heat removal. The 23ft wate r level was selected because it corresponds to the 23ft requirement established for fuel movement in LCO3.9.7, "Refueling Cavity Water Level." Requirements for the RHR System in other MODES are covered by LCOs in Section3.4, Reactor

Coolant System (RCS). RHR loop requirements in MODE6 with the water level <23ft are located in LCO3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level."

RHR and Coolant Circulation-High Water Level B 3.9.5BASESNorth Anna Units 1 and 2B 3.9.5-3Revision 0ACTIONSRHR loop requirements are me t by having one RHR loop OPERABLE and in operation, except as permitted in the Note to the LCO.

A.1If RHR loop requirements are not met, th ere will be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inve ntory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum refueling boron concentrati on. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation.

A.2If RHR loop requirements ar e not met, actions shal l be taken immediately to suspend loading of irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat rem oval from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 23ft above the reactor vessel flange

provides an adequate available heat sink. Suspending any operation that would increase decay heat load, such as loading a fuel assembly, is a

prudent action under this condition.

A.3If RHR loop requirements are not met, actions shall be initiated and continued in order to satisfy RHR loop requirements. With the unit in MODE6 and the refueling water level 23ft above the top of the reactor vessel flange, corrective actions shall be initiated immediately.

A.4, A.5, A.6.1, and A.6.2If LCO3.9.5 is not met, the foll owing actions must be taken:a.the equipment hatch or equipment hatch cover must be closed and secured with at least four bolts;b.one door in each installed air lock must be closed; and (continued)

North Anna Units 1 and 2B 3.9.5-4Revision 46 RHR and Coolant Circulation-High Water Level B 3.9.5BASESACTIONSA.4, A.5, A.6.1, and A.6.2 (continued)c.each penetration pr oviding direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust Isolation system.With RHR loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmo sphere. Performing the actions described above ensures th at all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allows fixing of most RHR problems and is reasonable, based on the low probabi lity of the coolant boiling in that time.SURVEILLANCE

REQUIREMENT

SSR3.9.5.1 This Surveillance demonstrates that the RHR loop is in operation and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. The Surveillance

Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.UFSAR, Section5.5.4.

North Anna Units 1 and 2B 3.9.6-1Revision 0RHR and Coolant Circulation-Low Water Level B 3.9.6B 3.9 REFUELING OPERATIONSB 3.9.6Residual Heat Removal (RHR) and Coolant Circulation-Low Water LevelBASESBACKGROUNDThe purpose of the RHR System in MODE6 is to remove decay heat and sensible heat from the Reactor Coolan t System (RCS) to provide mixing of borated coolant, and to prevent bor on stratification (Ref.1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal cooldown decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlli ng the flow of reactor coolant through the RHR heat exchanger(s) and the bypass lines. Mixing of the reactor

coolant is maintained by this conti nuous circulation of reactor coolant through the RHR System.APPLICABLE SAFETY ANALYSESIf the reactor coolant temperat ure is not maintained below 200F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant will eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two trains of the RHR System are required to be OPERABLE, and one train in operation, in order to prevent this challenge.The RHR System satisfies Criterion4 of 10CFR 50.36(c)(2)(ii).LCOIn MODE6, with the water level <23f t above the top of the reactor vessel flange, both RHR loops must be OPERABLE. Additionally, one loop of RHR must be in operati on in order to provide:a.Removal of decay heat; (continued)

North Anna Units 1 and 2B 3.9.6-2Revision 0RHR and Coolant Circulation-Low Water Level B 3.9.6BASESLCO(continued)b.Mixing of borated coolant to minimize the possibility of criticality; andc.Indication of reactor coolant temperature.

This LCO is modified by two Notes. Note1 permits the RHR pumps to be removed from operation for 15minutes when switching from one train to another. The circumstan ces for stopping both RHR pumps are to be limited to situations when the outage time is short and the core outlet temperature is maintained >10F below saturation temperature. The Note prohibits boron dilution or draining operations when RHR forced flow is stopped. Note2 allows one RHR loop to be inoperable for a period of 2hours

provided the other loop is OPERABLE a nd in operation. Prior to declaring the loop inoperable, consideration s hould be given to the existing unit configuration. This consideration should include that the core time to boil is short, there is no draining operati on to further reduce RCS water level and that the capability exists to inject borated water into the reactor vessel.

This permits surveillance tests to be performed on the inoperable loop during a time when these te sts are safe and possible.

An OPERABLE RHR loop consists of an RHR pump, a heat exchanger,

valves, piping, instruments and contro ls to ensure an OPERABLE flow path and to determine the RHR discharge temperature. The flow path starts in one of the RCS hot legs and is returned to at least one of the RCS cold legs.APPLICABILITYTwo RHR loops are required to be OPERABLE, and one RHR loop must be in operation in MODE6, with the water level <23ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the RHR System in other MODES are covered by LCOs in Section3.4,

Reactor Coolant System (RCS). RHR loop requirements in MODE6 with the water level 23ft are located in LCO3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level."ACTIONSA.1 and A.2If less than the required number of RHR loops are OPERABLE, action

shall be immediately initiated and con tinued until the RHR loop is restored to OPERABLE status and to operation (continued)

RHR and Coolant Circulation-Low Water Level B 3.9.6BASESNorth Anna Units 1 and 2B 3.9.6-3Revision 0ACTIONSA.1 and A.2 (continued) or until 23ft of water level is establishe d above the reactor vessel flange. When the water level is 23ft above the reacto r vessel flange, the Applicability changes to that of LCO3.9.5, and only one RHR loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

B.1If no RHR loop is in operation, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron

concentrations cannot occur by the a ddition of water with a lower boron concentration than that contained in the RCS, because all of the unborated water sources are isolated.

