ML15027A122: Difference between revisions

| page count = 843
| page count = 843
}}
}}
=Text=
{{#Wiki_filter:PVNGS Palo Verde Nuclear Generating Station Units 1, 2, and 3 Technical Specification Bases Revision 61 December 19, 2014
B 2.0  SAFETY LIMITS (SLs)
B 2.1.1  Reactor Core SLs

BASES

BACKGROUND

GDC 10 (Ref. 1) requires and SLs ensure that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and Anticipated Operational Occurrences (AOOs). This is accomplished by having a Departure from Nucleate Boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (95/95 DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature.

The restrictions of this SL prevent overheating of the fuel and cladding and possible cladding perforation that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state, peak Linear Heat Rate (LHR) below the level at which fuel centerline melting occurs. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.

Fuel centerline melting occurs when the local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.

Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in the heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.
The Reactor Protective System (RPS), in combination with the LCOs, is designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, and THERMAL POWER level that would result in a violation of the reactor core SLs.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation and AOOs. The reactor core SLs are established to preclude violation of the following fuel design criteria:

a. There must be at least a 95% probability at a 95% confidence level (95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; and
b. The hot fuel pellet in the core must not experience centerline fuel melting.

The RPS setpoints, LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation," in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for RCS temperature, pressure, flow rate and THERMAL POWER level that would result in a Departure from Nucleate Boiling Ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.

Automatic enforcement of these reactor core SLs is provided by the following functions:

a. Pressurizer Pressure - High trip;
b. Pressurizer Pressure - Low trip;
c. Variable Overpower - High trip;
d. Steam Generator Pressure - Low trip;
e. Local Power Density - High trip;
f. DNBR - Low trip;
g. Steam Generator Level - Low trip;
h. Log Power Level - High trip;
i. Reactor Coolant Flow - Low trip; and
j. Steam Generator Safety Valves.

The limitation that the average enthalpy in the hot leg be less than or equal to the enthalpy of saturated liquid also ensures that the T measured by instrumentation used in the protection system design as a measure of the core power is proportional to core power.

The SL represents a design requirement for establishing the protection system trip setpoints identified previously.
LCO 3.2.1, "Linear Heat Rate (LHR)," and LCO 3.2.4, "Departure From Nucleate Boiling Ratio (DNBR)," or the assumed initial conditions of the safety analyses (as indicated in the UFSAR, Ref. 2) provide more restrictive limits to ensure that the SLs are not exceeded.

SAFETY LIMITS

SL 2.1.1.1 and SL 2.1.1.2 ensure that the minimum DNBR is not less than the safety analyses limit and that fuel centerline temperature remains below melting.

The minimum value of the DNBR during normal operation and design basis AOOs is limited to 1.34, based on a statistical combination of CE-1 CHF correlation and engineering factor uncertainties, and is established as an SL. Additional factors such as rod bow and spacer grid size and placement will determine the limiting safety system settings required to ensure that the SL is maintained.

Maintaining the dynamically adjusted peak LHR to k fuel centerline temperature < 5080°F (decreasing by 58°F per 10,000 MWD/MTU for burnup and adjusting for burnable poisons per CENPD-382-P-A), ensures that fuel centerline melt will not occur during normal operating conditions or design AOOs. The design melting point of new fuel with no burnable poison is 5080°F. The melting point is adjusted downward from this temperature depending on the amount of burnup and amount and type of burnable poison in the fuel. The 58°F per 10,000 MWD/MTU adjustment for burnup was accepted by the NRC in Topical Report CEN-386-P-A, "Verification of the Acceptability of a 1-Pin Burnup Limit of 60 MWD/kgU for Combustion Engineering 16x16 PWR Fuel," August 1992. Adjustments for burnable poisons are established based on NRC approved Topical Report CENPD-382-P-A, "Methodology for Core Designs Containing Erbium Burnable Absorbers," August 1993.

A steady state peak linear heat rate of 21 kW/ft has been established as the Limiting Safety System Setting to prevent fuel centerline melting during normal steady state operation. Following design basis anticipated operational occurrences, the transient linear heat rate may exceed 21 kW/ft provided the fuel centerline melt temperature is not exceeded. However, if the transient linear heat rate does not exceed 21 kW/ft, then the fuel centerline melt temperature is also not exceeded.

APPLICABILITY

SL 2.1.1.1 and SL 2.1.1.2 only apply in MODES 1 and 2 because these are the only MODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES 1 and 2 to ensure operation within the reactor core SLs. The steam generator safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function, which forces the unit into MODE 3. Setpoints for the reactor trip functions are specified in LCO 3.3.1.

In MODES 3, 4, 5, and 6, Applicability is not required, since the reactor is not generating significant THERMAL POWER.

SAFETY LIMIT VIOLATIONS

The following violation responses are applicable to the reactor core SLs.

2.2.1

If SL 2.1.1.1 or SL 2.1.1.2 is violated, the requirement to go to MODE 3 places the unit in a MODE in which this SL is not applicable.

The allowed Completion Time of 1 hour recognizes the importance of bringing the unit to a MODE where this SL is not applicable and reduces the probability of fuel damage.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10, 1988.
2. UFSAR, Sections 6 and 15.

B 2.0  SAFETY LIMITS (SLs)
B 2.1.2  Reactor Coolant System (RCS) Pressure SL

BASES

BACKGROUND

The SL on RCS pressure protects the integrity of the RCS against over pressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. By establishing an upper limit on RCS pressure, continued RCS integrity is ensured. According to 10 CFR 50, Appendix A, GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref. 1), the Reactor Coolant Pressure Boundary (RCPB) design conditions are not to be exceeded during normal operation and Anticipated Operational Occurrences (AOOs). Also, according to GDC 28 (Ref. 1), "Reactivity Limits," reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.

The design pressure of the RCS is 2500 psia. During normal operation and AOOs, the RCS pressure is kept from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, according to the ASME Code requirements prior to initial operation, when there is no fuel in the core. Following inception of unit operation, RCS components shall be pressure tested, in accordance with the requirements of ASME Code, Section XI (Ref. 3).

Overpressurization of the RCS could result in a breach of the RCPB. If this occurs in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere, raising concerns relative to limits on radioactive releases specified in 10 CFR 100, "Reactor Site Criteria" (Ref. 4).

APPLICABLE SAFETY ANALYSES

The RCS pressurizer safety valves, the Main Steam Safety Valves (MSSVs), and the Reactor Pressure - High trip have settings established to ensure that the RCS pressure SL will not be exceeded.

The RCS pressurizer safety valves are sized to prevent system pressure from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code for Nuclear Power Plant Components (Ref. 2). The transient that establishes the required relief capacity, and hence the valve size requirements and lift settings, is a complete loss of external load without a direct reactor trip. During the transient, no control actions are assumed except that the safety valves on the secondary plant are assumed to open when the steam pressure reaches the secondary plant safety valve settings.

The Reactor Protective System (RPS) trip setpoints (LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation"), together with the settings of the MSSVs (LCO 3.7.1, "Main Steam Safety Valves (MSSVs)") and the pressurizer safety valves, provide pressure protection for normal operation and AOOs. In particular, the Pressurizer Pressure - High Trip setpoint is specifically set to provide protection against overpressurization (Ref. 5). Safety analyses for both the Pressure - High Trip and the RCS pressurizer safety valves are performed, using conservative assumptions relative to pressure control devices.

More specifically, no credit is taken for operation of the following:

a. Steam Bypass Control System;
b. Pressurizer Level Control System;
c. Pressurizer Pressure Control System; or
d. Main Feedwater System

SAFETY LIMITS

The maximum transient pressure allowable in the RCS under the ASME Code, Section III, is 110% of design pressure. Therefore, the SL on maximum allowable RCS pressure is established at 2750 psia.

APPLICABILITY

SL 2.1.2 applies in MODES 1, 2, 3, 4, and 5 because this SL could be approached or exceeded in these MODES due to overpressurization events. The SL is not applicable in MODE 6 because the reactor vessel head closure bolts are not fully tightened, making it unlikely that the RCS can be pressurized.

SAFETY LIMIT VIOLATIONS

The following SL violation responses are applicable to the RCS pressure SLs.

2.2.2.1

If the RCS pressure SL is violated when the reactor is in MODE 1 or 2, the requirement is to restore compliance and be in MODE 3 within 1 hour.

With RCS pressure greater than the value specified in SL 2.1.2 in MODE 1 or 2, the pressure must be reduced to below this value. A pressure greater than the value specified in SL 2.1.2 exceeds 110% of the RCS design pressure and may challenge system integrity.

The allowed Completion Time of 1 hour provides the operator time to complete the necessary actions to reduce RCS pressure by terminating the cause of the pressure increase, removing mass or energy from the RCS, or a combination of these actions, and to establish MODE 3 conditions.

2.2.2.2

If the RCS pressure SL is exceeded in MODE 3, 4, or 5, RCS pressure must be restored to within the SL value within 5 minutes.

Exceeding the RCS pressure SL in MODE 3, 4, or 5 is potentially more severe than exceeding this SL in MODE 1 or 2, since the reactor vessel temperature may be lower and the vessel material, consequently, less ductile. As such, pressure must be reduced to less than the SL within 5 minutes. This action does not require reducing MODES, since this would require reducing temperature, which would compound the problem by adding thermal gradient stresses to the existing pressure stress.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 14, GDC 15, and GDC 28.
2. ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000.
3. ASME, Boiler and Pressure Vessel Code, Section XI, Article IWX-5000.
4. 10 CFR 100.
5. UFSAR, Section 7.

B 3.0  LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY

BASES

LCOs

LCO 3.0.1 through LCO 3.0.8 establish the general requirements applicable to all Specifications and apply at all times unless otherwise stated.

LCO 3.0.1

LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).

LCO 3.0.2

LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:

a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and
b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time.
In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation. Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications. The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case.
An example of this is in LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits."  The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems. Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Alternatives that would not result in redundant equipment being inoperable should be used instead.
Doing so limits the time both subsystems/trains of a safety function are inoperable and limits the time other conditions exist which result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed. When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable and the ACTIONS Condition(s) are entered.
______________________________________________________________________________ LCO  3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:  a. An associated Required Action and Completion Time is not met and no other Condition applies; or  b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately. This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable. Upon entering LCO 3.0.3, 1 hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE.
This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.
A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:  a. The LCO is now met. b. A Condition exists for which the Required Actions have now been performed. c. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited. The time limits of Specification 3.0.3 allow 37 hours for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is reached in 2 hours, then the time allowed for reaching MODE 5 is the next 35 hours, because the total time for reaching MODE 5 is not reduced from the allowable limit of 37 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed. In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3.
The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.
Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.14, "Fuel Storage Pool Water Level."  LCO 3.7.14 has an Applicability of "During movement of irradiated fuel assemblies in the fuel storage pool."  Therefore, this LCO can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.14 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO 3.7.14 of "Suspend movement of irradiated fuel assemblies in fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications. ______________________________________________________________________________ LCO  3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when Unit conditions are such that the requirements of the LCO would not be met in accordance with LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c. LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time.
Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions of the Required Actions.
LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate. The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities be assessed and managed.
The risk assessment, for the purposes of LCO 3.0.4 (b), must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants."  Regulatory Guide 1.182 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants."  These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.
LCO 3.0.4.b may be used with single or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components. The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. The LCO 3.0.4.b risk assessments do not have to be documented. The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and since in general the risk impact in that particular MODE bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, the use of the LCO 3.0.4.b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more important to risk and use of the LCO 3.0.4.b allowance is prohibited.
The LCOs governing these systems and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable. LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., RCS Specific Activity), and may be applied to other Specifications based on NRC plant-specific approval. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.
The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5. Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification. Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO. ______________________________________________________________________________ LCO  3.0.5  LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS.
The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:  a. The OPERABILITY of the equipment being returned to service; or  b. The OPERABILITY of other equipment. The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance. An example of demonstrating the OPERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the required testing.
An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system. ______________________________________________________________________________ LCO  3.0.6  LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions. When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability.
However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support system's Required Actions.
However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2. Specification 5.5.15, "Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6. Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. A loss of safety function may exist when a support system is inoperable, and:
a. A required system redundant to system(s) supported by the inoperable support system is also inoperable; or (EXAMPLE B3.0.6-1)
b. A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable; or (EXAMPLE B3.0.6-2)
c. A required system redundant to support system(s) for the supported systems (a) and (b) above is also inoperable. (EXAMPLE B3.0.6-3)
If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered. This loss of safety function does not require the assumption of additional single failures or loss of offsite power. Since operation is being restricted in accordance with the ACTIONS of the support system, any resulting temporary loss of redundancy or single failure protection is taken into account. Similarly, the ACTIONS for inoperable offsite circuit(s) and inoperable diesel generator(s) provide the necessary restriction for cross train inoperabilities. This explicit cross train verification for inoperable AC electrical power sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency electrical power source (refer to the definition of OPERABILITY). When a loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system (e.g., loss of automatic start due to inoperable instrumentation, or loss of pump suction source due to low tank level) the appropriate LCO is the LCO for the support system. The ACTIONS for a support system LCO adequately address the inoperabilities of that system without reliance on entering its supported system LCO.
When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.
EXAMPLE B3.0.6-1 If System 2 of Train A is inoperable, and System 5 of Train B is inoperable, a loss of safety function exists in supported Systems 5, 10 and 11.
EXAMPLE B3.0.6-2 If System 2 of Train A is inoperable, and System 11 of Train B is inoperable, a loss of safety function exists in System 11 which is in turn supported by System 5.
EXAMPLE B3.0.6-3 If System 2 of Train A is inoperable, and System 1 of Train B is inoperable, a loss of safety function exists in Systems 2, 4, 5, 8, 9, 10, and 11.
For the examples above, support systems are to the left of the supported systems (i.e., System 1 supports System 2 and System 3). ______________________________________________________________________________
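The cross train check and EXAMPLES B3.0.6-1 through B3.0.6-3, worked as an added sketch that is not part of the Bases or of any plant's SFDP. The figure the examples refer to is not reproduced on this page, so the support tree used here (System 1 supports 2 and 3, System 2 supports 4 and 5, and so on down to System 15, identical in Trains A and B) is an assumption reconstructed from the three examples; all function names are hypothetical.

```python
"""Cross train loss-of-safety-function check over an assumed support tree."""

# ASSUMPTION: the support relationships are rebuilt from the three examples
# in the text (System n supports Systems 2n and 2n+1, for n = 1..7). The
# original figure is not on the page; a real program uses plant-specific data.
SUPPORTS = {n: (2 * n, 2 * n + 1) for n in range(1, 8)}
PARENT = {child: sup for sup, children in SUPPORTS.items() for child in children}
SYSTEMS = set(SUPPORTS) | set(PARENT)
TRAINS = ("A", "B")


def support_chain(system):
    """Return [system, its support system, that system's support, ...]."""
    chain = [system]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def causes(system, inoperable_in_train):
    """Inoperable systems in one train that take `system` out of service.

    A system is unavailable if it is inoperable itself or if any system in
    its support chain is inoperable.
    """
    return sorted(s for s in support_chain(system) if s in inoperable_in_train)


def cross_train_check(inoperable):
    """Map each system lost in BOTH trains to the causes found in each train.

    `inoperable` maps a train name to the systems declared inoperable in it.
    A train missing from the mapping is treated as fully OPERABLE.
    """
    for train, systems in inoperable.items():
        if train not in TRAINS:
            raise ValueError(f"unknown train: {train!r}")
        unknown = set(systems) - SYSTEMS
        if unknown:
            raise ValueError(f"unknown systems in train {train}: {sorted(unknown)}")

    lost = {}
    for system in sorted(SYSTEMS):
        per_train = {
            train: causes(system, set(inoperable.get(train, ())))
            for train in TRAINS
        }
        # The safety function is lost only when no train can still provide it.
        if all(per_train.values()):
            lost[system] = per_train
    return lost


def loss_of_safety_function(inoperable):
    """Sorted list of systems whose function is lost in every train."""
    return list(cross_train_check(inoperable))


if __name__ == "__main__":
    # Constructed inputs: the three examples from the text.
    examples = {
        "B3.0.6-1": {"A": {2}, "B": {5}},
        "B3.0.6-2": {"A": {2}, "B": {11}},
        "B3.0.6-3": {"A": {2}, "B": {1}},
    }
    for name, state in examples.items():
        print(name, loss_of_safety_function(state))
        for system, why in cross_train_check(state).items():
            print(f"  System {system}: Train A cause {why['A']}, Train B cause {why['B']}")
```

The per-train cause lists show whether a loss traces to one inoperable support system or to several, which is the distinction the text draws when choosing between the support system LCO and the supported system LCO.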
LCO  3.0.7 Special tests and operations are required at various times over the unit's life to demonstrate performance characteristics, to perform maintenance activities, and to perform special evaluations. Because TS normally preclude these tests and operations, Special Test Exceptions (STEs) allow specified requirements to be changed or suspended under controlled conditions. STEs are included in applicable sections of the Specifications. Unless otherwise specified, all other TS requirements remain unchanged and in effect as applicable. This will ensure that all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed or suspended to perform the special test or operation will remain in effect. The Applicability of an STE LCO represents a condition not necessarily in compliance with the normal requirements of the TS. Compliance with STE LCOs is optional. A special test may be performed under either the provisions of the appropriate STE LCO or the other applicable TS requirements. If it is desired to perform the special test under the provisions of the STE LCO, the requirements of the STE LCO shall be followed. This includes the SRs specified in the STE LCO. Some of the STE LCOs require that one or more of the LCOs for normal operation be met (i.e., meeting the STE LCO requires meeting the specified normal LCOs). The Applicability, ACTIONS, and SRs of the specified normal LCOs, however, are not required to be met in order to meet the STE LCO when it is in effect. This means that, upon failure to meet a specified normal LCO, the associated ACTIONS of the STE LCO apply, in lieu of the ACTIONS of the normal LCO.
Exceptions to the above do exist. There are instances when the Applicability of the specified normal LCO must be met, where its ACTIONS must be taken, where certain of its Surveillances must be performed, or where all of these requirements must be met concurrently with the requirements of the STE LCO. Unless the SRs of the specified normal LCOs are suspended or  changed by the special test, those SRs that are necessary to meet the specified normal LCOs must be met prior to performing the special test. During the conduct of the special test, those Surveillances need not be performed unless specified by the ACTIONS or SRs of the STE LCO. ACTIONS for STE LCOs provide appropriate remedial measures upon failure to meet the STE LCO. Upon failure to meet these ACTIONS, suspend the performance of the special test and enter the ACTIONS for all LCOs that are then not met.
Entry into LCO 3.0.3 may possibly be required, but this determination should not be made by considering only the failure to meet the ACTIONS of the STE LCO.
______________________________________________________________________________ LCO  3.0.8 LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications (TS) under licensee control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee. If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported system's LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2. LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train or subsystem of a multiple train or subsystem supported system or to a single train or subsystem supported system. LCO 3.0.8.a allows 72 hours to restore the snubber(s) before declaring the supported system inoperable.
The 72 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function and due to the availability of the redundant train of the supported system. LCO 3.0.8.b applies when one or more snubbers are not capable of providing their associated support function(s) to more than one train or subsystem of a multiple train or subsystem supported system. LCO 3.0.8.b allows 12 hours to restore the snubber(s) before declaring the supported system inoperable. The 12 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function. LCO 3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of 10 CFR 50.65(a)(4) (the Maintenance Rule) does not address seismic risk. However, use of LCO 3.0.8 should be considered with respect to other plant maintenance activities, and integrated into the existing Maintenance Rule process to the extent possible so that maintenance on any unaffected train or subsystem is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and components when one or more snubbers are not able to perform their associated support function. In order to utilize LCO 3.0.8, the restrictions listed below shall be met.
1. When LCO 3.0.8 is used, confirm that at least one train (or subsystem) of systems supported by the non-functional snubber(s) would remain capable of performing their required safety or support functions for postulated design loads other than seismic loads. LCO 3.0.8 does not apply to non-seismic snubbers.
2. When LCO 3.0.8 is used, a record of the design function of the nonfunctional snubber(s) (i.e., seismic vs. non-seismic), implementation of the applicable LCO 3.0.8 restrictions, and the associated plant configuration shall be available on a recoverable basis for NRC inspection.
3. When LCO 3.0.8.a is used, at least one AFW train (including a minimum set of supporting equipment required for its successful operation) or some alternative means of core cooling, not associated with the non-functional snubber(s), must be available.
4. When LCO 3.0.8.b is used, at least one AFW train (including a minimum set of supporting equipment required for its successful operation) not associated with the non-functional snubber(s), or some alternative means of core cooling (e.g., fire water system or "aggressive secondary cooldown" using the steam generators) must be available.
SR Applicability B 3.0 BASES ______________________________________________________________________________ (continued) ______________________________________________________________________________ PALO VERDE UNITS 1,2,3 B 3.0-16 REVISION 50 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated. ______________________________________________________________________________ SR  3.0.1  SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO.
Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency.
Additionally, the definitions related to instrument testing (e.g., CHANNEL CALIBRATION) specify that these tests are performed by means of any series of sequential, overlapping, or total steps.

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:
a. The systems or components are known to be inoperable, although still meeting the SRs; or
b. The requirements of the Surveillance(s) are known to be not met between required Surveillance performances.

Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a Special Test Exception (STE) are only applicable when the STE is used as an allowable exception to the requirements of a Specification.
Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition.

Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status.
Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed. Some examples of this process are:  a. Auxiliary Feedwater (AFW) pump turbine maintenance during refueling that requires testing at steam pressures > 800 psi. However, if other appropriate testing is satisfactorily completed, the AFW System can be considered OPERABLE. This allows startup and other necessary testing to proceed until the plant reaches the steam pressure required to perform the testing. b. High Pressure Safety Injection (HPSI) maintenance during shutdown that requires system functional tests at a specified pressure. Provided other appropriate testing is satisfactorily completed, startup can proceed with HPSI considered OPERABLE. This allows operation to reach the specified pressure to complete the necessary post maintenance testing.
SR 3.0.2
SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per..."
interval. SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveillance (e.g.,
transient conditions or other ongoing Surveillance or maintenance activities). The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. An example of where SR 3.0.2 does not apply is the Containment Leak Rate Testing Program. As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25%
extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25%
extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.
The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.

SR 3.0.3
SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24 hours or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met. Reference Bases Section 3.0.2 for discussion and applicability of Frequency and 25% extension.

This delay period provides an adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.
When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals.

While up to 24 hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance.
This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants."  This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component.
Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.
If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4
SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified Condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not met due to a Surveillance not being met in accordance with LCO 3.0.4.
However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability.
However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3. The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5. The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency.
B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.1 SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Open

BASES

BACKGROUND
The reactivity control systems must be redundant and capable of holding the reactor core subcritical when shut down under cold conditions, in accordance with GDC 26 (Ref. 1).
Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel. SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs). As such, the SDM defines the degree of subcriticality that would be obtained immediately following the insertion of all full strength control element assemblies (CEAs), assuming the single CEA of highest reactivity worth is fully withdrawn with Reactor Trip Breakers open. This reactivity worth is credited in establishing the required SDM. The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable CEAs and soluble boric acid in the Reactor Coolant System (RCS). The CEA System provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding acceptable fuel design limits, assuming that the CEA of highest reactivity worth remains fully withdrawn. The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes, and maintain the reactor subcritical under cold conditions. During power operation, SDM control is ensured by operating with the shutdown CEAs fully withdrawn and the regulating CEAs within the limits of LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits."  When the unit is in the shutdown and refueling modes, the SDM requirements are met by means of adjustments to the RCS boron concentration.
APPLICABLE SAFETY ANALYSES
The minimum required SDM is assumed as an initial condition in safety analysis. The safety analysis (Ref. 2) establishes a SDM that ensures specified acceptable fuel design limits are not exceeded for normal operation and AOOs, with the assumption of the highest worth CEA stuck out following a reactor trip. Specifically, for MODE 5, the primary safety analysis that relies on the SDM limits is the boron dilution analysis.

The acceptance criteria for SDM are that specified acceptable fuel design limits are maintained. This is done by ensuring that:
a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;
b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from nucleate boiling ratio (DNBR), fuel centerline temperature limits for AOOs, and 280 cal/gm energy deposition for the CEA ejection accident); and
c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

The most limiting accident for the SDM requirements is based on a main steam line break (MSLB), as described in the accident analysis (Ref. 2). The increased steam flow resulting from a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG), and consequently the RCS. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As initial RCS temperature decreases, the severity of an MSLB decreases. The most limiting MSLB, with respect to potential fuel damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus terminating RCS heat removal and cooldown. Following the MSLB, a post trip return to power may occur; however, no fuel damage occurs as a result of the post trip return to power. Therefore, operation of the plant in conformance with minimum SDM requirements ensures that, should a MSLB occur, control room and offsite radiological dose consequences will remain within licensing basis limits as described in the accident analyses (Ref. 2).
In addition to the limiting MSLB transient, the SDM requirement for MODES 3, 4, and 5 must also protect against:  a. Inadvertent boron dilution;  b. Startup of an inactive reactor coolant pump (RCP); and  c. CEA ejection. Each of these is discussed below. In the inadvertent boron dilution analysis, the amount of reactivity by which the reactor is subcritical is determined by the reactivity difference between an initial subcritical boron concentration and the corresponding critical boron concentration. The initial subcritical boron concentration assumed in the analysis corresponds to the minimum SDM requirements. These two values (initial and critical boron concentrations), in conjunction with the configuration of the Reactor Coolant System (RCS) and the assumed dilution flow rate, directly affect the results of the analysis. For this reason the event is most limiting at the beginning of core life when critical boron concentrations are highest. The startup of an inactive RCP will not result in a "cold water" criticality, even if the maximum difference in temperature exists between the SG and the core. Although this event was considered in establishing the requirements for SDM, it is not the limiting event with respect to the specification limits. In the analysis of the CEA ejection event, maintaining SDM ensures the reactor remains subcritical following a CEA ejection and, therefore, satisfies the radially averaged enthalpy acceptance criterion considering power redistribution effects. SHUTDOWN MARGIN is the amount by which the core is subcritical, or would be subcritical immediately following a reactor trip, considering a single malfunction resulting in the highest worth CEA failing to insert. 
With any full strength CEAs not capable of being fully inserted, the withdrawn reactivity worth of these CEAs must be accounted for in the determination of SDM.

The SDM satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the most limiting analyses that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed 10 CFR 100, "Reactor Site Criterion," limits (Ref. 4). For the boron dilution accident, if the LCO is violated, then the minimum required time assumed for operator action to terminate dilution may no longer be applicable.

SDM is a core physics design condition that can be ensured through CEA positioning (regulating and shutdown CEAs) and through the soluble boron concentration.

APPLICABILITY
In MODES 3, 4 and 5 with the Reactor Trip Breakers Open or the CEA drive system not capable of CEA withdrawal, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODES 1 and 2, SDM is ensured by complying with LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits," and LCO 3.1.7. In MODES 3, 4 and 5 with the Reactor Trip Breakers Closed, SDM is addressed by LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed." In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration."
ACTIONS
A.1
If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. It is assumed that boration will be continued until the SDM requirements are met.

In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the refueling water tank. The operator should borate with the best source available for the plant conditions.

In determining the boration flow rate, the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle, when boron concentration may approach or exceed 2000 ppm. Assuming that a value of 1% Δk/k must be recovered and a boration flow rate of 26 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in less than 4 hours with a 4000 ppm source. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Δk/k. These boration parameters of 26 gpm and 4000 ppm represent typical values and are provided for the purpose of offering a specific example.

SURVEILLANCE REQUIREMENTS
SR 3.1.1.1
SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:
a. RCS boron concentration;
b. CEA positions;
c. RCS average temperature;
d. Fuel burnup based on gross thermal energy generation;
e. Xenon concentration;
f. Samarium concentration; and
g. Isothermal temperature coefficient (ITC).

Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as the RCS.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. 10 CFR 50, Appendix A, GDC 26.
2. UFSAR, Section 15.1.
3. UFSAR, Section 15.4.
4. 10 CFR 100.
B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.2 SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed

BASES

BACKGROUND
The reactivity control systems must be redundant and capable of holding the reactor core subcritical when shut down under cold conditions, in accordance with GDC 26 (Ref. 1).
Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel. SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs). As such, SDM defines the degree of subcriticality that would be obtained immediately following the insertion of all full strength control element assemblies (CEAs), assuming the single CEA of highest reactivity worth is fully withdrawn. The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable CEAs and soluble boric acid in the Reactor Coolant System (RCS). The CEA System provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding the acceptable fuel design limits, assuming that the CEA of highest reactivity worth remains fully withdrawn. The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes, and maintain the reactor subcritical under cold conditions. During power operation, SDM control is ensured by operating with the shutdown CEAs fully withdrawn and the regulating CEAs within the limits of LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits."  When the unit is in the shutdown and refueling modes, the SDM requirements are met by means of adjustments to the RCS boron concentration.
APPLICABLE SAFETY ANALYSES
The minimum required SDM is assumed as an initial condition in safety analysis. The safety analysis (Ref. 2) establishes a SDM that ensures specified acceptable fuel design limits are not exceeded for normal operation and AOOs with the assumption of the highest worth CEA stuck out following a reactor trip. Specifically, for MODE 5, the primary safety analysis that relies on the SDM limits is the boron dilution analysis.

The acceptance criteria for SDM requirements are that the specified acceptable fuel design limits are maintained.
This is done by ensuring that:
a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;
b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from nucleate boiling ratio, fuel centerline temperature limits for AOOs, and 280 cal/gm energy deposition for the CEA ejection accident); and
c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

The most limiting accident for the SDM requirements is based on a main steam line break (MSLB), as described in the accident analysis (Ref. 2). The increased steam flow resulting from a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG), and consequently the RCS. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As initial RCS temperature decreases, the severity of an MSLB decreases. The most limiting MSLB, with respect to potential fuel damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus terminating RCS heat removal and cooldown. Following the MSLB, a post trip return to power may occur; however, no fuel damage occurs as a result of the post trip return to power.
Therefore, operation of the plant in conformance with minimum SDM requirements ensures that, should a MSLB occur, control room and offsite radiological dose consequences will remain within licensing basis limits as described in the accident analysis (Ref. 2). In addition to the limiting MSLB transient, the SDM requirement for MODES 3, 4, and 5 must also protect against:  a. Inadvertent boron dilution;  b. An uncontrolled CEA withdrawal from a subcritical condition;  c. Startup of an inactive reactor coolant pump (RCP); and  d. CEA ejection. Each of these is discussed below. In the inadvertent boron dilution analysis, the amount of reactivity by which the reactor is subcritical is determined by the reactivity difference between an initial subcritical boron concentration and the corresponding critical boron concentration. The initial subcritical boron concentration assumed in the analysis corresponds to the  minimum SDM requirements. These two values (initial and critical boron concentrations), in conjunction with the configuration of the Reactor Coolant System (RCS) and the assumed dilution flow rate, directly affect the results of the analysis. For this reason the event is most limiting at the beginning of core life when critical boron concentrations are highest. The withdrawal of CEAs from subcritical conditions adds reactivity to the reactor core, causing both the core power level and heat flux to increase with corresponding increases in reactor coolant temperatures and pressure. The withdrawal of CEAs also produces a time dependent redistribution of core power. The uncontrolled CEA withdrawal transient is terminated by a high power level trip. Power level, RCS pressure, peak fuel centerline temperature, and the DNBR do not exceed allowable limits.
The startup of an inactive RCP will not result in a "cold water" criticality, even if the maximum difference in temperature exists between the SG and the core. Although this event was considered in establishing the requirements for SDM, it is not the limiting event with respect to the specification limits. In the analysis of the CEA ejection event, SDM alone cannot prevent reactor criticality following a CEA ejection. At temperatures less than 500°F, the KN-1 requirement ensures the reactor remains subcritical and, therefore, satisfies the radially averaged enthalpy acceptance criterion considering power redistribution effects. Above 500°F, Doppler reactivity feedback is sufficient to preclude the need for a specific KN-1 requirement. The function of SHUTDOWN MARGIN is to ensure that the reactor remains subcritical following a design basis accident or anticipated operational occurrence. During operation in MODES 1 and 2, with keff greater than or equal to 1.0, the transient insertion limits of Specification 3.1.3.6 ensure that sufficient SHUTDOWN MARGIN is available. SHUTDOWN MARGIN is the amount by which the core is subcritical, or would be subcritical immediately following a reactor trip, considering a single malfunction resulting in the highest worth CEA failing to insert. With any full strength CEAs not capable of being fully inserted, the withdrawn reactivity worth of the CEAs must be accounted for in the determination of SDM. SHUTDOWN MARGIN requirements vary throughout the core life as a function of fuel depletion and reactor coolant system (RCS) cold leg temperature (Tcold).
The most restrictive condition occurs at EOL, with Tcold at no-load operating temperature, and is associated with a postulated steam line break accident and the resulting uncontrolled RCS cooldown.
In the analysis of this accident, the specified SHUTDOWN MARGIN is required to control the reactivity transient and ensure that the fuel performance and offsite dose criteria are satisfied.
As (initial) Tcold decreases, the potential RCS cooldown and the resulting reactivity transient are less severe and, therefore, the required SHUTDOWN MARGIN also decreases. Below Tcold of about 350°F, the inadvertent deboration event becomes limiting with respect to the applicable SHUTDOWN MARGIN requirements. Below 350°F, the specified SHUTDOWN MARGIN ensures that sufficient time for operator actions exists between the initial indication of the deboration and the total loss of shutdown margin. Accordingly, with the reactor trip breakers closed and the CEA drive system capable of CEA withdrawal, the SHUTDOWN MARGIN requirements are based upon these limiting conditions. Additional events considered in establishing requirements on SHUTDOWN MARGIN that are not limiting with respect to the Specification limits are single CEA withdrawal and startup of an inactive reactor coolant pump. The function of KN-1 is to maintain sufficient subcriticality to preclude inadvertent criticality following ejection of a single control element assembly (CEA). KN-1 is a measure of the core's reactivity, considering a single malfunction resulting in the highest worth inserted CEA being ejected. KN-1 requirements vary with the amount of positive reactivity that would be introduced assuming the CEA with the highest inserted worth ejects from the core. The KN-1 requirement ensures that a CEA ejection event while shutdown will not result in criticality. Above Tcold of 500°F, Doppler reactivity feedback is sufficient to preclude the need for a specific KN-1 requirement.
With all CEAs fully inserted, KN-1 and SHUTDOWN MARGIN requirements are equivalent in terms of minimum acceptable core boron concentration. The requirement prohibiting criticality due to shutdown group CEA movement is associated with the assumptions used in the analysis of uncontrolled CEA withdrawal from subcritical conditions. Due to the high differential reactivity worth of the shutdown CEA groups, the analysis assumes that the initial shutdown reactivity is such that the reactor will remain subcritical in the event of unexpected or uncontrolled shutdown group withdrawal. The SDM satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).
LCO

The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the most limiting analyses that establish the reactivity control requirements of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed 10 CFR 100, "Reactor Site Criterion," limits (Ref. 4). For the boron dilution accident, if the LCO is violated, then the minimum required time assumed for operator action to terminate dilution may no longer be applicable. SDM, KN-1, and criticality due to Shutdown CEA withdrawal are core physics design conditions that can be ensured through CEA positioning (regulating and shutdown CEAs) and through the soluble boron concentration.

APPLICABILITY

In MODES 3, 4, and 5 with the Reactor Trip Breakers Closed and the CEA Drive System capable of CEA withdrawal, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODES 1 and 2, SDM is ensured by complying with LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits," and LCO 3.1.7. In MODES 3, 4, and 5 with the Reactor Trip Breakers Open, SDM is addressed by LCO 3.1.1, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Open." In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration."

ACTIONS

A.1

If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components and/or vary CEA position.
It is assumed that boration will be continued until the SDM requirements are met. In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the refueling water tank. The operator should borate with the best source available for the plant conditions. In determining the boration flow rate the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle, when boron concentration may approach or exceed 2000 ppm. Assuming that a value of 1% Δk/k must be recovered and a boration flow rate of 26 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in less than 4 hours with a 4000 ppm source.
If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Δk/k. These boration parameters of 26 gpm and 4000 ppm represent typical values and are provided for the purpose of offering a specific example.

B.1 and B.2

If the KN-1 requirements are not met or reactor criticality is achievable by Shutdown Group CEA movement, boration must be initiated promptly and CEA position varied to restore KN-1 within limit or to ensure criticality due to Shutdown Group CEA movement is not achievable. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components and vary CEA position. It is assumed that boration will be continued and CEA position varied to return KN-1 to within limit or prevent reactor criticality due to Shutdown Group CEA movement. CEA movement is only required if the specific limit exceeded can be improved by taking this action. In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the refueling water tank. The operator should borate with the best source available for the plant conditions.
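The 26 gpm / 4000 ppm boration example given under ACTIONS A.1 can be checked with a simple well-mixed feed-and-bleed model. This is an added illustration, not part of the Technical Specification Bases or any plant procedure; the RCS inventory of 100,000 gallons and the 300 ppm late-cycle concentration are assumed values chosen for the example, and density differences between the borated source and the RCS are ignored.

```python
import math

PCM_PER_PERCENT = 1000.0  # 1% delta-k/k equals 1000 pcm


def ppm_needed(reactivity_percent, boron_worth_pcm_per_ppm):
    """Boron concentration increase (ppm) that supplies the given
    negative reactivity, for an assumed constant boron worth."""
    if boron_worth_pcm_per_ppm <= 0:
        raise ValueError("boron worth must be positive")
    return reactivity_percent * PCM_PER_PERCENT / boron_worth_pcm_per_ppm


def boration_time_hours(c_initial_ppm, delta_ppm, c_source_ppm,
                        flow_gpm, rcs_gallons):
    """Time to raise RCS boron by delta_ppm with a constant-inventory,
    perfectly mixed model:  dC/dt = (Q / V) * (C_source - C).

    Integrating from C0 to C0 + delta gives
        t = (V / Q) * ln((Cs - C0) / (Cs - C0 - delta)).
    """
    if flow_gpm <= 0 or rcs_gallons <= 0:
        raise ValueError("flow rate and inventory must be positive")
    c_target = c_initial_ppm + delta_ppm
    if c_target >= c_source_ppm:
        # The RCS concentration can only approach the source concentration.
        raise ValueError("target concentration not reachable with this source")
    turnover_minutes = rcs_gallons / flow_gpm
    ratio = (c_source_ppm - c_initial_ppm) / (c_source_ppm - c_target)
    return turnover_minutes * math.log(ratio) / 60.0


def worked_example(rcs_gallons=100_000.0):
    """Reproduce the page's example. rcs_gallons is an ASSUMED inventory;
    the page does not state one."""
    delta = ppm_needed(1.0, 10.0)           # 1% at 10 pcm/ppm
    boc = boration_time_hours(2000.0, delta, 4000.0, 26.0, rcs_gallons)
    # Constructed late-cycle case (300 ppm is an assumed starting value):
    # a larger gap to the source concentration shortens the boration time.
    late = boration_time_hours(300.0, delta, 4000.0, 26.0, rcs_gallons)
    return {"delta_ppm": delta, "boc_hours": boc, "late_cycle_hours": late}


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value:.2f}")
```

With the assumed inventory, the beginning-of-cycle case takes longer than the late-cycle case because the driving difference between source and RCS concentration is smaller, which is why the text calls beginning of cycle the most difficult time to borate.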
In determining the boration flow rate the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle, when the boron concentration will exceed 2000 ppm. Assuming that a value of 1% Δk/k must be recovered and a boration flow rate of 26 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in less than 4 hours with a 4000 ppm source. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Δk/k. These boration parameters of 26 gpm and 4000 ppm represent typical values and are provided for the purpose of offering a specific example.

SURVEILLANCE REQUIREMENTS

SR 3.1.2.1, 3.1.2.2 and 3.1.2.3

SDM, KN-1, and criticality not being achievable with Shutdown Group CEA withdrawal are verified by performing a reactivity balance calculation, considering the listed reactivity effects: a. RCS boron concentration; b. CEA positions; c. RCS average temperature; d. Fuel burnup based on gross thermal energy generation; e. Xenon concentration; f. Samarium concentration; and g. Isothermal temperature coefficient (ITC). Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as that of the RCS.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26.
2. UFSAR, Section 15.1.
3. UFSAR, Section 15.4.
4. 10 CFR 100

Reactivity Balance B 3.1.3
PALO VERDE UNITS 1,2,3 B 3.1.3-1 REVISION 0

B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.3 Reactivity Balance
BASES

BACKGROUND

According to GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control element assembly (CEA) worth, or operation at Conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Open" and LCO 3.1.2, "SHUTDOWN MARGIN (SDM), Reactor Trip Breaker Closed") in ensuring the reactor can be brought safely to cold, subcritical conditions. When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers, producing zero net reactivity. Reactivity balance is typically based on the critical boron curve, which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement of the RCS boron concentration for comparison with the predicted value with other variables fixed (such as CEA height, temperature, pressure, and power) provides a convenient method of ensuring that core reactivity is within design expectations, and that the calculational models used to generate the safety analysis are adequate.
In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and in the fuel remaining from the previous cycle, provides excess positive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical at RTP and moderator temperature, the excess positive reactivity is compensated by burnable absorbers (if any), CEAs, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concentration. When the core is producing THERMAL POWER, the fuel is being depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER.
The critical boron curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated.

APPLICABLE SAFETY ANALYSES

Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations. Every accident evaluation (Ref. 2) is, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM, and reactivity transients such as CEA withdrawal accidents or CEA ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks. Monitoring reactivity balance additionally ensures that the nuclear methods provide an accurate representation of the core reactivity. Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boron concentration requirements for reactivity control during fuel depletion. The comparison between measured and predicted initial core reactivity provides a normalization for calculational models used to predict core reactivity.
If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculational models used to predict soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted critical boron curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred. The normalization of predicted RCS boron concentration to the measured value is typically performed after reaching RTP following startup from a refueling outage, with the CEAs in their normal positions for power operation. The normalization is performed at BOC conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle. The reactivity balance satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The reactivity balance limit is established to ensure plant operation is maintained within the assumptions of the safety analyses. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the nuclear design methodology are larger than expected.
A limit on the reactivity balance of +/- 1% Δk/k has been established, based on engineering judgment. A 1% deviation in reactivity from that predicted is larger than expected for normal operation, and should therefore be evaluated. When measured core reactivity is within 1% Δk/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between measured and predicted values would be approximately 100 ppm (depending on the boron worth) before the limit is reached.
These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.

APPLICABILITY

The limits on core reactivity must be maintained during MODE 1 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fuel depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in MODE 2 because enough operating margin exists to limit the effects of a reactivity anomaly and THERMAL POWER is low enough ( 5% RTP) such that reactivity anomalies are unlikely to occur. This Specification does not apply in MODES 2, 3, 4, and 5 because the reactor is shut down and the reactivity balance is not changing. In MODE 6, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.9.1, "Boron Concentration") ensure that fuel movements are performed within the bounds of the safety analysis. An SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, or CEA replacement, or shuffling).

ACTIONS

A.1 and A.2

Should an anomaly develop between measured and predicted core reactivity, an evaluation of the core design and safety analysis must be performed. Core conditions are evaluated to determine their consistency with input to design calculations.
Measured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 7 days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis. Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected.
If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in the calculation technique, then the calculational models must be revised to provide more accurate predictions. If any of these results are demonstrated and it is concluded that the reactor core is acceptable for continued operation, then the boron letdown curve may be renormalized, and power operation may continue. If operational restrictions or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined. The required Completion Time of 7 days is adequate for preparing whatever operating restrictions or Surveillances that may be required to allow continued reactor operation.

B.1

If the core reactivity cannot be restored to within the 1% Δk/k, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours. The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.1.3.1

Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made considering that other core conditions are fixed or stable including CEA position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The Surveillance is performed prior to entering MODE 1 as an initial check on core conditions and design calculations at BOC.
The SR is modified by three Notes. The first Note indicates that the normalization of predicted core reactivity to the measured value may take place within the first 60 effective full power days (EFPD) after each fuel loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A Note, "only required after 60 EFPD," is added to the Frequency column to allow this.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.
2. UFSAR, Section 15.
MTC B 3.1.4
PALO VERDE UNITS 1,2,3 B 3.1.4-1 REVISION 0

B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.4 Moderator Temperature Coefficient (MTC)
BASES

BACKGROUND

According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases. The MTC relates a change in core reactivity to a change in reactor coolant temperature. A positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature. The reactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self limiting, and stable power operation will result. The same characteristic is true when the MTC is positive and coolant temperature decreases occur. MTC values are predicted at selected burnups and temperatures during the safety evaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the beginning of cycle (BOC) MTC is less positive than that allowed by the LCO.
The actual value of the MTC is dependent on core characteristics such as fuel loading and reactor coolant soluble boron concentration. The core design may require additional burnable absorbers, either fixed lumped poison rods or poisons distributed within selected fuel rods to yield an MTC at the BOC within the range analyzed in the plant accident analysis. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit.
APPLICABLE SAFETY ANALYSES

The acceptance criteria for the specified MTC are: a. The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2); and b. The MTC must be such that inherently stable power operations result during normal operation and during accidents, such as overheating and overcooling events. Reference 2 contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the most positive value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions, such as very large soluble boron concentrations, to ensure the accident results are bounding. Accidents that cause core overheating, either by decreased heat removal or increased power production, must be evaluated for results when the MTC is positive. Reactivity accidents that cause increased power production include the control element assembly (CEA) withdrawal transient from either subcritical or full THERMAL POWER. The limiting overheating event relative to plant response is based on the Loss of Condenser Vacuum event (Ref. 3). The most limiting event with respect to a positive MTC is a CEA withdrawal accident from a subcritical or low (hot zero) power condition, also referred to as a startup accident (Ref. 4). Accidents that cause core overcooling must be evaluated for results when the MTC is most negative. The event that produces the most rapid cooldown of the RCS, and is therefore the most limiting event with respect to the negative MTC, is a steam line break (SLB) event. Following the reactor trip for the postulated EOC SLB event, the large moderator temperature reduction combined with the large negative MTC may produce reactivity increases that are as much as the shutdown reactivity.
When this occurs, a substantial fraction of core power is produced with all CEAs inserted, except the most reactive one, which is assumed withdrawn. Even if the reactivity increase produces slightly subcritical conditions, a large fraction of core power may be produced through the effects of subcritical neutron multiplication.
MTC values are bounded in reload safety evaluations assuming steady state conditions at BOC and EOC. A middle of cycle (MOC) measurement is conducted at conditions when the RCS boron concentration reaches approximately 300 ppm. The measured value may be extrapolated to project the EOC value, in order to confirm reload design predictions. The MTC satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

LCO 3.1.4 requires the MTC to be within the specified limits of the COLR to ensure the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of the original accident analysis during operation. The limit on a positive MTC ensures that core overheating accidents will not violate the accident analysis assumptions. The negative MTC limit for EOC specified in the COLR ensures that core overcooling accidents will not violate the accident analysis assumptions. MTC is a core physics parameter determined by the fuel and fuel cycle design and cannot be easily controlled once the core design is fixed. During operation, therefore, the LCO can only be ensured through measurement. The surveillance checks at BOC and MOC on an MTC provide confirmation that the MTC is behaving as anticipated, so that the acceptance criteria are met.

APPLICABILITY

In MODE 1, the limits on the MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate the design assumptions of the accident analysis.
In MODE 2, the limits must also be maintained to ensure accidents, such as the uncontrolled CEA assembly or group withdrawal, will not violate the assumptions of the accident analysis. In MODES 3, 4, 5, and 6, this LCO is not applicable, since no Design Basis Accidents (DBAs) using the MTC as an analysis assumption are initiated from these MODES except for a MSLB in MODE 3. In this case, the analysis assumes worst case MTC, with the ECCS systems mitigating the event.
However, the variation of the MTC, with temperature in MODES 3, 4, and 5, for DBAs initiated in MODES 1 and 2, is accounted for in the subject accident analysis. The variation of the MTC, with temperature assumed in the safety analysis, is accepted as valid once the BOC and MOC measurements are used for normalization.

ACTIONS

A.1

MTC is a function of the fuel and fuel cycle designs, and cannot be controlled directly once the designs have been implemented in the core. If MTC exceeds its limits, the reactor must be placed in MODE 3. This eliminates the potential for violation of the accident analysis bounds.
The associated Completion Time of 6 hours is reasonable, considering the probability of an accident occurring during the time period that would require an MTC value within the LCO limits, and the time for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.1.4.1 and SR 3.1.4.2

The SRs for measurement of the MTC at the beginning and middle of each fuel cycle provide for confirmation of the limiting MTC values. The MTC changes smoothly from most positive (least negative) to most negative value during fuel cycle operation, as the RCS boron concentration is reduced to compensate for fuel depletion. The requirement for measurement prior to operation > 5% RTP satisfies the confirmatory check on the most positive (least negative) MTC value. The requirement for measurement, within 7 days of (before or after) reaching 40 effective full power days and a 2/3 core burnup, satisfies the confirmatory check of the most negative MTC value. The measurement is performed at any THERMAL POWER so that the projected EOC MTC may be evaluated before the reactor actually reaches the EOC condition. MTC values may be extrapolated and compensated to permit direct comparison to the specified MTC limits.
SR 3.1.4.2 is modified by a Note that indicates performance is not required prior to entering MODE 1 or 2. Although this Surveillance is applicable in MODES 1 and 2, the reactor must be critical before the Surveillance can be completed. Therefore, entry into the applicable MODE prior to accomplishing the Surveillance is necessary. SR 3.1.4.2 is modified by a second Note, which indicates that if extrapolated MTC is more negative than the EOC COLR limit, the Surveillance may be repeated, and that shutdown must occur prior to exceeding the minimum allowable boron concentration at which MTC is projected to exceed the lower limit. An engineering evaluation is performed if the extrapolated value of MTC exceeds the Specification limits.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 11.
2. UFSAR, Section 15.0.
3. UFSAR, Section 15.2.
4. UFSAR, Section 15.4.
B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.5 Control Element Assembly (CEA) Alignment

BASES

BACKGROUND

The OPERABILITY (e.g., trippability) of the shutdown and regulating CEAs is an initial assumption in all safety analyses that assume CEA insertion upon reactor trip.
Maximum CEA misalignment is an initial assumption in the safety analyses that directly affects core power distributions and assumptions of available SDM. The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10 and GDC 26 (Ref. 1) and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Cooled Nuclear Power Plants" (Ref. 2). Mechanical or electrical failures may cause a CEA to become inoperable or to become misaligned from its group. CEA inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available CEA worth for reactor shutdown. Therefore, CEA alignment and operability are related to core operation in design power peaking limits and the core design requirement of a minimum SDM. If a CEA(s) is discovered to be immovable but remains trippable and aligned, the CEA is considered to be OPERABLE. At any time, if a CEA(s) is immovable, a determination of the trippability (OPERABILITY) of that CEA(s) must be made, and appropriate action taken. Limits on CEA alignment and operability have been established, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved. CEAs are moved by their control element drive mechanisms (CEDMs). Each CEDM moves its CEA one step (approximately 3/4 inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Control Element Drive Mechanism Control System (CEDMCS).
The CEAs are arranged into groups that are radially symmetric. Therefore, movement of the CEAs does not introduce radial asymmetries in the core power distribution.
The shutdown and regulating CEAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip. The regulating CEAs also provide reactivity (power level) control during normal operation and transients. Their movement may be automatically controlled by the Reactor Regulating System. Part strength CEAs are not credited in the safety analyses for shutting down the reactor, as are the regulating and shutdown groups. The part strength CEAs are used solely for ASI control. The axial position of shutdown and regulating CEAs is indicated by two separate and independent systems, which are the Pulse Counting CEA Position Indication System (described in Ref. 4) and the Reed Switch CEA Position Indication System (described in Ref. 5). The Pulse Counting CEA Position Indicating System indicates CEA position to the actual step, if each CEA moves one step for each command signal. However, if each CEA does not follow the commands, the system will incorrectly reflect the position of the affected CEA(s). This condition may affect the operability of COLSS (refer to Section 3.2, Power Distribution Limits for the applicable actions) and should be detected by the Reed Switch Position Indication System through surveillance or alarm. Although the Reed Switch Position Indication System is less precise than the Pulse Counting CEA Position Indicating System, it is not subject to the same error mechanisms.
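The two position indication channels described above fail differently: the pulse counter tracks commands, while the reed switches track the rod itself. As an added illustration (not code from the plant or from this document), the Python sketch below simulates a CEA that stops following commands and reports the first command at which the two channels disagree; the reed switch spacing and the use of 5.2 inches as the disagreement threshold are assumptions made for the example.

```python
"""Added illustration (not plant software): cross-checking a command-counting
position channel against an independent absolute channel."""
import math
from dataclasses import dataclass

STEP_IN = 0.75       # from the page: one CEDM step is approximately 3/4 inch
TOLERANCE_IN = 5.2   # from the page: RSPT absolute accuracy; using it as the
                     # disagreement threshold is an ASSUMPTION
REED_PITCH_IN = 1.5  # ASSUMPTION: reed switch spacing chosen for this sketch


@dataclass
class SimulatedCea:
    """One rod with a true position and a pulse counter that only sees commands."""
    actual_in: float = 0.0   # true withdrawal in inches
    pulse_steps: int = 0     # net steps commanded so far

    def command(self, steps: int, follows: bool = True) -> None:
        """Issue a withdraw (+) or insert (-) command of `steps` steps."""
        self.pulse_steps += steps              # the counter counts every command
        if follows:
            self.actual_in += steps * STEP_IN  # the rod moves only if it follows

    def pulse_position(self) -> float:
        """Position inferred from counted commands (precise, but open loop)."""
        return self.pulse_steps * STEP_IN

    def reed_position(self) -> float:
        """Position from the nearest reed switch (coarse, but absolute)."""
        return math.floor(self.actual_in / REED_PITCH_IN + 0.5) * REED_PITCH_IN


def channels_disagree(cea: SimulatedCea, tolerance_in: float = TOLERANCE_IN) -> bool:
    """True when the two indications differ by more than the tolerance."""
    return abs(cea.pulse_position() - cea.reed_position()) > tolerance_in


def first_disagreement(n_commands, steps_per_command, stuck_after=None):
    """Run a withdrawal sequence of n_commands commands.

    stuck_after=k means the rod follows commands 1..k and ignores the rest;
    None means it follows every command. Returns (command_number, pulse_in,
    reed_in) for the first command at which the channels disagree, or None.
    """
    cea = SimulatedCea()
    for n in range(1, n_commands + 1):
        follows = stuck_after is None or n <= stuck_after
        cea.command(steps_per_command, follows)
        if channels_disagree(cea):
            return n, cea.pulse_position(), cea.reed_position()
    return None


if __name__ == "__main__":
    print("healthy rod:", first_disagreement(20, 4))
    print("stuck after command 10:", first_disagreement(20, 4, stuck_after=10))
```

In the stuck case the pulse channel keeps advancing while the reed channel holds at the true position, so the pulse indication alone would never reveal the fault.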
APPLICABLE SAFETY ANALYSES

CEA misalignment accidents are analyzed in the safety analysis (Ref. 3). The accident analysis defines CEA misoperation as any event, with the exception of sequential group withdrawals, which could result from a single malfunction in the reactivity control systems. For example, CEA misalignment may be caused by a malfunction of the CEDM, CEDMCS, or by operator error. A stuck CEA may be caused by mechanical jamming of the CEA fingers or of the gripper. Inadvertent withdrawal of a single CEA may be caused by an electrical failure in the CEA coil power programmers. A dropped CEA could be caused by an opening of the electrical circuit of the CEDM holding coil for a full strength, or part strength CEA.

The acceptance criteria for addressing CEA inoperability or misalignment are that:

There shall be no violations of:
1. specified acceptable fuel design limits, or
2. Reactor Coolant System (RCS) pressure boundary integrity.

To ensure that these acceptance criteria are met, the CEAs shall be capable of inserting the required negative reactivity and in the time period assumed in the accident analysis upon a reactor trip. Three types of misalignment are distinguished. They are misalignment within deadband (< 6.6 inches), misalignment in excess of deadband, and CEA/subgroup drop. During movement of a group, one CEA may stop moving while the other CEAs in the group continue. This condition may cause excessive power peaking. This misalignment can be within or exceed the deadband. The last type of misalignment occurs when one CEA or subgroup drops partially or fully into the reactor core.
This event causes an initial power reduction followed by a return towards the original power due to positive reactivity feedback from the negative moderator temperature coefficient. Increased peaking during the power increase may result in erosion of DNB margin.
Misalignments within deadband are evaluated to ensure specified acceptable fuel design limits (SAFDLs) are not exceeded. Misalignment in excess of deadband considers the case of a single CEA withdrawn approximately 10 inches from a bank inserted to its insertion limit. Satisfying limits on departure from nucleate boiling ratio (DNBR) bounds the situation when a CEA is misaligned from its group by 6.6 inches. The effect of any misoperated CEA on the core power distribution will be assessed by the CEA calculators, and an appropriately augmented power distribution penalty factor will be supplied as input to the core protection calculators (CPCs). As the reactor core responds to the reactivity changes caused by the misoperated CEA and the ensuing reactor coolant and Doppler feedback effects, the CPCs will initiate a low DNBR or high local power density trip signal if SAFDLs are approached. The accident analysis analyzed a single four finger full and part strength CEA drop, a twelve finger drop, and a subgroup drop. The twelve finger and subgroup drops cause larger distortions than the four finger drops. With CEACS In Service (IS), the subgroup and twelve finger rod drops will result in a penalty factor such that a CPC trip will occur if SAFDLs are approached. The four finger CEA drop is protected by the thermal margin reserved in COLSS or CPC DNBR limit lines (COLR figures 3.2.4-2 for CEACs IS and 3.2.4-3 for CEACs OOS) when COLSS is Out of Service (OOS).
With CEACs OOS, CPCs will not penalize DNBR nor LPD when CEAs are misaligned; therefore, additional thermal margin is required to be preserved due to the larger radial power distortion associated with twelve finger and subgroup drops.
The most rapid approach to the DNBR SAFDL or the fuel centerline melt SAFDL is caused by a single full strength CEA drop with CEACS IS and either a twelve finger or subgroup drop with CEACS OOS.
In the case of the full strength CEA drop, a prompt decrease in core average power and a distortion in radial power are initially produced, which when conservatively coupled result in local power and heat flux increases, and a decrease in DNBR. A part strength CEA drop would cause a similar reactivity response although with less of a magnitude due to the full strength CEAs having a more significant reactivity worth. With CEACS OOS, a twelve finger and subgroup drop will result in greater radial power distortion. To accommodate the greater distortion without a reactor trip, increased thermal margin is required to be preserved. With CEACS IS, as the twelve finger drop is detected, core power and an appropriately augmented power distribution penalty factor are supplied to the CPCs. CPCs will trip if required to prevent SAFDLs from being exceeded. For plant operation within the DNBR and local power density (LPD) LCOs, DNBR and LPD trips can normally be avoided on a dropped 4-finger CEA since CEACs do not penalize DNBR or LPD for a four finger CEA drop. With CEACS IS and a subgroup drop, a distortion in power distribution, and a decrease in core power are produced. As the position of the dropped CEA subgroup is detected, an appropriate power distribution penalty factor is supplied to the CPCs, and a reactor trip signal on low DNBR is generated. CEA alignment satisfies Criteria 2 and 3 of 10 CFR 50.3(c)(2)(ii).

LCO

The limits on part strength, shutdown, and regulating CEA alignments ensure that the assumptions in the safety analysis will remain valid. The requirements on OPERABILITY ensure that upon reactor trip, the CEAs will be available and will be inserted to provide enough negative reactivity to shut down the reactor. The OPERABILITY requirements also ensure that the CEA banks maintain the correct power distribution and CEA alignment.
The requirement is to maintain the CEA alignment to within 6.6 inches between any CEA and all other CEAs in its group. Failure to meet the requirements of this LCO may produce unacceptable power peaking factors, DNBR, and LHRs, or unacceptable SDMs, all of which may constitute initial conditions inconsistent with the safety analysis.

APPLICABILITY

The requirements on CEA OPERABILITY and alignment are applicable in MODES 1 and 2 because these are the only MODES in which neutron (or fission) power is generated, and the OPERABILITY (e.g., trippability) and alignment of CEAs have the potential to affect the safety of the plant. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the reactor is shut down and not producing fission power. In the shutdown modes, the OPERABILITY of the shutdown and regulating CEAs has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed," for SDM in MODES 3, 4, and 5, and LCO 3.9.1, "Boron Concentration," for boron concentration requirements during refueling.
ACTIONS

A.1 and A.2

A CEA may become misaligned, yet remain trippable. In this condition, the CEA can still perform its required function of adding negative reactivity should a reactor trip be necessary. If one or more CEAs (regulating, shutdown, or part strength) are misaligned by 6.6 inches and ~ 9.9 inches but trippable, or one CEA misaligned by > 9.9 inches but trippable, operation in MODES 1 and 2 may continue, provided, within 1 hour, the power is reduced in accordance with the limits in the COLR, and within 2 hours CEA alignment is restored. Regulating and part strength CEA alignment can be restored by either aligning the misaligned CEA(s) to within 6.6 inches of its group or aligning the misaligned CEA's group to within 6.6 inches of the misaligned CEA(s).
Shutdown CEA alignment can be restored by aligning the misaligned CEA(s) to within 6.6 inches of its group. Xenon redistribution in the core starts to occur as soon as a CEA becomes misaligned. Reducing THERMAL POWER in accordance with the limits in the COLR ensures acceptable power distributions are maintained (Ref. 3). For small misalignments (< 9.9 inches) of the CEAs, there is:

a. A small effect on the time dependent long term power distributions relative to those used in generating LCOs and limiting safety system settings (LSSS) setpoints;
b. A negligible effect on the available SDM; and
c. A small effect on the ejected CEA worth used in the accident analysis.

With a large CEA misalignment ( 9.9 inches), however, this misalignment would cause distortion of the core power distribution. This distortion may, in turn, have a significant effect on the time dependent, long term power distributions relative to those used in generating LCOs and LSSS setpoints. The effect on the available SDM and the ejected CEA worth used in the accident analysis remain small. Therefore, this condition is limited to the single CEA misalignment, while still allowing 2 hours for recovery.
In both cases, a 2 hour time period is sufficient to:

a. Identify cause of a misaligned CEA;
b. Take appropriate corrective action to realign the CEAs; and
c. Minimize the effects of xenon redistribution.

The CEA must be returned to OPERABLE status within 2 hours. If a CEA misalignment results in the COLSS programs being declared INOPERABLE, refer to Section 3.2 Power Distribution Limits for applicable actions.

B.1 and B.2

At least two of the following three CEA position indicator channels shall be OPERABLE for each CEA:

a. CEA Reed Switch Position Transmitter (RSPT 1) with the capability of determining the absolute CEA positions within 5.2 inches,
b. CEA Reed Switch Position Transmitter (RSPT 2) with the capability of determining the absolute CEA positions within 5.2 inches, and
c. The CEA pulse counting position indicator channel.

If only one CEA position indicator channel is OPERABLE for one CEA per CEA Group, operation in MODES 1 and 2 may continue, provided, within 6 hours, at least two position indicator channels are returned to OPERABLE status; or within 6 hours and once per 12 hours, verify that the CEA group with the inoperable position indicators is either fully withdrawn or fully inserted while maintaining the insertion limits of LCO 3.1.6, LCO 3.1.7 and LCO 3.1.8.
CEAs are fully withdrawn when the requirements of LCO 3.1.6 and 3.1.7 are met. Additionally, the Upper Electrical Limit (UEL) CEA reed switches provide an acceptable indication of CEA position for a fully withdrawn condition.
C.1

If a Required Action or associated Completion Time of Condition A or Condition B is not met, or if one or more regulating or shutdown CEAs are untrippable (immovable as a result of excessive friction or mechanical interference or known to be untrippable), the unit is required to be brought to MODE 3. By being brought to MODE 3, the unit is brought outside its MODE of applicability. When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should be commenced. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems. Reducing THERMAL POWER in accordance with the Abnormal Operating procedures ensures acceptable power distributions are maintained. The specified ramp rate is intended to ensure DNBR SAFDLs are not challenged. If a full strength CEA is untrippable, it is not available for reactivity insertion during a reactor trip. With an untrippable CEA, meeting the insertion limits of LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits," and LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits," does not ensure that adequate SDM exists.
Therefore, the plant must be shut down in order to evaluate the SDM required boron concentration and power level for critical operation. Continued operation is allowed with untrippable part strength CEAs if the alignment and insertion limits are met. Continued operation is not allowed with one or more full length CEAs untrippable. This is because these cases are indicative of a loss of SDM and power distribution, and a loss of safety function, respectively.

D.1

Continued operation is not allowed in the case of more than one CEA misaligned from any other CEA in its group by > 9.9 inches. For example, two CEAs in a group misaligned from any other CEA in that group by > 9.9 inches, or more than one CEA group that has at least one CEA misaligned from any other CEA in that group by > 9.9 inches. This is indicative of a loss of power distribution and a loss of safety function, respectively. Multiple CEA misalignments should result in automatic protective action. Therefore, with two or more CEAs misaligned more than 9.9 inches, this could result in a situation outside the design basis and immediate action would be required to prevent any potential fuel damage. Immediately opening the reactor trip breakers minimizes these effects.

SURVEILLANCE REQUIREMENTS

SR 3.1.5.1

Verification that individual CEA positions are within 6.6 inches (indicated reed switch positions) of all other CEAs in the group allows the operator to detect a CEA that is beginning to deviate from its expected position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.5.2

OPERABILITY of at least two CEA position indicator channels is required to determine CEA positions, and thereby ensure compliance with the CEA alignment and insertion limits. The CEA full in and full out limits provide an additional independent means for determining the CEA positions when the CEAs are at either their fully inserted or fully withdrawn positions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.5.3

Verifying each full strength CEA is trippable would require that each CEA be tripped.
In MODES 1 and 2, tripping each full strength CEA would result in radial or axial power tilts, or oscillations. Therefore individual full strength CEAs are exercised to provide increased confidence that all full strength CEAs continue to be trippable, even if they are not regularly tripped. A movement of 5 inches is adequate to demonstrate motion without exceeding the alignment limit when only one full strength CEA is being moved. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Between required performances of SR 3.1.5.3, if a CEA(s) is discovered to be immovable but remains trippable and aligned, the CEA is considered to be OPERABLE. At any time, if a CEA(s) is immovable, a determination of the trippability (OPERABILITY) of that CEA(s) must be made, and appropriate action taken.

SR 3.1.5.4

Performance of a CHANNEL FUNCTIONAL TEST of each reed switch position transmitter channel ensures the channel is OPERABLE and capable of indicating CEA position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.5.5

Verification of full strength CEA drop times determines that the maximum CEA drop time permitted is consistent with the assumed drop time used in the safety analysis (Ref. 3).
Measuring drop times prior to reactor criticality, after reactor vessel head removal, ensures the reactor internals and CEDM will not interfere with CEA motion or drop time, and that no degradation in these systems has occurred that would adversely affect CEA motion or drop time. Individual CEAs whose drop times are greater than safety analysis assumptions are not OPERABLE. This SR is performed prior to criticality due to the plant conditions needed to perform the SR and the potential for an unplanned plant transient if the Surveillance were performed with the reactor at power. The 4 second CEA drop time is the maximum time it takes for a fully withdrawn individual full strength CEA to reach its 90% insertion position when electrical power is interrupted to the CEA drive mechanism with RCS Tcold greater than or equal to 550°F and all reactor coolant pumps operating. The CEA drop time of full strength CEAs shall also be demonstrated through measurement prior to reactor criticality for specifically affected individual CEAs following any maintenance on or modification to the CEA drive system which could affect the drop time of those specific CEAs.
REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. UFSAR, Section 15.4.
4. UFSAR, Section 7.7.1.3.2.3.
5. UFSAR, Section 7.5.1.1.4.
B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.6 Shutdown Control Element Assembly (CEA) Insertion Limits

BASES

BACKGROUND

The insertion limits of the shutdown CEAs are initial assumptions in all safety analyses that assume CEA insertion upon reactor trip. The insertion limits directly affect core power distributions and assumptions of available SDM, ejected CEA worth, and initial reactivity insertion rate. The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," and GDC 26, "Reactivity Limits" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on shutdown CEA insertion have been established, and all CEA positions are monitored and controlled during power operation to ensure that the reactivity limits, ejected CEA worth, and SDM limits are preserved. The shutdown CEAs are arranged into groups that are radially symmetric. Therefore, movement of the shutdown CEAs does not introduce radial asymmetries in the core power distribution. The shutdown and regulating CEAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip. The design calculations are performed with the assumption that the shutdown CEAs are withdrawn prior to the regulating CEAs. The shutdown CEAs must be capable of full withdrawal without the core going critical. This provides available negative reactivity for SDM in the event of boration errors.
The shutdown CEAs are controlled manually by the control room operator. During normal unit operation, the shutdown CEAs are fully withdrawn. The shutdown CEAs must be completely withdrawn from the core prior to withdrawing regulating CEAs during an approach to criticality. The shutdown CEAs are then left in this position until the reactor is shut down. They affect core power, burnup distribution, and add negative reactivity to shut down the reactor upon receipt of a reactor trip signal.
APPLICABLE SAFETY ANALYSES

Accident analysis assumes that the shutdown CEAs are fully withdrawn any time the reactor is critical. This ensures that:

a. The minimum SDM is maintained; and
b. The potential effects of a CEA ejection accident are limited to acceptable limits.

With the Shutdown CEAs at a fully withdrawn position (as defined in SR 3.1.6.1 Bases section), the requirements of LCO 3.1.6 are met and the assumptions made in the safety analyses are maintained. On a reactor trip, all CEAs (shutdown CEAs and regulating CEAs), except the most reactive CEA, are assumed to insert into the core. The shutdown and regulating CEAs shall be at or above their insertion limits and available to insert the maximum amount of negative reactivity on a reactor trip signal. The regulating CEAs may be partially inserted in the core as allowed by LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits." The shutdown CEA insertion limit is established to ensure that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM (see LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed") following a reactor trip from full power. The combination of regulating CEAs and shutdown CEAs (less the most reactive CEA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref. 3). The shutdown CEA insertion limit also limits the reactivity worth of an ejected shutdown CEA.

The acceptance criteria for addressing shutdown CEA as well as regulating CEA insertion limits and inoperability or misalignment are that:

a. There be no violation of:
   1. specified acceptable fuel design limits, or
   2. Reactor Coolant System pressure boundary damage integrity; and
b. The core remains subcritical after accident transients.
  (continued) The most limiting SDM requirements for MODES 1 and 2 at EOC come from Steam Line Break (SLB). The requirements of the SLB event at EOC for both the full power and no load conditions are significantly larger than those of any other event at that time in cycle and, also, considerably larger than the most limiting requirements at BOC. Although the most limiting SDM requirements at EOC are much larger than those at BOC, the available SDM obtained via the scramming of the CEAs are also substantially larger due to the much lower boron concentration at EOC. To verify that adequate SDM are available throughout the cycle to satisfy the changing requirements, calculations are performed at both BOC and EOC. It has been determined that calculations at these two times in cycle are sufficient since the differences between available SDM and the limiting SDM requirements are the smallest at these times in the cycle. The measurement of CEA bank worth performed as part of the Startup Testing Program demonstrates that the core has expected shutdown capability. Consequently, adherence to LCOs 3.1.6 and 3.1.7 provides assurance that the available SDM at any time in cycle will exceed the limiting SDM requirements at that time in the cycle. The shutdown CEA insertion limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii). ______________________________________________________________________________  LCO The shutdown CEAs must be within their insertion limits any time the reactor is critical or approaching criticality.
This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip.

APPLICABILITY

The shutdown CEAs must be within their insertion limits, with the reactor in MODES 1 and 2. The applicability in MODE 2 begins anytime any regulating CEA is not fully inserted. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. Refer to LCO 3.1.1 and LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breaker Closed," for SDM requirements in MODES 3, 4, and 5. LCO 3.9.1, "Boron Concentration," ensures adequate SDM in MODE 6.

This LCO has been modified by a Note indicating the LCO requirement is suspended during SR 3.1.5.3, which verifies the freedom of the CEAs to move, and requires the shutdown CEAs to move below the LCO limits, which would normally violate the LCO.

ACTIONS

A.1

Prior to entering this Condition, the shutdown CEAs were fully withdrawn. If a shutdown CEA is then inserted into the core, its potential negative reactivity is added to the core as it is inserted. If the CEA is not within limits, within 2 hours restore the CEA to within limits. The 2 hour total Completion Time allows the operator adequate time to adjust the CEA in an orderly manner and is consistent with the required Completion Times in LCO 3.1.5, "Control Element Assembly (CEA) Alignment."

B.1

When Required Action A.1 cannot be met or completed within the required Completion Time, a controlled shutdown should be commenced. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.1.6.1

Verification that the shutdown CEAs are within their insertion limits prior to an approach to criticality ensures that when the reactor is critical, or being taken critical, the shutdown CEAs (along with the regulating CEAs) will be available to shut down the reactor, and the required SDM will be maintained following a reactor trip. This SR and Frequency ensure that the shutdown CEAs are withdrawn before the regulating CEAs are withdrawn during a unit startup.
Shutdown CEAs are considered fully withdrawn when each shutdown CEA is positioned to meet one of the following conditions:

Condition 1: Pulse Counter  147.75 inches.
and
At least one Reed Switch Position Transmitter (RSPT)
OR
Condition 2: Upper Electrical Limit (UEL) position.

Condition 1 necessitates that the Pulse Counter and at least one of the two Reed Switch Position Transmitters (RSPTs) be available to verify the position of each shutdown CEA. The Pulse Counter is a very accurate position indication system but is not as reliable (i.e., slip rod) as the other position indicating systems. The RSPTs are very reliable but are not as accurate as the Pulse Counter indicating system. Therefore, requiring these two systems together will account for instrument inaccuracies and reliability issues associated with these position indicators (instrument inaccuracies and the acceptability of these indicator limits are detailed in Reference 4).

Additionally, a CEA at its UEL (Upper Electrical Limit) position alone provides an acceptable indication (accounting for inaccuracies) of CEA position to satisfy the condition for a CEA to be considered fully withdrawn. A CEA at its UEL position will be  147.75 inches withdrawn.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. UFSAR, Section 15.4.
4. Calculation 13-JC-SF-0202.
B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.7 Regulating Control Element Assembly (CEA) Insertion Limits

BASES

BACKGROUND

The insertion limits of the regulating CEAs are initial assumptions in all safety analyses that assume CEA insertion upon reactor trip. The insertion limits directly affect core power distributions, assumptions of available SDM, and initial reactivity insertion rate. The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," and GDC 26, "Reactivity Limits" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2).

Limits on regulating CEA insertion have been established, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking, ejected CEA worth, reactivity insertion rate, and SDM limits are preserved.

The regulating CEA groups generally operate with a predetermined amount of position overlap, in order to approximate a linear relation between CEA worth and position (integral CEA worth). The regulating CEA groups are withdrawn and operate in a predetermined sequence. The group sequence, overlap limits, and fully withdrawn position are specified in the COLR.

The regulating CEAs are used for precise reactivity control of the reactor. The positions of the regulating CEAs are manually or automatically controlled. They are capable of changing reactivity very quickly (compared to borating or diluting).

The power density at any point in the core must be limited to maintain specified acceptable fuel design limits, including limits that preserve the criteria specified in 10 CFR 50.46 (Ref. 2).
Together, LCO 3.1.7; LCO 3.2.4, "Departure from Nucleate Boiling Ratio (DNBR)"; and LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)," provide limits on control component operation and on monitored process variables to ensure the core operates within LCO 3.2.1, "Linear Heat Rate (LHR)"; LCO 3.2.2, "Planar Radial Peaking Factor (Fxy)"; and LCO 3.2.4, "Departure From Nucleate Boiling Ratio (DNBR)," limits in the COLR. Operation within the LHR limits given in the COLR prevents power peaks that would exceed the loss of coolant accident (LOCA) limits derived by the Emergency Core Cooling Systems analysis.
Operation within the Fxy and departure from nucleate boiling (DNB) limits given in the COLR prevents DNB during a loss of forced reactor coolant flow accident. In addition to the LHR, Fxy, and DNBR limits, certain reactivity limits are preserved by regulating CEA insertion limits. The regulating CEA insertion limits also restrict the ejected CEA worth to the values assumed in the safety analyses and preserve the minimum required SDM in MODES 1 and 2.

The establishment of limiting safety system settings and LCOs requires that the expected long and short term behavior of the radial peaking factors be determined. The long term behavior relates to the variation of the steady state radial peaking factors with core burnup and is affected by the amount of CEA insertion assumed, the portion of a burnup cycle over which such insertion is assumed, and the expected power level variation throughout the cycle. The short term behavior relates to transient perturbations to the steady state radial peaks, due to radial xenon redistribution. The magnitudes of such perturbations depend upon the expected use of the CEAs during anticipated power reductions and load maneuvering. Analyses are performed, based on the expected mode of operation of the Nuclear Steam Supply System (base loaded, maneuvering, etc.). From these analyses, CEA insertions are determined and a consistent set of radial peaking factors defined. The long term steady state and short term insertion limits are determined, based upon the assumed mode of operation used in the analyses, and provide a means of preserving the assumptions on CEA insertions used. The long and short term insertion limits of LCO 3.1.7 are specified for the plant, which has been designed for primarily base loaded operation, but has the ability to accommodate a limited amount of load maneuvering.
The regulating CEA insertion and alignment limits, ASI and Tq are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the regulating bank insertion limits control the reactivity that could be added in the event of a CEA ejection accident, and the shutdown and regulating bank insertion limits ensure the required SDM is maintained.

Operation within the subject LCO limits will prevent fuel cladding failures that would breach the primary fission product barrier and release fission products to the reactor coolant in the event of a LOCA, loss of flow, ejected CEA, or other accident requiring termination by a Reactor Protective System trip function.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation (Condition I) and anticipated operational occurrences (Condition II). The acceptance criteria for the regulating CEA insertion, part strength CEA insertion, ASI, and Tq LCOs preclude core power distributions from occurring that would violate the following fuel design criteria:

a. During a large break LOCA, the peak cladding temperature must not exceed a limit of 2200°F, 10 CFR 50.46 (Ref. 2);
b. During CEA misoperation events, there must be at least a 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition;
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 3); and
d. The CEAs must be capable of shutting down the reactor with a minimum required SDM, with the highest worth CEA stuck fully withdrawn, GDC 26 (Ref. 1).

Regulating CEA position, ASI, and Tq are process variables that together characterize and control the three dimensional power distribution of the reactor core. Fuel cladding damage does not occur when the core is operated outside these LCOs during normal operation.
However, fuel cladding damage could result, should an accident occur with simultaneous violation of one or more of these LCOs. Changes in the power distribution can cause increased power peaking and corresponding increased local LHRs.

The SDM requirement is ensured by limiting the regulating and shutdown CEA insertion limits, so that the allowable inserted worth of the CEAs is such that sufficient reactivity is available in the CEAs to shut down the reactor to hot zero power with a reactivity margin that assumes the maximum worth CEA remains fully withdrawn upon trip (Ref. 4).

The most limiting SDM requirements for MODE 1 and 2 conditions at BOC are determined by the requirements of several transients, e.g., Loss of Flow, Seized Rotor, etc.
However, the most limiting SDM requirements for MODES 1 and 2 at EOC come from just one transient, Steam Line Break (SLB). The requirements of the SLB event at EOC for both the full power and no load conditions are significantly larger than those of any other event at that time in cycle and, also, considerably larger than the most limiting requirements at BOC. Although the most limiting SDM requirements at EOC are much larger than those at BOC, the available SDM obtained via the scramming of the CEAs are also substantially larger due to the much lower boron concentration at EOC. To verify that adequate SDM are available throughout the cycle to satisfy the changing requirements, calculations are performed at both BOC and EOC. It has been determined that calculations at these two times in cycle are sufficient since the differences between available SDM and the limiting SDM requirements are the smallest at these times in the cycle.
The measurement of CEA bank worth performed as part of the Startup Testing Program demonstrates that the core has expected shutdown capability. Consequently, adherence to LCOs 3.1.6 and 3.1.7 provides assurance that the available SDM at any time in cycle will exceed the limiting SDM requirements at that time in the cycle.
Operation at the insertion limits or ASI limits may approach the maximum allowable linear heat generation rate or peaking factor, with the allowed Tq present. Operation at the insertion limit may also indicate the maximum ejected CEA worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected CEA worths.

The regulating and shutdown CEA insertion limits ensure that safety analyses assumptions for reactivity insertion rate, SDM, ejected CEA worth, and power distribution peaking factors are preserved (Ref. 4).

The regulating CEA insertion limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The limits on regulating CEA sequence, overlap, and physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected CEA worth is maintained, and ensuring adequate negative reactivity insertion on trip. The overlap between regulating banks provides more uniform rates of reactivity insertion and withdrawal, and is imposed to maintain acceptable power peaking during regulating CEA motion. The COLR provides separate figures for CEA insertion limits with COLSS in service and COLSS out of service.

The power dependent insertion limit (PDIL) alarm circuit is required to be OPERABLE for notification that the CEAs are outside the required insertion limits. When the PDIL alarm circuit is inoperable, the verification of CEA positions is increased to ensure improper CEA alignment is identified before unacceptable flux distribution occurs.
APPLICABILITY

The regulating CEA sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES 1 and 2. These limits must be maintained, since they preserve the assumed power distribution, ejected CEA worth, SDM, and reactivity rate insertion assumptions. Applicability in MODES 3, 4, and 5 is not required, since the power distribution assumptions would not be exceeded in these MODES. SDM is preserved in MODES 3, 4, and 5 by adjustments to the soluble boron concentration.

This LCO is modified by a Note indicating the LCO requirement is suspended during SR 3.1.5.3. This SR verifies the freedom of the CEAs to move, and requires the regulating CEAs to move below the LCO limits, which would normally violate the LCO.

The Note also allows the LCO to be not applicable during reactor power cutback operation, which inserts a selected CEA group (usually group 4 and 5) during loss of load events. The requirements of SR 3.1.7.2 for tracking accumulated time between the insertion limits are still applicable following a reactor power cutback operation.

ACTIONS

A.1 and A.2

Operation beyond the transient insertion limit may result in a loss of SDM and excessive peaking factors and may violate input assumptions of the CEA ejection and CEA misoperation events. The transient insertion limit should not be violated during normal operation; this violation, however, may occur during transients in response to changing plant conditions.
When the regulating groups are inserted beyond the transient insertion limits, actions must be taken to either withdraw the regulating groups beyond the limits or to reduce THERMAL POWER to less than or equal to that allowed for the actual CEA insertion limit. Two hours provides a reasonable time to accomplish this, allowing the operator to deal with current plant conditions while limiting peaking factors to acceptable levels.

B.1

If the CEAs are inserted between the short term steady state insertion limits and the transient insertion limits for intervals > 4 hours per 24 hour period, peaking factors can develop that are of concern due to Xenon changes (Ref. 4).
Additionally, since the CEAs can be in this condition without misalignment, penalty factors are not inserted in the core protection calculators to compensate for the developing peaking factors. Experience has shown that rapid power increases in areas of the core, in which the flux has been depressed, can result in fuel damage as the LHR in those areas rapidly increases.
Restricting the rate of THERMAL POWER increases to  5% RTP per hour, following CEA insertion beyond the short term steady state insertion limits, ensures the power transients experienced by the fuel will not result in fuel failure (Ref. 4). The restriction on THERMAL POWER increases shall remain in effect until the Regulating CEA groups are inserted between short term steady state limit and the transient insertion limit for  4 hours per 24 hour interval.

The 15 minute Completion Time ensures that prompt action shall be taken to restrict THERMAL POWER increases.

C.1

With the regulating CEAs inserted between the long term steady state insertion limit and the transient insertion limit, and with the core approaching the 5 effective full power days (EFPD) per 30 EFPD, or 14 EFPD per 365 EFPD limits, the core approaches the acceptable limits placed on operation with flux patterns outside those assumed in the long term burnup assumptions. In this case, the CEAs must be returned to within the long term steady state insertion limits, or the core must be placed in a condition in which the abnormal fuel burnup cannot continue. A Completion Time of 2 hours is a reasonable time to return the CEAs to within the long term steady state insertion limits.

The required Completion Time of 2 hours from initial discovery of a regulating CEA group outside the limits until its restoration to within the long term steady state limits, shown on the figures in the COLR, allows sufficient time for borated water to enter the Reactor Coolant System from the chemical addition and makeup systems, and to cause the regulating CEAs to withdraw to the acceptable region.
It is reasonable to continue operation for 2 hours after it is discovered that the 5 day or 14 day EFPD limit has been exceeded. This Completion Time is based on limiting the potential xenon redistribution, the low probability of an accident, and the steps required to complete the action.

D.1

With the PDIL circuit inoperable, performing SR 3.1.7.1 within 1 hour and every 4 hours thereafter ensures improper CEA alignments are identified before unacceptable flux distributions occur.

E.1

When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should be commenced. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.1.7.1

With the PDIL alarm circuit OPERABLE, verification of each regulating CEA group position is sufficient to detect CEA positions that may approach the acceptable limits, and provides the operator with time to undertake the Required Action(s) should the sequence or insertion limits be found to be exceeded. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. PDIL alarms are received on both the Plant Computer (PC) and the Core Monitoring Computer (CMC)/Core Operating Limit Supervisory System (COLSS) after the CMC/COLSS Upgrade.

SR 3.1.7.1 is modified by a Note indicating that entry is allowed into MODE 2 without having performed the SR.
This is necessary, since the unit must be in the applicable MODES in order to perform Surveillances that demonstrate the LCO limits are met.
SR 3.1.7.2

Verification of the accumulated time of CEA group insertion between the long term steady state insertion limits and the transient insertion limits ensures the cumulative time limits are not exceeded. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.7.3

Demonstrating the PDIL alarm circuit OPERABLE verifies that the PDIL alarm circuit is functional. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. Regulatory Guide 1.77, Rev. 0, May 1974.
4. UFSAR, Section 15.4.
B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.8 Part Strength Control Element Assembly (CEA) Insertion Limits

BASES

BACKGROUND

The insertion limits of the part strength CEAs are initial assumptions in the safety analyses for CEA misoperation events. The insertion limits directly affect core power distributions. The applicable criteria for these power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Plants" (Ref. 2).

Limits on part strength CEA insertion have been established, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution defined by the design power peaking limits is preserved.

The part strength CEAs are used for axial power shape control of the reactor. The positions of the part strength CEAs are manually controlled. They are capable of changing reactivity very quickly (compared to borating or diluting).

The power density at any point in the core must be limited to maintain specified acceptable fuel design limits, including limits that preserve the criteria specified in 10 CFR 50.46 (Ref. 2). Together, LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits"; LCO 3.1.8; LCO 3.2.4, "Departure From Nucleate Boiling Ratio (DNBR)"; and LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)," provide limits on control component operation and on monitored process variables to ensure the core operates within the linear heat rate (LHR) (LCO 3.2.1, "Linear Heat Rate (LHR)"); planar peaking factor (Fxy) (LCO 3.2.2, "Planar Radial Peaking Factors (Fxy)"); and LCO 3.2.4 limits in the COLR. Operation within the limits given in the COLR prevents power peaks that would exceed the loss of coolant accident (LOCA) limits derived by the Emergency Core Cooling Systems analysis. Operation within the Fxy and departure from nucleate boiling (DNB) limits given in the COLR prevents DNB during a loss of forced reactor coolant flow accident.
The establishment of limiting safety system settings and LCOs requires that the expected long and short term behavior of the radial peaking factors be determined. The long term behavior relates to the variation of the steady state radial peaking factors with core burnup; it is affected by the amount of CEA insertion assumed, the portion of a burnup cycle over which such insertion is assumed, and the expected power level variation throughout the cycle. The short term behavior relates to transient perturbations to the steady state radial peaks due to radial xenon redistribution. The magnitudes of such perturbations depend upon the expected use of the CEAs during anticipated power reductions and load maneuvering. Analyses are performed, based on the expected mode of operation of the Nuclear Steam Supply System (base loaded, maneuvering, etc.). From these analyses, CEA insertions are determined, and a consistent set of radial peaking factors are defined. The long term (steady state) and short term insertion limits are determined, based upon the assumed mode of operation used in the analyses; they provide a means of preserving the assumptions on CEA insertions used. The long and short term insertion limits of LCO 3.1.8 are specified for the plant, which has been designed primarily for base loaded operation, but has the ability to accommodate a limited amount of load maneuvering.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation (Condition I) and anticipated operational occurrences (Condition II).
The regulating CEA insertion, part strength CEA insertion, ASI, and Tq LCOs preclude core power distributions from occurring that would violate the following fuel design criteria:

a. During a large break LOCA, the peak cladding temperature must not exceed 2200°F (Ref. 2);
b. During CEA misoperation events, there must be at least a 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition;
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 3); and
d. The CEAs must be capable of shutting down the reactor with a minimum required SDM, with the highest worth CEA stuck fully withdrawn, GDC 26 (Ref. 1).

Regulating CEA position, part strength CEA position, ASI, and Tq are process variables that together characterize and control the three dimensional power distribution of the reactor core. Fuel cladding damage does not occur when the core is operated outside these LCOs during normal operation.
However, fuel cladding damage could result, should an accident occur with simultaneous violation of one or more of these LCOs. Changes in the power distribution can cause increased power peaking and corresponding increased local LHRs.

The part strength CEA insertion limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii). The part strength CEAs are required due to the potential peaking factor violations that could occur if part strength CEAs exceed insertion limits.

LCO

The limits on part strength CEA insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution.

APPLICABILITY

The part strength insertion limits shall be maintained with the reactor in MODES 1 and 2. These limits must be maintained, since they preserve the assumed power distribution. Applicability in lower MODES is not required, since the power distribution assumptions would not be exceeded in these MODES.

ACTIONS
A.1, A.2 and B.1
If the part strength CEA groups are inserted beyond the following limits, flux patterns begin to develop that are outside the range assumed for long term fuel burnup:
1) Transient insertion limits;
2) Between the long term (steady-state) insertion limit and the transient insertion limit for:
a) 7 or more effective full power days (EFPD) out of any 30 EFPD period;
b) 14 EFPD or more out of any 365 EFPD period.
If allowed to continue beyond this limit, the peaking factors assumed as initial conditions in the accident analysis may be invalidated (Ref. 4). Restoring the CEAs to within limits or reducing THERMAL POWER to that fraction of RTP that is allowed by CEA group position, using the limits specified in the COLR, ensures that acceptable peaking factors are maintained. Since these effects are cumulative, actions are provided to limit the total time the part strength CEAs can be out of limits in any 30 EFPD or 365 EFPD period. Since the cumulative out of limit times are in days, an additional Completion Time of 2 hours is reasonable for restoring the part strength CEAs to within the allowed limits.

C.1
When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should commence. A Completion Time of 6 hours is reasonable, based on operating experience, for reaching Mode 3 from full power conditions in an orderly manner and without challenging plant systems.
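The cumulative limits described under ACTIONS A.1, A.2 and B.1 amount to a sliding-window check over core burnup. The Python sketch below is an added illustration, not part of the Palo Verde Bases or of any plant procedure; the log format (burnup intervals, in EFPD, during which the part strength CEAs sat between the long term and transient insertion limits), the function names and the sample data are assumptions.

```python
# Added illustration: sliding-window bookkeeping for the cumulative time the
# part strength CEAs spend between the long term (steady-state) and transient
# insertion limits. Log format and names are assumptions, not plant software.

# (window length in EFPD, cumulative EFPD at which the condition is reached).
# The Bases text words both as "N or more", so the comparison is >=.
WINDOW_LIMITS = ((30.0, 7.0), (365.0, 14.0))


def merge(intervals):
    """Sort [start, end) burnup intervals and merge any that overlap."""
    merged = []
    for start, end in sorted(intervals):
        if end <= start:
            continue  # ignore empty or reversed entries
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [tuple(i) for i in merged]


def time_in_window(merged, lo, hi):
    """EFPD of the merged intervals that fall inside the window [lo, hi]."""
    return sum(max(0.0, min(e, hi) - max(s, lo)) for s, e in merged)


def worst_window(intervals, window):
    """Largest cumulative EFPD found in ANY window of the given length.

    The overlap is piecewise linear in the window position, so its maximum
    occurs with the window starting at an interval start or ending at an
    interval end; checking those candidates is sufficient.
    """
    merged = merge(intervals)
    candidates = [s for s, _ in merged] + [e - window for _, e in merged]
    return max(
        (time_in_window(merged, lo, lo + window) for lo in candidates),
        default=0.0,
    )


def evaluate(intervals):
    """Return {window: (worst cumulative EFPD, limit reached?)}."""
    results = {}
    for window, limit in WINDOW_LIMITS:
        worst = worst_window(intervals, window)
        results[window] = (worst, worst >= limit)
    return results


# Constructed sample log: burnup intervals (EFPD) spent between the limits.
SAMPLE_LOG = [
    (100.0, 103.0),
    (110.0, 112.5),
    (150.0, 153.0),
    (300.0, 304.0),
    (320.0, 322.0),
]

if __name__ == "__main__":
    for window, (worst, reached) in evaluate(SAMPLE_LOG).items():
        state = "LIMIT REACHED" if reached else "within limit"
        print(f"{window:5.0f} EFPD window: worst case {worst:.1f} EFPD ({state})")
```

In the constructed log no single 30 EFPD period accumulates 7 EFPD, yet the 365 EFPD period does reach 14 EFPD, which is why both windows have to be tracked independently.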

SURVEILLANCE REQUIREMENTS
SR 3.1.8.1
Verification of each part strength CEA group position is sufficient to detect CEA positions that may approach the limits, and provide the operator with time to undertake the Required Action(s), should insertion limits be found to be exceeded. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. Regulatory Guide 1.77, Rev. 0, May 1974.
4. UFSAR, Section 15.4.

B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.9 Special Test Exceptions (STE) - SHUTDOWN MARGIN (SDM)
BASES

BACKGROUND
The primary purpose of the SDM STE is to permit relaxation of existing LCOs to allow the performance of certain PHYSICS TESTS. These tests are conducted to determine the control element assembly (CEA) worth. Section XI of 10 CFR 50, Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Processing Plants" (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. Testing is required as an integral part of the design, fabrication, construction, and operation of the power plant.
Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59, "Changes, Tests, and Experiments" (Ref. 2). The key objectives of a test program are to (Ref. 3): a. Ensure that the facility has been adequately designed; b. Validate the analytical models used in design and analysis; c. Verify assumptions used for predicting plant response; d. Ensure that installation of equipment in the facility has been accomplished in accordance with the design; and e. Verify that operating and emergency procedures are adequate. To accomplish these objectives, testing is required prior to initial criticality, after each refueling shutdown, and during startup, low power operation, power ascension, and at power operation. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4). PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of testing required to ensure that the design intent is met.
PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worths, reactivity coefficients, flux symmetry, and core power distribution.

APPLICABLE SAFETY ANALYSES
It is acceptable to suspend certain LCOs for PHYSICS TESTS because fuel damage criteria are not exceeded. Even if an accident occurs during PHYSICS TESTS with one or more LCOs suspended, fuel damage criteria are preserved because adequate limits on power distribution and shutdown capability are maintained during PHYSICS TESTS. Reference 5 defines the requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1985 (Ref. 4). PHYSICS TESTS for reload fuel cycles are given in Table 1 of ANSI/ANS-19.6.1-1985.
Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. As long as the linear heat rate (LHR) remains within its limit, fuel design criteria are preserved. In this test, the following LCOs are suspended:  a. LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed";  b. LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits"; and  c. LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits."
Therefore, this LCO places limits on the minimum amount of CEA worth required to be available for reactivity control when CEA worth measurements are performed. The individual LCOs cited above govern SDM, CEA group height, insertion, and alignment. Additionally, the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature Tc, and pressurizer pressure contribute to maintaining departure from nucleate boiling (DNB) parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 6). The criteria for the loss of forced reactor coolant flow accidents are specified in Reference 7. Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria. SRs are conducted as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS.
Performance of these SRs allows PHYSICS TESTS to be conducted without decreasing the margin of safety. Requiring that shutdown reactivity equivalent to at least the highest estimated CEA worth (of those CEAs actually withdrawn) be available for trip insertion from the OPERABLE CEAs, provides a high degree of assurance that shutdown capability is maintained for the most challenging postulated accident, a stuck CEA. Since LCO 3.1.2 is suspended, however, there is not the same degree of assurance during this test that the reactor would always be shut down if the highest worth CEA was stuck out and calculational uncertainties or the estimated highest CEA worth was not as expected (the single failure criterion is not met). This situation is judged acceptable, however, because specified acceptable fuel damage limits are still met. The risk of experiencing a stuck CEA and subsequent criticality is reduced during this PHYSICS TEST exception by the requirements to determine CEA positions every 2 hours; by the trip of each CEA to be withdrawn within 7 days prior to suspending the SDM requirements; and by ensuring that shutdown reactivity is available, equivalent to the reactivity worth of the estimated highest worth withdrawn CEA (Ref. 5). PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables. Among the process variables involved are total planar radial peaking factor, total integrated radial peaking factor, Tq, and ASI, which represent initial condition input (power peaking) to the accident analysis.
Also involved are the shutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR. PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications since the components and process variable LCOs suspended during PHYSICS TESTS meet Criteria 1, 2, and 3 of 10 CFR 50.36 (c)(2)(ii).

LCO
This LCO provides that a minimum amount of CEA worth is immediately available for reactivity control when CEA worth measurement tests are performed. This STE is required to permit the periodic verification of the actual versus predicted worth of the regulating and shutdown CEAs. The SDM requirements of LCO 3.1.2, the shutdown CEA insertion limits of LCO 3.1.6, and the regulating CEA insertion limits of LCO 3.1.7 may be suspended.

APPLICABILITY
This LCO is applicable in MODES 2 and 3. Although CEA worth testing is conducted in MODE 2, sufficient negative reactivity is inserted during the performance of these tests to result in temporary entry into MODE 3. Because the intent is to immediately return to MODE 2 to continue CEA worth measurements, the STE allows limited operation to 6 consecutive hours in MODE 3 as indicated by the Note, without having to borate to meet the SDM requirements of LCO 3.1.2.

ACTIONS
A.1
With any CEA not fully inserted and less than the minimum required reactivity equivalent available for insertion, or with all CEAs inserted and the reactor subcritical by less than the reactivity equivalent of the highest worth withdrawn CEA, restoration of the minimum shutdown reactivity requirements must be accomplished by increasing the RCS boron concentration. The required Completion Time of 15 minutes for initiating boration allows the operator sufficient time to align the valves and start the boric acid pumps and is consistent with the Completion Time of LCO 3.1.2. In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the refueling water tank. The operator should borate with the best source available for the plant conditions. In determining the boration flow rate the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle, when boron concentration may approach or exceed 2000 ppm. Assuming that a value of 1% Δk/k must be recovered and a boration flow rate of 26 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in less than 4 hours with a 4000 ppm source. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Δk/k. These boration parameters of 26 gpm and 4000 ppm represent typical values and are provided for the purpose of offering a specific example.

SURVEILLANCE REQUIREMENTS
SR 3.1.9.1
Verification of the position of each partially or fully withdrawn full strength, or part strength CEA is necessary to ensure that the minimum negative reactivity requirements for insertion on a trip are preserved. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.9.2
Prior demonstration that each CEA to be withdrawn from the core during PHYSICS TESTS is capable of full insertion, when tripped from at least a 50% withdrawn position, ensures that the CEA will insert on a trip signal. The 7 day Frequency ensures that the CEAs are OPERABLE prior to reducing SDM requirements to less than the limits of LCO 3.1.2.

SR 3.1.9.3
During MODE 3, verification that the reactor is subcritical by at least the reactivity equivalent of the highest estimated CEA worth ensures that the minimum negative reactivity requirements are preserved. The negative reactivity requirements are verified by performing a reactivity balance calculation, considering the listed reactivity effects: a. RCS boron concentration; b. CEA positions; c. RCS average temperature; d. Fuel burnup based on gross thermal energy generation; e. Xenon concentration; and f. Samarium concentration. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. 10 CFR 50, Appendix B, Section XI.
2. 10 CFR 50.59.
3. Regulatory Guide 1.68, Revision 2, August 1978.
4. ANSI/ANS-19.6.1-1985, December 13, 1985.
5. UFSAR, Chapter 14.
6. 10 CFR 50.46.
7. UFSAR, Chapter 15.

B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.10 Special Test Exceptions (STE) - MODES 1 and 2
BASES

BACKGROUND
The primary purpose of these MODES 1 and 2 STEs is to permit relaxation of existing LCOs to allow the performance of certain PHYSICS TESTS. These tests are conducted to determine specific reactor core characteristics. Section XI of 10 CFR 50, Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Processing Plants" (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. Testing is required as an integral part of the design, fabrication, construction, and operation of the power plant.
Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59, "Changes, Tests, and Experiments" (Ref. 2). The key objectives of a test program are to (Ref. 3):  a. Ensure that the facility has been adequately designed;  b. Validate the analytical models used in design and analysis;  c. Verify assumptions used for predicting plant response;  d. Ensure that installation of equipment in the facility has been accomplished in accordance with design; and  e. Verify that operating and emergency procedures are adequate. To accomplish these objectives, testing is required prior to initial criticality, after each refueling shutdown, and during startup, low power operation, power ascension, and at power operation. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4).
PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of testing required to ensure that design intent is met.
PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worth, reactivity coefficients, flux symmetry, and core power distribution.

APPLICABLE SAFETY ANALYSES
It is acceptable to suspend certain LCOs for PHYSICS TESTS because fuel damage criteria are not exceeded. Even if an accident occurs during PHYSICS TESTS with one or more LCOs suspended, fuel damage criteria are preserved because the limits on power distribution and shutdown capability are maintained during PHYSICS TESTS. Reference 5 defines requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1985 (Ref. 4). Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. As long as the linear heat rate (LHR) remains within its limit, fuel design criteria are preserved. In this test, the following LCOs are suspended:
LCO 3.1.4, "Moderator Temperature Coefficient (MTC)";
LCO 3.1.5, "Control Element Assembly (CEA) Alignment";
LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits";
LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits (FTxy)";
LCO 3.1.8, "Part Strength Control Element Assembly (CEA) Insertion Limits";
LCO 3.2.2, "Planar Radial Peaking Factors";
LCO 3.2.3, "AZIMUTHAL POWER TILT (Tq)";
LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)"; and
LCO 3.3.3, "Control Element Assembly Calculators (CEACs)".
The safety analysis (Ref. 6) places limits on allowable THERMAL POWER during PHYSICS TESTS and requires that the LHR and the departure from nucleate boiling (DNB) parameter be maintained within limits. The power plateau of ≤ 85% RTP and the associated trip setpoints are required to ensure these limits are maintained. The individual LCOs governing CEA group height, insertion and alignment, ASI, total planar radial peaking factor, total integrated radial peaking factor, and Tq, preserve the LHR limits. Additionally, the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature (Tc), and pressurizer pressure contribute to maintaining DNB parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 7). The criteria for the loss of forced reactor coolant flow accident are specified in Reference 7.
Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria. During PHYSICS TESTS, one or more of the LCOs that normally preserve the LHR and DNB parameter limits may be suspended.
The results of the accident analysis are not adversely impacted, however, if LHR and DNB parameters are verified to be within their limits while the LCOs are suspended.
Therefore, SRs are placed as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS. Performance of these Surveillances allows PHYSICS TESTS to be conducted without decreasing the margin of safety. PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables. Among the process variables involved are total planar radial peaking factor, total integrated radial peaking factor, Tq, and ASI, which represent initial condition input (power peaking) to the accident analysis.
Also involved are the shutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR.
PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications, since the component and process variable LCOs suspended during PHYSICS TESTS meet Criteria 1, 2, and 3 of 10 CFR 50.36 (c)(2)(ii).

LCO
This LCO permits individual CEAs to be positioned outside of their normal group heights and insertion limits during the performance of PHYSICS TESTS, such as those required to: a. Measure CEA worth; b. Determine the reactor stability index and damping factor under xenon oscillation conditions; c. Determine power distributions for nonnormal CEA configurations; d. Measure rod shadowing factors; and e. Measure temperature and power coefficients. Additionally, it permits the center CEA to be misaligned during PHYSICS TESTS required to determine the isothermal temperature coefficient (ITC), MTC, and power coefficient. The requirements of LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, LCO 3.1.7, LCO 3.1.8, LCO 3.2.2, LCO 3.2.3, LCO 3.2.5 and LCO 3.3.3, may be suspended during the performance of PHYSICS TESTS provided THERMAL POWER is restricted to test power plateau, which shall not exceed 85% RTP and that a minimum amount of CEA worth is immediately available for reactivity control.

APPLICABILITY
This LCO is applicable in MODES 1 and 2 because the reactor must be critical at various THERMAL POWER levels to perform the PHYSICS TESTS described in the LCO section. Limiting the test power plateau to ≤ 85% RTP ensures that LHRs are maintained within acceptable limits.

ACTIONS
A.1
If THERMAL POWER exceeds the test power plateau in MODE 1, THERMAL POWER must be reduced to restore the additional thermal margin provided by the reduction. The 15 minute Completion Time ensures that prompt action shall be taken to reduce THERMAL POWER to within acceptable limits.

B.1 and B.2
If Required Action A.1 cannot be completed within the required Completion Time, PHYSICS TESTS must be suspended within 1 hour. Allowing 1 hour for suspending PHYSICS TESTS allows the operator sufficient time to change any abnormal CEA configuration back to within the limits of LCO 3.1.5, LCO 3.1.6, and LCO 3.1.7. Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

SURVEILLANCE REQUIREMENTS
SR 3.1.10.1
Verifying that THERMAL POWER is equal to or less than that allowed by the test power plateau, as specified in the PHYSICS TEST procedure and required by the safety analysis, ensures that adequate LHR and departure from nucleate boiling ratio margins are maintained while LCOs are suspended. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.10.2
Verification of the position of each partially or fully withdrawn full strength or part strength CEA is necessary to ensure that the minimum negative reactivity requirements for insertion on a trip are preserved.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. 10 CFR 50, Appendix B, Section XI.
2. 10 CFR 50.59.
3. Regulatory Guide 1.68, Revision 2, August 1978.
4. ANSI/ANS-19.6.1-1985, December 13, 1985.
5. UFSAR, Chapter 14.
6. UFSAR, Section 15.3.
7. 10 CFR 50.46.

B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.11 Special Test Exceptions (STE) - Reactivity Coefficient Testing
BASES

BACKGROUND
The primary purpose of Reactivity Coefficient Testing is to permit relaxation of existing LCOs to allow the performance of certain PHYSICS TESTS. These tests are conducted to determine isothermal temperature coefficient, moderator temperature coefficient, and power coefficient. Section XI of 10 CFR 50, Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Processing Plants" (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. Testing is required as an integral part of the design, fabrication, construction, and operation of the power plant.
Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59, "Changes, Tests, and Experiments" (Ref. 2). The key objectives of a test program are to (Ref. 3):  a. Ensure that the facility has been adequately designed;  b. Validate the analytical models used in design and analysis;  c. Verify assumptions used for predicting plant response;  d. Ensure that installation of equipment in the facility has been accomplished in accordance with design; and  e. Verify that operating and emergency procedures are adequate. To accomplish these objectives, testing is required prior to initial criticality, after each refueling shutdown, and during startup, low power operation, power ascension, and at power operation.
The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4). PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of testing required to ensure that design intent is met.
PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worth, reactivity coefficients, flux symmetry, and core power distribution.

APPLICABLE SAFETY ANALYSES
It is acceptable to suspend certain LCOs for PHYSICS TESTS because fuel damage criteria are not exceeded. Even if an accident occurs during PHYSICS TESTS with one or more LCOs suspended, fuel damage criteria are preserved because the limits on power distribution and shutdown capability are maintained during PHYSICS TESTS. Reference 5 defines requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1985 (Ref. 4). Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. As long as the linear heat rate (LHR) and DNBR remain within their limits, fuel design criteria are preserved. In this test, the following LCOs are suspended:
LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits";
LCO 3.1.8, "Part Strength Control Element Assembly (CEA) Insertion Limits"; and
LCO 3.4.1, "RCS Pressure, Temperature, and Flow Limits" (LCO 3.4.1.b, RCS Cold Leg Temperature only).
The safety analysis (Ref. 6) requires that the LHR and the departure from nucleate boiling (DNB) parameter be maintained within limits. The associated trip setpoints are required to ensure these limits are maintained. The individual LCOs governing CEA group height, insertion and alignment, ASI, total planar radial peaking factor, total integrated radial peaking factor, and Tq, preserve the LHR limits. Additionally, the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature (Tc), and pressurizer pressure contribute to maintaining DNB parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 7). The criteria for the loss of forced reactor coolant flow accident are specified in Reference 7.
Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria. During PHYSICS TESTS, one or more of the LCOs that normally preserve the LHR and DNB parameter limits may be suspended.
The results of the accident analysis are not adversely impacted, however, if LHR and DNB parameters are verified to be within their limits while the LCOs are suspended.
Therefore, SRs are placed as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS. Performance of these Surveillances allows PHYSICS TESTS to be conducted without decreasing the margin of safety. PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables. Among the process variables involved are total planar radial peaking factor, total integrated radial peaking factor, Tq, and ASI, which represent initial condition input (power peaking) to the accident analysis.
Also involved are the shutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR.
PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications, since the component and process variable LCOs suspended during PHYSICS TESTS meet Criteria 1, 2, and 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO permits Part Strength CEAs and Regulating CEAs to be positioned outside of their normal group heights and insertion limits, and RCS cold leg temperature to be outside its limits during the performance of PHYSICS TESTS. These PHYSICS TESTS are required to determine the isothermal temperature coefficient (ITC), MTC, and power coefficient. The requirements of LCO 3.1.7, LCO 3.1.8, and LCO 3.4.1 (for RCS cold leg temperature only) may be suspended during the performance of PHYSICS TESTS provided COLSS is in service.

APPLICABILITY

This LCO is applicable in MODE 1 with THERMAL POWER > 20% RTP because the reactor must be critical at THERMAL POWER levels > 20% RTP to perform the PHYSICS TESTS described in the LCO section.

ACTIONS

A.1

With the LHR or DNBR outside the limits specified in the COLR, adequate safety margin is not assured and power must be reduced to restore LHR and DNBR to within limits. The required Completion Time of 15 minutes ensures prompt action is taken to restore LHR or DNBR to within limits.
B.1

When the Required Action cannot be met or completed within the required Completion Time, PHYSICS TESTS must be suspended within 1 hour. Allowing 1 hour for suspending PHYSICS TESTS allows the operator sufficient time to change any abnormal conditions back to within the limits of LCO 3.1.7, LCO 3.1.8, and LCO 3.4.1. Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

SURVEILLANCE REQUIREMENTS

SR 3.1.11.1

With THERMAL POWER greater than or equal to 20% RTP, LHR and DNBR can be continuously monitored using the COLSS since the COLSS is available with THERMAL POWER above 20% RTP. If COLSS is not available, LHR and DNBR can be continuously monitored using any OPERABLE CPC channel. Continuous monitoring is required to ensure that the LHR and DNBR limits are satisfied at all times. SRs 3.2.1.1 and 3.2.4.1 provide the specific requirements for performing this SR.

REFERENCES
: 1. 10 CFR 50, Appendix B, Section XI.
: 2. 10 CFR 50.59.
: 3. Regulatory Guide 1.68, Revision 2, August 1978.
: 4. ANSI/ANS-19.6.1-1985, December 13, 1985.
: 5. UFSAR, Chapter 14.
: 6. UFSAR, Section 15.3.
: 7. 10 CFR 50.46.
B 3.2  POWER DISTRIBUTION LIMITS

B 3.2.1  Linear Heat Rate (LHR)

BASES

BACKGROUND

The purpose of this LCO is to limit the core power distribution to the initial values assumed in the accident analyses. Operation within the limits imposed by this LCO limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits the damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable bounding conditions at the onset of a transient. Methods of controlling the power distribution include:

: a. Using full strength or part strength CEAs to alter the axial power distribution;
: b. Decreasing CEA insertion by boration, thereby improving the radial power distribution; and
: c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations.

The core power distribution is controlled so that, in conjunction with other core operating parameters (e.g., CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. The limiting safety system settings and this LCO are based on the accident analyses (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs), and the limits of acceptable consequences are not exceeded for other postulated accidents.
Limiting power distribution skewing over time also minimizes xenon distribution skewing, which is a significant factor in controlling the axial power distribution.
Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on the LHR and Departure from Nucleate Boiling (DNB). Proximity to the DNB condition is expressed by the Departure from Nucleate Boiling Ratio (DNBR), defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3) and corrected for such factors as rod bow and grid spacers. It is accepted as an appropriate margin to DNB for all operating conditions.

There are two systems that monitor core power distribution online: the Core Operating Limit Supervisory System (COLSS) and the Core Protection Calculators (CPCs). The COLSS and CPCs that monitor the core power distribution are capable of verifying that the LHR and the DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR. The CPCs perform this function by continuously calculating an actual value of DNBR and Local Power Density (LPD) for comparison with the respective trip setpoints. The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm if an operating limit is exceeded.
Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded by initiating a reactor trip. The COLSS continually generates an assessment of the calculated margin for specified LHR and DNBR limits. The data required for these assessments include measured incore neutron flux, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.
In addition to the monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicate CEA positions. In this case, the CPCs assume a minimum core power of 20% RTP because the power range excore neutron flux detecting system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high LPD or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits. The LHR and DNBR algorithms are valid within the limits on ASI, Fxy and Tq. These limits are obtained directly from initial core or reload analysis.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation or AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs prevent core power distributions from reaching levels that violate the following fuel design criteria:

: a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);
: b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);
: c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6);
and  d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).
The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in determining the power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing the LHR, ASI, CEAs, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the ranges used in the accident analyses (Ref. 1).

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs from initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and can correspondingly increase local LHR.

The LHR satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).
LCO

The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to the LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR. The limitation on LHR ensures that in the event of a LOCA the peak temperature of the fuel cladding does not exceed 2200°F.
APPLICABILITY

Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:

: a. The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate due to the poor signal to noise ratios at relatively low core power levels; and
: b. As a result of this inaccuracy, the CPCs assume minimum core power of 20% RTP when generating LPD and DNBR trip signals. When core power is below 20% RTP, the core is operating well below its thermal limits and the resultant CPC calculated LPD and DNBR trips are highly conservative.

ACTIONS

A.1

Operation at or below the COLSS calculated power limit based on the LHR ensures that the LHR limit is not exceeded. If the COLSS calculated core power limit based on the LHR exceeds the operating limit, restoring the LHR to within limit in 1 hour ensures that prompt action is taken to reduce LHR to below the specified limit. One hour is a reasonable time to return LHR to within limits when the limit is exceeded without a trip due to events such as a dropped CEA or an axial xenon oscillation.

B.1, B.2.1, and B.2.2

If the COLSS is not available the OPERABLE LPD channels are monitored to ensure that the LHR limit is not exceeded.
Operation within this limit ensures that in the event of a LOCA the fuel cladding temperature does not exceed 2200°F.
Four hours is allowed for restoring the LHR limit to within the region of acceptable operation. This duration is reasonable because the COLSS allows the plant to operate with less LHR margin (closer to the LHR limit than when monitoring the CPCs).
When operating with the COLSS out of service and LHR not within the region of acceptable operation, there is a possibility of a slow undetectable transient that degrades the LHR slowly over the 4 hour period and is then followed by an AOO or an accident. To remedy this, the CPC calculated values of LHR are monitored every 15 minutes when the COLSS is out of service and LHR not within the region of acceptable operation. The 15 minute frequency is adequate to allow the operator to identify an adverse trend in conditions that could result in an approach to the LHR limit. Also, a maximum allowable change in the CPC calculated LHR ensures that further degradation requires the operators to take immediate action to restore LHR to within limits or reduce reactor power to comply with the Technical Specifications (TS).

With an adverse trend, one hour is allowed for restoring LHR to within limits if the COLSS is not restored to OPERABLE status. Implementation of this requirement ensures that reductions in core thermal margin are quickly detected, and if necessary, results in a decrease in reactor power and subsequent compliance with the existing COLSS out of service TS limits. If LHR cannot be monitored every 15 minutes, assume that there is an adverse trend.

With no adverse trend, four hours is allowed to restore the LHR to within limits if the COLSS is not restored to OPERABLE status. This duration is reasonable because the Frequency of the CPC determination of LHR is increased and if operation is maintained steady, the likelihood of exceeding the LHR limit during this period is not increased.
The likelihood of induced reactor transients from an early power reduction is also decreased.

C.1

If the LHR cannot be returned to within its limit or the LHR cannot be determined because of the COLSS and CPC inoperability, core power must be reduced. Reduction of core power to  20% RTP ensures that the core is operating within its thermal limits and places the core in a conservative condition based on the trip setpoints generated by the CPCs, which assume a minimum core power of 20% RTP.
The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach 20% RTP in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.2.1.1

With the COLSS out of service, the operator must monitor the LHR with any OPERABLE local power density channel. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that states that the SR is applicable only when the COLSS is out of service.
Continuous monitoring of the LHR is provided by the COLSS, which calculates core power and core power operating limits based on the LHR and continuously displays these limits to the operator. A COLSS margin alarm is annunciated in the event that the THERMAL POWER exceeds the core power operating limit based on LHR. This SR is also modified by a Note that states that the SR is not required to be performed until 2 hours after MODE 1 with THERMAL POWER > 20% RTP.
During plant startup (increase from 15-18% RTP), the plant dynamics associated with the downcomer to economizer swapover may result in a temporary power increase above 20%
RTP. The 2 hours after reaching 20% RTP is required for plant stabilization.

SR 3.2.1.2

Verification that the COLSS margin alarm actuates at a THERMAL POWER level equal to or less than the core power operating limit based on the LHR in units of kilowatts per foot ensures the operator is alerted when conditions approach the LHR operating limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES
: 1. UFSAR, Section 15.
: 2. UFSAR, Section 6.
: 3. CE-1 Correlation for DNBR.
: 4. 10 CFR 50, Appendix A, GDC 10.
: 5. 10 CFR 50.46.
: 6. Regulatory Guide 1.77, Rev. 0, May 1974.
: 7. 10 CFR 50, Appendix A, GDC 26.
B 3.2  POWER DISTRIBUTION LIMITS

B 3.2.2  Planar Radial Peaking Factors (Fxy)

BASES

BACKGROUND

The purpose of this LCO is to limit the core power distribution to the initial values assumed in the accident analyses. Operation within the limits imposed by this LCO either limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), loss of flow accident, ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable conditions at the onset of a transient. Methods of controlling the power distribution include:
: a. Using full strength or part strength CEAs to alter the axial power distribution;
: b. Decreasing CEA insertion by boration, thereby improving the radial power distribution; and
: c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations.

The core power distribution is controlled so that, in conjunction with other core operating parameters (CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. Limiting safety system settings and this LCO are based on the accident analyses (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs), and the limits of acceptable consequences are not exceeded for other postulated accidents. Limiting power distribution skewing over time also minimizes xenon distribution skewing, which is a significant factor in controlling axial power distribution. Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on Linear Heat Rate (LHR) and Departure from Nucleate Boiling (DNB). Proximity to the DNB condition is expressed by the Departure from Nucleate Boiling Ratio (DNBR), defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref.
3) and corrected for such factors as rod bow and grid spacers, and it is accepted as an appropriate margin to DNB for all operating conditions. There are two systems that monitor core power distribution online:  the Core Operating Limit Supervisory System (COLSS) and the Core Protection Calculators (CPCs). The COLSS and CPCs that monitor the core power distribution are capable of verifying that the LHR and the DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR values. The CPCs perform this function by continuously calculating actual values of DNBR and Local Power Density (LPD) for comparison with the respective trip setpoints. DNBR penalty factors are included in both the COLSS and CPC DNBR calculations to accommodate the effects of rod bow.
The amount of rod bow in each assembly is dependent upon the average burnup experienced by that assembly. Fuel assemblies that incur higher than average burnup experience greater rod bow. Conversely, fuel assemblies that receive lower than average burnup experience less rod bow. In design calculations for a reload core, each batch of fuel is assigned a penalty applied to the maximum integrated planar radial power peak of the batch. This penalty is correlated with the amount of rod bow determined from the maximum average assembly burnup of the batch. A single net penalty for the COLSS and CPCs is then determined from the penalties associated with each batch that comprises a core reload, accounting for the offsetting margins due to the lower radial power peaks in the higher burnup batches.

The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm if an operating limit is exceeded. Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded for AOOs by initiating a reactor trip. The COLSS continually generates an assessment of the calculated margin for LHR and DNBR specified limits. The data required for these assessments include measured incore neutron flux, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.
In addition to monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicate CEA position. In this case, the CPCs assume a minimum core power of 20% RTP. This threshold is set at 20% RTP because the power range excore neutron flux detecting system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high LPD or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits. The limits on ASI, Fxy, and Tq represent limits within which the LHR and DNBR algorithms are valid. These limits are obtained directly from the initial core or reload analysis.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation or AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs prevent core power distributions from reaching levels that violate the following fuel design criteria:

: a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);
: b. During CEA misoperation events or a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);
: c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6);
and d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This result is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and the uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, CEAs, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the ranges used in the accident analyses (Ref. 1).

Fuel cladding damage does not occur because of conditions outside the limits of these LCOs for ASI, Fxy, and Tq during normal operation. However, fuel cladding damage results if an accident occurs from initial conditions outside the limits of these LCOs.
This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased LHR.

Fxy satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to the LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR. Limiting the calculated Planar Radial Peaking Factors (FCxy) used in the COLSS and CPCs to values greater than the measured Planar Radial Peaking Factors (FMxy) ensures that the limits calculated by the COLSS and CPCs remain valid. The Planar Radial Peaking Factor is the ratio of the peak to plane average power density of the individual fuel rods in a given horizontal plane, excluding the effects of azimuthal tilt.

APPLICABILITY

Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:

: a. The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate because of the poor signal to noise ratio that they experience at relatively low core power levels; and
: b. As a result of this inaccuracy, the CPCs assume a minimum core power of 20% RTP when generating the LPD and DNBR trip signals.
When the core power is below 20% RTP, the core is operating well below its thermal limits, and the resultant CPC calculated LPD and DNBR trips are highly conservative.

ACTIONS

A.1.1 and A.1.2

When the FMxy values exceed the FCxy values used in the COLSS and CPCs, nonconservative operating limits and trip setpoints may be calculated. In this case, action must be taken to ensure that the COLSS operating limits and CPC trip setpoints remain valid with respect to the accident analysis. The operator can do this by performing the Required Actions A.1.1 and A.1.2. The 6 hour Completion Time provides the time required to calculate the required multipliers and make the necessary adjustments to the CPC addressable constants. During this period the DNBR and LHR setpoints may be slightly nonconservative but DNBR and LHR are still within limits. Therefore, 6 hours is an acceptable Completion Time to perform these actions considering the low probability of an accident occurring during this time period.

A.2

As an alternative to Required Actions A.1.1 and A.1.2, the operator may adjust the affected values of FCxy used in the COLSS and CPCs to values  FMxy. The 6 hour Completion Time provides the time required to calculate the required multipliers and make the necessary adjustments to the CPC addressable constants. During this period the DNBR and LHR setpoints may be slightly nonconservative but DNBR and LHR are still within limits. Therefore, 6 hours is an acceptable Completion Time to perform these actions considering the low probability of an accident occurring during this time period.
A.3

If Required Actions A.1.1 and A.1.2 or A.2 cannot be accomplished within 6 hours, the core power must be reduced.
Reduction to 20% RTP or less ensures that the core is operating within the specified thermal limits and places the core in a conservative condition based on the trip setpoints generated by the COLSS and CPC operating limits; these limits are established assuming a minimum core power of 20% RTP. Six hours is a reasonable time to reach 20% RTP in an orderly manner and without challenging plant systems.
SURVEILLANCE REQUIREMENTS

SR 3.2.2.1

This periodic Surveillance is for determining, using the Incore Detector System, that FMxy values are  FCxy values used in the COLSS and CPCs. It ensures that the FCxy values used remain valid throughout the fuel cycle. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Determining the FMxy values after each fuel loading when THERMAL POWER is > 40% RTP, but prior to its exceeding 70% RTP, ensures that the core is properly loaded.

REFERENCES

1. UFSAR, Section 15.
2. UFSAR, Section 6.
3. CE-1 Correlation for DNBR.
4. 10 CFR 50, Appendix A, GDC 10.
5. 10 CFR 50.46.
6. Regulatory Guide 1.77, Rev. 0, May 1974.
7. 10 CFR 50, Appendix A, GDC 26.
B 3.2  POWER DISTRIBUTION LIMITS

B 3.2.3  AZIMUTHAL POWER TILT (Tq)

BASES

BACKGROUND

The purpose of this LCO is to limit the core power distribution to the initial values assumed in the accident analyses. Operation within the limits imposed by this LCO either limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), loss of flow accident, ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits the amount of damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable conditions at the onset of a transient.

Methods of controlling the power distribution include:

a. Using full strength or part strength CEAs to alter the axial power distribution;

b. Decreasing CEA insertion by boration, thereby improving the radial power distribution; and

c. Correcting off optimum conditions, (e.g., a CEA drop or misoperation of the unit) that cause margin degradations.

The core power distribution is controlled so that, in conjunction with other core operating parameters (e.g., CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. The limiting safety system settings and this LCO are based on the accident analyses (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs) and the limits of acceptable consequences are not exceeded for other postulated accidents.
Limiting power distribution skewing over time also minimizes xenon distribution skewing, which is a significant factor in controlling axial power distribution.
Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on the Linear Heat Rate (LHR) and the Departure from Nucleate Boiling (DNB).

Proximity to the DNB condition is expressed by the Departure from Nucleate Boiling Ratio (DNBR), defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3) and corrected for such factors as rod bow and grid spacers, and it is accepted as an appropriate margin to DNB for all operating conditions.

There are two systems that monitor core power distribution online: the Core Operating Limit Supervisory System (COLSS) and the Core Protection Calculators (CPCs). The COLSS and CPCs that monitor the core power distribution are capable of verifying that the LHR and the DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR. The CPCs perform this function by continuously calculating actual values of DNBR and Local Power Density (LPD) for comparison with the respective trip setpoints.

A DNBR penalty factor is included in the COLSS and CPC DNBR calculation to accommodate the effects of rod bow. The amount of rod bow in each assembly is dependent upon the average burnup experienced by the assembly.
Fuel assemblies that incur higher than average burnup experience greater magnitude of rod bow. Conversely, fuel assemblies that receive lower than average burnup experience less rod bow.
In design calculations for a reload core, each batch of fuel is assigned a penalty applied to the maximum integrated planar radial power peak of the batch. This penalty is correlated with the amount of rod bow that is determined from the maximum average assembly burnup of the batch. A single net penalty for the COLSS and CPCs is then determined from the penalties associated with each batch that comprises a core reload, accounting for the offsetting margins caused by the lower radial power peaks in the higher burnup batches.
The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm if an operating limit is exceeded. Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded for AOOs by initiating a reactor trip.

The COLSS continually generates an assessment of the calculated margin for LHR and DNBR specified limits. The data required for these assessments include measured incore neutron flux data, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.

In addition to the monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicates CEA position. In this case, the CPCs assume a minimum core power of 20% RTP. This threshold is set at 20% RTP because the power range excore neutron flux detection system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high local power density or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits.

The limits on the ASI, Fxy, and Tq represent limits within which the LHR and DNBR algorithms are valid. These limits are obtained directly from the initial core or reload analysis.
APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of operation and AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs preclude core power distributions that violate the following fuel design criteria:

a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);
b. During CEA misoperation events or a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During a CEA ejection accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6);
and

d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Ref. 1). This result is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analysis (Ref. 2) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 1). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, CEAs, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits of these variables ensures that their actual values are within the range used in the accident analyses (Ref. 1).
Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs due to initial conditions outside the limits of these LCOs. The potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

Tq satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to the LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR.

The limitations on the Tq are provided to ensure that design operating margins are maintained. Tq greater than the limit in the COLR with COLSS in service or > 0.03 with COLSS out of service is not expected. If it occurs, the actions to be taken ensure that operation is restricted to only those conditions required to identify the cause of the tilt. It is necessary to explicitly account for power asymmetries because the radial peaking factors used in the core power distribution calculations are based on an untilted power distribution.

APPLICABILITY

Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:

a.
The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate due to the poor signal to noise ratio that they experience at relatively low core power levels.
b. As a result of this inaccuracy, the CPCs assume a minimum core power of 20% RTP when generating LPD and DNBR trip signals. When the core power is below this level, the core is operating well below its thermal limits and the resultant CPC calculated LPD and DNBR trips are highly conservative.

ACTIONS

A.1 and A.2

If the measured Tq is greater than the Tq allowance used in the CPCs but within the limit in the COLR with COLSS in service or ~ 0.03 with COLSS out of service, nonconservative trip setpoints may be calculated. Required Action A.1 restores Tq to within its specified limits by repositioning the CEAs, and the reactor may return to normal operation. A Completion Time of 2 hours is sufficient time to allow the operator to reposition the CEAs because significant radial xenon redistribution does not occur within this time.

If the Tq cannot be restored within 2 hours, the Tq allowance in the CPCs must be adjusted, per Required Action A.2, to be equal to or greater than the measured value of Tq to ensure that the design safety margins are maintained. The COLSS Tq alarm must also be adjusted to the new CPC allowance, so that the COLSS Tq alarm is still valid.

B.1, B.2, B.3, B.4, and B.5

Required Actions B.1, B.2, B.3, B.4, and B.5 are modified by a Note that requires action B.5 be performed if power reduction commences prior to restoring Tq within the limit. This requirement ensures that corrective action is taken before unrestricted power operation resumes.
If the measured Tq is not within the limit in the COLR with COLSS in service or > 0.03 with COLSS out of service, THERMAL POWER is reduced to ~ 50% RTP within 4 hours. The 4 hours allows enough time to take action to restore Tq prior to reducing power and limits the probability of operation with a power distribution out of limits. Such actions include performing SR 3.2.3.2, which provides a value of Tq that can be used in subsequent actions.
Also in the case of a tilt generated by a CEA misalignment, the 4 hours allows recovery of the CEA misalignment. Except as a result of CEA misalignment, a measured Tq not within the limit in the COLR with COLSS in service or > 0.03 with COLSS out of service is not expected. If it occurs, continued operation of the reactor may be necessary to discover the cause of the tilt. Operation then is restricted to only those conditions required to identify the cause of the tilt. It is necessary to explicitly account for power asymmetries because the radial power peaking factors used in the core power distribution calculation are based on an untilted power distribution.

If the measured Tq is not restored to within its specified limits, the reactor continues to operate with an axial power distribution mismatch. Continued operation in this configuration may induce an axial xenon oscillation, which results in increased LHGRs when the xenon redistributes. If the measured Tq cannot be restored to within its limit within 4 hours, reactor power must be reduced. Reducing THERMAL POWER to < 50% RTP within 4 hours provides an acceptable level of protection from increased power peaking due to potential xenon redistribution while maintaining a power level sufficiently high enough to allow the tilt to be analyzed.

The Variable Overpower trip setpoints are reduced to
~ 55% RTP to ensure that the assumptions of the accident analysis regarding power peaking are maintained. After power has been reduced to ~ 50% RTP, the rate and magnitude of changes in the core flux are greatly reduced. Therefore, 16 hours is an acceptable time period to allow for reduction of the Variable Overpower trip setpoints, Required Action B.2. The 16 hour Completion Time allowed to reduce the Variable Overpower trip setpoints is required to perform the actions necessary to reset the trip setpoints. THERMAL POWER is restricted to 50% RTP until the measured Tq is restored to within its specified limit by correcting the out of limit condition. This action prevents the operator from increasing THERMAL POWER above the conservative limit when a significant Tq has existed, but allows the unit to continue operation for diagnostic purposes.
If Tq is restored prior to identifying and correcting the cause, the plant corrective action program will continue to evaluate the cause of the out of limit condition. After a THERMAL POWER increase following restoration of Tq, operation may proceed provided the measured Tq is determined to remain within its specified limit at the increased THERMAL POWER level.

The provision to allow discontinuation of the Surveillance after verifying that Tq is within its specified limit at least once per hour for 12 hours or until Tq is verified to be within its specified limit at a THERMAL POWER  95% RTP provides an acceptable exit from this action after the measured Tq has been returned to an acceptable value.

C.1

If the measured Tq cannot be restored or determined within its specified limit, core power must be reduced. Reduction of core power to ~ 20% RTP ensures that the core is operating within its thermal limits and places the core in a conservative condition based on the trip setpoints generated by the CPCs, which assume a minimum core power of 20% RTP.
Six hours is a reasonable time to reach 20% RTP in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.2.3.1

Continuous monitoring of the measured Tq by the incore nuclear detectors is provided by the COLSS. A COLSS alarm is annunciated in the event that the measured Tq exceeds the value used in the CPCs. With the COLSS out of service, the operator must calculate Tq and verify that it is within its specified limits. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is also modified by a Note that states that the SR is not required to be performed until 2 hours after MODE 1 with THERMAL POWER > 20% RTP. During plant startup (increase from 15-18% RTP), the plant dynamics associated with the downcomer to economizer swapover may result in a temporary power increase above 20% RTP. The 2 hours after reaching 20% RTP is required for plant stabilization.

SR 3.2.3.2

Verification that the COLSS Tq alarm actuates at a value less than the value used in the CPCs ensures that the operator is alerted if Tq approaches its operating limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.2.3.3

Independent confirmation of the validity of the COLSS calculated Tq ensures that the COLSS accurately identifies Tq's. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES

1. UFSAR, Section 15.
2. UFSAR, Section 6.
3. CE-1 Correlation for DNBR.
4. 10 CFR 50, Appendix A, GDC 10.
5. 10 CFR 50.46.
6. Regulatory Guide 1.77, Rev. 0, May 1974.
7. 10 CFR 50, Appendix A, GDC 26.
B 3.2  POWER DISTRIBUTION LIMITS

B 3.2.4  Departure from Nucleate Boiling Ratio (DNBR)

BASES

BACKGROUND

The purpose of this LCO is to limit the core power distribution to the initial value assumed in the accident analyses. Specifically, operation within the limits imposed by this LCO either limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA),
loss of flow accident, ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits the amount of damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable conditions at the onset of a transient. Methods of controlling the power distribution include:  a. Using full strength or part strength CEAs to alter the axial power distribution;  b. Decreasing CEA insertion by boration, thereby improving the radial power distribution; and  c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations. The core power distribution is controlled so that, in conjunction with other core operating parameters (e.g., CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. The limiting safety system settings and this LCO are based on the accident analysis (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs) and the limits of acceptable consequences are not exceeded for other postulated accidents. Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in controlling axial power distribution.
Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on the Linear Heat Rate (LHR) and the Departure from nucleate boiling (DNB).

Proximity to the DNB condition is expressed by the DNBR, defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3) and corrected for such factors as rod bows and grid spacers and it is accepted as an appropriate margin to DNB for all operating conditions.

There are two systems that monitor core power distribution online: the Core Operating Limits Supervisory System (COLSS) and the Core Protection Calculators (CPCs). The COLSS and CPCs that monitor the core power distribution are capable of verifying that the LHR and DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR. The CPCs perform this function by continuously calculating an actual value of DNBR and LPD for comparison with the respective trip setpoints.

A DNBR penalty factor is included in both the COLSS and CPC DNBR calculation to accommodate the effects of rod bow. The amount of rod bow in each assembly is dependent upon the average burnup experienced by that assembly. Fuel assemblies that incur higher than average burnup experience a greater magnitude of rod bow.
Conversely, fuel assemblies that receive lower than average burnup experience less rod bow. In design calculations for a reload core, each batch of fuel is assigned a penalty that is applied to the maximum integrated planar radial power peak of the batch. This penalty is correlated with the amount of rod bow that is determined from the maximum average assembly burnup of the batch. A single net penalty for the COLSS and CPCs is then determined from the penalties associated with each batch that comprises a core reload, accounting for the offsetting margins due to the lower radial power peaks in the higher burnup batches.
The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm when an operating limit is exceeded. Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded during AOOs by initiating a reactor trip.

The COLSS continually generates an assessment of the calculated margin for LHR and DNBR specified limits. The data required for these assessments include measured incore neutron flux, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.

In addition to the monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicates CEA position. In this case, the CPCs assume a minimum core power of 20% RTP because the power range excore neutron flux detecting system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high local power density or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits.

The limits on ASI, Fxy, and Tq represent limits within which the LHR and DNBR algorithms are valid. These limits are obtained directly from the initial core or reload analysis.
APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation or AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs prevent core power distributions from reaching levels that violate the following fuel design criteria:

a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);
b. During CEA misoperation events or a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 3);

c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6);
and

d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Ref. 4). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 4). Peak cladding temperatures exceeding 2200°F may cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, CEAs, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the range used in the accident analyses (Ref. 1).
Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs from initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

DNBR satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to the LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR.

With the COLSS in service and at least one of the Control Element Assembly Calculators (CEACs) OPERABLE in each operable CPC Channel, the DNBR will be maintained by ensuring that the core power calculated by the COLSS is equal to or less than the permissible core power operating limit based on DNBR calculated by the COLSS. In the event that the COLSS is in service but the above condition is not met, the DNBR is maintained by ensuring that the core power calculated by the COLSS is equal to or less than a reduced value of the permissible core power operating limit calculated by the COLSS. In this condition, the calculated operating limit must be reduced by the allowance specified in the COLR.

In instances for which the COLSS is out of service and at least one of the CEACs are OPERABLE in each operable CPC Channel, the DNBR is maintained by operating within the acceptable region specified in the COLR and using any OPERABLE CPC channel.
Alternatively, when the COLSS is out of service and the above condition is not met, the DNBR is maintained by operating within the acceptable region specified in the COLR for this condition and using any OPERABLE CPC channel with two inoperable CEACs. Note that the DNBR Margin Operating Limit based on CPC COLR limits (Figures 3.2.4-2 & 3.2.4-3) should not be used during a four finger CEA misalignment event as the radial distortion (static and xenon transient) and azimuthal tilt are not accounted for in the CPC DNBR calculation in all cases.
With the COLSS out of service, the limitation on DNBR as a operating conditions consistent with the analysis assumptions that have been analytically demonstrated adequate to maintain an acceptable minimum DNBR for all AOOs. Operation of the core with a DNBR at or above this limit ensures that an acceptable minimum DNBR is maintained in the event of the most limiting AOO (i.e., loss of flow transient, CEA misoperation events, or asymmetric SG transient).

APPLICABILITY

Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:

a. The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate due to the poor signal to noise ratio that they experience at relatively low core power levels.
b. As a result of this inaccuracy, the CPCs assume a minimum core power of 20% RTP when generating the Local Power Density (LPD) and DNBR trip signals. When the core power is below this level, the core is operating well below the thermal limits and the resultant CPC calculated LPD and DNBR trips are highly conservative.

ACTIONS

A.1

Operating at or above the minimum required value of the DNBR ensures that an acceptable minimum DNBR is maintained in the event of a postulated AOO.
If the core power as calculated by the COLSS exceeds the core power limit calculated by the COLSS based on the DNBR, fuel design limits may not be maintained following an AOO and prompt action must be taken to restore the DNBR above its minimum Allowable Value. With the COLSS in service, 1 hour is a reasonable time for the operator to initiate corrective actions to restore the DNBR above its specified limit, because of the low probability of a severe transient occurring in this relatively short time.
B.1, B.2.1, and B.2.2

If the COLSS is not available, the OPERABLE DNBR channels are monitored to ensure that the DNBR is not exceeded.
Maintaining the DNBR within this specified range ensures that no postulated accident results in consequences more severe than those described in the UFSAR, Chapter 15. A 4 hour Frequency is allowed to restore the DNBR limit to within the region of acceptable operation. This Frequency is reasonable because the COLSS allows the plant to operate with less DNBR margin (closer to the DNBR limit) than when monitoring with the CPCs. When operating with the COLSS out of service and DNBR outside the region of acceptable operation, there is a possibility of a slow undetectable transient that degrades the DNBR slowly over the 4 hour period and is then followed by an anticipated operational occurrence or an accident. To remedy this, the CPC calculated values of DNBR are monitored every 15 minutes when the COLSS is out of service and DNBR outside the region of acceptable operation. The 15 minute frequency is adequate to allow the operator to identify an adverse trend in conditions that could result in an approach to the DNBR limit. Also, a maximum allowable change in the CPC calculated DNBR ensures that further degradation requires the operators to take immediate action to restore DNBR to within limits or reduce reactor power to comply with the Technical Specifications (TS). With an adverse trend, 1 hour is allowed for restoring DNBR to within limits if the COLSS is not restored to OPERABLE status. Implementation of this requirement ensures that reductions in core thermal margin are quickly detected and, if necessary, results in a decrease in reactor power and subsequent compliance with the existing COLSS out of service TS limits. If DNBR cannot be monitored every 15 minutes, assume that there is an adverse trend. With no adverse trend, 4 hours is allowed for restoring the DNBR to within limits if the COLSS is not restored to OPERABLE status. 
This duration is reasonable because the Frequency of the CPC determination of DNBR has been increased, and, if operation is maintained steady, the likelihood of exceeding the DNBR limit during this period is not increased. The likelihood of induced reactor transients from an early power reduction is also decreased.
C.1

If the DNBR cannot be restored or determined within the allowed times of Conditions A and B, core power must be reduced. Reduction of core power to ~ 20% RTP ensures that the core is operating within its thermal limits and places the core in a conservative condition based on trip setpoints generated by the CPCs, which assume a minimum core power of 20% RTP. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach 20% RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.2.4.1

With the COLSS out of service, the operator must monitor the DNBR as indicated on all of the OPERABLE DNBR channels of the CPCs to verify that the DNBR is within the specified limits shown in the COLR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that states that the SR is only applicable when the COLSS is out of service.
Continuous monitoring of the DNBR is provided by the COLSS, which calculates core power and core power operating limits based on the DNBR and continuously displays these limits to the operator. A COLSS margin alarm is annunciated in the event that the THERMAL POWER exceeds the core power operating limit based on the DNBR. This SR is also modified by a Note that states that the SR is not required to be performed until 2 hours after MODE 1 with THERMAL POWER > 20% RTP. During plant startup (increase from 15-18% RTP), the plant dynamics associated with the downcomer to economizer swapover may result in a temporary power increase above 20% RTP. The 2 hours after reaching 20% RTP is required for plant stabilization.
SR 3.2.4.2

Verification that the COLSS margin alarm actuates at a power level equal to or less than the core power operating limit, as calculated by the COLSS, based on the DNBR, ensures that the operator is alerted when operating conditions approach the DNBR operating limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 15.
2. UFSAR, Chapter 6.
3. CE-1 Correlation for DNBR.
4. 10 CFR 50, Appendix A, GDC 10.
5. 10 CFR 50.46.
6. Regulatory Guide 1.77, Rev. 0, May 1974.
7. 10 CFR 50, Appendix A, GDC 26.
B 3.2 POWER DISTRIBUTION LIMITS
B 3.2.5 AXIAL SHAPE INDEX (ASI)
BASES

BACKGROUND

The purpose of this LCO is to limit the core power distribution to the initial values assumed in the accident analysis. Operation within the limits imposed by this LCO either limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), loss of flow accident, ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits the amount of damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable conditions at the onset of a transient.

Methods of controlling the axial power distribution include:

a. Using full strength or part strength CEAs to alter the axial power distribution;
b. Decreasing CEA insertion by boration, thereby improving the axial power distribution; and
c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations.

The core power distribution is controlled so that, in conjunction with other core operating parameters (CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. The limiting safety system settings are based on the accident analyses (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs) and the limits of acceptable consequences are not exceeded for other postulated accidents.
Limiting power distribution skewing over time also minimizes xenon distribution skewing, which is a significant factor in controlling axial power distribution.
Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on the Linear Heat Rate (LHR) and the Departure from Nucleate Boiling (DNB).

Proximity to the DNB condition is expressed by the Departure from Nucleate Boiling Ratio (DNBR), defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3), and corrected for such factors as rod bow and grid spacers, and it is accepted as an appropriate margin to DNB for all operating conditions.

There are two systems that monitor core power distribution online: the Core Operating Limit Supervisory System (COLSS) or the Core Protection Calculators (CPCs). The COLSS and CPCs monitor the core power distribution and are capable of verifying that the LHR and DNBR do not exceed their limits.
The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR. The CPCs perform this function by continuously calculating actual values of DNBR and local power density (LPD) for comparison with the respective trip setpoints. A DNBR penalty factor is included in both the COLSS and CPC DNBR calculations to accommodate the effects of rod bow.
The amount of rod bow in each assembly is dependent upon the average burnup experienced by that assembly. Fuel assemblies that incur higher than average burnup experience greater rod bow. Conversely, fuel assemblies that receive lower than average burnup experience less rod bow. In design calculations for a reload core, each batch of fuel is assigned a penalty that is applied to the maximum integrated planar radial power peak of the batch. This penalty is correlated with the amount of rod bow that is determined from the maximum average assembly burnup of the batch. A single net penalty for the COLSS and CPC is then determined from the penalties associated with each batch that comprises a core reload, accounting for the offsetting margins due to the lower radial power peaks in the higher burnup batches.
The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm if an operating limit is exceeded. Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded for AOOs by initiating a reactor trip.

The COLSS continually generates an assessment of the calculated margin for LHR and DNBR specified limits. The data required for these assessments include measured incore neutron flux, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.

In addition to the monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicates CEA position. In this case, the CPCs assume a minimum core power of 20% RTP because the power range excore neutron flux detecting system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high local power density or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits.

The limits on ASI, Fxy, and Tq represent limits within which the LHR and DNBR algorithms are valid. These limits are obtained directly from the initial core or reload analysis.
APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of operation or AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs prevent core power distributions from reaching levels that violate the following fuel design criteria:

a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);
b. During CEA misoperation events or a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6);
d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations among measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F may cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core.
Operation within the limits for these variables ensures that their actual values are within the range used in the accident analysis (Ref. 1). Fuel cladding damage does not occur from conditions outside these LCOs during normal operation. However, fuel cladding damage results when an accident occurs due to initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.
The ASI satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR. The COLR provides separate limits that are based on different combinations of COLSS and CEACs being in and out of service.

The limitation on ASI ensures that the actual ASI value is maintained within the range of values used in the accident analyses. The ASI limits ensure that with Tq at its maximum upper limit, the DNBR does not drop below the DNBR Safety Limit for AOOs.

APPLICABILITY

Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:

a. The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate due to the poor signal to noise ratio that they experience at relatively low core power levels.
b. As a result of this inaccuracy, the CPCs assume a minimum core power of 20% RTP when generating the LPD and DNBR trip signals. When the core power is below this level, the core is operating well below the thermal limits and the resultant CPC calculated LPD and DNBR trips are strongly conservative.
ACTIONS

A.1

The ASI limits specified in the COLR ensure that the LOCA and loss of flow accident criteria assumed in the accident analyses remain valid. If the ASI exceeds its limit, a Completion Time of 2 hours is allowed to restore the ASI to within its specified limit. This duration gives the operator sufficient time to reposition the regulating or part strength CEAs to reduce the axial power imbalance. The magnitude of any potential xenon oscillation is significantly reduced if the condition is not allowed to persist for more than 2 hours.

B.1

If the ASI is not restored to within its specified limits within the required Completion Time, the reactor continues to operate with an axial power distribution mismatch.
Continued operation in this configuration induces an axial xenon oscillation, and results in increased LHGRs when the xenon redistributes. Reducing thermal power to 20% RTP reduces the maximum LHR to a value that does not exceed the fuel design limits if a design basis event occurs. The allowed Completion Time of 4 hours is reasonable, based on operating experience, to reduce power in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.2.5.1

The ASI can be monitored by both the incore (COLSS) and excore (CPC) neutron detector systems. The COLSS provides the operator with an alarm if an ASI limit is approached. Verification of the ASI ensures that the operator is aware of changes in the ASI as they develop. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that states that the SR is not required to be performed until 2 hours after MODE 1 with THERMAL POWER > 20% RTP. During plant startup (increase from 15-18% RTP), the plant dynamics associated with the downcomer to economizer swapover may result in a temporary power increase above 20% RTP. The 2 hours after reaching 20% RTP is required for plant stabilization.

REFERENCES

1. UFSAR, Chapter 15.
2. UFSAR, Chapter 6.
3. CE-1 Correlation for DNBR.
4. 10 CFR 50, Appendix A, GDC 10.
5. 10 CFR 50.46.
6. Regulatory Guide 1.77, Rev. 0, May 1974.
7. 10 CFR 50, Appendix A, GDC 26.
B 3.3 INSTRUMENTATION
B 3.3.1 Reactor Protective System (RPS) Instrumentation - Operating
BASES

BACKGROUND

The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Except for Trip Functions 6 and 7, the LSSS defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs). For Trip Functions 6 and 7, the UFSAR Trip Setpoint is the LSSS.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

- The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);
- Fuel centerline melting shall not occur; and
- The Reactor Coolant System (RCS) pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life.
The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RPS is segmented into four interconnected modules. These modules are:

- Measurement channels;
- Bistable trip units;
- RPS Logic; and
- Reactor trip circuit breakers (RTCBs).

This LCO addresses measurement channels and bistable trip units. It also addresses the automatic bypass removal feature for those trips with operating bypasses. The RPS Logic and RTCBs are addressed in LCO 3.3.4, "Reactor Protective System (RPS) Logic and Trip Initiation." The CEACs are addressed in LCO 3.3.3, "Control Element Assembly Calculators (CEACs)."

Measurement Channels

Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

The excore nuclear instrumentation, the core protection calculators (CPCs), and the CEACs, though complex, are considered components in the measurement channels of the Variable Over Power - High, Logarithmic Power Level - High, DNBR - Low, and Local Power Density (LPD) - High trips.

Four identical measurement channels, designated channels A through D, with electrical and physical separation, are provided for each parameter used in the generation of trip signals, with the exception of the control element assembly (CEA) position indication used in the CPCs. Each measurement channel provides input to one or more RPS bistables within the same RPS channel.
In addition, some measurement channels may also be used as inputs to Engineered Safety Features Actuation System (ESFAS) bistables, and most provide indication in the control room.
Measurement channels used as an input to the RPS are not used for control functions.

When a channel monitoring a parameter exceeds a predetermined setpoint, indicating an unsafe condition, the bistable monitoring the parameter in that channel will trip. Tripping bistables monitoring the same parameter in two or more channels will de-energize Matrix Logic, which in turn de-energizes the Initiation Logic. This causes all four RTCBs to open, interrupting power to the CEAs, allowing them to fall into the core.

Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 1). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure in the RPS can either cause an inadvertent trip or prevent a required trip from occurring.

Adequate channel to channel independence includes physical and electrical independence of each channel from the others. This allows operation in two-out-of-three logic with one channel removed from service until following the next MODE 5 entry. Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control function, this arrangement meets the applicable requirements of standards referenced in the UFSAR, Chapter 7 (Ref. 4).

The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips.
Four separate CPCs perform the calculations independently, one for each of the four RPS channels. The CPCs provide outputs to drive display indications (DNBR margin, LPD margin, and calibrated neutron flux power levels) and provide DNBR - Low and LPD - High pretrip and trip signals.
The CPC channel outputs for the DNBR - Low and LPD - High trips operate contacts in the Matrix Logic in a manner identical to the other RPS trips. Each CPC receives the following inputs:
- Hot leg and cold leg temperatures;
- Pressurizer pressure;
- Reactor coolant pump speed;
- Excore neutron flux levels;
- Target CEA positions; and
- CEAC penalty factors.

Each CPC is programmed with "addressable constants." These are various alignment values, correction factors, etc., that are required for the CPC computations. They can be accessed for display or for the purpose of changing them as necessary.

The CPCs use this constant and variable information to perform a number of calculations. These include the calculation of CEA group and subgroup deviations (and the assignment of conservative penalty factors), correction and calculation of average axial power distribution (APD) (based on excore flux levels and CEA positions), calculation of coolant flow (based on pump speed), and calculation of calibrated average power level (based on excore flux levels and ΔT power).

The DNBR calculation considers primary pressure, inlet temperature, coolant flow average power, APD, radial peaking factors, and CEA deviation penalty factors from the CEACs to calculate the state of the limiting (hot) coolant channel in the core. A DNBR - Low trip occurs when the calculated value reaches the minimum DNBR trip setpoint.

The LPD calculation considers APD, average power, radial peaking factors (based upon target CEA position), and CEAC penalty factors to calculate the current value of compensated peak power density. An LPD - High trip occurs when the calculated value reaches the trip setpoint. The four CPC channels provide input to the four DNBR - Low and four LPD - High RPS trip channels. They effectively act as the sensor and bistable trip units (using many inputs) for these trips.
The CEACs perform the calculations required to determine the position of CEAs within their subgroups for the CPCs.
Two independent CEACs within each CPC channel compare the position of each CEA to its subgroup position. If a deviation is detected by either CEAC, an annunciator sounds and appropriate "penalty factors" are transmitted to the CPC in the affected channel. These penalty factors conservatively adjust the effective operating margins to the DNBR - Low and LPD - High trips. Each CEA has two separate reed switch position transmitter (RSPT) assemblies mounted outside the Reactor Coolant Pressure Boundary (RCPB), designated RSPT 1 and RSPT 2.
CEA position from the RSPTs is processed by two CEA Position Processors (CPPs) located in each CPC channel. The CPPs transmit CEA position to the appropriate CEAC in all four CPC channels over optically isolated datalinks, such that CEAC 1 in all channels receives the position of all CEAs based upon RSPT 1, and CEAC 2 receives the position of all CEAs based upon RSPT 2. Thus the position of all CEAs is independently monitored by both CEACs in each CPC channel. The CPCs display the position of each CEA to the operator on a separate single CEA Position Flat Panel Display. Each CPC channel is connected to the display by means of an optically isolated data link. The operator may select the channel for display. Selecting channel A or B will display CEA position based upon RSPT 1 on each CEA, whereas selecting channel C or D will display CEA position based upon RSPT 2 on each CEA. CEACs are addressed in LCO 3.3.3.
Bistable Trip Units

Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels. They compare the analog input to trip setpoints and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation. There are four channels of bistables, designated A, B, C, and D, for each RPS parameter, one for each measurement channel. Bistables de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks. The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate a reactor trip (two-out-of-four logic).

Some measurement channels provide contact outputs to the PPS. In these cases, there is no bistable card, and opening the contact input directly de-energizes the associated bistable relays. These include the CPC generated DNBR - Low and LPD - High trips. The CPC auxiliary trip functions (e.g., CPC VOPT algorithm) do not have any direct contact outputs to the PPS. The auxiliary trip functions act through the DNBR - Low and LPD - High trip contacts to de-energize the associated CPC initiation relays that provide a channel trip signal to the PPS parameters 3 and 4 bistable relays. Other CPC trip functions may also apply a penalty factor to cause a DNBR or LPD trip.

The trip setpoints used in the bistables are based on the analytical limits derived from the accident analysis (Ref. 5). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account.
To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in "Calculation of Trip Setpoint Values" (Ref. 7). The UFSAR Trip Setpoints are based on the calculated total loop uncertainty consistent with the methodology as documented in the UFSAR (RG 1.105, Revision 1, November 1976) (Ref. 14).

The general relationship among the PVNGS trip setpoint terms is as follows: The calculated Limiting Setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety limit is maintained.
A channel is inoperable if its actual setpoint is non-conservative with respect to its Allowable Value. To maintain the margins of safety assumed in the safety analyses, the calculations of the trip variables for the DNBR - Low and Local Power Density - High trips include the measurement, calculational, and processor uncertainties and dynamic allowances as defined in the latest applicable revision of CEN-305-P, "Functional Design Requirements for a Core Protection Calculator" (Ref. 10) and CEN-304-P, "Functional Design Requirements for a Control Element Assembly Calculator," (Ref. 11). The safety analyses also credit the CPC auxiliary trip functions (VOPT, T-hot Saturation, ASGT, and Low RCS Pressure), which act through the DNBR - Low and LPD - High trip contacts, to provide core protection during Anticipated Operational Occurrences and Design Basis Accidents (Ref. 5 and 8). Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0,  "SAFETY LIMITS (SLs)," are not violated during AOOs, and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed. Note that in LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS, except for Trip Functions 6 and 7. For Trip Functions 6 and 7, the UFSAR Trip Setpoint is the LSSS.
Functional testing of the entire RPS, from bistable input through the opening of individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested. CPC and CEAC functional testing is performed quarterly and during refueling.
UFSAR, Section 7.2 (Ref. 8), provides more detail on RPS testing. Processing transmitter calibration is normally performed on a refueling basis.

RPS Logic

The RPS Logic, addressed in LCO 3.3.4, consists of both Matrix and Initiation Logic and employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic. Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths. Each trip path provides power to one of the four normally energized RTCB initiation relays. The trip paths thus each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition. Each trip path is responsible for opening one of the four RTCBs. The RTCB initiation relays, when de-energized, interrupt power to the breaker undervoltage trip attachments and simultaneously apply power to the shunt trip attachments on each of the breakers. Actuation of either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs).
When a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four initiation relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all four RTCBs, tripping them open.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel. The Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, initiation relays, and the initiation relay contacts in the RTCB control circuitry.

It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel.
Trip channel bypassing is normally employed during maintenance or testing. Two-out-of-three logic also prevents inadvertent trips caused by any single channel failure in a trip condition.
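The coincidence logic and trip channel bypass described above can be modeled in a few lines. This is an added illustration, not PVNGS design documentation or plant software; the class, method, and dictionary key names are hypothetical, and relay contacts are reduced to booleans.

```python
"""Model of two-out-of-four coincidence logic with trip channel bypass."""
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# Six logic matrices, one per pair of bistable channels: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(a + b for a, b in combinations(CHANNELS, 2))
TRIP_PATHS = (1, 2, 3, 4)  # each trip path powers one RTCB initiation relay


class BypassInterlock(Exception):
    """The parameter is already trip channel bypassed in another channel."""


class RpsLogic:
    def __init__(self):
        self._bypass = {}  # parameter -> the one channel bypassed for it

    def bypass(self, parameter, channel):
        # Interlock: a parameter may be bypassed in only one channel at a time.
        held = self._bypass.get(parameter)
        if held not in (None, channel):
            raise BypassInterlock(f"{parameter} already bypassed in {held}")
        self._bypass[parameter] = channel

    def remove_bypass(self, parameter):
        self._bypass.pop(parameter, None)

    def contact_open(self, parameter, channel, tripped):
        """State of a bistable relay contact as the matrices see it."""
        if self._bypass.get(parameter) == channel:
            return False  # bypass shorts this contact in its three matrices
        return channel in tripped.get(parameter, set())

    def evaluate(self, tripped):
        """tripped maps parameter -> set of channels whose bistable tripped."""
        # A matrix sees a coincidence when both of its channels show an open
        # contact for the SAME parameter.
        coincident = [
            m for m in MATRICES
            if any(self.contact_open(p, m[0], tripped)
                   and self.contact_open(p, m[1], tripped) for p in tripped)
        ]
        # Each matrix holds four relays, one per trip path; a coincidence
        # de-energizes all four relays of that matrix.
        relay = {m: {tp: m not in coincident for tp in TRIP_PATHS}
                 for m in MATRICES}
        # A trip path is six contacts in series, one from each matrix.
        path_energized = {tp: all(relay[m][tp] for m in MATRICES)
                          for tp in TRIP_PATHS}
        return {
            # Bistables still indicate a trip even when bypassed.
            "indication": {p: sorted(c) for p, c in tripped.items() if c},
            "matrices": coincident,
            "rtcbs_open": [tp for tp in TRIP_PATHS if not path_energized[tp]],
            "reactor_trip": not any(path_energized.values()),
        }


if __name__ == "__main__":
    rps = RpsLogic()
    param = "Pressurizer Pressure - High"
    print(rps.evaluate({param: {"A", "C"}}))   # coincidence in matrix AC
    rps.bypass(param, "A")                     # now two-out-of-three on B, C, D
    print(rps.evaluate({param: {"A", "C"}}))   # indication only, no trip
```

With channel A bypassed, a trip in A plus one other channel still annunciates but produces no coincidence, which is the two-out-of-three behavior the text describes.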
In addition to the trip channel bypasses, there are also operating bypasses on select RPS trips. These bypasses are enabled manually in all four RPS channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied. Operating bypasses are normally implemented in the bistable, so that normal trip indication is also disabled. Trips with operating bypasses include Pressurizer Pressure - Low, Logarithmic Power Level - High, and CPC (DNBR - Low and LPD - High). Refer also to B 3.3.5 for ESFAS operating bypasses.

Reactor Trip Circuit Breakers (RTCBs)

The reactor trip switchgear, addressed in LCO 3.3.4, consists of four RTCBs. Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel, such that the loss of either MG set does not de-energize the CEDMs. Power is supplied from the MG sets to the CEDMs via two redundant paths (trip legs). Trip legs 1 and 3 are in parallel with Trip legs 2 and 4. This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses. Each of the two trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits. Each RTCB is operated by either a manual reactor trip push button, a Supplementary Protection System (SPS) trip relay, or an RPS actuated Initiation relay. There are four Manual Trip push buttons; each push button operates one of the four RTCBs. Depressing either of the push buttons in both trip legs will result in a reactor trip.
When a Manual Trip is initiated using the control room push buttons, the RPS trip paths and Initiation relays are not utilized, and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS.
Manual Trip circuitry includes the push button and interconnecting wiring to the RTCBs necessary to actuate both the undervoltage and shunt trip attachments but excludes the Initiation relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic. Functional testing of the entire RPS, from bistable input through the opening of individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. UFSAR, Section 7.2 (Ref. 8), explains RPS testing in more detail.

APPLICABLE SAFETY ANALYSES

Design Basis Definition

The RPS is designed to ensure that the following operational criteria are met: The associated actuation will occur when the parameter monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied; Separation and redundancy are maintained to permit a channel to be out of service for testing or maintenance while still maintaining redundancy within the RPS instrumentation network. Each of the analyzed accidents and transients can be detected by one or more RPS Functions. The accident analysis takes credit for most of the RPS trip Functions.
Those functions for which no credit is taken, termed equipment protective functions, are not needed from a safety perspective. Each RPS setpoint is chosen to be consistent with the function of the respective trip. The basis for each trip setpoint falls into one of three general categories: Category 1: To ensure that the SLs are not exceeded during AOOs; Category 2: To assist the ESFAS during accidents; and Category 3: To prevent material damage to major plant components (equipment protective).
The RPS maintains the SLs during AOOs and mitigates the consequences of DBAs in all MODES in which the RTCBs are closed. Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis are part of the NRC staff approved licensing basis for the plant.
Noncredited Functions include the Steam Generator #1 Level - High, and the Steam Generator #2 Level - High. These trips minimize the potential for equipment damage. The specific safety analysis applicable to each protective function is identified below:

1. Variable Over Power-High (RPS)

The Variable Over Power - High Trip (RPS-VOPT) is provided to protect the reactor core during positive reactivity addition excursions. Under steady state conditions the trip setpoint will stay above the neutron power level signal by a preset value, called the Band function. When the power level increases, the setpoint will increase to attempt to maintain the separation defined by the Band function; however, the rate of the setpoint change is limited by the Rate function. If the power level signal increases faster than the setpoint, a trip will occur when the power level eventually equals the trip setpoint. The maximum value the setpoint can have is determined by the Ceiling function. A positive reactivity excursion transient will be detected by one or more RPS Functions. The Variable Over Power-High trip (RPS-VOPT) can provide protection against core damage during the following events: Uncontrolled CEA Withdrawal From Subcritical and Low Power (AOO); and CEA Ejection (Accident).
2. Logarithmic Power Level - High

The Logarithmic Power Level - High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition. In MODES 2, 3, 4, and 5, with the RTCBs closed and the CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 1E-4% NRTP. For events originating above this power level, other trips provide adequate protection. MODES 3, 4, and 5, with the RTCBs closed, are addressed in LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation - Shutdown." In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level - High trip does not have to be OPERABLE. The indication and alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12, "Boron Dilution Alarm System (BDAS)".

3. Pressurizer Pressure - High

The Pressurizer Pressure - High trip provides protection for the high RCS pressure SL. In conjunction with the pressurizer safety valves and the main steam safety valves (MSSVs), it provides protection against overpressurization of the RCPB during the following events: Loss of Condenser Vacuum (AOO); CEA Withdrawal From Low Power Conditions (AOO); Chemical and Volume Control System Malfunction (AOO); and Main Feedwater System Pipe Break (Accident).
4. Pressurizer Pressure - Low

The Pressurizer Pressure - Low trip is provided to trip the reactor to assist the ESF System in the event of loss of coolant accidents (LOCAs). During a LOCA, the SLs may be exceeded; however, the consequences of the accident will be acceptable. A Safety Injection Actuation Signal (SIAS) and a Containment Isolation Actuation Signal (CIAS) are initiated simultaneously.

5. Containment Pressure - High

The Containment Pressure - High trip prevents exceeding the containment design pressure psig during a design basis LOCA or main steam line break (MSLB) accident.
During a LOCA or MSLB the SLs may be exceeded; however, the consequences of the accident will be acceptable. An SIAS, CIAS, and MSIS are initiated simultaneously.

6, 7. Steam Generator Pressure - Low

The Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low trips provide protection against an excessive rate of heat extraction from the steam generators and resulting rapid, uncontrolled cooldown of the RCS. This trip is needed to shut down the reactor and assist the ESF System in the event of an MSLB or main feedwater line break accident. A main steam isolation signal (MSIS) is initiated simultaneously.
8, 9. Steam Generator Level - Low

The Steam Generator #1 Level - Low and Steam Generator #2 Level - Low trips ensure that a reactor trip signal is generated for the following events to help prevent exceeding the design pressure of the RCS due to the loss of the heat sink: Inadvertent Opening of a Steam Generator Atmospheric Dump Valve (AOO); Loss of Condenser Vacuum (AOO); Loss of Normal Feedwater Event (AOO); Feedwater System Pipe Break (Accident); and Single RCP Rotor Seizure (AOO)

10, 11. Steam Generator Level - High

The Steam Generator #1 Level - High and Steam Generator #2 Level - High trips are provided to protect the turbine from excessive moisture carryover in case of a steam generator overfill event. A Main Steam Isolation Signal (MSIS) is initiated simultaneously.

12, 13. Reactor Coolant Flow - Low

The Reactor Coolant Flow Steam Generator #1-Low and Reactor Coolant Flow Steam Generator #2-Low trips provide protection against an RCP Sheared Shaft Event.
A trip is initiated when the pressure differential across the primary side of either steam generator decreases below a variable setpoint. This variable setpoint stays below the pressure differential by a preset value called the step function, unless limited by a preset maximum decreasing rate determined by the Ramp Function, or a set minimum value determined by the Floor Function. The setpoints ensure that a reactor trip occurs to limit fuel failure and ensure offsite doses are within 10 CFR 100 guidelines.
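The Variable Over Power - High setpoint (Band, Rate, Ceiling) and the Reactor Coolant Flow - Low setpoint (Step, Ramp, Floor) described above are mirror images of one rate-limited tracking scheme. The sketch below is an added illustration covering both, not PVNGS code: the class and function names and every numeric value are constructed, and it assumes the setpoint follows the signal without a rate limit when the signal moves away from the trip direction, which the Bases do not state.

```python
"""Rate-limited tracking setpoint for a high trip or a low trip."""


class VariableSetpoint:
    def __init__(self, offset, max_rate, limit, high_trip, initial_signal):
        self.offset = offset      # Band (high trip) or Step (low trip)
        self.max_rate = max_rate  # Rate or Ramp, in signal units per second
        self.limit = limit        # Ceiling (high trip) or Floor (low trip)
        # Work in a mirrored frame so a low trip reuses the high-trip math.
        self.sign = 1.0 if high_trip else -1.0
        # Steady state: setpoint sits one offset away, bounded by the limit.
        self._sp = min(self.sign * initial_signal + offset, self.sign * limit)

    @property
    def setpoint(self):
        return self.sign * self._sp

    def update(self, signal, dt):
        """Advance the setpoint by dt seconds; return True if tripped."""
        s = self.sign * signal
        self._sp = min(
            s + self.offset,                # keep the Band/Step separation
            self._sp + self.max_rate * dt,  # but move no faster than Rate/Ramp
            self.sign * self.limit,         # and never past Ceiling/Floor
        )
        # ASSUMPTION: when the signal moves away from the trip direction the
        # first term wins and the setpoint follows immediately.
        return s >= self._sp


def first_trip(setpoint, samples, dt=1.0):
    """Return (sample number, signal, setpoint) at the first trip, or None."""
    for n, value in enumerate(samples, start=1):
        if setpoint.update(value, dt):
            return n, value, setpoint.setpoint
    return None


def vopt(initial_power=50.0):
    # Constructed values: Band 10 %, Rate 0.5 %/s, Ceiling 110 % power.
    return VariableSetpoint(10.0, 0.5, 110.0, True, initial_power)


def flow_low(initial_dp=30.0):
    # Constructed values: Step 5, Ramp 0.125 per second, Floor 10 (psid).
    return VariableSetpoint(5.0, 0.125, 10.0, False, initial_dp)


if __name__ == "__main__":
    fast = [50 + 2.0 * k for k in range(1, 60)]     # outruns the Rate limit
    slow = [50 + 0.25 * k for k in range(1, 300)]   # setpoint keeps up
    print("fast excursion:", first_trip(vopt(), fast))
    print("slow ramp:     ", first_trip(vopt(), slow))
    shaft = [30 - 2.0 * k for k in range(1, 10)]    # abrupt loss of flow
    print("flow collapse: ", first_trip(flow_low(), shaft))
```

The fast excursion trips well below the Ceiling because the power signal catches the rate-limited setpoint, while the slow ramp is stopped only by the Ceiling itself.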
14. Local Power Density - High

The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following AOOs and assist the ESF systems in the mitigation of the following accidents. The LPD - High trip provides protection against fuel centerline melting due to the occurrence of excessive local power density peaks during the following AOOs: Decrease in Feedwater Temperature; Increase in Feedwater Flow; Increased Main Steam Flow (not due to the steam line rupture) Without Turbine Trip; Uncontrolled CEA Withdrawal From Low Power; Uncontrolled CEA Withdrawal at Power; and CEA Misoperation. For the events listed above (except CEA Misoperation where the DNBR and LPD trips will occur near simultaneously), DNBR - Low will trip the reactor first, since DNB would occur before fuel centerline melting would occur.
15. Departure from Nucleate Boiling Ratio (DNBR) - Low

The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following AOOs and assist the ESF systems in the mitigation of the following accidents. The DNBR - Low trip provides protection against core damage due to the occurrence of locally saturated conditions in the limiting (hot) channel during the following events and is the primary reactor trip (trips the reactor first) for these events: Decrease in Feedwater Temperature; Increase in Feedwater Flow; Increased Main Steam Flow (not due to steam line rupture) Without Turbine Trip; Increased Main Steam Flow (not due to steam line rupture) With a Concurrent Single Failure of an Active Component; Steam Line Break With Concurrent Loss of Offsite AC Power; Loss of Normal AC Power; Partial Loss of Forced Reactor Coolant Flow; Total Loss of Forced Reactor Coolant Flow; Single Reactor Coolant Pump (RCP) Shaft Seizure; Uncontrolled CEA Withdrawal From Low Power; Uncontrolled CEA Withdrawal at Power; CEA Misoperation; Primary Sample or Instrument Line Break; and Steam Generator Tube Rupture. In the above list, only the steam line break, the steam generator tube rupture, the RCP shaft seizure, and the sample or instrument line break are accidents.
The rest are AOOs.
In the safety analyses for transients involving reactivity and power distribution anomalies, credit may be taken for the CPC VOPT auxiliary trip algorithm in lieu of the RPS VOPT trip function. The exact trip credited (CPC or RPS) is documented in chapter 15 of the UFSAR under the individual event sections. The CPC VOPT auxiliary trip acts through the CPC DNBR-Low and LPD-High trip contacts to provide over power protection. When credit is taken for the CPC VOPT algorithm, the CPC VOPT setpoints installed in the plant are based on the safety analyses and may differ from the RPS VOPT allowable values and nominal setpoints. The setpoints associated with the CPC VOPT are controlled via Addressable Constants (TS Section 5.4.1) and Reload Data Block Constants (Ref. 8 and 13). The CPC VOPT auxiliary trip algorithm may provide protection against core damage during the following events: Uncontrolled CEA Withdrawal From Low Power (AOO); Uncontrolled CEA Withdrawal at Power (AOO); Single CEA Withdrawal within Deadband (AOO); Steam Bypass Control System Misoperation (AOO); CEA Ejection (Accident); and Main Steam Line Break (Accident).
The DNBR algorithm used in the CPC is valid only within the limits indicated below and operation outside of these limits will result in a CPC initiated trip.

PARAMETER                                 LIMITING VALUE
RCS Cold Leg Temperature - Low            505°F
RCS Cold Leg Temperature - High           590°F
Axial Shape Index - Positive              Not more positive than +0.5
Axial Shape Index - Negative              Not more negative than -0.5
Pressurizer Pressure - Low                1860 psia
Pressurizer Pressure - High               2388 psia
Integrated Radial Peaking Factor - Low    1.28
Integrated Radial Peaking Factor - High   7.00
Quality Margin - Low                      > 0

Interlocks/Bypasses

The operating bypasses and their Allowable Values are addressed in footnotes to Table 3.3.1-1. They are not otherwise addressed as specific Table entries. The automatic operating bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The basis for each of the operating bypasses is discussed under individual trips in the LCO section:

a. Logarithmic Power Level - High;
b. DNBR - Low and LPD - High.
The RPS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR (Ref. 8). The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship will ensure that sufficient margin to the safety and/or analytical limit is maintained. Only the Allowable Values (AVs) are specified for each RPS trip Function in the LCO. The AV is considered an operability limit for the channel. Nominal trip setpoints are specified in the plant specific setpoint calculations.
The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistable is performing as required.
Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. If the as-found instrument setting is found to be non-conservative with respect to the AV, or the as-left instrument setting cannot be returned to a setting within As-Left Tolerance (ALT), or the instrument is not functioning as required, then the instrument channel shall be declared inoperable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7).

The Bases for the individual Function requirements are as follows:

1. Variable Over Power-High (RPS)

This LCO requires all four channels of Variable Over Power High (RPS) to be OPERABLE in MODES 1 and 2. The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Variable Over Power High (RPS) reactor trips during normal plant operations. When the RPS VOPT trip function is credited in the safety analyses, the Allowable Value is based on the analyses and is low enough for the system to maintain a margin to unacceptable fuel or fuel cladding damage should a positive reactivity excursion event occur.

2. Logarithmic Power Level - High

This LCO requires all four channels of Logarithmic Power Level - High to be OPERABLE in MODE 2.
In MODES 3, 4, or 5, when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal, conditions are addressed in LCO 3.3.2. The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur. The Logarithmic Power Level - High trip may be bypassed when logarithmic power is above 1E-4% NRTP to allow the reactor to be brought to power during a reactor startup. This operating bypass is automatically removed when logarithmic power decreases below 1E-4% NRTP. Above 1E-4% NRTP, the Variable Over Power - High and Pressurizer Pressure - High trips provide protection for reactivity transients.
The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function.
Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE. When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE.
Required Action C.1 for both LCOs 3.3.1 and 3.3.2 requires the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required.
These CR switches are administratively controlled via station procedure; therefore, the requirements of C.1 are continuously met.
3. Pressurizer Pressure - High
This LCO requires four channels of Pressurizer Pressure - High to be OPERABLE in MODES 1 and 2. The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its operation avoids the undesirable operation of these valves during normal plant operation. In the event of a loss of condenser vacuum at 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety valves may lift to prevent overpressurization of the RCS.
4. Pressurizer Pressure - Low
This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to prevent a reactor trip during normal plant operation and pressurizer pressure transients. However, the setpoint is high enough that with a LOCA, the reactor trip will occur soon enough to allow the ESF systems to perform as expected in the analyses and mitigate the consequences of the accident.
5. Containment Pressure - High
The LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1 and 2. The Allowable Value is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. It is set low enough to initiate a reactor trip when an abnormal condition is indicated.
6, 7. Steam Generator Pressure - Low
This LCO requires four channels of Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low to be OPERABLE in MODES 1 and 2. This UFSAR Trip Setpoint is sufficiently below the full load operating value for steam pressure so as not to interfere with normal plant operation, but still high enough to provide the required protection in the event of excessive steam demand. Excessive steam demand causes the RCS to cool down, resulting in positive reactivity addition to the core. If the moderator temperature coefficient is negative, a reactor trip is required to offset that effect. The trip setpoint may be manually decreased as steam generator pressure is reduced during controlled plant cooldown, provided the margin between steam generator pressure and the setpoint is maintained  200 psia. This allows for controlled depressurization of the secondary system while still maintaining an active reactor trip setpoint and MSIS setpoint, until the time is reached when the setpoints are no longer needed to protect the plant. The setpoint increases automatically as steam generator pressure increases until the specified trip setpoint is reached. Footnote (aa), which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument setpoints are found not to be conservative with respect to the as-found acceptance criteria. Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions.
The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability.
Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends. Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint. The specified field installed trip setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained. If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within the ALT, or the instrument is not functioning as required: then the instrument channel shall be declared inoperable.
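The as-found/as-left disposition described above can be written as a short decision routine. This is an added example, not part of the Bases or any plant procedure; every number is constructed, and treating the AFT as a band about the DSp is an assumption of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TripSetpoint:
    """Setpoint terms for one trip function. All values used below are constructed."""
    decreasing: bool  # True for a "- Low" function that trips on a falling value
    lsp: float        # calculated limiting setpoint (LSp)
    ufsar: float      # UFSAR Trip Setpoint
    dsp: float        # Design Setpoint (DSp), the field-installed setting
    av: float         # Allowable Value (AV)
    aft: float        # As-Found Tolerance; assumed here to be a band about the DSp
    alt: float        # As-Left Tolerance about the DSp

    def conservative(self, a: float, b: float) -> bool:
        """True when setting a is equal to or more conservative than setting b."""
        return a >= b if self.decreasing else a <= b

    def hierarchy_ok(self) -> bool:
        """DSp is no less conservative than the UFSAR setpoint, which is no less than LSp."""
        return (self.conservative(self.ufsar, self.lsp)
                and self.conservative(self.dsp, self.ufsar))


def evaluate(sp: TripSetpoint, as_found: float, as_left: float, functioning: bool = True):
    """Return (operable, findings) for one channel surveillance result."""
    findings = []
    operable = True
    if not functioning:
        operable = False
        findings.append("instrument not functioning as required")
    if not sp.conservative(as_found, sp.av):
        # Non-conservative with respect to the AV: channel is declared inoperable.
        operable = False
        findings.append("as-found setting non-conservative with respect to AV")
    elif abs(as_found - sp.dsp) > sp.aft:
        # Part 1: outside AFT but conservative to AV, so performance is evaluated.
        findings.append("as-found outside AFT: evaluate instrument performance "
                        "and enter corrective action program")
    if abs(as_left - sp.dsp) > sp.alt:
        # Part 2: the as-left setting must be returned to within the ALT.
        operable = False
        findings.append("as-left setting not within ALT of DSp")
    return operable, findings


# Constructed low-trip function in arbitrary units (not plant values).
LOW_TRIP_EXAMPLE = TripSetpoint(decreasing=True, lsp=40.0, ufsar=42.0, dsp=43.0,
                                av=41.0, aft=1.0, alt=0.5)

if __name__ == "__main__":
    for found, left in [(43.3, 43.1), (41.5, 43.0), (40.5, 43.0), (43.0, 44.0)]:
        print(found, left, evaluate(LOW_TRIP_EXAMPLE, found, left))
```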
8, 9. Steam Generator Level - Low
This LCO requires four channels of Steam Generator #1 Level - Low and Steam Generator #2 Level - Low for each steam generator to be OPERABLE in MODES 1 and 2. The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations.
The input signal providing the reactor trip input also provides an input to a bistable that initiates auxiliary feedwater to the affected generator via the Auxiliary Feedwater Actuation Signal (AFAS). The trip setpoint ensures that there will be sufficient water inventory in the steam generator at the time of the trip to provide a margin of at least 10 minutes before auxiliary feedwater is required to prevent degraded core cooling. The reactor trip will remove the heat source (except decay heat), thereby conserving the reactor heat sink.
10, 11. Steam Generator Level - High
This LCO requires four channels of Steam Generator #1 Level - High and Steam Generator #2 Level - High to be OPERABLE in MODES 1 and 2. The Allowable Value is high enough to allow for normal plant operation and transients without causing a reactor trip. It is set low enough to ensure a reactor trip occurs before the level reaches the steam dryers. Having steam generator water level at the trip value is indicative of the plant not being operated in a controlled manner.
12, 13. Reactor Coolant Flow - Low
This LCO requires four channels of Reactor Coolant Flow Steam Generator #1-Low and Reactor Coolant Flow Steam Generator #2-Low to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during normal plant operations while providing the required protection.
Tripping the reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure conditions for this event. LCO 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," ensure adequate RCS flow rate is maintained.
14. Local Power Density - High
This LCO requires four channels of LPD - High to be OPERABLE. The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable. A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety function. The CPC channel has many redundant features designed to improve channel reliability. A minimum subset of features must be functional in order for the CPC to be capable of performing its safety related trip function.
Therefore, the channel may remain OPERABLE in the presence of a subset of channel failures, while maintaining the ability to provide the LPD-High trip function. On line CPC channel diagnostics make use of redundant features to maintain channel operability to the extent possible, and provide alarm and annunciation of detectable failures. Those detectable CPC channel failures resulting in a loss of protective function and channel inoperability will result in a CPC Fail indication and associated Low DNBR and High LPD channel trips. Input failures resulting in a sensor out of range affecting one or more CPC process inputs will result in a CPC Sensor Failure indication. In addition, since the CPC software limits the sensor value to the lower or upper range limit value, a CPC channel trip would be generated in most cases due to these extreme values. Detectable failures, whether they result in a channel inoperability or not, are logged in a system event list. Redundancy is demonstrated as follows: a. Each CPC channel redundantly processes analog process and nuclear instrumentation inputs. Only one of the two redundant analog processing modules is required to maintain operability.
b. CEA position is redundantly processed by two CEA Position Processors (CPPs) in each CPC channel, and transmitted to the appropriate CEACs in all four CPC channels over one way fiber-optically isolated data links. Only one source of CEA position is required to maintain channel operability.
c. Each CPC channel has two redundant operator interface panels, a maintenance test panel (MTP) in the Core Protection Calculator System (CPCS) cabinet, and an Operator's Module (OM) in the control room. Neither is required for the CPC to perform its safety related function.
However, one must be functional to assist personnel in performing certain surveillances.
Upon failure of the OM, MTP, or both, the CPC channel will remain operable. Each CPCS channel contains six processor modules.
Failures of these modules are treated as follows:  CPC Processor Module failure - this failure results in a CPC channel inoperability, as addressed by this LCO. Aux CPC Processor Module failure - this failure does not result in a CPC channel inoperability since this module does not perform any safety related functions. CEAC 1 Processor Module failure - this failure is addressed in LCO 3.3.3. CEAC 2 Processor Module failure - this failure is addressed in LCO 3.3.3. CPP 1 Processor Module failure - this failure is addressed in LCO 3.3.3. CPP 2 Processor Module failure - this failure is addressed in LCO 3.3.3.
The CPC channels may be manually bypassed below 1E-4% NRTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied. The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function.
Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4%
NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.
When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE.
Required Action C.1 for both LCOs 3.3.1 and 3.3.2 requires the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required.
These CR switches are administratively controlled via station procedure; therefore, the requirements of C.1 are continuously met. This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.
15. Departure from Nucleate Boiling Ratio (DNBR) - Low
This LCO requires four channels of DNBR - Low to be OPERABLE. The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable. A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety function. The CPC channel has many redundant features designed to improve channel reliability. A minimum subset of features must be functional in order for the CPC to be capable of performing its safety related trip function. Therefore, the channel may remain OPERABLE in the presence of a subset of channel failures, while maintaining the ability to provide the DNBR-Low trip function. On line CPC channel diagnostics make use of redundant features to maintain channel operability to the extent possible, and provide alarm and annunciation of detectable failures.
Those detectable CPC channel failures resulting in a loss of protective function and channel inoperability will result in a CPC Fail indication and associated Low DNBR and High LPD channel trips. Input failures resulting in a sensor out of range affecting one or more CPC process inputs will result in a CPC Sensor Failure indication. In addition, since the CPC software limits the sensor value to the lower or upper range limit value, a CPC channel trip would be generated in most cases due to these extreme values.
Detectable failures, whether they result in a channel inoperability or not, are logged in a system event list. Redundancy is demonstrated as follows:
a. Each CPC channel redundantly processes analog process and nuclear instrumentation inputs. Only one of the two redundant analog processing modules is required to maintain operability.
b. CEA position is redundantly processed by two CEA Position Processors (CPPs) in each CPC channel, and transmitted to the appropriate CEACs in all four CPC channels over one way fiber-optically isolated data links. Only one source of CEA position is required to maintain channel operability.
c. Each CPC channel has two redundant operator interface panels, a maintenance test panel (MTP) in the Core Protection Calculator System (CPCS) cabinet, and an Operator's Module (OM) in the control room. Neither is required for the CPC to perform its safety related function. However, one must be functional to assist personnel in performing certain surveillances. Upon failure of the OM, MTP, or both, the CPC channel will remain operable.
Each CPCS channel contains six processor modules. Failures of these modules are treated as follows:  CPC Processor Module failure - this failure results in a CPC channel inoperability, as addressed by this LCO. Aux CPC Processor Module failure - this failure does not result in a CPC channel inoperability since this module does not perform any safety related functions. CEAC 1 Processor Module failure - this failure is addressed in LCO 3.3.3. CEAC 2 Processor Module failure - this failure is addressed in LCO 3.3.3. CPP 1 Processor Module failure - this failure is addressed in LCO 3.3.3. CPP 2 Processor Module failure - this failure is addressed in LCO 3.3.3. The CPC channels may be manually bypassed below 1E-4%
NRTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.
The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function.
Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE. When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 requires the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required. These CR switches are administratively controlled via station procedure; therefore, the requirements of C.1 are continuously met. This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.
Interlocks/Bypasses
The LCO on operating bypass permissive removal channels requires that the automatic operating bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODEs addressed in the specific LCO for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed.
Refer also to B 3.3.5 for ESFAS operating bypasses. This LCO applies to the operating bypass removal feature only. If the bypass enable function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level -
High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint. The interlock function Allowable Values are based upon analysis of functional requirements for the bypassed function. These are discussed above as part of the LCO discussion for the affected functions. APPLICABILITY This LCO is applicable to the RPS Instrumentation in MODES 1 and 2. LCO 3.3.2 is applicable to the RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal. The requirements for the CEACs in MODES 1 and 2 are addressed in LCO 3.3.3. The RPS Matrix Logic, Initiation Logic, RTCBs, and Manual Trips in MODES 1, 2, 3, 4, and 5 are addressed in LCO 3.3.4.
Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during AOOs and assists the ESFAS in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5.
In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:
The Logarithmic Power Level - High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events.
The Steam Generator Pressure-Low trip is required in MODE 3, with the RTCBs closed, to provide protection for steam line break events in MODE 3.
The Logarithmic Power Level - High trip and the Steam Generator Pressure-Low trip in these lower MODES are addressed in LCO 3.3.2. The Logarithmic Power Level - High trip is bypassed prior to MODE 1 entry and is not required in MODE 1. The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint is less conservative than the Allowable Value in Table 3.3.1-1, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.
ACTIONS
In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected functions provided by that channel must be declared inoperable, and the unit must enter the Condition for the particular protection Function affected. When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation. One Note has been added to the ACTIONS. Note 1 has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function. With a channel process measurement circuit that affects multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below:
Process Measurement Circuit: Functional Unit (Bypassed or Tripped)
1. Linear Power (Subchannel or Linear): Variable Overpower (RPS); Local Power Density-High (RPS); DNBR-Low (RPS)
2. Pressurizer Pressure-High (Narrow Range): Pressurizer Pressure-High (RPS); Local Power Density-High (RPS); DNBR-Low (RPS)
3. Steam Generator Pressure-Low: Steam Generator Pressure-Low (RPS); Steam Generator #1 Level-Low (ESF); Steam Generator #2 Level-Low (ESF)
4. Steam Generator Level-Low (Wide Range): Steam Generator Level-Low (RPS); Steam Generator #1 Level-Low (ESF); Steam Generator #2 Level-Low (ESF)
5. Core Protection Calculator: Local Power Density-High (RPS); DNBR-Low (RPS)
A.1 and A.2
Condition A applies to the failure of a single trip channel or associated instrument channel inoperable in any RPS automatic trip Function. RPS coincidence logic is two-out-of-four. If one RPS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip in 1 hour (Required Action A.1).
The 1 hour allotted to bypass or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel in bypass, the coincidence logic is now in a two-out-of-three configuration. The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a reactor trip. The intent of this requirement is that should a failure occur that cannot be repaired during power operation, then continued operation is allowed without requiring a plant shutdown. However, the failure needs to be repaired during the next MODE 5 outage. Allowing the unit to exit MODE 5 is acceptable, as the appropriate retest may not be possible until normal operating pressures and temperatures are achieved. If the failure occurs while in MODE 5, then the problem needs to be resolved during that shutdown, and OPERABILITY restored prior to the subsequent MODE 2 entry.
B.1
Condition B applies to the failure of two channels in any RPS automatic trip Function. Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic; but with another channel failed, the RPS may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip. One of the two inoperable channels will need to be restored to operable status prior to the next required CHANNEL FUNCTIONAL TEST, because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reactor trip. Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.
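The coincidence-logic reasoning in Conditions A and B can be checked with a small model of the two-out-of-four vote. This is an added example, not part of the Bases; the channel states and the FAILED state (a channel assumed to have failed so that it cannot vote to trip) are assumptions of the model.

```python
from enum import Enum

COINCIDENCE = 2  # RPS coincidence logic is two-out-of-four


class Ch(Enum):
    OPERABLE = "operable"  # votes when its process input reaches the setpoint
    BYPASSED = "bypassed"  # trip channel bypass: removed from the vote
    TRIPPED = "tripped"    # placed in trip: contributes a standing trip vote
    FAILED = "failed"      # assumption: failed so that it can never vote to trip


def reactor_trips(states, demanding):
    """True if the vote reaches coincidence.

    states    -- list of four Ch values, one per RPS channel
    demanding -- set of channel indexes whose inputs call for a trip
    """
    votes = sum(
        1 for i, s in enumerate(states)
        if s is Ch.TRIPPED or (s is Ch.OPERABLE and i in demanding)
    )
    return votes >= COINCIDENCE


def effective_logic(states):
    """Return (m, n): a trip needs m more votes from the n channels still voting."""
    standing = sum(s is Ch.TRIPPED for s in states)
    voting = sum(s is Ch.OPERABLE for s in states)
    return max(COINCIDENCE - standing, 0), voting


def single_failure_can_prevent_trip(states):
    """Would one more silent channel failure block a trip on a real demand?"""
    operable = {i for i, s in enumerate(states) if s is Ch.OPERABLE}
    return any(not reactor_trips(states, operable - {i}) for i in operable)


def single_failure_can_cause_trip(states):
    """Would one spurious vote from an OPERABLE channel trip the reactor?"""
    operable = [i for i, s in enumerate(states) if s is Ch.OPERABLE]
    return any(reactor_trips(states, {i}) for i in operable)


O, B, T, F = Ch.OPERABLE, Ch.BYPASSED, Ch.TRIPPED, Ch.FAILED
SCENARIOS = {
    "all four OPERABLE": [O, O, O, O],
    "Condition A, one channel bypassed": [B, O, O, O],
    "one bypassed, second failed and untreated": [B, F, O, O],
    "Condition B, one bypassed and one in trip": [B, T, O, O],
}


def summarize():
    """Map each scenario to (m, n, can_prevent, can_cause)."""
    return {
        name: effective_logic(s)
        + (single_failure_can_prevent_trip(s), single_failure_can_cause_trip(s))
        for name, s in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, row in summarize().items():
        print(f"{name}: {row[0]}-out-of-{row[1]}, "
              f"single failure prevents trip={row[2]}, causes trip={row[3]}")
```

The two-out-of-two row is the configuration the text calls outside the analysis assumptions: one further silent failure blocks the trip, which is why the second channel is placed in trip.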
C.1, C.2.1, and C.2.2
Condition C applies to one automatic bypass removal channel inoperable. If the inoperable operating bypass removal channel for any operating bypass channel cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the affected automatic trip channel placed in maintenance (trip channel) bypass or trip. The operating bypass removal channel and the automatic trip channel must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.
D.1 and D.2
Condition D applies to two inoperable automatic operating bypass removal channels. If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the operating bypass either removed or one automatic trip channel placed in maintenance (trip channel) bypass and the other in trip within 1 hour. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST, or the plant must shut down per LCO 3.0.3 as explained in Condition B.
PALO VERDE UNITS 1,2,3 B 3.3.1-40 REVISION 56

ACTIONS (continued)

E.1

Condition E is entered when the Required Action and associated Completion Time of Condition A, B, C, or D are not met. If the Required Actions associated with these Conditions cannot be completed within the required Completion Time, the reactor must be brought to a MODE where the Required Actions do not apply. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

The SRs for any particular RPS Function are found in the SR column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.

SR 3.3.1.1

Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
PALO VERDE UNITS 1,2,3 B 3.3.1-41 REVISION 56

SURVEILLANCE REQUIREMENTS

SR 3.3.1.1 (continued)

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior.
Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In the case of RPS trips with multiple inputs, such as the DNBR and LPD inputs to the CPCs, a CHANNEL CHECK must be performed on all inputs.

SR 3.3.1.2

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The 12 hours after reaching 70% RTP is for plant stabilization, data taking, and flow verification. This check (and if necessary, the adjustment of the CPC addressable constant flow coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications, as determined by the Core Operating Limits Supervisory System (COLSS). The flow measurement uncertainty may be included in the BERR1 term in the CPC and is equal to or greater than 4%.
PALO VERDE UNITS 1,2,3 B 3.3.1-42 REVISION 56

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.3

The CPC System Event Log is checked to monitor the CPC channel performance, including redundant features not required for the CPC to perform its safety related trip function. The system event log provides a historical record of the last thirty detected CPC channel error conditions. A detected error condition may not render a channel inoperable, unless it is accompanied by a CPC Fail indication. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.4

A daily calibration (heat balance) is performed when THERMAL POWER is  20%. The Linear Power Level signal and the CPC addressable constant multipliers are adjusted to make the CPC T power and nuclear power calculations agree with the calorimetric calculation if the absolute difference is  2% when THERMAL POWER is  80% RTP, and -0.5% to 10% when THERMAL POWER is between 20% and 80%. The value of 2% when THERMAL POWER is  80% RTP, and -0.5% to 10% when THERMAL POWER is between 20% and 80% is adequate because this value is assumed in the safety analysis.
These checks (and, if necessary, the adjustment of the Linear Power Level signal and the CPC addressable constant coefficients) are adequate to ensure that the accuracy of these CPC calculations is maintained within the analyzed error margins. The power level must be > 20% RTP to obtain accurate data. At lower power levels, the accuracy of calorimetric data is questionable.
PALO VERDE UNITS 1,2,3 B 3.3.1-43 REVISION 56

SURVEILLANCE REQUIREMENTS

SR 3.3.1.4 (continued)

The tolerance between 20% and 80% RTP is +10% to reduce the number of adjustments required as the power level increases. The -0.5% tolerance between 20% and 80% RTP is based on the reduced accuracy of the calorimetric data inputs at low power levels. Performing a calorimetric calibration with a -0.5% tolerance at low power levels ensures the difference will remain within -2.0% when power is increased above 80% RTP.
If a calorimetric calculation is performed above 80% RTP, it will use accurate inputs to the calorimetric calculation available at higher power levels. When the power level is decreased below 80% RTP an additional performance of the SR to the -0.5% to 10% tolerance is not required if the SR has been performed above 80% RTP. During any power ascension from below 80% to above 80% RTP, the calibration requirements of ITS SR 3.3.1.4 must be met (except during PHYSICS TESTS, as allowed by the Note in SR 3.3.1.4). This is accomplished by performing SR 3.3.1.4 between 75% and 80% RTP during power ascension with an acceptance criteria of -0.5% to <2% to bound the requirements for both below and above 80% RTP. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Frequency is modified by a Note indicating this Surveillance need only be performed within 12 hours after reaching 20% RTP. The 12 hours after reaching 20% RTP is required for plant stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at lower power levels. A second Note in the SR indicates the SR may be suspended during PHYSICS TESTS. The conditional suspension of the daily calibrations under strict administrative control is necessary to allow special testing to occur.
PALO VERDE UNITS 1,2,3 B 3.3.1-44 REVISION 56

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.5

The RCS flow rate indicated by each CPC is verified to be less than or equal to the RCS total flow rate. The Note indicates the Surveillance is performed within 12 hours after THERMAL POWER is  70% RTP. This check (and, if necessary, the adjustment of the CPC addressable flow constant coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications as determined either using the reactor coolant pump differential pressure instrumentation and the ultrasonic flow meter adjusted pump curves or by a calorimetric calculation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.6

The three vertically mounted excore nuclear instrumentation detectors in each channel are used to determine APD for use in the DNBR and LPD calculations. Because the detectors are mounted outside the reactor vessel, a portion of the signal from each detector is from core sections not adjacent to the detector. This is termed shape annealing and is compensated for after every refueling by performing SR 3.3.1.11, which adjusts the gains of the three detector amplifiers for shape annealing. SR 3.3.1.6 ensures that the preassigned gains are still proper. When power is < 15% the CPCs do not use the excore generated signals for axial flux shape information. The Note allowing 12 hours after reaching 15% RTP is required for plant stabilization and testing. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7

A CHANNEL FUNCTIONAL TEST on each channel is performed to ensure the entire channel will perform its intended function when needed. The SR is modified by two Notes. Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. Note 2 allows the CHANNEL FUNCTIONAL TEST for the Logarithmic Power Level - High channels to be performed 2 hours after logarithmic power drops below 1E-4% NRTP.
PALO VERDE UNITS 1,2,3 B 3.3.1-45 REVISION 53

SURVEILLANCE REQUIREMENTS

SR 3.3.1.7 (continued)

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 8. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the interval between surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

Matrix Logic Tests

Matrix Logic tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Tests

Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, thereby opening the affected RTCB. The RTCB must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.
PALO VERDE UNITS 1,2,3 B 3.3.1-46 REVISION 56

SURVEILLANCE REQUIREMENTS

Trip Path Tests (continued)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The CPC and CEAC channels and excore nuclear instrumentation channels are tested separately. The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector. The power range excore test signal is inserted at the drawer input, since there is no preamplifier.

The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using software. This software includes preassigned addressable constant values that may differ from the current values. Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants.

SR 3.3.1.8

A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests.
CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the interval between surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.
Operating experience has shown this Frequency to be satisfactory. The detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal.

PALO VERDE UNITS 1,2,3 B 3.3.1-47 REVISION 57

SURVEILLANCE REQUIREMENTS

SR 3.3.1.8 (continued)

Slow changes in detector sensitivity are compensated for by performing the calorimetric calibration (SR 3.3.1.4) and the linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators.

SR 3.3.1.9

SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION. CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the calorimetric calibration (SR 3.3.1.4) and the linear subchannel gain check (SR 3.3.1.6).
PALO VERDE UNITS 1,2,3 B 3.3.1-48 REVISION 56

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.10

A CHANNEL FUNCTIONAL TEST is performed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.11

The three excore detectors used by each CPC channel for axial flux distribution information are far enough from the core to be exposed to flux from all heights in the core, although it is desired that they only read their particular level. The CPCs adjust for this flux overlap by using the predetermined shape annealing matrix elements in the CPC software. After refueling, it is necessary to re-establish or verify the shape annealing matrix elements for the excore detectors based on more accurate incore detector readings.
This is necessary because refueling could possibly produce a significant change in the shape annealing matrix coefficients. Incore detectors are inaccurate at low power levels. THERMAL POWER should be significant but < 70% to perform an accurate axial shape calculation used to derive the shape annealing matrix elements. By restricting power to  70% until shape annealing matrix elements are verified, excessive local power peaks within the fuel are avoided. Operating experience has shown this Frequency to be acceptable.
PALO VERDE UNITS 1,2,3 B 3.3.1-49 REVISION 56

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.12

SR 3.3.1.12 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.7, except SR 3.3.1.12 is applicable only to operating bypass functions and is performed once within 92 days prior to each startup. Proper operation of operating bypass permissives is critical during plant startup because the operating bypasses must be in place to allow startup operation and must be automatically removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify operating bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9).
Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.7.
Therefore, further testing of the operating bypass function after startup is unnecessary.

SR 3.3.1.13

This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
PALO VERDE UNITS 1,2,3 B 3.3.1-50 REVISION 53

SURVEILLANCE REQUIREMENTS

SR 3.3.1.13 (continued)

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from the records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements" (Ref. 12), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report.
Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

REFERENCES

1. 10 CFR 50, Appendix A, GDC 21.
2. 10 CFR 100.
3. NRC Safety Evaluation Report, July 15, 1994.
4. UFSAR, Chapter 7.
5. UFSAR, Chapters 6 and 15.
6. 10 CFR 50.49.
7. "Calculation of Trip Setpoint Values, Plant Protection System", CEN-286(v), or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip function.
8. UFSAR, Section 7.2, Tables 7.2-1 and 7.3-11A.

PALO VERDE UNITS 1,2,3 B 3.3.1-51 REVISION 53

REFERENCES (continued)

9. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.
10. CEN-305-P, "Functional Design Requirements for a Core Protection Calculator."
11. CEN-304-P, "Functional Design Requirements for a Control Element Assembly Calculator."
12. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."
13. CEN-323-P-A, "Reload Data Block Constant Installation Guidelines", Combustion Engineering, Inc., September, 1986.
14. UFSAR Section 1.8, "Regulatory Guide 1.105: Instrument Setpoints (Revision 1, November 1976)"
RPS Instrumentation - Shutdown B 3.3.2

PALO VERDE UNITS 1,2,3 B 3.3.2-1 REVISION 50

B 3.3 INSTRUMENTATION

B 3.3.2 Reactor Protective System (RPS) Instrumentation - Shutdown

BASES

BACKGROUND

The RPS initiates a reactor trip to protect against violating the core fuel design limits and reactor coolant pressure boundary (RCPB) integrity during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Except for trip Functions 2 and 3, the LSSS defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs). For Trip Functions 2 and 3, the UFSAR Trip Setpoint is the LSSS.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

* The departure from nucleate boiling ratio shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling;
* Fuel centerline melting shall not occur; and
* The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life.
The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
PALO VERDE UNITS 1,2,3 B 3.3.2-2 REVISION 0

BACKGROUND (continued)

The RPS is segmented into four interconnected modules. These modules are:

* Measurement channels;
* Bistable trip units;
* RPS Logic; and
* Reactor trip circuit breakers (RTCBs).

This LCO applies to the Logarithmic Power Level - High trip in MODES 3, 4, and 5 with the RTCBs closed and the CEAs capable of withdrawal. In MODES 1 and 2, this trip function is addressed in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating." LCO 3.3.12, "Boron Dilution Alarm System (BDAS)," applies when the RTCBs are open.

This LCO applies to the Steam Generator #1 and the Steam Generator #2 Pressure-Low trip in MODE 3, with the RTCBs closed and the CEAs capable of withdrawal. In MODES 1 and 2, this trip function is addressed in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating."
PALO VERDE UNITS 1,2,3 B 3.3.2-3 REVISION 1

BACKGROUND (continued)

Measurement Channels and Bistable Trip Units

The measurement channels providing input to the Logarithmic Power Level - High trip consist of the four logarithmic nuclear instrumentation channels detecting neutron flux leakage from the reactor vessel. Other aspects of the Logarithmic Power Level - High trip are similar to the other measurement channels and bistables. These are addressed in the Background section of LCO 3.3.1.

Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation can be similarly tested. UFSAR, Section 7.2 (Ref. 3), provides more detail on RPS testing.

APPLICABLE SAFETY ANALYSES

The RPS functions to maintain the SLs during AOOs and mitigates the consequence of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. Noncredited Functions include the Steam Generator Water Level - High Trip. The Steam Generator Water Level - High Trip is purely equipment protective, and its use minimizes the potential for equipment damage.

The Logarithmic Power Level - High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.
The Steam Generator Pressure-Low trip function provides shutdown margin to prevent or minimize the return to power, following a large Main Steam Line Break (MSLB) in MODE 3. With less than 4 RCPs running the trip setpoint for the Logarithmic Power Level-High trip is reduced to  10-4% NRTP. The lower setpoint is required for a bank CEA withdrawal with less than 4 RCPs running.
PALO VERDE UNITS 1,2,3 B 3.3.2-4 REVISION 35

APPLICABLE SAFETY ANALYSES (continued)

In MODES 2, 3, 4, and 5, with the RTCBs closed, and the Control Element Assembly (CEA) Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events, and excessive cooldown due to a MSLB originating when logarithmic power is < 1E-4% NRTP. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in this LCO. MODE 2 is addressed in LCO 3.3.1.

In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level - High trip does not have to be OPERABLE. The indication and alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12 "Boron Dilution Alarm System (BDAS)".

Interlock/Bypasses

The operating bypasses and their Allowable Values are addressed in footnotes to Table 3.3.2-1. They are not otherwise addressed as specific Table entries.

The automatic operating bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The basis for the Logarithmic Power Level - High operating bypass is discussed under individual trips in the LCO section.

The RPS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
The LCO requires the Logarithmic Power Level - High, the Steam Generator #1 Pressure-Low, and the Steam Generator #2 Pressure-Low, RPS Functions to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Function.
PALO VERDE UNITS 1,2,3 B 3.3.2-5 REVISION 35

LCO

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values (AVs) are specified for this RPS trip Function in the LCO. The AV is considered an operability limit for the channel. If the as-found instrument setting is found to be non-conservative with respect to the AV, or the as-left instrument setting cannot be returned to a setting within As-Left Tolerance (ALT), or the instrument is not functioning as required; then the instrument channel shall be declared inoperable.

Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoint is selected to ensure the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 4). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
This LCO requires all four channels of the Logarithmic Power Level - High to be OPERABLE in MODES 3, 4, or 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal. A CEA is considered capable of withdrawal when power is applied to the Control Element Drive Mechanisms (CEDMs).
There are several methods used to remove power from the CEDMs, such as de-energizing the CEDM MGs, opening the CEDM MG output breakers, opening the Control Element Assembly Control System (CEDMCS) CEA breakers, opening the RTCBs, or disconnecting the power cables from the CEDMs. Any method that removes power from the CEDMs may be used.

PALO VERDE UNITS 1,2,3 B 3.3.2-6 REVISION 51

LCO (continued)

The CEAs are still capable of withdrawal if the CEDMCS withdrawal circuits are disabled with power applied to the CEDMs because failures in the CEDMCS could result in CEA withdrawal.

This LCO requires all four channels of Steam Generator #1 Pressure-Low, and Steam Generator #2 Pressure-Low, to be OPERABLE in MODE 3, when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal. These RPS functions are not required in MODES 4 and 5 because the Steam Generator temperature is low, therefore the energy release and resulting cooldown following a large MSLB in MODES 4 and 5 is not significant.

Footnote (e), which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument set points are found not to be conservative with respect to the as-found acceptance criteria. Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.
Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability. Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends. Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint.
The specified field installed trip setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained.
If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within the ALT, or the instrument is not functioning as required; then the instrument channel shall be declared inoperable.
The Allowable Values are high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level - High reactor trips during normal plant operations. The Allowable Values are low enough for the system to maintain a safety margin for unacceptable fuel cladding damage should a CEA withdrawal or MSLB event occur.
The Logarithmic Power Level - High trip may be bypassed when logarithmic power is above 1E-4% NRTP to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when logarithmic power decreases below 1E-4% NRTP.
Above 1E-4% NRTP, the Variable Over Power - High and Pressurizer Pressure - High trips provide protection for reactivity transients. The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable.
Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.
When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 requires the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required. These CR switches are administratively controlled via station procedure; therefore, the requirements of C.1 are continuously met.
APPLICABILITY
This LCO is applicable to the RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal. LCO 3.3.1 is applicable to the RPS Instrumentation in MODES 1 and 2. The requirements for the CEACs in MODES 1 and 2 are addressed in LCO 3.3.3. The RPS Matrix Logic, Initiation Logic, RTCBs, and Manual Trips in MODES 1, 2, 3, 4, and 5 are addressed in LCO 3.3.4.
Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The trips are designed to take the reactor subcritical, which maintains the SLs during AOOs and assists the Engineered Safety Features Actuation System (ESFAS) in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM.
Exceptions to this are:
The Logarithmic Power Level - High trip, RPS Logic, RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events. The Logarithmic Power Level - High trip in these lower MODES is addressed in this LCO. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.4, "Reactor Protective System (RPS) Logic and Trip Initiation."
The Steam Generator #1 Pressure-Low, and the Steam Generator #2 Pressure-Low trips, RPS Logic, RTCBs, and Manual Trip are required in MODE 3 with the RTCBs closed, to provide protection for large MSLB events in MODE 3. The Steam Generator Pressure-Low trip in this lower MODE is addressed in this LCO. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.4, "Reactor Protective System (RPS) Logic and Trip Initiation."
The applicability for the Logarithmic Power Level-High function is modified by a Note that allows the trip to be bypassed when logarithmic power is > 1E-4% NRTP, and the bypass is automatically removed when logarithmic power is ≤ 1E-4% NRTP.
ACTIONS
The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint is less conservative than the Allowable Value stated in the LCO, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.
In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the excore logarithmic power channel or RPS bistable trip unit is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the unit must enter the Condition for the particular protection Function affected.
With a channel process measurement circuit that affects multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below:
PROCESS MEASUREMENT CIRCUIT: Steam Generator Pressure-Low
FUNCTIONAL UNIT (Bypassed or Tripped): Steam Generator Pressure - Low (RPS); Steam Generator #1 Level - Low (ESF); Steam Generator #2 Level - Low (ESF)
When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered, if applicable in the current MODE of operation.
A.1 and A.2
Condition A applies to the failure of a single trip channel or associated instrument channel inoperable in any RPS function. The RPS coincidence logic is two-out-of-four. If one channel is inoperable, operation in MODES 3, 4, and 5 is allowed to continue, providing the inoperable channel is placed in bypass or trip in 1 hour (Required Action A.1). The 1 hour allotted to bypass or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel while ensuring that the risk involved in operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel bypassed, the coincidence logic is now in a two-out-of-three configuration. The Completion Time is based on adequate channel to channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a reactor trip.
The intent of this requirement is that should a failure occur that cannot be repaired during power operation, then continued operation is allowed without requiring a plant shutdown. However, the failure needs to be repaired during the next MODE 5 outage. Allowing the unit to exit MODE 5 is acceptable, as the appropriate retest may not be possible until normal operating pressures and temperatures are achieved. If the failure occurs while in MODE 5, then the problem needs to be resolved during that shutdown, and OPERABILITY restored prior to the subsequent MODE 2 entry.
B.1
Condition B applies to the failure of two trip channels or associated instrument channels, in any RPS automatic trip function. Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels and still ensures the risk involved in operating with the failed channels is acceptable.
With one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic; but with another channel failed, the RPS may be operating in a two-out-of-two logic.
This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip. One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reactor trip. Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.
C.1, C.2.1, and C.2.2
Condition C applies to one automatic operating bypass removal channel inoperable. If the operating bypass removal channel for the high logarithmic power level operating bypass cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the operating bypass either removed or the affected automatic channel placed in trip or maintenance (trip channel) bypass. Both the operating bypass removal channel and the associated automatic trip channel must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.
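The coincidence arithmetic described under Conditions A and B above can be checked with a small model. This is an added illustration, not part of the Technical Specification Bases; the channel names A through D, the state names, and the treatment of a failed channel as one that never votes to trip are assumptions.

```python
from enum import Enum


class Ch(Enum):
    """State of one RPS measurement channel (state names are assumptions)."""
    OPERABLE = "operable"   # votes to trip only on a real demand
    BYPASSED = "bypassed"   # trip channel bypass: removed from the vote
    TRIPPED = "tripped"     # placed in trip: standing vote to trip
    FAILED = "failed"       # inoperable, not yet bypassed or tripped


COINCIDENCE = 2  # the RPS coincidence logic is two-out-of-four


def validate(config):
    """Reject configurations the Bases rule out."""
    if len(config) != 4:
        raise ValueError("the model expects exactly four channels")
    if sum(s is Ch.BYPASSED for s in config.values()) > 1:
        raise ValueError("it is not possible to bypass more than one RPS channel")


def effective_logic(config):
    """Return (needed, voters): trip votes still needed from OPERABLE
    channels, and how many OPERABLE channels remain to supply them."""
    validate(config)
    standing = sum(s is Ch.TRIPPED for s in config.values())
    voters = sum(s is Ch.OPERABLE for s in config.values())
    return max(COINCIDENCE - standing, 0), voters


def reactor_trips(config, demand):
    """True if coincidence is reached. demand[name] says whether the process
    parameter is past the setpoint at that channel's sensor. A FAILED channel
    is modelled as never voting (assumption: worst case for a real demand)."""
    validate(config)
    votes = 0
    for name, state in config.items():
        if state is Ch.TRIPPED or (state is Ch.OPERABLE and demand[name]):
            votes += 1
    return votes >= COINCIDENCE


def single_failure_exposure(config):
    """Return (can_prevent, can_cause) for one further failure of an OPERABLE
    channel: can it prevent a needed trip, can it cause a spurious trip."""
    needed, voters = effective_logic(config)
    if needed == 0:
        return (False, False)  # coincidence already met: the reactor is tripped
    can_prevent = voters - 1 < needed  # losing one voter leaves too few
    can_cause = needed == 1            # one spurious vote completes the logic
    return can_prevent, can_cause


if __name__ == "__main__":
    base = dict.fromkeys("ABCD", Ch.OPERABLE)
    cases = {
        "all channels OPERABLE": base,
        "Condition A, one channel bypassed": {**base, "A": Ch.BYPASSED},
        "one bypassed, one failed, no action yet": {**base, "A": Ch.BYPASSED, "B": Ch.FAILED},
        "Condition B, one bypassed and one tripped": {**base, "A": Ch.BYPASSED, "B": Ch.TRIPPED},
    }
    for label, cfg in cases.items():
        needed, voters = effective_logic(cfg)
        prevent, cause = single_failure_exposure(cfg)
        print(f"{label}: {needed}-out-of-{voters}, "
              f"single failure can prevent trip={prevent}, cause trip={cause}")
```

The two-out-of-two case is the only one in which a single further failure can prevent a trip, which is why the second inoperable channel is placed in trip; the resulting one-out-of-two logic trades that exposure for sensitivity to a single spurious signal.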
D.1 and D.2
Condition D applies to two inoperable automatic operating bypass removal channels. If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the operating bypass either removed or one automatic trip channel placed in maintenance (trip channel) bypass and the other in trip within 1 hour. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST or the plant must shut down per LCO 3.0.3, as explained in Condition B. Completion Times are consistent with Condition B.
E.1
Condition E is entered when the Required Actions and associated Completion Times of Condition A, B, C, or D are not met.
If Required Actions associated with these Conditions cannot be completed within the required Completion Time, all RTCBs must be opened, placing the plant in a condition where the RPS trip channels are not required to be OPERABLE. A Completion Time of 1 hour is a reasonable time to perform the Required Action, which maintains the risk at an acceptable level while having one or two channels inoperable.
SURVEILLANCE REQUIREMENTS
The SRs for any particular RPS function are found in the SR column of Table 3.3.2-1 for that function. The SRs are an extension of those listed in LCO 3.3.1, listed here because of their Applicability in these MODES.
SR 3.3.2.1
SR 3.3.2.1 is the performance of a CHANNEL CHECK of each RPS channel. This SR is identical to SR 3.3.1.1. Only the Applicability differs. Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limits. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.2
A CHANNEL FUNCTIONAL TEST on each channel, except power range neutron flux, is performed to ensure the entire channel will perform its intended function when needed. This SR is identical to SR 3.3.1.7. Only the Applicability differs. The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in the UFSAR, Section 7.2 (Ref. 3). These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:
Bistable Tests
A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 6.
Matrix Logic Tests
Matrix Logic Tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state.
This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.
Trip Path Test
Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.3
SR 3.3.2.3 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.2.2, except SR 3.3.2.3 is applicable only to operating bypass functions and is performed once within 92 days prior to each startup. This SR is identical to SR 3.3.1.12. Only the Applicability differs. Proper operation of operating bypass permissives is critical during plant startup because the operating bypasses must be in place to allow startup operation and must be automatically removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify operating bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 6). Once the operating bypasses are removed, the operating bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed.
This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.2.2. Therefore, further testing of the operating bypass function after startup is unnecessary.
SR 3.3.2.4
This SR is identical to SR 3.3.1.9. Only the Applicability differs. CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor (the sensor is excluded for the Logarithmic Power Level Function). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 6. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).
SR 3.3.2.5
This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 7) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.
A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).
REFERENCES
1. 10 CFR 50.
2. 10 CFR 100.
3. UFSAR, Section 7.2 Tables 7.2-1 and 7.3-11A.
4. "Calculation of Trip Setpoint Values Plant Protection System, CEN-286(v)", or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip Function.
5. NRC Safety Evaluation Report, July 15, 1994.
6. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.
7. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."
B 3.3 INSTRUMENTATION
B 3.3.3 Control Element Assembly Calculators (CEACs)
BASES
BACKGROUND
The Reactor Protective System (RPS) initiates a reactor trip to protect against violating the core Specified Acceptable Fuel Design Limits (SAFDLs) and breaching the Reactor Coolant Pressure Boundary (RCPB) during Anticipated Operational Occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features Systems in mitigating accidents.
The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying Limiting Safety System Settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The LSSS (defined in this Specification as the Allowable Value), in conjunction with the LCOs, establish the thresholds for protective system action to prevent exceeding acceptable limits during Design Basis Accidents.
During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are: The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling; Fuel centerline melting shall not occur; and The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.
Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.
Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
The RPS is segmented into four interconnected modules.
These modules are: Measurement channels; Bistable trip units; RPS Logic; and Reactor Trip Circuit Breakers (RTCBs).
This LCO addresses the CEACs. LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating," provides a description of this equipment in the RPS.
The excore nuclear instrumentation, the Core Protection Calculators (CPCs), and the CEACs are considered components in the measurement channels of the Variable Over Power - High, Logarithmic Power Level - High, DNBR - Low, and Local Power Density (LPD) - High trips. The CEACs are addressed by this Specification.
Each CPC receives Control Element Assembly (CEA) deviation penalty factors from both CEACs in that channel and uses the larger of the penalty factors from the two CEACs in the calculation of DNBR and LPD. CPCs are further described in the Background section of LCO 3.3.1.
The CEACs perform the calculations required to determine the position of CEAs within their subgroups for the CPCs. Two independent CEACs in each CPC channel compare the position of each CEA to its subgroup position. If a deviation is detected by either CEAC, an annunciator sounds and appropriate "penalty factors" are transmitted to the CPC Processor in that channel. These penalty factors conservatively adjust the effective operating margins to the DNBR - Low and LPD - High trips.
Each CEA has two separate reed switch position transmitter (RSPT) assemblies mounted outside the Reactor Coolant Pressure Boundary (RCPB), designated RSPT 1 and RSPT 2.
CEA position from the RSPTs is processed by CEA Position Processors (CPPs) located in each CPC channel. The CPPs transmit CEA position to the appropriate CEAC in all four CPC channels over optically isolated datalinks, such that CEAC 1 in all channels receives the position of all CEAs based upon RSPT 1, and CEAC 2 receives the position of all CEAs based upon RSPT 2. Thus, the position of all CEAs is independently monitored by both CEACs in each CPC channel.
The CPCs display the position of each CEA to the operator on a separate single CEA Position Flat Panel Display. Each CPC channel is connected to the display by means of an optically isolated data link. The operator may select the channel for display. Selecting channel A or B will display CEA position based upon RSPT 1 on each CEA, whereas selecting channel C or D will display CEA position based upon RSPT 2 on each CEA.
Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested. CPC and CEAC functional testing is performed on a Refueling interval basis. UFSAR, Section 7.2 (Ref. 3), provides more detail on RPS testing. Process transmitter calibration is normally performed on a refueling basis.
APPLICABLE SAFETY ANALYSIS
Each of the analyzed transients and accidents can be detected by one or more RPS Functions.
The effect of any misoperated CEA within a subgroup on the core power distribution is assessed by the CEACs, and an appropriately augmented power distribution penalty factor will be supplied as input to the CPCs. As the reactor core responds to the reactivity changes caused by the misoperated CEA and the ensuing reactor coolant and Doppler feedback effects, the CPCs will initiate a DNBR - Low or LPD - High trip signal if SAFDLs are approached.
Each CPC also directly monitors one "target CEA" from each subgroup and uses this information to account for excessive radial peaking factors for events involving CEA groups out of sequence and subgroup deviations within a group, without the need for CEACs.
Therefore, although the CEACs do not provide a direct reactor trip Function, their input to the CPCs is taken credit for in the CEA misoperation analysis.
The CEACs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
This LCO on the CEACs ensures that the CPCs are either informed of individual CEA position within each subgroup, using one or both CEACs in each channel, or that appropriate conservatism is included in the CPC calculations to account for the anticipated CEA deviations.
CEAC 1 in all four CPC channels monitors CEA position based upon RSPT 1 on all CEAs. CEAC 2 in all four channels monitors CEA position based upon RSPT 2 on all CEAs. Each CPC uses the higher of the two deviation penalty factors transmitted by the channel CEACs.
Thus only one OPERABLE CEAC is required in each channel to provide CEA deviation protection. Because a single RSPT is used to provide RSPT input to one CEAC in all four channels, this LCO requires both CEACs to be OPERABLE in each channel so that no sensor failure resulting in CEAC failure in multiple channels can prevent a required trip from occurring.

To increase reliability each CPC channel contains two CEA Position Processors (CPPs), which redundantly monitor the channel RSPT inputs, perform analog to digital conversion, and transmit the CEA position to the appropriate CEAC in all four CPC channels over separate one-way fiber optically isolated data links. The receiving CEAC will automatically switch to the backup CPP and associated data link upon failure of the preferred CPP or associated data link. CPPs in CPC channels A and B together process all RSPT 1 CEA position inputs, and transmit them to CEAC 1 in all four CPC channels. Similarly, CPPs in channels C and D together process all RSPT 2 position inputs, and transmit them to CEAC 2 in all four CPC channels. Operation of at least one CPP and associated data links in each CPC channel is therefore required for both CEACs in all CPC channels to receive CEA position information. Failure of both redundant CPPs in a channel or failure of redundant RSPT power supplies in that channel will cause the associated receiving CEACs in all channels to lose CEA position input on multiple CEAs. Failure of individual RSPTs will result in a subset of CEAs being identified as failed in the associated CEAC in multiple channels. This LCO therefore addresses both individual channel and multiple channel CEAC inoperabilities.
APPLICABILITY

This LCO is applicable to the CEACs in MODES 1 and 2. The RPS Instrumentation in MODES 1 and 2 is addressed in LCO 3.3.1. The RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal is addressed in LCO 3.3.2. The RPS Matrix Logic, Initiation Logic, RTCB, and Manual Trips in MODES 1, 2, 3, 4, and 5 are addressed in LCO 3.3.4.
Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The trips are designed to take the reactor subcritical, which maintains the SLs during AOOs and assists the Engineered Safety Features Actuation System in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Because CEACs provide the inputs to the DNBR - Low and LPD - High trips, they are required to be OPERABLE in MODES 1 and 2 for the same reasons.

ACTIONS

One Note has been added to the ACTIONS. Note 1 has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each CPC channel. The Completion Times of each inoperable Channel will be tracked separately, starting from the time the Condition was entered for that Channel.

A.1, A.2.1 and A.2.2

Condition A applies to the failure of one CEAC in one or more CPC channels. A CEAC failure affecting a single channel could result from failure within a CEAC processor module, whereas a CEAC failure in multiple channels could be caused by failure of redundant CPPs within a CPC channel.
Thus, Required Actions address both possibilities.

A.1

Required Action A.1 provides for immediate declaration of affected CPC channel inoperability, and entry into Required Actions associated with LCO 3.3.1 for the DNBR-Low and LPD-High trip functions. This Required Action treats single CEAC failures in one or more channels in a manner consistent with other RPS failures in one or more channels, and might be the preferred action if only one CPC channel is affected.
If the failure affects more than two CPC channels, Required Actions A.2.1 and A.2.2 would be preferable.
A.2.1 and A.2.2

Actions A.2.1 and A.2.2 accommodate a loss of CEA position monitoring capability by one CEAC in up to all four CPC channels. There are two CEACs per CPC channel, each providing CEA deviation input to the associated channel CPC. The CEACs and CPPs providing CEA position input to the CEACs include complex diagnostic software making it unlikely that a CEAC will fail without informing the CPC of its failed status. With one failed CEAC in one or more channels, the CPC in the affected channels will receive CEA deviation penalty factors from the remaining OPERABLE channel CEAC.
If the second CEAC should fail (Condition B), the CPC will use large preassigned penalty factors. The specific Required Actions are as follows:  With one CEAC inoperable in one or more channels, the second CEAC still provides a comprehensive set of comparison checks on individual CEAs within subgroups, as well as outputs to the affected CPCs, CEA deviation alarms, and position indication for display. Verification every 4 hours that each CEA is within 6.6 inches of the other CEAs in its group provides a check on the position of all CEAs and provides verification of the proper operation of the remaining CEAC.
An OPERABLE CEAC will not generate penalty factors until deviations of > 9.0 inches within a subgroup are encountered. The Completion Time of once per 4 hours is adequate based on operating experience, considering the low probability of an undetected CEA deviation coincident with an undetected failure in the remaining CEAC within this limited time frame. As long as Required Action A.2.1 is accomplished as specified, the inoperable CEAC can be restored to OPERABLE status within 7 days. The Completion Time of 7 days is adequate for most repairs, while minimizing risk, considering that dropped CEAs are detectable by the redundant CEAC, and other LCOs specify Required Actions necessary to maintain DNBR and LPD margin.
B.1, B.2.1, B.2.2, B.2.3, B.2.4, B.2.5, and B.2.6

Condition B applies if the Required Action and associated Completion Time of Condition A are not met, or if both CEACs are inoperable in one or more CPC channels. Actions associated with this Condition involve two choices:

Action B.1 immediately renders the affected CPC channels inoperable, thus requiring entry into the Required Actions associated with LCO 3.3.1.

Actions B.2.1 through B.2.6 disable the Control Element Drive Mechanism Control System (CEDMCS), while providing increased assurance that CEA deviations are not occurring and informing all OPERABLE CPC channels, via a software flag, that both CEACs are failed. This will ensure that the large penalty factor associated with two CEAC failures will be applied to the CPC calculations. The penalty factor for two failed CEACs is sufficiently large that power must be maintained significantly < 100% RTP if CPC generated reactor trips are to be avoided. The Completion Time of 4 hours is adequate to accomplish these actions while minimizing risks.

The Required Actions are as follows:

B.1

Required Action B.1 provides for immediate declaration of affected CPC channel inoperability, and entry into Required Actions associated with LCO 3.3.1 for the DNBR-Low and LPD-High trip functions. This Required Action treats failure of both CEACs in one or more channels in a manner consistent with other RPS failures in one or more channels. Similarly, this Required Action permits immediate declaration of channel inoperability and entry into the Required Actions of LCO 3.3.1 if the Required Actions and associated Completion Times of Condition A are not met.
Required Action B.1 might be the preferred action if only one CPC channel is affected.
If the failure affects more than two CPC channels, Required Actions B.2.1 through B.2.6 would be preferable.

B.2.1

Meeting the DNBR margin requirements of LCO 3.2.4, "DNBR" ensures that power level is within a conservative region of operation based on actual core conditions.
B.2.2

This Action requires that the CEAs are maintained fully withdrawn (all CEAs meet the requirements of LCO 3.1.6 and 3.1.7), except as required for specified testing or flux control via group #5. This verification ensures that undesired perturbations in local fuel burnup are prevented.
The Upper Electrical Limit (UEL) CEA reed switches provide an acceptable indication of CEA position.

B.2.3

The "RSPT/CEAC Inoperable" addressable constant in each of the OPERABLE CPCs is set to indicate that both CEACs are inoperable. This provides a conservative penalty factor to ensure that a conservative effective margin is maintained by the CPCs in the computation of DNBR and LPD trips.

B.2.4

The CEDMCS is placed and maintained in "STANDBY MODE," except during CEA motion permitted by Required Action B.2, to prevent inadvertent motion and possible misalignment of the CEAs.

B.2.5

A comprehensive set of comparison checks on individual CEAs within groups must be made within 4 hours. Verification that each CEA is within 6.6 inches of other CEAs in its group provides a check that no CEA has deviated from its proper position within the group.

B.2.6

The Reactor Power Cutback (RPCB) System must be disabled.
This ensures that CEA position will not be affected by RPCB operation.

C.1

Condition C is entered when the Required Action and associated Completion Time of Condition B is not met. If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the reactor must be brought to a MODE where the Required Actions do not apply. The Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
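The CPP-to-CEAC data paths from the LCO discussion and the entry criteria for Conditions A and B can be traced with a small fault-propagation model. This is an added illustration, not plant software or text from the Technical Specification Bases; the function names, the rule that a CEAC which loses position input is treated as inoperable, and the penalty-factor numbers are assumptions made for the example.

```python
CPC_CHANNELS = ("A", "B", "C", "D")
# CPPs in channels A and B process RSPT 1 inputs and feed CEAC 1 in all four
# channels; CPPs in channels C and D process RSPT 2 inputs and feed CEAC 2.
CPP_FEEDS_CEAC = {"A": 1, "B": 1, "C": 2, "D": 2}


def ceac_operability(failed_cpps=(), failed_ceac_modules=()):
    """Return {channel: {1: bool, 2: bool}} of CEAC OPERABLE flags.

    failed_cpps: (channel, cpp) pairs, cpp being 1 or 2 (the redundant pair).
    failed_ceac_modules: (channel, ceac) pairs for a processor-module fault.
    ASSUMPTION: a CEAC that loses position input on multiple CEAs is
    counted as inoperable.
    """
    failed_cpps = set(failed_cpps)
    status = {ch: {1: True, 2: True} for ch in CPC_CHANNELS}
    for src in CPC_CHANNELS:
        # A single CPP failure is absorbed: the receiving CEAC switches to
        # the backup CPP. Only loss of both CPPs in a channel propagates.
        if {(src, 1), (src, 2)} <= failed_cpps:
            for ch in CPC_CHANNELS:
                status[ch][CPP_FEEDS_CEAC[src]] = False
    for ch, ceac in failed_ceac_modules:
        status[ch][ceac] = False
    return status


def lco_condition(status):
    """'B' if both CEACs are inoperable in any channel, 'A' if one CEAC is
    inoperable in one or more channels, None if the LCO is met.
    Entry into B because Condition A's Completion Time expired is not modeled.
    """
    flags = [(status[ch][1], status[ch][2]) for ch in CPC_CHANNELS]
    if any(not a and not b for a, b in flags):
        return "B"
    if any(not (a and b) for a, b in flags):
        return "A"
    return None


def affected_channels(status):
    """Channels in which at least one CEAC is inoperable."""
    return [ch for ch in CPC_CHANNELS if not all(status[ch].values())]


def cpc_penalty(ceac_ok, pf_ceac1, pf_ceac2, preassigned):
    """Penalty factor a CPC applies: the higher of the two when both CEACs
    are OPERABLE, the remaining one when one has failed, and the large
    preassigned value when both have failed."""
    available = [pf for ok, pf in zip(ceac_ok, (pf_ceac1, pf_ceac2)) if ok]
    return max(available) if available else preassigned


if __name__ == "__main__":
    # Constructed scenarios; the penalty-factor numbers are placeholders.
    scenarios = {
        "one CPP lost in A": dict(failed_cpps={("A", 1)}),
        "both CPPs lost in A": dict(failed_cpps={("A", 1), ("A", 2)}),
        "CEAC 1 module fault in B": dict(failed_ceac_modules={("B", 1)}),
        "both CPPs lost in A and in C": dict(
            failed_cpps={("A", 1), ("A", 2), ("C", 1), ("C", 2)}),
    }
    for name, faults in scenarios.items():
        st = ceac_operability(**faults)
        print(f"{name}: Condition {lco_condition(st)}, "
              f"channels {affected_channels(st)}")
    print(cpc_penalty((True, False), 1.02, 1.10, preassigned=1.50))
```

The second scenario shows why the LCO requires both CEACs in every channel: a fault confined to one channel's CPP pair removes the same CEAC from all four channels at once.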
SURVEILLANCE REQUIREMENTS

SR 3.3.3.1

Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limits.

For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.3.2

Deleted

SR 3.3.3.3

CHANNEL FUNCTIONAL TEST on each CEAC channel is performed to ensure the entire channel will perform its intended function when needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.4

SR 3.3.3.4 is the performance of a CHANNEL CALIBRATION. CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillance. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 5. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.5

A CHANNEL FUNCTIONAL TEST is performed on the CEACs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY, including alarm and trip Functions.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50.
2. 10 CFR 100.
3. UFSAR, Section 7.2.
4. NRC Safety Evaluation Report, July 15, 1994.
5. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.
B 3.3  INSTRUMENTATION

B 3.3.4  Reactor Protective System (RPS) Logic and Trip Initiation

BASES

BACKGROUND

The RPS initiates a reactor trip to protect against violating the core fuel design limits and reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

The departure from nucleate boiling ratio shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling;
Fuel centerline melting shall not occur; and
The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits.
Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RPS is segmented into four interconnected modules.
These modules are:

Measurement channels;
Bistable trip units;
RPS Logic; and
Reactor trip circuit breakers (RTCBs).

This LCO addresses the RPS Logic and RTCBs, including Manual Trip capability. LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating," provides a description of the role of this equipment in the RPS. This is summarized below:

RPS Logic

The RPS Logic, consisting of Matrix and Initiation Logic, employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths. Each trip path provides power to one of the four normally energized RTCB Initiation relays. The trip paths thus each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition. Each trip path is responsible for opening one of the four RTCBs.
The RTCB Initiation relays, when de-energized, interrupt power to the breaker undervoltage trip attachments and simultaneously apply power to the shunt trip attachments on each of the breakers. Actuation of either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs). When a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four initiation relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all four RTCBs, tripping them open. Matrix Logic refers to the matrix power supplies, trip channel bypass contacts and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel. The Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, and initiation relays and the initiation relay contacts in the RTCB control circuitry.
It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing.

Reactor Trip Circuit Breakers (RTCBs)

The reactor trip switchgear consists of four RTCBs. Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel such that the loss of either MG set does not de-energize the CEDMs. Power is supplied from the MG sets to the CEDMs via two redundant paths (trip legs). Trip legs 1 and 3 are in parallel with Trip legs 2 and 4. This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses. Each of the two trip legs consists of two RTCBs in series.
The two RTCBs within a trip leg are actuated by separate initiation circuits.
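The coincidence logic, trip channel bypass and breaker arrangement described above can be checked exhaustively with a small truth-table model. This is an added illustration, not plant software or part of the Technical Specification Bases; the function names, the `stuck_paths` fault injection, and the assignment of RTCBs 1 and 3 to one trip leg and 2 and 4 to the other are assumptions made for the example.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# Six logic matrices, one per pair of bistable channels: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(a + b for a, b in combinations(CHANNELS, 2))
# Trip path k powers Initiation relay k, which opens RTCB k.
TRIP_PATHS = (1, 2, 3, 4)
# ASSUMPTION: RTCBs 1 and 3 are the series pair in one trip leg, 2 and 4 in
# the other, and the two legs are in parallel.
TRIP_LEGS = ((1, 3), (2, 4))


def coincident_matrices(tripped, bypassed=None):
    """Matrices that see the same-parameter trip in both of their channels.

    `bypassed` is at most one channel: the interlock forbids bypassing the
    same parameter in two channels at once, so the argument is a single
    channel name rather than a set.
    """
    if bypassed is not None and bypassed not in CHANNELS:
        raise ValueError(f"unknown channel {bypassed!r}")
    # A bypassed bistable still indicates, but its matrix contacts are shorted.
    counted = {ch for ch in tripped if ch != bypassed}
    return [m for m in MATRICES if set(m) <= counted]


def open_breakers(tripped, bypassed=None, stuck_paths=(), already_open=()):
    """Return the set of RTCBs that end up open.

    A coincidence in any one matrix de-energizes its four matrix relays, and
    each relay opens a contact in a different trip path, so every trip path
    opens (six series contacts acting as a logical OR).
    `stuck_paths` is a hypothetical fault injection: trip paths whose breaker
    fails to open. `already_open` models a breaker opened for testing.
    """
    opened = set(already_open)
    if coincident_matrices(tripped, bypassed):
        opened |= {p for p in TRIP_PATHS if p not in stuck_paths}
    return opened


def cedm_power_interrupted(opened):
    """CEDM power is lost only when both parallel trip legs are open; one open
    breaker is enough to open its series leg."""
    return all(any(b in opened for b in leg) for leg in TRIP_LEGS)


def reactor_trip(tripped, bypassed=None, stuck_paths=(), already_open=()):
    """True when the modeled conditions remove power from the CEDMs."""
    return cedm_power_interrupted(
        open_breakers(tripped, bypassed, stuck_paths, already_open))


def voting(bypassed=None):
    """Return (m, n) for the m-out-of-n logic, found by exhaustive search:
    m is the smallest count for which every m-channel subset trips."""
    counted = [ch for ch in CHANNELS if ch != bypassed]
    for m in range(1, len(counted) + 1):
        if all(reactor_trip(set(s), bypassed) for s in combinations(counted, m)):
            return m, len(counted)
    return None


if __name__ == "__main__":
    print("matrices:", MATRICES)
    print("normal logic:", voting())
    print("channel A bypassed:", voting("A"))
    print("A+C tripped, A bypassed:", reactor_trip({"A", "C"}, bypassed="A"))
    print("RTCB 1 open for test:", reactor_trip(set(), already_open={1}))
    print("A+B tripped, path 1 stuck:", reactor_trip({"A", "B"}, stuck_paths={1}))
    print("A+B tripped, paths 1 and 3 stuck:",
          reactor_trip({"A", "B"}, stuck_paths={1, 3}))
```

Under the assumed layout, the last two cases show the effect of the series-parallel arrangement: one breaker that fails to open does not defeat the trip, while both breakers of the same leg failing to open does.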
Each RTCB is operated by either a Manual Trip push button, a Supplementary Protection System (SPS) Trip relay, or an RPS actuated Initiation relay. There are four Manual Trip push buttons; each of the push buttons operates one of the RTCBs.
Depressing either of the push buttons in both trip legs will result in a reactor trip. When a Manual Trip is initiated using the control room push buttons, the RPS trip paths and Initiation relays are not utilized and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS.

Manual Trip circuitry includes the push button and interconnecting wiring to the RTCBs necessary to actuate both the undervoltage and shunt trip attachments, but excludes the Initiation relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic.

Functional testing of the entire RPS, from bistable input through the opening of the individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. UFSAR, Section 7.2 (Ref. 3), explains RPS testing in more detail.

APPLICABLE SAFETY ANALYSES

Reactor Protective System (RPS) Logic

The RPS Logic provides for automatic trip initiation to maintain the SLs during AOOs and assist the ESF systems in ensuring acceptable consequences during accidents. All transients and accidents that call for a reactor trip assume the RPS Logic is functioning as designed.

Reactor Trip Circuit Breakers (RTCBs)

All of the transient and accident analyses that call for a reactor trip assume that the RTCBs operate and interrupt power to the CEDMs.
Manual Trip

The Manual Trip is part of the RPS circuitry and can be used by the operator to perform a controlled reactor shutdown. It is also used by the operator to shut down the reactor whenever any parameter is rapidly trending toward its trip setpoint. A Manual Trip accomplishes the same results as any one of the automatic trip Functions.

The RPS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Reactor Protective System (RPS) Logic

The LCO on the RPS Logic channels ensures that each of the following requirements is met:

A reactor trip will be initiated when necessary;
The required protection system coincidence logic is maintained (minimum two-out-of-three, normal two-out-of-four); and
Sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance.

Failures of individual bistable relays and their contacts are addressed in LCO 3.3.1. This Specification addresses failures of the Matrix Logic not addressed in the above, such as the failure of matrix relay power supplies, or the failure of the trip channel bypass contact in the bypass condition. A matrix logic is considered inoperable if a coincident trip in the same function in the two OPERABLE channels monitored by the Logic Matrix will not remove power from the coils of all four matrix relays. The OPERABILITY of the Matrix Logic is not affected by bypassed or inoperable measurement channels.
Loss of a single vital bus will de-energize one of the two power supplies in each of three matrices. This will result in two RTCBs opening; however, the remaining two closed RTCBs will prevent a reactor trip. For the purposes of this LCO, de-energizing up to three matrix power supplies due to a single failure is to be treated as a single channel failure, providing the affected matrix relays de-energize as designed, opening the affected RTCBs.

Each of the four Initiation Logic channels opens one RTCB if any of the six coincidence matrices de-energize their associated matrix relays. They thus perform a logical OR function. Each Initiation Logic channel has its own power supply and is independent of the others. An Initiation Logic channel includes the matrix relay through to the Initiation relay contacts, which open the RTCB. An Initiation Logic is considered inoperable if the contacts on the initiation relay will not operate when power is removed from the coils of any of the six matrix relays in the trip paths.

It is possible for two Initiation Logic channels affecting the same trip leg to de-energize if a matrix power supply or vital instrument bus fails. This will result in opening the two affected RTCBs.

If one RTCB has been opened in response to a single RTCB channel, Initiation Logic channel, or Manual Trip channel failure, the affected RTCB may be closed for up to 1 hour for Surveillance on the OPERABLE Initiation Logic, RTCB, and Manual Trip channels. In this case, the redundant RTCB will provide protection if a trip should be required.
It is unlikely that a trip will be required during the Surveillance, coincident with a failure of the remaining series RTCB channel. If a single matrix power supply or vital bus failure has opened two RTCBs, Manual Trip and RTCB testing on the closed breakers cannot be performed without causing a trip.

1. Matrix Logic

This LCO requires six channels of Matrix Logic to be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when any RTCBs are closed and any CEA is capable of being withdrawn.
2. Initiation Logic

This LCO requires four channels of Initiation Logic to be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when the RTCBs are closed and any CEA is capable of being withdrawn.

3. Reactor Trip Circuit Breakers

The LCO requires four RTCB channels to be OPERABLE in MODES 1 and 2, as well as in MODES 3, 4, and 5 when the RTCBs are closed and any CEA is capable of being withdrawn.

Each channel consists of a breaker operated by the Initiation Logic or Manual Trip circuitry. Without reliable RTCBs and associated support circuitry, a reactor trip cannot occur whether initiated automatically or manually.

Each channel of RTCBs starts after the contacts that are actuated by the Initiation relay and the Manual Trip for each set of breakers. The Initiation relay actuated contacts and the upstream circuitry are considered to be RPS Logic. Manual Trip contacts and upstream circuitry are considered to be Manual Trip circuitry.

A Note associated with the ACTIONS states that if one RTCB has been opened in response to a single RTCB channel, Initiation Logic channel, or Manual Trip channel failure, the affected RTCB may be closed for up to 1 hour for Surveillance on the OPERABLE Initiation Logic, RTCB, and Manual Trip channels. In this case the redundant RTCB will provide protection.
If a single matrix power supply or vital bus failure has opened two RTCBs, Manual Trip and RTCB testing on the closed breakers cannot be performed without causing a trip.

4. Manual Trip

The LCO requires all four Manual Trip channels to be OPERABLE in MODES 1 and 2, and MODES 3, 4, and 5 when the RTCBs are closed and any CEA is capable of being withdrawn.
Four independent push buttons are provided. Each push button is considered a channel and operates one of the four RTCBs. Depressing either of the two push buttons in both trip legs will cause an interruption of power to the CEDMs, allowing the CEAs to fall into the core. This design ensures that no single failure in any push button circuit can either cause or prevent a reactor trip.

Manual Trip push buttons are also provided at the reactor trip switchgear (locally) in case the control room push buttons become inoperable or the control room becomes uninhabitable. These are not part of the RPS and cannot be credited in fulfilling the LCO OPERABILITY requirements. Furthermore, LCO ACTIONS need not be entered due to failure of a local Manual Trip.

APPLICABILITY

This LCO is applicable to the RPS Matrix Logic, Initiation Logic, RTCB, and Manual Trips in MODES 1, 2, 3, 4, and 5.
The RPS Instrumentation in MODES 1 and 2 is addressed in LCO 3.3.1. The RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal is addressed in LCO 3.3.2. The requirements for the CEACs in MODES 1 and 2 are addressed in LCO 3.3.3.

The RPS Logic, RTCBs, and Manual Trip are required to be OPERABLE in any MODE when the CEAs are capable of being withdrawn off the bottom of the core (i.e., RTCBs closed and power available to the CEDMs). This ensures that the reactor can be tripped when necessary, but allows for maintenance and testing when the reactor trip is not needed. In MODES 3, 4, and 5 with the RTCBs open, the CEAs are not capable of withdrawal and these functions do not have to be OPERABLE. The indication alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12, "Boron Dilution Alarm System (BDAS)".
ACTIONS

A.1

Condition A applies if one Matrix Logic channel is inoperable or three Matrix Logic channels are inoperable due to a common power source failure de-energizing three matrix power supplies in any applicable MODE. Loss of a single vital instrument bus will de-energize one of the two matrix power supplies in up to three matrices. This is considered a single matrix failure, providing the matrix relays associated with the failed power supplies de-energize as required. The channel must be restored to OPERABLE status within 48 hours. The Completion Time of 48 hours provides the operator time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable. Operating experience has demonstrated that the probability of a random failure of a second Matrix Logic channel is low during any given 48 hour interval. If the channel cannot be restored to OPERABLE status within 48 hours, Condition E is entered.

B.1, B.2.1, and B.2.2

Condition B applies to one Initiation Logic channel, RTCB channel, or Manual Trip channel in MODES 1 and 2, since they have the same actions. MODES 3, 4, and 5, with the RTCBs shut, are addressed in Condition C. These Required Actions require opening of the affected RTCB, or the redundant RTCB in the affected Trip Leg. This removes the need for the affected Trip Leg by performing its associated safety function. With an RTCB open, the affected Functions are in one-out-of-two logic, which meets redundancy requirements, but testing on the OPERABLE channels cannot be performed without causing a reactor trip unless the RTCBs in the inoperable channels are closed to permit testing.
Therefore, a Note has been added specifying that the RTCBs associated with one inoperable channel may be closed for up to 1 hour for the performance of an RPS CHANNEL FUNCTIONAL TEST.
Required Action B.1 provides for opening the RTCB associated with the inoperable Trip Leg within a Completion Time of 1 hour. This Required Action is conservative, since depressing the Manual Trip push button associated with either breaker in the other trip leg will cause a reactor trip. With this configuration, a single channel failure will not prevent a reactor trip. The allotted Completion Time is adequate for opening the affected RTCB while maintaining the risk of having it closed at an acceptable level.

Required Actions B.2.1 and B.2.2 provide for opening one of the redundant RTCB in the affected Trip leg within 1 hour and opening the affected RTCB within 48 hours. These actions allow a RTCB that fails to open to remain undisturbed for 48 hours for failure analysis, while placing the plant in a conservative condition. Opening either RTCB in the affected Trip leg ensures that opening either of the RTCBs in the other Trip leg will cause a reactor trip. This places the affected functions in one-out-of-two logic, which meets redundancy requirements. The allotted Completion Time to open one of the RTCBs in the affected Trip leg is adequate for opening the affected RTCB while maintaining the risk of having it closed at an acceptable level. The allotted action time to open the affected RTCB is adequate to preserve the failure information.

C.1

Condition C applies to the failure of one Initiation Logic channel, RTCB channel, or Manual Trip channel affecting the same trip leg in MODE 3, 4, or 5 with the RTCBs closed. The channel must be restored to OPERABLE status within 48 hours.
If the inoperable channel cannot be restored to OPERABLE status within 48 hours, the affected RTCB must be opened.
This removes the need for the affected channel by performing its associated safety function. With a RTCB open, the affected functions are in one-out-of-two logic, which meets redundancy requirements. The Completion Time of 48 hours is consistent with that of other RPS instrumentation and should be adequate to repair most failures.
Testing on the OPERABLE channels cannot be performed without causing a reactor trip unless the RTCB in the inoperable channels is closed to permit testing. Therefore, a Note has been added specifying that the RTCB associated with one inoperable channel may be closed for up to 1 hour for the performance of an RPS CHANNEL FUNCTIONAL TEST.

D.1

Condition D applies to the failure of both Initiation Logic channels or manual trips affecting the same trip leg. Since this will open two channels of RTCBs, this Condition is also applicable to RTCB channels in the same trip leg. This will open both sets of RTCBs in the affected trip leg, satisfying the Required Action of opening the affected RTCBs.

Of greater concern is the failure of the initiation circuit in a nontrip condition (e.g., due to two initiation relay failures). With only one Initiation Logic channel failed in a nontrip condition, there is still the redundant RTCB in the trip leg. With both failed in a nontrip condition, the reactor will not trip automatically when required. In either case the affected RTCBs must be opened immediately by using the appropriate Manual Trip push buttons, since each of the four push buttons opens one of the RTCBs, independent of the initiation circuitry. Caution must be exercised, since depressing the wrong push buttons may result in a reactor trip. If the affected RTCBs cannot be opened, Required Action E is entered. This would only occur if there is a failure in the Manual Trip circuitry or the RTCB(s).
E.1 and E.2

Condition E is entered if Required Actions associated with Condition A, B, or D are not met within the required Completion Time or, if for one or more Functions, more than one Manual Trip, Matrix Logic, Initiation Logic, or RTCB channel is inoperable for reasons other than Condition A or D.
If the RTCB associated with the inoperable channel, or the redundant RTCB in the affected Trip Leg cannot be opened, the reactor must be shut down within 6 hours and all the RTCBs opened. A Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required plant conditions from full power conditions in an orderly manner and without challenging plant systems and for opening RTCBs. All RTCBs should then be opened, placing the plant in a MODE where the LCO does not apply and ensuring no CEA withdrawal occurs.

SURVEILLANCE REQUIREMENTS

SR 3.3.4.1

A CHANNEL FUNCTIONAL TEST on each RPS Logic channel and Manual Trip channel is performed to ensure the entire channel will perform its intended function when needed. The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 3. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. The first test, the bistable test, is addressed by SR 3.3.1.7 in LCO 3.3.1. This SR addresses the two tests associated with the RPS Logic: Matrix Logic and Trip Path.

Matrix Logic Tests

These tests are performed one matrix at a time. They verify that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state.
The Matrix Logic tests will detect any short circuits around the bistable contacts in the coincidence logic such as may be caused by faulty bistable relay or trip channel bypass contacts.
Trip Path Tests

These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected RTCB. The RTCB must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

During the Matrix Logic and Initiation Logic tests, power is applied to the Matrix relay test coils. The test coils prevent an actuation during testing by preventing the Matrix relay contacts in the Initiation Logic from changing state during the test. This does not affect the Operability of the Initiation Logic since only one of the six logic combinations that are available to trip the Initiation Logic is affected during the test because only one Matrix Logic combination can be tested at any time. The remaining five matrix combinations available ensure that a trip in any three channels will de-energize all four Initiation paths.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.2

Each RTCB is actuated by an undervoltage coil and a shunt trip coil. The system is designed so that either de-energizing the undervoltage coil or energizing the shunt trip coil will cause the circuit breaker to open. When an RTCB is opened, either during an automatic reactor trip or by using the manual push buttons in the control room, the undervoltage coil is de-energized and the shunt trip coil is energized. This makes it impossible to determine if one of the coils or associated circuitry is defective.
Therefore, following maintenance or adjustment of the reactor trip breakers, a CHANNEL FUNCTIONAL TEST is performed that individually tests all four undervoltage coils and all four shunt trip coils. During undervoltage coil testing, the shunt trip coils must remain de-energized, preventing their operation. Conversely, during shunt trip coil testing, the undervoltage coils must remain energized, preventing their operation.
This Surveillance ensures that every undervoltage coil and every shunt trip coil is capable of performing its intended function and that no single active failure of any RTCB component will prevent a reactor trip.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.3

A CHANNEL FUNCTIONAL TEST on each RTCB is performed to verify proper operation of each RTCB. The RTCB must then be closed prior to testing the other three initiation circuits, or a Reactor Trip may result.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A.
2. 10 CFR 100.
3. UFSAR, Section 7.2.
4. NRC Safety Evaluation Report, July 15, 1994.
5. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.
B 3.3  INSTRUMENTATION

B 3.3.5  Engineered Safety Features Actuation System (ESFAS) Instrumentation

BASES

BACKGROUND

The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and ensures acceptable consequences during accidents.

The ESFAS contains devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:

1. Safety Injection Actuation Signal (SIAS);
2. Containment Spray Actuation Signal (CSAS);
3. Containment Isolation Actuation Signal (CIAS);
4. Main Steam Isolation Signal (MSIS);
5. Recirculation Actuation Signal (RAS); and
6, 7. Auxiliary Feedwater Actuation Signal (AFAS).

Equipment actuated by each of the above signals is identified in the UFSAR (Ref. 1).

Each of the above ESFAS instrumentation systems is segmented into three interconnected modules. These modules are:

- Measurement channels;
- Bistable trip units; and
- ESFAS Logic:
  - Matrix Logic,
  - Initiation Logic (trip paths), and
  - Actuation Logic.
This LCO addresses measurement channels and bistables. Logic is addressed in LCO 3.3.6, "Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip."

The role of each of these modules in the ESFAS, including the logic of LCO 3.3.6, is discussed below.

Measurement Channels

Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

Four identical measurement channels with electrical and physical separation are provided for each parameter used in the generation of trip signals. These channels are designated A through D. Measurement channels provide input to ESFAS bistables within the same ESFAS channel. In addition, some measurement channels are used as inputs to Reactor Protective System (RPS) bistables, and most provide indication in the control room. Measurement channels used as an input to the RPS or ESFAS are not used for control Functions.

When a channel monitoring a parameter indicates an unsafe condition, the bistable monitoring the parameter in that channel will trip. Tripping two or more channels of bistables monitoring the same parameter will de-energize Matrix Logic, which in turn de-energizes the Initiation Logic. This causes both channels of Actuation Logic to de-energize. Each channel of Actuation Logic controls one train of the associated Engineered Safety Features (ESF) equipment.

Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of GDC 21 in Appendix A to 10 CFR 50 (Ref. 2).
The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic.
Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 4).

Bistable Trip Units

Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the Matrix Logic for each ESFAS Function. They also provide local trip indication and remote annunciation.

There are four channels of bistables, designated A through D, for each ESFAS Function, one for each measurement channel. In cases where two ESF Functions share the same input and trip setpoint (e.g., containment pressure input to CIAS and SIAS), the same bistable may be used to satisfy both Functions. Similarly, bistables may be shared between the RPS and ESFAS (e.g., Pressurizer Pressure - Low input to the RPS and SIAS). Bistable output relays de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate an ESF actuation (two-out-of-four logic).
The trip setpoints and Allowable Values used in the bistables are based on the analytical limits stated in Reference 5. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment effects, for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.5-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. The UFSAR Trip Setpoints are based on the calculated total loop uncertainty consistent with the methodology as documented in the UFSAR (RG 1.05, Revision 1, November 1976) (Ref. 11).

The general relationship among the PVNGS trip setpoint terms is as follows: The calculated Limiting Setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety limit is maintained.

A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7). A channel is inoperable if its actual trip setpoint is non-conservative with respect to its required Allowable Value.
Setpoints in accordance with the Allowable Value will ensure that Safety Limits of LCO Section 2.0, "Safety Limits," are not violated during AOOs and the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed. Functional testing of the ESFAS, from the bistable input through the opening of initiation relay contacts in the ESFAS Actuation Logic, can be performed either at power or at shutdown and is normally performed on a quarterly basis.
UFSAR, Section 7.2 (Ref. 8), provides more detail on ESFAS testing. Process transmitter calibration is normally performed on a refueling basis. SRs for the channels are specified in the Surveillance Requirements section.
ESFAS Logic

The ESFAS Logic, consisting of Matrix, Initiation and Actuation Logic, employs a scheme that provides an ESF actuation of both trains when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one relay contact from each matrix relay in each of the four trip paths. Each trip path controls two initiation relays.
Each of the two initiation relays in each trip path controls contacts in the Actuation Logic for one train of ESF.

Each of the two channels of Actuation Logic, mounted in the Auxiliary Relay Cabinet (ARCs), is responsible for actuating one train of ESF equipment. Each ESF Function has separate Actuation Logic in each ARC.

The contacts from the Initiation Logic are configured in a selective two-out-of-four logic in the Actuation Logic, similar to the configuration employed by the RPS in the RTCBs. This logic controls ARC mounted subgroup relays, which are normally energized. Contacts from these relays, when de-energized, actuate specific ESF equipment.

When a coincidence occurs in two ESFAS channels, all four matrix relays in the affected matrix will de-energize. This in turn will de-energize all eight initiation relays, four used in each Actuation Logic.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel.

Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, and the initiation relays.

Actuation Logic consists of all circuitry housed within the ARCs used to actuate the ESF Function, excluding the subgroup relays, and interconnecting wiring to the initiation relay contacts mounted in the PPS cabinet.

The subgroup relays are actuated by the ESFAS logic.
Each ESFAS Function typically employs several subgroup relays, with each subgroup relay responsible for actuating one or more components in the ESFAS Function. Subgroup relays and their contacts are considered part of the actuated equipment and are addressed under the applicable LCO for this equipment. Initiation and Actuation Logic up to the subgroup relays is addressed in LCO 3.3.6.

It is possible to change the two-out-of-four ESFAS logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the bypassed channel is effectively removed from the coincidence logic. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing.

In addition to the trip channel bypasses, there are also operating bypasses on select ESFAS actuation trips. These bypasses are enabled manually in all four channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied.
Operating bypasses normally are implemented in the bistable, so that normal trip indication is also disabled. The Pressurizer Pressure - Low input to the SIAS shares an operating bypass with the Pressurizer Pressure - Low reactor trip. Manual ESFAS initiation capability is provided to permit the operator to manually actuate an ESF System when necessary. Four handswitches (located in the control room) for each ESF Function are provided, and each handswitch actuates both trains. Each Manual Trip handswitch opens one trip path, de-energizing one set of two initiation relays, one affecting each train of ESF. Initiation relay contacts are arranged in a selective two-out-of-four configuration in the Actuation Logic. Operating either handswitch in both trip legs will result in an ESFAS Actuation. This arrangement ensures that Manual actuation will not be prevented in the event of a single random failure. Each handswitch is designated a single channel in LCO 3.3.6.
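The coincidence, trip channel bypass, and selective two-out-of-four behavior described above can be checked with a small model. This is an added example, not code from the Bases or from the plant; the class and function names, the assignment of trip paths to trip legs, and the stuck-closed fault are assumptions made for illustration.

```python
from itertools import combinations, product

CHANNELS = ("A", "B", "C", "D")
MATRICES = tuple(combinations(CHANNELS, 2))   # AB, AC, AD, BC, BD, CD
TRIP_PATHS = (1, 2, 3, 4)
# ASSUMPTION (not stated on the page): paths 1 and 3 form one trip leg, 2 and 4 the other.
TRIP_LEGS = ((1, 3), (2, 4))


class BypassInterlockError(Exception):
    """Trip channel bypass requested for the same parameter in a second channel."""


class EsfasFunction:
    """Simplified model of one ESFAS Function, bistables through Actuation Logic."""

    def __init__(self):
        self.bypassed = None        # channel in trip channel bypass, if any
        self.stuck_closed = set()   # constructed fault: trip paths that cannot open

    def bypass(self, channel):
        # Interlock: one parameter may be bypassed in only one channel at a time.
        if self.bypassed is not None and self.bypassed != channel:
            raise BypassInterlockError(f"channel {self.bypassed} is already bypassed")
        self.bypassed = channel

    def matrix_deenergized(self, matrix, tripped):
        # A bypass shorts that channel's bistable contacts, so the channel
        # can no longer contribute to a coincidence in its three matrices.
        effective = set(tripped) - {self.bypassed}
        return all(ch in effective for ch in matrix)

    def open_trip_paths(self, tripped=(), handswitches=()):
        # Every matrix has one relay contact in each trip path, so one
        # de-energized matrix opens all four paths; a handswitch opens one.
        coincidence = any(self.matrix_deenergized(m, tripped) for m in MATRICES)
        return {p for p in TRIP_PATHS
                if p not in self.stuck_closed and (coincidence or p in handswitches)}

    def actuates(self, tripped=(), handswitches=()):
        # Selective two-out-of-four: at least one open path in each trip leg.
        open_paths = self.open_trip_paths(tripped, handswitches)
        return all(any(p in open_paths for p in leg) for leg in TRIP_LEGS)


def voting_threshold(function):
    """Return (k, n): the function votes k-out-of-n over its unbypassed channels."""
    n = len(CHANNELS) - (function.bypassed is not None)
    actuating, idle = set(), set()
    for bits in product((False, True), repeat=len(CHANNELS)):
        tripped = {c for c, b in zip(CHANNELS, bits) if b}
        count = len(tripped - {function.bypassed})
        (actuating if function.actuates(tripped) else idle).add(count)
    k = min(actuating)
    if max(idle) >= k:
        raise AssertionError("logic is not a pure k-out-of-n vote")
    return k, n


def single_failure_summary():
    """Inject each single fault and list the ones that cause or prevent actuation."""
    prevented = []
    for path in TRIP_PATHS:
        f = EsfasFunction()
        f.stuck_closed = {path}
        if not f.actuates(tripped={"A", "B"}):
            prevented.append(path)
    spurious = [p for p in TRIP_PATHS if EsfasFunction().actuates(handswitches={p})]
    return {"paths_whose_failure_prevents": prevented,
            "handswitches_that_actuate_alone": spurious}


def leg_failure_prevents(leg):
    """Both paths of one trip leg stuck closed: a double failure defeats the logic."""
    f = EsfasFunction()
    f.stuck_closed = set(leg)
    return not f.actuates(tripped=set(CHANNELS))


if __name__ == "__main__":
    f = EsfasFunction()
    print("no bypass:", voting_threshold(f))
    f.bypass("A")
    print("channel A bypassed:", voting_threshold(f))
    print(single_failure_summary())
    print("leg (1, 3) stuck closed prevents actuation:", leg_failure_prevents((1, 3)))
```

The model treats the Actuation Logic for both trains as identical, so a single `actuates` result stands for both.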
APPLICABLE SAFETY ANALYSES

Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be the secondary, or backup, actuation signal for one or more other accidents.

ESFAS protective Functions are as follows:

1. Safety Injection Actuation Signal

SIAS ensures acceptable consequences during large break loss of coolant accidents (LOCAs), small break LOCAs, control element assembly ejection accidents, steam generator tube ruptures, and main steam line breaks (MSLBs) inside containment. To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will initiate SIAS. SIAS initiates the Emergency Core Cooling Systems (ECCS) and performs several other functions such as initiating control room filtration, and starting the diesel generators.

2. Containment Spray Actuation Signal

CSAS actuates containment spray, preventing containment overpressurization during large break LOCAs, small break LOCAs, and MSLBs or feedwater line breaks (FWLBs) inside containment. CSAS is initiated by high high containment pressure.

3. Containment Isolation Actuation Signal

CIAS ensures acceptable mitigating actions during large and small break LOCAs, and MSLBs either inside or outside containment, and FWLBs inside containment.
CIAS is initiated by low pressurizer pressure or high containment pressure.

4. Main Steam Isolation Signal

MSIS ensures acceptable consequences during an MSLB or FWLB (between the steam generator and the main feedwater check valve), either inside or outside containment. MSIS isolates both steam generators if either generator indicates a low pressure condition, a high level condition or if a high containment pressure condition exists. This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events.

5. Recirculation Actuation Signal

At the end of the injection phase of a LOCA, the Refueling Water Tank (RWT) will be nearly empty.
Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. Switchover from RWT to containment sump must occur before the RWT empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support pump suction. Furthermore, early switchover must not occur to ensure sufficient borated water is injected from the RWT to ensure the reactor remains shut down in the recirculation mode.
An RWT Level - Low signal initiates the RAS. Once a RAS has occurred, timely operator action is required to close the RWT isolation valves (CH-531 and CH-530) to preclude air entrainment in the suction from the RWT during switchover to recirculation. The volume remaining in the RWT after the RAS provides enough time for this operator action and closure of the valves.

6, 7. Auxiliary Feedwater Actuation Signal

AFAS consists of two steam generator (SG) specific signals (AFAS-1 and AFAS-2). AFAS-1 initiates auxiliary feed to SG #1, and AFAS-2 initiates auxiliary feed to SG #2.

AFAS maintains a steam generator heat sink during a steam generator tube rupture event and an MSLB or FWLB event either inside or outside containment.

Low steam generator water level initiates auxiliary feed to the affected steam generator, providing the generator is not identified (by the rupture detection circuitry) as faulted (a steam or FWLB).
AFAS logic includes steam generator specific inputs from the SG Pressure Difference - High (SG #1 > SG #2 or SG #2 > SG #1, bistable comparators) to determine if a fault in either generator has occurred. Not feeding a faulted generator prevents containment overpressurization during the analyzed events.

The ESFAS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO requires all channel components necessary to provide an ESFAS actuation to be OPERABLE.

The Bases for the LCOs on ESFAS Functions are:

1. Safety Injection Actuation Signal

a. Containment Pressure - High

This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1, 2 and 3.

The Containment Pressure - High signal is shared among the SIAS (Function 1), CIAS (Function 3), and MSIS (Function 4).

The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.
b. Pressurizer Pressure-Low

This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1, 2 and 3. The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS and CIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that, with the specified accidents, the ESF systems will actuate to perform as expected, mitigating the consequences of the accident. The Pressurizer Pressure - Low trip setpoint, which provides SIAS, CIAS, and RPS trip, may be manually decreased to a floor value of 100 psia to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, CIAS, or SIAS. The margin between actual pressurizer pressure and the trip setpoint must be maintained less than or equal to the specified value (400 psia) to ensure a reactor trip, CIAS, and SIAS will occur if required during RCS cooldown and depressurization. When the RCS cold leg temperature is  485°F the setpoint must be  140 psia greater than the saturation pressure of the RCS cold leg. This is required to ensure a SIAS prior to reactor vessel upper head void formation in the event of RCS depressurization caused by a steam line break. From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS pressure until the trip setpoint is reached. When the trip setpoint has been lowered below the bypass permissive setpoint of 400 psia, the Pressurizer Pressure - Low reactor trip, CIAS, and SIAS actuation may be manually bypassed in preparation for shutdown cooling. When RCS pressure rises above the bypass removal setpoint, the bypass is removed.
Bypass Removal

This LCO requires four channels of operating bypass removal for Pressurizer Pressure-Low to be OPERABLE in MODES 1, 2 and 3. Each of the four channels enables and disables the operating bypass capability for a single channel. Therefore, this LCO applies to the operating bypass removal feature only. If the bypass enable function is failed so as to prevent entering an operating bypass condition, operation may continue. Because the trip setpoint has a floor value of 100 psia, a channel trip will result if pressure is decreased below this setpoint without bypassing. The operating bypass removal Allowable Value was chosen because MSLB events originating from below this setpoint add less positive reactivity than that which can be compensated for by required SDM.

2. Containment Spray Actuation Signal

a. Containment Pressure - High High

This LCO requires four channels of Containment Pressure - High High to be OPERABLE in MODES 1, 2, and 3. The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e. plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate CSAS in time to prevent containment pressure from exceeding design.
3. Containment Isolation Actuation Signal

The SIAS and CIAS are actuated on Pressurizer Pressure - Low or Containment Pressure - High; the SIAS and CIAS share the same input channels, bistables, and matrices and matrix relays. The remainder of the initiation channels, the manual channels, and the Actuation Logic are separate and are addressed in LCO 3.3.6.

a. Containment Pressure - High

This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1, 2, and 3. The Containment Pressure - High signal is shared among the SIAS (Function 1), CIAS (Function 3), and MSIS (Function 4). The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

b. Pressurizer Pressure - Low

This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1, 2, and 3. The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS and CIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that, with the specified accident, the ESF systems will actuate to perform as expected, mitigating the consequences of the accidents.
The Pressurizer Pressure - Low trip setpoint, which provides an SIAS, CIAS, and RPS trip, may be manually decreased to a floor Allowable Value of 100 psia to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, CIAS or SIAS. The safety margin between actual pressurizer pressure and the trip setpoint must be maintained less than or equal to the specified value (400 psi) to ensure a reactor trip, CIAS, and SIAS will occur if required during RCS cooldown and depressurization. From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS pressure until the trip setpoint is reached. When the trip setpoint has been lowered below the operating bypass permissive setpoint of 400 psia, the Pressurizer Pressure - Low reactor trip, CIAS, and SIAS actuation may be manually bypassed in preparation for shutdown cooling. When RCS pressure rises above the bypass removal setpoint, the bypass is removed.

Bypass Removal

This LCO requires four channels of operating bypass removal for Pressurizer Pressure - Low to be OPERABLE in MODES 1, 2, and 3. Each of the four channels enables and disables the operating bypass capability for a single channel. Therefore all four operating bypass removal channels must be OPERABLE to ensure that none of the four channels are inadvertently bypassed.
This LCO applies to the operating bypass removal feature only. If the operating bypass enable function is failed so as to prevent entering an operating bypass condition, operation may continue. Because the trip setpoint has a floor value of 100 psia, a channel trip will result if pressure is decreased below this setpoint without bypassing. The operating bypass removal Allowable Value was chosen because MSLB events originating from below this setpoint add less positive reactivity than that which can be compensated for by required SDM.

4. Main Steam Isolation Signal

The LCO is applicable to the MSIS in MODES 1, 2 and 3 except when all associated valves are closed.

a. Steam Generator Pressure - Low

This LCO requires four channels of Steam Generator Pressure - Low to be OPERABLE in MODES 1, 2 and 3. The UFSAR Trip Setpoint for this trip is set below the full load operating value for steam pressure so as not to interfere with normal plant operation. However, the setting is high enough to provide an MSIS (Function 4) during an excessive steam demand event. An excessive steam demand event causes the RCS to cool down, resulting in a positive reactivity addition to the core. MSIS limits this cooldown by isolating both steam generators if the pressure in either drops below the trip setpoint. An RPS trip on Steam Generator Pressure - Low is initiated simultaneously, using the same bistable.
The Steam Generator Pressure - Low trip setpoint may be manually decreased as steam generator pressure is reduced. This prevents an RPS trip or MSIS actuation during controlled plant cooldown. The margin between actual steam generator pressure and the trip setpoint must be maintained less than or equal to the specified value of 200 psia to ensure a reactor trip and MSIS will occur when required.

Footnote (d), which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument setpoints are found not to be conservative with respect to the as-found acceptance criteria. Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on-shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability.
Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends. Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint. The specified field installed trip setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained.
If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within the ALT, or the instrument is not functioning as required; then the instrument channel shall be declared inoperable.

b. Containment Pressure - High

This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1, 2 and 3. The Containment Pressure - High signal is shared among the SIAS (Function 1), CIAS (Function 3), and MSIS (Function 4). The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

c. Steam Generator Level-High

This LCO requires four channels of Steam Generator Level-High to be OPERABLE in MODES 1, 2 and 3. The allowable value for this trip is set high enough to ensure it does not interfere with normal plant operation. The setting is low enough to prevent moisture damage to secondary plant components in the case of a steam generator overfill event.

5. Recirculation Actuation Signal

a. Refueling Water Tank Level - Low

This LCO requires four channels of RWT Level - Low to be OPERABLE in MODES 1, 2, and 3. The upper limit on the Allowable Value for this trip is set low enough to ensure RAS does not initiate before sufficient water is transferred to the containment sump. Premature recirculation could impair the reactivity control function of safety injection by limiting the amount of boron injection.
Premature recirculation could also damage or disable the recirculation system if recirculation begins before the sump has enough water to prevent air entrainment in the suction. The lower limit on the RWT Level - Low trip Allowable Value is high enough to transfer suction to the containment sump prior to emptying the RWT. Once a RAS has occurred, timely operator action is required to close the RWT isolation valves (CH-531 and CH-530) to preclude air entrainment in the suction from the RWT during switchover to recirculation. The volume remaining in the RWT after the RAS provides enough time for this operator action and closure of the valves.

6, 7. Auxiliary Feedwater Actuation Signal SG #1 and SG #2 (AFAS-1 and AFAS-2)

AFAS-1 is initiated to SG #1 by either a low steam generator level coincident with no differential pressure trip present or by a low steam generator level coincident with a differential pressure between the two generators with the higher pressure in SG #1. AFAS-2 is similarly configured to feed SG #2.
The steam generator secondary differential pressure is used as an input of the AFAS logic, where it is used to determine if a generator is intact. The AFAS logic inhibits feeding a steam generator if the pressure in that steam generator is less than the pressure in the other steam generator by the Steam Generator Pressure Difference (SGPD) - High setpoint. The SGPD setpoint is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation. The following LCO description applies to both AFAS signals.

a. Steam Generator Level - Low

This LCO requires four channels of Steam Generator Level - Low to be OPERABLE for each AFAS in MODES 1, 2, and 3. The Steam Generator Level - Low AFAS input is shared with the Steam Generator Level-Low RPS function. The Steam Generator Level-Low AFAS and RPS use separate bistables. This allows the AFAS setpoint to be set lower than the RPS setpoint. The allowable value is high enough to ensure the steam generator is available as a heat sink. The setting is low enough to prevent inadvertent AFAS actuations during plant transients. This setpoint provides allowance that there will be sufficient inventory in the steam generator at the time of the RPS trip to provide a margin of at least 10 minutes before auxiliary feedwater is required to prevent degraded core cooling.

b. SG Pressure Difference - High (SG #1 > SG #2) or (SG #2 > SG #1)

This LCO requires four channels of SG Pressure Difference - High to be OPERABLE for each AFAS in MODES 1, 2, and 3.
The Allowable Value for this trip is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation without an actuation. The setting is low enough to detect and inhibit feeding of a faulted (MSLB or FWLB) steam generator in the event of an MSLB or FWLB, while permitting the feeding of the intact steam generator.

APPLICABILITY

In MODES 1, 2 and 3 there is sufficient energy in the primary and secondary systems to warrant automatic ESF System responses to:

Close the main steam isolation valves to preclude a positive reactivity addition;

Actuate auxiliary feedwater to preclude the loss of the steam generators as a heat sink (in the event the normal feedwater system is not available);

Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB; and

Actuate ESF systems to ensure sufficient borated water inventory to permit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.

In MODES 4, 5 and 6 automatic actuation of these Functions is not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required, as addressed by LCO 3.3.6. Several trips have operating bypasses, discussed in the preceding LCO section. The interlocks that allow these bypasses shall be OPERABLE whenever the RPS Function they support is OPERABLE.
ACTIONS

The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. Determination of setpoint drift is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESFAS bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition entered for the particular protection Function affected.

With a channel process measurement circuit that affects multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below.

Process Measurement Circuit
1. Steam Generator Pressure-Low: Steam Generator Pressure-Low; Steam Generator Level 1-Low (ESF); Steam Generator Level 2-Low (ESF)
2. Steam Generator Level (Wide Range): Steam Generator Level-Low (RPS); Steam Generator Level 1-Low (ESF); Steam Generator Level 2-Low (ESF)

With a Steam Generator Pressure Difference-High channel inoperable or in test, bypass or trip the associated Steam Generator Level-Low (ESF) function.

When the number of inoperable channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be entered immediately, if applicable in the current MODE of operation.

A Note has been added to the ACTIONS. The Note has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.
A.1 and A.2

Condition A applies to the failure of a single channel of one or more input parameters in the following ESFAS Functions:

1. Safety Injection Actuation Signal
Containment Pressure - High
Pressurizer Pressure - Low

2. Containment Spray Actuation Signal
Containment Pressure - High High

3. Containment Isolation Actuation Signal
Containment Pressure - High
Pressurizer Pressure - Low

4. Main Steam Isolation Signal
Steam Generator #1 Pressure - Low
Steam Generator #2 Pressure - Low
Steam Generator #1 Level-High
Steam Generator #2 Level-High
Containment Pressure - High

5. Recirculation Actuation Signal
Refueling Water Storage Tank Level - Low

6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1)
Steam Generator #1 Level - Low
SG Pressure Difference (SG #2 > SG #1) - High

7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2)
Steam Generator #2 Level - Low
SG Pressure Difference (SG #1 > SG #2) - High

ESFAS coincidence logic is normally two-out-of-four. If one ESFAS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip within 1 hour (Required Action A.1).
The Completion Time of 1 hour allotted to restore, bypass, or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel bypassed, the coincidence logic is now in a two-out-of-three configuration. The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows a two-out-of-three channel operation, since no single failure will cause or prevent an ESF actuation. The intent of this requirement is that should a failure occur that cannot be repaired during power operation, then continued operation is allowed without requiring a plant shutdown. However, the failure needs to be repaired during the next MODE 5 outage. Allowing the unit to exit MODE 5 is acceptable, as the appropriate retest may not be possible until normal operating pressures and temperatures are achieved. If the failure occurs while in MODE 5, then the problem needs to be resolved during that shutdown, and OPERABILITY restored prior to the subsequent MODE 2 entry.

B.1

Condition B applies to the failure of two channels of one or more input parameters in the following ESFAS automatic trip Functions:

1. Safety Injection Actuation Signal
Containment Pressure - High
Pressurizer Pressure - Low

2. Containment Spray Actuation Signal
Containment Pressure - High High

3. Containment Isolation Actuation Signal
Containment Pressure - High
Pressurizer Pressure - Low

4. Main Steam Isolation Signal
Steam Generator #1 Pressure - Low
Steam Generator #2 Pressure - Low
Steam Generator #1 Level-High
Steam Generator #2 Level-High
Containment Pressure-High

5. Recirculation Actuation Signal
Refueling Water Storage Tank Level - Low

6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1)
Steam Generator #1 Level - Low
SG Pressure Difference (SG #2 > SG #1) - High

7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2)
Steam Generator #2 Level - Low
SG Pressure Difference (SG #1 > SG #2) - High

With two inoperable channels, power operation may continue, provided one inoperable channel is placed in bypass and the other channel is placed in trip within 1 hour. With one channel of protective instrumentation bypassed, the ESFAS Function is in two-out-of-three logic in the bypassed input parameter, but with another channel failed, the ESFAS may be operating with a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected.
To correct the problem, the second channel is placed in trip. This places the ESFAS Function in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, ESFAS actuation will occur. One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one ESFAS channel, and placing a second channel in trip will result in an ESFAS actuation. Therefore, if one ESFAS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.
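The coincidence logic described under Conditions A and B, together with the AFAS inhibit described in the LCO section, as an added Python model that is not part of the Bases. The setpoint values, all names, the treatment of a failed channel as unable to trip, and the combination of the level and pressure-difference inputs per channel before the vote are assumptions made for illustration.

```python
from enum import Enum

COINCIDENCE = 2  # "ESFAS coincidence logic is normally two-out-of-four"

# Constructed setpoints for illustration only; the Bases give no values here.
SG_LEVEL_LOW_SP = 25.0  # % wide range level (assumed)
SGPD_HIGH_SP = 185.0    # psid (assumed)


class Ch(Enum):
    OPERABLE = "operable"  # bistable output follows the process
    BYPASSED = "bypassed"  # removed from the vote
    TRIPPED = "tripped"    # forced to vote "trip"
    FAILED = "failed"      # inoperable and not yet bypassed or tripped;
                           # assumed here to be unable to trip


def effective_logic(states):
    """Return (m, n): m more trips are needed from n channels able to trip."""
    m = max(COINCIDENCE - sum(s is Ch.TRIPPED for s in states), 0)
    n = sum(s is Ch.OPERABLE for s in states)
    return m, n


def margins(states):
    """Spurious trips needed to cause, and failures needed to block, actuation."""
    m, n = effective_logic(states)
    return {"spurious": m, "blocking": max(n - m + 1, 0)}


def actuates(states, bistable_trips):
    """Vote four channels; bistable_trips[i] is channel i's bistable output."""
    votes = sum(
        s is Ch.TRIPPED or (s is Ch.OPERABLE and trip)
        for s, trip in zip(states, bistable_trips)
    )
    return votes >= COINCIDENCE


def afas_demand(level, p_this, p_other):
    """One channel's AFAS demand for 'this' steam generator.

    Low level asks for auxiliary feed unless this generator's pressure is
    below the other generator's by more than the SGPD - High setpoint,
    which marks it as faulted (MSLB or FWLB) and inhibits feeding it.
    """
    level_low = level < SG_LEVEL_LOW_SP
    faulted = (p_other - p_this) > SGPD_HIGH_SP
    return level_low and not faulted


def afas(states, readings):
    """readings: four (level_sg1, level_sg2, p_sg1, p_sg2) tuples, one per channel.

    Returns (AFAS-1 actuated, AFAS-2 actuated).
    """
    afas1 = [afas_demand(l1, p1, p2) for l1, l2, p1, p2 in readings]
    afas2 = [afas_demand(l2, p2, p1) for l1, l2, p1, p2 in readings]
    return actuates(states, afas1), actuates(states, afas2)


CONFIGS = {
    "all operable": [Ch.OPERABLE] * 4,
    "one bypassed (Condition A)": [Ch.BYPASSED] + [Ch.OPERABLE] * 3,
    "one bypassed, one failed": [Ch.BYPASSED, Ch.FAILED, Ch.OPERABLE, Ch.OPERABLE],
    "one bypassed, one tripped (Condition B)":
        [Ch.BYPASSED, Ch.TRIPPED, Ch.OPERABLE, Ch.OPERABLE],
    "bypassed, tripped, third failed":
        [Ch.BYPASSED, Ch.TRIPPED, Ch.FAILED, Ch.OPERABLE],
}

# Constructed readings: steam line break on SG #1 with both levels low,
# and a loss of feedwater with both generators intact.
MSLB_SG1 = [(10.0, 20.0, 400.0, 900.0)] * 4
BOTH_LOW_INTACT = [(10.0, 10.0, 900.0, 900.0)] * 4

if __name__ == "__main__":
    for name, states in CONFIGS.items():
        m, n = effective_logic(states)
        print(f"{name:42s} {m}-out-of-{n}  {margins(states)}")
    print("MSLB on SG #1 -> (AFAS-1, AFAS-2):",
          afas(CONFIGS["all operable"], MSLB_SG1))
```

A "blocking" margin of 1 means a single further failure to trip prevents actuation, which is the two-out-of-two case the text places outside the analysis assumptions; placing the second channel in trip restores that margin to 2 while leaving a single spurious trip enough to actuate.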
C.1, C.2.1, and C.2.2

Condition C applies to one automatic operating bypass removal channel inoperable. The only automatic operating bypass removal on an ESFAS is on the Pressurizer Pressure - Low signal. This operating bypass removal is shared with the RPS Pressurizer Pressure - Low bypass removal. If the bypass removal channel for any operating bypass cannot be restored to OPERABLE status, the associated ESFAS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected ESFAS channel must be declared inoperable, as in Condition A, and the operating bypass either removed or the bypass removal channel repaired. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and D.2

Condition D applies to two inoperable automatic operating bypass removal channels. If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status, the associated ESFAS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected ESFAS channels must be declared inoperable, as in Condition B, and either the operating bypass removed or the bypass removal channel repaired. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST or the plant must shut down per LCO 3.0.3, as explained in Condition B. Completion Times are consistent with Condition B.
E.1 and E.2

If the Required Actions and associated Completion Times of Condition A, B, C, or D cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.5.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.
Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2

A CHANNEL FUNCTIONAL TEST is performed to ensure the entire channel will perform its intended function when needed. The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays.
These overlapping tests are described in Reference 1. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized. These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SRs 3.3.6.1 and 3.3.6.2 are addressed in LCO 3.3.6. SR 3.3.5.2 includes bistable tests. A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.
SR 3.3.5.3

CHANNEL CALIBRATION is a complete check of the instrument channel including the detector and the bypass removal functions. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.4

This Surveillance ensures that the train actuation response times are within the maximum values assumed in the safety analyses. Response time testing acceptance criteria are included in Reference 1. Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications.
Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 10) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and re-verified after maintenance that may adversely affect the sensor response time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.5

SR 3.3.5.5 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2, except SR 3.3.5.5 is performed within 92 days prior to startup and is only applicable to operating bypass functions. Since the Pressurizer Pressure - Low operating bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13. The CHANNEL FUNCTIONAL TEST for proper operation of the operating bypass permissives is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function.
Consequently, just prior to startup is the appropriate time to verify operating bypass function OPERABILITY. Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by SR 3.3.5.2. The allowance to conduct this test within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9).
REFERENCES

1. UFSAR, Section 7.3.
2. 10 CFR 50, Appendix A.
3. NRC Safety Evaluation Report, July 15, 1994.
4. IEEE Standard 279-1971.
5. UFSAR, Chapter 15.
6. 10 CFR 50.49.
7. "Calculation of Trip Setpoint Valves Plant Protection System", CEN-286(v), or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip Function.
8. UFSAR, Section 7.2, Tables 7.2-1 and 7.3-11A.
9. CEN-327, May 1986, including Supplement 1, March 1989, and Calculation 13-JC-SB-200.
10. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."
11. UFSAR Section 1.8, "Regulatory Guide 1.105: Instrument Setpoints (Revision 1, November 1976)".
ESFAS Logic and Manual Trip B 3.3.6
PALO VERDE UNITS 1,2,3 B 3.3.6-1 REVISION 0

B 3.3  INSTRUMENTATION

B 3.3.6  Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip

BASES

BACKGROUND

The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and ensures acceptable consequences during accidents. The ESFAS contains devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:

1. Safety Injection Actuation Signal (SIAS);
2. Containment Isolation Actuation Signal (CIAS);
3. Recirculation Actuation Signal (RAS);
4. Containment Spray Actuation Signal (CSAS);
5. Main Steam Isolation Signal (MSIS);
6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1); and
7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2).

Equipment actuated by each of the above signals is identified in the UFSAR (Ref. 1). Each of the above ESFAS instrumentation systems is segmented into three interconnected modules. These modules are:

- Measurement channels;
- Bistable trip units; and
- ESFAS Logic:
  - Matrix Logic,
  - Initiation Logic (trip paths), and
  - Actuation Logic.

This LCO addresses ESFAS Logic. Bistables and measurement channels are addressed in LCO 3.3.5, "Engineered Safety Features Actuation System (ESFAS) Instrumentation." The role of the measurement channels and bistables is described in LCO 3.3.5. The role of the ESFAS Logic is described below.

ESFAS Logic

The ESFAS Logic, consisting of Matrix, Initiation and Actuation Logic, employs a scheme that provides an ESF actuation of both trains when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic. Bistable relay contact outputs from the four channels are configured into six Matrix Logics. Each Matrix Logic checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices, to reflect the bistable channels being monitored. Each Matrix Logic contains four normally energized matrix relays. When a coincidence is detected in the two channels being monitored by the Matrix Logic, all four matrix relays de-energize. The matrix relay contacts are arranged into trip paths, with one relay contact from each matrix relay in each of the four trip paths. Each trip path controls two initiation relays.
Each of the two initiation relays in each trip path controls contacts in the Actuation Logic for one train of ESF. Each of the two channels of Actuation Logic, mounted in the Auxiliary Relay Cabinets (ARCs), is responsible for actuating one train of ESF equipment. Each ESF Function has separate Actuation Logic in each ARC. The contacts from the Initiation Logic are configured in a selective two-out-of-four logic in the Actuation Logic, similar to the configuration employed by the RPS in the RTCBs. This logic controls ARC mounted subgroup relays, which are normally energized. Contacts from these relays, when de-energized, actuate specific ESF equipment. When a coincidence occurs in two ESFAS channels, all four matrix relays in the affected matrix will de-energize.
This, in turn, will de-energize all eight initiation relays, four used in each Actuation Logic. Matrix Logic refers to the matrix power supplies, trip channel bypass contacts and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel. Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, and the initiation relays. Actuation Logic consists of all circuitry housed within the ARCs used to actuate the ESF Function, excluding the subgroup relays, and interconnecting wiring to the initiation relay contacts mounted in the PPS cabinet.
The subgroup relays are actuated by the ESFAS Logic. Each ESFAS Function typically employs several subgroup relays, with each subgroup relay responsible for actuating one or more components in the ESFAS Function. Subgroup relays and their contacts are considered part of the actuated equipment and are addressed under the applicable LCO for this equipment.

It is possible to change the two-out-of-four ESFAS Logic to two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the bypassed channel is effectively removed from the coincidence logic. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing. Trip channel bypassing is addressed in LCO 3.3.5.

Manual ESFAS initiation capability is provided to permit the operator to manually actuate an ESF System when necessary. Four handswitches (located in the control room) for each ESF Function are provided, and each handswitch actuates both trains. Each Manual Trip handswitch opens one trip path, de-energizing one set of two initiation relays, one affecting each train of ESF.
Initiation relay contacts are arranged in a selective two-out-of-four configuration in the Actuation Logic. Operating either handswitch in both Trip Legs will result in an ESFAS Actuation. This arrangement ensures that Manual Actuation will not be prevented in the event of a single random failure. Each handswitch is designated a single channel in this LCO.
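The coincidence scheme described in this BACKGROUND section, modelled as an added example (not part of the Bases and not plant software). The trip path numbering 1 to 4 and the pairing of trip paths into the two trip legs are assumptions, since the text does not state them.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# The six Matrix Logics: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(combinations(CHANNELS, 2))
TRIP_PATHS = (1, 2, 3, 4)        # numbering is an assumption of this sketch
TRIP_LEGS = ((1, 3), (2, 4))     # which paths share a leg is an assumption
TRAINS = ("A", "B")


def tripped_matrices(tripped, bypassed=None):
    """Matrices that see a coincident trip of one parameter.

    A trip-channel-bypassed bistable is removed from the coincidence logic,
    so the three matrices that include it can no longer trip.
    """
    effective = set(tripped) - {bypassed}
    return [m for m in MATRICES if set(m) <= effective]


def open_trip_paths(tripped=(), bypassed=None, forced_open=()):
    """Trip paths that are de-energized.

    forced_open models a Manual Trip handswitch (one path each) or paths
    lost through a matrix power supply / vital bus failure.
    """
    paths = set(forced_open)
    if tripped_matrices(tripped, bypassed):
        # Each matrix has one relay contact in every trip path, so a single
        # tripped matrix opens all four paths (a logical OR over matrices).
        paths.update(TRIP_PATHS)
    return paths


def train_actuates(train, open_paths, stuck_closed=()):
    """Selective two-out-of-four: one open contact is needed in BOTH legs.

    stuck_closed holds (path, train) initiation relay contacts that have
    failed in the nontrip condition.
    """
    stuck = set(stuck_closed)
    opened = {p for p in open_paths if (p, train) not in stuck}
    return all(any(p in opened for p in leg) for leg in TRIP_LEGS)


def esfas_actuation(tripped=(), bypassed=None, forced_open=(), stuck_closed=()):
    """Actuation state of each ESF train for one ESFAS Function."""
    paths = open_trip_paths(tripped, bypassed, forced_open)
    return {t: train_actuates(t, paths, stuck_closed) for t in TRAINS}


def actuating_pairs(bypassed=None):
    """Channel pairs whose coincident trip actuates both trains."""
    return [pair for pair in MATRICES
            if all(esfas_actuation(pair, bypassed).values())]


def survives_any_single_stuck_relay():
    """True if no single stuck-closed initiation contact blocks actuation."""
    for path in TRIP_PATHS:
        for train in TRAINS:
            for pair in MATRICES:
                result = esfas_actuation(pair, stuck_closed={(path, train)})
                if not all(result.values()):
                    return False
    return True


if __name__ == "__main__":
    print("two-out-of-four pairs:", actuating_pairs())
    print("channel B bypassed   :", actuating_pairs(bypassed="B"))
    print("one handswitch       :", esfas_actuation(forced_open={1}))
    print("both legs opened     :", esfas_actuation(forced_open={1, 2}))
    print("same leg lost (bus)  :", esfas_actuation(forced_open={1, 3}))
    print("both contacts of a leg stuck in train A:",
          esfas_actuation({"A", "B"}, stuck_closed={(2, "A"), (4, "A")}))
    print("single stuck relay tolerated:", survives_any_single_stuck_relay())
```

With two trip paths of the same leg already open, opening either remaining path actuates both trains, which is the one-out-of-two state the ACTIONS discussion refers to.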
APPLICABLE SAFETY ANALYSES

Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. ESFAS Functions are as follows:

1. Safety Injection Actuation Signal

SIAS ensures acceptable consequences during large break loss of coolant accidents (LOCAs), small break LOCAs, control element assembly ejection accidents, steam generator tube ruptures, and main steam line breaks (MSLBs) inside containment. To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will initiate SIAS. SIAS initiates the Emergency Core Cooling Systems (ECCS) and performs several other Functions, such as initiating control room filtration and starting the diesel generators.

2. Containment Isolation Actuation Signal

CIAS ensures acceptable mitigating actions during large and small break LOCAs and during MSLBs either inside or outside containment and feedwater line breaks (FWLBs) inside containment. CIAS is initiated by low pressurizer pressure or high containment pressure.

3. Recirculation Actuation Signal

At the end of the injection phase of a LOCA, the Refueling Water Tank (RWT) will be nearly empty.
Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. Switchover from RWT to containment sump must occur before the RWT empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support pump suction.
Furthermore, early switchover must not occur to ensure sufficient borated water is injected from the RWT to ensure the reactor remains shut down in the recirculation mode. An RWT Level - Low signal initiates the RAS.

4. Containment Spray Actuation Signal

CSAS actuates containment spray, preventing containment overpressurization during large break LOCAs, small break LOCAs, and MSLBs or FWLBs inside containment. CSAS is initiated by high high containment pressure.

5. Main Steam Isolation Signal

MSIS ensures acceptable consequences during an MSLB or FWLB (between the steam generator and the main feedwater check valve) either inside or outside containment. MSIS isolates both steam generators if either generator indicates a low pressure condition or a high level condition or if a high containment pressure condition exists. This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events.

6, 7. Auxiliary Feedwater Actuation Signal

AFAS consists of two Steam Generator (SG) specific signals, AFAS-1 and AFAS-2. AFAS-1 initiates auxiliary feed to SG #1, and AFAS-2 initiates auxiliary feed to SG #2. AFAS maintains a steam generator heat sink during a steam generator tube rupture event and an MSLB or FWLB event either inside or outside containment. Low steam generator water level initiates auxiliary feed to the affected steam generator, providing the generator is not identified (by the rupture detection circuitry) as faulted (an MSLB or FWLB).
AFAS logic includes steam generator specific inputs from the SG Pressure Difference - High (SG #1 > SG #2 or SG #2 > SG #1, bistable comparators) to determine if a fault in either generator has occurred. Not feeding a faulted generator prevents containment overpressurization during the analyzed events.

The ESFAS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO on the ESFAS Logic channels ensures that each of the following requirements is met:

- An ESFAS Actuation Signal will be initiated when necessary;
- The required protection system coincidence logic is maintained (minimum two-out-of-three, normal two-out-of-four); and
- Sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance.

Failures of individual bistable relays and their contacts are addressed in LCO 3.3.5. This Specification addresses failures of the Matrix Logic not addressed in the above, such as the failure of matrix relay power supplies or the failure of the trip channel bypass contact in the bypass condition.

A Matrix Logic is considered inoperable if a coincident trip in the same Function in the two OPERABLE channels monitored by the Matrix Logic will not remove power from the coils of all four Matrix relays. The OPERABILITY of the Matrix Logic is not affected by inoperable measurement channels.

Loss of a single vital bus will de-energize one of the two power supplies in each of the three matrices.
This will result in two trip path contacts opening in each ESFAS Actuation Logic channel; however, the remaining two contacts in each ESFAS Actuation Logic channel will remain closed, preventing an ESFAS Actuation. For the purposes of this LCO, de-energizing up to three matrix power supplies due to a single failure is to be treated as a single channel failure, providing the affected matrix relays de-energize as designed, opening the affected trip path contacts in each ESFAS Actuation Logic channel.

Each of the four Initiation Logic channels controls two Initiation relays; each Initiation relay opens a contact in its Actuation Logic channel if any of the six coincidence matrices de-energize their associated matrix relays. They thus form a logical OR function. Each Initiation Logic channel has its own power supply and is independent of the others. An Initiation Logic channel includes the matrix relay through to the Initiation relay contacts, and the interconnecting wiring to the Actuation Logic channels.

An Initiation Logic is considered inoperable if the contacts on both Initiation relays will not operate when power is removed from the coils of any of the six matrix relays in the trip path.

It is possible for two Initiation Logic channels affecting the same trip leg to de-energize if a matrix power supply or vital instrument bus fails. This will result in opening two contacts in each of the ESFAS Actuation Logic channels.

An Actuation Logic channel is inoperable if a selective two-out-of-four trip signal is received from the Initiation Logic for any ESFAS Function, and power is not removed from the coils of all of the subgroup relays actuated by that function.
The requirements for each Function are listed below. The reasons for the applicable MODES for each Function are addressed under APPLICABILITY.

1. Safety Injection Actuation Signal

Automatic SIAS occurs in Pressurizer Pressure - Low or Containment Pressure - High and is explained in Bases 3.3.5.

a. Manual Trip
This LCO requires four channels of SIAS Manual Trip to be OPERABLE in MODES 1, 2, 3, and 4.
b. Matrix Logic
This LCO requires six channels of SIAS Matrix Logic to be OPERABLE in MODES 1, 2 and 3.

c. Initiation Logic
This LCO requires four channels of SIAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4.

d. Actuation Logic
This LCO requires two channels of SIAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.

2. Containment Isolation Actuation Signal

The SIAS and CIAS are both actuated on Pressurizer Pressure - Low or Containment Pressure - High, and they share the same input channels, bistables, matrices and matrix relays. The remainder of the initiation channels, the manual channels, and the Actuation Logic are separate. Since their applicability is also the same, they have identical actions.

a. Manual Trip
This LCO requires four channels of CIAS Manual Trip to be OPERABLE in MODES 1, 2, 3, and 4.

b. Matrix Logic
This LCO requires six channels of CIAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.

c. Initiation Logic
This LCO requires four channels of CIAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4.

d. Actuation Logic
This LCO requires two channels of CIAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.
3. Recirculation Actuation Signal

a. Manual Trip
This LCO requires four channels of RAS Manual Trip to be OPERABLE in MODES 1, 2, 3, and 4.

b. Matrix Logic
This LCO requires six channels of RAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.

c. Initiation Logic
This LCO requires four channels of RAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4.

d. Actuation Logic
This LCO requires two channels of RAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.

4. Containment Spray Actuation Signal

a. Manual Trip
This LCO requires four channels of CSAS Manual Trip to be OPERABLE in MODES 1, 2, and 3.

b. Matrix Logic
This LCO requires six channels of CSAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.

c. Initiation Logic
This LCO requires four channels of CSAS Initiation Logic to be OPERABLE in MODES 1, 2, and 3.

d. Actuation Logic
This LCO requires two channels of CSAS Actuation Logic to be OPERABLE in MODES 1, 2, and 3.
5. Main Steam Isolation Signal

a. Manual Trip
This LCO requires four channels of MSIS Manual Trip to be OPERABLE in MODES 1, 2 and 3, except when all associated valves are closed.

b. Matrix Logic
This LCO requires six channels of MSIS Matrix Logic to be OPERABLE in MODES 1, 2 and 3, except when all associated valves are closed.

c. Initiation Logic
This LCO requires four channels of MSIS Initiation Logic to be OPERABLE in MODES 1, 2 and 3, except when all associated valves are closed.

d. Actuation Logic
This LCO requires two channels of MSIS Actuation Logic to be OPERABLE in MODES 1, 2 and 3, except when all associated valves are closed.

6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1)

AFAS-1 is initiated either by a low steam generator level coincident with no differential pressure trip present or by a low steam generator level coincident with a differential pressure between the two generators with the higher pressure in SG #1. The steam generator secondary differential pressure is used as an input to the AFAS logic, where it is used to determine if a generator is intact. The AFAS logic inhibits feeding a steam generator if the pressure in that steam generator is less than the Steam Generator Pressure Difference (SGPD) - High setpoint pressure.
The setpoint is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation.

a. Manual Trip
This LCO requires four channels of Manual Trip to be OPERABLE in MODES 1, 2, and 3.

b. Matrix Logic
This LCO requires six channels of Matrix Logic to be OPERABLE in MODES 1, 2, and 3.

c. Initiation Logic
This LCO requires four channels of Initiation Logic to be OPERABLE in MODES 1, 2, and 3.

d. Actuation Logic
This LCO requires two channels of Actuation Logic to be OPERABLE in MODES 1, 2, and 3.

7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2)

AFAS-2 is initiated either by a low steam generator level coincident with no differential pressure trip present or by a low steam generator level coincident with a differential pressure between the two generators with the higher pressure in SG #2. The steam generator secondary differential pressure is used as an input to the AFAS Logic, where it is used to determine if a generator is intact. The AFAS Logic inhibits feeding a steam generator if the pressure in that steam generator is less than the SGPD - High setpoint pressure.
The setpoint is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation.

a. Manual Trip
This LCO requires four channels of Manual Trip to be OPERABLE in MODES 1, 2, and 3.

b. Matrix Logic
This LCO requires six channels of Matrix Logic to be OPERABLE in MODES 1, 2, and 3.

c. Initiation Logic
This LCO requires four channels of Initiation Logic to be OPERABLE in MODES 1, 2, and 3.

d. Actuation Logic
This LCO requires two channels of Actuation Logic to be OPERABLE in MODES 1, 2, and 3.

APPLICABILITY

In MODES 1, 2 and 3, there is sufficient energy in the primary and secondary systems to warrant automatic ESF System responses to:

- Close the main steam isolation valves to preclude a positive reactivity addition;
- Actuate auxiliary feedwater to preclude the loss of the steam generators as a heat sink (in the event the normal feedwater system is not available);
- Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB; and
- Actuate ESF systems to ensure sufficient borated water inventory to permit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.

In MODES 4, 5, and 6, automatic actuation of these Functions is not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required. ESFAS Manual Trip capability is required in MODE 4 for SIAS, CIAS, and RAS even though automatic actuation is not required. Because of the large number of components actuated by these Functions, ESFAS actuation is simplified by the use of the Manual Trip. CSAS, MSIS, and AFAS have relatively few components, which can be actuated individually if required in MODE 4, and the systems may be disabled or reconfigured, making system level Manual Trip impossible and unnecessary.

The ESFAS logic must be OPERABLE in the same MODES as the automatic and Manual Trip. In MODE 4, only the portion of the ESFAS logic responsible for the required Manual Trip must be OPERABLE. In MODES 5 and 6, the systems initiated by ESFAS are either reconfigured or disabled for shutdown cooling operation.
Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components.
ACTIONS

When the number of inoperable channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be entered immediately, if applicable in the current MODE of operation.

A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

A.1

Condition A applies if one Matrix Logic channel is inoperable. Since matrix power supplies in a given matrix (e.g., AB, BC, etc.) are common to all ESFAS Functions, a single power supply failure may affect more than one matrix. Failures of individual bistables, their relays, and the trip channel bypass relays and their contacts are considered measurement channel failures. This section describes failures of the Matrix Logic not addressed in the above, such as the failure of matrix relay power supplies.
Loss of a single vital bus will de-energize one of the two power supplies in each of three matrices. This will result in two initiation circuits de-energizing, reducing the ESFAS Actuation Logic to a one-out-of-two logic in both trains. Condition A also applies when de-energizing up to three matrix power supplies due to a single failure, such as loss of a vital instrument bus. This is to be treated as a single matrix channel failure, providing the affected matrix relays de-energize as designed. Although each of the six matrices within an ESFAS Function uses separate power supplies, the matrices for the different ESFAS Functions share power supplies. Thus, failure of a matrix power supply may force entry into the Condition specified for each of the affected ESFAS Functions.
The channel must be restored to OPERABLE status within 48 hours. This provides the operator with time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable.
Operating experience has demonstrated that the probability of a random failure of a second Matrix Logic channel is low during any given 48 hour period. If the channel cannot be restored to OPERABLE status within 48 hours, Condition E is entered.

B.1

Condition B applies to one Manual Trip or Initiation Logic channel inoperable. The channel must be restored to OPERABLE status within 48 hours. Operating experience has demonstrated that the probability of a random failure in a second channel is low during any given 48 hour period.

Failure of a single Initiation Logic channel may open one contact affecting both Actuation Logic channels. For the purposes of this Specification, the Actuation Logic is not inoperable. This prevents the need to enter LCO 3.0.3 in the event of an Initiation Logic channel failure. The Actions differ from those involving one RPS manual channel inoperable, because in the case of the RPS, opening RTCBs can be easily performed and verified. Opening an initiation relay contact is more difficult to verify, and subsequent shorting of the contact is always possible.

C.1 and C.2

Condition C applies to the failure of both Initiation Logic channels affecting the same trip leg. In this case, the Actuation Logic channels are not inoperable, since they are in one-out-of-two logic and capable of performing as required. This obviates the need to enter LCO 3.0.3 in the event of a matrix or vital bus power failure.
Both Initiation Logic channels in the same trip leg will de-energize if a matrix power supply or vital instrument bus is lost. This will open the Actuation Logic contacts, satisfying the Required Action to open at least one set of contacts in the affected trip leg. Indefinite operation in this condition is prohibited because of the difficulty of ensuring the contacts remain open under all conditions.
Thus, the channel must be restored to OPERABLE status within 48 hours. This provides the operator with time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable.
Operating experience has demonstrated that the probability of a random failure of a second channel is low during any given 48 hour period. If the channel cannot be restored to OPERABLE status within 48 hours, Condition E is entered.

Of greater concern is the failure of the initiation circuit in a nontrip condition (e.g., due to two initiation relay failures). With one failed, there is still the redundant contact in the trip leg of each Actuation Logic. With both failed in a nontrip condition, the ESFAS Function is lost in the affected train. To prevent this, immediate opening of at least one contact in the affected trip leg is required. If the required contact has not opened, as indicated by annunciation or trip leg current lamps, Manual Trip of the affected trip leg contacts may be attempted.
Caution must be exercised, since operating the wrong ESFAS handswitch may result in an ESFAS actuation.

D.1

Condition D applies to Actuation Logic. With one Actuation Logic channel inoperable, automatic actuation of one train of ESF may be inhibited. The remaining train provides adequate protection in the event of Design Basis Accidents, but the single failure criterion may be violated. For this reason operation in this condition is restricted.
The channel must be restored to OPERABLE status within 48 hours. Operating experience has demonstrated that the probability of a random failure in the Actuation Logic of the second train is low during a given 48 hour period.

Failure of a single Initiation Logic channel, matrix channel power supply, or vital instrument bus may open one or both contacts in the same trip leg in both Actuation Logic channels. For the purposes of this Specification, the Actuation Logic is not inoperable. This obviates the need to enter LCO 3.0.3 in the event of a vital bus, matrix, or initiation channel failure.

Each Actuation Logic channel has two sets of redundant power supplies. The power supplies in each set are powered from different vital instrument buses. Failure of a single power supply or a set of power supplies due to the loss of a vital instrument bus does not affect the operation of the Actuation Logic because the redundant power supplies can supply the full system load. For the purposes of this specification, the Actuation Logic is not inoperable.

Required Action D.1 is modified by a Note to indicate that one channel of Actuation Logic may be bypassed for up to 1 hour for Surveillance, provided the other channel is OPERABLE. This allows performance of a PPS CHANNEL FUNCTIONAL TEST on an OPERABLE ESFAS train without generating an ESFAS actuation in the inoperable train.

E.1 and E.2

If the Required Actions and associated Completion Times of Conditions for CSAS, MSIS or AFAS cannot be met, the plant must be brought to a MODE in which the LCO does not apply.
To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
F.1 and F.2

If the Required Actions and associated Completion Times for SIAS, CIAS, or RAS are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. If the Required Actions and associated Completion Times for SIAS, CIAS, or RAS Matrix Logic are not met, this Action may be exited when the plant is brought to MODE 4 since the LCO does not apply in MODE 4. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.6.1

A CHANNEL FUNCTIONAL TEST is performed to ensure the entire channel will perform its intended function when needed. The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays.
These overlapping tests are described in Reference 1.
SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized. These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SR 3.3.5.2 is addressed in LCO 3.3.5.
SR 3.3.6.1 includes Matrix Logic tests and trip path (Initiation Logic) tests, and Manual Actuation Tests.
Matrix Logic Tests

These tests are performed one matrix at a time. They verify that a coincidence in the two input channels for each function removes power to the matrix relays. During testing, power is applied to the matrix relay test coils, preventing the matrix relay contacts from assuming their de-energized state. The Matrix Logic tests will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path (Initiation Logic) Tests

These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening one contact in each Actuation Logic channel. The initiation circuit lockout relay must be reset (except for AFAS, which lacks initiation circuit lockout relays) prior to testing the other three initiation circuits, or an ESFAS actuation may result. Automatic Actuation Logic operation is verified during Initiation Logic testing by verifying that current is interrupted in each trip leg in the selective two-out-of-four actuation circuit logic whenever the initiation relay is de-energized. A Note is added to indicate that testing of Actuation Logic shall include verification of the proper operation of each initiation relay.
During the Matrix Logic and Initiation Logic test, power is applied to the Matrix relay test coils. The test coils prevent an actuation during testing by preventing the Matrix relay contacts in the Initiation Logic from changing state during the test. This does not affect the Operability of the Initiation Logic since only one of the six logic combinations that are available to trip the Initiation Logic is affected during the test because only one Matrix Logic combination can be tested at any time. The remaining five matrix combinations available ensure that a trip in any three channels will de-energize all four Initiation paths.

Manual Trip Tests

This test verifies that the manual trip handswitches are capable of opening contacts in the Actuation Logic as designed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.2

Individual ESFAS subgroup relays must also be tested, one at a time, to verify the individual ESFAS components will actuate when required. Proper operation of the individual subgroup relays is verified by de-energizing these relays one at a time using an ARC mounted test circuit. Proper operation of each component actuated by the individual relays is thus verified without the need to actuate the entire ESFAS function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If two or more ESFAS subgroup relays fail per Unit in a 12-month period, an evaluation should be performed to determine the adequacy of the surveillance interval.
The evaluation should consider the design, maintenance, and testing of all ESFAS subgroup relays. If it is determined that the surveillance interval is inadequate for detecting a single relay failure, the surveillance interval should be decreased. The revised surveillance interval should be such that an ESFAS subgroup relay failure can be detected prior to the occurrence of a second failure.

Some components cannot be tested at power since their actuation might lead to a plant transient, equipment damage, unjustifiable exposure or an unnecessary burden on plant personnel relative to the safety significance of the surveillance. Reference 1 lists similar criteria, from Reference 4, for those relays and actuated equipment exempted from testing at power. Relays not tested at power must be tested in accordance with the Note to this SR.

The above guidance for reevaluating ESFAS subgroup relay surveillance test intervals is based on the Safety Evaluation by the Office of Nuclear Reactor Regulation, "Review of CE Owners Group Topical Report CEN-403, Rev. 1, 'ESFAS Subgroup Relay Test Interval Extension'" (Ref. 4). CEN-403, Rev. 1 was later replaced with Rev. 1-A which contains the NRC safety evaluation. It should be noted that this report (CEN-403) identifies that Palo Verde Units 1, 2, and 3 replaced the pre-1990 ESFAS subgroup relays with a newer prototype model. CEN-403 states that the failure rates for the new model relays will be comparable to the rates for the new style relays pioneered and installed at Palo Verde in late 1989 to resolve the failure mode of the older style relays. Therefore, the ESFAS subgroup relays identified as being replaced at the end of 1989 are acceptable.

REFERENCES

1. UFSAR, Section 7.3.
2. CEN-327, May 1986, including Supplement 1, March 1989, and Calculation 13-JC-SB-200.
3. CEN-403, "ESFAS Subgroup Relay Test Interval Extension, Revision 1".
4. Safety Evaluation by the Office of Nuclear Reactor Regulation, Review of CE Owners Group Topical Report CEN-403, Rev. 1, "ESFAS Subgroup Relay Test Interval Extension", February 27, 1996.
B 3.3 INSTRUMENTATION
B 3.3.7 Diesel Generator (DG) - Loss of Voltage Start (LOVS)
BASES

BACKGROUND

The DGs provide a source of emergency power when offsite power is either unavailable or insufficiently stable to allow safe unit operation. Undervoltage protection will generate a LOVS in the event a Loss of Voltage (LOV) or Degraded Voltage (DV) condition occurs. Four solid-state relays and four induction disk relays are provided on each 4.16 kV Class 1E bus for the purpose of detecting a sustained degraded voltage or a loss of bus voltage condition, respectively. The protective function of the Degraded Voltage Relays is maintained by assuring that they always actuate when voltage is 3697 V. To prevent spurious actuations, the Degraded Voltage Relays will not actuate when voltage is 3786 V. The time delay for the Degraded Voltage Relays is a maximum of 35 seconds and is not affected by the voltage level at which they are actuated. The Loss of Voltage Relays actuate at a lower voltage. Their time delay varies depending on the voltage level; the lower the voltage, the shorter the time delay.
The primary function of the Loss of Voltage Relays is to trip in 2.4 seconds or less for a complete loss of voltage condition. The Balance of Plant Engineered Safety Features Activation System (BOP ESFAS) Loss of Power/Load Shed (LOP/LS) module receives inputs from the LOV and DV relays.
The LOP/LS module has four channels; each of the channels has one LOV input and one DV input. If either a LOV or DV signal is received in that channel, the channel trips. If any 2 of the 4 channels trip, a signal is sent to the BOP ESFAS Diesel Generator Start Signal (DGSS) module starting the diesel. The LOVS initiated actions are described in "Onsite Power Systems" (Ref. 1).

Trip Setpoints and Allowable Values

Based on the trip setpoint, Calculation 13-EC-PB-202 (Ref. 5) establishes allowable minimum dropout and maximum reset values for the Degraded Voltage Relays, taking into account calibration tolerances, instrumentation uncertainties, and instrument drift. Maintaining the minimum dropout voltage (3697 V and 3786 V) ensures protection during sustained degraded voltage conditions.
Maintaining the maximum reset voltage (approximately 3805 V, Ref. 6) prevents spurious actuation during analyzed conditions. Calculations 01, 02, 03-EC-MA-221 (Ref. 6) verify that the voltage will recover above the maximum reset value following the most adverse accident loading scenario, and that the relays will not actuate during the transient period of automatic load sequencing.

Setpoints in accordance with the Allowable Values will ensure that the consequences of accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the accident and the equipment functions as designed.

The undervoltage protection scheme has been designed to protect the plant from spurious trips caused by the offsite power source. A complete loss of offsite power will result in approximately a 2 second delay in LOVS actuation. The DG starts and is available to accept loads within a 10 second time interval on the Engineered Safety Features Actuation System (ESFAS) or LOVS. Emergency power is established within the maximum time delay assumed for each event analyzed in the accident analysis (Ref. 2).

Since there are four protective channels in a two-out-of-four trip logic for each division of the 4.16 kV power supply, no single sensor failure will cause or prevent protective system actuation.

APPLICABLE SAFETY ANALYSES

The DG - LOVS is required for Engineered Safety Features (ESF) systems to function in any accident with a loss of offsite power. Its design basis is that of the ESFAS.
Accident analyses credit the loading of the DG based on a loss of offsite power during a loss of coolant accident. The actual DG start has historically been associated with the ESFAS actuation. The diesel loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power. The analysis assumes a nonmechanistic DG loading, which does not explicitly account for each individual component of the loss of power detection and subsequent actions. This delay time includes contributions from the DG start, DG loading, and Safety Injection System component actuation. The response of the DG to a loss of power must be demonstrated to fall within this analysis response time when including the contributions of all portions of the delay.

The required channels of LOVS, in conjunction with the ESF systems powered from the DGs, provide plant protection in the event of any of the analyzed accidents discussed in Reference 2, in which a loss of offsite power is assumed.
LOVS channels are required to meet the redundancy and testability requirements of GDC 21 in 10 CFR 50, Appendix A (Ref. 4). The delay times assumed in the safety analysis for the ESF equipment include the 10 second DG start delay and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in LCO 3.3.5, "Engineered Safety Features Actuation System (ESFAS) Instrumentation,"
include the appropriate DG loading and sequencing delay. The DG - LOVS channels satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO

The LCO for the LOVS requires that four channels per bus of LOVS instrumentation be OPERABLE in MODES 1, 2, 3, and 4 and when the associated DG is required to be OPERABLE by LCO 3.8.2, "AC Sources - Shutdown." The LOVS supports safety systems associated with the ESFAS. In MODES 5 and 6, the four channels must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure that the automatic start of the DG is available when needed.
Actions allow maintenance (trip channel) bypass of individual channels.

Loss of LOVS Function could result in the delay of safety system initiation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power, which is an anticipated operational occurrence, the DG powers the motor driven auxiliary feedwater pumps. Failure of these pumps to start would leave only the one turbine driven pump as well as an increased potential for a loss of decay heat removal through the secondary system.

Only Allowable Values are specified for each Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable, provided that operation and testing is consistent with the assumptions of the plant specific setpoint calculation. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

APPLICABILITY

The DG - LOVS actuation Function is required in MODES 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODE 5 or 6 is required whenever the required DG must be OPERABLE, so that it can perform its function on a loss of power or degraded power to the vital bus.
ACTIONS

A LOVS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. Determination of setpoint drift is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the instrument is set up for adjustment to bring it within specification. If the actual trip setpoint is not within the Allowable Value, the channel is inoperable and the appropriate Conditions must be entered.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the channel is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition entered. The required channels are specified on a per DG basis.

A.1 and A.2

Condition A applies if one channel per DG bus is inoperable. If the channel cannot be restored to OPERABLE status, the affected channel should either be bypassed or tripped within 1 hour (Required Action A.1).
Placing this channel in either Condition ensures that logic is in a known configuration. In trip, the LOVS Logic is one-out-of-three. In bypass, the LOVS Logic is two-out-of-three. The 1 hour Completion Time is sufficient to perform these Required Actions.

Once Required Action A.1 has been complied with, Required Action A.2 allows prior to entering MODE 2 following the next MODE 5 entry to repair the inoperable channel. If the channel cannot be restored to OPERABLE status, the plant cannot enter MODE 2 following the next MODE 5 entry. The time allowed to repair or trip the channel is reasonable to repair the affected channel while ensuring that the risk involved in operating with the inoperable channel is acceptable. The prior to entering MODE 2 following the next MODE 5 entry Completion Time is based on adequate channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a system actuation.

B.1 and B.2

Condition B applies if two channels per DG bus are inoperable. If the channel cannot be placed in bypass or trip within 1 hour, the Conditions and Required Actions for the associated DG made inoperable by DG - LOVS instrumentation are required to be entered. Alternatively, one affected channel is required to be bypassed and the other is tripped, in accordance with Required Action B.2. This places the Function in one-out-of-two logic. The 1 hour Completion Time is sufficient to perform the Required Actions.
One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not permitted to bypass more than one DG-LOVS channel, and placing a second channel in trip will result in a loss of voltage diesel start signal. After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel.

C.1

Condition C.1 applies when more than two channels on a single bus are inoperable. Required Action C.1 requires all but two channels to be restored to OPERABLE status within 1 hour. With more than two channels inoperable, the logic is not capable of providing the DG - LOVS signal for valid Loss of Voltage or degraded voltage condition. The 1 hour Completion Time is reasonable to evaluate and take action to correct the degraded condition in an orderly manner and takes into account the low probability of an event requiring LOVS occurring during this interval.

D.1

Condition D.1 applies if the Required Actions and associated Completion Times are not met. Required Action D.1 ensures that Required Actions for the affected DG inoperabilities are initiated. Depending upon plant MODE, the ACTIONS specified in LCO 3.8.1, "AC Sources - Operating," or LCO 3.8.2 are required immediately.
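As an added illustration (not part of the Technical Specification Bases and not plant logic), the following Python sketch models the two-out-of-four LOVS coincidence described in the Background and the effect on it of bypassing or tripping channels under Conditions A and B. The channel states, function names, and sample relay inputs are assumptions made for this example.

```python
from enum import Enum


class State(Enum):
    OPERABLE = "operable"  # votes according to its LOV / DV relay inputs
    BYPASSED = "bypassed"  # removed from the vote (maintenance bypass)
    TRIPPED = "tripped"    # forced to vote "trip"


COINCIDENCE = 2        # any two channel trips produce the DG start signal
CHANNELS_PER_BUS = 4   # four channels per 4.16 kV Class 1E bus


def channel_vote(state, lov, dv):
    """True if this channel contributes a trip to the coincidence logic."""
    if state is State.TRIPPED:
        return True
    if state is State.BYPASSED:
        return False
    # An OPERABLE channel trips on either its LOV or its DV input.
    return bool(lov or dv)


def start_signal(channels):
    """channels: four (state, lov, dv) tuples for one bus."""
    if len(channels) != CHANNELS_PER_BUS:
        raise ValueError("expected four channels per bus")
    votes = sum(channel_vote(*ch) for ch in channels)
    return votes >= COINCIDENCE


def effective_logic(states):
    """Return (m, n): m further trips are needed out of the n channels
    that still vote on their relay inputs ("m-out-of-n")."""
    if len(states) != CHANNELS_PER_BUS:
        raise ValueError("expected four channels per bus")
    forced = sum(s is State.TRIPPED for s in states)
    voting = sum(s is State.OPERABLE for s in states)
    return max(COINCIDENCE - forced, 0), voting


def single_failure_effects(states):
    """Return (can_cause, can_prevent) for one failure among voting channels.

    can_cause:   one spurious channel trip would produce a start signal.
    can_prevent: one channel failing to trip would block a valid start.
    When m is 0 the start signal is already present and both are False.
    """
    needed, voting = effective_logic(states)
    can_cause = needed == 1 and voting >= 1
    can_prevent = needed > 0 and (voting - 1) < needed
    return can_cause, can_prevent


if __name__ == "__main__":
    O, B, T = State.OPERABLE, State.BYPASSED, State.TRIPPED
    configurations = {
        "all OPERABLE": [O, O, O, O],
        "A.1, one channel tripped": [T, O, O, O],
        "A.1, one channel bypassed": [B, O, O, O],
        "B.2, one bypassed and one tripped": [B, T, O, O],
        "two channels tripped": [T, T, O, O],
    }
    for name, states in configurations.items():
        m, n = effective_logic(states)
        print(f"{name}: {m}-out-of-{n}, single failure "
              f"(cause, prevent) = {single_failure_effects(states)}")

    # Constructed inputs: degraded voltage seen by two OPERABLE channels
    # while a third channel is in bypass.
    bus = [(B, False, True), (O, False, True), (O, False, True), (O, False, False)]
    print("start signal:", start_signal(bus))
```

The single-failure result for the bypassed configuration matches the statement under A.1 and A.2 that two-out-of-three operation is such that no single failure will cause or prevent an actuation; the two-channels-tripped case reproduces the start signal noted under B.1 and B.2.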
SURVEILLANCE REQUIREMENTS

The following SRs apply to each DG - LOVS Function.

SR 3.3.7.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination shall include, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. A CHANNEL CHECK consists of verifying all relay status lights on the control board are lit. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff. If the channels are within the criteria, it is an indication that the channels are OPERABLE. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.2

A CHANNEL FUNCTIONAL TEST is performed to ensure that the entire channel will perform its intended function when needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The as found and as left values must also be recorded and reviewed for consistency.
SR 3.3.7.3

SR 3.3.7.3 is the performance of a CHANNEL CALIBRATION. The CHANNEL CALIBRATION verifies the accuracy of each component within the instrument channel. This includes calibration of the Loss of Voltage and Degraded Voltage relays and demonstrates that the equipment falls within the specified operating characteristics defined by the manufacturer. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive surveillances to ensure the instrument channel remains operational. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency. The setpoints, as well as the response to a Loss of Voltage and Degraded Voltage test, shall include a single point verification that the trip occurs within the required delay time, as shown in Reference 1. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 8.3.
2. UFSAR, Chapter 15.
3. Controlled Dwg. Relay Setpoint Sheets.
4. 10 CFR 50, Appendix A, GDC 21.
5. Calculation 13-EC-PB-202.
6. Calculations 01, 02, 03-EC-MA-221.

B 3.3 INSTRUMENTATION
B 3.3.8 Containment Purge Isolation Actuation Signal (CPIAS)
BASES

BACKGROUND

This LCO encompasses the CPIAS, which is an instrumentation channel that performs an actuation function required for plant protection but is not otherwise included in LCO 3.3.6, "Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip," or LCO 3.3.7, "Diesel Generator (DG) - Loss of Voltage Start (LOVS)."

The CPIAS provides protection from radioactive contamination in the containment in the event a fuel assembly should be severely damaged during handling. It also closes the purge valves during plant operation in response to a Reactor Coolant System (RCS) leak.

The CPIAS will detect any abnormal amounts of radioactive material in the power access and refueling purge exhaust ducts and will initiate purge valve closure to limit the release of radioactivity to the environment. Both the power access purge and refueling purge supply and exhaust valves are closed on a CPIAS when a high radiation level in the power access and refueling purge exhaust ducts is detected.

The CPIAS includes two independent, redundant logic subsystems, including actuation trains. Each train employs a Gamma (area) sensor. If either sensor exceeds the trip setpoint, both of the CPIAS trains will be actuated (one-out-of-two logic). Each train actuates a separate series valve in the containment purge supply and return lines. Either train controls sufficient equipment to perform the isolation function. These valves are also isolated on a Containment Isolation Actuation Signal (CIAS).
Trip Setpoints and Allowable Values

Trip setpoints used in the bistables are based on the analytical limits (Ref. 1). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. The trip setpoints are digitally generated by the radiation monitors. These trip values are not subject to drifts common to trips generated by analog type equipment.
The allowable value for this trip is therefore the same as the Trip Setpoints. Setpoints in accordance with the Allowable Value will ensure that the consequences of Design Basis Accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or accident and the equipment functions as designed.

APPLICABLE SAFETY ANALYSES

The CPIAS is a backup to the CIAS Systems in MODES 1, 2, 3, and 4 and will close the containment purge valves in the event of high radiation levels resulting from a primary leak in the containment. Branch Technical Position CSB 6-4 (Containment Purging During Normal Plant Operations) requires isolation of the power access purge lines in the event of a loss-of-coolant accident to minimize radiation releases and ensure the radiological consequences will not exceed 10 CFR Part 100 guideline values. The CPIAS will close the containment purge valves (if open) in the event of all large and small break LOCA (CEA ejection is a type of small break LOCA) accidents in containment, as described in Reference 1.

The CPIAS, however, is not required to function during a fuel handling accident to ensure the offsite consequences of radiation accidents in containment are within 10 CFR 100 limits (Ref. 2) as described in the Safety Analysis (Ref. 1).

The CPIAS satisfies the requirements of Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

LCO 3.3.8 requires one CPIAS channel to be OPERABLE. The required channel consists of an area radiation monitor; Actuation Logic; and Manual Trip. The specific trip setpoints for the CPIAS are listed in the SRs. Each trip setpoint specified is more conservative than the analytical limit assumed in the transient and accident analysis in order to account for instrument uncertainties appropriate to the trip function.

The Bases for the LCO on CPIAS are discussed below for each Function:

a. Manual Trip

The LCO on Manual Trip backs up the automatic trip and ensures operators have the capability to rapidly initiate the CPIAS Function if any parameter is trending toward its setpoint. One manual channel of CPIAS is required in MODES 1, 2, 3, and 4, since the CPIAS is redundant with the CIAS and there are additional means of closing the containment purge valves. Only one manual channel of CPIAS is required during CORE ALTERATIONS and movement of irradiated fuel assemblies, since there are additional means of closing the containment purge valves in the event of a channel failure.

b. Power Access and Refueling Purge Exhaust Duct Radiation

One channel of radiation monitoring is required in MODES 1, 2, 3, and 4 or during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment.
c. Actuation Logic

One channel of Actuation Logic is required since the valves can be shut independently of the CPIAS signal either manually from the control room or using the CIAS pushbutton.

APPLICABILITY

In MODES 1, 2, 3, and 4, the power access purge valves may be open. In these MODES, it is necessary to ensure the valves will shut in the event of a primary leak in containment whenever any of the containment purge valves are open. With the purge valves open during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, there is the possibility of a fuel handling accident requiring CPIAS on high radiation in the power access purge and refueling purge exhaust ducts.

The Applicability is modified by a Note, which states that the CPIAS specification is only required when the penetration is not isolated by at least one closed automatic valve, closed manual valve, or blind flange.

ACTIONS

A CPIAS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure.

A.1

Condition A applies to the failure of CPIAS Manual Trip, Actuation Logic, and area radiation monitor in MODES 1, 2, 3, and 4. The Required Action is to place and maintain containment purge and exhaust valves in closed position.
The Completion Time accounts for the condition that the capability to isolate containment on valid high radiation levels in the power access and refueling purge exhaust ducts or manual signals is degraded during power operation or shutdown modes.
B.1

Condition B applies when the Required Action and associated Completion Time of Condition A are not met in MODES 1, 2, 3, or 4. If Required Action A cannot be met within the required Completion Time, entry into LCO 3.6.3 "Containment Isolation Valves" is required. The Completion Time accounts for the fact that the inability to close and maintain the purge and exhaust valves closed may affect the ability of the valves to automatically close on a Containment Isolation Actuation Signal (CIAS).

C.1, C.2.1, and C.2.2

Condition C applies to two channels of radiation monitor, Manual Trip, or Actuation Logic inoperable; the applicability is during CORE ALTERATIONS or during the movement of irradiated fuel assemblies within containment.
Required Action C.1 is to place the containment purge and exhaust isolation valves in the closed position. The Required Action immediately performs the isolation function of the CPIAS. Required Actions C.2.1 and C.2.2 may be performed in lieu of Required Action C.1. Required Action C.2.1 requires the suspension of CORE ALTERATIONS and Required Action C.2.2 requires suspension of movement of irradiated fuel in containment immediately. The Completion Time accounts for the fact that the automatic capability to isolate containment on valid power access and refueling purge exhaust duct high radiation signals is degraded during conditions in which a fuel handling accident is possible and CPIAS provides the only automatic mitigation of radiation release.
SURVEILLANCE REQUIREMENTS

SR 3.3.8.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred on the required radiation monitor channels used in the CPIAS. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.2

A CHANNEL FUNCTIONAL TEST is performed on each required containment radiation monitoring channel (RU-37 and RU-38) to ensure the entire channel will perform its intended function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.8.3

Proper operation of the individual actuation relays is verified by actuating these relays during the CHANNEL FUNCTIONAL TEST of the Actuation Logic. This will actuate the Function, operating all associated equipment. Proper operation of the equipment actuated by each train is thus verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

A Note to the SR indicates that this surveillance includes verification of operation for each actuation relay.

SR 3.3.8.4

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.8.5

A CHANNEL FUNCTIONAL TEST is performed on the CPIAS Manual Trip channel. This test verifies that the trip handswitches are capable of opening contacts in the Actuation Logic as designed, de-energizing the initiation relays and providing manual actuation of the Function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 15.
2. 10 CFR 100.
3. "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," NUREG-75/087, Revision 1, 1978, Section 6.2.4, Branch Technical Position CSB 6-4, "Containment Purging During Normal Plant Operation."
B 3.3 INSTRUMENTATION

B 3.3.9 Control Room Essential Filtration Actuation Signal (CREFAS)

BASES

BACKGROUND

This LCO encompasses CREFAS actuation, which is an instrumentation channel that performs an actuation Function required for plant protection but is not otherwise included in LCO 3.3.6, "Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip," or LCO 3.3.7, "Diesel Generator (DG) - Loss of Voltage Start (LOVS)." This is a BOP ESFAS Function that, because of differences in purpose, design, and operating requirements, is not included in LCO 3.3.6 and LCO 3.3.7. The CREFAS initiates actuation of the Control Room Essential Filtration System to minimize operator radiation exposure.
The CREFAS includes two independent, redundant subsystems, including actuation trains. Each train has a gaseous activity radiation monitor for the control room air intake activity. If either train radiation monitor indicates an unsafe condition, both CREFAS trains will be actuated (one-out-of-two logic). The two trains actuate separate equipment. Actuating either train will perform the intended function.

A CREFAS is also initiated by a Containment Purge Isolation Actuation Signal (CPIAS) from either of the two CPIAS channels or by a Fuel Building Essential Ventilation Actuation Signal (FBEVAS) from either of the two FBEVAS channels. Control room filtration also occurs on a Safety Injection Actuation Signal (SIAS). A cross-train trip function is provided as a defense-in-depth function that is not required for CREFAS operability.

Trip Setpoints and Allowable Values

Trip setpoints used in the bistables are based on the analytical limits (Ref. 1). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. The trip setpoints are digitally generated by the radiation monitors. These trip values are not subject to drifts common to analog type equipment. The allowable value for this trip is therefore the same as the trip setpoint.
Setpoints in accordance with the Allowable Value will ensure that the consequences of Design Basis Accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or accident and the equipment functions as designed.

APPLICABLE SAFETY ANALYSES

The CREFAS maintains the control room atmosphere within conditions suitable for prolonged occupancy throughout the duration of any one of the accidents discussed in Reference 1. The radiation exposure of control room personnel, through the duration of any one of the postulated accidents discussed in "Accident Analysis," FSAR, Chapter 15 (Ref. 1), does not exceed the limits set by 10 CFR 50, Appendix A, GDC 19 (Ref. 2).

The CREFAS satisfies the requirements of Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

LCO 3.3.9 requires one channel of CREFAS to be OPERABLE.
The required channel consists of Actuation Logic, Manual Trip, and a gaseous radiation monitor. The specific trip setpoint for the CREFAS is listed in the SR. Each trip setpoint specified is more conservative than the analytical limit assumed in the transient and accident analysis in order to account for instrument uncertainties appropriate to the trip Function. A channel is inoperable if its actual trip setpoint is not set to the value specified in SR 3.3.9.2. The Bases for the LCO on the CREFAS are discussed below for each Function:
a. Manual Trip

The LCO on Manual Trip backs up the automatic trips and ensures operators have the capability to rapidly initiate the CREFAS Function if any parameter is trending toward its setpoint. One channel must be OPERABLE. This considers that the Manual Trip capability is a backup and that other means are available to actuate the redundant train if required, including manual SIAS, FBEVAS, or CPIAS.

b. Radiation Monitors

One channel of radiation monitor is required to be OPERABLE to ensure the control room filtration actuates on high gaseous activity.

c. Actuation Logic

One train of Actuation Logic must be OPERABLE, since there are alternate means available to actuate the redundant train, including SIAS.

APPLICABILITY

The CREFAS Functions must be OPERABLE in MODES 1, 2, 3, 4, 5, and 6 and during movement of irradiated fuel assemblies in either the fuel building or the containment building, to ensure a habitable environment for the control room operators.

Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

ACTIONS

A CREFAS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure.
A.1, B.1, B.2, C.1, C.2.1, C.2.2, and C.2.3

Conditions A, B, and C are applicable to manual and automatic actuation of the CREFAS. Condition A applies to the failure of the CREFAS Manual Trip, Actuation Logic, and radiation monitor channel in MODE 1, 2, 3, or 4. Entry into this Condition requires action to either restore the failed channel or manually perform the CREFS safety function.
Required Action A.1 - place one train of CREFS in the essential filtration mode (e.g., emergency or pressurization mode of operation - fan running, valves/dampers aligned to the post-CREFAS mode). The Completion Time of 1 hour is sufficient to complete the Required Actions and accounts for the fact that CREFAS supplements control room filtration by other Functions (e.g., SIAS) in MODES 1, 2, 3, and 4.

If Required Action A.1 and the associated completion time are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours (Required Action B.1) and to MODE 5 within 36 hours (Required Action B.2). The Completion Times of 6 hours and 36 hours for reaching MODES 3 and 5 from MODE 1 are reasonable, based on operating experience and normal cooldown rates, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant safety systems or operators.

Condition C applies to the failure of CREFAS Manual Trip, Actuation Logic, and radiation monitor channel in MODE 5 or 6, or when moving irradiated fuel assemblies. The Required Actions are immediately taken to place one OPERABLE CREFS train in the essential filtration mode (e.g., emergency or pressurization mode of operation - fan running, valves/dampers aligned to the post-CREFAS mode), or to suspend CORE ALTERATIONS, positive reactivity additions, and movement of irradiated fuel assemblies. The Completion Time recognizes the fact that FBEVAS or CPIAS are available to initiate the control room essential filtration mode in the event of a fuel handling accident.
SURVEILLANCE REQUIREMENTS

SR 3.3.9.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.2

A CHANNEL FUNCTIONAL TEST is performed on each required control room radiation monitoring channel (RU-29 and RU-30) to ensure the entire channel will perform its intended function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.9.3

Proper operation of the individual actuation relays is verified by de-energizing these relays during the CHANNEL FUNCTIONAL TEST of the Actuation Logic. This will actuate the Function, operating all associated equipment. Proper operation of the equipment actuated by each train is thus verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Note 1 indicates this Surveillance includes verification of operation for each actuation relay. Note 2 indicates that relays that cannot be tested at power are excepted from the Surveillance Requirement while at power. These relays must, however, be tested during each entry into MODE 5 exceeding 24 hours unless they have been tested within the previous 6 months. At PVNGS all of the actuation relays can be tested at power.

SR 3.3.9.4

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.9.5

A CHANNEL FUNCTIONAL TEST is performed on the manual CREFAS actuation circuitry. This test verifies that the trip handswitches are capable of opening contacts in the Actuation Logic as designed, de-energizing the actuation relays and providing Manual Trip of the function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.6

This Surveillance ensures that the train actuation response times are less than the maximum times assumed in the analyses. Response time testing criteria are included in Reference 3. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 15.
2. 10 CFR 50, Appendix A, GDC 19.
3. UFSAR, Chapter 7.
B 3.3 INSTRUMENTATION

B 3.3.10 Post Accident Monitoring (PAM) Instrumentation

BASES

BACKGROUND

The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions for Design Basis Events.

The OPERABILITY of PAM instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. The availability of PAM instrumentation is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined.
These essential instruments are identified by plant specific documents (Ref. 1) addressing the recommendations of Regulatory Guide 1.97 (Ref. 2), as required by Supplement 1 to NUREG-0737, "TMI Action Items" (Ref. 3).

Type A variables are included in this LCO because they provide the primary information required to permit the control room operator to take specific manually controlled actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions for Design Basis Accidents (DBAs).

Category I variables are the key variables deemed risk significant because they are needed to:

Determine whether other systems important to safety are performing their intended functions;
Provide information to the operators that will enable them to determine the potential for causing a gross breach of the barriers to radioactivity release; and
Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public as well as to obtain an estimate of the magnitude of any impending threat.

These key variables are identified by plant specific Regulatory Guide 1.97 analyses (Ref. 1). These analyses identified the plant specific Type A variables and provided justification for deviating from the NRC proposed list of Category I variables.

APPLICABLE SAFETY ANALYSES

The PAM instrumentation ensures the OPERABILITY of Regulatory Guide 1.97 Type A variables, so that the control room operating staff can:

Perform the diagnosis specified in the emergency operating procedures. These variables are restricted to preplanned actions for the primary success path of DBAs; and
Take the specified, preplanned, manually controlled actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions.

The PAM instrumentation also ensures OPERABILITY of Category I, non-Type A variables. This ensures the control room operating staff can:

Determine whether systems important to safety are performing their intended functions;
Determine the potential for causing a gross breach of the barriers to radioactivity release;
Determine if a gross breach of a barrier has occurred; and
Initiate action necessary to protect the public as well as to obtain an estimate of the magnitude of any impending threat.
PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii). Category I, non-Type A PAM instruments are retained in the Specification because they are intended to assist operators in minimizing the consequences of accidents. Therefore, these Category I, non-Type A variables are important in reducing public risk.

LCO

LCO 3.3.10 requires two OPERABLE channels for all but one Function to ensure no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident.

Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The exception to the two channel requirement is Containment Isolation Valve Position. In this case, the important information is the status of the containment penetrations.
The LCO requires one position indicator for each active containment isolation valve. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of the passive valve or via system boundary status. If a normally active containment isolation valve is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

Listed below are discussions of the specified instrument Functions listed in Table 3.3.10-1.

1. Logarithmic Neutron Flux

Logarithmic Neutron Flux indication is provided to verify reactor shutdown.
At PVNGS, the Logarithmic Neutron Flux PAM channels consist of the following:

SEA-NE-001A
SEB-NE-001B

2, 3. Reactor Coolant System (RCS) Hot and Cold Leg Temperature

RCS Hot and Cold Leg Temperatures are Category I variables provided for verification of core cooling and long term surveillance.

Reactor outlet temperature inputs to the PAM are provided by two fast response resistance elements and associated transmitters in each loop. Cold Legs 1A and 1B make up one loop and Cold Legs 2A and 2B make up one loop. The channels provide indication over a range of 50°F to 750°F.

At PVNGS the Hot Leg Temperature indication consists of:

RCA-TT-112H1
RCB-TT-112H2
RCA-TT-122H1
RCB-TT-122H2

The Cold Leg Temperature indication consists of:

RCA-TT-112C1
RCB-TT-112C2
RCA-TT-122C1
RCB-TT-122C2

4. Reactor Coolant System Pressure (wide range)

RCS Pressure (wide range) is a Category I variable, provided for verification of core cooling and RCS integrity long term surveillance.
Wide range RCS loop pressure is measured by pressure transmitters with a span of 0 psig to 4000 psig.
Redundant monitoring capability is provided by two trains of instrumentation. Control room indications are provided through the Qualified Safety Parameter Display System (QSPDS) visual display. The QSPDS visual display is the primary indication used by the operator during an accident. Therefore, the PAM instrumentation Specification deals specifically with this portion of the instrument channel.

RCS pressure is also a Type A variable because the operator uses this indication to monitor the cooldown of the RCS following a steam generator tube rupture or small break loss of coolant accident (LOCA). Operator actions to maintain a controlled cooldown, such as adjusting steam generator pressure or level, would use this indication. Furthermore, RCS pressure is one factor that may be used in decisions to terminate reactor coolant pump operation.

At PVNGS the RCS Pressure (wide range) consists of:

RCA-PT-190A
RCB-PT-190B

5. Reactor Vessel Water Level

Reactor Vessel Water Level is provided for verification and long term surveillance of core cooling.

The Reactor Vessel Water Level Monitoring System provides a direct measurement of the collapsed liquid level above the fuel alignment plate. The collapsed level represents the amount of liquid mass that is in the reactor vessel above the core. Measurement of the collapsed water level is selected because it is a direct indication of the water inventory.
The collapsed level is obtained over the same temperature and pressure range as the saturation measurements, thereby encompassing all operating and accident conditions where it must function. Also, it functions during the recovery interval. Therefore, it is designed to survive the high steam temperature that may occur during the preceding core recovery interval.
The level range extends from the top of the vessel down to the top of the fuel alignment plate. The response time is short enough to track the level during small break LOCA events. The resolution is sufficient to show the initial level drop, the key locations near the hot leg elevation, and the lowest levels just above the alignment plate. This provides the operator with adequate indication to track the progression of the accident and to detect the consequences of its mitigating actions or the functionality of automatic equipment.

At PVNGS the Reactor Vessel Water Level is displayed on QSPDS A and QSPDS B.

6. Containment Sump Water Level (wide range)

Containment Sump Water Level is provided for verification and long term surveillance of RCS integrity. At PVNGS, Containment Sump Water Level instrumentation consists of the following:

SIA-LT-706
SIB-LT-707

7. Containment Pressure (wide range)

Containment Pressure is provided for verification of RCS and containment OPERABILITY. At PVNGS, Containment Pressure instrumentation consists of the following:

HCA-PT-353A
HCB-PT-353B

8. Containment Isolation Valve Position

Containment Isolation Valve Position is provided for verification of containment OPERABILITY. CIV position is provided for verification of containment integrity. In the case of CIV position, the important information is the isolation status of the containment penetration. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active CIV in a containment penetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves.
For containment penetrations with only one active CIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the CIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE.

The PVNGS design uses three indications for each valve that receives an automatic close signal from the ESFAS. Each of these indications uses a different contact on the position switch. One contact provides an open/close indication on the valve control handswitch in the main control room. This indication uses the same Class 1E power that is used by the valve control circuit. A second contact is used by the Safety Equipment Status System (SESS). This system receives inputs from each valve and the ESFAS system.
After an ESFAS actuation, any valve that does not reposition to the fully closed position is indicated and annunciated in the main control room. There are two channels of SESS: one channel receives power from the A Train Class 1E DC Bus and indicates the status of the A Train actuated equipment, and one channel receives power from the B Train Class 1E DC Bus and indicates the status of the B Train actuated equipment.
The third contact provides an indication of valve position to the Emergency Response Facility Data Acquisition and Display System (ERFDADS). This signal is Class 1E until it goes through a qualified isolator. The ERFDADS computer and displays are non-Class 1E. For the purpose of this Specification either the SESS indication or the handswitch indication in the main control room may be used.

For some solenoid operated Containment Isolation Valves, the SESS and ERFDADS indications are not independent. Although the SESS and ERFDADS indications are driven off of separate field contacts, neither contact is directly actuated by valve position; both are instead actuated by a relay in the solenoid's control circuitry. When the valve is taken from the closed seat or if control power is lost, the relay is de-energized and the SESS and ERFDADS field contacts change state to illuminate the SESS status and indicate open on ERFDADS. Therefore, upon a loss of control power, the valve will fail closed with the SESS and ERFDADS indicating the valve to be open.

This condition presents a problem when one of the identified solenoid operated valves loses open indication in the control room. In this case, there is no light indication on the control room handswitch, and the SESS status is illuminated (when STATUS DISPLAY is pressed) and ERFDADS indicates the valve is open. So either the open limit reed switch for the solenoid has broken continuity and the valve is open, or the control power has been lost (blown fuse) and the valve is closed. Given proper control power, the SESS and ERFDADS indication will be correct for the valve's position.
Therefore, if it can be verified that control power is present, the SESS indication can be used to verify valve position. To determine the valve position, the operator will need to verify if control power is present at the valve. The solenoid operated Containment Isolation Valves with relay driven SESS and ERFDADS position indication are denoted by an '*' in the following listing.
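The indication ambiguity described above for the relay-driven solenoid valves can be worked through as a small state model. The Python sketch below is an added example and is not part of the PVNGS Bases; the handswitch light behavior and every name in it are modeling assumptions based on the text above.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class ValveState:
    """Physical condition of one relay-indicated solenoid CIV (assumed model)."""
    control_power: bool   # control circuit energized (fuse intact)
    is_open: bool         # valve is off its closed seat
    open_reed_ok: bool    # open limit reed switch has continuity


@dataclass(frozen=True)
class Indications:
    """What the operator sees for that valve."""
    handswitch: str         # "open", "closed" or "none" (no light)
    sess_illuminated: bool  # SESS status lit when STATUS DISPLAY is pressed
    erfdads: str            # "open" or "closed"


def physically_possible(state):
    # Per the text, the valve fails closed on loss of control power,
    # so "open without control power" is excluded.
    return state.control_power or not state.is_open


def indications(state):
    """Derive the three indications from the physical state."""
    # The relay is energized only with control power AND valve on the closed seat.
    relay_energized = state.control_power and not state.is_open
    # Assumption: handswitch lights share control power; the open light
    # additionally needs continuity through the open limit reed switch.
    if not state.control_power:
        handswitch = "none"
    elif state.is_open:
        handswitch = "open" if state.open_reed_ok else "none"
    else:
        handswitch = "closed"
    # SESS and ERFDADS follow the relay, not the valve stem.
    return Indications(
        handswitch=handswitch,
        sess_illuminated=not relay_energized,
        erfdads="closed" if relay_energized else "open",
    )


ALL_STATES = [
    s for s in (ValveState(*bits) for bits in product([True, False], repeat=3))
    if physically_possible(s)
]


def possible_positions(observed, control_power_verified=None):
    """Valve positions consistent with the observed indications.

    control_power_verified: None if not checked, else the result of a
    local check that control power is present at the valve.
    """
    positions = set()
    for state in ALL_STATES:
        if indications(state) != observed:
            continue
        if (control_power_verified is not None
                and state.control_power != control_power_verified):
            continue
        positions.add("open" if state.is_open else "closed")
    return positions


def ambiguous_observations():
    """Indication sets that cannot distinguish open from closed."""
    seen = {indications(s) for s in ALL_STATES}
    return [obs for obs in seen if len(possible_positions(obs)) > 1]


if __name__ == "__main__":
    lost_open_light = Indications("none", True, "open")
    print("no power check :", possible_positions(lost_open_light))
    print("power present  :", possible_positions(lost_open_light, True))
    print("power lost     :", possible_positions(lost_open_light, False))
```

The only ambiguous observation in this model is the one the Bases describe: no handswitch light with SESS illuminated and ERFDADS showing open. Verifying control power at the valve reduces it to a single position.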
At PVNGS the Containment Isolation Valve position instrumentation consists of:

CPA-UV-2A  Containment Refueling Purge Supply
CPA-UV-2B  Containment Refueling Purge Exhaust
CPB-UV-3A  Containment Refueling Purge Supply
CPB-UV-3B  Containment Refueling Purge Exhaust
CPA-UV-4A  Containment Power Access Purge Supply
CPA-UV-4B  Containment Power Access Purge Exhaust
CPB-UV-5A  Containment Power Access Purge Supply
CPB-UV-5B  Containment Power Access Purge Exhaust
CHB-UV-505  RCP Controlled Bleedoff to VCT
CHA-UV-506  RCP Controlled Bleedoff to VCT
CHA-UV-516  Letdown to Regen HX
CHB-UV-523  Letdown from Regen HX
CHA-UV-560  Reactor Drain Tank Outlet
CHB-UV-561  Reactor Drain Tank Outlet
CHA-UV-580  Make-Up Supply to Reactor Drain Tank
CHA-UV-715*  Sample Return to Reactor Drain Tank
CHB-UV-924*  Letdown Line Sample PASS
GAA-UV-1  HP Nitrogen to Safety Injection Tanks
GAA-UV-2  LP Nitrogen to Containment
GRA-UV-1  Waste Gas Header
GRB-UV-2  Waste Gas Header
HCB-UV-44*  Radiation Monitor RU-1 Supply
HCA-UV-45*  Radiation Monitor RU-1 Supply
HCA-UV-46*  Radiation Monitor RU-1 Return
HCB-UV-47*  Radiation Monitor RU-1 Return
HPA-UV-1  Containment Hydrogen Control System
HPB-UV-2  Containment Hydrogen Control System
HPA-UV-3  Hydrogen Recombiner Supply
HPB-UV-4  Hydrogen Recombiner Supply
HPA-UV-5  Hydrogen Recombiner Return
HPB-UV-6  Hydrogen Recombiner Return
HPA-UV-23*  Hydrogen Monitor Return
HPA-UV-24*  Hydrogen Monitor Supply
IAA-UV-2*  Instrument and Service Air
NCB-UV-401  Nuclear Cooling Water
NCA-UV-402  Nuclear Cooling Water
NCB-UV-403  Nuclear Cooling Water
RDA-UV-23  Containment Sumps
RDB-UV-24  Containment Sumps
RDB-UV-407*  Containment Radwaste Sumps (Unit 1 Only)
SGB-HV-200  Steam Generator #1 Chemical Injection
SGB-HV-201  Steam Generator #2 Chemical Injection
SIA-UV-708  Containment Recirc Sump PASS
SSB-UV-200  Hot Leg Sample
SSB-UV-201  Surge Line Sample
SSB-UV-202  Pressurizer Steam Space Sample
SSA-UV-203  Hot Leg Sample
SSA-UV-204  Surge Line Sample
SSA-UV-205  Pressurizer Steam Space Sample
WCB-UV-61  Normal Chilled Water Return Header
WCA-UV-62  Normal Chilled Water Return Header
WCB-UV-63  Normal Chilled Water Supply Header

* Solenoid operated valves with relay driven SESS/ERFDADS indication.

9. Containment Area Radiation (high range)

Containment Area Radiation is provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans.
The alarm setpoints shall be set within the limits specified in the UFSAR. At PVNGS, Containment Area Radiation instrumentation consists of the following:

SQA-RU-148
SQB-RU-149

10. Pressurizer Level

Pressurizer Level is used to determine whether to terminate Safety Injection (SI), if still in progress, or to reinitiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the plant conditions necessary to establish natural circulation in the RCS and to verify that the plant is maintained in a safe shutdown condition. At PVNGS, Pressurizer Level instrumentation consists of the following:

RCA-LT-110X
RCB-LT-110Y

11. Steam Generator Water Level

Steam Generator Water Level is provided to monitor operation of decay heat removal via the steam generators. The Category I indication of steam generator level is the wide range level instrumentation. The wide range level covers a span of 143 inches above the lower tubesheet to 55.5 inches above the steam separator deck. Wide Range Steam Generator Level is a Type A variable because the operator must manually control steam generator level during a Steam Generator Tube Rupture (SGTR) event to ensure steam generator tube coverage.
At PVNGS wide range Steam Generator Level Instrumentation consists of:

SGA-LT-1113A
SGB-LT-1113B
SGC-LT-1113C
SGD-LT-1113D
SGA-LT-1123A
SGB-LT-1123B
SGC-LT-1123C
SGD-LT-1123D

12. Condensate Storage Tank (CST) Level

CST Level is provided to ensure water supply for AFW.
The CST provides the ensured, safety grade water supply for the AFW System. Inventory is monitored by a 3 ft. to 50 ft. level indication. CST Level is displayed on a control room indicator. At PVNGS CST Level Instrumentation consists of:

CTA-LT-35
CTB-LT-36

13, 14, 15, 16. Core Exit Temperature

Core Exit Temperature is provided for verification and long term surveillance of core cooling. An evaluation was made of the minimum number of valid core exit thermocouples necessary for inadequate core cooling detection. The evaluation determined the reduced complement of core exit thermocouples necessary to detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities including incore effects of the radial decay power distribution and excore effects of condensate runback in the hot legs and nonuniform inlet temperatures. Based on these evaluations, adequate or inadequate core cooling detection is ensured with two valid core exit thermocouples per quadrant.

The design of the Incore Instrumentation System includes a Type K (chromel alumel) thermocouple within each of the 61 incore instrument detector assemblies. The junction of each thermocouple is located a few inches above the fuel assembly, inside a structure that supports and shields the incore instrument detector assembly string from flow forces in the outlet plenum region. These core exit thermocouples monitor the temperature of the reactor coolant as it exits the fuel assemblies. The core exit thermocouples have a usable temperature range from 32°F to 2300°F, although accuracy is reduced at temperatures above 1800°F.
17. Steam Generator Pressure

Steam Generator pressure indication is provided for Steam Generator pressure verification. At PVNGS Steam Generator Pressure Instrumentation consists of:

SGA-PT-1013A
SGB-PT-1013B
SGC-PT-1013C
SGD-PT-1013D
SGA-PT-1023A
SGB-PT-1023B
SGC-PT-1023C
SGD-PT-1023D

18. Reactor Coolant System-Subcooling Margin Monitoring

The RCS Subcooling Margin Monitor is a portion of the Inadequate Core Cooling (ICC) Instrumentation required by Item II.F.2 in NUREG-0737, the post-TMI Action Plan. The ICC instrumentation enhances the ability of the Operator to anticipate the approach to, and recovery from, ICC. At PVNGS RCS subcooling Margin Monitoring Instrumentation consists of:

QSPDS A
QSPDS B

Each channel of QSPDS processing equipment will calculate the following saturation margin parameters:

a) RCS Saturation Margin - temperature margin based on the difference between saturation temperature and the maximum RTD temperature taken from the hot and cold legs. This algorithm uses the hottest RCS temperature (Thot or Tcold) and pressurizer pressure (PT-102) to complete the calculation.

b) CET Saturation Margin - temperature margin based on the difference between the saturation temperature and the representative core exit temperature calculated from the CET's. A representative CET value is first calculated (and displayed on the B02 trend recorder) for the input temperature.
This is compared to pressurizer pressure (PT-102) to complete the saturation margin calculation. Minimum requirements for CET operability must be met before the CET Saturation Monitor can be considered operable.

c) Upper Head Saturation Margin - temperature margin based on the difference between the saturation temperature and the unheated junction thermocouples (UHJTC) temperature. This algorithm uses the hottest of the three upper unheated thermocouples from RVLMS along with pressurizer pressure (PT-102) to complete the margin calculation.

One OPERABLE Subcooling Margin Monitor Channel consists of one RCS Saturation Margin indicator and one CET Saturation margin indicator. These indicators shall be from the same channel. Additionally, for any CET Saturation monitor indicator to be considered OPERABLE, the CET's for that channel must also be operable.

19. Reactor Coolant System Activity

The RCS Activity provides an indication of fuel cladding failure. This indicates degradation of the first of three barriers to fission product release to the environment. The three barriers to fission product release are (1) fuel cladding, (2) primary coolant pressure boundary, and (3) containment. At PVNGS the RCS Activity Instrumentation consists of:

SQA-RU-150
SQB-RU-151

20, 21. HPSI System Flow

HPSI System flow indication is provided for HPSI flow verification.
HPSI System flow is a Type A variable because the operator must manually balance the HPSI flow between the hot and cold legs when switching from cold leg injection to a combined cold/hot leg injection in support of LOCA Long Term Cooling to prevent boron precipitation in stagnant core areas. Monitoring of these instruments is not required for initial operation of HPSI flow.

At PVNGS, HPSI System Cold Leg Flow indication consists of:

J-SIB-FT-0311
J-SIB-FT-0321
J-SIA-FT-0331
J-SIA-FT-0341

At PVNGS, HPSI System Hot Leg Flow indication consists of:

J-SIA-FT-0390
J-SIB-FT-0391

Two channels are required to be OPERABLE for all but one Function. Two OPERABLE channels ensure that no single failure within the PAM instrumentation or its auxiliary supporting features or power sources, concurrent with failures that are a condition of or result from a specific accident, prevents the operators from being presented the information necessary for them to determine the safety status of the plant and to bring the plant to and maintain it in a safe condition following that accident.

In Table 3.3.10-1 the exception to the two channel requirement is Containment Isolation Valve Position.

Two OPERABLE channels of core exit thermocouples are required for each channel in each quadrant to provide indication of radial distribution of the coolant temperature rise across representative regions of the core. Power distribution symmetry was considered in determining the specific number and locations provided for diagnosis of local core problems. Plant specific evaluations in response to Item II.F.2 of NUREG-0737 (Ref.
3) have determined that any two thermocouple pairings per quadrant satisfy these requirements. Two sets of two thermocouples in each quadrant ensure a single failure will not disable the ability to determine the radial temperature gradient.
For loop and steam generator related variables, the required information is individual loop temperature and individual steam generator level. In these cases two channels are required to be OPERABLE for each loop or steam generator to redundantly provide the necessary information.

In the case of Containment Isolation Valve Position, the important information is the status of the containment penetrations. The LCO requires one position indicator for each active containment isolation valve. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of the passive valve or via system boundary status. If a normally active containment isolation valve is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

APPLICABILITY

The PAM instrumentation LCO is applicable in MODES 1, 2, and 3. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1, 2, and 3.
In MODES 4, 5, and 6, plant conditions are such that the likelihood of an event occurring that would require PAM instrumentation is low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.10-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.
A.1

When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1

This Required Action specifies initiation of actions in accordance with Specification 5.6.6, which requires a written report to be submitted to the Nuclear Regulatory Commission. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative Required Actions. This Required Action is appropriate in lieu of a shutdown requirement, given the likelihood of plant conditions that would require information provided by this instrumentation. Also, alternative Required Actions are identified before a loss of functional capability condition occurs.

C.1

When one or more Functions have two required channels inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrumentation operation and the availability of alternate means to obtain the required information.
Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation.
Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

D.1

This Required Action directs entry into the appropriate Condition referenced in Table 3.3.10-1. The applicable Condition referenced in the Table is Function dependent.
Each time Required Action C.1 is not met, and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 and E.2

If the Required Action and associated Completion Time of Condition C are not met and Table 3.3.10-1 directs entry into Condition E, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
F.1

Alternate means of monitoring Reactor Vessel Water Level, RCS Activity, and Containment Area Radiation have been developed and tested. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. The report provided to the NRC should discuss whether the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

SURVEILLANCE REQUIREMENTS

A Note at the beginning of the SR table specifies that the following SRs apply to each PAM instrumentation Function found in Table 3.3.10-1.

SR 3.3.10.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.
Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior.
Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.
If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction.
Current loop channels are verified to be reading at the bottom of the range and not failed downscale. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.10.2

A CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies the channel responds to the measured parameter within the necessary range and accuracy. A Note excludes the neutron detectors from the CHANNEL CALIBRATION. For the Containment Area Radiation instrumentation, a CHANNEL CALIBRATION as described in UFSAR Sections 18.II.F.1.3 and 11.5.2.1.6.2 will be performed.

The calibration of the Containment Isolation Valve (CIV) position indication channels will consist of verification that the position indication changes from not-closed to closed when the valve is actuated to its isolation position by SR 3.6.3.7. The position switch is the sensor for the CIV position indication channels. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES

1. UFSAR Section 1.8, Table 1.8-1.
2. Regulatory Guide 1.97, Revision 2.
3. NUREG-0737, Supplement 1.
B 3.3 INSTRUMENTATION

B 3.3.11 Remote Shutdown System

BASES

BACKGROUND

The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator safety valves or the steam generator atmospheric dump valves can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allow extended operation in MODE 3.

In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the unit in MODE 3. Not all controls and necessary transfer switches are located at the remote shutdown panel. Some controls and transfer switches will be operated locally at the switchgear, motor control panels, or other local stations. The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in MODE 3 for an extended period of time.

The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to bring the plant to, and maintain it in, MODE 3 should the control room become inaccessible.
APPLICABLE SAFETY ANALYSES

The Remote Shutdown System is required to provide equipment at appropriate locations outside the control room with a capability to promptly shut down the plant and maintain it in a safe condition in MODE 3.

The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1) and Appendix R (Ref. 2).
The Remote Shutdown System has been identified as an important contributor to the reduction of plant accident risk and, therefore, has been retained in the Technical Specifications, as indicated in 10 CFR 50.36 (c)(2)(ii).

LCO

The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation required is listed in Table 3.3.11-1 in the accompanying LCO. The disconnect switches and control circuits are listed in PVNGS controlled documents.

The controls, instrumentation, and transfer switches are those required for:

Reactivity Control (initial and long term);
RCS Pressure Control;
Decay Heat Removal;
RCS Inventory Control; and
Safety support systems for the above Functions, as well as the essential spray pond system, essential cooling water system, and onsite power including the diesel generators.

A Function of a Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown Functions are OPERABLE. That is, they are able to place the plant in a safe shutdown condition from a location other than the control room. The intent of this Technical Specification is to provide the requirements for the OPERABILITY of the instrumentation and controls necessary to place the plant in safe shutdown from a location other than the control room, not to govern safe shutdown component OPERABILITY or allowed out of service times.
The Remote Shutdown System instrumentation and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instrument and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation. The allowed out of service time is controlled via the applicable system LCOs or administrative controls established by approved plant procedures.

For the purpose of this specification, equipment that is disabled in its safe shutdown condition is considered OPERABLE; however, Technical Specifications need to be reviewed for the applicable system LCO impacts on disabled equipment.

Therefore, LCO 3.3.11 only needs to be entered when the instrumentation and/or control circuit is actually disabled or inoperable such that it can't be used from the RSP or controlled locally. If a control circuit is impacted for the performance of a surveillance test, LCO 3.3.11 need not be entered as long as restoration can reasonably be done within the time frame required to meet Shutdown Cooling entry conditions.

However, if a clearance is hung for the performance of maintenance on the equipment/control circuit, then the equipment/control circuit is considered inoperable and LCO 3.3.11 needs to be entered. Additionally, the appropriate system LCO/TLCO also needs to be evaluated to determine if entry is required based on current plant conditions. Refer to the following examples:

(NOTE: Entry into the appropriate system LCO/TLCO also needs to be evaluated to determine if entry is required based on current plant conditions.)

• Charging pump CHBP01 has been isolated for pulsation dampener checks. Entry into 3.3.11 is NOT required because the control circuitry for CHBP01 remains operable.
• Charging pump CHBP01 has been declared inoperable because the pump will not respond to the controls located on the switchgear. Entry into 3.3.11 IS required because the control circuitry for CHBP01 does not function properly.
• Atmospheric Dump valve SGBHV185 has been isolated via its block valve to snoop for air leakage. Entry into 3.3.11 is NOT required because the control circuitry for SGBHV185 remains operable.
• Auxiliary Feedwater pump AFBP01 has been removed from service for maintenance. The supply breaker has been racked out and the control power fuses rolled to off. Entry into 3.3.11 IS required because the control circuitry for AFBP01 has been disabled.
• "B" Class pressurizer back-up heaters are de-energized for the performance of 36ST-9SA02. Entry into 3.3.11 is NOT required because the control circuitry for the "B" Class heaters remains operable.
• "B" and "D" PK battery chargers are in service. The "BD" swing charger is tagged out for maintenance. Entry into 3.3.11 IS required because the control circuitry for PKB-H16 has been disabled.

APPLICABILITY

The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3. This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the unit is already subcritical and in the condition of reduced RCS energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control become unavailable.

ACTIONS

A Remote Shutdown System division is inoperable when each Function listed in Table 3.3.11-1 is not accomplished by the required number of channels in Table 3.3.11-1 that satisfies the OPERABILITY criteria for the channel's Function. These criteria are outlined in the LCO section of the Bases.
A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.11-1. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1

Condition A addresses the situation where one or more instrumentation channels of the Remote Shutdown System are inoperable. This includes any Function listed in Table 3.3.11-1.

The Required Action is to restore the channels to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

B.1 and B.2

Condition B addresses the situation where one or more disconnect or control circuits of the Remote Shutdown System are inoperable. The required disconnect and control circuits are listed in PVNGS controlled documents.

The required Action is to restore the required switch(s)/circuit(s) to OPERABLE status or issue procedure changes that identify alternate disconnect methods or control circuits. The Completion Time for either of the two Actions is 30 days.

C.1 and C.2

If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.11.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.

For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are offscale in the same direction. Current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.11.2

SR 3.3.11.2 verifies that each required Remote Shutdown System transfer switch and control circuit performs its intended function. The intended functions are:

1) To isolate the circuit from the control room.
2) To provide the capability to operate the equipment from the remote shutdown location.

This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be brought to and maintained in MODE 3 from the remote shutdown panel and the local control stations.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.11.3

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to the measured parameter within the necessary range and accuracy.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 19.
2. 10 CFR 50, Appendix R.
B 3.3  INSTRUMENTATION

B 3.3.12  Boron Dilution Alarm System (BDAS)

BASES

BACKGROUND

The Boron Dilution Alarm System (BDAS) alerts the operator of a boron dilution event in MODES 3, 4, 5 and 6. The boron dilution alarm is received at least 15 minutes prior to criticality in Modes 3-5 and at least 30 minutes prior to criticality in Mode 6 to allow the operator to terminate the boron dilution.

In MODES 1 and 2 protection for a boron dilution event is addressed by LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation-Operating." In MODES 3 and 4 with the CEAs withdrawn, LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation-Shutdown," provides protection.

The BDAS utilizes two channels that monitor the startup channel neutron flux indications. If the neutron flux signals increase to the calculated alarm setpoint a control room annunciation is received. The setpoint is automatically lowered to a fixed amount above the current flux level signal. The alarm setpoint will only follow decreasing or constant flux levels, not increasing levels.
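The one-way setpoint behaviour described above, as an added Python illustration that is not part of the PVNGS Bases or of any plant software: it contrasts a setpoint that follows only decreasing or constant flux with one that also follows increases, on a slow flux rise. The margin of 50 units, the flux trace and every name in the code are constructed assumptions, not plant values.

```python
"""Added illustration of a ratchet-down alarm setpoint (not plant software).

MARGIN and TRACE are constructed values chosen only to exercise the logic.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

MARGIN = 50.0  # assumed "fixed amount" above current flux, arbitrary units

# Constructed flux trace: decay after shutdown, a plateau, then a slow rise
# of 10 units per sample (each step is smaller than MARGIN).
TRACE: List[float] = [1000.0, 800.0, 600.0, 400.0, 300.0, 300.0] + [
    300.0 + 10.0 * i for i in range(1, 11)
]


@dataclass
class AlarmChannel:
    margin: float = MARGIN
    follow_increases: bool = False   # False: the behaviour the Bases describe
    setpoint: float = float("inf")   # no setpoint until the first sample
    alarmed: bool = False

    def update(self, flux: float) -> bool:
        # Compare the new sample with the setpoint derived from earlier ones.
        if flux >= self.setpoint:
            self.alarmed = True      # latched; reset handling is not modelled
        candidate = flux + self.margin
        # Ratchet: take the new setpoint only if it is lower, unless the
        # deliberately wrong follow_increases variant is selected.
        if self.follow_increases or candidate < self.setpoint:
            self.setpoint = candidate
        return self.alarmed


def first_alarm_index(trace: Sequence[float],
                      follow_increases: bool = False,
                      margin: float = MARGIN) -> Optional[int]:
    """Index of the first sample that raises the alarm, or None."""
    ch = AlarmChannel(margin=margin, follow_increases=follow_increases)
    for i, flux in enumerate(trace):
        if ch.update(flux):
            return i
    return None


def setpoint_history(trace: Sequence[float],
                     follow_increases: bool = False,
                     margin: float = MARGIN) -> List[float]:
    """Setpoint held by the channel after each sample has been processed."""
    ch = AlarmChannel(margin=margin, follow_increases=follow_increases)
    history = []
    for flux in trace:
        ch.update(flux)
        history.append(ch.setpoint)
    return history


if __name__ == "__main__":
    print("ratchet-down setpoint alarms at sample:", first_alarm_index(TRACE))
    print("setpoint that follows increases alarms at sample:",
          first_alarm_index(TRACE, follow_increases=True))
```

A setpoint that tracked rising flux would stay one margin ahead of any rise slower than the margin per sample and would never annunciate, which is why the setpoint follows only decreasing or constant levels.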
Two channels of BDAS must be OPERABLE to provide single failure protection and to facilitate detection of channel failure by providing CHANNEL CHECK capability.

APPLICABLE SAFETY ANALYSES

The BDAS channels are necessary to monitor core reactivity changes. They are the primary means for detecting and triggering operator actions to respond to boron dilution events initiated from conditions in which the RPS is not required to be OPERABLE.

The OPERABILITY of BDAS channels is necessary to meet the assumptions of the safety analyses to mitigate the consequences of an inadvertent boron dilution event as described in the UFSAR, Chapter 15 (Ref. 1).

The BDAS channels satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO on the BDAS channels ensures that adequate information is available to mitigate the consequences of a boron dilution event. Alarm capability in the "at the controls area" of the Control Room is required for a BDAS channel to be considered operable. Prompt RESET of the alarm is required to maintain operability.

A minimum of two BDAS channels are required to be OPERABLE. Because the BDAS utilizes the excore startup channel instrumentation to provide the neutron flux signal, the ability of the excore startup channel to provide the neutron flux signal is also part of the OPERABILITY of the BDAS. (References B3.9.2, Actions A.1 and A.2.)

APPLICABILITY

The BDAS must be OPERABLE in MODES 3, 4, 5 and 6 because the safety analysis assumes this alarm will be available in these MODES to alert the operator to take action to terminate the boron dilution.

In MODES 1 and 2, and in MODES 3, 4, and 5, with the RTCBs shut and the CEAs capable of withdrawal, the logarithmic power monitoring channels are addressed as part of the RPS in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating" and LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation-Shutdown".

The requirements for source range neutron flux monitoring in MODE 6 are addressed in LCO 3.9.2, "Nuclear Instrumentation." The excore startup channels provide neutron flux coverage extending an additional one to two decades below the logarithmic channels for use during shutdown and refueling, when neutron flux may be extremely low.

The Applicability is modified by a Note that the BDAS is required in MODE 3 within 1 hour after the neutron flux is within the startup range following a reactor shutdown. This allows the neutron flux level to decay to a level within the range of the excore startup channels and for the operator to initialize the BDAS. Neutron flux is defined to be within the startup range following a reactor shutdown when reactor power is 2E-6% NRTP or less.
ACTIONS

A channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. These criteria are outlined in the LCO section of the Bases.

A.1

With one required channel inoperable, Required Action A.1 requires the RCS boron concentration to be determined immediately and at the applicable monitoring Frequency specified in the COLR. The RCS boron concentration is determined by RCS sampling. The RCS sample should be from the hot leg if one or more Reactor Coolant Pumps (RCPs) are running or from the discharge of the operating pump providing shutdown cooling flow with no RCPs running.

The monitoring Frequency specified in the COLR ensures that a decrease in the boron concentration during a boron dilution event will be detected. The boron concentration measurement and the OPERABLE BDAS channel provide alternate methods of detection of boron dilution with sufficient time for termination of the event before the reactor achieves criticality.

B.1

With two required channels inoperable Required Action B.1 requires the RCS boron concentration to be determined by a redundant method immediately and at the monitoring Frequency specified in the COLR. The redundant method uses independent collection and analysis of two RCS samples. The RCS sample should be from the hot leg if one or more Reactor Coolant Pumps (RCPs) are running or from the discharge of the operating pump providing shutdown cooling flow with no RCPs running.

The use of independent collection and analysis of two RCS samples to monitor the RCS boron concentration provides alternate indications of inadvertent boron dilution. This will allow detection with sufficient time for termination of boron dilution before the reactor achieves criticality.

C.1

Condition C is entered when the Required Actions and associated Completion Times of Condition A or B are not met. If the Required Actions associated with these Conditions cannot be completed within the required Completion Time, the neutron flux level monitoring function cannot be reliably performed. The absence of reliable neutron flux level monitoring makes it difficult to ensure SDM is maintained.

Required Action C.1 therefore requires that all positive reactivity additions that are under operation control, such as boron dilution or Reactor Coolant System temperature changes, be halted immediately preserving SDM.
SURVEILLANCE REQUIREMENTS

SR 3.3.12.1

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based upon the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff and should be based on a combination of the channel instrument uncertainties. If a channel is outside of the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside of its limits. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the CHANNEL CHECK is not required to be performed until 1 hour after neutron flux is within the startup range. Neutron flux is defined to be within the startup range following a reactor shutdown when reactor power is 2E-6% NRTP or less.

SR 3.3.12.2

A CHANNEL FUNCTIONAL TEST is performed to ensure that the BDAS is capable of properly alerting the operator to a boron dilution event. Internal excore startup channel test circuitry is used to feed preadjusted test signals into the excore startup channel to verify the proper neutron flux indication is received at the BDAS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 72 hours after neutron flux is within the startup range. The 72 hours is based on allowing a reasonable time to perform the testing following a plant shutdown. Neutron flux is defined to be within the startup range following a reactor shutdown when reactor power is 2E-6% NRTP or less.

The CHANNEL FUNCTIONAL TEST of the BDAS consists of online tests including verification of the control room alarm.

SR 3.3.12.3

SR 3.3.12.3 is the performance of a CHANNEL CALIBRATION. The Surveillance is a complete check and readjustment of the excore startup channel from the input through to the BDAS. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational.

This SR is modified by a Note to indicate that it is not necessary to test the detector, because generating a meaningful test signal is difficult; the detectors are of simple construction, and any failures in the detectors will be apparent as a change in channel output.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 7 and Chapter 15.
B 3.4  REACTOR COOLANT SYSTEM (RCS)

B 3.4.1  RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits

BASES

BACKGROUND

These Bases address requirements for maintaining RCS pressure, temperature, and flow rate within limits assumed in the safety analyses. The safety analyses (Ref. 1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the normal steady state envelope. The limits placed on DNB related parameters ensure that these parameters will not be less conservative than were assumed in the analyses and thereby provide assurance that the minimum Departure from Nucleate Boiling Ratio (DNBR) will meet the required criteria for each of the transients analyzed.

The LCO limits for minimum and maximum RCS pressures as measured at the pressurizer are consistent with operation within the nominal operating envelope and are bounded by those used as the initial pressures in the analyses.

The LCO limits for minimum and maximum RCS cold leg temperatures are in accordance with the area of acceptable operation shown in Figure 3.4.1-1, are consistent with operation at the indicated power level, and are bounded by those used as the initial temperatures in the analyses.

The LCO limit for minimum RCS flow rate is bounded by those used as the initial flow rates in the analyses. The RCS flow rate is not expected to vary during plant operation with all pumps running.

APPLICABLE SAFETY ANALYSES

The requirements of LCO 3.4.1 represent the initial conditions for DNB limited transients analyzed in the safety analyses (Ref. 1). The safety analyses have shown that transients initiated from the limits of this LCO will meet the DNBR criterion of greater than or equal to the DNBR Safety Limit. This is the acceptance limit for the RCS DNB parameters. Changes to the facility that could impact these parameters must be assessed for their impact on the DNBR criterion.

The transients analyzed for include loss of coolant flow events and dropped or stuck Control Element Assembly (CEA) events. A key assumption for the analysis of these events is that the core power distribution is within the limits of LCO 3.1.7, "Regulating CEA Insertion Limits"; LCO 3.1.8, "Part Strength CEA Insertion Limits"; LCO 3.2.3, "AZIMUTHAL POWER TILT (Tq)"; and LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)".

The RCS DNB limits satisfy Criterion 2 of 10 CFR 50.56(c)(2)(ii).

LCO

This LCO specifies limits on the monitored process variables - RCS pressurizer pressure, RCS cold leg temperature, and RCS total flow rate - to ensure that the core operates within the limits assumed for the plant safety analyses. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.

The LCO numerical value for minimum flow rate is given for the measurement location but has not been adjusted for instrument error. Plant specific limits of instrument error are established by the plant staff to meet the operational requirements of minimum flow rate.

APPLICABILITY

In MODE 1 for RCS flow rate, MODES 1 and 2 for RCS pressurizer pressure, Mode 1 for RCS cold leg temperature, and MODE 2 with Keff  1 for RCS cold leg temperature, the limits must be maintained during steady state operation in order to ensure that DNBR criteria will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. In all other MODES, the power level is low enough so that DNBR is not a concern.
A Note has been added to indicate the limit on pressurizer pressure may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP. These conditions represent short term perturbations where actions to control pressure variations might be counterproductive. Also, DNBR margin exists to offset the temporary pressure variations.

Another set of limits on DNB related parameters is provided in Safety Limit (SL) 2.1.1, "Reactor Core Safety Limits." Those limits are less restrictive than the limits of this LCO, but violation of SLs merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator should check whether or not an SL may have been exceeded.

ACTIONS

A.1

RCS flow rate is not a controllable parameter and is not expected to vary during steady state operation. If the flow rate is not within the LCO limit, then power must be reduced, as required by Required Action B.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds.

The 2 hour Completion Time for restoration of RCS flow rate provides sufficient time to determine the cause of the off normal condition, and to restore the readings within limits. The Completion Time is based on plant operating experience.

B.1

If Required Action A.1 is not met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours. In MODE 2, the reduced power condition eliminates the potential for violation of the accident analysis bounds.

Six hours is a reasonable time that permits the plant power to be reduced at an orderly rate in conjunction with even control of Steam Generator (SG) heat removal.

C.1

Pressurizer pressure and cold leg temperature are controllable and measurable parameter(s). If a parameter is not within the LCO limits, action must be taken to restore the parameter.

The 2 hour Completion Time is based on plant operating experience that shows that these parameter(s) can be restored in this time period.

D.1

If Required Action C.1 is not met within the associated Completion Time, place the plant in MODE 3. In MODE 3 the potential for violation of the DNB limits is greatly reduced.

The 6 hour Completion Time is a reasonable time that permits power reduction at an orderly rate in conjunction with even control of SG heat removal.

SURVEILLANCE REQUIREMENTS

SR 3.4.1.1

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.2

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.3

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that only requires performance of this SR in MODE 1. The Note is necessary to allow measurement of RCS flow rate at normal operating conditions at power with all RCPs running.

REFERENCES

1. UFSAR, Section 15.
B 3.4  REACTOR COOLANT SYSTEM (RCS)

B 3.4.2  RCS Minimum Temperature for Criticality

BASES

BACKGROUND

Establishing the value for the minimum temperature for reactor criticality is based upon considerations for:

a. Operation within the existing instrumentation ranges and accuracies;
b. Operation within the bounds of the existing accident analyses; and
c. Operation with the reactor vessel above its minimum nil ductility reference temperature when the reactor is critical.

The reactor coolant moderator temperature coefficient used in core operating and accident analysis is typically defined for the normal operating temperature range (550°F to 611°F). Nominal Tcold for making the reactor critical is 565°F. Safety and operating analyses for lower temperature have not been made.

APPLICABLE SAFETY ANALYSES

There are no accident analyses that dictate the minimum temperature for criticality.

The RCS minimum temperature for criticality satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

The purpose of the LCO is to prevent criticality below the minimum normal operating temperature (550°F) and to prevent operation in an unanalyzed condition.

The LCO is only applicable in MODES 1 and 2 with Keff  1.0 and provides a reasonable distance to the limit of 545°F. This allows adequate time to trend its approach and take corrective actions prior to exceeding the limit.

APPLICABILITY

The reactor has been designed and analyzed to be critical in MODES 1 and 2 only and in accordance with this specification. Criticality is not permitted in any other MODE. Therefore, this LCO is applicable in MODE 1, and MODE 2 when Keff  1.0. Monitoring is required at or below a Tcold of 550°F. The no load temperature of 565°F is maintained by the Steam Bypass Control System.

ACTIONS

A.1

If Tcold is below 545°F, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 30 minutes. Rapid reactor shutdown can be readily and practically achieved within a 30 minute period. The allowed time reflects the ability to perform this action and to maintain the plant within the analyzed range.

SURVEILLANCE REQUIREMENTS

SR 3.4.2.1

Tcold is required to be verified  545°F after any RCS loop Tcold < 550°F. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

A Note states the Surveillance is required whenever the reactor is critical and temperature is below 550°F. A second Frequency requires Tcold to be verified within 30 minutes of reaching criticality. This will require repeated performance of SR 3.4.2.1 since a reactor startup takes longer than 30 minutes. The 30 minute time period is frequent enough to prevent inadvertent violation of the LCO.

REFERENCES

1. UFSAR, Section 15.
B 3.4  REACTOR COOLANT SYSTEM (RCS)
B 3.4.3  RCS Pressure and Temperature (P/T) Limits
BASES

BACKGROUND
All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation. The Pressure and Temperature Limits Report (PTLR) contains P/T limit curves for heatup, cooldown, and inservice leak and hydrostatic (ISLH) testing, and data for the maximum rate of change of reactor coolant temperature (Ref. 1). Each P/T limit curve defines an acceptable region for normal operation. The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region. The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the Reactor Coolant Pressure Boundary (RCPB). The vessel is the component most subject to brittle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to the pressurizer, which has different design characteristics and operating functions. 10 CFR 50, Appendix G (Ref. 2), requires the establishment of P/T limits for material fracture toughness requirements of the RCPB materials. Reference 2 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the ASME Code, Section III, Appendix G (Ref. 3).
The actual shift in the RTNDT of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 4) and Appendix H of 10 CFR 50 (Ref. 5). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Reference 3.
The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions. The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls. The criticality limit includes the Reference 2 requirement that the limit be no less than 40°F above the heatup curve or the cooldown curve and not less than the minimum permissible temperature for inservice leak and hydrostatic (ISLH) testing. However, the criticality limit is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for Criticality."
The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components. The ASME Code, Section XI, Appendix E (Ref. 6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.
APPLICABLE SAFETY ANALYSES
The P/T limits are not derived from Design Basis Accident (DBA) Analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition.
Since the P/T limits are not derived from any DBA, there are no acceptance limits related to the P/T limits. Rather, the P/T limits are acceptance limits themselves since they preclude operation in an unanalyzed condition. The RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO
The two elements of this LCO are:
a. The limit curves for heatup, cooldown, and ISLH testing; and
b. Limits on the rate of change of temperature.
The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure. The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and ISLH testing P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves. Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follows:
a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;
b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and
c. The existences, sizes, and orientations of flaws in the vessel material.

APPLICABILITY
The RCS P/T limits Specification provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 3). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or ISLH testing, their Applicability is at all times, except when reactor vessel head is fully detensioned such that the RCS cannot be pressurized, in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer. During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)
Limits"; LCO 3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit 2.1, "Safety Limits," also provide operational restrictions for pressure and temperature and maximum pressure. Furthermore, MODES 1 and 2 are above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent. The actions of this LCO consider the premise that a violation of the limits occurred during normal plant maneuvering. Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from emergency operating procedures.
ACTIONS
A.1 and A.2
Operation outside the P/T limits must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner. Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline. The 72 hour Completion Time is reasonable to accomplish the evaluation. The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate. Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.
B.1 and B.2
If a Required Action and associated Completion Time of Condition A are not met, the plant must be placed in a lower MODE because:
a. The RCS remained in an unacceptable P/T region for an extended period of increased stress; or
b. A sufficiently severe event caused entry into an unacceptable region.
Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased. Pressure and temperature are reduced by placing the plant in MODE 3 within 6 hours and in MODE 5 with RCS pressure < 500 psia within 36 hours. The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
C.1 and C.2
The actions of this LCO, anytime other than in MODE 1, 2, 3, or 4, consider the premise that a violation of the limits occurred during normal plant maneuvering. Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from emergency operating procedures. Operation outside the P/T limits must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The Completion Time of "immediately" reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in a short period of time in a controlled manner.
Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline. The Completion Time of prior to entering MODE 4 forces the evaluation prior to entering a MODE where temperature and pressure can be significantly increased. The evaluation for a mild violation is possible within several days, but more severe violations may require special, event specific stress analyses or inspections. Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

SURVEILLANCE REQUIREMENTS
SR 3.4.3.1
Verification that operation is within the PTLR limits is required when RCS pressure and temperature conditions are undergoing planned changes. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.
This SR is modified by a Note that requires this SR be performed only during RCS system heatup, cooldown, and ISLH testing. No SR is given for criticality operations because LCO 3.4.2 contains a more restrictive requirement.

REFERENCES
1. TRM Appendix TA, Reactor Coolant System Pressure and Temperature Limits Report (PTLR); (limits determined using methods described in Topical Report CE NPSD-683-A, Revision 6, Development of a RCS Pressure and Temperature Limits Report for the Removal of P-T Limits and LTOP Requirements from the Technical Specifications, April 2001).
2. 10 CFR 50, Appendix G.
3. ASME, Boiler and Pressure Vessel Code, Section III, Appendix G.
4. ASTM E 185-82, July 1982.
5. 10 CFR 50, Appendix H.
6. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix E.
B 3.4  REACTOR COOLANT SYSTEM (RCS)
B 3.4.4  RCS Loops - MODES 1 and 2
BASES

BACKGROUND
The primary function of the RCS is removal of the heat generated in the fuel due to the fission process and transfer of this heat, via the steam generators (SGs), to the secondary plant. The secondary functions of the RCS include:
a. Moderating the neutron energy level to the thermal state, to increase the probability of fission;
b. Improving the neutron economy by acting as a reflector;
c. Carrying the soluble neutron poison, boric acid;
d. Providing a second barrier against fission product release to the environment; and
e. Removing the heat generated in the fuel due to fission product decay following a unit shutdown.
The RCS configuration for heat transport uses two RCS loops.
Each RCS loop contains a SG and two Reactor Coolant Pumps (RCPs). An RCP is located in each of the two SG cold legs.
The pump flow rate has been sized to provide core heat removal with appropriate margin to Departure from Nucleate Boiling (DNB) during power operation and for anticipated transients originating from power operation. This Specification requires two RCS loops with both RCPs in operation in each loop. The intent of the Specification is to require core heat removal with forced flow during power operation. Specifying two RCS loops provides the minimum necessary paths (two SGs) for heat removal.

APPLICABLE SAFETY ANALYSES
Safety analyses contain various assumptions for the Design Bases Accident (DBA) initial conditions including RCS pressure, RCS temperature, reactor power level, core parameters, and safety system setpoints. The important aspect for this LCO is the reactor coolant forced flow rate, which is represented by the number of RCS loops in service.
The reactor coolant pumps provide sufficient forced circulation flow through the reactor coolant system to assure adequate heat removal from the reactor core during power operation. The plant is designed to operate with both reactor coolant loops and associated reactor coolant pumps in operation, and maintain a departure from nucleate boiling ratio (DNBR) above the DNBR Safety Limit during all normal operations and anticipated transients. The safety analyses that are of most importance to RCP operation are the total loss of reactor coolant flow, single pump locked rotor, single pump (broken shaft or coastdown), and rod withdrawal events (Ref. 1). RCS Loops - MODES 1 and 2 satisfy Criteria 2 and 3 of 10 CFR 50.36 (c)(2)(ii).

LCO
The purpose of this LCO is to require adequate forced flow for core heat removal. Flow is represented by having both RCS loops with both RCPs in each loop in operation for removal of heat by the two SGs. To meet safety analysis acceptance criteria for DNB, four pumps are required at rated power. Each OPERABLE loop consists of two RCPs providing forced flow for heat transport to an SG that is OPERABLE. SG, and hence RCS loop, OPERABILITY with regard to SG water level is ensured by the Reactor Protective System (RPS) in MODES 1 and 2.
APPLICABILITY
In MODES 1 and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in operation in these MODES to prevent DNB and core damage. The decay heat production rate is much lower than the full power heat rate. As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical MODES as indicated by the LCOs for MODES 3, 4, 5, and 6. Operation in other MODES is covered by:
LCO 3.4.5, "RCS Loops - MODE 3";
LCO 3.4.6, "RCS Loops - MODE 4";
LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled";
LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and
LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).

ACTIONS
A.1
If the requirements of the LCO are not met, the Required Action is to reduce power and bring the plant to MODE 3.
This lowers power level and thus reduces the core heat removal needs and minimizes the possibility of violating DNB limits. It should be noted that the reactor will trip and place the plant in MODE 3 as soon as the RPS senses less than four RCPs operating. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging safety systems.
SURVEILLANCE REQUIREMENTS
SR 3.4.4.1
This SR requires verification that the required number of RCS loops are in operation and circulating reactor coolant.
Verification includes flow rate, temperature, or pump status monitoring, which help to ensure that forced flow is providing heat removal while maintaining the margin to DNB.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. UFSAR, Section 15.
B 3.4  REACTOR COOLANT SYSTEM (RCS)
B 3.4.5  RCS Loops - MODE 3
BASES

BACKGROUND
The primary function of the reactor coolant in MODE 3 is removal of decay heat and transfer of this heat, via the Steam Generators (SGs), to the secondary plant fluid. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid. In MODE 3, Reactor Coolant Pumps (RCPs) are used to provide forced circulation heat removal during heatup and cooldown.
The MODE 3 decay heat removal requirements are low enough that a single RCS loop with one RCP is sufficient to remove core decay heat. However, two RCS loops are required to be OPERABLE to provide redundant paths for decay heat removal.
Only one RCP needs to be OPERABLE to declare the associated RCS loop OPERABLE. Reactor coolant natural circulation is not normally used but is sufficient for core cooling. However, natural circulation does not provide turbulent flow conditions.
Therefore, boron reduction in natural circulation is prohibited because mixing to obtain a homogeneous concentration in all portions of the RCS cannot be ensured.

APPLICABLE SAFETY ANALYSES
Analyses have shown that the rod withdrawal event from MODE 3 with one RCS loop in operation is bounded by the rod withdrawal initiated from MODE 2. Failure to provide heat removal may result in challenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier. RCS Loops - MODE 3 satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
The purpose of this LCO is to require two RCS loops to be available for heat removal, thus providing redundancy. The LCO requires the two loops to be OPERABLE with the intent of requiring both SGs to be capable ( 25% wide range water level) of transferring heat from the reactor coolant at a controlled rate. Forced reactor coolant flow is the required way to transport heat, although natural circulation flow provides adequate removal. A minimum of one running RCP meets the LCO requirement for one loop in operation. The Note permits a limited period of operation without RCPs.
All RCPs may be de-energized for  1 hour per 8 hour period. This means that natural circulation has been established.
When in natural circulation, a reduction in boron concentration is prohibited because an even concentration distribution throughout the RCS cannot be ensured. The intent is to stop any known or direct positive reactivity additions to the RCS due to dilution. Core outlet temperature is to be maintained at least 10°F below the saturation temperature so that no vapor bubble may form and possibly cause a natural circulation flow obstruction. The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized.
The instrument error associated with determining this difference is 27 degrees F. (The only restriction for instrumentation use is with pressurizer pressure less than or equal to 350 psia, and in that situation the narrow range pressurizer pressure instrumentation must be used.)
Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 37 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized. In MODE 3 it is sometimes necessary to stop all RCPs (e.g.,
to perform surveillance or startup testing, or to avoid operation below the RCP minimum net positive suction head limit). The time period is acceptable because natural circulation is adequate for heat removal, or the reactor coolant temperature can be maintained subcooled and boron stratification affecting reactivity control is not expected. An OPERABLE RCS loop (loop 1 or loop 2) consists of at least one associated OPERABLE RCP and an associated SG that is OPERABLE.
An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.

APPLICABILITY
In MODE 3, the heat load is lower than at power; therefore, one RCS loop in operation is adequate for transport and heat removal. A second RCS loop is required to be OPERABLE but not in operation for redundant heat removal capability. Operation in other MODES is covered by:
LCO 3.4.4 "RCS Loops-MODES 1 and 2";
LCO 3.4.6, "RCS Loops - MODE 4";
LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled";
LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and
LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).

ACTIONS
A.1
If one required RCS loop is inoperable, redundancy for forced flow heat removal is lost. The Required Action is restoration of the required RCS loop to OPERABLE status within a Completion Time of 72 hours. This time allowance is a justified period to be without the redundant, nonoperating loop because a single loop in operation has a heat transfer capability greater than that needed to remove the decay heat produced in the reactor core.
B.1
If restoration is not possible within 72 hours, the unit must be placed in MODE 4 within 12 hours. In MODE 4, the plant may be placed on the SDC System. The Completion Time of 12 hours is compatible with required operation to achieve cooldown and depressurization from the existing plant conditions in an orderly manner and without challenging plant systems.
C.1 and C.2
If no RCS loop is OPERABLE or in operation, all operations involving a reduction of RCS boron concentration must be immediately suspended. This is necessary because boron dilution requires forced circulation for proper homogenization. Action to restore one RCS loop to OPERABLE status and operation shall be initiated immediately and continued until one RCS loop is restored to OPERABLE status and operation. The immediate Completion Times reflect the importance of maintaining operation for decay heat removal.

SURVEILLANCE REQUIREMENTS
SR 3.4.5.1
This SR requires verification that the required number of RCS loops are in operation and circulating Reactor Coolant.
Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.4.5.2
This SR requires verification that the secondary side water level in each SG is  25% wide range. An adequate SG water level is required in order to have a heat sink for removal of the core decay heat from the reactor coolant. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.4.5.3
Verification that the required number of RCPs are OPERABLE ensures that the single failure criterion is met and that an additional RCS loop can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to the required RCPs. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
PVNGS Calculation 13-JC-SH-0200, Section 2.9

B 3.4  REACTOR COOLANT SYSTEM (RCS)
B 3.4.6  RCS Loops - MODE 4
BASES

BACKGROUND
In MODE 4, the primary function of the reactor coolant is the removal of decay heat and transfer of this heat to the Steam Generators (SGs) or Shutdown Cooling (SDC) heat exchangers. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid. In MODE 4, either Reactor Coolant Pumps (RCPs) or SDC trains can be used for coolant circulation. The intent of this LCO is to provide forced flow from at least one RCP or one SDC train for decay heat removal and transport. The flow provided by one RCP loop or SDC train is adequate for heat removal. The other intent of this LCO is to require that two paths be available to provide redundancy for heat removal.
APPLICABLE SAFETY ANALYSES
In MODE 4, RCS circulation is considered in the determination of the time available for mitigation of the accidental boron dilution event. The RCS loops and SDC trains provide this circulation. RCS Loops - MODE 4 have been identified in 10 CFR 50.36 (c)(2)(ii) as important contributors to risk reduction.

LCO
The purpose of this LCO is to require that at least two loops or trains, RCS or SDC, be OPERABLE in MODE 4 and one of these loops or trains be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS and SDC System loops. Any one loop or train in operation provides enough flow to remove the decay heat from the core with forced circulation. An additional loop or train is required to be OPERABLE to provide redundancy for heat removal.
PALO VERDE UNITS 1,2,3 B 3.4.6-2 REVISION 6
Note 1 permits all RCPs and SDC pumps to be de-energized  1 hour per 8 hour period. This means that natural circulation should be established, after the operating RCP or SDC pump is secured, using the SGs. Depending on decay heat and current RCS temperature, it may be difficult to establish verifiable natural circulation. The Note prohibits boron dilution when forced flow is stopped because an even concentration distribution cannot be ensured. The intent is to stop any known or direct positive reactivity additions to the RCS due to dilution. Core outlet temperature is to be maintained at least 10°F below saturation temperature so that no vapor bubble may form and possibly cause a natural circulation flow obstruction. The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized.
The instrument error associated with determining this difference is 62 degrees F. (The only restriction for instrumentation use is with pressurizer pressure less than or equal to 350 psia, and in that situation the narrow range pressurizer pressure instrumentation must be used.)
Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 72 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized. The response of the RCS without the RCPs or SDC pumps depends on the core decay heat load and the length of time that the pumps are stopped.
As decay heat diminishes, the effects on RCS temperature and pressure diminish. Without cooling by forced flow, higher heat loads will cause the reactor coolant temperature and pressure to increase at a rate proportional to the decay heat load. Because pressure can increase, the applicable system pressure limits (Pressure and Temperature (P/T) limits or Low Temperature Overpressure Protection (LTOP) limits) must be observed and forced SDC flow or heat removal via the SGs must be re-established prior to reaching the pressure limit. The circumstances for stopping both RCPs or SDC pumps are to be limited to situations where:  a. Pressure and temperature increases can be maintained well within the allowable pressure (P/T limits and LTOP) and 10°F subcooling limits; or  b. An alternate heat removal path through the SGs is in operation.
PALO VERDE UNITS 1,2,3 B 3.4.6-3 REVISION 52
Note 2 requires that secondary side water temperature in each SG is < 100°F above each of the RCS cold leg temperatures before an RCP may be started with any RCS cold leg temperature less than or equal to the LTOP enable temperature specified in the PTLR. Satisfying the above condition will preclude a large pressure surge in the RCS when the RCP is started. Note 3 restricts RCP operation to no more than 2 RCPs with RCS cold leg temperature  200°F, and no more than 3 RCPs with RCS cold leg temperature > 200°F but  500°F. Satisfying these conditions will maintain the analysis assumptions of the flow induced pressure correction factors due to RCP operation (Ref. 1). An OPERABLE RCS loop consists of at least one OPERABLE RCP and an SG that is OPERABLE and has the minimum water level specified in SR 3.4.6.2. Similarly, for the SDC System, an OPERABLE SDC train is composed of an OPERABLE SDC pump (LPSI) capable of providing flow to the SDC heat exchanger for heat removal. RCPs and SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required. ______________________________________________________________________________  APPLICABILITY In MODE 4, this LCO applies because it is possible to remove core decay heat and to provide proper boron mixing with either the RCS loops and SGs or the SDC System. Operation in other MODES is covered by:  LCO 3.4.4, "RCS Loops-MODES 1 and 2";  LCO 3.4.5, "RCS Loops - MODE 3";
LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled";  LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled";  LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and  LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).
PALO VERDE UNITS 1,2,3 B 3.4.6-4 REVISION 6
______________________________________________________________________________  ACTIONS A.1  If only one required RCS loop is OPERABLE and in operation, redundancy for heat removal is lost. Action must be initiated immediately to restore a second loop to OPERABLE status. The immediate Completion Time reflects the importance of maintaining the availability of two paths for decay heat removal. B.1  If only one required SDC train is OPERABLE and in operation, redundancy for heat removal is lost. The plant must be placed in MODE 5 within the next 24 hours. Placing the plant in MODE 5 is a conservative action with regard to decay heat removal. With only one SDC train OPERABLE, redundancy for decay heat removal is lost and, in the event of a loss of the remaining SDC train, it would be safer to initiate that loss from MODE 5 ( 210°F) rather than MODE 4 (210°F to 350°F). The Completion Time of 24 hours is reasonable, based on operating experience, to reach MODE 5 from MODE 4, with only one SDC train operating, in an orderly manner and without challenging plant systems. C.1 and C.2  If no RCS loops or SDC trains are OPERABLE, or in operation, all operations involving reduction of RCS boron concentration must be suspended and action to restore one RCS loop or SDC train to OPERABLE status and operation must be initiated.
Boron dilution requires forced circulation for proper mixing, and the margin to criticality must not be reduced in this type of operation. The immediate Completion Times reflect the importance of decay heat removal. The action to restore must continue until one loop or train is restored to operation.
PALO VERDE UNITS 1,2,3 B 3.4.6-5 REVISION 56
______________________________________________________________________________  SURVEILLANCE REQUIREMENTS SR  3.4.6.1 This SR requires verification that one required loop or train is in operation and circulating reactor coolant at a flow rate of greater than or equal to 4000 gpm. This ensures forced flow is providing heat removal. Verification includes flow rate, temperature, or pump status monitoring.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR  3.4.6.2 This SR requires verification of secondary side water level in the required SG(s)  25% wide range. An adequate SG water level is required in order to have a heat sink for removal of the core decay heat from the reactor coolant.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR  3.4.6.3  Verification that the required pump is OPERABLE ensures that an additional RCS loop or SDC train can be placed in operation, if needed to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pumps. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. ______________________________________________________________________________  REFERENCES 1. PVNGS Operating License Amendments 52, 38 and 24 for Units 1, 2 and 3, respectively, and associated NRC Safety Evaluation dated July 25, 1990. 2. Not used. 3. PVNGS Calculation 13-JC-SH-0200, Section 2.9.
PALO VERDE UNITS 1,2,3 B 3.4.7-1 REVISION 0
B 3.4  REACTOR COOLANT SYSTEM (RCS) B 3.4.7  RCS Loops - MODE 5, Loops Filled BASES  BACKGROUND In MODE 5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer of this heat either to the Steam Generator (SG) secondary side coolant or the essential cooling water via the Shutdown Cooling (SDC) heat exchangers. While the principal means for decay heat removal is via the SDC System, the SGs are specified as a backup means for redundancy. Even though the SGs cannot produce steam in this MODE, they are capable of being a heat sink due to their large contained volume of secondary side water. As long as the SG secondary side water is at a lower temperature than the reactor coolant, heat transfer will occur. The rate of heat transfer is directly proportional to the temperature difference. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid. In MODE 5 with RCS loops filled, the SDC trains are the principal means for decay heat removal. The number of trains in operation can vary to suit the operational needs.
The intent of this LCO is to provide forced flow from at least one SDC train for decay heat removal and transport.
The flow provided by one SDC train is adequate for decay heat removal. The other intent of this LCO is to require that a second path be available to provide redundancy for decay heat removal. The LCO provides for redundant paths of decay heat removal capability. The first path can be an SDC train that must be OPERABLE and in operation. The second path can be another OPERABLE SDC train, or through the SGs, each having an adequate water level. ______________________________________________________________________________  APPLICABLE SAFETY ANALYSES In MODE 5, RCS circulation is considered in the determination of the time available for mitigation of the accidental boron dilution event. The SDC trains provide this circulation.
PALO VERDE UNITS 1,2,3 B 3.4.7-2 REVISION 6
RCS Loops - MODE 5 (Loops Filled) have been identified in 10 CFR 50.36 (c)(2)(ii) as important contributors to risk reduction. _______________________________________________________________________________  LCO The purpose of this LCO is to require at least one of the SDC trains be OPERABLE and in operation with an additional SDC train OPERABLE or secondary side water level of each SG shall be  25% wide range level. One SDC train provides sufficient forced circulation to perform the safety functions of the reactor coolant under these conditions.
The second SDC train is normally maintained OPERABLE as a backup to the operating SDC train to provide redundant paths for decay heat removal. However, if the standby SDC train is not OPERABLE, a sufficient alternate method to provide redundant paths for decay heat removal is two SGs with their secondary side water levels  25% wide range. Should the operating SDC train fail, the SGs could be used to remove the decay heat. Note 1 permits all SDC pumps to be de-energized  1 hour per 8 hour period. The circumstances for stopping both SDC trains are to be limited to situations where pressure and temperature increases can be maintained well within the allowable pressure (pressure and temperature and low temperature overpressure protection) and 10°F subcooling limits, or an alternate heat removal path through the SG(s) is in operation. This LCO is modified by a Note that prohibits boron dilution when SDC forced flow is stopped because an even concentration distribution cannot be ensured. The intent is to stop any known or direct positive reactivity changes to the RCS due to dilution. Core outlet temperature is to be maintained at least 10°F below saturation temperature, so that no vapor bubble would form and possibly cause a natural circulation flow obstruction. The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized. The instrument error associated with determining this difference is 10 degrees F. (There are no special restrictions for instrumentation use.)
Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 20 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized.
PALO VERDE UNITS 1,2,3 B 3.4.7-3 REVISION 52
In this MODE, the SG(s) can be used as the backup for SDC heat removal. To ensure their availability, the RCS loop flow path is to be maintained with subcooled liquid. In MODE 5, it is sometimes necessary to stop all RCP or SDC forced circulation. This is permitted to change operation from one SDC train to the other, perform surveillance or startup testing, perform the transition to and from the SDC, or to avoid operation below the RCP minimum net positive suction head limit. The time period is acceptable because natural circulation is acceptable for decay heat removal, the reactor coolant temperature can be maintained subcooled, and boron stratification affecting reactivity control is not expected. Note 2 allows one SDC train to be inoperable for a period of up to 2 hours provided that the other SDC train is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable train during the only time when such testing is safe and possible. Note 3 requires that secondary side water temperature in each SG is < 100°F above each of the RCS cold leg temperatures before an RCP may be started with any RCS cold leg temperature less than or equal to the LTOP enable temperature specified in the PTLR. Satisfying the above condition will preclude a low temperature overpressure event due to a thermal transient when the RCP is started.
Note 4 restricts RCP operation to no more than 2 RCPs with RCS cold leg temperature  200°F, and no more than 3 RCPs with RCS cold leg temperature > 200°F but  500°F. Satisfying these conditions will maintain the analysis assumptions of the flow induced pressure correction factors due to RCP operation (Ref. 3).
PALO VERDE UNITS 1,2,3 B 3.4.7-4 REVISION 54
Note 5 provides for an orderly transition from MODE 5 to MODE 4 during a planned heatup by permitting removal of SDC trains from operation when at least one RCP is in operation. This Note provides for the transition to MODE 4 where an RCP is permitted to be in operation and replaces the RCS circulation function provided by the SDC trains. An OPERABLE SDC train is composed of an OPERABLE SDC pump (CS or LPSI) capable of providing flow to the SDC heat exchanger for heat removal. SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required. A SG can perform as a heat sink when it is OPERABLE and has the minimum water level specified in SR 3.4.7.2. The RCS loops may not be considered filled until two conditions needed for operation of the steam generators are met. First, the RCS must be intact. This means that all removable portions of the primary pressure boundary (e.g.,
manways, safety valves) are securely fastened. Nozzle dams are removed. All manual drain and vent valves are closed, and any open system penetrations (e.g., letdown, reactor head vents) are capable of remote closure from the control room. An intact primary allows the system to be pressurized as needed to achieve the subcooling margin necessary to establish natural circulation cooling. When the RCS is not intact as described, a loss of SDC flow results in blowdown of coolant through boundary openings that also could prevent adequate natural circulation between the core and steam generators. Secondly, the concentration of dissolved or otherwise entrained gases in the coolant must be limited or other controls established so that gases coming out of solution in the SG U-tubes will not adversely affect natural circulation. With these conditions met, the SGs are a functional method of RCS heat removal upon loss of the operating SDC train. The ability to feed and steam SGs at all times is not required when RCS temperature is less than 210°F because significant loss of SG inventory through boiling will not occur during the time anticipated to take corrective action. The required SG level provides sufficient time to either restore the SDC train or implement a method for feeding and steaming the SGs (using non-class components if necessary).
PALO VERDE UNITS 1,2,3 B 3.4.7-5 REVISION 0
______________________________________________________________________________  APPLICABILITY In MODE 5 with RCS loops filled, this LCO requires forced circulation to remove decay heat from the core and to provide proper boron mixing. One SDC train provides sufficient circulation for these purposes. Operation in other MODES is covered by:  LCO 3.4.4, "RCS Loops-MODES 1 and 2";  LCO 3.4.5, "RCS Loops - MODE 3";  LCO 3.4.6, "RCS Loops - MODE 4";  LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled";  LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and  LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6). ______________________________________________________________________________  ACTIONS A.1 and A.2  If a SDC train is inoperable and any SGs have secondary side water levels < 25% wide range, redundancy for heat removal is lost. Action must be initiated immediately to restore a second SDC train to OPERABLE status or to restore the water level in the required SGs. Either Required Action A.1 or Required Action A.2 will restore redundant decay heat removal paths. The immediate Completion Times reflect the importance of maintaining the availability of two paths for decay heat removal. B.1 and B.2  If the required SDC train is not OPERABLE or no SDC train is in operation, all operations involving the reduction of RCS boron concentration must be suspended. Action to restore one SDC train to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing and the margin to criticality must not be reduced in this type of operation. The immediate Completion Times reflect the importance of maintaining operation for decay heat removal.
PALO VERDE UNITS 1,2,3 B 3.4.7-6 REVISION 56
_______________________________________________________________________________  SURVEILLANCE REQUIREMENTS SR  3.4.7.1  This SR requires verification that one SDC train is in operation and circulating reactor coolant at a flow rate of greater than or equal to 3780 gpm. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing decay heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SDC flow is established to ensure that core outlet temperature is maintained sufficiently below saturation to allow time for swapover to the standby SDC train should the operating train be lost. SR  3.4.7.2  Verifying the SGs are OPERABLE by ensuring their secondary side water levels are  25% wide range level ensures that redundant heat removal paths are available if the second SDC train is inoperable. The Surveillance is required to be performed when the LCO requirement is being met by use of the SGs. If both SDC trains are OPERABLE, this SR is not needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR  3.4.7.3  Verification that the second SDC train is OPERABLE ensures that redundant paths for decay heat removal are available.
The requirement also ensures that the additional train can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pumps. The Surveillance is required to be performed when the LCO requirement is being met by one of two SDC trains, e.g., both SGs have < 25% wide range water level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
PALO VERDE UNITS 1,2,3 B 3.4.7-7 REVISION 52
______________________________________________________________________________  REFERENCES 1. Not Used  2. CE NPSD-770 Analysis for Lower Mode Functional Recovery Guidelines. 3. PVNGS Operating License Amendments 52, 38, and 24 for Units 1, 2 and 3, respectively, and associated NRC Safety Evaluation dated July 25, 1990. 4. Not used. 5. PVNGS Calculation 13-JC-SH-0200, Section 2.9.
PALO VERDE UNITS 1,2,3 B 3.4.8-1 REVISION 0
B 3.4  REACTOR COOLANT SYSTEM (RCS) B 3.4.8  RCS Loops - MODE 5, Loops Not Filled BASES  BACKGROUND In MODE 5 with the RCS loops not filled, the primary function of the reactor coolant is the removal of decay heat and transfer of this heat to the Shutdown Cooling (SDC) heat exchangers. The Steam Generators (SGs) are not available as a heat sink when the loops are not filled. The secondary function of the reactor coolant is to act as a carrier for the soluble neutron poison, boric acid. In MODE 5 with loops not filled, only the SDC System can be used for coolant circulation. The number of trains in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least one SDC train for decay heat removal and transport and to require that two paths be available to provide redundancy for heat removal. ______________________________________________________________________________  APPLICABLE SAFETY ANALYSES In MODE 5, RCS circulation is considered in determining the time available for mitigation of the accidental boron dilution event. The SDC trains provide this circulation.
The flow provided by one SDC train is adequate for decay heat removal and for boron mixing. RCS loops - MODE 5 (loops not filled) have been identified in 10 CFR 50.36 (c)(2)(ii) as important contributors to risk reduction. ______________________________________________________________________________  LCO The purpose of this LCO is to require a minimum of two SDC trains be OPERABLE and one of these trains be in operation.
An OPERABLE train is one that is capable of transferring heat from the reactor coolant at a controlled rate. Heat cannot be removed via the SDC System unless forced flow is used. A minimum of one running SDC pump meets the LCO requirement for one train in operation. An additional SDC train is required to be OPERABLE to meet the single failure criterion.
PALO VERDE UNITS 1,2,3 B 3.4.8-2 REVISION 58
Note 1 permits all SDC pumps to be de-energized  1 hour per 8 hour period. The circumstances for stopping both SDC pumps are to be limited to situations when the outage time is short and the core outlet temperature is maintained > 10°F below saturation temperature. The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized. The instrument error associated with determining this difference is less than 10 degrees F. (There are no special restrictions for instrumentation use.)
Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 20 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized. (Ref. 1)  The Note prohibits boron dilution or draining operations when SDC forced flow is stopped. Note 2 allows one SDC train to be inoperable for a period of 2 hours provided that the other train is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable train during the only time when these tests are safe and possible. An OPERABLE SDC train is composed of an OPERABLE SDC pump (CS or LPSI) capable of providing flow to the SDC heat exchanger for heat removal. SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required. Note that the CS pumps shall not be used for normal operations if the water level is at or below the top of the hot-leg pipe (103' - 1") due to concerns of potential air entrainment and gas binding of the CS pump (Ref. 2). _______________________________________________________________________________  APPLICABILITY In MODE 5 with loops not filled, this LCO requires core heat removal and coolant circulation by the SDC System. 
Operation in other MODES is covered by:  LCO 3.4.4, "RCS Loops-MODES 1 and 2";  LCO 3.4.5, "RCS Loops - MODE 3";  LCO 3.4.6, "RCS Loops - MODE 4";  LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled";  LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and  LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).
PALO VERDE UNITS 1,2,3 B 3.4.8-3 REVISION 58
______________________________________________________________________________  ACTIONS A.1  If a SDC train is inoperable, redundancy for heat removal is lost. Action must be initiated immediately to restore a second train to OPERABLE status. The Completion Time reflects the importance of maintaining the availability of two paths for heat removal. B.1 and B.2  If no SDC train is OPERABLE or in operation, except as provided in NOTE 1, all operations involving the reduction of RCS boron concentration must be suspended. Action to restore one SDC train to OPERABLE status and operation must be initiated immediately. Boron dilution requires forced circulation for proper mixing and the margin to criticality must not be reduced in this type of operation. The immediate Completion Time reflects the importance of maintaining operation for decay heat removal. ______________________________________________________________________________  SURVEILLANCE REQUIREMENTS SR  3.4.8.1 This SR requires verification that one SDC train is in operation and circulating reactor coolant at a flow rate of greater than or equal to 3780 gpm. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing decay heat removal.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR  3.4.8.2  Verification that the required number of trains are OPERABLE ensures that redundant paths for heat removal are available and that an additional train can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and indicated power available to the required pumps. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
PALO VERDE UNITS 1,2,3 B 3.4.8-4 REVISION 58
_______________________________________________________________________________  REFERENCES 1. PVNGS Calculation 13-JC-SH-0200, Section 2.9. 2. PVNGS Calculation 13-MC-SI-0250, Appendix C.
PALO VERDE UNITS 1,2,3 B 3.4.9-1 REVISION 41
B 3.4  REACTOR COOLANT SYSTEMS (RCS) B 3.4.9  Pressurizer BASES  BACKGROUND The pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under saturated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Key functions include maintaining required primary system pressure during steady state operation and limiting the pressure changes caused by reactor coolant thermal expansion and contraction during normal load transients. The pressure control components addressed by this LCO include the pressurizer water level and the required heaters and their backup heater controls. Pressurizer safety valves and pressurizer vents are addressed by LCO 3.4.10 "Pressurizer Safety Valves-MODES 1, 2, and 3," LCO 3.4.11 "Pressurizer Safety Valves-MODE 4," and LCO 3.4.12 "Pressurizer Vents", respectively. The maximum steady state water level limit has been established to ensure that a liquid to vapor interface exists to permit RCS pressure control, using the sprays and heaters during normal operation and proper pressure response for anticipated design basis transients. The maximum and minimum steady state water level limit serves two purposes:  a. Pressure control during normal operation maintains subcooled reactor coolant in the loops and thus in the preferred state for heat transport; and  b. By restricting the level to a maximum, expected transient reactor coolant volume increases (pressurizer insurge) will not cause excessive level changes that could result in degraded ability for pressure control. The maximum steady state water level limit permits pressure control equipment to function as designed. The limit preserves the steam space during normal operation, thus, both sprays and heaters can operate to maintain the design operating pressure.
The level limit also prevents filling the pressurizer (water solid) for anticipated design basis transients, thus ensuring that pressure relief devices (pressurizer safety valves) can control pressure by steam relief rather than water relief.
PALO VERDE UNITS 1,2,3 B 3.4.9-2 REVISION 31
If the level limits were exceeded prior to a transient that creates a large pressurizer insurge volume leading to water relief, the maximum RCS pressure might exceed the Safety Limit of 2750 psia. The minimum steady state water level in the pressurizer assures pressurizer heaters, which are required to achieve and maintain pressure control, remain covered with water to prevent failure, which could occur if the heaters were energized uncovered. The requirement to have two groups of pressurizer heaters ensures that RCS pressure can be maintained. The pressurizer heaters maintain RCS pressure to keep the reactor coolant subcooled. Inability to control RCS pressure during natural circulation flow could result in loss of single phase flow and decreased capability to remove core decay heat. _______________________________________________________________________________  APPLICABLE SAFETY ANALYSES In MODES 1, 2, and 3, the LCO requirement for a steam bubble is reflected implicitly in the accident analyses. No safety analyses are performed in lower MODES. All analyses performed from a critical reactor condition assume the existence of a steam bubble and saturated conditions in the pressurizer. In making this assumption, the analyses neglect the small fraction of noncondensable gases normally present. An implicit initial condition assumption of the Safety Analyses is that the RCS is operating at normal pressure.
The individual UFSAR Accident Analysis Sections must be reviewed to determine the assumed pressurizer heater operation during the transient. Steam generator tube rupture, for example, credits pressurizer class backup heaters to maintain adequate subcooling margin.
The Class 1E pressurizer backup heaters are needed to maintain subcooling in the long term during loss of offsite power, as indicated in NUREG-0737 (Ref. 1). The intent is to keep the reactor coolant in a subcooled condition with natural circulation at hot, high pressure conditions for an undefined, but extended, time period after a loss of offsite power. While loss of offsite power is a coincident occurrence assumed in the accident analyses, maintaining hot, high pressure conditions over an extended time period is not evaluated in the accident analyses.

The pressurizer satisfies Criterion 2 and Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO

The LCO requirement for the pressurizer to be OPERABLE with water level  27% indicated level (425 cubic feet) and  56% indicated level (948 cubic feet) ensures that a steam bubble exists. Limiting the maximum operating water level preserves the steam space for pressure control. The LCO has been established to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity  125 kW. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wide subcooling margin to saturation can be obtained in the loops.
APPLICABILITY

The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, Applicability has been designated for MODES 1 and 2. The Applicability is also provided for MODE 3. It is assumed pressurizer level is under steady state conditions. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational perturbation, such as reactor coolant pump startup. The LCO does not apply to MODE 5 (Loops Filled) because LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP) System," applies. The LCO does not apply to MODES 5 and 6 with partial loop operation. Also, a Note has been added to indicate the limit on pressurizer level may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP.

In MODES 1, 2, and 3, the initial conditions of these MODES give the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODES 4, 5, or 6, it is not necessary to control pressure (by heaters) to ensure loop subcooling for heat transfer when the Shutdown Cooling System is in service and therefore the LCO is not applicable.

ACTIONS

A.1 and A.2

With pressurizer water level not within the limit, action must be taken to restore the plant to operation within the bounds of the safety analyses. To achieve this status, the unit must be brought to MODE 3, with the reactor trip breakers open, within 6 hours and to MODE 4 within 12 hours.
This takes the plant out of the applicable MODES and restores the plant to operation within the bounds of the safety analyses. Six hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. Further pressure and temperature reduction to MODE 4 brings the plant to a MODE where the LCO is not applicable. The 12 hour time to reach the nonapplicable MODE is reasonable based on operating experience for that evolution.
B.1

If one required group of pressurizer heaters is inoperable, restoration is required within 72 hours. The Completion Time of 72 hours is reasonable considering that a demand caused by loss of offsite power would be unlikely in this period. Pressure control may be maintained during this time using normal station powered heaters.

C.1 and C.2

If one required group of pressurizer heaters is inoperable and cannot be restored within the allowed Completion Time of Required Action B.1, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours and to MODE 4 within 12 hours. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging safety systems. Similarly, the Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 4 from full power in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.9.1

This Surveillance ensures that during steady state operation, pressurizer water level is maintained below the nominal upper limit to provide a minimum space for a steam bubble. The Surveillance is performed by observing the indicated level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.4.9.2

The Surveillance is satisfied when the power supplies are demonstrated to be capable of producing the minimum power and the associated pressurizer heaters are verified to be at their design rating. (This may be done by testing the power supply output and by performing an electrical check on heater element continuity and resistance.) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. NUREG-0737, November 1980.
Pressurizer Safety Valves-MODES 1, 2, and 3 B 3.4.10

PALO VERDE UNITS 1,2,3 B 3.4.10-1 REVISION 53

B 3.4  REACTOR COOLANT SYSTEM (RCS)

B 3.4.10  Pressurizer Safety Valves

BASES

BACKGROUND

The purpose of the four spring loaded pressurizer safety valves is to provide RCS overpressure protection. Operating in conjunction with the Reactor Protective System, four valves are used to ensure that the Safety Limit (SL) of 2750 psia is not exceeded for analyzed transients during operation in MODES 1, 2 and 3. One safety valve is used for MODE 4. For MODE 5, and MODE 6 with the head on, overpressure protection is provided by operating procedures and the LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP) System."

The self actuated pressurizer safety valves are designed in accordance with the requirements set forth in the ASME, Boiler and Pressure Vessel Code, Section III (Ref. 1). The required lift pressure is 2475 psia +3%, -1%. At this lift pressure plus accumulation, each safety valve is capable of relieving 473,300 lb/hr of saturated steam, which ensures the current safety analysis requirements are met. The safety valves discharge steam from the pressurizer to a quench tank located in the containment. The discharge flow is indicated by an increase in temperature downstream of the safety valves and by an increase in the quench tank temperature and level.

The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of design pressure.
The consequences of exceeding the ASME pressure limit (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.
APPLICABLE SAFETY ANALYSES

All accident analyses in the UFSAR that require safety valve actuation assume operation of four pressurizer safety valves to limit increasing reactor coolant pressure. The overpressure protection analysis is also based on operation of four safety valves and assumes that the valves open at the high range of the setting (2475 psia + 3%). These valves must accommodate pressurizer pressure and volume insurges that could occur during transients due to decrease in heat removal by the secondary systems, reactivity and power distribution anomalies, and increases in RCS inventory. Single failure of a safety valve is neither assumed in the accident analysis nor required to be addressed by the ASME Code. Compliance with this specification is required to ensure that the accident analysis and design basis calculations remain valid.

The pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The four pressurizer safety valves are set to open at 25 psia less than RCS design pressure (2475 psia) and within the ASME specified tolerance to avoid exceeding the maximum RCS design pressure SL, to maintain accident analysis assumptions, and to comply with ASME Code requirements.
The limit protected by this specification is the Reactor Coolant Pressure Boundary (RCPB) SL of 110% of design pressure. Inoperability of one or more valves could result in exceeding the SL if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY

In MODES 1, 2, and 3, OPERABILITY of four valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents. MODE 3 is conservatively included, although the listed accidents may not require four safety valves for protection.
The requirements for overpressure protection in other MODES are covered by LCO 3.4.11, "Pressurizer Safety Valves-MODE 4," and LCO 3.4.13, "LTOP System."

The Note allows entry into MODES 3 and 4 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The 72 hour exception is based on 18 hour outage time for each of the four valves.
The 18 hour period is derived from operating experience that hot testing can be performed within this timeframe.

ACTIONS

A.1

With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS overpressure protection system. An inoperable safety valve coincident with an RCS overpressure event could challenge the integrity of the RCPB.

B.1 and B.2

If the Required Action cannot be met within the required Completion Time or if two or more pressurizer safety valves are inoperable, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The 6 hours allowed is reasonable, based on operating experience, to reach MODE 3 from full power without challenging plant systems.
Similarly, the 12 hours allowed is reasonable, based on operating experience, to reach MODE 4 without challenging plant systems.
The change from MODE 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by four pressurizer safety valves.

SURVEILLANCE REQUIREMENTS

SR 3.4.10.1

SRs are specified in the Inservice Testing Program.
Pressurizer safety valves are to be tested in accordance with the requirements of the ASME OM Code (Ref. 3), which provides the activities and the Frequency necessary to satisfy the SRs. No additional requirements are specified. The pressurizer safety valve setpoint is +3%, -1% for OPERABILITY; however, the valves are reset to +/- 1% during the Surveillance to allow for drift (Ref. 2). The lift setting pressure shall correspond to ambient conditions of the valve at nominal operating temperature and pressure.

REFERENCES

1. ASME, Boiler and Pressure Vessel Code, Section III.

2. PVNGS Operating License Amendment Nos. 75, 61, and 47 for Units 1, 2, and 3, respectively, and associated NRC Safety Evaluation dated May 16, 1994.

3. ASME Code for Operation and Maintenance of Nuclear Power Plants.
Pressurizer Safety Valves-MODE 4 B 3.4.11

PALO VERDE UNITS 1,2,3 B 3.4.11-1 REVISION 0

B 3.4  REACTOR COOLANT SYSTEM (RCS)

B 3.4.11  Pressurizer Safety Valves-MODE 4

BASES

BACKGROUND

The purpose of the four spring loaded pressurizer safety valves is to provide RCS overpressure protection. One safety valve is used for portions of MODE 4. For the remainder of MODE 4, MODE 5, and MODE 6 with the head on, overpressure protection is provided by operating procedures and the LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP) System."

The self actuated pressurizer safety valves are designed in accordance with the requirements set forth in the ASME, Boiler and Pressure Vessel Code, Section III (Ref. 1). The required lift pressure is 2475 psia +3%, -1%. The safety valves discharge steam from the pressurizer to a quench tank located in the containment. The discharge flow is indicated by an increase in temperature downstream of the safety valves and by an increase in the quench tank temperature and level.

The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of design pressure.
The consequences of exceeding the ASME pressure limit (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.
Pressurizer Safety Valve Requirements

The pressurizer code safety valves operate to prevent the RCS from being pressurized above its Safety Limit (SL) of 2750 psia. Each safety valve is capable of relieving 473,300 lb/hr of saturated steam at a setpoint of 2475 psia plus 3% accumulation, which ensures the current safety analysis requirements are met. The relief capacity of a single safety valve is adequate to relieve any overpressure condition which could occur during shutdown above LTOP System temperatures.

Shutdown Cooling System Suction Line Relief Valve Requirements

A single Shutdown Cooling System suction line relief valve provides overpressure relief capability and will prevent RCS overpressurization in the event that no pressurizer safety valves are OPERABLE.

APPLICABLE SAFETY ANALYSES

All accident analyses in the UFSAR that require safety valve actuation assume operation of four pressurizer safety valves to limit increasing reactor coolant pressure. The overpressure protection analysis is also based on operation of four safety valves and assumes that the valves open at the high range of the setting (2475 psia + 3%). These valves must accommodate pressurizer pressure and volume insurges that could occur during transients due to decrease in heat removal by the secondary systems, reactivity and power distribution anomalies, and increase in RCS inventory.
Single failure of a safety valve is neither assumed in the accident analysis nor required to be addressed by the ASME Code. Compliance with this specification is required to ensure that the accident analysis and design basis calculations remain valid. The pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

One pressurizer safety valve is required to be OPERABLE in MODE 4 with no Shutdown Cooling System suction line relief valves in service. The four pressurizer safety valves are set to open 25 psia less than RCS design pressure (2475 psia) and within the ASME specified tolerance to avoid exceeding the maximum RCS design pressure SL to maintain accident analysis assumptions, and to comply with ASME Code requirements.

The limit protected by this specification is the Reactor Coolant Pressure Boundary (RCPB) SL of 110% of design pressure. Inoperability of all valves could result in exceeding the SL if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY

In MODE 4 above the LTOP System temperatures OPERABILITY of one valve is required. MODE 4 is conservatively included, although the listed accidents may not require a safety valve for protection.

The requirements for overpressure protection in other MODES and in MODE 4 at or below the LTOP System temperatures are covered by LCOs 3.4.10, "Pressurizer Safety Valves - MODES 1, 2 and 3," and LCO 3.4.13, LTOP System.

The Note allows entry into MODES 3 and 4 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting.
The cold setting gives assurance that the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The 72 hour exception is based on 18 hour outage time for each of the four valves.
The 18 hour period is derived from operating experience that hot testing can be performed within this timeframe.
ACTIONS

A.1, A.2, and A.3

If all pressurizer safety valves are inoperable, the plant must be brought to a condition where overpressure protection is provided, then to a MODE in which the requirement does not apply. To achieve this status, one Shutdown Cooling System suction line relief must be placed in service immediately, then the plant must be brought to at least MODE 4 with any RCS cold leg temperature less than or equal to the LTOP enable temperature specified in the PTLR within 8 hours, so that LCO 3.4.13 (LTOP System) would apply. It is reasonable to pursue the ACTION to place a shutdown cooling system suction relief valve in service immediately (without delay) because the plant is already within the shutdown cooling system entry temperature of less than 350°F. The Completion Time of immediately requires that the required action be pursued without delay and in a controlled manner, and reflects the importance of maintaining the RCS overpressure protection system. The 8 hours allowed to be in MODE 4 with any RCS temperature less than or equal to the LTOP enable temperature specified in the PTLR is reasonable, based on operating experience, to reach this condition without challenging plant systems.

For the Shutdown Cooling System suction line relief valve that is required to be in service in accordance with Required Action A.1, SR 3.4.11.2 and SR 3.4.11.3 must be performed or verified performed within 12 hours. This ensures that the required Shutdown Cooling System suction line relief valve is OPERABLE.
A Shutdown Cooling System suction line relief valve is OPERABLE when its isolation valves are open, its lift setpoint is set at 467 psig or less, and testing has proven its ability to open at that setpoint. If the Required Actions and associated Completion Times are not met, overpressurization is possible. The 8 hours Completion Time to be in MODE 4 with any RCS cold leg temperature less than or equal to the LTOP enable temperature specified in the PTLR places the unit in a condition where the LCO does not apply.
SURVEILLANCE REQUIREMENTS

SR 3.4.11.1

SRs are specified in the Inservice Testing Program.
Pressurizer safety valves are to be tested in accordance with the requirements of the ASME OM Code (Ref. 2), which provides the activities and the Frequency necessary to satisfy the SRs. No additional requirements are specified. The pressurizer safety valve setpoint is +3%, -1% for OPERABILITY; however, the valves are reset to +/- 1% during the Surveillance to allow for drift (Ref. 3). The lift setting pressure shall correspond to ambient conditions of the valve at nominal operating temperature and pressure.

SR 3.4.11.2

SR 3.4.11.2 requires that the required Shutdown Cooling System suction line relief valve is OPERABLE by verifying its open pathway condition. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR has been modified by a Note that requires performance only if a Shutdown Cooling System suction line relief valve is being used for overpressure protection. The Frequencies consider operating experience with mispositioning of unlocked and locked pathway vent valves.

SR 3.4.11.3

SRs are specified in the Inservice Testing Program.
Shutdown Cooling System suction line relief valves are to be tested in accordance with the requirements of the ASME OM Code (Ref. 2), which provides the activities and the Frequency necessary to satisfy the SRs. The Shutdown Cooling System suction line relief valve setpoint is 467 psig.
REFERENCES

1. ASME, Boiler and Pressure Vessel Code, Section III.

2. ASME Code for Operations and Maintenance of Nuclear Power Plants.

3. PVNGS Operating License Amendment Nos. 75, 61, and 47 for Units 1, 2, and 3 respectively, and associated NRC Safety Evaluation dated May 16, 1994.
Pressurizer Vents B 3.4.12

PALO VERDE UNITS 1,2,3 B 3.4.12-1 REVISION 1

B 3.4  REACTOR COOLANT SYSTEM (RCS)

B 3.4.12  Pressurizer Vents

BASES

BACKGROUND

The pressurizer vent is part of the reactor coolant gas vent system (RCGVS) as described in UFSAR 18.II.B.1 (Ref. 1). The pressurizer can be vented remotely from the control room through the following four paths (see UFSAR Figure 18.II.B-1):

1. From the pressurizer vent through SOV HV-103, then through SOV HV-105 to the reactor drain tank (RDT).

2. From the pressurizer vent through SOV HV-103, then through SOV HV-106 directly to the containment atmosphere.

3. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-105 to the reactor drain tank (RDT).

4. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-106 directly to the containment atmosphere.

The RCGVS also includes the reactor head vent, which can be used along with the pressurizer vent to remotely vent gases that could inhibit natural circulation core cooling during post accident situations. However, this function does not meet the criteria of 10 CFR 50.36(c)(2)(ii) to require a Technical Specification LCO, and therefore the reactor head vent is not included in these Technical Specifications.
APPLICABLE SAFETY ANALYSES

The requirement for the pressurizer vent path to be OPERABLE is based on the steam generator tube rupture (SGTR) with loss of offsite power (SGTRLOP) and SGTR with loss of offsite power and single failure (SGTRLOPSF) analysis, as described in UFSAR 15.6.3 (Ref. 4). It is assumed that the auxiliary pressurizer spray system (APSS) is not available for this event. Instead, RCS depressurization is performed by venting the RCS via a pressurizer vent path and throttling HPSI flow. The analysis assumes venting to the containment atmosphere via path 4 as described below.

The results of the CENTS based analysis for SGTRLOP and SGTRLOPSF forwarded to the NRC in Reference 2 state that the auxiliary spray was assumed to be unavailable and use of pressurizer head vents was credited for de-pressurization.
The staff has reviewed and accepted the results of the analysis. The staff's detailed evaluation has been reported in Amendment No. 149, which increases power to 3990 MWt for Unit 2 and incorporates replacement steam generator (Ref. 3).

The pressurizer vent paths satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO requires four pressurizer vent paths be OPERABLE.
The four vent paths are:

1. From the pressurizer vent through SOV HV-103, then through SOV HV-105 to the reactor drain tank (RDT).

2. From the pressurizer vent through SOV HV-103, then through SOV HV-106 directly to the containment atmosphere.

3. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-105 to the reactor drain tank (RDT).

4. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-106 directly to the containment atmosphere.
A vent path is flow capability from the pressurizer to the RDT or from the pressurizer to containment atmosphere. Loss of any single valve in the pressurizer vent system will cause two flow paths to become inoperable.

A pressurizer vent path is required to depressurize the RCS in a SGTR design basis event which assumes LOP and APSS unavailable.

APPLICABILITY

In MODES 1, 2, 3, and MODE 4 with RCS pressure  385 psia the four pressurizer vent paths are required to be OPERABLE.
The safety analysis for the SGTR with LOP and a Single Failure (loss of APSS) credits a pressurizer vent path to reduce RCS pressure. In MODES 1, 2, 3, and MODE 4 with RCS pressure  385 psia the SGs are the primary means of heat removal in the RCS, until shutdown cooling can be initiated. In MODES 1, 2, 3, and MODE 4 with RCS pressure  385 psia, assuming the APSS is not available, the pressurizer vent paths are the credited means to depressurize the RCS to Shutdown Cooling System entry conditions. Further depressurization into MODE 5 requires use of the pressurizer vent paths. In MODE 5 with the reactor vessel head in place, temperature requirements of MODE 5 (< 210°F) ensure the RCS remains depressurized.
In MODE 6 the RCS is depressurized.

ACTIONS

A.1

If two or three pressurizer vent paths are inoperable, they must be restored to OPERABLE status. Loss of any single valve in the pressurizer vent system will cause two flow paths to become inoperable. Any vent path that provides flow capability from the pressurizer to the RDT or to the containment atmosphere, independent of which train is powering the valves in the flow path, can be considered an operable vent path. The Completion Time of 72 hours is reasonable because there is at least one pressurizer vent path that remains OPERABLE.
B.1

If all pressurizer vent paths are inoperable, then restore at least one pressurizer vent path to OPERABLE status. The Completion Time of 6 hours is reasonable to allow time to correct the situation, yet emphasize the importance of restoring at least one pressurizer vent path. If at least one pressurizer vent path is not restored to OPERABLE within the Completion Time, then Action C is entered.

C.1

If the required Actions, A and B, cannot be met within the associated Completion Times, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours, and to MODE 4 with RCS pressure < 385 psia within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.12.1

SR 3.4.12.1 requires complete cycling of each pressurizer vent path valve. The vent valves must be cycled from the control room to demonstrate their operability. Pressurizer vent path valve cycling demonstrates its function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This surveillance test must be performed in Mode 5 or Mode 6. In any Mode, partial surveillance tests can be performed for post-maintenance testing under site procedural controls that ensure the valve being tested is isolated from RCS pressure.

SR 3.4.12.2

SR 3.4.12.2 requires verification of flow through each pressurizer vent path.
Verification of pressurizer vent path flow demonstrates its function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This surveillance test must be performed in Mode 5 or Mode 6.
REFERENCES
: 1. UFSAR, Section 18.
: 2. "Palo Verde Nuclear Generating Station (PVNGS) Unit 2 Docket No. STN 50-529 Request for a License Amendment to Support Replacement of Steam Generators and Uprated Power Operations," Letter 102-046141-CDM/RAB, C. D. Mauldin (APS) to the NRC, December 21, 2001.
: 3. "Palo Verde Nuclear Generating Station, Unit 2 (PVNGS-2) - Issuance of Amendment on Replacement of Steam Generators and Uprated Power Operations (TAC NO. MB3696)," B.M. Pham (NRC) to G. R. Overbeck (APS), September 29, 2003.
: 4. UFSAR, Section 15.
B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.13 Low Temperature Overpressure Protection (LTOP) System
BASES
BACKGROUND
The LTOP System controls RCS pressure at low temperatures so the integrity of the Reactor Coolant Pressure Boundary (RCPB) is not compromised by violating the Pressure and Temperature (P/T) limits of 10 CFR 50, Appendix G (Ref. 1).
The reactor vessel is the limiting RCPB component for demonstrating such protection. LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," provides the allowable combinations for operational pressure and temperature during cooldown, shutdown, and heatup to keep from violating the Reference 1 requirements during the LTOP MODES. The reactor vessel material is less tough at low temperatures than at normal operating temperatures. As the vessel neutron exposure accumulates, the material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref. 2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as temperature is increased. The potential for vessel overpressurization is most acute when the RCS is water solid, occurring only while shutdown; a pressure fluctuation can occur more quickly than an operator can react to relieve the condition. Exceeding the RCS P/T limits by a significant amount could cause brittle cracking of the reactor vessel. LCO 3.4.3 requires administrative control of RCS pressure and temperature during heatup and cooldown to prevent exceeding the P/T limits. This LCO provides RCS overpressure protection by having adequate pressure relief capacity. The pressure relief capacity requires either two OPERABLE redundant Shutdown Cooling System suction line relief valves or the RCS depressurized and an RCS vent of sufficient size. One Shutdown Cooling System suction line relief valve or the RCS vent is the overpressure protection device that acts to terminate an increasing pressure event.
The LTOP System for pressure relief consists of two Shutdown Cooling System suction line relief valves or an RCS vent of sufficient size. Two relief valves are required for redundancy. One Shutdown Cooling System suction line relief valve has adequate relieving capability to prevent overpressurization for the required coolant input capability.
Shutdown Cooling System Suction Line Relief Valve Requirements
As designed for the LTOP System, each Shutdown Cooling System suction line relief valve is designed to lift and relieve RCS pressure if RCS pressure approaches the Shutdown Cooling System suction line relief valve lift setpoint. Each Shutdown Cooling System suction line relief valve is designed to protect the reactor vessel given a single failure in addition to a failure that initiated the pressure transient. No single failure of a Shutdown Cooling System suction line relief valve isolation valve (SI-651, 652, 653, or 654) will prevent one Shutdown Cooling System suction line relief valve from performing its intended function (Ref. 7).
The OPERABILITY of two Shutdown Cooling System suction line relief valves, while maintaining the limits imposed on the RCS heatup and cooldown rates, ensures that the RCS will be protected from analyzed pressure transients. Either Shutdown Cooling System suction line relief valve provides overpressure protection for the RCS due to the most limiting transients initiated by a single operator or equipment failure:
: a. The start of an idle RCP with secondary water temperature of the SG  100°F above RCS cold leg temperatures
: b. An inadvertent SIAS with two HPSI pumps injecting into a water solid RCS, three charging pumps injecting, and letdown isolated.
These events are the most limiting energy and mass addition transients, respectively, when the RCS is at low temperatures (Refs. 7 and 8).
When a Shutdown Cooling System suction line relief valve lifts due to an increasing pressure transient, the release of coolant causes the pressure increase to slow and reverse.
As the Shutdown Cooling System suction line relief valve releases coolant, the system pressure decreases until valve reseat pressure is reached and the Shutdown Cooling system suction line relief valve closes. At low temperatures with the Shutdown Cooling System suction line relief valves aligned to the RCS, it is necessary to restrict heatup and cooldown rates to assure that P-T limits are not exceeded. These P-T limits are usually applicable to a finite time period such as one cycle, 5 EFPY, etc. and are based upon irradiation damage prediction by the end of the period. Accordingly, each time P-T limits change, the LTOP System needs to be reanalyzed and modified, if necessary, to continue its function. Once the RCS is depressurized, a vent exposed to the containment atmosphere will maintain the RCS at containment ambient pressure in an RCS overpressure transient, if the relieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path must be capable of relieving the flow resulting from the limiting LTOP mass or heat input transient and maintaining pressure below the P/T limits. The required vent capacity may be provided by one or more vent paths. For an RCS vent to meet the specified flow capacity, it requires removing all pressurizer safety valves, or similarly establishing a vent by opening the pressurizer manway (Ref. 10). The vent path(s) must be above the level of reactor coolant, so as not to drain the RCS when open.
APPLICABLE SAFETY ANALYSES
Safety analyses (Ref. 3) demonstrate that the reactor vessel is adequately protected against exceeding the Reference 1 P/T limits during shutdown. In MODES 1, 2, and 3, and in MODE 4 with any RCS cold leg temperature greater than the LTOP enable temperature specified in the PTLR, the pressurizer safety valves prevent RCS pressure from exceeding the Reference 1 limits. At the LTOP enable temperature specified in the PTLR and below, overpressure prevention falls to the OPERABLE Shutdown Cooling System suction line relief valves or to a depressurized RCS and a sufficiently sized RCS vent. Each of these means has a limited overpressure relief capability.
The actual temperature at which the pressure in the P/T limit curve falls below the pressurizer safety valve setpoint increases as the reactor vessel material toughness decreases due to neutron embrittlement. Each time the P/T limit curves are revised, the LTOP System will be re-evaluated to ensure its functional requirements can still be satisfied using the Shutdown Cooling System suction line relief valve method or the depressurized and vented RCS condition.
Reference 3 contains the acceptance limits that satisfy the LTOP requirements. Any change to the RCS must be evaluated against these analyses to determine the impact of the change on the LTOP acceptance limits.
Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transients, examples of which follow:
Mass Input Type Transients
: a. Inadvertent safety injection; or
: b. Charging/letdown flow mismatch.
Heat Input Type Transients
: a. Inadvertent actuation of pressurizer heaters;
: b. Loss of shutdown cooling (SDC); or
: c. Reactor coolant pump (RCP) startup with temperature asymmetry within the RCS or between the RCS and steam generators.
The analyses in References 3, 7, and 8 demonstrate that either one Shutdown Cooling System suction line relief valve or the RCS vent can maintain RCS pressure below limits for the two most limiting analyzed events:
: a. The start of an idle RCP with secondary water temperature of the SG  100°F above RCS cold leg temperatures.
: b. An inadvertent SIAS with two HPSI pumps injecting into a water solid RCS, three charging pumps injecting, and letdown isolated.
Fracture mechanics analyses established the temperature of LTOP Applicability at less than or equal to the LTOP enable temperature specified in the PTLR. Above these temperatures, the pressurizer safety valves provide the reactor vessel pressure protection. The vessel materials were assumed to have a neutron irradiation accumulation equal to the effective full power years of operation specified in the PTLR.
The consequences of a small break Loss Of Coolant Accident (LOCA) in LTOP MODE 4 conform to 10 CFR 50.46 and 10 CFR 50, Appendix K (Refs. 4 and 5).
The fracture mechanics analyses show that the vessel is protected when the Shutdown Cooling System suction line relief valves are set to open at or below 467 psig. The setpoint is derived by modeling the performance of the LTOP System, assuming the limiting allowed LTOP transient. Shutdown Cooling System suction line relief valve setpoints at or below the derived limit ensure the Reference 1 limits will be met. The Shutdown Cooling System suction line relief valve setpoints will be re-evaluated for compliance when the revised P/T limits conflict with the LTOP analysis limits.
The P/T limits are periodically modified as the reactor vessel material toughness decreases due to embrittlement caused by neutron irradiation. Revised P/T limits are determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," discuss these examinations.
The Shutdown Cooling System suction line relief valves are considered active components. Thus, the failure of one Shutdown Cooling System suction line relief valve represents the worst case, single active failure.
RCS Vent Performance
With the RCS depressurized, analyses show a vent size of 16 square inches is capable of mitigating the limiting allowed LTOP overpressure transient. In that event, this size vent maintains RCS pressure less than the maximum RCS pressure on the P/T limit curve. The RCS vent size will also be re-evaluated for compliance each time the P/T limit curves are revised based on the results of the vessel material surveillance.
The RCS vent is passive and is not subject to active failure.
LTOP System satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).
LCO
This LCO is required to ensure that the LTOP System is OPERABLE. The LTOP System is OPERABLE when the pressure relief capabilities are OPERABLE. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the Reference 1 limits as a result of an operational transient.
The elements of the LCO that provide overpressure mitigation through pressure relief are:
: a. Two OPERABLE Shutdown Cooling System suction line relief valves; or
: b. The depressurized RCS and an RCS vent.
A Shutdown Cooling System suction line relief valve is OPERABLE for LTOP when its isolation valves are open, its lift setpoint is set at 467 psig or less and testing has proven its ability to open at that setpoint.
An RCS vent is OPERABLE when open with an area ≥ 16 square inches.
For an RCS vent to meet the specified flow capacity, it requires removing all pressurizer safety valves, or similarly establishing a vent by opening the pressurizer manway (Ref. 10). The vent path(s) must be above the level of reactor coolant, so as not to drain the RCS when open.
Each of these methods of overpressure prevention is capable of mitigating the limiting LTOP transient.
The Note requires that, before an RCP may be started, the secondary side water temperature (saturation temperature corresponding to SG pressure) in each SG is  100°F above each of the RCS cold leg temperatures. Satisfying this condition will preclude a large pressure surge in the RCS when the RCP is started.
APPLICABILITY
This LCO is applicable in MODE 4 when the temperature of any RCS cold leg is less than or equal to the LTOP enable temperature specified in the PTLR, in MODE 5, and in MODE 6 when the reactor vessel head is on. The pressurizer safety valves provide overpressure protection that meets the Reference 1 P/T limits above the LTOP enable temperature.
The requirements for overpressure protection in MODES 1, 2 and 3, and in MODE 4 above the LTOP System temperatures are covered by LCO 3.4.10, "Pressurizer Safety Valves - MODES 1, 2, and 3," and LCO 3.4.11, "Pressurizer Safety Valves - MODE 4." When the reactor vessel head is off, overpressurization cannot occur. LCO 3.4.3 provides the operational P/T limits for all MODES.
Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure when little or no time allows operator action to mitigate the event.
ACTIONS
A Note prohibits the application of LCO 3.0.4.b to an inoperable LTOP system. There is an increased risk associated with entering MODE 4 from MODE 5 with LTOP inoperable and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of the risk assessment addressing inoperable systems and components, should not be applied in this circumstance.
A.1
In MODE 4 when any RCS cold leg temperature is less than or equal to the LTOP enable temperature specified in the PTLR with one Shutdown Cooling System suction line relief valve inoperable, two Shutdown Cooling System suction line relief valves must be restored to OPERABLE status within a Completion Time of 7 days. Two valves are required to meet the LCO requirement and to provide low temperature overpressure mitigation while withstanding a single failure of an active component.
The Completion Time is based on the facts that only one Shutdown Cooling System suction line relief valve is required to mitigate an overpressure transient and that the likelihood of an active failure of the remaining valve path during this time period is very low.
B.1
The consequences of operational events that will overpressure the RCS are more severe at lower temperature (Ref. 6). Thus, with one required Shutdown Cooling System suction line relief valve inoperable in MODE 5 or in MODE 6 with the head on, the Completion Time to restore the inoperable valve to OPERABLE status is 24 hours.
The 24 hour Completion Time to restore two Shutdown Cooling System suction line relief valves OPERABLE in MODE 5 or in MODE 6 when the vessel head is on is a reasonable amount of time to investigate and repair several types of Shutdown Cooling System suction line relief valve failures without exposure to a lengthy period with only one Shutdown Cooling System suction line relief valve OPERABLE to protect against overpressure events.
C.1
If two required Shutdown Cooling System suction line relief valves are inoperable, or if a Required Action and the associated Completion Time of Condition A or B are not met, the RCS must be depressurized and a vent established within 8 hours. The vent must be sized at least 16 square inches to ensure the flow capacity is greater than that required for the worst case mass input transient reasonable during the applicable MODES. This action protects the RCPB from a low temperature overpressure event and a possible brittle failure of the reactor vessel.
For personnel safety considerations, the RCS cold leg temperature must be reduced to less than 200°F prior to venting.
The Completion Time of 8 hours to depressurize and vent the RCS is based on the time required to place the plant in this condition and the relatively low probability of an overpressure event during this time period due to increased operator awareness of administrative control requirements.
SURVEILLANCE REQUIREMENTS
SR 3.4.13.1 and 3.4.13.2
SR 3.4.13.1 and SR 3.4.13.2 require verifying that the RCS vent is open ≥ 16 square inches, or that the Shutdown Cooling System suction line relief valves are aligned to provide overpressure protection for the RCS, which is proven OPERABLE by verifying its open pathway condition. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
For an RCS vent to meet the specified flow capacity, it requires removing all pressurizer safety valves, or similarly establishing a vent by opening the pressurizer manway (Ref. 10). The vent path(s) must be above the level of reactor coolant, so as not to drain the RCS when open.
The passive vent arrangement must only be open (vent pathway exists) to be OPERABLE. These Surveillances need only be performed if the vent or the Shutdown Cooling System suction line relief valves are being used to satisfy the requirements of this LCO. The Frequencies consider operating experience with mispositioning of unlocked and locked pathway vent valves, and passive pathway obstructions.
SR 3.4.13.3
SRs are specified in the Inservice Testing Program. Shutdown Cooling System suction line relief valves are to be tested in accordance with the requirements of the ASME OM Code (Ref. 9), which provides the activities and the Frequency necessary to satisfy the SRs. The Shutdown Cooling System suction line relief valve set point is 467 psig.
REFERENCES
: 1. 10 CFR 50, Appendix G.
: 2. Generic Letter 88-11.
: 3. UFSAR, Section 15.
: 4. 10 CFR 50.46.
: 5. 10 CFR 50, Appendix K.
: 6. Generic Letter 90-06.
: 7. UFSAR, Section 5.2.
: 8. N001-0601-00404, "Palo Verde Nuclear Generating Station Units 1, 2, and 3 LTOP Evaluation."
: 9. ASME Code for Operation and Maintenance of Nuclear Power Plants.
: 10. 13-COO-93-016, Sensitivity Study on Pressurizer Vent Paths vs. Days Post Shutdown.
B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.14 RCS Operational LEAKAGE
BASES
BACKGROUND
Components that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS. During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration.
The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE. 10 CFR 50, Appendix A, GDC 30 (Ref. 1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems. The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur detrimental to the safety of the facility and the public. A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight.
Leakage from these systems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS LEAKAGE detection. This LCO deals with protection of the Reactor Coolant Pressure Boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analysis radiation release assumptions from being exceeded.
The consequences of violating this LCO include the possibility of a Loss Of Coolant Accident (LOCA).
APPLICABLE SAFETY ANALYSES
The PVNGS safety analyses do not address RCS operational LEAKAGE other than primary to secondary LEAKAGE. Analyses for events that result in a steam discharge from the secondary system to the atmosphere assume 1 gallon per minute (gpm) total primary to secondary LEAKAGE at the time of event initiation. These analyses include the Inadvertent Opening of a Steam Generator Atmospheric Dump Valve (IOSGADV); Main Steam Line Break (MSLB); Feedwater Line Break (FWLB); Reactor Coolant Pump Sheared Shaft and Seized Rotor (SS/SR); Control Element Assembly Ejection (CEAE); Steam Generator Tube Rupture (SGTR); Small Break Loss of Coolant Accident (SBLOCA); and an Anticipated Operational Occurrence (AOO) in combination with a Single Failure (i.e., a loss of forced RCS flow initiated from the DNBR SAFDL).
While some events assume the 1 gpm LEAKAGE is in one steam generator, others assume 0.5 gpm per steam generator (1 gpm total) as an initial condition. Therefore, the individual UFSAR event section must be reviewed to determine the assumed primary to secondary LEAKAGE for a specific transient or accident. Although the Large Break Loss of Coolant Accident (LBLOCA) also results in a discharge from the secondary system to the atmosphere, the analysis for that event addresses releases from containment building through a depressurized secondary system, rather than 1 gpm primary to secondary LEAKAGE.
Primary to secondary LEAKAGE contaminates the secondary system and is therefore a contributor to radiological dose consequences. For PVNGS, a postulated SGTR in combination with a Loss of Offsite Power (LOP), a stuck open Atmospheric Dump Valve (ADV), and a Pre-accident Iodine Spike (PIS) yields the most severe offsite dose consequences (Ref. 3), whereas a postulated CEAE yields the most severe control room dose consequences (Ref. 4). The consequences resulting from these and other analyzed events, however, remain within the offsite dose limits of 10 CFR Part 100 (Ref. 5); the control room dose limits of 10 CFR 50, Appendix A, GDC 19 (Ref. 6); or other NRC-approved, event-specific licensing bases (e.g., a small fraction of 10 CFR 100 limits).
The Technical Specification limit of 150 gallons per day (gpd) primary to secondary LEAKAGE through any one steam generator is significantly less than the initial conditions assumed in the safety analyses. The 150 gpd limit is based on operating experience as an indication of one or more propagating tube leak mechanisms. This leakage rate limit provides additional assurance against tube rupture at normal and faulted conditions and provides additional assurance that cracks will not propagate to burst prior to detection by leakage monitoring methods and commencement of plant shutdown.
RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).
LCO
RCS operational LEAKAGE shall be limited to:
a. Pressure Boundary LEAKAGE
No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.
b. Unidentified LEAKAGE
One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.
c. Identified LEAKAGE
Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS makeup system. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled Reactor Coolant Pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system.
LCO 3.4.15, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leaktight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.
d. Primary to Secondary LEAKAGE through Any One SG
The limit of 150 gallons per day per SG is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Ref. 7).
The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150 gallons per day."  The limit is based on operating experience with SG tube degradation mechanisms that result in tube leakage.
The operational leakage rate criterion in conjunction with the implementation of the Steam Generator Program is an effective measure for minimizing the frequency of steam generator tube ruptures.
APPLICABILITY
In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized. In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.
ACTIONS
A.1
Unidentified LEAKAGE or identified LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.
B.1 and B.2
If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within limits, or if unidentified or identified LEAKAGE cannot be reduced to within limits within 4 hours, the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential consequences. The reactor must be brought to MODE 3 within 6 hours and to MODE 5 within 36 hours.
This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary. The allowed Completion Times are reasonable, based on operating experience, to reach the required conditions from full power conditions in an orderly manner and without challenging plant systems. In MODE 5, the pressure stresses acting on the RCPB are much lower, and further deterioration is much less likely.
SURVEILLANCE REQUIREMENTS
SR 3.4.14.1
Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE and can only be positively identified by inspection.
Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance. The RCS water inventory balance must be performed with the reactor at steady state operating conditions (stable pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows). This surveillance is modified by two notes.
Note 1 states that this SR is not required to be performed until 12 hours after establishing steady state operation.
This means that once steady state operating conditions are established, 12 hours is allowed for completing the Surveillance. When required by the Frequency, and after steady state operating conditions are established, the surveillance must be completed prior to the end of 12 hours of steady state operation. If steady state operating conditions have not been established for 12 hours, this surveillance is not required until steady state operation is established for 12 hours. This SR is not required to be completed prior to changing MODES if steady state operation has not been established for 12 hours. The 12 hour allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established. Further discussion of SR note format is found in Section 1.4, Frequency. Note 1 allows for SR 3.4.14.1 nonperformance due to planned or unplanned transients. This Note is not intended to allow transients solely for the purpose of avoiding SR 3.4.14.1 performance. Steady state operation is required to perform a proper water inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and the containment sump level. These leakage detection systems are specified in LCO 3.4.16, "RCS Leakage Detection Instrumentation."

Note 2 states that this SR is not applicable to primary to secondary LEAKAGE because LEAKAGE of 150 gallons per day cannot be measured accurately by an RCS water inventory balance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.14.2

This SR verifies that primary to secondary LEAKAGE is less than or equal to 150 gallons per day through any one SG. Satisfying the primary to secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Generator Program is met. If this SR is not met, compliance with LCO 3.4.18, "Steam Generator Tube Integrity," should be evaluated. The 150 gallons per day limit is measured at room temperature as described in Reference 8. The operational LEAKAGE rate limit applies to LEAKAGE through any one SG. If it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary LEAKAGE should be conservatively assumed to be from one SG.

The Surveillance is modified by a Note which states that the Surveillance is not required to be performed until 12 hours after establishment of steady state operation. This means that once steady state operating conditions are established, 12 hours is allowed for completing the Surveillance. When required by the Frequency, and after steady state operating conditions are established, the surveillance must be completed prior to the end of 12 hours of steady state operation. If steady state operating conditions have not been established for 12 hours, this surveillance is not required until steady state operation is established for 12 hours. This SR is not required to be completed prior to changing MODES if steady state operation has not been established for 12 hours. The 12 hour allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established. Further discussion of SR note format is found in Section 1.4, Frequency. The Note allows for SR 3.4.14.2 nonperformance due to planned or unplanned transients. This Note is not intended to allow transients solely for the purpose of avoiding SR 3.4.14.2 performance.

For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 30.
2. Regulatory Guide 1.45, May 1973.
3. UFSAR, Section 15.6.
4. UFSAR, Section 6.4.
5. 10 CFR Part 100.
6. 10 CFR 50, Appendix A, GDC 19.
7. NEI 97-06, "Steam Generator Program Guidelines."
8. EPRI, "Pressurized Water Reactor Primary-to-Secondary Leak Guidelines."

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.15 RCS Pressure Isolation Valve (PIV) Leakage

BASES

BACKGROUND

10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (Refs. 1, 2, and 3), define RCS PIVs as any two normally closed valves in series within the RCS pressure boundary that separate the high pressure RCS from an attached low pressure system. During their lives, these valves can produce varying amounts of reactor coolant leakage through either normal operational wear or mechanical deterioration. The RCS PIV LCO allows RCS high pressure operation when leakage through these valves exists in amounts that do not compromise safety. The PIV leakage limit applies to each individual valve.
Leakage through both PIVs in series in a line must be included as part of the identified LEAKAGE, governed by LCO 3.4.14, "RCS Operational LEAKAGE." This is true during operation only when the loss of RCS mass through two valves in series is determined by a water inventory balance (SR 3.4.14.1). A known component of the identified LEAKAGE before operation begins is the lesser of the two individual leakage rates determined for leaking series PIVs during the required surveillance testing; leakage measured through one PIV in a line is not RCS operational LEAKAGE if the other is leaktight. Although this specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overpressure failure of the low pressure portions of connecting systems. The leakage limit is an indication that the PIVs between the RCS and the connecting systems are degraded or degrading. PIV leakage could lead to overpressure of the low pressure piping or components.
Failure consequences could be a Loss of Coolant Accident (LOCA) outside of containment, an unanalyzed condition that could degrade the ability for low pressure injection. The basis for this LCO is the 1975 NRC "Reactor Safety Study" (Ref. 4) that identified potential intersystem LOCAs as a significant contributor to the risk of core melt. A subsequent study (Ref. 5) evaluated various PIV configurations to determine the probability of intersystem LOCAs.

PIVs are provided to isolate the RCS from the following typically connected systems:

a. Shutdown Cooling (SDC) System; and
b. Safety Injection System.

The PIVs are listed in UFSAR section 3.9.6.2 (Ref. 6). Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.

APPLICABLE SAFETY ANALYSES

Reference 4 identified potential intersystem LOCAs as a significant contributor to the risk of core melt. The dominant accident sequence in the intersystem LOCA category is the failure of the low pressure portion of the SDC System outside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the Reactor Coolant Pressure Boundary (RCPB), and the subsequent pressurization of the SDC System downstream of the PIVs from the RCS. Because the low pressure portion of the SDC System is typically designed for 485 psig, overpressurization failure of the SDC low pressure line would result in a LOCA outside containment and subsequent risk of core melt.

Reference 5 evaluated various PIV configurations, leakage testing of the valves, and operational changes to determine the effect on the probability of intersystem LOCAs. This study concluded that periodic leakage testing of the PIVs can substantially reduce the probability of an intersystem LOCA.

RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

RCS PIV leakage is identified LEAKAGE into closed systems connected to the RCS. Isolation valve leakage is usually on the order of drops per minute. Leakage that increases significantly suggests that something is operationally wrong and corrective action must be taken.

The LCO PIV leakage limit is 0.5 gpm per nominal inch of valve size, with a maximum limit of 5 gpm. The previous criterion of 1 gpm for all valve sizes imposed an unjustified penalty on the larger valves without providing information on potential valve degradation and resulted in higher personnel radiation exposures. A study concluded a leakage rate limit based on valve size was superior to a single allowable value.

Reference 7 permits leakage testing at a lower pressure differential than between the specified maximum RCS pressure and the normal pressure of the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressure will tend to diminish the overall leakage channel opening. In such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential to the one half power.

APPLICABILITY

In MODES 1, 2, 3, and 4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized.
In MODE 4, valves in the SDC flow path are not required to meet the requirements of this LCO when in, or during the transition to or from, the SDC mode of operation. In MODES 5 and 6, leakage limits are not provided because the lower reactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment.

ACTIONS

The Actions are modified by two Notes. Note 1 is added to provide clarification that each flow path allows separate entry into a Condition. This is allowed based on the functional independence of the flow path. Note 2 requires an evaluation of affected systems if a PIV is inoperable. The leakage may have affected system operability, or isolation of a leaking flow path with an alternate valve may have degraded the ability of the interconnected system to perform its safety function.

A.1 and A.2

The flowpath must be isolated by two valves. Required Actions A.1 and A.2 are modified by a Note stating that the valves used for isolation must meet the same leakage requirements as PIVs and must be in the RCPB. Required Action A.1 requires that the isolation with one valve must be performed within 4 hours. Four hours provides time to reduce leakage in excess of the allowable limit and to isolate if leakage cannot be reduced. The 4 hours allows the actions and restricts the operation with leaking isolation valves. The 72 hour Completion Time after exceeding the limit allows for the restoration of the leaking PIV to OPERABLE status.
This timeframe considers the time required to complete this Action and the low probability of a second valve failing during this period.

B.1 and B.2

If leakage cannot be reduced, the system isolated, or other Required Actions accomplished, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours and to MODE 5 within 36 hours. This Action reduces the leakage and also reduces the potential for a LOCA outside the containment. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.15.1

Performance of leakage testing on each RCS PIV or isolation valve used to satisfy Required Action A.1 or A.2 is required to verify that leakage is below the specified limit and to identify each leaking valve. The leakage limit of 0.5 gpm per inch of nominal valve diameter up to 5 gpm maximum applies to each valve. Leakage testing requires a stable pressure condition.

For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage tested, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost.

Testing is to be performed every 9 months, but may be extended if the plant does not go into MODE 5 for at least 7 days. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, testing must be performed once after the valve has been opened by flow or exercised to ensure tight reseating. PIVs disturbed in the performance of this Surveillance should also be tested unless documentation shows that an infinite testing loop cannot practically be avoided. Testing must be performed within 24 hours after the valve has been reseated. Within 24 hours is a reasonable and practical time limit for performing this test after opening or reseating a valve. The SDC PIVs excepted in two of the three FREQUENCIES are UV-651, UV-652, UV-653, and UV-654, due to position indication of the valves in the control room.

Although not explicitly required by SR 3.4.15.1, performance of leakage testing to verify leakage is below the specified limit must be performed prior to returning a valve to service following maintenance, repair or replacement work on the valve in order to demonstrate operability.

The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2.
This permits leakage testing at high differential pressures with stable conditions not possible in the MODES with lower pressures.

Entry into MODES 3 and 4 is allowed to establish the necessary differential pressures and stable conditions to allow for performance of this Surveillance. The Note that allows this provision is complementary to the Frequency of prior to entry into MODE 2 whenever the unit has been in MODE 5 for 7 days or more, if leakage testing has not been performed in the previous 9 months. In addition, this Surveillance is not required to be performed on the SDC System when the SDC System is aligned to the RCS in the shutdown cooling mode of operation. PIVs contained in the SDC shutdown cooling flow path must be leakage rate tested after SDC is secured and stable unit conditions and the necessary differential pressures are established.

SR 3.4.15.2

Verifying that the SDC open permissive interlocks are OPERABLE, when tested as described in Reference 10, ensures that RCS pressure will not pressurize the SDC system beyond 125% of its design pressure of 485 psig. The interlock setpoint that prevents the valves from being opened is set so the actual RCS pressure must be <410 psia to open the valves. This setpoint ensures the SDC design pressure will not be exceeded and the SDC relief valves (Reference 9) will not lift. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
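
The per-valve acceptance check described in the LCO and SR 3.4.15.1 discussion above, as an added worked example in Python (not part of the Technical Specification Bases or any plant procedure): it applies the 0.5 gpm per nominal inch limit with the 5 gpm cap, scales a reading taken at reduced differential pressure by the square-root relationship, and evaluates each valve of a series pair individually. The valve tags, test readings and the 2000 psid maximum differential are constructed values, and the choice to take no downward credit when the test differential is at or above the maximum is an assumption of this example.

```python
"""PIV leakage acceptance check. Added example; all tags and readings are constructed."""
from dataclasses import dataclass
from math import sqrt

GPM_PER_NOMINAL_INCH = 0.5   # LCO limit per nominal inch of valve size
MAX_LIMIT_GPM = 5.0          # LCO cap, whatever the valve size


@dataclass(frozen=True)
class PivTest:
    tag: str                 # hypothetical valve tag
    nominal_size_in: float   # nominal valve size, inches
    observed_gpm: float      # leak rate measured during the test
    test_dp_psid: float      # differential pressure across the valve during the test


def piv_limit_gpm(nominal_size_in: float) -> float:
    """Allowable leakage for one valve: 0.5 gpm per nominal inch, capped at 5 gpm."""
    if nominal_size_in <= 0:
        raise ValueError("nominal valve size must be positive")
    return min(GPM_PER_NOMINAL_INCH * nominal_size_in, MAX_LIMIT_GPM)


def adjust_to_max_dp(observed_gpm: float, test_dp_psid: float, max_dp_psid: float) -> float:
    """Scale a reading to the maximum differential, assuming leakage ~ sqrt(dP)."""
    if observed_gpm < 0 or test_dp_psid <= 0 or max_dp_psid <= 0:
        raise ValueError("leak rate must be >= 0 and pressures must be > 0")
    if test_dp_psid >= max_dp_psid:
        # Assumption of this example: no downward credit for a test at or above max dP.
        return observed_gpm
    return observed_gpm * sqrt(max_dp_psid / test_dp_psid)


def evaluate_valve(test: PivTest, max_dp_psid: float) -> dict:
    """Compare one valve's adjusted leak rate with its own size-based limit."""
    adjusted = adjust_to_max_dp(test.observed_gpm, test.test_dp_psid, max_dp_psid)
    limit = piv_limit_gpm(test.nominal_size_in)
    return {
        "tag": test.tag,
        "limit_gpm": limit,
        "adjusted_gpm": adjusted,
        "within_limit": adjusted <= limit,
    }


def evaluate_series_pair(first: PivTest, second: PivTest, max_dp_psid: float) -> dict:
    """Evaluate two PIVs in series.

    Each valve must meet the limit on its own; a tight partner does not excuse
    a leaking valve. The identified LEAKAGE component known before operation is
    the lesser of the two individual rates (zero if either valve is leaktight).
    """
    results = [evaluate_valve(first, max_dp_psid), evaluate_valve(second, max_dp_psid)]
    return {
        "valves": results,
        "pair_acceptable": all(r["within_limit"] for r in results),
        "identified_leakage_gpm": min(r["adjusted_gpm"] for r in results),
    }


# Constructed sample data: two 4-inch valves in one line, one tested at reduced dP.
MAX_DP_PSID = 2000.0
SAMPLE_PAIR = (
    PivTest(tag="PIV-A", nominal_size_in=4.0, observed_gpm=1.2, test_dp_psid=500.0),
    PivTest(tag="PIV-B", nominal_size_in=4.0, observed_gpm=0.3, test_dp_psid=2000.0),
)

if __name__ == "__main__":
    outcome = evaluate_series_pair(*SAMPLE_PAIR, MAX_DP_PSID)
    for valve in outcome["valves"]:
        status = "OK" if valve["within_limit"] else "EXCEEDS LIMIT"
        print(f'{valve["tag"]}: {valve["adjusted_gpm"]:.2f} gpm adjusted, '
              f'limit {valve["limit_gpm"]:.2f} gpm -> {status}')
    print("pair acceptable:", outcome["pair_acceptable"])
    print("identified LEAKAGE component:", outcome["identified_leakage_gpm"], "gpm")
```

In the constructed data, PIV-A reads 1.2 gpm at a quarter of the maximum differential, which looks acceptable against its 2.0 gpm limit until the square-root adjustment raises it to 2.4 gpm.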

REFERENCES

1. 10 CFR 50.2.
2. 10 CFR 50.55a(c).
3. 10 CFR 50, Appendix A, Section V, GDC 55.
4. WASH-1400 (NUREG-75/014), Appendix V, October 1975.
5. NUREG-0677, May 1980.
6. UFSAR, Section 3.9.6.2.
7. ASME Code for Operation and Maintenance of Nuclear Power Plants.
8. 10 CFR 50.55a(g).
9. T.S. LCO 3.4.13 (LTOP).
10. UFSAR Section 7.6.2.2.1, (4.10).

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.16 RCS Leakage Detection Instrumentation

BASES

BACKGROUND

GDC 30 of Appendix A to 10 CFR 50 (Ref. 1) requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems. Leakage detection systems must have the capability to detect significant Reactor Coolant Pressure Boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential for propagation to a gross failure.
Thus, an early indication or warning signal is necessary to permit proper evaluation of all unidentified LEAKAGE.

Industry practice has shown that water flow changes of 0.5 gpm to 1.0 gpm can readily be detected in contained volumes by monitoring changes in water level, in flow rate, or in the operating frequency of a pump. The containment sump monitor consists of instrumentation used to monitor containment sump level and flow (pump run time). The containment sump used to collect unidentified LEAKAGE is instrumented to alarm if the rate of level increase corresponds to a sump inflow greater than 1 gpm for 1 hour (Ref. 3). This sensitivity is acceptable for detecting increases in unidentified LEAKAGE.

The reactor coolant contains radioactivity that, when released to the containment, can be detected by radiation monitoring instrumentation. Reactor coolant radioactivity levels will be low during initial reactor startup and for a few weeks thereafter until activated corrosion products have been formed and fission products appear from fuel element cladding contamination or cladding defects. Instrument sensitivities of 10⁻⁹ µCi/cc radioactivity for particulate monitoring and of 10⁻⁶ µCi/cc radioactivity for gaseous monitoring are practical for these leakage detection systems. Radioactivity detection systems are included for monitoring both particulate and gaseous activities, because of their sensitivities and responses to RCS LEAKAGE.

An increase in humidity of the containment atmosphere would indicate release of water vapor to the containment. Dew point temperature or relative humidity measurements can thus be used to monitor increasing humidity levels of the containment atmosphere as an indicator of potential RCS LEAKAGE. Since the humidity level is influenced by several factors, a quantitative evaluation of an indicated leakage rate by this means may be questionable and should be compared to observed increases in liquid flow into or from the containment sump.
Humidity level monitoring is considered most useful as an indirect alarm or indication to alert the operator to a potential problem. Humidity monitors are not required by this LCO. Air temperature and pressure monitoring methods may also be used to infer unidentified LEAKAGE to the containment.
Containment temperature and pressure fluctuate slightly during plant operation, but a rise above the normally indicated range of values may indicate RCS LEAKAGE into the containment. The relevance of temperature and pressure measurements is affected by containment free volume and, for temperature, detector location. Alarm signals from these instruments can be valuable in recognizing a sizable leakage to the containment. Temperature and pressure monitors are not required by this LCO.

APPLICABLE SAFETY ANALYSES

The need to evaluate the severity of an alarm or an indication is important to the operators, and the ability to compare and verify with indications from other systems is necessary. The RCS leakage detection instrumentation is described in the UFSAR (Ref. 3). Multiple instrument locations are utilized, if needed, to help identify the location of the LEAKAGE source.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area are necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, allowing them to take corrective action should leakage occur detrimental to the safety of the facility and the public.

RCS leakage detection instrumentation satisfies Criterion 1 of 10 CFR 50.36 (c)(2)(ii).

LCO

One method of protecting against large RCS LEAKAGE derives from the ability of instruments to detect extremely small leaks. This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide a high degree of confidence that extremely small leaks are detected in time to allow actions to place the plant in a safe condition when RCS LEAKAGE indicates possible RCPB degradation.

The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment sump monitor in combination with a particulate and gaseous radioactivity monitor (RU-1) provides an acceptable minimum. It has been determined that it is acceptable to continue to call the containment sump OPERABLE with one containment sump pump out of service.

APPLICABILITY

Because of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be OPERABLE.

In MODE 5 or 6, the temperature is 210°F and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1, 2, 3, and 4, the likelihood of leakage and crack propagation is much smaller. Therefore, the requirements of this LCO are not applicable in MODES 5 and 6.

ACTIONS

A.1 and A.2

If the containment sump monitor is inoperable, no other form of sampling can provide the equivalent information. However, the containment atmosphere radioactivity monitor will provide indications of changes in leakage. Together with the atmosphere monitor, the periodic surveillance for RCS water inventory balance, SR 3.4.14.1, must be performed at an increased frequency of 24 hours to provide information that is adequate to detect leakage.

Restoration of the sump monitor to OPERABLE status is required to regain the function in a Completion Time of 30 days after the monitor's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.1.

B.1.1, B.1.2, and B.2

With either the gaseous or particulate containment atmosphere radioactivity monitoring instrumentation channels inoperable, alternative action is required. Either grab samples of the containment atmosphere must be taken and analyzed, or water inventory balances, in accordance with SR 3.4.14.1, must be performed to provide alternate periodic information. With a sample obtained and analyzed or an inventory balance performed every 24 hours, the reactor may be operated for up to 30 days to allow restoration of both of the radioactivity monitors.

The 24 hour interval provides periodic information that is adequate to detect leakage. The 30 day Completion Time recognizes at least one other form of leakage detection is available.

C.1

If any Required Action of Condition A or B cannot be met within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1

If all required monitors are inoperable, no automatic means of monitoring leakage are available and immediate plant shutdown in accordance with LCO 3.0.3 is required.

SURVEILLANCE REQUIREMENTS

SR 3.4.16.1

SR 3.4.16.1 requires the performance of a CHANNEL CHECK of the required containment atmosphere radioactivity monitors. The check gives reasonable confidence the channel is operating properly. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.16.2

SR 3.4.16.2 requires the performance of a CHANNEL FUNCTIONAL TEST of the required containment atmosphere radioactivity monitors. The test ensures that the monitor can perform its function in the desired manner. The test verifies the alarm setpoint and relative accuracy of the instrument string. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The alarm setpoints for the containment building atmosphere monitor (RU-1) are:

particulate: 2.3 x 10⁻⁶ µCi/cc CS-137
gaseous: 6.6 x 10⁻² µCi/cc Xe-133

SR 3.4.16.3, SR 3.4.16.4

These SRs require the performance of a CHANNEL CALIBRATION for each of the RCS leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the instruments located inside containment. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, Section IV, GDC 30.
2. Regulatory Guide 1.45.
3. UFSAR, Section 5.2.5.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.17 RCS Specific Activity

BASES

BACKGROUND

The maximum dose that an individual at the exclusion area boundary can receive for 2 hours following an accident, or at the low population zone outer boundary for the radiological release duration, is specified in 10 CFR 100.11 (Ref. 1). Doses to control room operators must be limited per GDC 19. The limits on specific activity ensure that the offsite and control room doses are appropriately limited during analyzed transients and accidents.

The RCS specific activity LCO limits the allowable concentration level of radionuclides in the reactor coolant. The LCO limits are established to minimize the dose consequences in the event of a steam generator tube rupture (SGTR) accident.

The LCO contains specific activity limits for both DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133. The allowable levels are intended to ensure that offsite and control room doses meet the 10 CFR 100.11 (Ref. 1) and GDC 19 limits respectively.

APPLICABLE SAFETY ANALYSES

The LCO limits on the specific activity of the reactor coolant ensure that the resulting offsite and control room doses meet the 10 CFR 100.11 (Ref. 1) and GDC 19 limits following a SGTR accident. The safety analysis (Ref. 2) assumes the specific activity of the reactor coolant is at the LCO limits, and an existing reactor coolant steam generator (SG) tube leakage rate of 1.0 gpm exists. The safety analysis assumes the specific activity of the secondary coolant is at its limit of 0.1 µCi/gm DOSE EQUIVALENT I-131 from LCO 3.7.16, "Secondary Specific Activity."

The analysis for a SGTR accident establishes the acceptance limits for RCS specific activity. Reference to this analysis is used to assess changes to the unit that could affect RCS specific activity, as they relate to the acceptance limits.

The safety analysis considers two cases of reactor coolant iodine specific activity. One case assumes specific activity at 1.0 µCi/gm DOSE EQUIVALENT I-131 with a concurrent large iodine spike that increases the rate of release of iodine from the fuel rods containing cladding defects to the primary coolant immediately after a SGTR (by a factor of 335). The second case assumes the initial reactor coolant iodine activity at 60.0 µCi/gm DOSE EQUIVALENT I-131 due to an iodine spike caused by a reactor or an RCS transient prior to the accident. In both cases, the noble gas specific activity is assumed to be 550 µCi/gm DOSE EQUIVALENT XE-133.

The SGTR analysis assumes a rise in pressure in the ruptured SG causes radioactively contaminated steam to discharge to the atmosphere through the atmospheric dump valves or the main steam safety valves. The atmospheric discharge continues through an assumed stuck open atmospheric dump valve. The unaffected SG removes core decay heat by venting steam until the cooldown event ends and the Shutdown Cooling (SDC) system is placed in service.

Operation with iodine specific activity levels greater than the LCO limit is permissible, if the activity levels do not exceed 60.0 µCi/gm for more than 48 hours.

The limits on RCS specific activity are also used for establishing standardization in radiation shielding and plant personnel radiation protection practices.
RCS specific activity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO

The iodine specific activity in the reactor coolant is limited to 1.0 µCi/gm DOSE EQUIVALENT I-131, and the noble gas specific activity in the reactor coolant is limited to 550 µCi/gm DOSE EQUIVALENT XE-133. The limits on specific activity ensure that offsite and control room doses will meet the 10 CFR 100.11 (Ref. 1) and GDC 19 limits.

The SGTR accident analysis (Ref. 2) shows that the calculated doses are within acceptable limits. Violation of the LCO may result in reactor coolant radioactivity levels that could, in the event of a SGTR, lead to doses that exceed the 10 CFR 100.11 (Ref. 1) and GDC 19 limits.

APPLICABILITY

In MODES 1, 2, 3, and 4, operation within the LCO limits for DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133 is necessary to limit the potential consequences of a SGTR to within the 10 CFR 100.11 (Ref. 1) and GDC 19 limits.

In MODES 5 and 6, the steam generators are not being used for decay heat removal, the RCS and steam generators are depressurized, and primary to secondary leakage is minimal.
Therefore, the monitoring of RCS specific activity is not required.

ACTIONS

A.1 and A.2

With the DOSE EQUIVALENT I-131 greater than the LCO limit, samples at intervals of 4 hours must be taken to demonstrate that the specific activity is . The Completion Time of 4 hours is required to obtain and analyze a sample. Sampling is continued every 4 hours to provide a trend.

The DOSE EQUIVALENT I-131 must be restored to within limit within 48 hours. The Completion Time of 48 hours is acceptable since it is expected that, if there were an iodine spike, the normal coolant iodine concentration would be restored within this time period. Also, there is a low probability of a SGTR occurring during this time period.
A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S), relying on Required Actions A.1 and A.2 while the DOSE EQUIVALENT I-131 LCO limit is not met. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or proceeds to, power operation.

B.1

With the DOSE EQUIVALENT XE-133 greater than the LCO limit, DOSE EQUIVALENT XE-133 must be restored to within limit within 48 hours. The allowed Completion Time of 48 hours is acceptable since it is expected that, if there were a noble gas spike, the normal coolant noble gas concentration would be restored within this time period. Also, there is a low probability of a SGTR occurring during this time period.

A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S), relying on Required Action B.1 while the DOSE EQUIVALENT XE-133 LCO limit is not met. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or proceeds to, power operation.

C.1 and C.2

If the Required Action and associated Completion Time of Condition A or B is not met, or if the DOSE EQUIVALENT I-131 is > 60.0 µCi/gm, the reactor must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE REQUIREMENTS

SR 3.4.17.1

SR 3.4.17.1 requires performing a gamma isotopic analysis as a measure of the noble gas specific activity of the reactor coolant. This measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveillance provides an indication of any increase in the noble gas specific activity.

Trending the results of this Surveillance allows proper remedial action to be taken before reaching the LCO limit under normal operating conditions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT XE-133 is not detected, it should be assumed to be present at the minimum detectable activity.

SR 3.4.17.2

This Surveillance is performed to ensure iodine specific activity remains within limit during normal operation and following fast power changes when iodine spiking is more apt to occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Frequency, between 2 hours and 6 hours after a power change of ~15% RTP within a 1 hour period, is established because the iodine levels peak during this time following iodine spike initiation; samples at other times would provide inaccurate results.

If a specific iodine isotope listed in the definition of DOSE EQUIVALENT I-131 is not detected, it should be assumed to be present at the minimum detectable activity.
REFERENCES

1. 10 CFR 100.11
2. UFSAR, Section 15.6.3

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.18 Steam Generator (SG) Tube Integrity

BASES

BACKGROUND

Steam generator (SG) tubes are small diameter, thin walled tubes that carry primary coolant through the primary to secondary heat exchangers. The SG tubes have a number of important safety functions. SG tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary system's pressure and inventory. The SG tubes isolate the radioactive fission products in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface between the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function is addressed by LCO 3.4.4, "RCS Loops - MODES 1 and 2," LCO 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled."

SG tube integrity means that the tubes are capable of performing their intended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements.

SG tubing is subject to a variety of degradation mechanisms. SG tubes may experience tube degradation related to corrosion phenomena, such as wastage, pitting, intergranular attack, and stress corrosion cracking, along with other mechanically induced phenomena such as denting and wear. These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG tube degradation.

Specification 5.5.9, "Steam Generator (SG) Program," requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification 5.5.9, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE.
The SG performance criteria are described in Specification 5.5.9. Meeting the SG performance criteria provides reasonable assurance of maintaining tube integrity at normal and accident conditions. The processes used to meet the SG performance criteria are defined by the Steam Generator Program Guidelines (Ref. 1).
APPLICABLE SAFETY ANALYSES

The steam generator tube rupture (SGTR) accident is the limiting design basis event for SG tubes and avoiding an SGTR is the basis for this Specification. The analysis of a SGTR event assumes a bounding primary to secondary LEAKAGE rate equal to one gallon per minute (1440 gallons per day) in the unaffected SG plus the leakage rate associated with a double-ended rupture of a single tube. The SGTR accident analysis is described in UFSAR Section 15.6.3.

The analysis for design basis accidents and transients other than a SGTR assumes the SG tubes retain their structural integrity (i.e., they are assumed not to rupture). In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE of 0.5 gallon per minute (gpm) from each SG or 1 gpm from both SGs, or is assumed to increase to those levels as a result of accident induced conditions. For accidents that do not involve fuel damage, the primary coolant activity level is assumed to be equal to the LCO 3.4.17, "RCS Specific Activity," limits. For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damaged fuel. The dose consequences of these events are within the limits of GDC 19 (Ref. 2), 10 CFR 100 (Ref. 3) or the NRC approved licensing basis (e.g., a small fraction of these limits).

Steam generator tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the repair criteria be plugged in accordance with the Steam Generator Program.

During an SG inspection, any inspected tube that satisfies the Steam Generator Program repair criteria is removed from service by plugging. If a tube was determined to satisfy the repair criteria but was not plugged, the tube may still have tube integrity.

In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at the tube outlet. The tube-to-tubesheet weld is not considered part of the tube.

An SG tube has tube integrity when it satisfies the SG performance criteria. The SG performance criteria are defined in Specification 5.5.9, "Steam Generator Program,"
and describe acceptable SG tube performance. The Steam Generator Program also provides the evaluation process for determining conformance with the SG performance criteria. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE.
Failure to meet any one of these criteria is considered failure to meet the LCO.

The structural integrity performance criterion provides a margin of safety against tube burst or collapse under normal and accident conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tube burst is defined as, "The gross structural failure of the tube wall. The condition typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation." Tube collapse is defined as, "For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero." The structural integrity performance criterion provides guidance on assessing loads that have a significant effect on burst or collapse. In that context, the term "significantly" is defined as "An accident loading condition other than differential pressure is considered significant when the addition of such loads in the assessment of the structural integrity performance criterion could cause a lower structural limit or limiting burst/collapse condition to be established." For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circumferential degradation, the classification of axial thermal loads as primary or secondary loads will be evaluated on a case-by-case basis. The division between primary and secondary classifications will be based on detailed analysis and/or testing.
Structural integrity requires that the primary membrane stress intensity in a tube not exceed the yield strength for all ASME Code, Section III, Service Level A (normal operating conditions) and Service Level B (upset or abnormal conditions) transients included in the design specification.
This includes safety factors and applicable design basis loads based on ASME Code, Section III, Subsection NB (Ref. 4) and Draft Regulatory Guide 1.121 (Ref. 5).

The accident induced leakage performance criterion ensures that the primary to secondary LEAKAGE caused by a design basis accident, other than a SGTR, is within the accident analysis assumptions. The accident analysis assumes that accident induced leakage does not exceed 0.5 gpm from each SG or 1 gpm total from both SGs. The accident induced leakage rate includes any primary to secondary LEAKAGE existing prior to the accident in addition to primary to secondary LEAKAGE induced during the accident.

The operational LEAKAGE performance criterion provides an observable indication of SG tube conditions during plant operation. The limit on operational LEAKAGE is contained in LCO 3.4.14, "RCS Operational LEAKAGE," and limits primary to secondary LEAKAGE through any one SG to 150 gallons per day.
This limit is based on the assumption that a single crack leaking this amount would not propagate to a SGTR under the stress conditions of a LOCA or main steam line break. If this amount of LEAKAGE is due to more than one crack, the cracks are very small, and the above assumption is conservative.

APPLICABILITY

Steam generator tube integrity is challenged when the pressure differential across the tubes is large. Large differential pressures across SG tubes can only be experienced in MODE 1, 2, 3, or 4.

RCS conditions are far less challenging in MODES 5 and 6 than during MODES 1, 2, 3, and 4. In MODES 5 and 6, primary to secondary differential pressure is low, resulting in lower stresses and reduced potential for LEAKAGE.

ACTIONS

The ACTIONS are modified by a Note clarifying that the Conditions may be entered independently for each SG tube. This is acceptable because the Required Actions provide appropriate compensatory actions for each affected SG tube.
Complying with the Required Actions may allow for continued operation, and subsequent affected SG tubes are governed by subsequent Condition entry and application of associated Required Actions.

A.1 and A.2

Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube repair criteria but were not plugged in accordance with the Steam Generator Program as required by SR 3.4.18.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG repair criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must be completed that demonstrates that the SG performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integrity determination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection.
If it is determined that tube integrity is not being maintained, Condition B applies.

A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not have tube integrity.

If the evaluation determines that the affected tube(s) have tube integrity, Required Action A.2 allows plant operation to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported by an operational assessment that reflects the affected tube(s). However, the affected tube(s) must be plugged prior to entering MODE 4 following the next refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.

B.1 and B.2

If the Required Actions and associated Completion Times of Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the desired plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.18.1

During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program.
Use of the Steam Generator Program ensures that the inspection is appropriate and consistent with accepted industry practices. During SG inspections a condition monitoring assessment of the SG tubes is performed. The condition monitoring assessment determines the "as found" condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period. The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube repair criteria.
Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation. Inspection methods are a function of degradation morphology, non-destructive examination (NDE) technique capabilities, and inspection locations.

The Steam Generator Program defines the Frequency of SR 3.4.18.1. The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 6). The Steam Generator Program uses information on existing degradations and growth rates to determine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next scheduled inspection. In addition, Specification 5.5.9 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections.

SR 3.4.18.2

During an SG inspection, any inspected tube that satisfies the Steam Generator Program repair criteria is removed from service by plugging. The tube repair criteria delineated in Specification 5.5.9 are intended to ensure that the tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth.
In addition, the tube repair criteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.

The Frequency of "prior to entering MODE 4 following a SG inspection" ensures that the Surveillance has been completed and all tubes meeting the repair criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.
REFERENCES

1. NEI 97-06, "Steam Generator Program Guidelines."
2. 10 CFR 50 Appendix A, GDC 19.
3. 10 CFR 100.
4. ASME Boiler and Pressure Vessel Code, Section III, Subsection NB.
5. Draft Regulatory Guide 1.121, "Basis for Plugging Degraded Steam Generator Tubes," August 1976.
6. EPRI, "Pressurized Water Reactor Steam Generator Examination Guidelines."
B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.1 Safety Injection Tanks (SITs) - Operating

BASES

BACKGROUND

The functions of the four SITs are to supply water to the reactor vessel during the blowdown phase of a Loss of Coolant Accident (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a small break LOCA.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refill phase of a LOCA follows immediately where reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of the SITs' inventory is then available to help fill voids in the lower plenum and reactor vessel downcomer to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of Safety Injection (SI) water.

The SITs are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The SITs are passive components, since no operator or control action is required for them to perform their function. Internal tank pressure is sufficient to discharge the contents to the RCS, if RCS pressure decreases below the SIT pressure.

Each SIT is piped into one RCS cold leg via the injection lines utilized by the High Pressure Safety Injection and Low Pressure Safety Injection (HPSI and LPSI) Systems.
Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. The motor operated isolation valves are normally open, with power removed from the valve motor to prevent inadvertent closure prior to or during an accident.
Additionally, the isolation valves are interlocked with the pressurizer pressure instrumentation channels to ensure that the valves will automatically open as RCS pressure increases above SIT pressure and to prevent inadvertent closure prior to an accident. The valves also receive a Safety Injection Actuation Signal (SIAS) to open. These features ensure that the valves meet the requirements of the Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971 (Ref. 1) for "operating bypasses" and that the SITs will be available for injection without reliance on operator action.

During operations at RCS pressure greater than 430 psia the SIT isolation valves are procedurally locked open and motive power is removed with the breakers locked open, which is conservative with respect to SR 3.5.2.5. The open and closure interlocks are tested as described in UFSAR 7.6.2.2.2 (Reference 7). The open interlock is functionally tested per Reference 8 (TRM, T3.5 (ECCS); TSR 3.5.200.4). The SIAS function to open these valves is tested per Reference 8 using the method described in Reference 7.

The SIT gas and water volumes, gas pressure, and outlet pipe size are selected to allow three of the four SITs to partially recover the core before significant clad melting or zirconium water reaction can occur following a LOCA. The need to ensure that three SITs are adequate for this function is consistent with the LOCA assumption that the entire contents of one SIT will be lost via the break during the blowdown phase of a LOCA.

APPLICABLE SAFETY ANALYSES

The SITs are taken credit for in both the large and small break LOCA analyses at full power (Ref. 2).
These are the Design Basis Accidents (DBAs) that establish the acceptance limits for the SITs. Reference to the analyses for these DBAs is used to assess changes to the SITs as they relate to the acceptance limits. In performing the LOCA calculations, conservative assumptions are made concerning the availability of SI flow. These assumptions include signal generation time, equipment starting times, and delivery time due to system piping. In the early stages of a LOCA with a loss of offsite power, the SITs provide the sole source of makeup water to the RCS.  (The assumption of a loss of offsite power is required by regulations.)  This is because the LPSI pumps and HPSI pumps cannot deliver flow until the Diesel Generators (DGs) start, come to rated speed, and go through their timed loading sequence. In cold leg breaks, the entire contents of one SIT are assumed to be lost through the break during the blowdown and reflood phases. The limiting large break LOCA is a double ended guillotine cold leg break at the discharge of the reactor coolant pump.
During this event, the SITs discharge to the RCS as soon as RCS pressure decreases to below SIT pressure.

As a conservative estimate, the LBLOCA analysis does not take credit for the SI pump flow until the SITs are empty. The actual delay from the time that the pressurizer pressure reaches the SIAS setpoint to the time that the SI flow is delivered to the RCS does not exceed 30 seconds. No operator action is assumed during the blowdown stage of a large break LOCA.

The worst case small break LOCA also assumes a time delay before pumped flow reaches the core. For the larger range of small breaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated solely by the SITs, with pumped flow then providing continued cooling.
As break size decreases, the SITs and HPSI pumps both play a part in terminating the rise in clad temperature. As break size continues to decrease, the role of the SITs continues to decrease until they are not required, and the HPSI pumps become solely responsible for terminating the temperature increase.

This LCO helps to ensure that the following acceptance criteria, established by 10 CFR 50.46 (Ref. 3) for the ECCS, will be met following a LOCA:

a. Maximum fuel element cladding temperature is  2200°F;
b. Maximum cladding oxidation is  0.17 times the total cladding thickness before oxidation;
c. Maximum hydrogen generation from a zirconium water reaction is  0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; and
d. The core is maintained in a coolable geometry.

Since the SITs discharge during the blowdown phase of a LOCA, they do not contribute to the long term cooling requirements of 10 CFR 50.46.

Since the SITs are passive components, single active failures are not applicable to their operation. The SIT isolation valves and SIT nitrogen vent valves, however, are not single failure proof; therefore, whenever the SIT motor operated isolation valves are open, power is removed from their operators and the switch is key locked open. Whenever the SIT vent valves are closed, power is removed with a keylock switch.

These precautions ensure that the SITs are available during an accident (Ref. 4).
With power supplied to the valves, a single active failure could result in a valve failure, which would render one SIT unavailable for injection. If a second SIT is lost through the break, only two SITs would reach the core. Active failures that could affect the SITs would be the closure of a motor operated outlet valve or opening of a solenoid operated nitrogen vent valve; the requirement to remove power from these eliminates this failure mode.

The minimum volume requirement for the SITs ensures that three SITs can provide adequate inventory to reflood the core and downcomer following a LOCA. The downcomer then remains flooded until the HPSI and LPSI systems start to deliver flow.

The maximum volume limit is based on maintaining an adequate gas volume to ensure proper injection and the ability of the SITs to fully discharge, as well as limiting the maximum amount of boron inventory in the SITs.

A minimum of 1750 cubic feet of borated water, and a maximum of 1950 cubic feet of borated water are used in the safety analyses as the volume in the SITs. To allow for instrument inaccuracy, a 28% narrow range (corresponding to 1802 cubic feet) and a 72% narrow range (corresponding to 1914 cubic feet) are specified. The analyses are based upon the cubic feet requirements; the percentage figures are provided in the LCO for operator use because the level indicator provided in the control room is marked in percentages, not in cubic feet.

The minimum nitrogen cover pressure requirement ensures that the contained gas volume will generate discharge flow rates during injection that are consistent with those assumed in the safety analyses.

The maximum nitrogen cover pressure limit ensures that excessive amounts of gas will not be injected into the RCS after the SITs have emptied.
A minimum pressure of 588 psig and a maximum pressure of 637 psig are used in the analyses. To allow for instrument accuracy, a 600 psig minimum and 625 psig maximum are specified.

The maximum allowable boron concentration of 4400 ppm is based upon boron precipitation limits in the core following a LOCA. Establishing a maximum limit for boron is necessary since the time at which boron precipitation would occur in the core following a LOCA is a function of break location, break size, the amount of boron injected into the core, and the point of ECCS injection.
Post LOCA emergency procedures directing the operator to establish simultaneous hot and cold leg injection are based on the worst case minimum boron precipitation time.
Maintaining the maximum SIT boron concentration within the upper limit ensures that the SITs do not invalidate this calculation. An excessive boron concentration in any of the borated water sources used for injection during a LOCA could result in boron precipitation earlier than predicted. The 2300 ppm minimum boron concentration in the SITs assures that the back leakage from the RCS will not dilute the SITs below the minimum boron concentration in the safety analysis. The minimum safety analysis boron requirements of 2000 ppm are based on beginning of life reactivity values and are selected to ensure that the reactor will remain subcritical during the reflood stage of a large break LOCA.
During a large break LOCA, all Control Element Assemblies (CEAs) are assumed not to insert into the core, and the initial reactor shutdown is accomplished by void formation during blowdown. Sufficient boron concentration must be maintained in the SITs to prevent a return to criticality during reflood. Although this requirement is similar to the basis for the minimum boron concentration of the Refueling Water Tank (RWT), the minimum SIT concentration is lower than that of the RWT since the SITs need not account for dilution by the RCS during a large break LOCA.

The SITs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO establishes the minimum conditions required to ensure that the SITs are available to accomplish their core cooling safety function following a LOCA. Four SITs are required to be OPERABLE to ensure that 100% of the contents of three of the SITs will reach the core during a LOCA.
This is consistent with the assumption that the contents of one tank spill through the break. If the contents of fewer than three tanks are injected during the blowdown phase of a LOCA, the ECCS acceptance criteria of 10 CFR 50.46 (Ref. 3) could be violated.

For a SIT to be considered OPERABLE, the motor operated isolation valve must be fully open, power removed and the limits established in the SR for contained volume, boron concentration, and nitrogen cover pressure must be met.

APPLICABILITY

In MODES 1 and 2, and MODES 3 and 4 with pressurizer pressure ≥ 1837 psia, the SIT OPERABILITY requirements are based on an assumption of full power operation. Although cooling requirements decrease as power decreases, the SITs are still required to provide core cooling as long as elevated RCS pressures and temperatures exist.

The SIT functional requirements in MODES 3 and 4 with pressurizer pressure < 1837 psia are described in LCO 3.5.2, "SIT - Shutdown".

In MODE 4 with pressurizer pressure < 430 psia, the SIT motor operated isolation valves may be closed to isolate the SITs from the RCS but must remain energized. This allows RCS cooldown and depressurization without discharging the SITs into the RCS or requiring depressurization of the SITs.
In this situation, manual actions would be required to open the SIT motor operated isolation valves (i.e., a manually initiated SIAS). In MODES 5 and 6, the SITs are not required and the SIT motor operated isolation valves are closed as required to isolate the SITs from the RCS.
ACTIONS

A.1

If the boron concentration of one SIT is not within limits, the SIT must be returned to OPERABLE status within 72 hours.
If the boron concentration is not within limits, ability to maintain subcriticality or minimum boron precipitation time may be reduced, but the reduced concentration effects on core subcriticality during reflood are minor. Boiling of the ECCS water in the core during reflood concentrates the boron in the saturated liquid that remains in the core. In addition, the volume of the SIT is still available for injection. Since the boron requirements are based on the average boron concentration of the total volume of three SITs, the consequences are less severe than they would be if a SIT were not available for injection. Thus, 72 hours is allowed to return the boron concentration to within limits. If one SIT is inoperable due to the inability to verify level or pressure, the SIT must be returned to operable status within 72 hours. Section 7.4 of NUREG-1366 (Ref. 5) discusses surveillance requirements in technical specifications for the instrument channels used in the measurement of water level and pressure in SITs. The following statement is made in Section 7.4 of NUREG-1366 (Ref. 5):  "The combination of redundant level and pressure instrumentation [for any single SIT] may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument [with resulting radiation exposures during entry into containment] if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage for them.
The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where 'One accumulator [SIT] is inoperable due to the inoperability of water level and pressure channels,' in which the completion time to restore the accumulator to operable status will be 72 hours.
While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase in risk."
B.1

If one SIT is inoperable for a reason other than boron concentration or the inability to verify level or pressure, the SIT must be returned to OPERABLE status within 24 hours.
In this Condition, the required contents of three SITs cannot be assumed to reach the core during a LOCA. CE NPSD-994 (Ref. 6) provides a series of deterministic and probabilistic findings that support 24 hours as being either "risk beneficial" or "risk neutral" in comparison to shorter periods for restoring the SIT to OPERABLE status. CE NPSD-994 (Ref. 6) discusses best-estimate analysis for a typical PWR that confirmed that, during large-break LOCA scenarios, core melt can be prevented by either operation of one low pressure safety injection (LPSI) pump or the operation of one high pressure safety injection (HPSI) pump and a single SIT. CE NPSD-994 (Ref. 6) also discusses plant-specific probabilistic analysis that evaluated the risk-impact of the 24 hour recovery period in comparison to shorter recovery periods.

C.1 and C.2

If the SIT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 1837 psia within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. Specification 3.5.2, "SITs - Shutdown", further requires the plant to be in MODE 5 within 24 hours if the SIT inoperability was discovered but not restored while in the applicability of Specification 3.5.1, "SITs - Operating".

D.1

If more than one SIT is inoperable, the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.
SURVEILLANCE REQUIREMENTS

SR 3.5.1.1

Verification that each SIT isolation valve is fully open, as indicated in the control room, ensures that SITs are available for injection and ensures timely discovery if a valve should be partially closed. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.2 and SR 3.5.1.3

SIT borated water volume and nitrogen cover pressure should be verified to be within specified limits in order to ensure adequate injection during a LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.4

Frequency is reasonable for verification to determine that each SIT's boron concentration is within the required limits, because the static design of the SITs limits the ways in which the concentration can be changed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.1.5

Verification that power is removed from each SIT isolation valve operator ensures that an active failure could not result in the undetected closure of a SIT motor operated isolation valve. If this were to occur, only two SITs would be available for injection, given a single failure coincident with a LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.5 allows power to be supplied to the motor operated isolation valves when RCS pressure is < 1500 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA. At RCS pressures above the valve auto-open interlock, the maximum pressure at which the SIAS open signal will open the valves is limited by the valve operator differential pressure design capability.

REFERENCES

1. IEEE Standard 279-1971.
2. UFSAR, Section 6.
3. 10 CFR 50.46.
4. UFSAR, Chapter 15.
5. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements," December 1992.
6. CE NPSD-994, "CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," May 1995.
7. UFSAR Section 7.6.2.2.2.
8. TRM T3.5 (ECCS); TSR 3.5.200.4

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.2 SITs - Shutdown

BASES

The functions of the four SITs are to supply water to the reactor vessel during the blowdown phase of a Loss of Coolant Accident (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a small break LOCA.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refill phase of a LOCA follows immediately where reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of the SITs' inventory is then available to help fill voids in the lower plenum and reactor vessel downcomer to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of Safety Injection (SI) water.

The SITs are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The SITs are passive components, since no operator or control action is required for them to perform their function. Internal tank pressure is sufficient to discharge the contents to the RCS, if RCS pressure decreases below the SIT pressure.
Each SIT is piped into one RCS cold leg via the injection lines utilized by the High Pressure Safety Injection and Low Pressure Safety Injection (HPSI and LPSI) Systems. Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. The motor operated isolation valves are normally open, with power removed from the valve motor to prevent inadvertent closure prior to or during an accident.

Additionally, the SIT motor operated isolation valves are interlocked with the pressurizer pressure instrumentation channels to ensure that the valves will automatically open as RCS pressure increases above SIT pressure and to prevent inadvertent closure prior to an accident. The valves also receive a Safety Injection Actuation Signal (SIAS) to open.
These features ensure that the valves meet the requirements of the Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971 (Ref. 1) for "operating bypasses" and that the SITs will be available for injection without reliance on operator action. During operations at RCS pressure greater than 430 psia, the SIT isolation valves are procedurally locked open and motive power is removed with the breakers locked open, which is conservative with respect to SR 3.5.2.5. The open and closure interlocks are tested as described in UFSAR 7.6.2.2.2 (Reference 6). The open interlock is tested per TRM T3.5 (ECCS); TSR 3.5.200.4 (Reference 7).
The SIAS function to open these valves is tested by Reference 7 using the method described in Reference 6.

The SIT gas and water volumes, gas pressure, and outlet pipe size are selected to allow one less than the required SITs to partially recover the core before significant clad melting or zirconium water reaction can occur following a LOCA. The need to ensure that one less than the required SITs are adequate for this function is consistent with the LOCA assumption that the entire contents of one SIT will be lost via the break during the blowdown phase of a LOCA.

APPLICABLE SAFETY ANALYSES

Due to the reduced decay heat removal requirements in MODES 3 and 4, and the reduced probability of a Design Basis Accident (DBA), the SIT operational requirements are reduced. The operational requirement allows either three or four SITs to be OPERABLE with a reduced borated water volume.
Since the SITs are passive components, single active failures are not applicable to their operation. The SIT isolation valves and SIT nitrogen vent valves, however, are not single failure proof; therefore, whenever the SIT motor operated isolation valves are open, power is removed from their operators, and the switch is key locked open.
Whenever the SIT vent valves are closed, power is removed with a keylock switch. These precautions ensure that the SITs are available during an accident (Ref. 3).

With power supplied to the valves, a single active failure could result in a valve failure, which would render one of the required SITs unavailable for injection. If a second required SIT is lost through the break, only the remaining required SIT(s) would reach the core. Active failures that could affect the SITs would be the closure of a motor operated outlet valve or opening of a solenoid operated nitrogen vent valve; the requirement to remove power from these eliminates this failure mode. Power is removed from the SIT isolation valves and nitrogen vent valves when pressurizer pressure is ≥ 1500 psia. This is consistent with the minimum LOCA analysis pressure of 1600 psia. During operations at RCS pressure greater than 430 psia, the SIT isolation valves are procedurally locked open and motive power is removed with the breakers locked open, which is conservative with respect to SR 3.5.2.5.

The minimum volume requirement for the required SITs, assuming one SIT is not available, ensures that the SITs can provide adequate inventory to reflood the core and downcomer following a LOCA. The downcomer then remains flooded until the HPSI and LPSI systems start to deliver flow. The maximum volume limit is based on maintaining an adequate gas volume to ensure proper injection and the ability of the SITs to fully discharge, as well as limiting the maximum amount of boron inventory in the SITs.
For three OPERABLE SITs, the safety analysis uses a minimum of 1361 cubic feet of borated water and a maximum of 2000 cubic feet of borated water. To allow for instrument inaccuracy, a 60% wide range level (corresponding to 1451.5 cubic feet) and an 83% wide range level (corresponding to 1914 cubic feet) are specified.

For four OPERABLE SITs, the safety analysis uses a minimum of 908 cubic feet of borated water and a maximum of 2000 cubic feet of borated water. To allow for instrument inaccuracy, a 39% wide range level (corresponding to 1029.2 cubic feet) and an 83% wide range level (corresponding to 1914 cubic feet) are specified.

The percentage figures are provided in the LCO for operator use because the level indicator provided in the control room is marked in percentage, not in cubic feet.

The minimum nitrogen cover pressure requirement ensures that the contained gas volume will generate discharge flow rates during injection that are consistent with those assumed in the safety analyses. The maximum nitrogen cover pressure limit ensures that excessive amounts of gas will not be injected into the RCS after the SITs have emptied. A minimum pressure of 235 psig and a maximum pressure of 637 psig are used in the analyses. To allow for instrument accuracy, a 260 psig minimum and 625 psig maximum are specified.

The maximum allowable boron concentration of 4400 ppm is based upon boron precipitation limits in the core following a LOCA. Establishing a maximum limit for boron is necessary since the time at which boron precipitation would occur in the core following a LOCA is a function of break location, break size, the amount of boron injected into the core, and the point of ECCS injection.
Post LOCA emergency procedures directing the operator to establish simultaneous hot and cold leg injection are based on the worst case minimum boron precipitation time.
Maintaining the maximum SIT boron concentration within the upper limit ensures that the SITs do not invalidate this calculation. An excessive boron concentration in any of the borated water sources used for injection during a LOCA could result in boron precipitation earlier than predicted.
The 2300 ppm minimum boron concentration in the SITs assures that the back leakage from the RCS will not dilute the SITs below the minimum boron concentration in the safety analysis. The minimum safety analysis boron requirements of 2000 ppm are based on beginning of life reactivity values and are selected to ensure that the reactor will remain subcritical during the reflood stage of a large break LOCA.
Sufficient boron concentration must be maintained in the SITs to prevent a return to criticality during reflood.
Although this requirement is similar to the basis for the minimum boron concentration of the Refueling Water Tank (RWT), the minimum SIT concentration is lower than that of the RWT since the SITs need not account for dilution by the RCS.

SIT-Shutdown satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

In MODES 3 and 4 with pressurizer pressure less than 1837 psia, the LCO establishes the minimum conditions required to ensure that the required SITs are available to accomplish their core cooling safety function following a LOCA. The number of SITs required to be OPERABLE is based on the minimum required volume that will reach the core during a LOCA, assuming a single failure. This is consistent with the assumption that the contents of one tank spill through the break. If the contents of less than the remaining required tanks are injected during the blowdown phase of a LOCA, the ECCS acceptance criteria of 10 CFR 50.46 (Ref. 2) could be violated.

For a required SIT to be considered OPERABLE, the motor operated isolation valve must be fully open when pressurizer pressure is ≥ 430 psia, power removed when pressurizer pressure is ≥ 1500 psia, and the limits established in the SR for contained volume, boron concentration, and nitrogen cover pressure must be met.
APPLICABILITY

In MODES 1 and 2, and MODES 3 and 4 with pressurizer pressure ≥ 1837 psia, the OPERABILITY requirements for SITs are covered by LCO 3.5.1.

In MODES 3 and 4 with pressurizer pressure < 1837 psia, the reduced borated water volume requirement is acceptable, based on the stable reactivity condition of the reactor and the limited core cooling requirements.

In MODE 4 with pressurizer pressure < 430 psia, the SIT motor operated isolation valves may be closed to isolate the SITs from the RCS but must remain energized. This allows RCS cooldown and depressurization without discharging the SITs into the RCS or requiring depressurization of the SITs.
In this situation, manual actions would be required to open the SIT motor operated isolation valves (i.e., manually initiated SIAS).

In MODES 5 and 6, the SITs are not required and the SIT motor operated isolation valves are closed as required to isolate the SITs from the RCS.

ACTIONS

A.1

If the boron concentration of one of the required SITs is not within limits, it must be returned to within the limits within 72 hours. In this condition, ability to maintain subcriticality or minimum boron precipitation time may be reduced, but the reduced concentration effects on core subcriticality during reflood are minor. Boiling of the ECCS water in the core during reflood concentrates the boron in the saturated liquid that remains in the core. In addition, the volume of the SIT is still available for injection. Since the boron requirements are based on the average boron concentration of the total volume of the required SITs assuming a single failure, the consequences are less severe than they would be if a SIT were not available for injection. Thus, 72 hours is allowed to return the boron concentration to within limits.
If one of the required SITs is inoperable due to the inability to verify level or pressure, the SIT must be returned to operable status within 72 hours. Section 7.4 of NUREG-1366 (Ref. 4) discusses surveillance requirements in technical specifications for the instrument channels used in the measurement of water level and pressure in SITs. The following statement is made in Section 7.4 of NUREG-1366 (Ref. 4):

"The combination of redundant level and pressure instrumentation [for any single SIT] may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument [with resulting radiation exposures during entry into containment] if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage for them.
The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where 'One accumulator [SIT] is inoperable due to the inoperability of water level and pressure channels,' in which the completion time to restore the accumulator to operable status will be 72 hours.
While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase in risk."
B.1

If one SIT is inoperable for a reason other than boron concentration or the inability to verify level or pressure, the SIT must be returned to OPERABLE status within 24 hours. In this Condition, the required contents of three SITs cannot be assumed to reach the core during a LOCA. CE NPSD-994 (Ref. 5) provides a series of deterministic and probabilistic findings that support 24 hours as being either "risk beneficial" or "risk neutral" in comparison to shorter periods for restoring the SIT to OPERABLE status. CE NPSD-994 (Ref. 5) discusses best-estimate analysis for a typical PWR that confirmed that, during large-break LOCA scenarios, core melt can be prevented by either operation of one low pressure safety injection (LPSI) pump or the operation of one high pressure safety injection (HPSI) pump and a single SIT. CE NPSD-994 (Ref. 5) also discusses plant-specific probabilistic analysis that evaluated the risk-impact of the 24 hour recovery period in comparison to shorter recovery periods.

C.1

If the inoperability of the required SIT was discovered but not restored while the plant was within the applicability of specification 3.5.1, "SITs - Operating", the plant must be brought to a MODE in which the LCO does not apply. The time allowed for restoration in specification 3.5.1 is adequate and may not be duplicated, for the same condition, when in specification 3.5.2, "SITs - Shutdown". If the required SIT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 5 within 24 hours.
The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions in an orderly manner and without challenging plant systems.

D.1

If more than one of the required SITs is inoperable, the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.
SURVEILLANCE REQUIREMENTS

SR 3.5.2.1

Verification that each required SIT isolation valve is fully open when pressurizer pressure is ≥ 430 psia, as indicated in the control room, ensures that the required SITs are available for injection and ensures timely discovery if a valve should be partially closed. If a required isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 and SR 3.5.2.3

Borated water volume and nitrogen cover pressure for the required SITs should be verified to be within specified limits in order to ensure adequate injection during a LOCA.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.4

Frequency is reasonable for verification to determine that each required SIT's boron concentration is within the required limits, because the static design of the SITs limits the ways in which the concentration can be changed.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.5

Verification that power is removed from each required SIT isolation valve operator when the pressurizer pressure is ≥ 1500 psia ensures that an active failure could not result in the undetected closure of a SIT motor operated isolation valve. If this were to occur, two less than the required SITs would be available for injection, given a single failure coincident with a LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR allows power to be supplied to the motor operated isolation valves when pressurizer pressure is < 1500 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA. At RCS pressures above the valve auto-open interlock, the maximum pressure at which the SIAS open signal will open the valves is limited by the valve operator differential pressure design capability.

REFERENCES

1. IEEE Standard 279-1971.
2. 10 CFR 50.46.
3. UFSAR, Chapter 15.
4. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements," December 1992.
5. CE NPSD-994, "CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," May 1995.
6. UFSAR Section 7.6.2.2.2.
7. TRM T3.5 (ECCS); TSR 3.5.200.4

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.3 ECCS - Operating

BASES

BACKGROUND

The function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:

a. Loss of Coolant Accident (LOCA);
b. Control Element Assembly (CEA) ejection accident;
c. Loss of secondary coolant accident, including uncontrolled steam release or loss of feedwater; and
d. Steam Generator Tube Rupture (SGTR).

The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where primary cooldown could add enough positive reactivity to achieve criticality and return to significant power.

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs. After the blowdown stage of the LOCA stabilizes, injection flow is split equally between the hot and cold legs. After the Refueling Water Tank (RWT) has been depleted, the ECCS recirculation phase is entered as the ECCS suction is automatically transferred to the containment sump.

Two redundant, 100% capacity trains are provided. In MODES 1, 2, and 3, with pressurizer pressure  1837 psia or with RCS Tc  485°F each train consists of High Pressure Safety Injection (HPSI) and Low Pressure Safety Injection (LPSI) subsystems. In MODES 1, 2, and 3, with pressurizer pressure  1837 psia or with RCS Tc  485°F both trains must be OPERABLE. This ensures that 100% of the core cooling requirements can be provided in the event of a single active failure.
A suction header supplies water from the RWT or the containment sump to the ECCS pumps. Separate piping supplies each train. The discharge headers from each HPSI pump divide into four supply lines. Both HPSI trains feed into each of the four injection lines. The discharge header from each LPSI pump divides into two supply lines, each feeding the injection line to two RCS cold legs. Control valves or orifices are set to balance the flow to the RCS.
This flow balance directs sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs.

The Safety Injection (SI) systems are actuated upon receipt of an SIAS. The actuation of safeguard loads is accomplished in a programmed time sequence. If offsite power is available, the safeguard loads start immediately in the programmed sequence. If offsite power is not available, the Engineered Safety Feature (ESF) buses shed normal operating loads and are connected to the Diesel Generators (DGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, sequenced loading, and pump starting determines the time required before pumped flow is available to the core following a LOCA.

The active ECCS components, along with the passive Safety Injection Tanks (SITs) and the RWT, covered in LCO 3.5.1, "Safety Injection Tanks (SITs)-Operating"; LCO 3.5.2, "SITs-Shutdown"; and LCO 3.5.5, "Refueling Water Tank (RWT)," provide the cooling water necessary to meet GDC 35 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The LCO helps to ensure that the following acceptance criteria, established by 10 CFR 50.46 (Ref. 2) for ECCSs, will be met following a LOCA:

a. Maximum fuel element cladding temperature is  2200°F;
b. Maximum cladding oxidation is  0.17 times the total cladding thickness before oxidation;
c. Maximum hydrogen generation from a zirconium water reaction is  0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;
d. Core is maintained in a coolable geometry; and
e. Adequate long term core cooling capability is maintained.

The LCO also limits the potential for a post trip return to power following a Steam Line Break (SLB) and ensures that containment temperature limits are met.

Both HPSI and LPSI subsystems are assumed to be OPERABLE in the large break LOCA analysis at full power (Ref. 3). This analysis establishes a minimum required runout flow for the HPSI and LPSI pumps, as well as the maximum required response time for their actuation. The HPSI pumps are credited in the small break LOCA analysis. This analysis establishes the flow and discharge head requirements at the design point for the HPSI pump. The SGTR and SLB analyses also credit the HPSI pumps, but are not limiting in their design.

The large break LOCA event with a loss of offsite power and a single failure (disabling one ECCS train) establishes the OPERABILITY requirements for the ECCS. During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large breaks or CEA insertion during small breaks.
Following depressurization, emergency cooling water is injected into the cold legs, flows into the downcomer, fills the lower plenum, and refloods the core. On smaller breaks, RCS pressure will stabilize at a value dependent upon break size, heat load, and injection flow.
The smaller the break, the higher this equilibrium pressure.
In all LOCA analyses, injection flow is not credited until RCS pressure drops below the shutoff head of the HPSI pumps.
The LCO ensures that an ECCS train will deliver sufficient water to match decay heat boiloff rates soon enough to minimize core uncovery for a large LOCA. It also ensures that the HPSI pump will deliver sufficient water during a small break LOCA and provide sufficient boron to maintain the core subcritical following an SLB.

ECCS - Operating satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

In MODES 1, 2, and 3, with pressurizer pressure  1837 psia or with RCS Tc  485°F two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is available, assuming there is a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.

In MODES 1 and 2, and in MODE 3 with pressurizer pressure 1837 psia or with RCS Tc  485°F an ECCS train consists of a HPSI subsystem and a LPSI subsystem. Each train includes the piping, instruments, valves, and controls to ensure the availability of an OPERABLE flow path capable of taking suction from the RWT on a SIAS and automatically transferring suction to the containment sump upon a Recirculation Actuation Signal (RAS).

During an event requiring ECCS actuation, a flow path is provided to ensure an abundant supply of water from the RWT to the RCS, via the HPSI and LPSI pumps and their respective supply headers, to each of the four cold leg injection nozzles.
In the long term (post RAS), this flow path is manually switched two to three hours after a LOCA to supply part of its HPSI flow to the RCS hot legs via the HPSI hot leg injection valves which connect to the Shutdown Cooling (SDC) suction nozzles.
Simultaneous hot and cold leg injection will maintain core cooling and boric acid flushing following a large break LOCA.

The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.

APPLICABILITY

In MODES 1 and 2, and in MODE 3 with RCS pressure  1837 psia or with RCS Tc  485°F the ECCS OPERABILITY requirements for the limiting Design Basis Accident (DBA) large break LOCA are based on full power operation.
Although reduced power would not require the same level of performance, the accident analysis does not provide for reduced cooling requirements in the lower MODES. The HPSI pump performance is based on the small break LOCA, which establishes the pump performance curve and has less dependence on plant power. The minimum Tc is based on the ECCS OPERABILITY requirements for a MODE 3 steam line break with a stuck rod and a single HPSI failure to prevent a return to power. The requirements of MODES 2 and 3, with RCS pressure  1837 psia or with RCS Tc  485°F, are bounded by the MODE 1 analysis.

The ECCS functional requirements of MODE 3, with RCS pressure < 1837 psia and with RCS Tc < 485°F, and MODE 4 are described in LCO 3.5.4, "ECCS - Shutdown."

In MODES 5 and 6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level."
ACTIONS

A.1

Condition A addresses the specific condition where the only affected ECCS subsystem is a single LPSI subsystem. The availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is implicit in the definition of Condition A.

If LCO 3.5.3 requirements are not met due only to the existence of Condition A, then the inoperable LPSI subsystem components must be returned to OPERABLE status within 7 days of discovery of Condition A. This 7 day Completion Time is based on the findings of the deterministic and probabilistic analysis that are discussed in Reference 6. Seven days is a reasonable amount of time to perform many corrective and preventative maintenance items on the affected LPSI subsystem. Reference 6 concluded that the overall risk impact of this Completion Time was either risk-beneficial or risk-neutral. The Configuration Risk Management Program (CRMP) in TRM Section 5.0.500.19 applies when Condition A is entered.

B.1

If one or more ECCS trains are inoperable, except for reasons other than Condition A (one LPSI subsystem inoperable), and at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is available, the inoperable components must be returned to OPERABLE status within 72 hours. The 72 hour Completion Time is based on an NRC study (Ref. 4) using a reliability evaluation and is a reasonable amount of time to effect many repairs.

An ECCS train is inoperable if it is not capable of delivering the design flow to the RCS. The individual components are inoperable if they are not capable of performing their design function, or if supporting systems are not available.
The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of function for the ECCS. The intent of this Condition is to maintain a combination of OPERABLE equipment such that 100% of the ECCS flow equivalent to 100% of a single OPERABLE train remains available. This allows increased flexibility in plant operations when components in opposite trains are inoperable.

An event accompanied by a loss of offsite power and the failure of an emergency DG can disable one ECCS train until power is restored. A reliability analysis (Ref. 4) has shown that the impact with one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours.

With one or more components inoperable, such that 100% of the equivalent flow to a single OPERABLE ECCS train is not available, the facility is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be immediately entered.

C.1, C.2, and C.2

If the inoperable train cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 1837 psia and RCS Tc reduced to < 485°F within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS

SR 3.5.3.1

Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This Surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.2

With the exception of systems in operation, the ECCS pumps are normally in a standby, nonoperating mode. As such, flow path piping has the potential to develop voids and pockets of entrained gases. The method of ensuring that any voids or pockets of gases are removed from the ECCS piping is to vent the accessible discharge piping high points, which is controlled by PVNGS procedures. Maintaining the piping from the ECCS pumps to the RCS full of water ensures that the system will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent water hammer, pump cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an SIAS or during SDC. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.3.3

Periodic surveillance testing of ECCS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME OM Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the unit safety analysis. SRs are specified in the Inservice Testing Program, which encompasses the ASME OM Code (Ref. 7). The frequency of this SR is in accordance with the Inservice Testing Program.

SR 3.5.3.4, SR 3.5.3.5, and SR 3.5.3.6

These SRs demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SIAS and on an RAS, that each ECCS pump starts on receipt of an actual or simulated SIAS, and that the LPSI pumps stop on receipt of an actual or simulated RAS. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The following valve actuations must be verified: on an actual or simulated recirculation actuation signal, the containment sump isolation valves open, and the HPSI, LPSI and CS minimum bypass recirculation flow line isolation valves and combined SI mini flow valve close.
SR 3.5.3.7

Realignment of valves in the flow path on an SIAS is necessary for proper ECCS performance. The safety injection valves have stops to position them properly so that flow is restricted to a ruptured cold leg, ensuring that the other cold legs receive at least the required minimum flow. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. These valves are also monitored in accordance with the requirements of 10 CFR 50.65 (Ref. 5).

SR 3.5.3.8

Periodic inspection of the containment sump ensures that it is unrestricted and stays in proper operating condition. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 35.
2. 10 CFR 50.46.
3. UFSAR, Chapter 6.
4. NRC Memorandum to V. Stello, Jr., from R. L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
5. 10 CFR 50.65.
6. Combustion Engineering Owners Group Joint Applications Report for Low Pressure Safety Injection System AOT Extension, CE NPSD-995, dated May 1995, as submitted to NRC in APS letter no. 102-03392, dated June 13, 1995, with updates described in letter no. 102-04250 dated February 26, 1999. Also see TS amendment no. 124 dated February 1, 2000.
7. ASME Code for Operation and Maintenance of Nuclear Power Plants.
B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)
B 3.5.4  ECCS - Shutdown

BASES

BACKGROUND

The Background section for Bases B 3.5.3, "ECCS - Operating," is applicable to these Bases, with the following modifications.

In MODE 3 with pressurizer pressure < 1837 psia and RCS Tc < 485°F, and in MODE 4, an ECCS train is defined as one High Pressure Safety Injection (HPSI) subsystem. The HPSI flow path consists of piping, valves, and pumps that enable water from the Refueling Water Tank (RWT) on a SIAS signal to be injected into the Reactor Coolant System (RCS) and automatically transferring HPSI suction to the containment sump on a Recirculation Actuation Signal (RAS) following the accidents described in Bases 3.5.3.

APPLICABLE SAFETY ANALYSES

The Applicable Safety Analyses section of Bases 3.5.3 is applicable to these Bases.

Due to the stable conditions associated with operation in MODE 3 with pressurizer pressure < 1837 psia and with RCS Tc < 485°F and in MODE 4, and the reduced probability of a Design Basis Accident (DBA), the ECCS operational requirements are reduced. In this MODE, sufficient time exists for manual actuation of the required ECCS to mitigate the complete severance of the largest line connected to the RCS, i.e., a Safety Injection inlet line.

Only one train of ECCS is required for MODE 4. Protection against single failures is not relied on for this MODE of operation.

ECCS - Shutdown satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

In MODE 3 with pressurizer pressure < 1837 psia and with RCS Tc < 485°F and in MODE 4 an ECCS subsystem is composed of a single HPSI subsystem. Each HPSI subsystem includes the piping, instruments, valves, and controls to ensure an OPERABLE flow path capable of taking suction from the RWT and transferring suction to the containment sump.

During an event requiring ECCS actuation, a flow path is required to supply water from the RWT to the RCS via the HPSI pumps and their respective supply headers to each of the four cold leg injection nozzles. In the long term (post RAS), this flow path is manually switched 2 to 3 hours after a LOCA to supply part of its HPSI flow to the RCS hot legs via the HPSI hot leg injection valves which connect to the Shutdown Cooling (SDC) suction nozzles.

With RCS pressure < 1837 psia and with RCS Tc < 485°F, one HPSI pump is acceptable without single failure consideration, based on the stable reactivity condition of the reactor and the limited core cooling requirements. The Low Pressure Safety Injection (LPSI) pumps may therefore be released from the ECCS train for use in SDC.

APPLICABILITY

In MODES 1, 2, and 3 with RCS pressure  1837 psia or with RCS Tc  485°F, the OPERABILITY requirements for ECCS are covered by LCO 3.5.3.

In MODE 3 with RCS pressure < 1837 psia and with RCS Tc < 485°F and in MODE 4, one OPERABLE ECCS train is acceptable without single failure consideration, based on the stable reactivity condition of the reactor and the limited core cooling requirements.

In MODES 5 and 6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level."
A note prohibits the application of LCO 3.0.4.b to an inoperable ECCS high pressure safety injection subsystem. There is an increased risk associated with entering MODE 4 from MODE 5 with an inoperable ECCS high pressure safety injection subsystem and the provisions of LCO 3.0.4.b which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

ACTIONS

A.1

With no HPSI pump OPERABLE, the unit is not prepared to respond to a loss of coolant accident. The 1 hour Completion Time to restore at least one HPSI train to OPERABLE status ensures that prompt action is taken to restore the required cooling capacity or to initiate actions to place the unit in MODE 5, where an ECCS train is not required.

B.1

When the Required Action cannot be completed within the required Completion Time, a controlled shutdown should be initiated. Twenty-four hours is reasonable, based on operating experience, to reach MODE 5 in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.4.1

The applicable Surveillance descriptions from Bases 3.5.3 apply as they pertain to the required HPSI train.

REFERENCES

The applicable references from Bases 3.5.3 apply as they pertain to the required HPSI train.
B 3.5  EMERGENCY CORE COOLING SYSTEMS (ECCS)
B 3.5.5  Refueling Water Tank (RWT)

BASES

BACKGROUND

The RWT supports the ECCS and the Containment Spray System by providing a source of borated water for Engineered Safety Feature (ESF) pump operation.

The RWT supplies two ECCS trains by separate, redundant supply headers. Each header also supplies one train of the Containment Spray System. A motor operated isolation valve is provided in each header to allow the operator to isolate the usable volume of the RWT from the ECCS after the ESF pump suction has been transferred to the containment sump following depletion of the RWT during a Loss of Coolant Accident (LOCA). A separate header is used to supply the Chemical and Volume Control System (CVCS) from the RWT. Use of a single RWT to supply both trains of the ECCS is acceptable since the RWT is a passive component, and passive failures are not assumed to occur coincidently with the Design Basis Event during the injection phase of an accident. Not all the water stored in the RWT is available for injection following a LOCA; the location of the ECCS suction piping in the RWT will result in some portion of the stored volume being unavailable.

The High Pressure Safety Injection (HPSI), Low Pressure Safety Injection (LPSI), and containment spray pumps are provided with recirculation lines that ensure each pump can maintain minimum flow requirements when operating at shutoff head conditions. These lines discharge back to the RWT.
The RWT vents to the Fuel Building Ventilation System. When the suction for the HPSI and containment spray pumps is transferred to the containment sump, this flow path must be isolated to prevent a release of the containment sump contents to the RWT. If not isolated, this flow path could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ESF pumps.

This LCO ensures that:

a. The RWT contains sufficient borated water to support the ECCS and Containment Spray System during the injection phase;
b. Sufficient water volume exists in the containment sump to support continued operation of the ESF pumps at the time of transfer to the recirculation mode of cooling; and
c. The reactor remains subcritical following a LOCA.

Insufficient water inventory in the RWT could result in (1) insufficient cooling capacity of the ECCS and Containment Spray System, or (2) insufficient water level to support continued ESF pump operation when the transfer to the recirculation mode occurs. Improper boron concentrations could result in a reduction of SDM or excessive boric acid precipitation in the core following a LOCA, as well as excessive caustic stress corrosion of mechanical components and systems inside containment.

The RWT also provides a source of borated water to the charging system for makeup to the RCS to compensate for contraction of the RCS coolant during plant cooldown while maintaining adequate shutdown margin. Although this charging system boration function is not required to be in a Technical Specification LCO per 10 CFR 50.36(c)(2)(ii) criteria, the RWT volume requirements of Figure 3.5.5-1 include this function in order to provide the plant operators with a single requirement for RWT volume.
The table below provides the required RWT level at selected RCS average temperature values, corresponding to Figure 3.5.5-1. The RWT volume is the total volume of water in the RWT above the vortex breaker. This volume includes the volumes required to be transferred, as discussed below, an allowance for instrument uncertainty, and the volume that will remain in the RWT after the switch over to the recirculation mode.

RWT Required Level at RCS Temperatures

RCS Temperature (F)    RWT Required Level    RWT Volume *
average                Indicated (%)         (Gallons)
210                    81.2                  611,000
250                    81.4                  613,000
300                    81.8                  615,000
350                    82.1                  618,000
400                    82.5                  621,000
450                    83.0                  624,000
500                    83.5                  628,000
565                    84.3                  634,000
600                    84.3                  634,000

* The volumes include instrument uncertainty and have been rounded up or down to the nearest 1,000 gallons.
RWT B 3.5.5 BASES  _______________________________________________________________________________  (continued)  ______________________________________________________________________________  PALO VERDE UNITS 1,2,3 B 3.5.5-4 REVISION 54 APPLICABLE During accident conditions, the RWT provides a source of SAFETY ANALYSES borated water to the HPSI, LPSI and containment spray pumps. As such, it provides containment cooling and depressurization, core cooling, and replacement inventory and is a source of negative reactivity for reactor shutdown (Ref. 1). The design basis transients and applicable safety analyses concerning each of these systems are discussed in the Applicable Safety Analyses section of Bases B 3.5.3, "ECCS  Operating," and B 3.6.6, "Containment Spray."  These analyses are used to assess changes to the RWT in order to evaluate their effects in relation to the acceptance limits. The level limit of Figure 3.5.5-1 for the ESF function is based on the largest of the following four factors: a. A volume of borated water must be transferred to containment via the ESF pumps prior to reaching a low level switchover to the containment sump for recirculation. This ESF Reserve Volume ensures that the ESF pump suction will not be aligned to the containment sump until the point at which 75% of the minimum design flow of one HPSI pump is capable of meeting or exceeding the decay heat boil-off rate. b. A volume of borated water must be transferred to the RCS and containment for flooding of sump strainers to prevent vortexing and to ensure adequate net positive suction head to support continued ESF pump operation after the switchover to recirculation occurs. c. A volume of borated water must be available for Containment Spray System operation as credited in the containment pressure and temperature analyses. d. A volume of borated water is needed during ECCS functions to ensure shut down margin (SDM) is maintained. 
The volume required is similar to that needed for the charging system function of compensating for contraction of the RCS coolant during plant cooldown. The volume required will vary depending upon the event and is bounded by the volume needed for a LOCA. The volume needed for boration purposes for a LOCA is smaller than the volumes discussed in a, b, and c above.

The quantities specified above are transfer volumes to be available for delivery to the ESF pumps. They are located between the required level of Figure 3.5.5-1 and the low level switchover to the containment sump for recirculation (RAS).
The required level of Figure 3.5.5-1 also considers applicable instrument uncertainty for the indicators used to verify level, the switch that actuates the recirculation actuation signal, and the indicators for average RCS temperature. The level required by Figure 3.5.5-1 ensures that adequate water volume exists in the tank to provide the transfer volumes discussed above. The temperatures of note on the Figure are (1) 600°F, which bounds the highest expected average RCS temperature, (2) 565°F, which corresponds to hot zero power, and (3) 210°F, which is the lowest temperature for Mode 4, when this LCO is applicable. Between 600°F and 565°F the required level is constant for ease of use by operators to have a single value for all hot conditions. Between 565°F and 210°F the required level decreases as the volume required to make up for RCS coolant contraction decreases.

By time of recirculation, the water level in the containment sump must be sufficient to provide adequate Net Positive Suction Head (NPSH) for both trains of HPSI, LPSI, and containment spray pumps operating at runout conditions. Accounting for LPSI pump operation is conservative because these pumps trip automatically upon RAS and are not required during recirculation. The minimum containment sump level can be achieved considering only the inventory specified in the RWT with no contributions from safety injection tanks and the reactor coolant. The resultant containment water inventory is further reduced due to the effects of evaporation and flashing of post-accident fluid; holdup in containment atmosphere, subcompartments, and reservoirs due to containment spray operation; and diversions of RWT to the CVCS via the high suction nozzle.
Leakages from injection and recirculation equipment to areas outside the containment during the first 24 hours of the event are expected to be small in comparison with the overall conservatism in the analysis and are therefore neglected. Consistent with the positions in Regulatory Guides 1.1 and 1.82, no credit was taken for containment pressure in calculating available NPSH.

The 4000 ppm limit for minimum boron concentration was established to ensure that, following a LOCA with a minimum level in the RWT, the reactor will remain subcritical in the cold condition following mixing of the RWT and RCS water volumes. Small break LOCAs assume that all control rods are inserted, except for the Control Element Assembly (CEA) of highest worth, which is withdrawn from the core. Large break LOCAs assume that all CEAs remain withdrawn from the core. The most limiting case occurs at beginning of core life.

The maximum boron limit of 4400 ppm in the RWT is based on boron precipitation in the core following a LOCA. With the reactor vessel at saturated conditions, the core dissipates heat by pool nucleate boiling. Because of this boiling phenomenon in the core, the boric acid concentration will increase in this region. If allowed to proceed in this manner, a point will be reached where boron precipitation will occur in the core. Post LOCA emergency procedures direct the operator to establish simultaneous hot and cold leg injection to prevent this condition by establishing a forced flow path through the core regardless of break location.
These procedures are based on the minimum time in which precipitation could occur, assuming that maximum boron concentrations exist in the borated water sources used for injection following a LOCA. Boron concentrations in the RWT in excess of the limit could result in precipitation earlier than assumed in the analysis.

The upper limit of 120°F and the lower limit of 60°F on RWT temperature are the limits assumed in the accident analysis. Although RWT temperature affects the outcome of several analyses, the upper and lower limits established by the LCO are not limited by any of these analyses.

The RWT ESF function satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

The RWT ensures that an adequate supply of borated water is available to cool and depressurize the containment in the event of a Design Basis Accident (DBA) and to cool and cover the core in the event of a LOCA, that the reactor remains subcritical following a DBA, and that an adequate level exists in the containment sump to support ESF pump operation in the recirculation mode. To be considered OPERABLE, the RWT must meet the limits established in the SRs for water volume, boron concentration, and temperature.

APPLICABILITY

In MODES 1, 2, 3, and 4, the RWT OPERABILITY requirements are dictated by the ECCS and Containment Spray System OPERABILITY requirements. Since both the ECCS and the Containment Spray System must be OPERABLE in MODES 1, 2, 3, and 4, the RWT must be OPERABLE to support their operation. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level."

ACTIONS

A.1

With RWT boron concentration or borated water temperature not within limits, it must be returned to within limits within 8 hours. In this condition neither the ECCS nor the Containment Spray System can perform their design functions; therefore, prompt action must be taken to restore the tank to OPERABLE condition.
The allowed Completion Time of 8 hours to restore the RWT to within limits was developed considering the time required to change boron concentration or temperature and that the contents of the tank are still available for injection and core cooling.
B.1

With RWT borated water volume not within limits, it must be returned to within limits within 1 hour. In this condition, neither the ECCS nor Containment Spray System can perform their design functions; therefore, prompt action must be taken to restore the tank to OPERABLE status or to place the unit in a MODE in which these systems are not required. The allowed Completion Time of 1 hour to restore the RWT to OPERABLE status is based on this condition since the contents of the tank are not available for injection and core cooling.

C.1 and C.2

If the RWT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.5.1

RWT borated water temperature shall be verified to be within the limits assumed in the accident analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that eliminates the requirement to perform this Surveillance when ambient air temperatures are within the operating temperature limits of the RWT. With ambient temperatures within this range, the RWT temperature should not exceed the limits.
SR 3.5.5.2

The RWT water volume level shall be verified in accordance with Figure 3.5.5-1. This Frequency ensures that a sufficient initial water supply is available for injection and to support continued ESF pump operation on recirculation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.5.3

Boron concentration of the RWT shall be verified to be within the required range. This Frequency ensures that the reactor will remain subcritical following a LOCA and the boron precipitation in the core will not occur earlier than predicted. Further, it ensures that the resulting sump pH will be maintained in an acceptable range such that the effect of chloride and caustic stress corrosion on mechanical systems and components will be minimized. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 6 and Chapter 15.
2. Engineering Calculation 13-JC-CH-0209

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.6 Trisodium Phosphate (TSP)

BASES

BACKGROUND

Anhydrous Trisodium Phosphate (TSP) is placed on the floor of the containment building to ensure that iodine, which may be dissolved in the recirculated reactor cooling water following a Loss of Coolant Accident (LOCA), remains in solution. TSP also helps inhibit Stress Corrosion Cracking (SCC) of austenitic stainless steel components in containment during the recirculation phase following an accident.
Fuel that is damaged during a LOCA will release iodine in several chemical forms to the reactor coolant and to the containment atmosphere. A portion of the iodine in the containment atmosphere is washed to the sump by containment sprays. The emergency core cooling water is borated for reactivity control. This borated water causes the sump solution to be acidic. In a low pH (acidic) solution, dissolved iodine will be converted to a volatile form. The volatile iodine will evolve out of solution into the containment atmosphere, significantly increasing the levels of airborne iodine. The increased levels of airborne iodine in containment contribute to the radiological releases and increase the consequences from the accident due to containment atmosphere leakage. After a LOCA, the components of the core cooling and Containment Spray Systems will be exposed to high temperature borated water. Prolonged exposure to the core cooling water combined with stresses imposed on the components can cause SCC. The SCC is a function of stress, oxygen and chloride concentrations, pH, temperature, and alloy composition of the components. High temperatures and low pH, which would be present after a LOCA, tend to promote SCC. This can lead to the failure of necessary safety systems or components.
Adjusting the pH of the recirculation solution to levels at or above 7.0 prevents a significant fraction of the dissolved iodine from converting to a volatile form. The higher pH thus decreases the level of airborne iodine in containment and reduces the radiological consequences from containment atmosphere leakage following a LOCA.
Maintaining the solution pH at or above 7.0 also reduces the occurrence of SCC of austenitic stainless steel components in containment. Reducing SCC reduces the probability of failure of components. Granular anhydrous TSP is employed as a passive form of pH control for post LOCA containment spray and core cooling water. Baskets of TSP are placed on the floor of the containment building to dissolve from released reactor coolant water and containment sprays after a LOCA.
Recirculation of the water for core cooling and containment sprays then provides mixing to achieve a uniform solution pH.

APPLICABLE SAFETY ANALYSES

The LOCA radiological consequences analysis takes credit for iodine retention in the sump solution based on the recirculation water pH being ≥ 7.0. The radionuclide releases from the containment atmosphere and the consequences of a LOCA would be increased if the pH of the recirculation water were not adjusted to 7.0 or above.

LCO

The TSP is required to adjust the pH of the recirculation water to ≥ 7.0 after a LOCA. A pH ≥ 7.0 is necessary to prevent significant amounts of iodine released from fuel failures and dissolved in the recirculation water from converting to a volatile form and evolving into the containment atmosphere. Higher levels of airborne iodine in containment may increase the release of radionuclides and the consequences of the accident. A pH ≥ 7.0 is also necessary to prevent SCC of austenitic stainless steel components in containment. SCC increases the probability of failure of components.
The required amount of TSP is based upon the extreme cases of water volume and pH possible in the containment sump after a large break LOCA. The minimum required volume is the volume of TSP that will achieve a sump solution pH of 7.0 when taking into consideration the maximum possible sump water volume and the minimum possible pH. The amount of TSP needed in the containment building is based on the mass of TSP required to achieve the desired pH. However, a required volume is specified, rather than mass, since it is not feasible to weigh the entire amount of TSP in containment. The minimum required volume is based on the design basis value for density of anhydrous TSP. Since TSP can have a tendency to agglomerate from high humidity in the containment building, the density may increase and the volume decrease during normal plant operation. Due to possible agglomeration and increase in density, estimating the minimum volume of TSP in containment is conservative with respect to achieving a minimum required pH.

APPLICABILITY

In MODES 1, 2, and 3, the RCS is at elevated temperature and pressure, providing an energy potential for a LOCA. The potential for a LOCA results in a need for the ability to control the pH of the recirculated coolant. In MODES 4, 5, and 6, the potential for a LOCA is reduced and TSP is not required.

ACTIONS

A.1

If it is discovered that the TSP in the containment building is not within limits, action must be taken to restore the TSP to within limits.
The Completion Time of 72 hours is allowed for restoring the TSP within limits, where possible, because 72 hours is the same time allowed for restoration of other ECCS components.
B.1 and B.2

If the TSP cannot be restored within limits within the Completion Time of Required Action A.1, the plant must be brought to a MODE in which the LCO does not apply. The specified Completion Times for reaching MODES 3 and 4 are those used throughout the Technical Specifications; they were chosen to allow reaching the specified conditions from full power in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.6.1

Periodic determination of the volume of TSP in containment must be performed due to the possibility of leaking valves and components in the containment building that could cause dissolution of the TSP during normal operation. A verification is required to determine visually that a minimum of 524 cubic feet is contained in the TSP baskets (Ref. 1). This requirement ensures that there is an adequate volume of TSP to adjust the pH of the post LOCA sump solution to a value ≥ 7.0. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.6.2

Testing ensures that the solubility and buffering ability of the TSP is not degraded after exposure to the containment environment. A representative sample of 3.36 grams ± 0.005 grams of anhydrous TSP (corrected for moisture content) is collected from one or more of the baskets in containment.
The sample is submerged in 1.0 ± 0.005 liter (total volume) of 4280 to 4400 ppm boric acid solution at a temperature of 135°F ± 9°F. Without agitation, the solution pH should rise to greater than or equal to 7.0 within 4 hours. Solution pH is measured at 77°F ± 9°F and rounded to the nearest tenth of a pH unit.
The sample weight and volume correspond to the design minimum concentration of TSP expected post LOCA in the containment sump. The limiting concentration occurs when the LCO minimum TSP volume of 524 cubic feet, weighing about 25,325 pounds at the installed bulk density, is dissolved into the maximum recirculation fluid mass of approximately 7,690,750 pounds, which is about 920,000 gallons at room temperature. The boron concentration of the test water is the highest possible with the maximum expected recirculation sump volume. Agitation of the test solution is prohibited since an adequate standard for the agitation intensity cannot be specified. The test time of 4 hours is necessary to allow time for the dissolved TSP to naturally diffuse through the sample solution. In the post LOCA containment sump, rapid mixing would occur, significantly decreasing the actual amount of time before the required pH is achieved. This ensures compliance with UFSAR Section 6.1.1.2 which requires containment sump pH to be greater than or equal to 7.0 and less than or equal to 8.5 within 4 hours after a Recirculation Actuation Signal (RAS).

The temperature of 135 ± 9°F was chosen for the borated water solution because that is the minimum temperature expected at the inlet of the shutdown cooling heat exchangers during the initial phase of this accident when the TSP is dissolved into solution.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. PVNGS operating license amendment numbers 110, 102 and 82 for Units 1, 2 and 3, respectively, and associated NRC Safety Evaluation dated December 10, 1996.
B 3.6 CONTAINMENT SYSTEMS

B 3.6.1 Containment

BASES

BACKGROUND

The containment consists of the concrete Containment Building (CB), its steel liner, and the penetrations through this structure. The structure is designed to contain radioactive material that may be released from the reactor core following a design basis Loss of Coolant Accident.
Additionally, this structure provides shielding from the fission products that may be present in the containment atmosphere following accident conditions. The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a shallow dome roof. The cylinder wall is prestressed with a post tensioning system in the vertical and horizontal directions, and the dome roof is prestressed utilizing a two way pattern of tendons, which are an extension of the continuous vertical tendons. The inside surface of the containment is lined with a carbon steel liner to ensure a high degree of leak tightness during operating and accident conditions. The concrete CB is required for structural integrity of the containment under Design Basis Accident (DBA) conditions.
The steel liner and its penetrations establish the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment.
SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.

The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either:
   1. capable of being closed by an OPERABLE automatic containment isolation system, or
   2. closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves";

b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks"; and

c. All equipment hatches are closed.

APPLICABLE SAFETY ANALYSES

The safety design basis for the containment is that the containment must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

The limiting DBAs that result in a release of radioactive material within containment are a Loss Of Coolant Accident (LOCA), a Main Steam Line Break (MSLB), a feedwater line break, and a control element assembly ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.1% of containment air mass per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La, the maximum allowable containment leakage rate at the calculated maximum peak containment pressure (Pa) of 58.0 psig which results from the limiting design basis LOCA.

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Containment OPERABILITY is maintained by limiting leakage to 1.0 La, except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applicable leakage limits must be met.
Type A leakage rate testing measures the overall leakage rate of the containment. Type B leakage rate testing measures the local leakage rate of blind flanges, air locks and other devices which employ resilient seals. Type C leakage rate testing measures the local leakage rate of valves. Refer to reference 1 for a more detailed definition.

Compliance with this LCO will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

Individual leakage rates specified for the containment air lock (LCO 3.6.2) and purge valves with resilient seals (LCO 3.6.3) are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J, Option B. Therefore, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0 La.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, containment is not required to be OPERABLE in MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS

A.1

In the event containment is inoperable, containment must be restored to OPERABLE status within 1 hour.
The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and 4. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.
B.1 and B.2

If containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.1.1

Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. The containment concrete visual examinations may be performed during either power operation, e.g., performed concurrently with other containment inspection-related activities such as tendon testing, or during a maintenance/refueling outage. The visual examinations of the steel liner plate inside containment are performed during maintenance or refueling outages since this is the only time the liner plate is fully accessible.

Failure to meet air lock and purge valve with resilient seal leakage limits specified in LCO 3.6.2 and LCO 3.6.3 does not invalidate the acceptability of these overall leakage determinations unless their contribution to overall Type A, B, and C leakage causes that to exceed limits. As left leakage prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test is required to be < 0.6 La for combined Type B and C leakage and ≤ 0.75 La for overall Type A leakage.
At all other times between required leakage rate tests, the acceptance criteria is based on an overall Type A leakage limit of ≤ 1.0 La. At ≤ 1.0 La the offsite dose consequences are bounded by the assumptions of the safety analysis. SR Frequencies are as required by the Containment Leakage Rate Testing Program. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.
SR 3.6.1.2

For ungrouted, post tensioned tendons, this SR ensures that the structural integrity of the containment will be maintained in accordance with the provisions of the Containment Tendon Surveillance Program. Testing and Frequency are in accordance with ASME Code Section XI, Subsection IWL (Ref. 4) and applicable addenda as required by 10 CFR 50.55a, except where an exemption or relief has been authorized by the NRC.

REFERENCES

1. 10 CFR 50, Appendix J, Option B.
2. UFSAR, Section 3.8.
3. UFSAR, Section 6.2.
4. ASME Code Section XI, Subsection IWL.
B 3.6 CONTAINMENT SYSTEMS

B 3.6.2 Containment Air Locks

BASES

BACKGROUND

Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation. Each air lock is nominally a right circular cylinder, 9 ft.-6 inches in diameter, with a door at each end. The doors are interlocked to prevent simultaneous opening.
During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an increase in containment internal pressure results in increased sealing force on each door). The containment air locks form part of the containment pressure boundary. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analysis.
APPLICABLE SAFETY ANALYSES
The limiting DBAs that result in a large release of radioactive material within containment are a Loss Of Coolant Accident (LOCA), a Main Steam Line Break (MSLB), a feedwater line break, and a control element assembly (CEA) ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.1% of containment air mass per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J, Option B, as the maximum allowable containment leakage rate at the calculated peak containment internal pressure Pa [58.0 psig], following a design basis LOCA. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.
The containment air locks satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event. Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE.
Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events.
Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into or exit from containment.
APPLICABILITY
In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
Therefore, the containment air locks are not required in MODE 5 to prevent leakage of radioactive material from containment. The requirements for the containment air locks during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."
ACTIONS
The ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component.
If the outer door is inoperable, then it may be easily accessed for most repairs. If the inner door is inoperable, or if repairs on either door must be performed from the barrel side of the door then it is permissible to enter the air lock through the OPERABLE door, which means there is a short time during which the containment boundary is not intact (during access through the OPERABLE door). The ability to open the OPERABLE door, even if it means the containment boundary is temporarily not intact, is acceptable because of the low probability of an event that could pressurize the containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit, the OPERABLE door must be immediately closed. A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable air lock. Complying with the Required Actions may allow for continued operation, and a subsequent inoperable air lock is governed by subsequent Condition entry and application of associated Required Actions. A third Note has been included that requires entry into the applicable Conditions and Required Actions of LCO 3.6.1, "Containment," when leakage results in exceeding the overall containment leakage limit.
A.1, A.2, and A.3
With one air lock door inoperable in one or more containment air locks, the OPERABLE door must be verified closed (Required Action A.1) in each affected containment air lock.
This ensures that a leak tight containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour. This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires containment be restored to OPERABLE status within 1 hour. Action A applies to any condition which affects only one side of the air lock such that closure of the opposite door maintains containment OPERABILITY. Examples of an inoperable air lock door are cracked viewglass, equalizing valve leaking, or door seals leaking. In addition, the affected air lock penetration must be isolated by locking closed an OPERABLE air lock door within the 24 hour Completion Time. The 24 hour Completion Time is considered reasonable for locking the OPERABLE air lock door, considering the OPERABLE door of the affected air lock is being maintained closed. Required Action A.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and closed OPERABLE air lock door. This ensures that an acceptable containment leakage boundary is maintained. The Completion Time of once per 31 days is based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls if both air locks have an inoperable door. This 7 day restriction begins when the second air lock is discovered inoperable. Containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS-required activities) if the containment was entered, using the inoperable air lock, to perform an allowed activity listed above. This allowance is acceptable due to the low probability of an event that could pressurize the containment during the short time that the OPERABLE door is expected to be open.
B.1, B.2, and B.3
With an air lock interlock mechanism inoperable in one or more air locks, the Required Actions and associated Completion Times are consistent with those specified in Condition A.
The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock). Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
C.1, C.2, and C.3
With one or more air locks inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be initiated immediately to evaluate previous combined leakage rates using current air lock test results. An evaluation is acceptable since it is overly conservative to immediately declare the containment inoperable if both doors in an air lock have failed a seal test or if the overall air lock leakage is not within limits.
In many instances (e.g., only one seal per door has failed), containment remains OPERABLE, yet only 1 hour (per LCO 3.6.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.
Required Action C.2 requires that one door in the affected containment air lock must be verified to be closed. This action must be completed within the 1 hour Completion Time.
This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires that containment be restored to OPERABLE status within 1 hour. Additionally, the affected air lock(s) must be restored to OPERABLE status within the 24 hour Completion Time. The specified time period is considered reasonable for restoring an inoperable air lock to OPERABLE status, assuming that at least one door is maintained closed in each affected air lock.
D.1 and D.2
If the inoperable containment air lock cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE REQUIREMENTS
SR 3.6.2.1
Maintaining containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The acceptance criteria were established during initial air lock and containment OPERABILITY testing. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall containment leakage rate. The Frequency is required by the Containment Leakage Rate Testing Program and includes testing of the airlock doors following each closing, as specified.
The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test.
This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR requiring the results to be evaluated against the acceptance criteria which is applicable to SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the combined Type B and C containment leakage rate.
SR 3.6.2.2
The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containment OPERABILITY while the air lock is being used for personnel transit into and out of containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of the inner and outer doors will not inadvertently occur. Due to the purely mechanical nature of this interlock, and given that the interlock mechanism is not normally challenged when containment is used for entry and exit (procedures require strict adherence to single door opening), this test is only required to be performed periodically. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. 10 CFR 50, Appendix J, Option B.
2. UFSAR, Section 3.8.
3. UFSAR, Section 6.2.
4. UFSAR, Section 15.6.
B 3.6 CONTAINMENT SYSTEMS
B 3.6.3 Containment Isolation Valves
BASES
BACKGROUND
The containment isolation valves form part of the containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be provided with two isolation barriers that are closed on an automatic isolation signal. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analysis. One of these barriers may be a closed system. The containment penetration consists of the containment isolation valves and all piping and the associated vent, drain, and test valves located between the containment isolation valves (Ref. 7). All manual vent, drain, and test valves within a Containment Penetration (i.e., between the Containment Isolation Valves) will be maintained locked closed per the locked valve administrative program or surveilled closed per Technical Specification SR 3.6.3.3 or SR 3.6.3.4. Containment penetration isolation criteria are governed by 10 CFR 50, Appendix A, General Design Criteria 54 through 57 (Ref. 6). The applicable GDC for each penetration can be found in UFSAR Table 6.2.4-1 (Ref. 1).
Containment isolation occurs upon receipt of a high containment pressure signal or a low pressurizer pressure signal. The containment isolation signal closes automatic containment isolation valves in fluid penetrations not required for operation of Engineered Safety Feature Systems in order to prevent leakage of radioactive material. Upon actuation of safety injection, automatic containment isolation valves also isolate systems not required for containment or RCS heat removal. Other penetrations are isolated by the use of valves in the closed position or blind flanges. As a result, the containment isolation valves (and blind flanges) help ensure that the containment atmosphere will be isolated in the event of a release of radioactive material to containment atmosphere from the RCS following a Design Basis Accident (DBA).
The OPERABILITY requirements for containment isolation valves help ensure that containment is isolated within the time limits assumed in the safety analysis. Therefore, the OPERABILITY requirements provide assurance that the containment function assumed in the accident analysis will be maintained. All containment isolation valves are considered to be required except for each 42 inch refueling purge valve when its flow path is isolated with a blind flange as allowed by Note 5 under LCO 3.6.3. The purge valves were designed for intermittent operation, providing a means of removing airborne radioactivity caused by minor RCS leakage prior to personnel entry into containment. There are two sets of purge valves:
refueling purge valves and power access purge valves. The refueling and power access supply and exhaust lines are each supplied with inside and outside containment isolation valves but share common supply and exhaust headers. The refueling purge valves are designed for purging the containment atmosphere to the unit stack while introducing filtered makeup from the outside to provide adequate ventilation for personnel comfort when the unit is shut down during refueling operations and maintenance. Motor operated isolation valves are provided inside and outside the containment. The valves are operated manually from the control room. The valves will close automatically upon receipt of a containment purge isolation actuation signal and a containment isolation actuation signal. Because of their large size, the refueling purge valves are not qualified for automatic closure from their open position under DBA conditions. Therefore, the refueling purge valves are maintained closed in MODES 1, 2, 3, and 4 or the flow paths of the refueling purge valves are isolated with blind flanges to ensure the containment boundary is maintained. Open refueling purge valves, or a failure of the power access purge valves to close, following an accident that releases contamination to the containment atmosphere would cause a significant increase in the containment leakage rate.
APPLICABLE SAFETY ANALYSES
The containment isolation valve LCO was derived from the assumptions related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during major accidents. As part of the containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment. Therefore, the safety analysis of any event requiring isolation of containment is applicable to this LCO. The DBAs that result in a release of radioactive material within containment are documented in UFSAR Chapters 6 and 15.
In the analysis for each of these accidents, it is assumed that containment isolation valves are either closed or function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through containment isolation valves (including containment purge valves) are minimized. The safety analysis assumes that the refueling purge valves are closed at event initiation. The DBA analysis assumes that, within 60 seconds after the accident, isolation of the containment is complete and leakage terminated except for the design leakage rate, La. The power access purge valves are assumed to close within 12 seconds of the DBA. The containment isolation response time includes signal delay, diesel generator startup (for loss of offsite power), and containment isolation valve stroke times. The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the containment purge valves. Two valves in series on each purge line provide assurance that both the supply and exhaust lines could be isolated even if a single failure occurred. The inboard and outboard isolation valves on each line are provided with diverse power sources. The refueling purge valves may be unable to close in the environment following a LOCA. Therefore, each of the refueling purge valves is required to remain sealed closed during MODES 1, 2, 3, and 4 or the flow paths of the refueling purge valves are required to be isolated with blind flanges. In this case, the single failure criterion remains applicable to the containment refueling purge valves due to failure in the control circuit associated with each valve. Again, the purge system valve design precludes a single failure from compromising the containment boundary as long as the system is operated in accordance with the subject LCO.
The power access purge valves are capable of closing under accident conditions. Therefore, they are allowed to be open for limited periods during power operation. The OPERABILITY of main steam safety valves, main steam isolation valves, main feedwater isolation valves, and main steam atmospheric dump valves is covered by Specifications 3.7.1, 3.7.2, 3.7.3 and 3.7.4 respectively. The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
Required containment isolation valves (CIVs) form a part of the containment boundary. A containment penetration is considered to be the area bounded by the inboard and outboard CIVs and includes all valves, piping, and connections within this boundary (e.g., vents, drains, and test connections)
(Ref. 7). The containment isolation valve safety function is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during a DBA. The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The refueling purge valves must be maintained sealed closed. All manual vent, drain, and test valves within a Containment Penetration (i.e., between the Containment Isolation Valves) will be maintained locked closed per the locked valve administrative program or surveilled closed per Technical Specification SR 3.6.3.3 or SR 3.6.3.4.
The valves covered by this LCO are listed with their associated stroke times in the UFSAR (Ref. 1). The analyses assume the containment is isolated within 60 seconds following an isolation signal (CIAS). All containment isolation valves are considered to be required except for each 42 inch refueling purge valve when its flow path is isolated with a blind flange tested in accordance with SR 3.6.1.1 as allowed by Note 5 under LCO 3.6.3. This is allowed because the blind flange, instead of the valve, provides the function of the containment boundary. Required CIVs are considered OPERABLE for LCO 3.6.3 when they are closed (i.e., manual valves are closed, automatic valves are de-activated and secured in their closed position), blind flanges are in place, and closed systems are intact. The Steam Generating System and the Containment Pressure Monitoring System are the only credited closed systems at PVNGS. Placement of CIVs in this configuration may impact the operability of the associated system. If the required valve surveillances have lapsed for a CIV secured in its closed position, the CIV is considered OPERABLE for LCO 3.6.3 because it was OPERABLE when it isolated the penetration and it continues to perform its isolation function (Ref. 9). The passive isolation valves or devices are those listed in Reference 2. The general actions for an inoperable CIV are to isolate the associated penetration with a component that is not susceptible to an active failure (i.e., a passive component). The appropriate LCO 3.6.3 Condition for each CIV is listed in TRM Table 7.0.300.
In addition, isolation of an inoperable CIV should be made with a valve(s) having similar leakage criteria to preserve the overall containment leakage rate. For example, if a Type C tested CIV becomes inoperable, a Type C tested valve should be used for isolation purposes. If an inoperable Type C tested CIV cannot be isolated with another Type C tested valve, then another valve may be used to isolate the penetration per LCO 3.6.3, but engineering shall evaluate this condition to ensure the overall CONTAINMENT leakage rate remains valid per the requirements of LCO 3.6.1 (Ref. 8). Check valves used to isolate a containment penetration are considered secured in their actuated position when flow through the valve is secured and prevented from unintentional operation (i.e., all upstream flow paths are isolated and administratively controlled). This administrative control process will be via use of a permit or the locked valve program for those upstream sources. Certain containment penetrations with multiple piping connections require isolating the upstream source in lieu of crediting the inboard check valve when the CIV outside containment becomes inoperable. The following penetrations are provided as examples:
* AFA-V079 and AFB-V080 - AFW - Pen 75 and 76
* SIE-V113, -V123, -V133, and -V143 - HPSI - Pen 13 through 16
For the above examples, preventing flow through, and unintentional operation of, the inboard check valve would impact multiple trains of equipment; therefore, this condition is undesirable. In that case, the inoperable CIV is isolated using an upstream passive device, the associated train is declared inoperable, the applicable LCO Condition is entered, and the Required Actions performed. Manual containment isolation valves include those specified in TRM Table 7.0.300, manual valves used to isolate a penetration (including a deactivated, non-automatic valve), and all vents, drains, and test connections located within a containment penetration. Manual containment isolation valves may be opened intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. This operator may have other concurrent duties as long as those duties do not impact the ability to close the valve within 60 seconds when containment isolation is required. The Shift Manager/CRS determines the allowable concurrent duties. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated. Manual vent, drain and test connection valves within a penetration may be opened under administrative control on only one side of the containment wall.
The opening of a manual vent, drain and test connection valve on both sides of the containment wall provides a direct bypass of the containment barrier and would necessitate declaring the penetration inoperable per LCO 3.6.3 and could impact containment operability per LCO 3.6.1. Containment Isolation Valves (CIVs) required open during accident conditions are considered "dual function" valves and may be secured in the closed position to conservatively comply with LCO 3.6.3. However, a closed CIV would result in entry into the applicable system LCO. When a CIV required OPEN during accident conditions becomes inoperable, and there is only one CIV in the penetration, and plant and/or equipment conditions do not support securing the CIV in the closed position to restore operability per LCO 3.6.3, an alternate valve (including a non-automatic, non-manual valve) in the piping connected to the affected penetration may be used as an isolation valve to satisfy the requirement of LCO 3.6.3. The alternate valve must be secured in the closed position and prevented from unintentional operation (via PVNGS administrative controls such as the locked valve or clearance and tagging program or the removal of motive power, as appropriate), and any vent/drain valve and test connection within the new boundary must be closed and capped.
To ensure penetration integrity, it is only allowable to use an alternate valve as the isolation valve in the affected penetration if the piping between the inoperable CIV and the valve used for penetration isolation have both of the following characteristics:
* A pressure rating equivalent to the containment design pressure (i.e., 60 psig) AND
* The inoperable CIV does not require Type "C" testing (reference the list of CIVs in the Technical Requirements Manual).
Alternatively, some "dual function" CIVs may be administratively controlled in their ESF actuated open position (to prevent unintentional operation) to comply with both LCO 3.6.3 and the associated system LCO. When placed in the OPEN position and OPERABLE pursuant to LCO 3.6.3, the control room's ability to remote-manually close the valve for containment isolation must be maintained (i.e., actuating and control power must be retained). The administrative controls prevent a valve from unintentional operation. This position ensures compliance with containment isolation functions specified by General Design Criteria 54 through 57. The valve is inoperable and entry into the applicable action statement of LCO 3.6.3 will be required until the administrative controls are in place. If, for any reason, a CIV is placed in the administratively controlled OPEN position to remain OPERABLE pursuant to LCO 3.6.3, the cause of the condition will be identified and corrected at the earliest opportunity. Although system limitations preclude placing a number of "dual function" CIVs in the open position, the following valves are subject to being placed in the OPEN position and remaining OPERABLE pursuant to LCO 3.6.3 with administrative controls to prevent unintentional operation and retain the control room's remote-manual closure capability:
* Containment Hydrogen Monitoring CIVs:  HPA-HV-007A,  HPA-HV-007B, HPB-HV-008A, and HPB-HV-008B
* HPSI Injection Valves:  SIB-UV-616, SIA-UV-617, SIB-UV-626, SIA-UV-627, SIB-UV-636, SIA-UV-637, SIB-UV-646, and SIA-UV-647
* LPSI Flow Control Valves:  SIB-UV-615, SIB-UV-625, SIA-UV-635, and SIA-UV-645
* RCP Seal Injection Isolation Valve:  CHB-HV-255
The following valves are normally OPEN and considered OPERABLE pursuant to LCO 3.6.3 with no additional actions required (i.e., Control Room remote-manual closure capability need not be maintained):
* Containment Pressure Monitoring CIVs:  HCA-HV-074, HCB-HV-075, HCC-HV-076, and HCD-HV-077
* Normal Charging Line Isolation Valve:  CHA-HV-524
For inoperable Appendix R credited valves secured in the closed position, actions must be taken per PVNGS Administrative Controls to ensure time limitations are not exceeded. Required purge valves with resilient seals must meet additional leakage rate requirements. The other containment isolation valve leakage rates are addressed by LCO 3.6.1, "Containment," as Type C testing. Each required containment isolation valve shall be demonstrated OPERABLE prior to returning the valve to service after maintenance, repair, or replacement work is performed on the valve or its associated actuator, control, or power circuit. This LCO provides assurance that the required containment isolation valves and purge valves will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents.

APPLICABILITY
In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
Therefore, the containment isolation valves are not required to be OPERABLE in MODE 5. The requirements for containment isolation valves during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS
The ACTIONS are modified by a Note allowing penetration flow paths, except for 42 inch purge valve penetration flow paths, to be unisolated intermittently under administrative controls. This note is also applicable to those penetrations isolated due to an inoperable containment isolation valve and to the operation of manual vents, drains, and test connections within a containment penetration boundary (including those within the 42" purge valve penetrations, but excluding the 42" purge valves themselves). Furthermore, this note is applicable to manual vents, drains, and test connections within the expanded boundaries of a penetration. Manual valves used to isolate a penetration and/or vent, drain and test connection valves within a penetration may be opened under administrative control on only one side of the containment wall. Opening manual valves on both sides of the containment wall such that the containment atmosphere is in direct communication with outside is not permitted. These administrative controls consist of stationing an operator at each opened valve control, who is in continuous communication with the control room, and can close the specified valve within 60 seconds; concurrent duties (as determined by the Shift Manager/CRS) do not adversely impact the 60-second criterion. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.
Due to the size of the containment refueling purge line penetration and the fact that those penetrations exhaust directly from the containment atmosphere to the environment, these valves may not be opened under administrative controls. As allowed per SR 3.6.3.1, this restriction does not preclude opening a single refueling purge valve such that the penetration remains isolated. A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation valve. Complying with the Required Actions may allow for continued operation. A subsequent inoperable containment isolation valve in a different containment penetration is governed by subsequent Condition entry and application of the associated Required Actions. This Note is not applicable for a second problem identified in a penetration flow path that is already inoperable (i.e., a containment penetration had previously been identified as having an inoperable component); in that case, the initial time constraints are predicated on the first, initial inoperability of the applicable penetration. The ACTIONS are further modified by a third Note, which ensures that appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inoperable containment isolation valve. A fourth Note has been added that requires entry into the applicable Conditions and Required Actions of LCO 3.6.1 when leakage results in exceeding the overall containment leakage limit. A fifth note has been added specifying that when the flow path of a 42 inch purge valve is isolated with a blind flange tested in accordance with SR 3.6.1.1, the valve is not a required containment isolation valve. 
This is allowed because the blind flange, instead of the valve, provides the function of the containment boundary.

A.1 and A.2
In the event one required containment isolation valve in one or more penetration flow paths is inoperable except for purge valve leakage not within limit (refer to Action D), the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve (including a de-activated non-automatic valve), a blind flange, and a check valve with flow through the valve secured. Compliance with this Action is established via:
1) Administrative controls (i.e., permit) on the de-activated automatic valve, closed manual valve, blind flange, or check valve, and
2) Administrative controls (i.e., permit or Locked Valve/Breaker/Component Control lock) on vents, drains, and test connections located within the containment penetration.
Instruments (i.e., flow/pressure transmitters) located within the penetration that are not removed from service for maintenance nor open to the atmosphere are considered a closed loop portion of the associated penetration; therefore, isolation valves associated with instruments meeting this criterion need not be isolated nor otherwise administratively controlled to comply with the requirements of this Action. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available one to containment. Required Action A.1 must be completed within the 4 hour Completion Time. The 4 hour Completion Time is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4. For affected penetration flow paths that cannot be restored to OPERABLE status within the 4 hour Completion Time and that have been isolated in accordance with Required Action A.1, the affected penetration flow paths must be verified to be isolated on a periodic basis. This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of being automatically isolated will be in the isolation position should an event occur.
This Required Action does not require any testing or device manipulation. Rather, it involves verification, through a system walkdown, that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside containment" is appropriate considering the fact that the devices are operated under administrative controls and the probability of their misalignment is low. For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility. Condition A has been modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves. For penetration flow paths with only one containment isolation valve and a closed system, Condition C provides appropriate actions. Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these devices, once they have been verified to be in the proper position, is small.

B.1
With two required containment isolation valves in one or more penetration flow paths inoperable except for purge valve leakage not within limit (refer to Action D), the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve (including a de-activated non-automatic valve), and a blind flange. Compliance with this Action is established via:
1) Administrative controls (i.e., permit) on the de-activated automatic valve, closed manual valve, or blind flange, and
2) Administrative controls (i.e., permit or Locked Valve/Breaker/Component Control lock) on vents, drains, and test connections located within the containment penetration.
Instruments (i.e., flow/pressure transmitters) located within the penetration that are not removed from service for maintenance nor open to the atmosphere are considered a closed loop portion of the associated penetration; therefore, isolation valves associated with instruments meeting this criterion need not be isolated nor otherwise administratively controlled to comply with the requirements of this Action. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect.
This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative controls and the probability of their misalignment is low. Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two containment isolation valves. Condition A of this LCO addresses the condition of one containment isolation valve inoperable in this type of penetration flow path.

C.1 and C.2
With one or more required penetration flow paths with one containment isolation valve inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve (including a de-activated non-automatic valve), and a blind flange. Compliance with this Action is established via:
1) Administrative controls (i.e., permit) on the de-activated automatic valve, closed manual valve, or blind flange and
2) Administrative controls (i.e., permit or Locked Valve/Breaker/Component Control lock) on vents, drains, and test connections located within the containment penetration.
Instruments (i.e., flow/pressure transmitters) located within the penetration that are not removed from service for maintenance nor open to the atmosphere are considered a closed loop portion of the associated penetration; therefore, isolation valves associated with instruments meeting this criterion need not be isolated nor otherwise administratively controlled to comply with the requirements of this Action. A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within the 4 hour Completion Time. The specified time period is reasonable, considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4. In the event the affected penetration is isolated in accordance with Required Action C.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This is necessary to assure leak tightness of containment and that containment penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying that each affected penetration flow path is isolated is appropriate considering the valves are operated under administrative controls and the probability of their misalignment is low. Condition C is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with only one containment isolation valve and a closed system. The only credited closed systems are the Steam Generating and the Containment Pressure Monitoring Systems.
This Note is necessary since this Condition is written to specifically address those penetration flow paths which are neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere (10 CFR 50, APP. A, GDC 57). Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is small.

D.1, D.2, and D.3
In the event one or more required containment purge valves in one or more penetration flow paths are not within the purge valve leakage limits, purge valve leakage must be restored to within limits, or the affected penetration must be isolated. The method of isolation must be by the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve with resilient seals, or a blind flange. A purge valve with resilient seals utilized to satisfy Required Action D.1 must have been demonstrated to meet the leakage requirements of SR 3.6.3.6.
Compliance with this Action is established via:
1) Administrative controls (i.e., permit) on the de-activated automatic valve with resilient seals or blind flange, and
2) Administrative controls (i.e., permit or Locked Valve/Breaker/Component Control lock) on vents, drains, and test connections located within the containment penetration.
Instruments (i.e., flow/pressure transmitters) located within the penetration that are not removed from service for maintenance nor open to the atmosphere are considered a closed loop portion of the associated penetration; therefore, isolation valves associated with instruments meeting this criterion need not be isolated nor otherwise administratively controlled to comply with the requirements of this Action. The specified Completion Time is reasonable, considering that one containment purge valve remains closed so that a gross breach of containment does not exist.
In accordance with Required Action D.2, this penetration flow path must be verified to be isolated on a periodic basis.
The periodic verification is necessary to ensure that containment penetrations required to be isolated following an accident, which are no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those isolation devices outside containment capable of being mispositioned are in the correct position. For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility. For the required containment purge valve with a resilient seal that is isolated in accordance with Required Action D.1, SR 3.6.3.6 must be performed at least once every 92 days.
This assures that degradation of the resilient seal is detected and confirms that the leakage rate of the containment purge valve does not increase during the time the penetration is isolated. The normal Frequency for SR 3.6.3.6, 184 days, is based on an NRC initiative, Generic Issue B-20 (Ref. 3). Since more reliance is placed on a single valve while in this Condition, it is prudent to perform the SR more often. Therefore, a Frequency of once per 92 days was chosen and has been shown to be acceptable based on operating experience.

E.1 and E.2
If the Required Actions and associated Completion Times are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.3.1
This Surveillance is designed to ensure that a gross breach of containment is not caused by an inadvertent or spurious opening of a 42 inch containment purge valve. Detailed analysis of the refueling purge valves failed to conclusively demonstrate their ability to close during a LOCA in time to limit offsite doses. Therefore, these valves are required to be in the sealed closed position during MODES 1, 2, 3, and 4.
A required containment purge valve that is sealed closed must have motive power to the valve operator removed. This can be accomplished by de-energizing the source of electric power.
In this application, the term "sealed" has no connotation of leak tightness. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is not required to be met while in Condition D of this LCO.
This is reasonable since the penetration flow path would be isolated.

SR 3.6.3.2
This SR ensures that the power access purge valves are closed as required or, if open, open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable. If the inoperable valve is not otherwise known to have excessive leakage when closed, it is not considered to have leakage outside of limits. The SR is not required to be met when the purge valves are open for pressure control, ALARA or air quality considerations for personnel entry, or for Surveillances that require the valves to be open. The power access purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.3.3
This SR requires verification that each containment isolation manual valve and blind flange located outside containment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those containment isolation valves outside containment and capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Containment isolation valves that are open under administrative controls are not required to meet the SR during the time the valves are open. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing or securing. The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, 3, 4 and for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in the proper position, is small.

SR 3.6.3.4
This SR requires verification that each containment isolation manual valve and blind flange located inside containment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the containment boundary is within design limits. For containment isolation valves inside containment, the Frequency of "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is appropriate, since these containment isolation valves are operated under administrative controls and the probability of their misalignment is low. Containment isolation valves that are open under administrative controls are not required to meet the SR during the time that they are open.
This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing or securing. The Note allows valves and blind flanges located in high radiation areas to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, 3 and 4 for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in their proper position, is small.

SR 3.6.3.5
Verifying that the isolation time of each required automatic power operated containment isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analysis. The isolation time and Frequency of this SR are in accordance with the Inservice Testing Program.

SR 3.6.3.6
For required containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10 CFR 50, Appendix J, Option B (Ref. 5), is required to ensure OPERABILITY. Industry operating experience has demonstrated that this type of seal has the potential to degrade in a shorter time period than do other seal types.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Additionally, this SR must be performed within 92 days after opening the valve. The 92 day Frequency was chosen recognizing that cycling the valve could introduce additional seal degradation (beyond that occurring to a valve that has not been opened). Thus, decreasing the interval is a prudent measure after a valve has been opened.

SR 3.6.3.7
Required automatic containment isolation valves close on a containment isolation signal to prevent leakage of radioactive material from containment following a DBA. This SR ensures each required automatic containment isolation valve will actuate to its isolation position on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. UFSAR, Section 6.2.4.
2. UFSAR, Section 6.2.6.
3. Generic Issue B-20.
4. Generic Issue B-24.
5. 10 CFR 50, Appendix J, Option B.
6. 10 CFR 50, Appendix A.
7. CL Design Basis Manual.
8. CRDR 106542.
9. CRDR 2326591.

PALO VERDE UNITS 1,2,3 B 3.6.4-1 REVISION 53

B 3.6 CONTAINMENT SYSTEMS
B 3.6.4 Containment Pressure
BASES

BACKGROUND
The containment pressure is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a Loss Of Coolant Accident (LOCA) or Main Steam Line Break (MSLB). These limits also prevent the containment pressure from exceeding the containment design negative pressure differential with respect to the outside atmosphere in the event of inadvertent actuation of the Containment Spray System. Containment pressure is a process variable that is monitored and controlled. The containment pressure limits are derived from the input conditions used in the containment functional analyses and the containment structure external pressure analysis. Should operation occur outside these limits coincident with a Design Basis Accident (DBA), post accident containment pressures could exceed calculated values.

APPLICABLE SAFETY ANALYSES
Containment internal pressure is an initial condition used in the DBA analyses to establish the maximum peak containment internal pressure. The limiting DBAs considered for determining the maximum containment internal pressure (Pa) are the LOCA and MSLB. A double ended discharge line break LOCA with maximum ECCS results in the highest calculated internal containment pressure of 58.0, which is below the internal design pressure of 60 psig. The postulated DBAs are analyzed assuming degraded containment Engineered Safety Feature (ESF) Systems (i.e., assuming the loss of one ESF bus, which is the worst case single active failure, resulting in one train of the Containment Spray System being rendered inoperable). It is this maximum containment pressure that is used to ensure that the licensing basis dose limitations are met. The initial pressure condition used in the containment analysis bounds the containment pressure allowed during normal operation.
The LCO limit of 2.5 psig ensures that, in the event of an accident, the maximum peak containment internal pressure, 58.0 psig, and the maximum accident design pressure for containment, 60 psig, are not exceeded.
The containment was also designed for an excess external pressure of 4.0 psig to withstand the resultant pressure drop from an accidental actuation of the Containment Spray System. The maximum external pressure loading that would occur as a result of this transient is when the minimum internal pressure of -3.5 psig is reached. This is based on an initial containment pressure of -1.0 psig (the lower technical specification limit plus instrument uncertainty) and the calculated pressure drop of 2.5 psi. The upper LCO limit of 2.5 psig does not compensate for any instrument inaccuracies. Use of an indicated limit of 1.8 psig ensures that the actual limit of 2.5 psig will not be exceeded. The lower LCO limit of -0.3 psig has been derived to account for instrument inaccuracies. The indicated limit of -0.3 psig ensures that the actual limit of -1.0 psig will not be exceeded (Ref. 3).
Containment pressure satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO
Maintaining containment pressure less than or equal to the LCO upper pressure limit ensures that, in the event of a DBA, the resultant peak containment accident pressure will remain below the containment design pressure. Maintaining containment pressure greater than or equal to the LCO lower pressure limit ensures that the containment will not exceed the design negative pressure differential following the inadvertent actuation of the Containment Spray System.

APPLICABILITY
In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. Since maintaining containment pressure within limits is essential to ensure initial conditions assumed in the accident analysis are maintained, the LCO is applicable in MODES 1, 2, 3, and 4. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment pressure within the limits of the LCO is not required in MODE 5 or 6.
ACTIONS

A.1

When containment pressure is not within the limits of the LCO, containment pressure must be restored to within these limits within 1 hour. The Required Action is necessary to return operation to within the bounds of the containment analysis. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1, "Containment," which requires that containment be restored to OPERABLE status within 1 hour.

B.1 and B.2

If containment pressure cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.4.1

Verifying that containment pressure is within limits ensures that operation remains within the limits assumed in the accident analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 6.2.1
2. UFSAR, Section 7.2
3. Calculation 13-JC-HC-201

PALO VERDE UNITS 1,2,3 B 3.6.5-1 REVISION 0

B 3.6 CONTAINMENT SYSTEMS

B 3.6.5 Containment Air Temperature

BASES

BACKGROUND

The containment structure serves to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA). The containment average air temperature is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a Loss Of Coolant Accident (LOCA) or Main Steam Line Break (MSLB). The containment average air temperature limit is derived from the input conditions used in the containment functional analyses and the containment structure external pressure analyses. This LCO ensures that initial conditions assumed in the analysis of containment response to a DBA are not violated during unit operations. The total amount of energy to be removed from containment by the Containment Spray System during post accident conditions is dependent on the energy released to the containment due to the event, as well as the initial containment temperature and pressure. The higher the initial temperature, the more energy that must be removed, resulting in a higher peak containment pressure and temperature. Exceeding containment design pressure may result in leakage greater than that assumed in the accident analysis (Ref. 1). Operation with containment temperature in excess of the LCO limit violates an initial condition assumed in the accident analysis.

APPLICABLE SAFETY ANALYSES

Containment average air temperature is an initial condition used in the DBA analyses that establishes the containment environmental qualification operating envelope for both pressure and temperature.
The limit for containment average air temperature ensures that operation is maintained within the assumptions used in the DBA analysis for containment.
The accident analyses and evaluations considered both LOCAs and MSLBs for determining the maximum peak containment pressures and temperatures. The worst case LOCA generates larger mass and energy releases than the worst case MSLB; however, the MSLB event results in a higher peak temperature than the LOCA event. The initial pre-accident temperature inside containment was assumed to be 120°F (Ref. 2).
The initial containment average air temperature condition of 120°F resulted in a maximum vapor temperature in containment of 405.65°F. The temperature of the containment steel liner reached approximately 244°F. The containment average air temperature limit of 120°F ensures that, in the event of an accident, the maximum design temperature for the containment steel liner, 300°F, is not exceeded. The consequence of exceeding this design temperature may be the potential for degradation of the containment structure under accident loads. The LCO limit of 117°F has been derived to account for instrument inaccuracies. The indicated limit of 117°F ensures that the actual limit of 120°F will not be exceeded.

Containment average air temperature satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

During a DBA, with an initial containment average air temperature less than or equal to the LCO temperature limit, the resultant peak accident temperature is maintained below the containment design temperature. As a result, the ability of containment to perform its function is ensured.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
Therefore, maintaining containment average air temperature within the limit is not required in MODE 5 or 6.
ACTIONS

A.1

When containment average air temperature is not within the limit of the LCO, it must be restored to within limit within 8 hours. This Required Action is necessary to return operation to within the bounds of the containment analysis.
The 8 hour Completion Time is acceptable considering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems.

B.1 and B.2

If the containment average air temperature cannot be restored to within its limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.5.1

Verifying that containment average air temperature is within the LCO limit ensures that containment operation remains within the limit assumed for the containment analyses. In order to determine the containment average air temperature, an arithmetic average is calculated using measurements taken at locations within the containment selected to provide a representative sample of the overall containment atmosphere.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The Primary containment average air temperature is determined by taking the arithmetical average of the temperatures at any five of the following locations:

a. Nominal Elevation 85' - 0"
b. Nominal Elevation 85' - 0"
c. Nominal Elevation 126' - 0"
d. Nominal Elevation 126' - 0"
e. Nominal Elevation 145' - 0"
f. Nominal Elevation 188' - 0"
g. Nominal Elevation 188' - 0"

REFERENCES

1. UFSAR, Section 6.2
2. UFSAR, Section 9.4

PALO VERDE UNITS 1,2,3 B 3.6.6-1 REVISION 0

B 3.6 CONTAINMENT SYSTEMS

B 3.6.6 Containment Spray System

BASES

BACKGROUND

The Containment Spray System provides containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduce the release of fission product radioactivity from containment to the environment, in the event of a Design Basis Accident (DBA), to within limits.
The Containment Spray System is designed to the requirements of 10 CFR 50, Appendix A, GDC 38, "Containment Heat Removal," GDC 39, "Inspection of Containment Heat Removal Systems," GDC 40, "Testing of Containment Heat Removal Systems," GDC 41, "Containment Atmosphere Cleanup," GDC 42, "Inspection of Containment Atmosphere Cleanup Systems," and GDC 43, "Testing of Containment Atmosphere Cleanup Systems" (Ref. 1). The Containment Spray System is an Engineered Safety Feature (ESF) System. It is designed to ensure that the heat removal capability required during the post accident period can be attained. The Containment Spray System consists of two separate trains of equal capacity, each capable of meeting the design bases.
Each train includes a containment spray pump, a shutdown cooling heat exchanger, spray headers, nozzles, valves, and piping. Each train is powered from a separate ESF bus. The Refueling Water Tank (RWT) supplies borated water to the containment spray during the injection phase of operation.
In the recirculation mode of operation, containment spray pump suction is transferred from the RWT to the containment sump(s). The Containment Spray System provides a spray of cold borated water into the upper regions of containment to reduce containment pressure and temperature, to provide hydrogen mixing, and to reduce the concentration of fission products in the containment atmosphere during a DBA. The RWT solution temperature is an important factor in determining the heat removal capability of the Containment Spray System during the injection phase. In both the injection phase and the recirculation mode of operation, heat is removed from the spray water by the shutdown cooling heat exchangers. Each train of the Containment Spray System provides adequate spray coverage to meet 100% of the system design requirements for containment heat removal and 100% of the iodine removal design bases.

The Containment Spray System is actuated either automatically by a containment High-High pressure signal or manually. An automatic actuation starts the two Containment Spray System pumps, opens the containment spray header isolation valves and begins the injection phase. A manual actuation of the Containment Spray System is available on the main control board to begin the same sequence. The injection phase continues until an RWT level Low signal is received. The Low level for the RWT generates a recirculation actuation signal that aligns valves from the containment spray pump suction to the containment sump. The Containment Spray System in recirculation mode maintains an equilibrium temperature between the containment atmosphere and the recirculated sump water.
Operation of the Containment Spray System in the recirculation mode is controlled by the operator in accordance with the emergency operating procedures.

Hydrogen mixing within the containment is accomplished by the Containment Spray System and the containment internal structure design, which permits convective mixing and prevents entrapment. The Containment Spray System prevents localized accumulations of hydrogen. The Containment Spray System reduces the potential for breach of containment due to a hydrogen oxygen reaction by providing a uniformly mixed post accident containment atmosphere, thereby minimizing the potential for local hydrogen burns due to a local pocket of hydrogen above the flammable concentration and giving the operator the capability of preventing the occurrence of a bulk hydrogen burn inside containment per 10 CFR 50.44, "Standards for Combustible Gas Control Systems in Light-Water-Cooled Reactors" (Ref. 7), and 10 CFR 50, GDC 41, "Containment Atmosphere Cleanup" (Ref. 1).
The Containment Spray System accelerates the air mixing process between the upper dome space of the containment atmosphere during LOCA operations. It also prevents any hot spot air pockets during the containment cooling mode and avoids any hydrogen concentration in pocket areas.

APPLICABLE SAFETY ANALYSES

The Containment Spray System limits the temperature and pressure that could be experienced following a DBA. The Containment Spray System is required to be capable of reducing containment pressure to 1/2 the peak pressure within 24 hours following a DBA. The limiting DBAs considered relative to containment temperature and pressure are the Loss Of Coolant Accident (LOCA) and the Main Steam Line Break (MSLB). The DBA LOCA and MSLB are analyzed using computer codes designed to predict the resultant containment pressure and temperature transients. No DBAs are assumed to occur simultaneously or consecutively. The postulated DBAs are analyzed with regard to containment ESF systems, assuming the loss of one ESF bus, which is the worst case single active failure, resulting in one train of the Containment Spray System being rendered inoperable.

The analysis and evaluation show that under the worst case scenario, the highest peak containment pressure is 58.0 psig (experienced during a LOCA). The analysis shows that the peak containment vapor temperature is 405.65°F (experienced during a MSLB). Both results are within the design. (See the Bases for Specifications 3.6.4, "Containment Pressure,"
and 3.6.5, "Containment Air Temperature," for a detailed discussion.) The analyses and evaluations assume a power level of 102% RTP, one containment spray train operating, and initial (pre-accident) conditions of 120°F and 16.7 psia (LOCA) and 13.22 psia (MSLB). The analyses also assume a response time delayed initiation in order to provide a conservative calculation of peak containment pressure and temperature responses.

The effect of an inadvertent containment spray actuation has been analyzed and is discussed in the Bases for Specification 3.6.4.
The modeled Containment Spray System actuation from the containment analysis is based upon a response time associated with exceeding the containment High-High pressure setpoint to achieve full flow through the containment spray nozzles. The Containment Spray System total response time includes diesel generator startup (for loss of offsite power), block loading of equipment, containment spray pump startup, and spray line filling (Ref. 2).

The Containment Spray System mixes the containment atmosphere to provide a uniform hydrogen concentration.
Hydrogen may accumulate in containment following a LOCA as a result of:

a. A metal steam reaction between the zirconium fuel rod cladding and the reactor coolant;
b. Radiolytic decomposition of water in the Reactor Coolant System (RCS) and the containment sump;
c. Hydrogen in the RCS at the time of the LOCA (i.e., hydrogen dissolved in the reactor coolant and hydrogen gas in the pressurizer vapor space); or
d. Corrosion of metals exposed to Containment Spray System and Emergency Core Cooling Systems solution.

To evaluate the potential for hydrogen accumulation in containment following a LOCA, the hydrogen generation as a function of time following the initiation of the accident is calculated. Conservative assumptions recommended by Reference 8 are used to maximize the amount of hydrogen calculated.

The Containment Spray System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

During a DBA, one containment spray train is required to maintain the containment peak pressure and temperature below the design limits (Ref. 5), to remove iodine from the containment atmosphere to maintain concentrations below those assumed in the safety analysis, and provide hydrogen mixing. To ensure that these requirements are met, two containment spray trains must be OPERABLE. Each spray train must be capable of taking suction from the RWT on a containment spray actuation signal and automatically transferring suction to the containment sump on a recirculation actuation signal. Each spray train flow path from the containment sump shall be via an OPERABLE shutdown cooling heat exchanger.
Therefore, in the event of an accident, the minimum requirements are met, assuming that the worst case single active failure occurs.

Each Containment Spray System typically includes a spray pump, a shutdown cooling heat exchanger, spray headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWT upon an ESF actuation signal and automatically transferring suction to the containment sump.

APPLICABILITY

In MODES 1, 2, and 3, and MODE 4 with RCS pressure ≥ 385 psia, a DBA could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the containment spray trains. In MODE 4 with RCS pressure < 385 psia and MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Thus, the Containment Spray System is not required to be OPERABLE in these MODES.

ACTIONS

A.1

With one containment spray train inoperable, the inoperable containment spray train must be restored to OPERABLE status within 72 hours. In this Condition, the remaining OPERABLE spray train is adequate to perform the iodine removal, hydrogen mixing, and containment cooling functions. The 72 hour Completion Time takes into account the redundant heat removal capability afforded by the Containment Spray System, reasonable time for repairs, and the low probability of a DBA occurring during this period.
B.1 and B.2

If the inoperable containment spray train cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 with RCS pressure < 385 psia within 84 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. The extended interval to reach MODE 4 with RCS pressure < 385 psia allows additional time for the restoration of the containment spray train and is reasonable when considering that the driving force for a release of radioactive material from the Reactor Coolant System is reduced in MODE 3.

C.1

With two containment spray trains inoperable, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE REQUIREMENTS

SR 3.6.6.1

Verifying the correct alignment for manual, power operated, and automatic valves in the containment spray flow path provides assurance that the proper flow paths will exist for Containment Spray System operation (positioned to take suction from the RWT on a containment spray actuation test signal [CSAS]). This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to being secured. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves.
This SR does not require any testing or valve manipulation. Rather, it involves verifying, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.6.6.2

Verifying that the containment spray header piping is full of water to the 113 ft level minimizes the time required to fill the header. This ensures that spray flow will be admitted to the containment atmosphere within the time frame assumed in the containment analysis. The analyses show that the header may be filled with unborated water which helps to reduce boron plate out due to evaporation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The value of 113 ft is an indicated value which accounts for instrument uncertainty.

SR 3.6.6.3

Verifying that each containment spray pump's developed head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by the ASME OM Code (Ref. 6). Since the containment spray pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow (either full flow or miniflow as conditions permit). This test is indicative of overall performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.
SR 3.6.6.4 and SR 3.6.6.5

These SRs verify that each automatic containment spray valve actuates to its correct position and that each containment spray pump starts upon receipt of an actual or simulated safety injection actuation signal, recirculation actuation signal and containment spray actuation signal as applicable.
This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The surveillance of containment sump isolation valves is also required by SR 3.5.3.5. A single surveillance may be used to satisfy both requirements.

SR 3.6.6.6

Unobstructed flow headers and nozzles are determined by either flow testing or visual inspection. With the containment spray inlet valves closed and the spray header drained of any solution, low pressure air or smoke can be blown through test connections. Performance of this SR demonstrates that each spray nozzle is unobstructed and provides assurance that spray coverage of the containment during an accident is not degraded. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES

1. 10 CFR 50, Appendix A, GDC 38, GDC 39, GDC 40, GDC 41, GDC 42, and GDC 43.
2. UFSAR, Section 6.2.
3. UFSAR, Section 6.5.
4. UFSAR, Section 7.3.
5. UFSAR, Section 3.1.34
6. ASME Code for Operation and Maintenance of Nuclear Power Plants.
7. 10 CFR 50.44.
8. Regulatory Guide 1.7, Revision 0.
PALO VERDE UNITS 1,2,3 B 3.7.1-1 REVISION 28

B 3.7 PLANT SYSTEMS

B 3.7.1 Main Steam Safety Valves (MSSVs)

BASES

BACKGROUND

The primary purpose of the MSSVs is to provide overpressure protection for the secondary system. The MSSVs also provide protection against overpressurizing the Reactor Coolant Pressure Boundary (RCPB) by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not available.

Five MSSVs are located on each of the four main steam lines, outside containment, upstream of the main steam isolation valves, as described in the UFSAR, Section 5.2 (Ref. 1). The MSSV rated capacity passes the full steam flow at 102% RTP (100% + 2% for instrument error) with the valves full open. This meets the requirements of the ASME Code, Section III (Ref. 2). The MSSV design includes staggered setpoints, according to Table 3.7.1-2, in the accompanying LCO, so that only the number of valves needed will actuate. Staggered setpoints reduce the potential for valve chattering if there is insufficient steam pressure to fully open all valves.

APPLICABLE SAFETY ANALYSES

The design basis for the MSSVs comes from Reference 2; its purpose is to limit secondary system pressure to ≤ 110% of design pressure when passing 100% of design steam flow. This design basis is sufficient to cope with any Anticipated Operational Occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.

The events that challenge the MSSV relieving capacity, and thus RCS pressure, are those characterized as decreased heat removal events, and are presented in the FSAR, Section 15.2 (Ref. 3).
Of these, the full power Loss Of Condenser Vacuum (LOCV) event is the limiting AOO. An LOCV isolates the turbine and condenser, and terminates normal feedwater flow to the steam generators. Peak Main Steam System and Reactor Coolant System (RCS) pressure occur before delivery of auxiliary feedwater to the steam generators. The peak pressures become high enough to actuate both the Main Steam Safety Valves (MSSVs) and Pressurizer Safety Valves, but remain less than 110% of the design (1397 and 2750 psia for main steam system and RCS, respectively). The LOCV Secondary Peak Pressure event is the limiting decrease in heat removal transient for determining the maximum allowed thermal power with inoperable MSSVs.
The limiting accident for peak RCS pressure is the full power feedwater line break (FWLB), inside containment, with the failure of the backflow check valve in the feedwater line from the affected steam generator. Water from the affected steam generator is assumed to be lost through the break with minimal additional heat transfer from the RCS.
With heat removal limited to the unaffected steam generator, the reduced heat transfer causes an increase in RCS temperature, and the resulting RCS fluid expansion causes an increase in pressure. The increase in Main Steam and Reactor Coolant System pressure is mitigated by the relief capacity of the Main Steam Safety Valves (MSSVs) and pressurizer safety valves. The peak pressures do not exceed 120% of the design pressure (1524 psia and 3000 psia for main steam and RCS, respectively). These results were found acceptable by the NRC based on the low probability of the event.

In MODE 3, one MSSV per steam generator (two total) have sufficient relieving capacity to dissipate core decay heat and reactor coolant pump heat to limit secondary system pressure to less than or equal to 110% of design pressure, as required by ASME Code, Section III (Ref. 2). A minimum of two MSSVs per steam generator are required to be operable in MODE 3 in case of a single failure of one of the valves in either steam generator.

The MSSVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO requires all MSSVs to be OPERABLE in compliance with Reference 2, even though this is not a requirement of the DBA analysis. This is because operation with less than the full number of MSSVs requires limitations on allowable THERMAL POWER (to meet Reference 2 requirements), and adjustment to the Reactor Protective System trip setpoints in MODES 1 and 2. These limitations are according to those shown in Table 3.7.1-1 and Required Action A.2 in the accompanying LCO. Since the VOPT is not required to be operable in MODE 3 according to TSs 3.3.1 and 3.3.2, a note has been added to Table 3.7.1-1 stating that the VOPT setpoint is not required to be reset in MODE 3. An MSSV is considered inoperable if it fails to open upon demand.
The OPERABILITY of the MSSVs is defined as the ability to open within the setpoint tolerances, relieve steam generator overpressure, and reseat when pressure has been reduced. The OPERABILITY of the MSSVs is determined by periodic surveillance testing in accordance with the Inservice Testing Program. The lift settings, according to Table 3.7.1-2 in the accompanying LCO, correspond to ambient conditions of the valve at nominal operating temperature and pressure.

This LCO provides assurance that the MSSVs will perform their designed safety function to mitigate the consequences of accidents that could result in a challenge to the RCPB.

APPLICABILITY

In MODES 1 and 2, a minimum of six MSSVs per steam generator are required to be OPERABLE (up to four allowed inoperable), according to Table 3.7.1-1 in the accompanying LCO, which is limiting and bounds all lower MODES. In MODE 3, a minimum of two MSSVs per steam generator are required to be operable (up to eight allowed inoperable) according to Table 3.7.1-1 in the accompanying LCO.

In MODES 4 and 5, there are no credible transients requiring the MSSVs. The steam generators are not normally used for heat removal in MODES 5 and 6, and thus cannot be overpressurized; there is no requirement for the MSSVs to be OPERABLE in these MODES.

ACTIONS

The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each MSSV.

A.1 and A.2

When 10 MSSVs are OPERABLE per steam generator (none inoperable), THERMAL POWER is limited to 100% RTP per the Operating Licenses, and the VOPT allowable trip setpoint is limited to 111.0% RTP per TS Table 3.3.1-1.

When one to four MSSVs per steam generator are inoperable in MODES 1 or 2, an alternative to restoring inoperable MSSV(s) to OPERABLE status is to reduce power in accordance with Table 3.7.1-1. These reduced power levels, derived from the transient analysis, compensate for degraded relieving capacity and ensure that the results of the transient analysis are acceptable. The operator should limit the maximum steady state power level to the value determined from Table 3.7.1-1 to avoid an inadvertent overpower trip.
The Completion Time of 36 hours for Required Action A.2 is based on a reasonable time to correct the MSSV inoperability, the time required to perform power reduction, operating experience in resetting all channels of a protective function and on the low probability of the occurrence of a transient that could result in steam generator overpressure during this period.

B.1

When one to four required MSSVs per steam generator are inoperable in MODES 1 or 2 and reactor power and the VOPT setpoint are not reduced to within the required values within the required Completion Times, or when five to eight MSSVs per steam generator are inoperable in MODES 1 or 2, an alternative to restoring inoperable MSSV(s) to OPERABLE status is to place the plant in MODE 3 within 6 hours so that the available MSSV relieving capacity meets Code requirements. The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1

If the plant is not placed in MODE 3 within the Completion Time for Required Action B.1, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 4 within 6 hours. The allowed Completion Time, in conjunction with the Completion Time for Required Action B.1, is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
D.1

When more than eight required MSSVs per steam generator are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.1.1

This SR verifies the OPERABILITY of the MSSVs by the verification of each MSSV lift setpoint in accordance with the Inservice Testing Program. The ASME OM Code (Ref. 4) requires the following tests for MSSVs:
: a. Visual examination;
: b. Seat tightness determination;
: c. Setpoint pressure determination (lift setting);
: d. Compliance with owner's seat tightness criteria; and
: e. Verification of the balancing device integrity on balanced valves.

The ASME OM Code requires that all valves be tested every 5 years, and a minimum of 20% of the valves tested every 24 months. The ASME OM Code specifies the activities and frequencies necessary to satisfy the requirements.
Table 3.7.1-2 allows a ±3% setpoint tolerance for OPERABILITY; however, the valves are reset to ±1% during the Surveillance to allow for drift.

This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. This is to allow testing of the MSSVs at hot conditions. The MSSVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the MSSVs are not tested at hot conditions, the lift setting pressure shall be corrected to ambient conditions of the valve at operating temperature and pressure.

REFERENCES
: 1. UFSAR, Section 5.2.
: 2. ASME, Boiler and Pressure Vessel Code, Section III, Article NC-7000, Class 2 Components.
: 3. UFSAR, Section 15.2.
: 4. ASME Code for Operation and Maintenance of Nuclear Power Plants.
B 3.7 PLANT SYSTEMS

B 3.7.2 Main Steam Isolation Valves (MSIVs)

BASES

BACKGROUND

The MSIVs isolate steam flow from the secondary side of the steam generators following a High Energy Line Break (HELB). MSIV closure terminates flow from the unaffected (intact) steam generator.

One MSIV is located in each main steam line outside, but close to, containment. The MSIVs are downstream from the Main Steam Safety Valves (MSSVs), atmospheric dump valves, and auxiliary feedwater pump turbine steam supplies to prevent their being isolated from the steam generators by MSIV closure. Closing the MSIVs isolates each steam generator from the other, and isolates the turbine, Steam Bypass Control System, and other auxiliary steam supplies from the steam generators.

The MSIV is a 28-inch gate valve with redundant hydraulic actuator trains. The actuation system is composed of redundant trains A and B. The instrumentation and controls of the train A valve actuator trains are physically and electrically separate and independent of the instrumentation and control of the train B valve actuator trains. Either actuator train can independently perform the safety function to fast-close the MSIV on demand. Each actuator train consists of a hydraulic accumulator controlled by solenoid valves on the associated MSIV.

The MSIVs close on a main steam isolation signal generated by either low steam generator pressure, high steam generator level or high containment pressure. The MSIVs fail closed on loss of control or actuation power. The MSIS also actuates the Main Feedwater Isolation Valves (MFIVs) to close. The MSIVs may also be actuated manually.

A description of the MSIVs is found in the FSAR, Section 10.3 (Ref. 1).
APPLICABLE SAFETY ANALYSES

The design basis of the MSIVs is established by the containment analysis for the large steam line break (SLB) inside containment, as discussed in the CESSAR, Section 6.2 (Ref. 2). It is also influenced by the accident analysis of the SLB events presented in the UFSAR, Section 15.1.5 (Ref. 3). The design precludes the blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSIV to close on demand).

The limiting case for the containment analysis is the hot zero power SLB inside containment with a loss of offsite power following turbine trip, and failure of the MSIV on the affected steam line to close. At zero power, the steam generator inventory and temperature are at their maximum, maximizing the analyzed mass and energy release to the containment. Due to reverse flow, failure of the MSIV to close contributes to the total release of the additional mass and energy in the steam headers, which are downstream of the other MSIVs. With the most reactive control element assembly assumed stuck in the fully withdrawn position, there is an increased possibility that the core will become critical and return to power. The core is ultimately shut down by the borated water injection delivered by the Emergency Core Cooling System. Other failures considered are the failure of an MFIV to close, and failure of an emergency diesel generator to start.

The accident analysis compares several different SLB events against different acceptance criteria. The large SLB outside containment upstream of the MSIV is limiting for offsite dose, although a break in this short section of main steam header has a very low probability.
The large SLB inside containment at hot full power is the limiting case for a post trip return to power. The analysis includes scenarios with offsite power available and with a loss of offsite power following turbine trip. With offsite power available, the reactor coolant pumps continue to circulate coolant through the steam generators, maximizing the Reactor Coolant System (RCS) cooldown. With a loss of offsite power, the response of mitigating systems, such as the High Pressure Safety Injection (HPSI) pumps, is delayed. Significant single failures considered include: failure of a MSIV to close, failure of an emergency diesel generator, and failure of a HPSI pump.
The MSIVs serve only a safety function and remain open during power operation. These valves operate under the following situations:
: a. An HELB inside containment. In order to maximize the mass and energy release into the containment, the analysis assumes that the MSIV in the affected steam line remains open. For this accident scenario, steam is discharged into containment from both steam generators until closure of the MSIVs in the intact steam generator occurs. After MSIV closure, steam is discharged into containment only from the affected steam generator, and from the residual steam in the main steam header downstream of the closed MSIVs in the intact loops.
: b. A break outside of containment and upstream from the MSIVs. This scenario is not a containment pressurization concern. The uncontrolled blowdown of more than one steam generator must be prevented to limit the potential for uncontrolled RCS cooldown and positive reactivity addition. Closure of the MSIVs isolates the break, and limits the blowdown to a single steam generator.
: c. A break downstream of the MSIVs. This type of break will be isolated by the closure of the MSIVs. Events such as increased steam flow through the turbine or the steam bypass valves will also terminate on closure of the MSIVs.
: d. A steam generator tube rupture. For this scenario, closure of the MSIVs isolates the affected steam generator from the intact steam generator. In addition to minimizing radiological releases, this enables the operator to maintain the pressure of the steam generator with the ruptured tube high enough to allow flow isolation while remaining below the MSSV setpoints, a necessary step toward isolating the flow through the rupture.
: e. The MSIVs are also utilized during other events such as a feedwater line break. These events are less limiting so far as MSIV OPERABILITY is concerned.

The MSIVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

This LCO requires that the MSIV and its associated actuator trains in each of the four steam lines be OPERABLE. The MSIVs are considered OPERABLE when the isolation times are within limits, and they close on an isolation actuation signal. An MSIV actuator train is considered OPERABLE when it is capable of fast-closing the associated MSIV on demand and within the required isolation time. This includes having adequate accumulator pressure to support fast-closure of the MSIV within the required isolation time and adequate air pressure available to fast close the MSIV.

This LCO provides assurance that the MSIVs will perform their design safety function to mitigate the consequences of accidents that could result in offsite exposures comparable to the 10 CFR 100 (Ref. 4) limits.

APPLICABILITY

The MSIVs must be OPERABLE in MODE 1 and in MODES 2, 3 and 4 except when all MSIVs are closed and deactivated when there is significant mass and energy in the RCS and steam generators. When the MSIVs are closed, they are already performing their safety function. The MSIV actuator trains must be OPERABLE in MODES 1, 2, 3 and 4 to support operation of the MSIV.

In MODES 5 and 6, the steam generators do not contain much energy because their temperature is below the boiling point of water; therefore, the MSIVs are not required for isolation of potential high energy secondary system pipe breaks in these MODES.

ACTIONS

The LCO specifies OPERABILITY requirements for the MSIVs as well as for their associated actuator trains.
The Conditions and Required Actions for TS 3.7.2 separately address inoperability of the MSIV actuator trains and inoperability of the MSIVs themselves.
A.1

With one MSIV with a single actuator train inoperable (i.e., one Train A or one Train B), action must be taken to restore the inoperable actuator train to OPERABLE status within 7 days. The 7-day Completion Time is reasonable in light of the redundant actuator train design such that with one actuator train inoperable, the affected MSIV is still capable of closing on demand via the remaining OPERABLE actuator train. The 7-day Completion Time takes into account the redundant OPERABLE actuator train to the MSIV, reasonable time for repairs, and the low probability of an event occurring that requires the inoperable actuator train to the affected MSIV.

B.1

With two MSIVs each with a single actuator train inoperable such that the inoperable actuator trains are not in the same train (i.e., one Train A and one Train B), action must be taken to restore one of the inoperable actuator trains to OPERABLE status within 72 hours. With two actuator trains inoperable on two MSIVs, there is an increased likelihood that an additional failure (such as the failure of an actuation logic train) could cause one MSIV to fail to close. The 72-hour Completion Time is reasonable since the redundant actuator train design ensures that with only one actuator train on each of two affected MSIVs inoperable, each MSIV is still capable of closing on demand.

C.1

With two MSIVs each with a single actuator train inoperable and the inoperable actuator trains are both in the same train (i.e., both Train A, or both Train B), action must be taken to restore one of the inoperable actuator trains to OPERABLE status within 48 hours.
The 48-hour Completion Time provides a reasonable amount of time for restoring at least one actuator train since the redundant actuator train design for each MSIV ensures that a single inoperable actuator train cannot prevent the affected MSIV(s) from closing on demand. With two actuator trains inoperable in the same separation group, an additional failure (such as the failure of an actuation logic train in the other separation group) could cause both affected MSIVs to fail to close on demand. The 48 hour Completion Time takes into account the redundant OPERABLE actuator trains to the affected MSIVs and the low probability of an event occurring that requires the inoperable actuator trains to the affected MSIVs.

D.1

With two actuator trains for one MSIV inoperable, Required Action D.1 provides assurance that the appropriate Action is entered for one MSIV inoperable. Failure of both actuator trains for a single MSIV results in the inability to fast close the affected MSIV on demand.

E.1

With three or more MSIV actuator trains inoperable or when Required Action A.1, B.1, or C.1 cannot be completed within the required Completion Time, the affected MSIVs may be incapable of closing on demand and must be immediately declared inoperable. Having three actuator trains inoperable could involve two inoperable actuator trains on one MSIV and one inoperable actuator train on another MSIV, or an inoperable actuator train on each of three MSIVs, for which the inoperable actuator trains could all be in the same separation group or be staggered among the two separation groups.
Depending on which of these conditions or combinations is in effect, the condition or combination could mean that all of the affected MSIVs remain capable of closing on demand (due to the redundant actuator train design), or that at least one MSIV is inoperable, or that with an additional single failure up to three MSIVs could be incapable of closing on demand. Therefore, in some cases, immediately declaring the affected MSIVs inoperable is conservative (when some or all of the affected MSIVs may still be capable of closing on demand even with a single additional failure), while in other cases it is appropriate (when at least one of the MSIVs would be inoperable, or up to three could be rendered inoperable by an additional single failure). Required Action E.1 is conservatively based on the worst-case condition and therefore requires immediately declaring all the affected MSIVs inoperable. Declaring two or more MSIVs inoperable while in MODE 1 requires entry into LCO 3.0.3.

F.1

With one MSIV inoperable in MODE 1, time is allowed to restore the component to OPERABLE status. Some repairs can be made to the MSIV with the unit hot. The 4 hour Completion Time is reasonable, considering the probability of an accident occurring during the time period that would require closure of the MSIVs.

Condition F is entered when one MSIV is inoperable in MODE 1, including when both actuator trains for one MSIV are inoperable. When only one actuator train is inoperable on one MSIV, Condition A applies.

The 4 hour Completion Time is consistent with that normally allowed for containment isolation valves that isolate a closed system penetrating containment.
These valves differ from other containment isolation valves in that the closed system provides an additional means for containment isolation.

G.1

If the MSIV cannot be restored to OPERABLE within 4 hours, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in MODE 2 within 6 hours and Condition H would be entered. The Completion Time is reasonable, based on operating experience, to reach MODE 2, and close the MSIVs in an orderly manner and without challenging unit systems.

H.1 and H.2

Condition H is modified by a Note indicating that separate Condition entry is allowed for each MSIV.

Since the MSIVs are required to be OPERABLE in MODES 2 and 3, the inoperable MSIVs may either be restored to OPERABLE status or closed. When closed, the MSIVs are already in the position required by the assumptions in the safety analysis.
The 4 hour Completion Time is consistent with that allowed in Condition F.

Inoperable MSIVs that cannot be restored to OPERABLE status within the specified Completion Time, but are closed, must be verified on a periodic basis to be closed. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, MSIV status indications available in the control room, and other administrative controls, to ensure these valves are in the closed position.

I.1 and I.2

If the MSIVs cannot be restored to OPERABLE status, or closed, within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from MODE 2 conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.2.1

This SR verifies that the closure time of each MSIV is within the limit given in Reference 5 with each actuator train on an actual or simulated actuation signal and is within that assumed in the accident and containment analyses. This SR also verifies the valve closure time is in accordance with the Inservice Testing Program. This SR is normally performed upon returning the unit to operation following a refueling outage. The MSIVs should not be full stroke tested at power.
The Frequency for this SR is in accordance with the Inservice Testing Program. This Frequency demonstrates the valve closure time at least once per refueling cycle.
This test is conducted in MODE 3, with the unit at operating temperature and pressure, as discussed in the Reference 6 exercising requirements. This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. This allows a delay of testing until MODE 3, in order to establish conditions consistent with those under which the acceptance criterion was generated.

REFERENCES
: 1. UFSAR, Section 10.3.
: 2. CESSAR, Section 6.2.
: 3. UFSAR, Section 15.1.5.
: 4. 10 CFR 100.11.
: 5. UFSAR, Section 5.1.5.
: 6. ASME Code for Operation and Maintenance of Nuclear Power Plants.
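The actuator-train Conditions A through E in the B 3.7.2 ACTIONS above depend only on how many actuator trains are inoperable and which MSIV and train each belongs to, and the Bases justify the Completion Times by asking what one additional failure would do. The sketch below is an added illustration, not part of the Technical Specification Bases: the labels MSIV-1 to MSIV-4 are constructed, and it assumes (a modelling simplification) that a failed actuation logic train removes that train's actuator on every MSIV.

```python
from collections import defaultdict

TRAINS = ("A", "B")
# Constructed labels for the MSIVs in the four steam lines (not plant tag numbers).
ALL_MSIVS = ("MSIV-1", "MSIV-2", "MSIV-3", "MSIV-4")

# Required Actions as worded in the Bases for Conditions A through E.
REQUIRED_ACTION = {
    "A": "restore the inoperable actuator train within 7 days",
    "B": "restore one inoperable actuator train within 72 hours",
    "C": "restore one inoperable actuator train within 48 hours",
    "D": "enter the Action for one MSIV inoperable",
    "E": "immediately declare the affected MSIVs inoperable",
}


def _group(inoperable):
    """Map each MSIV to the set of its inoperable actuator trains."""
    by_valve = defaultdict(set)
    for valve, train in inoperable:
        if valve not in ALL_MSIVS or train not in TRAINS:
            raise ValueError(f"unknown actuator train: {valve!r} {train!r}")
        by_valve[valve].add(train)
    return by_valve


def classify_actuator_condition(inoperable):
    """Return the Condition letter (A-E) for a set of (msiv, train) pairs,
    or None when no actuator train is inoperable."""
    by_valve = _group(inoperable)
    total = sum(len(trains) for trains in by_valve.values())
    if total == 0:
        return None
    if total >= 3:
        return "E"      # three or more actuator trains inoperable
    if total == 1:
        return "A"      # one MSIV, single train
    if len(by_valve) == 1:
        return "D"      # both trains of one MSIV
    first, second = (next(iter(t)) for t in by_valve.values())
    return "C" if first == second else "B"   # same train vs. different trains


def msivs_unable_to_close(inoperable, failed_logic_train=None):
    """MSIVs left with no OPERABLE actuator train, optionally after the
    assumed loss of one actuation logic train (takes out that train on
    every MSIV in this model)."""
    by_valve = _group(inoperable)
    lost = set()
    for valve in ALL_MSIVS:
        down = set(by_valve.get(valve, ()))
        if failed_logic_train is not None:
            down.add(failed_logic_train)
        if down >= set(TRAINS):
            lost.add(valve)
    return lost


def worst_case_single_failure(inoperable):
    """Largest set of MSIVs that one additional logic-train failure disables."""
    return max((msivs_unable_to_close(inoperable, t) for t in TRAINS), key=len)


if __name__ == "__main__":
    cases = [  # constructed sample inputs
        {("MSIV-1", "A")},
        {("MSIV-1", "A"), ("MSIV-2", "B")},
        {("MSIV-1", "A"), ("MSIV-2", "A")},
        {("MSIV-1", "A"), ("MSIV-1", "B")},
        {("MSIV-1", "A"), ("MSIV-2", "A"), ("MSIV-3", "A")},
    ]
    for case in cases:
        cond = classify_actuator_condition(case)
        worst = sorted(worst_case_single_failure(case))
        print(cond, REQUIRED_ACTION[cond], "| worst case:", worst)
```

The worst-case counts reproduce the reasoning in the Bases: one MSIV at risk under Condition B, both affected MSIVs under Condition C, and up to three when three inoperable trains share a separation group.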
B 3.7 PLANT SYSTEMS

B 3.7.3 Main Feedwater Isolation Valves (MFIVs)

BASES

BACKGROUND

The MFIVs isolate Main Feedwater (MFW) flow to the secondary side of the steam generators following a High Energy Line Break (HELB). Closure of the MFIVs terminates flow to both steam generators, terminating the event for Feedwater Line Breaks (FWLBs) occurring upstream of the MFIVs. The consequences of events occurring in the main steam lines or in the MFW lines downstream of the MFIVs will be mitigated by their closure. Closure of the MFIVs effectively terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release for Steam Line Breaks (SLBs) or FWLBs inside containment, and reducing the cooldown effects for SLBs.

The MFIVs isolate the nonsafety related portions from the safety related portion of the system. In the event of a secondary side pipe rupture inside containment, the valves limit the quantity of high energy fluid that enters containment through the break, and provide an additional pressure boundary for the controlled addition of Auxiliary Feedwater (AFW) to the intact loop.

Two MFIVs are located on each economizer and downcomer line, outside, but close to, containment. The downcomer MFIVs are located upstream of the train A and B AFW injection points so that AFW may be supplied to a steam generator following MFIV closure. The piping volume from the downcomer MFIVs to the steam generator must be accounted for in calculating mass and energy releases, and refilled prior to AFW reaching the steam generator following either an SLB or FWLB.

The MFIVs close on receipt of a Main Steam Isolation Signal (MSIS) generated by either low steam generator pressure, high steam generator level, or high containment pressure.
The MSIS also actuates the Main Steam Isolation Valves (MSIVs) to close. The MFIVs may also be actuated manually.
In addition to the MFIVs, check valves are available to isolate the feedwater line penetrating containment, and to ensure that the consequences of events do not exceed the capacity of the containment heat removal systems. A description of the MFIVs is found in the UFSAR, Section 10.4.7 (Ref. 1).
APPLICABLE SAFETY ANALYSES

The design basis of the MFIVs is established by the analysis for the large SLB. It is also influenced by the accident analysis for the large FWLB. Closure of the MFIVs may also be relied on to terminate a steam break for core response analysis and an excess feedwater flow event upon receipt of a MSIS on high steam generator level.

Failure of an MFIV to close following an SLB, FWLB, or excess feedwater flow event can result in additional mass and energy to the steam generators contributing to cooldown.
This failure also results in additional mass and energy releases following an SLB or FWLB event.

The MFIVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO ensures that the MFIVs will isolate MFW flow to the steam generators. Following an FWLB or SLB, these valves will also isolate the nonsafety related portions from the safety related portions of the system. This LCO requires that two MFIVs in each feedwater line be OPERABLE. The MFIVs are considered OPERABLE when the isolation times are within limits, and are closed on an isolation actuation signal.

Failure to meet the LCO requirements can result in additional mass and energy being released to containment following an SLB or FWLB inside containment. If an MSIS on high steam generator level is relied on to terminate an excess feedwater flow event, failure to meet the LCO may result in the introduction of water into the main steam lines.

The four economizer MFIVs are:
: SGA-UV 174#
: SGB-UV 132#
: SGB-UV 137#
: SGA-UV 177#

The four downcomer MFIVs are:
: SGB-UV 130#
: SGA-UV 172#
: SGB-UV 135#
: SGA-UV 175#
APPLICABILITY

The MFIVs must be OPERABLE whenever there is significant mass and energy in the Reactor Coolant System and steam generators. This ensures that, in the event of an HELB, a single failure cannot result in the blowdown of more than one steam generator.

In MODES 1, 2, 3, and 4, the MFIVs are required to be OPERABLE, except when they are closed and deactivated or isolated by a deactivated and closed power operated valve, in order to limit the amount of available fluid that could be added to containment in the case of a secondary system pipe break inside containment. When the valves are closed or isolated by a closed power operated valve, they are already performing their safety function.

In MODES 5 and 6, steam generator energy is low. Therefore, the MFIVs are not required.

ACTIONS

The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each penetration flow path.

A.1 and A.2

With one MFIV inoperable, action must be taken to close or isolate the inoperable valves within 72 hours. When these valves are closed or isolated, they are performing their required safety function (e.g., to isolate the line).

The 72 hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves, and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths.

Inoperable MFIVs that are closed to comply with Required Action A.1 must be verified on a periodic basis to be closed. This is necessary to ensure that the assumptions in the safety analysis remain valid. The seven day Completion Time is reasonable, based on engineering judgment, MFIV status indications available in the control room, and other administrative controls, to ensure these valves are in the closed position.
B.1 and B.2

If more than one MFIV in the same flow path cannot be restored to OPERABLE status, then there may be no system to operate automatically and perform the required safety function. Under these conditions, valves in each flow path must be restored to OPERABLE status, closed, or the flow path isolated within 8 hours. This action returns the system to the condition where at least one valve in each flow path is performing the required safety function. The 8 hour Completion Time is reasonable to close an MFIV or otherwise isolate the affected flow path.

Inoperable MFIVs that cannot be restored to OPERABLE status within the Completion Time, but are closed or isolated, must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls to ensure that these valves are closed or isolated.

C.1 and C.2

If the MFIVs cannot be restored to OPERABLE status, closed, or isolated in the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS
SR 3.7.3.1
This SR verifies that closure time of each MFIV is within the limit given in Reference 2 on an actual or simulated actuation signal and is within that assumed in the accident and containment analyses. This SR also verifies the valve closure time is in accordance with the Inservice Testing Program. This SR is normally performed upon returning the unit to operation following a refueling outage. The MFIVs should not be full stroke tested at power. The Frequency is in accordance with the Inservice Testing Program. The Frequency for valve closure time is based on the refueling cycle. Operating experience has shown that these components usually pass the SR when performed at the specified Frequency.
REFERENCES
1. UFSAR, Section 10.4.7.
2. UFSAR, Section 5.1.5.
B 3.7 PLANT SYSTEMS
B 3.7.4 Atmospheric Dump Valves (ADVs)
BASES
BACKGROUND
The ADVs provide a safety grade method for cooling the unit to Shutdown Cooling (SDC) System entry conditions, should the preferred heat sink via the Steam Bypass Control System (SBCS) to the condenser and/or atmosphere not be available, as discussed in the UFSAR, Section 10.3 (Ref. 1). The ADVs have the capacity to achieve and maintain safe shutdown conditions following design basis accidents involving a loss of offsite power and/or closure of the Main Steam Isolation Valves (MSIVs) following receipt of a Main Steam Isolation Signal (MSIS). This is done in conjunction with the Auxiliary Feedwater System providing cooling water from the Condensate Storage Tank (CST). The ADVs may also be required to meet the design cooldown rate during a normal cooldown. Four ADV lines are provided. Each ADV line consists of one normally closed ADV and an associated, normally open block valve. Two ADV lines per steam generator are required to meet the single failure assumptions following a design basis accident that may render one steam generator (SG) unavailable for heat removal. The ADV block valves permit testing of the ADVs while a unit is at power. The safety analyses, however, do not credit block valve operation as a means of isolation of a failed open ADV. The ADVs are equipped with pneumatic controllers to permit control of the cooldown rate. The ADVs are provided with a pressurized gas supply of bottled nitrogen that, on a loss of pressure in the normal instrument air supply, automatically supplies nitrogen to operate the ADVs.
The nitrogen supply is sized to provide sufficient pressurized gas to operate the ADVs for the time required for Reactor Coolant System (RCS) cooldown to the Shutdown Cooling (SDC) System entry conditions, as described in UFSAR Appendix 5C, "Natural Circulation Cooldown Analysis." The Appendix 5C analysis is based on the assumptions and conditions in the NRC's Branch Technical Position (BTP) RSB 5-1, "Design Requirements of the Residual Heat Removal System." RSB 5-1 is an attachment to Standard Review Plan (SRP) 5.4.7, "Residual Heat Removal (RHR) System," and identifies RHR System requirements that ensure conformance with General Design Criteria (GDC) 34, "Residual Heat Removal." The PVNGS RSB 5-1 cooldown scenario described in UFSAR Appendix 5C is based on a natural circulation cooldown with both steam generators (SGs) available, using safety-grade equipment, assuming a loss of offsite power, a limiting single failure (assumed to be a diesel generator failure), and with minimal operator actions outside the control room, as approved by the NRC. The RSB 5-1 cooldown duration was established during actual testing performed in January 1986, and was confirmed through subsequent analyses to address steam generator replacement and power uprates. A description of the ADVs is found in Reference 1. The ADVs require both Direct Current (DC) sources and class Alternating Current (AC) instrument power to be considered OPERABLE. In addition, non-safety related hand wheels are provided for local manual operations although hand wheels are not required for ADV OPERABILITY or credited in the accident analysis.
APPLICABLE SAFETY ANALYSES
The design basis of the ADVs is established by the capability to cool the unit to SDC System entry conditions. The design must also accommodate credible single failures that may render as many as two ADVs (i.e., one on each steam generator) incapable of opening on demand. This design is adequate to cool the unit to SDC System entry conditions with only one ADV and one SG, utilizing the cooling water supply available in the CST. Cooldown scenarios using a single ADV may require a combination of the available nitrogen supply and local manual operation or other actions. Alternatives for cooldown and for ADV operation beyond the RSB 5-1 scenario have been evaluated using probabilistic risk analysis (PRA) as part of the resolution of Unresolved Safety Issue (USI) A-45, "Shutdown Decay Heat Removal Requirements." USI A-45 was subsumed into the Individual Plant Examination (IPE) which used PRA techniques and was submitted to the NRC in response to Generic Letter 88-20.
The IPE considered various operator actions and the use of non-safety related equipment, and concluded that there are no significant heat removal vulnerabilities at PVNGS.
Operator actions to locally operate the ADVs are not credited in the UFSAR Chapter 15 accident analyses but are described in the EOPs; non-safety related equipment such as the supplemental nitrogen supply could also be used during extended cooldown situations. The design basis accident analyses also account for a single failure that may render one ADV incapable of being closed remotely, after it is opened by control room operators. This type of postulated failure yields more adverse radiological consequences for certain analyses, because it creates a pathway for radioisotope discharges to the environment. For accident mitigation the safety analyses do not credit isolation of a failed open ADV by either local manual hand wheel operation or closure of its associated block valve. The safety analyses in the UFSAR assume that plant operators will use the ADVs to cool down an affected unit to SDC System entry conditions, following accidents accompanied by a loss of offsite power and/or closure of the MSIVs. Initiation of operator action is typically assumed to occur 30 minutes following the initiation of an event; however, to conservatively bound maximum potential dose consequences for Steam Generator Tube Rupture (SGTR) events, initiation of this operator action is assumed to occur two minutes following reactor trip. Prior to the operator action, the Main Steam Safety Valves (MSSVs) are credited in the analyses to maintain SG pressure and temperature near the MSSV setpoints. The limiting design basis event for nitrogen supply capacity is the RSB 5-1 natural circulation cooldown scenario described above.
This scenario includes an initial period of 4 hours at hot standby conditions followed by natural circulation cooldown for 9.3 hours until SDC entry conditions are achieved. Each ADV is required to have a nitrogen supply that supports ADV operation for a total of 13.3 hours. Limiting design basis accidents with respect to RCS heat removal and ADV steam flow capacity include those that may render one SG unavailable, with a coincident loss of offsite power and a single active component failure (i.e., main steam line breaks upstream of the MSIVs, and feedwater line breaks).
The limiting design basis event with respect to offsite radiological consequences is a SGTR with a coincident loss of offsite power, a coincident RCS iodine spike, and a single failed open ADV on the affected SG (SGTRLOPSF). To determine bounding radiological consequences, an ADV is assumed to stick open during operator action that occurs two minutes after trip, and remains open for the duration of the cooldown. For this SGTRLOPSF case, plant operators will direct auxiliary feedwater flow to the affected SG after the accident has occurred. The steam released through the ADVs is contaminated, however, because of primary-to-secondary leakage that transports radioisotopes from the RCS to the SG. The ADVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
Four ADV lines are required to be OPERABLE, two on each SG to ensure a design basis accident that renders one SG unavailable for heat removal (in combination with a coincident loss of offsite power and a single active component failure) would not prevent control room operators from remotely opening an ADV on the unaffected SG. Failure to meet the LCO can result in an inability to cool the affected unit to SDC System entry conditions when the SBCS is unavailable. An ADV is considered OPERABLE when it is capable of providing a controlled relief of the main steam flow, and is capable of fully opening and closing on demand.
APPLICABILITY
In MODES 1, 2, and 3, and in MODE 4, when a SG is being relied upon for heat removal, the ADVs are required to be OPERABLE.
In MODES 5 and 6, there is insufficient heat available to produce steam that could be released through the ADVs, and design basis accidents such as main steam line breaks, feedwater line breaks, and SGTRs are not credible events.
ACTIONS
A.1
The condition for this ACTION is modified by a Note that states separate Condition entry is allowed for each SG. This is acceptable because only one SG is required for RCS heat removal after a design basis accident, and because this Condition provides the appropriate Required Action and Completion Time for one inoperable ADV line on each SG. With one ADV line on a SG inoperable, action must be taken to restore that ADV line to OPERABLE status within 7 days to meet the LCO for each SG that has entered this Condition. The 7-day Completion Time takes into consideration the redundant capability afforded by the remaining OPERABLE ADV lines, the safety grade MSSVs, and the non-safety grade backup of the SBCS.
B.1
With two or more ADV lines inoperable with both ADV lines inoperable on one or more SGs, action must be taken to restore one ADV line on each SG to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable to repair inoperable ADV lines, based on the availability of the Steam Bypass Control System and MSSVs, and the low probability of an event occurring during this period that requires the ADV lines.
NOTE: Entry into Condition B for all four ADV lines simultaneously inoperable is not intended for voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.
C.1 and C.2
If the ADV lines cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance on the SG for heat removal, within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS
SR 3.7.4.1
To perform a controlled cooldown of the RCS, the ADVs must be able to be opened and throttled through their full range. This SR ensures the ADVs are tested through a full control cycle. Performance of inservice testing or use of an ADV during a unit cooldown may satisfy this requirement. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. UFSAR, Section 10.3.
B 3.7 PLANT SYSTEMS
B 3.7.5 Auxiliary Feedwater (AFW) System
BASES
BACKGROUND
The AFW System automatically supplies feedwater to the steam generators to remove decay heat from the Reactor Coolant System upon the loss of normal feedwater supply. The AFW pumps take suction through separate and independent suction lines from the Condensate Storage Tank (CST) (LCO 3.7.6, "Condensate Storage Tank (CST)") and pump to the steam generator secondary side via the main feedwater (MFW) piping. The discharge piping from the two essential AFW pumps is cross connected outside containment. The AFW lines then penetrate containment and connect to the downcomer piping. The non-essential AFW pump discharge piping splits with a line connecting with each downcomer line outside containment. The steam generators function as a heat sink for core decay heat. The heat load is dissipated by releasing steam to the atmosphere from the steam generators via the Main Steam Safety Valves (MSSVs) (LCO 3.7.1, "Main Steam Safety Valves (MSSVs)") or Atmospheric Dump Valves (ADVs) (LCO 3.7.4, "Atmospheric Dump Valves (ADVs)"). If the main condenser is available, steam may be released via the steam bypass valves and recirculated to the CST. The AFW System consists of one essential motor driven AFW pump, one non-essential motor driven AFW pump, and one essential steam turbine driven pump configured into three trains. Each essential pump provides 100% of AFW flow capacity to the steam generators as assumed in the accident analysis. The non-essential pump is not capable of providing 100% capacity with the recirc line open. All three pumps are equipped with independent recirculation lines to prevent pump operation against a closed system.
The essential motor driven AFW pump is powered from an independent Class 1E power supply, and has the capability to be realigned from the control room to feed either steam generator. The non-essential motor driven AFW pump is powered from a Class 1E power supply and can be aligned to feed either steam generator. This pump is manually activated. One essential pump provides sufficient flow to remove decay heat and cool the unit to Shutdown Cooling (SDC) System entry conditions.
The steam turbine driven AFW pump receives steam from either main steam header upstream of the main steam isolation valve (MSIV). Each of the steam feed lines is capable of supplying 100% of the requirements of the turbine driven AFW pump. The turbine driven AFW pump is capable of feeding either steam generator, with DC powered control valves actuated to the appropriate steam generator by the Auxiliary Feedwater Actuation Signal (AFAS). The non-essential AFW train supplies feedwater to the steam generators during normal unit startup, shutdown, and hot standby conditions. For the normal plant conditions stated above, the non-essential AFW train is designed to supply sufficient water to the steam generator(s) to remove decay heat with steam generator pressure at no load conditions ( 1170 psia). Subsequently, the non-essential AFW train supplies sufficient water to cool the unit to SDC entry conditions. The AFW System actuates automatically on low steam generator level by the AFAS as described in LCO 3.3.5, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation."
The AFAS logic is designed to feed either or both steam generators with low levels, but will isolate the AFW System from a steam generator having a significantly lower steam pressure than the other steam generator. The AFAS automatically actuates the AFW turbine driven pump and associated DC operated valves and controls when required, to ensure an adequate feedwater supply to the steam generators.
DC operated valves are provided for each AFW line to control the AFW flow to each steam generator. The AFW System is discussed in the FSAR, Section 10.4.9 (Ref. 1).
APPLICABLE SAFETY ANALYSES
The AFW System mitigates the consequences of any event with a loss of normal feedwater.
The design basis of the essential AFW trains is to supply water to the steam generator to remove decay heat and other residual heat, by delivering at least the minimum required flow rate to the steam generators at pressures corresponding to 1270 psia at the entrance to the steam generators. The limiting Design Basis Accidents (DBAs) and transients for the AFW System are as follows:
a. Feedwater Line Break (FWLB); and
b. Main Steam Line Break (MSLB).
In addition, the minimum available AFW flow and system characteristics are serious considerations in the analysis of a small break loss of coolant accident. The AFW System design is such that it can perform its function following an FWLB between the MFW isolation valve and containment, combined with a loss of offsite power following turbine trip, and a single active failure of the steam turbine driven AFW pump. In such a case, the AFAS logic might not detect the affected steam generator if the backflow check valve to the affected MFW header worked properly. The non-essential motor driven AFW pump, if started manually, would deliver to the broken downcomer header at the pump runout flow until the problem was detected, and flow was terminated by the operator.
Sufficient flow would be delivered to the intact steam generator by the essential motor driven AFW pump. The AFW System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
This LCO requires that three AFW trains be OPERABLE to ensure that the AFW System will perform the design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Two essential and one non-essential AFW pumps, in two diverse trains, ensure availability of residual heat removal capability for all events accompanied by a loss of offsite power and a single failure. This is accomplished by powering the essential motor driven AFW pump from an emergency bus. The non-essential motor driven AFW pump can be manually loaded on its emergency bus. The third AFW pump is powered by a diverse means, a steam driven turbine supplied with steam from a source not isolated by the closure of the MSIVs. The AFW System is considered to be OPERABLE when the components and flow paths required to provide AFW flow to the steam generators are OPERABLE. This requires that the two motor driven AFW pumps be OPERABLE in two diverse paths, each capable of supplying AFW to either steam generator.
The turbine driven AFW pump shall be OPERABLE with redundant steam supplies from each of the two main steam lines upstream of the MSIVs and capable of supplying AFW flow to either of the two steam generators. The piping, valves, instrumentation, and controls in the required flow paths shall also be OPERABLE. Although the operability of the non-essential motor driven AFW pump is important from a risk perspective, this pump is not credited in the PVNGS Accident Analyses. The LCO is modified by a Note indicating that only one AFW train, which includes a motor driven pump, is required to be OPERABLE in MODE 4. This is because of reduced heat removal requirements, the short period of time in MODE 4 during which AFW is required, and the insufficient steam supply available in MODE 4 to power the turbine driven AFW pump.
APPLICABILITY
In MODES 1, 2, and 3, the AFW System is required to be OPERABLE and to function in the event that the MFW System is lost. In addition, the AFW System is required to supply enough makeup water to replace steam generator secondary inventory, lost as the unit cools to MODE 4 conditions. In MODE 4, the AFW System may be used for heat removal via the steam generator. In MODES 5 and 6, the steam generators are not normally used for decay heat removal, and the AFW System is not required.
A note prohibits the application of LCO 3.0.4.b to an inoperable AFW Train. There is an increased risk associated with entering a MODE or other specified condition in the applicability with an AFW train inoperable and the provisions of LCO 3.0.4.b which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.
ACTIONS
A.1
If one of the two steam supplies to the turbine driven AFW pumps is inoperable, or if a turbine driven pump is inoperable while in MODE 3 immediately following refueling (prior to MODE 2), action must be taken to restore OPERABLE status within 7 days. The 7 day Completion Time is reasonable based on the following reasons:
a. For the inoperability of a steam supply to the turbine-driven AFW pump, the 7 day Completion time is reasonable since there is a redundant steam supply line for the turbine driven pump.
b. For the inoperability of a turbine-driven AFW pump while in MODE 3 immediately subsequent to a refueling outage, the 7 day Completion time is reasonable due to the minimal decay heat levels in this situation.
c. For both the inoperability of a steam supply line to the turbine-driven pump and an inoperable turbine-driven AFW pump while in MODE 3 immediately following a refueling outage, the 7 day Completion time is reasonable due to the availability of redundant OPERABLE motor driven AFW pumps.
The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO. The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The AND connector between 7 days and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met. Condition A is modified by a Note which limits the applicability of the Condition to when the unit has not entered MODE 2 following a refueling. Condition A allows the turbine-driven AFW pump to be inoperable for 7 days vice the 72 hour Completion Time in Condition B. This longer Completion Time is based on the reduced decay heat following refueling and prior to the reactor being critical. It should be noted that when in this Condition with one steam supply to the turbine driven AFW pump inoperable, that the AFA train of AFW is considered to be inoperable.
B.1
With one of the required AFW trains (pump or flow path) inoperable, action must be taken to restore OPERABLE status within 72 hours. This Condition includes the loss of two steam supply lines to the turbine driven AFW pump. The 72 hour Completion Time is reasonable, based on the redundant capabilities afforded by the AFW System, the time needed for repairs, and the low probability of a DBA event occurring during this period. Two AFW pumps and flow paths remain to supply feedwater to the steam generators.
The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO. The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The AND connector between 72 hours and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.
C.1 and C.2
When either Required Action A.1 or B.1 cannot be completed within the required Completion Time, or if two AFW trains are inoperable in MODES 1, 2, and 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 12 hours. This Condition includes the loss of 2 AFW pumps. This Condition also includes the situation where one steam supply to the turbine driven AFW pump is inoperable, coincident with another ("B" or "N") AFW train inoperable. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, with two AFW trains inoperable, operation is allowed to continue because only one motor driven AFW pump (either the essential or the non-essential pump) is required in accordance with the Note that modifies the LCO. Although it is not required, the unit may continue to cool down and start the SDC.
D.1
Required Action D.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until one AFW train is restored to OPERABLE status. Completion Times are also suspended at the time the Condition is entered. The Completion Time is resumed with the time remaining when the Condition was entered upon restoration of one AFW train to OPERABLE status. With all three AFW trains inoperable in MODES 1, 2, and 3, the unit is in a seriously degraded condition with no TS related means for conducting a cooldown, and only limited means for conducting a cooldown with nonsafety grade equipment. In such a condition, the unit should not be perturbed by any action, including a power change, that might result in a trip. The seriousness of this condition requires that action be started immediately to restore one AFW train to OPERABLE status. LCO 3.0.3 is not applicable, as it could force the unit into a less safe condition.
E.1
Required Action E.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until one AFW train is restored to OPERABLE status.
Completion Times are also suspended at the time the Condition is entered. The Completion Time is resumed with the time remaining when the Condition was entered upon restoration of one AFW train to OPERABLE status. With one AFW train inoperable, action must be taken to immediately restore the inoperable train to OPERABLE status or to immediately verify, by administrative means, the OPERABILITY of a second train. LCO 3.0.3 is not applicable, as it could force the unit into a less safe condition. In MODE 4, either the reactor coolant pumps or the SDC loops can be used to provide forced circulation as discussed in LCO 3.4.6, "RCS Loops - MODE 4."
SURVEILLANCE REQUIREMENTS
SR 3.7.5.1
Verifying the correct alignment for manual, power operated, and automatic valves in the AFW water and steam supply flow paths provides assurance that the proper flow paths exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulations; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.7.5.2
Verifying that each AFW pump's developed head at the flow test point is greater than or equal to the required developed head ensures that AFW pump performance has not degraded during the cycle.
Flow and differential head are normal tests of pump performance required by the ASME OM Code (Ref. 2). Because it is undesirable to introduce cold AFW into the steam generators while they are operating, this testing may be performed on recirculation flow. This test confirms one point on the pump design curve and can be indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance.
Performance of inservice testing, discussed in the ASME OM Code (Ref. 2), at 3 month intervals satisfies this requirement. This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established.
Normal operating pressure is established in the steam generators when RCS temperature reaches 532°F; this corresponds to a Psat of 900 psia. This deferral is required because there is insufficient steam pressure to perform the test.

SR 3.7.5.3

This SR ensures that AFW can be delivered to the appropriate steam generator, in the event of any accident or transient that generates an AFAS signal, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. This SR is not required for the non-essential train since there are no automatic valves which receive an AFAS. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. Normal operating pressure is established in the steam generators when RCS temperature reaches 532°F; this corresponds to a Psat of 900 psia. This deferral is required because there is insufficient steam pressure to perform the test.
Also, this SR is modified by a Note that states the SR is not required in MODE 4. In MODE 4, the required AFW train is already aligned and operating.

SR 3.7.5.4

This SR ensures that the essential AFW pumps will start in the event of any accident or transient that generates an AFAS signal by demonstrating that each essential AFW pump starts automatically on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The non-essential AFW pump does not automatically activate and is not subject to this SR. This SR is modified by two Notes. Note 1 indicates that the SR be deferred until suitable test conditions are established. Normal operating pressure is established in the steam generators when RCS temperature reaches 532°F; this corresponds to a Psat of 900 psia. This deferral is required because there is insufficient steam pressure to perform the test. Note 2 states that the SR is not required in MODE 4. In MODE 4, the required pump is already operating and the autostart function is not required.

SR 3.7.5.5

This SR ensures that the AFW System is properly aligned by verifying the flow path from each essential AFW pump to each steam generator prior to entering MODE 2 operation, after 30 days in MODE 5 or 6. OPERABILITY of essential AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shutdown. The Frequency is reasonable, based on engineering judgment, and administrative controls to ensure that flow paths remain OPERABLE.
To further ensure AFW System alignment, the OPERABILITY of the essential AFW flow paths is verified following extended outages to determine that no misalignment of valves has occurred. This SR ensures that the flow path from the CST to the steam generators is properly aligned by requiring a verification of minimum flow capacity of 650 gpm at pressures corresponding to 1270 psia at the entrance to the steam generators. (This SR is not required for the non-essential AFW pump since it is normally used for startup and shutdown.)

REFERENCES

1. UFSAR, Section 10.4.9.
2. ASME Code for Operation and Maintenance of Nuclear Power Plants.
B 3.7  PLANT SYSTEMS

B 3.7.6  Condensate Storage Tank (CST)

BASES

BACKGROUND

The CST provides a safety grade source of water to the steam generators for removing decay and sensible heat from the Reactor Coolant System (RCS). The CST is the primary source of water for the Auxiliary Feedwater (AFW) System (LCO 3.7.5, "Auxiliary Feedwater (AFW) System"). The steam produced is released to the atmosphere by the Main Steam Safety Valves (MSSVs) or the atmospheric dump valves. When the main steam isolation valves are open, the preferred means of heat removal is to discharge steam to the condenser by the nonsafety grade path of the steam bypass control valves. The condensed steam is returned to the CST by the condensate pump draw-off. This has the advantage of conserving condensate while minimizing releases to the environment. Because the CST is a principal component in removing residual heat from the RCS, it is designed to withstand earthquakes and other natural phenomena. The CST is designed to Seismic Category I requirements to ensure availability of the feedwater supply. Feedwater is also available from the Reactor Makeup Water Tank (RMWT). A description of the CST is found in the UFSAR, Section 9.2.6 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The CST has sufficient volume to maintain the plant for 8 hours at MODE 3, followed by a symmetrical cooldown (two steam generators available) to shutdown cooling (SDC) entry conditions at the design cooldown rate in the event of main condenser unavailability.
The CST inventory is demonstrated to be sufficient by satisfying the requirements of long-term cooling event which includes both LOCA Long-Term Cooling and Reactor Systems Branch Technical Position 5-1 (RSB 5-1) "Design Requirements of the Residual Heat Removal System" (Ref. 4), scenario, described in UFSAR Appendix 5C, "Natural Circulation Cooldown Analysis", is based on a natural circulation cooldown with both steam generators (SGs) available, using safety-grade equipment, assuming a loss of offsite power, a limiting single failure, and with minimal operator actions outside the control room, as approved by the NRC. The RSB 5-1 guidance requires 4 hours at hot standby prior to initiating cooldown and is analytically found to be the bounding event for CST sizing. Transients and accidents other than the RSB 5-1 scenario and Long Term LOCA are evaluated deterministically in the UFSAR Chapter 15 analyses to demonstrate the ability to achieve hot standby conditions (Refs 2 and 3). Cooldown scenarios to SDC entry conditions outside the "events" described here are outside the current Design Basis. The Licensing Basis for these scenarios is that there are no significant decay heat removal vulnerabilities when all available plant equipment and the EOPs are evaluated through the facility's probabilistic risk assessment, as documented in the APS resolution of "Unresolved Safety Issue" (USI) A-45, "Shutdown Decay Heat Removal Requirements" and response to GL 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities."

The CST satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

The CST must contain sufficient cooling water to remove decay heat for 4 hours following a reactor trip from 102% RTP, and then cool down the RCS to SDC entry conditions, assuming a coincident loss of offsite power and the most adverse single failure as required by RSB 5-1. The CST level required is a usable volume of ≥ 300,000 gallons, which is based on holding the unit in MODE 3 for 8 hours, followed by a cooldown to SDC entry conditions at 75°F per hour. This basis is analytically bounded by the level required by the NRC Standard Review Plan Branch Technical Position, Reactor Systems Branch 5-1 (Ref. 4).
OPERABILITY of the CST is determined by maintaining the tank level at or above the minimum required level.
APPLICABILITY

In MODES 1, 2, and 3, and in MODE 4, when steam generator is being relied upon for heat removal, the CST is required to be OPERABLE. In MODES 5 and 6, the CST is not required because the AFW System is not required.

ACTIONS

A.1 and A.2

If the CST level is not within the limit, the OPERABILITY of the backup water supply (RMWT) must be verified within 4 hours. OPERABILITY of the RMWT must include initial alignment and verification of the OPERABILITY of flow paths from the RMWT to the AFW pumps, and availability of sufficient total water inventory using the combined CST and RMWT inventories to satisfy the requirements of long-term cooling event which includes both LOCA Long-Term Cooling and Reactor Systems Branch Technical Position 5-1 (RSB 5-1). The CST level must be returned to OPERABLE status within 7 days, as the RMWT may be performing this function in addition to its normal functions. The 4 hour Completion Time is reasonable, based on operating experience, to verify the OPERABILITY of the RMWT. The 7 day Completion Time is reasonable, based on an OPERABLE RMWT being available, and the low probability of an event requiring the use of the water from the CST occurring during this period.
B.1 and B.2

If the CST cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance on steam generator for heat removal, within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.6.1

This SR verifies that the CST contains the required volume of cooling water. (This level ≥ 29.5 ft (300,000 gallons)). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.6.
2. UFSAR, Chapter 6.
3. UFSAR, Chapter 15.
4. NRC Standard Review Plan Branch Technical Position (BTP) RSB 5-1.
B 3.7  PLANT SYSTEMS

B 3.7.7  Essential Cooling Water (EW) System

BASES

BACKGROUND

The EW System provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. The EW System acts as a backup to the non-safety related Nuclear Cooling Water System for several non-safety related loads.
The EW System serves as a barrier to the release of radioactive byproducts between potentially radioactive systems and the Essential Spray Pond System (ESPS), and thus to the environment. The EW System is arranged as two independent full capacity cooling loops, which are normally isolated from the Nuclear Cooling Water System. Each safety related train includes a full capacity pump, surge tank, heat exchanger, piping, valves, chemical addition tank, and instrumentation. Each safety related train is powered from a separate bus. The surge tank in the system provides pump trip protective functions to ensure sufficient net positive suction head is available. The pump in each train is automatically started on receipt of an ESFAS signal. Additional information on the design and operation of the system, along with a list of the components served, is presented in the UFSAR, Section 9.2.2, Reference 1, and Section 9.2.1, Reference 2. The principal safety related function of the EW System is the removal of decay heat from the reactor via the Shutdown Cooling (SDC) System heat exchanger.

APPLICABLE SAFETY ANALYSES

The design basis of the EW System is for one EW train in conjunction with the ultimate heat sink and a 100% capacity Containment Spray System to remove sufficient heat to ensure a safe reactor shutdown coincident with a loss of offsite power. The EW System provides a gradual reduction in the temperature of the containment sump fluid as it is supplied to the Reactor Coolant System (RCS) by the safety injection pumps.
The EW System is designed to perform its function with a single failure of any active component, assuming a loss of offsite power. The EW System also functions to cool the unit from SDC entry conditions (Tcold < 350°F) to MODE 5 (Tcold < 210°F) during normal and post accident operations. The time required to cool from 350°F to 210°F is a function of the number of EW and SDC trains operating. One EW train is sufficient to remove decay heat during subsequent operations with Tcold < 210°F. This assumes that the worst case meteorological conditions occur simultaneously with the maximum heat loads on the system. The EW System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The EW trains are independent of each other to the degree that each has separate controls and power supplies and the operation of one does not depend on the other. In the event of a DBA, one EW train is required to provide the minimum heat removal capability assumed in the safety analysis for the systems to which it supplies cooling water. To ensure this requirement is met, two EW trains must be OPERABLE. At least one EW train will operate assuming the worst single active failure occurs coincident with the loss of offsite power. An EW train is considered OPERABLE when:
: a. The associated pump and surge tank are OPERABLE; and
: b. The associated piping, valves, heat exchanger and instrumentation and controls required to perform the safety related function are OPERABLE.

The isolation of EW from other components or systems renders those components or systems inoperable, but does not necessarily affect the OPERABILITY of the EW System.
Isolation of the EW System to the Essential Chiller, while rendering the Essential Chiller inoperable, is acceptable and does not impact the OPERABILITY of the EW System.
Disassembly, removal of insulation, and other configuration changes to the isolated portions of an OPERABLE system must be explicitly evaluated for operability impact prior to executing any configuration changes of the OPERABLE system.
Isolation of the EW System to SDC system heat exchanger is not acceptable and would render both the EW System and the SDC system inoperable (Ref. 3). The EW System is inoperable in this situation because it is operating outside of the acceptable limits of the system.

APPLICABILITY

In MODES 1, 2, 3, and 4, the EW System must be prepared to perform its post accident safety functions, primarily RCS heat removal by cooling the SDC heat exchanger. When the plant is in other than MODES 1, 2, 3 or 4, the requirements for the EW System shall be consistent with the definition of OPERABILITY which requires (support) equipment to be capable of performing its related support function(s).

ACTIONS

A.1

Required Action A.1 is modified by a Note indicating the requirement of entry into the applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops - MODE 4," for SDC made inoperable by EW. This note is only applicable in Mode 4. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. With one EW train inoperable, action must be taken to restore OPERABLE status within 72 hours. In this Condition, the remaining OPERABLE EW train is adequate to perform the heat removal function. The 72 hour Completion Time is based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a DBA occurring during this period.

B.1 and B.2

If the EW train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.7.1

Verifying the correct alignment for manual, power operated, and automatic valves in the EW flow path provides assurance that the proper flow paths exist for EW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in their correct position. This SR is modified by a Note indicating that the isolation of the EW components or systems renders those components or systems inoperable but does not necessarily affect the OPERABILITY of the EW System. Isolation of the EW System to the Essential Chiller, while rendering the Essential Chiller inoperable, is acceptable and does not impact the OPERABILITY of the EW System. Isolation of the EW System to the SDC system heat exchanger is not acceptable and would render both the EW System and the SDC system inoperable (Ref. 3). The EW System is inoperable in this situation because it is operating outside of the acceptable limits of the system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.7.7.2

This SR verifies proper automatic operation of the EW valves on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.7.3

This SR verifies proper automatic operation of the EW pumps on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.2.
2. UFSAR, Section 9.2.1.
3. CRDR 980794

B 3.7  PLANT SYSTEMS

B 3.7.8  Essential Spray Pond System (ESPS)

BASES

BACKGROUND

The ESPS provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. During a normal shutdown, the ESPS also provides this function for various safety related components. The ESPS consists of two separate, 100% capacity safety related cooling water trains. Each train consists of one 100% capacity pump, one Essential Cooling Water (EW) heat exchanger, piping, valves, instrumentation, and a cleanup and Chemistry Control System. The valves are manually aligned, and secured in position. The pumps are automatically started upon receipt of an ESFAS signal. Additional information about the design and operation of the ESPS, along with a list of the components served, is presented in the FSAR, Section 9.2.1 (Ref. 1).
The principal safety related function of the ESPS is the removal of decay heat from the reactor via the EW System.

APPLICABLE SAFETY ANALYSES

The design basis of the ESPS is for one ESPS train, in conjunction with the EW System and a 100% capacity containment spray system to remove sufficient heat to ensure a safe reactor shutdown coincident with a loss of offsite power. The ESPS is designed to perform its function with a single failure of any active component, assuming the loss of offsite power. The ESPS, in conjunction with the EW System, also cools the unit from shutdown cooling (SDC), as discussed in the UFSAR, Section 5.4.7 (Ref. 2) entry conditions to MODE 5 during normal and post accident operations. The time required for this evolution is a function of the number of EW and SDC System trains that are operating. One ESPS train is sufficient to remove decay heat during subsequent operations in MODES 5 and 6. This assumes that worst case meteorological conditions occur simultaneously with maximum heat loads on the system.
The ESPS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Two ESPS trains are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst single active failure occurs coincident with the loss of offsite power. An ESPS train is considered OPERABLE when:
: a. The associated pump is OPERABLE; and
: b. The associated piping, valves, instrumentation, heat exchanger, and instrumentation and controls required to perform the safety related function are OPERABLE.

The isolation of the ESPS from other components or systems renders those components or systems inoperable, but does not necessarily affect the OPERABILITY of the ESPS. Isolation of the ESPS to required Diesel Generator (DG) cooler(s), while rendering the DG inoperable, is acceptable and does not impact the OPERABILITY of the ESPS. Disassembly, removal of insulation, and other configuration changes to the isolated portions of an OPERABLE system must be explicitly evaluated for operability impact prior to executing any configuration changes of the OPERABLE system.
Isolation of the ESPS to the essential cooling water heat exchanger is not acceptable and would render both the Essential Cooling Water System and the ESPS inoperable (Ref. 3). The ESPS is inoperable in this situation because it is operating outside of the acceptable limits of the system.

APPLICABILITY

In MODES 1, 2, 3, and 4, the ESPS System is required to support the OPERABILITY of the equipment serviced by the ESPS and required to be OPERABLE in these MODES. When the plant is in other than MODES 1, 2, 3 or 4, the requirements of the ESPS shall be consistent with the definition of OPERABILITY which requires (support) equipment to be capable of performing its related support function(s).
ACTIONS

A.1

With one ESPS train inoperable, action must be taken to restore OPERABLE status within 72 hours. In this Condition, the remaining OPERABLE ESPS train is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the ESPS train could result in loss of ESPS function. Required Action A.1 is modified by two Notes. The first Note indicates that the applicable Conditions of LCO 3.8.1, "AC Sources - Operating," must be entered when the inoperable ESPS train results in an inoperable emergency diesel generator. The second Note indicates that the applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops - MODE 4," should be entered if an inoperable ESPS train results in an inoperable SDC System. This note is only applicable in MODE 4. The 72 hour Completion Time is based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a DBA occurring during this time period.

B.1 and B.2

If the ESPS train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.8.1

Verifying the correct alignment for manual and power operated valves in the ESPS flow path ensures that the proper flow paths exist for ESPS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing.
This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR is modified by a Note indicating that the isolation of the ESPS components or systems renders those components or systems inoperable but does not necessarily affect the OPERABILITY of the ESPS. Isolation of the ESPS to required Diesel Generator (DG) cooler(s), while rendering the DG inoperable, is acceptable and does not impact the OPERABILITY of the ESPS. Isolation of the ESPS to the essential cooling water heat exchanger is not acceptable and would render both the Essential Cooling Water System and the ESPS inoperable (Ref. 3). The ESPS is inoperable in this situation because it is operating outside of the acceptable limits of the system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.8.2

The SR verifies proper automatic operation of the ESPS pumps on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.1.
2. UFSAR, Section 5.4.7.
3. CRDR 980795

B 3.7  PLANT SYSTEMS

B 3.7.9  Ultimate Heat Sink (UHS)

BASES

BACKGROUND

The UHS provides a heat sink for process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. This is done utilizing the Essential Spray Pond System (ESPS). The UHS is the essential spray ponds as discussed in the UFSAR, Section 9.2.5 (Ref. 1). The two principal functions of the UHS are the dissipation of residual heat after reactor shutdown, and dissipation of residual heat after an accident. The basic performance requirements are that a 26 day supply of water be available, and that the design basis temperatures of safety related equipment not be exceeded. Additional information on the design and operation of the system along with a list of components served can be found in Reference 1.
APPLICABLE SAFETY ANALYSES

The UHS is the sink for heat removed from the reactor core following all accidents and anticipated operational occurrences in which the unit is cooled down and placed on shutdown cooling. Its maximum post accident heat load occurs 20 minutes after a design basis loss of coolant accident (LOCA). Near this time, the unit switches from injection to recirculation, and the containment spray system is required to remove the core decay heat. The operating limits are based on conservative heat transfer analyses for the worst case LOCA. Reference 1 provides the details of the assumptions used in the analysis. The assumptions include: worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and the worst case failure. The UHS is designed in accordance with Regulatory Guide 1.27 (Ref. 2), which requires a 30 day supply of cooling water in the UHS. The 26 day supply contained in the two essential spray ponds meets the intent of this requirement. The UHS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

The UHS is required to be OPERABLE. The UHS is considered OPERABLE if it contains a sufficient volume of water at or below the maximum temperature that would allow the ESPS to operate for at least 26 days with no makeup following the design basis LOCA without the loss of net positive suction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the ESPS. To meet this condition, the UHS temperature should not exceed 89°F and the level of each ESP should not fall below 12 ft usable water depth during normal unit operation. Since the bottom 1.5 ft of the ESPS is required to meet pump submergence requirements, an actual depth of 13.5 ft is needed to meet the 26 day requirement for inventory purposes. The 12' is the water volume that would be depleted over 26 days following a design basis LOCA if no makeup were available. The thermal performance analysis utilizes the entire volume inventory of the pond(s) since the entire volume is always available as a heat sink.

APPLICABILITY

In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES. When the plant is in other than MODES 1, 2, 3, or 4, the requirements for the UHS shall be consistent with the definition of OPERABILITY, which requires (support) equipment to be capable of performing its related support function(s).

ACTIONS

A.1 and A.2

If the UHS is inoperable, the unit must be placed in a MODE in which the LCO does not apply.
To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
PALO VERDE UNITS 1,2,3 B 3.7.9-3 REVISION 56

SURVEILLANCE REQUIREMENTS

SR 3.7.9.1

This SR verifies adequate long term (26 days) cooling can be maintained with no makeup. The level specified also ensures sufficient NPSH is available for operating the ESPS pumps.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A usable water depth of 12 feet requires 13'-6" of actual water depth. The implementing procedure requires the operator to verify that the level is greater than or equal to 13'-6" measured locally at the spray pond or 14' indicated in the control room using installed instrumentation. The difference is a result of instrument uncertainty.

SR 3.7.9.2

This SR verifies that the ESPS is available to cool the EW System to at least its maximum design temperature within the maximum accident or normal design heat loads for 26 days following a DBA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.5.
2. Regulatory Guide 1.27.
PALO VERDE UNITS 1,2,3 B 3.7.10-1 REVISION 10

B 3.7 PLANT SYSTEMS

B 3.7.10 Essential Chilled Water (EC) System

BASES

BACKGROUND

The EC System provides a heat transfer system to the ultimate heat sink for the removal of process and operating heat from selected safety related air handling systems during a Design Basis Accident (DBA) or transient. The EC System is a closed loop system consisting of two independent trains. Each 100% capacity train includes a heat exchanger, surge tank, pump, chemical addition tank, piping, valves, controls, and instrumentation. An independent 100% capacity chilled water refrigeration unit cools each train. The EC System is actuated on receipt of an ESFAS signal and supplies chilled water to the Heating, Ventilation, and Air Conditioning (HVAC) units in Engineered Safety Feature (ESF) equipment areas (e.g., the main control room, DC equipment room, AFW pump rooms, EW pump rooms and safety injection pump rooms). The flow path for the EC System includes the closed loop of piping to all serviced equipment. During normal operation, the normal Chilled Water System (WC) and the normal HVAC System cool the areas served by the EC System. The WC System and the normal HVAC System are nonsafety grade systems. Following ESFAS actuations, the EC System with essential HVAC units provides this cooling function to the control room and safety grade equipment.
Additional information about the design and operation of the system, along with a list of components served, can be found in the UFSAR, Section 9.2.9 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The design basis of the EC System is to remove the post accident heat load from ESF spaces following a DBA coincident with a loss of offsite power. Each train provides chilled water to the HVAC units. The EC system design flowrates and temperatures are referenced in the Design Bases Manual.
PALO VERDE UNITS 1,2,3 B 3.7.10-2 REVISION 59

The maximum heat load in the ESF pump room area occurs during the recirculation phase following a loss of coolant accident. During recirculation, hot fluid from the containment sump is supplied to the high pressure safety injection and containment spray pumps. This heat load to the area atmosphere must be removed by the EC System to ensure that these pumps remain OPERABLE. The EC satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Two EC trains are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst single failure. An EC train is considered OPERABLE when:

a. The associated pump and surge tank are OPERABLE; and
b. The associated piping, valves, heat exchanger, refrigeration unit, and instrumentation and controls required to perform the safety related function are OPERABLE.

The isolation of the EC System from other components or systems renders those components or systems inoperable, but does not necessarily affect the OPERABILITY of the EC System. Isolation of the EC System to any single EC supplied cooling coil, while rendering the cooling coil inoperable, is acceptable and does not impact the OPERABILITY of the EC System. Disassembly, removal of insulation, and other configuration changes to the isolated portions of an OPERABLE system must be explicitly evaluated for operability impact prior to executing any configuration changes of the OPERABLE system.
Isolation of the EC System to any additional cooling coil is not acceptable without an engineering evaluation and an operability determination for that configuration (Ref. 2). The EC System is inoperable in this situation, unless it has been specifically evaluated, because it is operating outside of the acceptable limits of the system.

APPLICABILITY

In MODES 1, 2, 3, and 4, the EC System is required to be OPERABLE when a LOCA or other accident would require ESF operation.
PALO VERDE UNITS 1,2,3 B 3.7.10-3 REVISION 1

When the plant is in other than MODES 1, 2, 3 or 4, the requirements for the EC System shall be consistent with the definition of OPERABILITY which requires (support) equipment to be capable of performing its related support function(s).

ACTIONS

A.1

If one EC train is inoperable, action must be taken to restore OPERABLE status within 72 hours. In this condition, one OPERABLE ECW train is adequate to perform the cooling function. The 72 hour Completion Time is reasonable, based on the low probability of an event occurring during this time and the 100% capacity OPERABLE EC train.

B.1 and B.2

If the EC train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.10.1

Verifying the correct alignment for manual, power operated, and automatic valves in the EC flow path provides assurance that the proper flow paths exist for EC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves.
This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.
PALO VERDE UNITS 1,2,3 B 3.7.10-4 REVISION 56

The isolation of the EC System from other components or systems renders those components or systems inoperable, but does not necessarily affect the OPERABILITY of the EC System. Isolation of the EC System to any single EC supplied cooling coil, while rendering the cooling coil inoperable, is acceptable and does not impact the OPERABILITY of the EC System. Isolation of the EC System to any additional cooling coil is not acceptable without an engineering evaluation and an operability determination for that configuration (Ref. 2). The EC System is inoperable in this situation, unless it has been specifically evaluated, because it is operating outside of the acceptable limits of the system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.10.2

This SR verifies proper automatic operation of the EC System components and that the EC pumps will start in the event of any accident or transient that generates an applicable ESFAS signal. This SR also ensures that each automatic valve in the flow paths actuates to its correct position on an actual or simulated ESFAS signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.9.
2. CRDR 980796

PALO VERDE UNITS 1,2,3 B 3.7.11-1 REVISION 50

B 3.7 PLANT SYSTEMS

B 3.7.11 Control Room Essential Filtration System (CREFS)

BASES

BACKGROUND

The CREFS provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke.
The CREFS consists of two independent, redundant trains that recirculate and filter the air in the control room envelope (CRE) and a CRE boundary that limits the inleakage of unfiltered air. Each CREFS train consists of a prefilter, a High Efficiency Particulate Air (HEPA) filter, an activated charcoal adsorber section for removal of gaseous activity (principally iodine), and a fan. Ductwork, valves or dampers, doors, barriers, and instrumentation also form part of the system. A second bank of HEPA filters follows the adsorber section to collect carbon fines, and provides back-up in case of failure of the main HEPA filter bank. The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected during normal operation, natural events, and accident conditions.
The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations, and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of the unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program. The CREFS is an emergency system. Upon receipt of the actuating signal(s), normal HVAC to the CRE is isolated, and the stream of ventilation air is mixed with outside air and recirculated through the filter trains of the system.
The prefilters remove any large particles in the air, to prevent excessive loading of the HEPA filters and charcoal adsorbers.
PALO VERDE UNITS 1,2,3 B 3.7.11-2 REVISION 50

Actuation of CREFS aligns the system for recirculation of the air within the CRE through the redundant trains of HEPA and charcoal filters. Actuation of the CREFS also initiates pressurization and filtered ventilation of the air supply to the CRE. Outside air is combined and filtered with the air being recirculated from the CRE. Pressurization of CRE minimizes infiltration of unfiltered air from all the surrounding areas adjacent to the CRE boundary. The air entering the CRE is continuously monitored by radiation detectors. One detector output above the setpoint will cause actuation of the CREFS trains. A single CREFS train operating at a flow rate of 1000 cfm is designed to pressurize the CRE to 0.125 inches water gauge relative to external areas adjacent to the CRE boundary. The CREFS operation in maintaining the CRE habitable is discussed in the UFSAR, Section 6.4 (Ref. 1). Redundant recirculation trains provide the required filtration. Normally open isolation dampers in the normal Control Room HVAC System are arranged in series pairs so that the failure of one damper to shut will not result in a breach of isolation. The CREFS is designed in accordance with Seismic Category I requirements. The CREFS is designed to maintain a habitable environment in the CRE for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding a 5 rem whole body dose or its equivalent to any part of the body to the CRE occupants in the event of a large radioactive release.

APPLICABLE SAFETY ANALYSES

The CREFS components are arranged in redundant, safety related ventilation trains.
The location of components and ducting within the CRE ensures an adequate supply of filtered air to all areas requiring access.
PALO VERDE UNITS 1,2,3 B 3.7.11-3 REVISION 51

The CREFS provides airborne radiological protection for CRE occupants, as demonstrated by the CRE occupant dose analyses for the most limiting design basis accident fission product release presented in the UFSAR, Chapter 15 (Ref. 2). The CREFS provides protection from smoke and hazardous chemicals to the CRE occupants; however, hazardous chemicals are not stored or used onsite in quantities sufficient to necessitate CRE protection, as required by Regulatory Guide 1.78. In addition, nearby industrial, military, and transportation facilities present no hazard to the operation of PVNGS, and there are no site-related design basis events due to accidents at these facilities (Ref. 1 and Ref. 3). The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panel (Ref. 4). The worst case single active failure of a component of the CREFS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.
The CREFS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Two independent and redundant trains of the CREFS are required to be OPERABLE to ensure that at least one is available if a single active failure disables the other train. Total system failure, such as from a loss of both ventilation trains or from an inoperable CRE boundary, could result in exceeding a dose of 5 rem whole body or its equivalent to any part of the body to the CRE occupants in the event of a large radioactive release. Each CREFS train is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE. A CREFS train is considered OPERABLE when the associated:

a. Fan is OPERABLE;
b. HEPA filters and charcoal adsorber are not excessively restricting flow, and are capable of performing their filtration functions; and
c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.
PALO VERDE UNITS 1,2,3 B 3.7.11-4 REVISION 55

In order for the CREFS trains to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that the CRE occupants are protected from hazardous chemicals and smoke. The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls.
This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary integrity to the design condition when a need for CRE isolation is indicated.

APPLICABILITY

In MODES 1, 2, 3, 4, 5, 6, and during movement of irradiated fuel assemblies, the CREFS must be OPERABLE to ensure that the CRE will remain habitable during and following a DBA. Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity. During movement of irradiated fuel assemblies, the CREFS must be OPERABLE to cope with the release from a fuel handling accident.
PALO VERDE UNITS 1,2,3 B 3.7.11-5 REVISION 50

ACTIONS

A.1

With one CREFS train inoperable, for reasons other than an inoperable CRE boundary, action must be taken to restore OPERABLE status within 7 days. In this Condition, the remaining OPERABLE CREFS train is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE CREFS train could result in loss of CREFS function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and the ability of the remaining train to provide the required capability.

B.1, B.2, and B.3

If the unfiltered air leakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem whole body or its equivalent to any part of the body) or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable.
Actions must be taken to restore an OPERABLE CRE boundary within 90 days. During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and that CRE occupants are protected from hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour Completion Time is reasonable based upon the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair and test most problems with the CRE boundary.

PALO VERDE UNITS 1,2,3 B 3.7.11-6 REVISION 55
C.1 and C.2

In MODE 1, 2, 3, or 4, if the inoperable CREFS or the CRE boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes the accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1

In MODE 5 or 6, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CREFS train must be immediately placed in the essential filtration mode (e.g., emergency or pressurization mode of operation fan running, valves/dampers aligned to the post-CREFAS mode).
This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected.

E.1 and E.2

During movement of irradiated fuel assemblies, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CREFS train must be immediately placed in the essential filtration mode (e.g., emergency or pressurization mode of operation fan running, valves/dampers aligned to the post-CREFAS mode) or movement of irradiated fuel assemblies must be suspended immediately. The first action ensures that the remaining train is OPERABLE, that no undetected failures preventing system operation will occur, and that any active failure will be readily detected.
PALO VERDE UNITS 1,2,3 B 3.7.11-7 REVISION 57

An alternative to Required Action E.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the CRE. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

F.1 and F.2

If two CREFS trains become inoperable for reasons other than an inoperable CRE boundary or one or more CREFS trains become inoperable due to an inoperable CRE boundary, during MODE 5 or 6, or during the movement of irradiated fuel assemblies, immediate action must be taken to suspend activities that could release radioactivity that might enter the CRE. The Required Actions place the unit in a condition that minimizes accident risk. These actions do not preclude movement of fuel assemblies to safe positions.

G.1

If both CREFS trains are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable CRE boundary (i.e., Condition B), the CREFS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE REQUIREMENTS

SR 3.7.11.1

Standby systems should be checked periodically to ensure that they function properly. Since the environment and normal operating conditions on this system are not severe, testing each train periodically provides an adequate check on this system. Periodic operations for  15 minutes to demonstrate the function of the system is required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
PALO VERDE UNITS 1,2,3 B 3.7.11-8 REVISION 56

SR 3.7.11.2

This SR verifies that the required CREFS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The CREFS filter tests are in accordance with Regulatory Guide 1.52 (Ref. 5). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.11.3

This SR verifies that each CREFS train starts and operates on an actual or simulated actuation signal. This includes verification that the system is automatically placed into a filtration mode of operation with flow through the HEPA filters and charcoal adsorber banks. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.11.4

This SR verifies the operability of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program. The CRE is considered habitable when the radiological dose of CRE occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem whole body or its equivalent to any part of the body and the CRE occupants are protected from hazardous chemicals and smoke. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condition B must be entered.
Required Action B.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident.
Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2.7.3 (Ref. 6), which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 7).
PALO VERDE UNITS 1,2,3 B 3.7.11-9 REVISION 50

These compensatory measures may also be used as mitigating actions as required by Action B.2. Temporary analytical methods may also be used as compensatory measures to restore operability (Ref. 8). Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis DBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending on the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.

REFERENCES

1. UFSAR, Section 6.4.
2. UFSAR, Chapter 15.
3. UFSAR, Section 2.2.3.
4. UFSAR, Section 9.4.
5. Regulatory Guide 1.52 (Rev. 2).
6. Regulatory Guide 1.196.
7. NEI 99-03, "Control Room Envelope Habitability Assessment," June 2001.
8. Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No. ML040300694).
PALO VERDE UNITS 1,2,3 B 3.7.12-1 REVISION 1

B 3.7 PLANT SYSTEMS

B 3.7.12 Control Room Emergency Air Temperature Control System (CREATCS)

BASES

BACKGROUND

The CREATCS provides temperature control for the control room following isolation of the control room. The CREATCS consists of two independent, redundant trains that provide cooling of recirculated control room air. Each train consists of cooling coils, instrumentation, and controls to provide for control room temperature control.
The CREATCS is a subsystem providing air temperature control for the control room. The CREATCS is an emergency system, which is part of the Control Room Essential Filtration System (CREFS). A single train will provide the required temperature control to maintain the control room between 70°F and 80°F. The CREATCS operation to maintain the control room temperature is discussed in the UFSAR, Section 9.4 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The design basis of the CREATCS is to maintain temperature of the control room environment throughout 30 days of continuous occupancy. The CREATCS components are arranged in redundant safety related trains. During emergency operation, the CREATCS maintains the temperature between 70°F and 80°F. A single active failure of a component of the CREATCS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control. The CREATCS is designed in accordance with Seismic Category I requirements. The CREATCS is capable of removing sensible and latent heat loads from the control room, considering equipment heat loads and personnel occupancy requirements, to ensure equipment OPERABILITY. The CREATCS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
PALO VERDE UNITS 1,2,3 B 3.7.12-2 REVISION 21

LCO

Two independent and redundant trains of the CREATCS are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other train. Total system failure could result in the equipment operating temperature exceeding limits in the event of an accident. The CREATCS is considered OPERABLE when the individual components that are necessary to maintain the control room temperature are OPERABLE in both trains. These components include the cooling coils and associated temperature control instrumentation. In addition, the CREATCS must be OPERABLE to the extent that air circulation can be maintained.

APPLICABILITY

In MODES 1, 2, 3, 4, 5, and 6, and during movement of irradiated fuel assemblies, the CREATCS must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY requirements following isolation of the control room. Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

ACTIONS

A.1

With one CREATCS train inoperable, action must be taken to restore OPERABLE status within 30 days. In this Condition, the remaining OPERABLE CREATCS train is adequate to maintain the control room temperature within limits.
The 30 day Completion Time is reasonable, based on the low probability of an event occurring requiring control room isolation, consideration that the remaining train can provide the required capabilities, and the alternate safety or nonsafety related cooling means that are available.
B.1 and B.2
In MODE 1, 2, 3, or 4, when Required Action A.1 cannot be completed within the required Completion Time, the unit must be placed in a MODE that minimizes the accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
C.1
In MODE 5 or 6, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CREATCS train must be placed in operation immediately (including supporting systems). This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected.
D.1 and D.2
During movement of irradiated fuel assemblies, if Required Action A.1 cannot be completed within the Required Completion Time, the OPERABLE CREATCS train must be placed in operation immediately (including supporting systems) or movement of irradiated fuel assemblies must be suspended immediately. The first action ensures that the remaining train is OPERABLE, that no undetected failures preventing system operation will occur, and that any active failure will be readily detected.
If the system is not immediately placed in operation, this action requires suspension of the movement of irradiated fuel assemblies in order to minimize the risk of a release of radioactivity that might require isolation of the control room. This does not preclude the movement of fuel to a safe position.
E.1 and E.2
In MODE 5 or 6, or during movement of irradiated fuel assemblies with two CREATCS trains inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.
F.1
If both CREATCS trains are inoperable in MODE 1, 2, 3, or 4, the CREATCS may not be capable of performing the intended function and the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.
SURVEILLANCE REQUIREMENTS
SR 3.7.12.1
This SR verifies that the heat removal capability of the system is sufficient to meet design requirements. This SR consists of a combination of testing and calculations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. UFSAR, Section 9.4.
B 3.7  PLANT SYSTEMS
B 3.7.13  Engineered Safety Feature (ESF) Pump Room Exhaust Air Cleanup System (PREACS)
BASES
BACKGROUND
The ESF PREACS filters air from the area of the active ESF components during the recirculation phase of a Loss Of Coolant Accident (LOCA). The ESF PREACS consists of two independent and redundant trains shared with the fuel building. Each train consists of a heater, a prefilter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), and a fan. Ductwork, dampers, and instrumentation also form part of the system. A second bank of HEPA filters follows the adsorber section. The downstream HEPA filter is not credited in the accident analysis, but serves to collect charcoal fines and to back up the upstream HEPA filter, should it develop a leak. The system initiates filtered ventilation of the pump rooms and lower region of the auxiliary building following receipt of a safety injection actuation signal.
The ESF PREACS is a standby system. The Auxiliary Building Normal HVAC System provides normal cooling. During emergency operations, the ESF PREACS dampers are realigned and fans are started to initiate filtration. Upon receipt of the actuating Engineered Safety Feature Actuation System signal(s), normal air discharges from the ESF pump rooms are isolated, and the stream of ventilation air discharges through the system filter trains. The prefilters remove any large particles in the air to prevent excessive loading of the HEPA filters and charcoal adsorbers. The ESF PREACS is discussed in the FSAR, Sections 6.5.1, 9.4.2, and 15.6.5 (Refs. 1, 2, and 3, respectively).
The primary purpose of the heaters is to maintain the relative humidity at an acceptable level consistent with iodine removal efficiencies, as discussed in the Regulatory Guide 1.52 (Ref. 4).
APPLICABLE SAFETY ANALYSES
The design basis of the ESF PREACS is established by the large break LOCA. The system evaluation assumes a passive failure of the ECCS outside containment, such as safety injection pump seal failure, during the recirculation mode.
In such a case, the system limits the radioactive release to within 10 CFR 100 limits (Ref. 5). The analysis of the effects and consequences of a large break LOCA is presented in Reference 3. The ESF PREACS also actuates following a small break LOCA, requiring the unit to go into the recirculation mode of long term cooling and to clean up releases of smaller leaks, such as from valve stem packing. The two types of system failures that are considered in the accident analysis are complete loss of function and excessive LEAKAGE. Either type of failure may result in a lower efficiency of removal for any gaseous and particulate activity released to the ESF envelope following a LOCA. The ESF PREACS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
Two independent and redundant ESF PREACS trains are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other train coincident with a loss of offsite power. Total system failure could result in the atmospheric release from the ESF envelope exceeding the required limits in the event of a Design Basis Accident (DBA). ESF PREACS is considered OPERABLE when the individual components necessary to maintain the ESF Pump Room filtration are OPERABLE in both trains. An ESF PREACS train is considered OPERABLE when its associated:
a. Fan is OPERABLE;
b. HEPA filter and charcoal adsorber are not excessively restricting flow and are capable of performing their filtration functions; and
c. Heater, prefilter, ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.
In addition, the auxiliary building envelope below the 100 ft. elevation must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors.
APPLICABILITY
In MODES 1, 2, 3, and 4, the ESF PREACS is required to be OPERABLE consistent with the OPERABILITY requirements of the ECCS. In MODES 5 and 6, the ESF PREACS is not required to be OPERABLE, since the ECCS is not required to be OPERABLE.
ACTIONS
A.1
With one ESF PREACS train inoperable, action must be taken to restore OPERABLE status within 7 days. During this time, the remaining OPERABLE train is adequate to perform the ESF PREACS function. The 7 day Completion Time is appropriate because the risk contribution is less than that for the ECCS (72 hour Completion Time) and this system is not a direct support system for the ECCS. The 7 day Completion Time is reasonable, based on the low probability of a DBA occurring during this time period, and the consideration that the remaining train can provide the required capability.
B.1 and B.2
If the ESF PREACS train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS
SR 3.7.13.1
Standby systems should be checked periodically to ensure that they function properly. Since the environment and normal operating conditions on this system are not severe, testing each train periodically provides an adequate check on this system. Operations for  15 minutes demonstrates the function of the system. There is not expected to be any moisture buildup on the adsorbers and HEPA filters due to the low humidity at PVNGS (Ref. 7). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.7.13.2
This SR verifies that the required ESF PREACS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The ECCS PREACS filter tests are in accordance with Regulatory Guide 1.52 (Ref. 4). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP.
SR 3.7.13.3
This SR verifies that each ESF PREACS train starts and operates on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.7.13.4
This SR verifies the integrity of the ESF envelope. The ability of the ESF envelope to maintain a negative pressure, with respect to potentially uncontaminated adjacent areas, is periodically tested to verify proper function of the ESF PREACS.
During the post accident mode of operation, the ESF PREACS is designed to maintain a slight negative pressure in the ESF envelope with respect to adjacent areas to prevent unfiltered LEAKAGE. For the purposes of testing, the term "measurable negative pressure" is defined as 10 times the minimum instrument reading. The ESF PREACS is designed to maintain this negative pressure at a flow rate of 6,000 cfm  10% from the ESF envelope. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. UFSAR, Section 6.5.1.
2. UFSAR, Section 9.4.2.
3. UFSAR, Section 15.6.5.
4. Regulatory Guide 1.52 (Rev. 2).
5. 10 CFR 100.11.
6. NUREG-0800, Section 6.5.1, Rev. 2, July 1981.
7. UFSAR, Section 1.8
B 3.7  PLANT SYSTEMS
B 3.7.14  Fuel Storage Pool Water Level
BASES
BACKGROUND
The minimum water level in the fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel. A general description of the fuel storage pool design is given in the UFSAR, Section 9.1.2, Reference 1, and the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section 9.1.3 (Ref. 2). The assumptions of the fuel handling accident are given in the UFSAR, Section 15.7.4 (Ref. 3).
APPLICABLE SAFETY ANALYSES
The minimum water level in the fuel storage pool meets the intent of the assumptions of the fuel handling accident described in Regulatory Guide 1.25 (Ref. 4). The resultant 2 hour thyroid dose to a person at the exclusion area boundary is less than one-third of the 10 CFR 100 (Ref. 5) limits. According to Reference 4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface for a fuel handling accident. With a 23 ft water level, the assumptions of Reference 4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle, dropped and lying horizontally on top of the spent fuel racks, however, there may be < 23 ft of water above the top of the bundle and the surface, by the width of the bundle. The decontamination factor for 22 ft-6 in of water is essentially the same as that for 23 ft of water so the intent of Regulatory Guide 1.25 is met. The fuel storage pool water level satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 3). As such, it is the minimum required for fuel storage and movement within the fuel storage pool.
APPLICABILITY
This LCO applies during movement of irradiated fuel assemblies in the fuel storage pool since the potential for a release of fission products exists. Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.
ACTIONS
A.1
Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. When the initial conditions for an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended. This effectively precludes a spent fuel handling accident from occurring. This does not preclude moving a fuel assembly to a safe position. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations.
Therefore, in either case, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.
Fuel Storage Pool Water Level B 3.7.14 BASES  (continued)  ______________________________________________________________________________  PALO VERDE UNITS 1,2,3 B 3.7.14-3 REVISION 56 SURVEILLANCE SR  3.7.14.1 REQUIREMENTS  This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The water level in the fuel storage pool must be checked periodically. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. During refueling operations, the level in the fuel storage pool is at equilibrium with that of the refueling canal, and the level in the refueling canal is checked daily in accordance with LCO 3.9.6, "Refueling Water Level-Fuel Assemblies". ______________________________________________________________________________  REFERENCES 1. UFSAR, Section 9.1.2. 2. UFSAR, Section 9.1.3. 3. UFSAR, Section 15.7.4. 4. Regulatory Guide 1.25  5. 10 FR 100.11.
This page intentionally blank Fuel Storage Pool Boron Concentration B 3.7.15  _____________________________________________________________________________  (continued) PALO VERDE UNITS 1,2,3 B 3.7.15-1 REVISION 3 B 3.7  PLANT SYSTEMS B 3.7.15  Fuel Storage Pool Boron Concentration BASES  BACKGROUND As described in LCO 3.7.17, "Spent Fuel Assembly Storage," fuel assemblies are stored in the spent fuel racks in accordance with criteria based on initial enrichment and discharge burnup. Although the water in the spent fuel pool is normally borated to  2150 ppm, the criteria that limit the storage of a fuel assembly to specific rack locations is conservatively developed without taking credit for boron.
In order to maintain the spent fuel pool keff < 1.0, a soluble boron concentration of 900 ppm is required to maintain the spent fuel pool keff  0.95 assuming the most limiting single fuel mishandling accident. ______________________________________________________________________________  APPLICABLE A fuel assembly could be inadvertently loaded into a spent SAFETY ANALYSES fuel rack location not allowed by LCO 3.7.17 (e.g., an unirradiated fuel assembly or an insufficiently depleted fuel assembly). Another type of postulated accident is associated with a fuel assembly that is dropped onto the fully loaded fuel pool storage rack or between a rack and the pool walls. These incidents could have a positive reactivity effect, decreasing the margin to criticality.
However, the negative reactivity effect of the soluble boron compensates for the increased reactivity caused by these postulated accident scenarios. The concentration of dissolved boron in the fuel pool satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii). ______________________________________________________________________________  LCO The specified concentration of dissolved boron in the fuel pool preserves the assumptions used in the analyses of the potential accident scenarios described above. This concentration of dissolved boron is the minimum required concentration for fuel assembly storage and movement within the fuel pool. ______________________________________________________________________________  APPLICABILITY This LCO applies whenever any fuel assembly is stored in the spent fuel pool in order to comply with the TS 4.3.1.1.c design requirement that keff  0.95.
Fuel Storage Pool Boron Concentration B 3.7.15 BASES  (continued)  _______________________________________________________________________________  PALO VERDE UNITS 1,2,3 B 3.7.15-2 REVISION 56  ACTIONS A.1 and A.2  The Required Actions are modified by a Note indicating that LCO 3.0.3 does not apply. When the concentration of boron in the spent fuel pool is less than required, immediate action must be taken to preclude an accident from happening or to mitigate the consequences of an accident in progress. This is most efficiently achieved by immediately suspending the movement of fuel assemblies. This does not preclude the movement of fuel assemblies to a safe position. In addition, action must be immediately initiated to restore boron concentration to within limit. If moving fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation. Therefore, inability to suspend movement of fuel assemblies is not sufficient reason to require a reactor shutdown. _______________________________________________________________________________  SURVEILLANCE SR 3.7.15.1 REQUIREMENTS This SR verifies that the concentration of boron in the spent fuel pool is within the required limit. As long as this SR is met, the analyzed incidents are fully addressed.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. _______________________________________________________________________________  REFERENCES 1. UFSAR, Section 9.1.2. 2. PVNGS Operating License Amendments 82, 69 and 54 for Units 1, 2 and 3, respectively, and associated NRC Safety Evaluation dated September 30, 1994. 3. 13-N-001-1900-1221-1, "Palo Verde Spent Fuel Pool Criticality Analysis," ABB calculation A-PV-FE-0106, revision 3, dated January 15, 1999.
Secondary Specific Activity B 3.7.16  _____________________________________________________________________________  (continued) PALO VERDE UNITS 1,2,3 B 3.7.16-1 REVISION 7 B 3.7  PLANT SYSTEMS B 3.7.16  Secondary Specific Activity BASES  BACKGROUND Activity in the secondary coolant results from steam generator tube outleakage from the Reactor Coolant System (RCS). Under steady state conditions, the activity is primarily iodines with relatively short half lives, and thus is indication of current conditions. During transients, I-131 spikes have been observed as well as increased releases of some noble gases. Other fission product isotopes, as well as activated corrosion products in lesser amounts, may also be found in the secondary coolant. A limit on secondary coolant specific activity during power operation minimizes releases to the environment because of normal operation, anticipated operational occurrences, and accidents. This limit is lower than the activity value that might be expected from a 1 gpm tube leak (LCO 3.4.14, "RCS Operational LEAKAGE") of primary coolant at the limit of 1.0 Ci/gm (LCO 3.4.17, "RCS Specific Activity"). The steam line failure is assumed to result in the release of the noble gas and iodine activity contained in the steam generator inventory, the feedwater, and reactor coolant LEAKAGE. Most of the iodine isotopes have short half lives (i.e., < 20 hours). I-131, with a half life of 8.04 days, concentrates faster than it decays, but does not reach equilibrium because of blowdown and other losses.
Secondary Specific Activity B 3.7.16 BASES  _______________________________________________________________________________  _____________________________________________________________________________  (continued) PALO VERDE UNITS 1,2,3 B 3.7.16-2 REVISION 0 APPLICABLE The accident analysis of the main steam line break (MSLB), SAFETY ANALYSES as discussed in the UFSAR, Chapter 15 (Ref. 2), assumes the initial secondary coolant specific activity to have a radioactive isotope concentration of 0.10 Ci/gm DOSE EQUIVALENT I-131. This assumption is used in the analysis for determining the radiological consequences of the postulated accident. The accident analysis, based on this and other assumptions, shows that the radiological consequences of an MSLB do not exceed a small fraction of the unit EAB limits (Ref. 1) for whole body and thyroid dose rates. With the loss of offsite power, the remaining steam generator is available for core decay heat dissipation by venting steam to the atmosphere through MSSVs and Atmospheric Dump Valves (ADVs). The Auxiliary Feedwater System supplies the necessary makeup to the steam generator.
Venting continues until the reactor coolant temperature and pressure have decreased sufficiently for the Shutdown Cooling System to complete the cooldown. In the evaluation of the radiological consequences of this accident, the activity released from the steam generator connected to the failed steam line is assumed to be released directly to the environment. The unaffected steam generator is assumed to discharge steam and any entrained activity through MSSVs and ADVs during the event. Secondary specific activity limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii). _______________________________________________________________________________  LCO As indicated in the Applicable Safety Analyses, the specific activity limit in the secondary coolant system of 0.10 Ci/gm DOSE EQUIVALENT I-131 to limit the radiological consequences of a Design Basis Accident (DBA) to a small fraction of the required limit (Ref. 1). Monitoring the specific activity of the secondary coolant ensures that when secondary specific activity limits are exceeded, appropriate actions are taken in a timely manner to place the unit in an operational MODE that would minimize the radiological consequences of a DBA.
Secondary Specific Activity B 3.7.16 BASES  (continued)  ______________________________________________________________________________  _____________________________________________________________________________  (continued) PALO VERDE UNITS 1,2,3 B 3.7.16-3 REVISION 56 APPLICABILITY In MODES 1, 2, 3, and 4, the limits on secondary specific activity apply due to the potential for secondary steam releases to the atmosphere. In MODES 5 and 6, the steam generators are not being used for heat removal. Both the RCS and steam generators are depressurized, and primary to secondary LEAKAGE is minimal.
Therefore, monitoring of secondary specific activity is not required. ______________________________________________________________________________  ACTIONS A.1 and A.2  DOSE EQUIVALENT I-131 exceeding the allowable value in the secondary coolant, is an indication of a problem in the RCS, and contributes to increased post accident doses. If secondary specific activity cannot be restored to within limits in the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. ______________________________________________________________________________  SURVEILLANCE SR  3.7.16.1 REQUIREMENTS This SR ensures that the secondary specific activity is within the limits of the accident analysis. A gamma isotope analysis of the secondary coolant, which determines DOSE EQUIVALENT I-131, confirms the validity of the safety analysis assumptions as to the source terms in post accident releases. It also serves to identify and trend any unusual isotopic concentrations that might indicate changes in reactor coolant activity or LEAKAGE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Secondary Specific Activity B 3.7.16 BASES  _______________________________________________________________________________  PALO VERDE UNITS 1,2,3 B 3.7.16-4 REVISION 0 REFERENCES 1. 10 CFR 100.11. 2. UFSAR, Chapter 15.
Spent Fuel Assembly Storage B 3.7.17 (continued)  ______________________________________________________________________________  PALO VERDE UNITS 1,2,3 B 3.7.17-1 REVISION 61 B 3.7  PLANT SYSTEMS B 3.7.17  Spent Fuel Assembly Storage BASES  BACKGROUND The spent fuel storage is designed to store either new (nonirradiated) nuclear fuel assemblies, or burned (irradiated) fuel assemblies in a vertical configuration underwater. The storage pool was originally designed to store up to 1329 fuel assemblies in a borated fuel storage mode.
The current storage configuration, which allows credit to be taken for boron concentration, burnup, and decay time, and does not require neutron absorbing (boraflex) storage cans, provides for a maximum storage of 1209 fuel assemblies in a four-region configuration. The design basis of the spent fuel cooling system, however, is to provide adequate cooling to the spent fuel during all operating conditions (including full core offload) for only 1205 fuel assemblies (UFSAR section 9.1.3). Therefore, an additional four spaces are mechanically blocked to limit the maximum number of fuel assemblies that may be stored in the spent fuel storage pool to 1205. Region 1 is comprised of two 9x8 storage racks and one 12x8 storage rack. Cell blocking devices are placed in every other storage cell location in Region 1 to maintain a two-out-of-four checkerboard configuration. These cell blocking devices prevent inadvertent insertion of a fuel assembly into a cell that is not allowed to contain a fuel assembly. Region 3 is comprised of three 9x8 storage racks and one 9x9 storage rack in Units 2 and 3. Region 3 is comprised of four 9x8 storage racks and one 9x9 storage rack in Unit 1. Since fuel assemblies may be stored in every Region 3 cell location, no cell blocking devices are installed in Region 3. Regions 2 and 4 are mixed and are comprised of seven 9x8 storage racks and three 12x8 storage racks in Units 2 and 3, Regions 2 and 4 are mixed and are comprised of six 9x8 storage racks and three 12x8 storage racks in Unit 1. Regions 2 and 4 are mixed in a repeating 3x4 storage pattern in which two-out-of-twelve cell locations are designated Region 2 and ten-out-of-twelve cell locations are designated Region 4 (see UFSAR Figures 9.1-7 and 9.1-7A). Since fuel assemblies may be stored in every Region 2 and Region 4 cell location, no cell blocking devices are installed in Region 2 and Region 4.
Spent Fuel Assembly Storage B 3.7.17 BASES  _______________________________________________________________________________  (continued)  ______________________________________________________________________________  PALO VERDE UNITS 1,2,3 B 3.7.17-2 REVISION 3 BACKGROUND The spent fuel storage cells are installed in parallel rows    (continued) with a nominal center-to-center spacing of 9.5 inches. This spacing, a minimum soluble boron concentration of 900 ppm, and the storage of fuel in the appropriate region based on assembly burnup in accordance with TS Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3 is sufficient to maintain a keff of ~0.95 for fuel of original maximum radially averaged enrichment of up to 4.80%. _______________________________________________________________________________  APPLICABLE The spent fuel storage pool is designed for non-SAFETY ANALYSES criticality by use of adequate spacing, credit for boron concentration, and the storage of fuel in the appropriate region based on assembly burnup in accordance with TS Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3. The design requirements related to criticality (TS 4.3.1.1) are keff < 1.0 assuming no credit for boron and keff ~ 0.95 taking credit for soluble boron. The burnup versus enrichment requirements (TS Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3) are developed assuming keff < 1.0 with no credit taken for soluble boron, and that keff ~ 0.95 assuming a soluble boron concentration of 900 ppm and the most limiting single fuel mishandling accident. The analysis of the reactivity effects of fuel storage in the spent fuel storage racks was performed by ABB-Combustion  Engineering (CE) using the three-dimensional Monte Carlo code KENO-VA with the updated 44 group ENDF/B-5 neutron cross section library. The KENO code has been previously used by CE for the analysis of fuel rack reactivity and have been benchmarked against results from numerous critical experiments. 
These experiments simulate the PVNGS fuel storage racks as realistically as possible with respect to parameters important to reactivity such as enrichment and assembly spacing. The modeling of Regions 2, 3, and 4 included several conservative assumptions. These assumptions neglected the reactivity effects of poison shims in the assemblies and structural grids. These assumptions tend to increase the calculated effective multiplication factor (keff) of the racks. The stored fuel assemblies were modeled as CE 16x16 assemblies with a nominal pitch of 0.5065 inches between fuel rods, a fuel pellet diameter of 0.3255 inches, and a UO2 density of 10.31 g/cc.
KENO-Va calculations were used to construct curves of burnup versus initial enrichment for decay times in 5 year increments from 0 to 20 years for both Regions 3 and 4 (TS Figures 3.7.17-2 and 3.7.17-3) such that all points on the curves produce a keff value (including all biases and uncertainties) of < 1.0 for unborated water. Biases associated with methodology and water temperature were included, and uncertainties associated with methodology, KENO-Va calculation, fuel enrichment, fuel rack pitch, fuel rack and L-insert thickness, pellet stack density, and asymmetric fuel assembly loading were included.

KENO-Va calculations were also performed to determine the soluble boron concentration required to maintain the spent fuel pool keff (including all biases and uncertainties) ≤ 0.95 at a 95% probability/95% confidence level. A soluble boron concentration of 900 ppm is required to assure that the spent fuel pool keff remains ≤ 0.95 at all times. This soluble boron concentration accounts for the positive reactivity effects of the most limiting single fuel mishandling event and uncertainties associated with fuel assembly reactivity and burnup. This method of reactivity equivalencing has been accepted by the NRC (Reference 3) and used for numerous other spent fuel storage pools that take credit for burnup, decay time, and soluble boron.

Most abnormal storage conditions will not result in an increase in the keff of the racks.
However, it is possible to postulate events, with a burnup and enrichment combination outside of the acceptable area in TS Figure 3.7.17-1, or with a burnup, decay time, and enrichment combination outside of the acceptable area in TS Figures 3.7.17-2 or 3.7.17-3, which could lead to an increase in reactivity. These events would include an assembly drop on top of a rack or between a rack and the pool walls, or the misloading of an assembly. For such events, partial credit may be taken for the soluble boron in the spent fuel pool water to ensure protection against a criticality accident since the staff does not require the assumption of two unlikely, independent, concurrent events (double contingency principle). Although a soluble boron concentration of only 900 ppm is required to assure that keff remains ≤ 0.95 assuming the single most limiting fuel mishandling event, TS 3.7.15 conservatively requires the presence of 2150 ppm of soluble boron in the spent fuel pool water. As such, the reduction in keff caused by the required soluble boron concentration more than offsets the reactivity addition caused by credible accidents, and the staff criterion of keff ≤ 0.95 is met at all times.
The criticality aspects of the spent fuel pool meet the requirements of General Design Criterion 62 for the prevention of criticality in fuel storage and handling.

The spent fuel pool heat load calculations were based on a full pool with 1205 fuel assemblies. From the spent fuel pool criticality analysis, the number of fuel assemblies that can be stored in the four-region configuration is 1209 fuel assemblies. The design basis of the spent fuel cooling system, however, is to provide adequate cooling to the spent fuel during all operating conditions (including full core offload) for only 1205 fuel assemblies (UFSAR section 9.1.3). Therefore, an additional four spaces are mechanically blocked to limit the maximum number of fuel assemblies that may be stored in the spent fuel storage pool to 1205.

The original licensing basis for the spent fuel pool allowed for spent fuel to be loaded in either a 4x4 array or a checkerboard array, depending on the use of borated poison.
A fuel handling accident was assumed to occur with maximum loading of the pool. The fuel pool rack construction precludes more than one assembly from being impacted in a fuel handling accident. The UFSAR analysis conclusion regarding the worst scenario for a dropped assembly (in which the horizontal impact of a fuel assembly on top of the spent fuel assembly damages fuel rods in the dropped assembly but does not impact fuel in the stored assemblies) continues to be limiting.

The spent fuel assembly storage satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The restrictions on the placement of fuel assemblies within the spent fuel pool, according to Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3 in the accompanying LCO, ensure that the keff of the spent fuel pool will always remain < 1.0 assuming the pool to be flooded with unborated water. The restrictions are consistent with the criticality safety analysis performed for the spent fuel pool according to Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3 in the accompanying LCO.
Specification 4.3.1.1 provides additional details for fuel storage in each of the four Regions.
APPLICABILITY

This LCO applies whenever any fuel assembly is stored in the spent fuel pool.

ACTIONS

A.1

Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. When the configuration of fuel assemblies stored in the spent fuel pool is not in accordance with Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3, immediate action must be taken to make the necessary fuel assembly movement(s) to bring the configuration into compliance with Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation. Therefore, in either case, inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE REQUIREMENTS

SR 3.7.17.1

This SR verifies by administrative means that the initial enrichment and burnup of the fuel assembly is in accordance with Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3 in the accompanying LCO and Specification 4.3.1.1. To manually determine the allowed SFP region for a fuel assembly, the actual burnup is compared to the burnup requirement for the given initial enrichment and appropriate decay time from Figure 3.7.17-1, 3.7.17-2, or 3.7.17-3. If the actual burnup is greater than or equal to the burnup requirement, then the fuel assembly is eligible to be stored in the corresponding region.
If the actual burnup is less than the burnup requirement, then the comparison needs to be repeated using another curve for a lower numbered region. Note the following:
- that a fuel assembly that does not meet the burnup requirement for Region 2 must be stored in Region 1,
- that any fuel assembly may be stored in Region 1,
- that any fuel assembly may be stored in a lower numbered region than the region for which it qualifies because burnup requirements decrease as region numbers decrease (refer also to Tech Spec 4.3.1.1),
- and that comparing actual burnup to the burnup requirement for zero decay time will always be correct or conservative.

REFERENCES

1. UFSAR, Sections 9.1.2 and 9.1.3.
2. PVNGS Operating License Amendments 82, 69, and 54 for Units 1, 2, and 3 respectively, and associated NRC Safety Evaluation, dated September 30, 1994.
3. Letter to T. E. Collins, U.S. NRC to T. Greene, WOG, "Acceptance for Referencing of Licensing Topical Report WCAP-14416-P, Westinghouse Spent Fuel Rack Methodology (TAC NO. M93254)", October 25, 1996.
4. 13-N-001-1900-1221-1, "Palo Verde Spent Fuel Pool Criticality Analysis," ABB calculation A-PV-FE-0106, revision 03, dated January 15, 1999.
5. Westinghouse letter NF-APS-10-19, "Criticality Safety Evaluation of the Spent Fuel Pool Map with a Proposed Region 3 Increase," dated February 25, 2010.
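The SR 3.7.17.1 comparison and its notes, written out in Python as an added example (it is not part of the Bases or of any PVNGS procedure). The curve points are constructed placeholders standing in for TS Figures 3.7.17-1 through 3.7.17-3; the units, the use of Figure 3.7.17-1 for Region 2, and rounding decay time down to the next lower 5-year curve are assumptions.

```python
"""Region eligibility check following the SR 3.7.17.1 comparison steps.

Every curve value below is a CONSTRUCTED placeholder, not data from
TS Figures 3.7.17-1, -2 or -3. Units (wt% U-235, GWd/MTU) are assumed.
"""
from bisect import bisect_right

MAX_ENRICHMENT = 4.80              # maximum enrichment stated in the Bases
DECAY_STEPS = (0, 5, 10, 15, 20)   # 5-year curve increments stated in the Bases


def _curve(zero_burnup_enrichment, burnup_at_max):
    """Constructed two-point curve: no burnup needed at or below the first point."""
    return [(zero_burnup_enrichment, 0.0), (MAX_ENRICHMENT, burnup_at_max)]


# region -> decay time (years) -> [(initial enrichment, required burnup)]
# Assumption: Region 2 uses the Figure 3.7.17-1 curve, which has no decay-time axis.
CURVES = {
    2: {0: _curve(2.0, 15.0)},
    3: {d: _curve(1.5, b)
        for d, b in zip(DECAY_STEPS, (30.0, 28.0, 26.5, 25.5, 25.0))},
    4: {d: _curve(1.3, b)
        for d, b in zip(DECAY_STEPS, (42.0, 39.0, 37.0, 35.5, 34.5))},
}


def _interpolate(points, x):
    """Piecewise-linear lookup, clamped at both ends of the curve."""
    xs = [p[0] for p in points]
    if x <= xs[0]:
        return points[0][1]
    if x >= xs[-1]:
        return points[-1][1]
    i = bisect_right(xs, x)
    (x0, y0), (x1, y1) = points[i - 1], points[i]
    return y0 + (y1 - y0) * (x - x0) / (x1 - x0)


def required_burnup(region, enrichment, decay_years=0.0):
    """Burnup requirement for a region at the given enrichment and decay time."""
    if not 0 < enrichment <= MAX_ENRICHMENT:
        raise ValueError("initial enrichment outside the analyzed range")
    if decay_years < 0:
        raise ValueError("decay time cannot be negative")
    if region == 1:
        return 0.0                 # any fuel assembly may be stored in Region 1
    curves = CURVES[region]
    # Round decay time DOWN to a tabulated curve: a shorter decay time never
    # lowers the requirement, so this is correct or conservative.
    usable = max(d for d in curves if d <= decay_years)
    return _interpolate(curves[usable], enrichment)


def qualifying_region(enrichment, burnup, decay_years=0.0):
    """Highest-numbered region whose burnup requirement the assembly meets."""
    for region in (4, 3, 2):       # repeat the comparison with lower regions
        if burnup >= required_burnup(region, enrichment, decay_years):
            return region
    return 1                       # fails Region 2, so it must go in Region 1


def placement_allowed(target_region, enrichment, burnup, decay_years=0.0):
    """An assembly may go in its qualifying region or any lower-numbered one."""
    return 1 <= target_region <= qualifying_region(enrichment, burnup, decay_years)
```

Calling `qualifying_region` with the default zero decay time reproduces the conservative comparison described in the last note.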
B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.1 AC Sources - Operating

BASES

BACKGROUND

The unit Class 1E Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources: normal and alternate(s)), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Features (ESF) systems.

The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed. Each train has connections to two preferred offsite power sources (normal and alternate) and a single DG.

Offsite power is supplied to the unit switchyard from the transmission network by seven transmission lines. From the switchyard, two electrically and physically separated circuits provide AC power, through ESF service transformers, to the 4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the updated FSAR, Chapter 8 (Ref. 2).

An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus or buses.

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the transformer (NBN-X03 and NBN-X04) supplying offsite power to the onsite Class 1E Distribution System.
Within 30 seconds after the initiating signal is received, all permanently connected and auto-connected emergency loads needed to recover the unit or maintain it in a safe condition are returned to service via the automatic load sequencer.
The onsite standby power source for each 4.16 kV ESF bus is a dedicated DG. DG-A and DG-B are dedicated to ESF buses PBA-S03 and PBB-S04, respectively. A DG starts automatically (in emergency mode) on a safety injection actuation signal (SIAS) (i.e., low pressurizer pressure or high containment pressure signals), auxiliary feedwater actuation signals (AFAS-1 and AFAS-2) (e.g., low steam generator level), or on a loss of power (an ESF bus degraded voltage or undervoltage signal). After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with a SIAS or AFAS signal. Following the loss of offsite power, the sequencer sheds nonpermanent loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.
The DGs will also start and operate in the standby mode (running unloaded) without tying to the ESF bus on a SIAS or AFAS. In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Within 40 seconds after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each DG is 5500 kW with 10% overload permissible for up to 2 hours in any 24 hour period. The ESF loads that are powered from the 4.16 kV ESF buses are listed in the updated FSAR, Chapter 8 (Ref. 2).

Offsite power sources must have the capability to effect a safe shutdown and to mitigate the effects of an accident as specified in Regulatory Guide 1.93 (Ref. 6). As a result of certain anticipated operational occurrences (AOOs) and design basis accidents (DBAs), the voltage to ESF buses PBA-S03 and PBB-S04 would change as a result of one or more of the following three automatic operations: (1) tripping of the generating unit, (2) fast bus transfer of the non-Class 1E distribution system to the startup transformers, and (3) powering of the ESF loads by the automatic load sequencer. Analyses have been performed to determine the magnitude of voltage change due to each of these operations.
Under conditions where these voltage changes would result in either inadequate voltages to the ESF equipment or tripping of the degraded voltage relays, the guidance from Regulatory Guide 1.93 (Ref. 6) is not met and the affected offsite circuit(s) do not meet their required capability.

Tripping of a Palo Verde unit can result in either a decrease or increase in the switchyard voltage due to the change in the flow of volt-amperes reactive (VARs) into or out of the electrical grid. If two or more Palo Verde units are on line and available to regulate switchyard voltage, the voltage will not change significantly following tripping of one unit. If only one unit is on line and is not providing switchyard voltage support (generator gross MVAR output ≤ 0), the post-trip switchyard voltage will be equal to or greater than the pre-trip switchyard voltage. If it had been providing switchyard voltage support (generator gross MVAR output > 0), the post-trip switchyard voltage could be lower than the pre-trip switchyard voltage. In this case, adequate voltage to the Class 1E buses is assured by blocking fast bus transfer and thus minimizing the loading and voltage drop on the startup transformer secondary circuit.

Voltage analyses also conclude that the maximum switchyard voltage should not exceed 535.5 kV. However, even if this limit is exceeded, the offsite circuits still have the capability to effect a safe shutdown, mitigate the effects of an accident, and continue to meet the operability requirements of Regulatory Guide 1.93 (Ref. 6). Sustained switchyard overvoltages during startup transformer light loading conditions can cause accelerated thermal aging of some plant electrical equipment. However, this would not cause catastrophic equipment failure or unavailability.
A high voltage alarm at the APS Energy Control Center (ECC) alerts the transmission grid operators of the need for corrective actions, which could involve adjustment of the MVAR output of the Palo Verde generator(s), adjustment of the MVAR output of nearby cogeneration units, or switching of transmission system voltage control devices. Therefore, there is no LCO for high switchyard voltage.

Grid frequency can also affect the operation of safety equipment. For example, sustained high frequency can result in an excessive differential pressure across motor operated valves, and sustained low frequency can result in substandard pump flow. There are no LCOs for offsite circuit frequency, because the grid frequency is continuously monitored and maintained within a tight tolerance by non-Palo Verde organizations. These organizations utilize various automatic and manual methods to control frequency, such as maintaining a spinning reserve, load shedding, and turbine-governor controls.
Analyses, as discussed in UFSAR Section 8.2.2 (Ref. 2), and operating experience have demonstrated that the tripping of a Palo Verde unit has a minimal effect on grid frequency.

APPLICABLE SAFETY ANALYSES

The initial conditions of DBA and transient analyses in the updated FSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and
b. A worst case single failure.

The AC sources satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

Two circuits between the offsite transmission network and the onsite Class 1E Electrical Power Distribution System and separate and independent DGs for each train ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Offsite circuits are those that are described in the updated FSAR and are part of the licensing basis for the unit. In addition, one automatic load sequencer per train must be OPERABLE.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses.

The startup transformers (NAN-X01, NAN-X02, and NAN-X03) convert the 525 kV offsite power to the Non-Class 1E 13.8 kV power. Each secondary winding of a startup transformer normally provides power to one of two interconnected 13.8 kV intermediate buses (NAN-S05 & NAN-S06) per unit, in such a way that the two 13.8 kV intermediate buses of the same unit receive power from two different start-up transformers (preferred offsite sources: normal and alternate supply).
For example, Unit 1 NAN-S05's normal supply is from a NAN-X03 secondary winding and NAN-S05's alternate supply is from a NAN-X01 secondary winding; Unit 1 NAN-S06's normal supply is from a NAN-X02 secondary winding and NAN-S05's alternate supply is from a NAN-X01 secondary winding. The secondary windings are sized to start and carry one-half of the non-Class 1E loads of one unit and two trains of ESF loads, one of which is from another unit, during unit trips or during startup/shutdown operation. The 13.8 kV intermediate buses (NAN-S05 & NAN-S06), in turn, distribute power to the 4.16 kV Class 1E buses (PBA-S03 &
PBB-S04) via a 13.8 kV bus (NAN-S03 or NAN-S04) and an ESF transformer (NBN-X03 or NBN-X04). Two fast bus transfer circuits are also provided to transfer the non-Class 1E house loads fed from NAN-S01 and NAN-S02 to 13.8 kV buses NAN-S03 and NAN-S04 respectively during a plant trip or during startup/shutdown operation. Prior to a plant trip, NAN-S01 and NAN-S02 are fed from the auxiliary transformer, and are fed from NAN-S03 and NAN-S04 respectively after the plant trip.
Each DG must be capable of starting, accelerating to at least the minimum acceptable speed (i.e., frequency) and voltage, and connecting to its respective ESF bus on detection of bus under-voltage. This will be accomplished within () 10 seconds after receipt of the diesel generator start signal. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby condition with the engine hot and DG in standby condition with the engine at normal keep-warm conditions. Additional DG capabilities must be demonstrated to meet required Surveillances (e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode).

Proper sequencing of loads, including tripping of nonessential loads, is a required function.

The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the DGs, separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. An offsite circuit may be connected to both 4.16 kV Class 1E buses (PBA-S03 & PBB-S04) and not violate separation criteria. While in this alignment, the associated 13.8 kV startup transformer secondary circuit must not be connected to any non-Class 1E house load bus (NAN-S01 or NAN-S02) nor have fast bus transfer capability to any such bus enabled. This restriction assures adequacy of voltage to ESF equipment.
The offsite circuit that is not connected to either 4.16 kV Class 1E bus is inoperable.

APPLICABILITY

The AC sources and sequencers are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
The AC power requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are covered in LCO 3.8.2, "AC Sources - Shutdown."

ACTIONS

Condition A applies only when the offsite circuit is unavailable to commence automatic load sequencing in the event of a design basis accident (DBA). In cases where the offsite circuit is available for sequencing, but a DBA could cause actuation of the Degraded Voltage Relays, Condition G applies.

A note prohibits the application of LCO 3.0.4.b to an inoperable DG. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG, and the provisions of LCO 3.0.4.b, which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1

To ensure a highly reliable power source remains with the one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.
However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

A.2

Required Action A.2, which only applies if the train (i.e.,
ESF bus) cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features. These features require Class 1E power from PBA-S03 or PBB-S04 ESF buses to be OPERABLE, and include: charging pumps; radiation monitors Train A RU-29 and Train B RU-30 (TS 3.3.9), Train A RU-31 and Train B RU-145; pressurizer heaters (TS 3.4.9); ECCS (TS 3.5.3 and TS 3.5.4); containment spray (TS 3.6.6); containment isolation valves NCA-UV-402, NCB-UV-403, WCA-UV-62, and WCB-UV-61 (TS 3.6.3); auxiliary feedwater system (TS 3.7.5); essential cooling water system (TS 3.7.7); essential spray pond system (TS 3.7.8); essential chilled water system (TS 3.7.10);
control room essential filtration system (TS 3.7.11); control room emergency air temperature control system (TS 3.7.12);
ESF pump room air exhaust cleanup system (TS 3.7.13);
shutdown cooling subsystems (TS 3.4.6, 3.4.7, 3.4.8, and 3.4.15); and fuel building ventilation. Mode applicability is as specified in each appropriate TS section. The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."  In this Required Action, the Completion Time only begins on discovery that both:  a. The train has no offsite power supplying its loads; and  b. A required feature on the other train is inoperable. If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked. Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown. The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature.
Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

A.3

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 10 days. This could lead to a total of 13 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 10 days (for a total of 23 days) allowed prior to complete restoration of the LCO.
The 13 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour and 13 day Completion Time means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met. As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."  This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition A was entered.
B.1

To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if an offsite circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.2

Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of redundant required features. These features require Class 1E power from PBA-S03 or PBB-S04 ESF buses to be OPERABLE, and are identical to those specified in ACTION A.2. Mode applicability is as specified in each appropriate TS section. Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG.

The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and
b. A required feature on the other train is inoperable.

If at any time during the existence of this Condition (one DG inoperable) a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.
Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently, is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown. In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. If a DG has been declared inoperable and Condition B has been entered, and during that inoperability a new problem with the inoperable DG is discovered, a separate entry into Condition B is not required for the new DG problem.
Therefore, the Required Actions of Condition B would not apply to the new DG problem. The new DG problem must be entered into the corrective action program and corrective actions specified in accordance with the corrective action program. Transportability must be addressed in a timely manner in accordance with the corrective action program.
B.3.1 and B.3.2
Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on the other DG, the other DG would be declared inoperable upon discovery and Condition E of LCO 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG. In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition B.
According to Generic Letter 84-15 (Ref. 7), 24 hours is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.
B.4
In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 10 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. When utilizing an extended DG Completion Time (a Completion Time greater than 72 hours and less than or equal to 10 days), the compensatory measures listed below shall be implemented. For planned maintenance utilizing an extended Completion Time, the compensatory measures shall be implemented prior to entering Condition B. For an unplanned entry into an extended Completion Time, the compensatory measures shall be implemented without delay.
1. The redundant DG (along with all of its required systems, subsystems, trains, components, and devices) will be verified OPERABLE (as required by TS) and no discretionary maintenance activities will be scheduled on the redundant (OPERABLE) DG.
2. No discretionary maintenance activities will be scheduled on the station blackout generators (SBOGs).
3. No discretionary maintenance activities will be scheduled on the startup transformers.
4. No discretionary maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit utilizing the extended DG Completion Time.
5. All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Discretionary maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance.
6. The SBOGs will not be used for non-safety functions (i.e., power peaking to the grid).
7. Weather conditions will be assessed prior to removing a DG from service during planned maintenance activities. Additionally, DG outages will not be scheduled when severe weather conditions and/or unstable grid conditions are predicted or present.
8. All maintenance activities associated with the unit that is utilizing the extended DG Completion Time will be assessed and managed per 10 CFR 50.65 (Maintenance Rule).
9. The functionality of the SBOGs will be verified by ensuring that the monthly start test has been successfully completed within the previous four weeks before entering the extended DG Completion Time.
10. The OPERABILITY of the steam driven auxiliary feedwater pump will be verified before entering the extended DG Completion Time.
11. The system dispatcher will be contacted once per day and informed of the DG status, along with the power needs of the facility.
12. Should a severe weather warning be issued for the local area that could affect the switchyard or the offsite power supply during the extended DG Completion Time, an operator will be available locally at the SBOG should local operation of the SBOG be required as a result of on-site weather related damage.
13. No discretionary maintenance will be allowed on the main and unit auxiliary transformers associated with the unit.
If one or more of the above compensatory measures is not met while in the extended completion time, the corrective action program shall be entered, the risk managed in accordance with the Maintenance Rule, and the compensatory measure(s) restored without delay.
The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hours (3 days). This could lead to a total of 13 days, since initial failure to meet the LCO, to restore the DG.
At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours (for a total of 16 days) allowed prior to complete restoration of the LCO. The 13 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 10 day and 13 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met. As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.
C.