B.2If no RHR loop is in operation, actions shall be initiated immediately, and continued, to restore one RHR loop to operation. Since the unit is in ConditionsA andB concurrently, the restoration of two OPERABLE RHR

loops and one operating RHR loop should be accomplished expeditiously.

B.3, B.4, B.5.1, and B.5.2 If no RHR is in operation, the following actions must be taken:a.the equipment hatch or equipment hatch cover must be closed and secured with at least four bolts;b.one door in each installed air lock must be closed; andc.each penetration pr oviding direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPER ABLE Containment Purge and Exhaust Isolation system.With RHR loop requirements not met, the potential exists for the coolant to

boil and release radioactive gas to th e containment atmo sphere. Performing the actions described (continued)

North Anna Units 1 and 2B 3.9.6-4Revision 46RHR and Coolant Circulation-Low Water Level B 3.9.6BASESACTIONSB.3, B.4, B.5.1, and B.5.2 (continued)above ensures that all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allows fixing of most RHR problems and is reasonable, based on the low probabi lity of the coolant boiling in that time.SURVEILLANCE

REQUIREMENT

SSR3.9.6.1This Surveillance demonstrates that one RHR loop is in operation and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. In addition, during operation of the RHR loop with the water level lowered to the level of the reactor vessel nozzles, the RHR pump net positive suction head requirements must be met. The Surveillance Frequency is based on

operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR3.9.6.2Verification that the required pump is OPERABLE ensures that an additional RCS or RHR pump can be pl aced in operation, if needed, to maintain decay heat rem oval and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to

the required pump. The Surveillan ce Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that st ates the SR is not required to be performed until 24hours after a re quired pump is not in operation.REFERENCES1.UFSAR, Section5.5.4.

North Anna Units 1 and 2B 3.9.7-1Revision 20Refueling Cavity Water Level B 3.9.7B 3.9 REFUELING OPERATIONSB 3.9.7Refueling Cavity Water LevelBASESBACKGROUNDThe movement of irradiated fuel assemblies within containment requires a minimum water level of 23ft above th e top of the reactor vessel flange. During refueling, this maintains sufficient water level in the containment, refueling canal, fuel transfer canal, refueling cavity, and spent fuel pool. Sufficient water is necessary to reta in iodine fission product activity in the water in the event of a fuel handling accident (Refs.1 and2). Sufficient iodine activity would be retained to limit offsite dos es from the accident to the limits of Regulatory Guide1.183.APPLICABLE SAFETY ANALYSESDuring movement of irradiated fuel assemblies, the water level in the refueling canal and the refueling ca vity is an initial condition design parameter in the analysis of a fuel handling accident in containment, as postulated by Regulatory Guide1.183 (Ref.1). A minimum water level of 23ft allows an effective iodine decontamination factor of 200 (AppendixB Assumption2 of Ref.1) to be used in the accident analysis for iodine. This relates to the assumption that 99.5% of the total iodine released from the pellet to cladding gap of all the droppe d fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain 8% of the fuel rod I-131 inventory and 5% of all other iodine isotopes, which are included as other halogens (Ref.1).The fuel handling accident analysis inside containment is described in Reference2. With a minimum water level of 23ft, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Ref.1).

Refueling cavity water level satisfies Criterion2 of 10CFR 50.36(c)(2)(ii).LCOA minimum refueling cavity water level of 23ft above the reactor vessel flange is required to ensure that the radiological c onsequences of a postulated fuel handling accident inside containment are within acceptable limits.

North Anna Units 1 and 2B 3.9.7-2Revision 46Refueling Cavity Water Level B 3.9.7BASESAPPLICABILITYLCO3.9.7 is applicable when moving irradiated fuel assemblies within containment. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel assemblies are not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO3.7.16, "Fuel Storage Pool Water Level."ACTIONSA.1With a water level of <23ft above the top of the reactor vessel flange, all operations involving movement of irradi ated fuel assemblies within the containment shall be suspended immediat ely to ensure that a fuel handling accident cannot occur.

The suspension of fuel movement shall not preclude completion of movement of a component to a safe position.SURVEILLANCE REQUIREMENT

SSR3.9.7.1Verification of a minimum water level of 23ft above the top of the reactor vessel flange ensures that the design ba sis for the analysis of the postulated fuel handling accident during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fu el rods that are postulate d to result from a fuel handling accident inside containment (Ref.2).

The Surveillance Frequency is base d on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES1.Regulatory Guide1.183, July2000.2.UFSAR, Section15.4.7.

Retrieved from "https://kanterella.com/w/index.php?title=ML13302B892&oldid=799295"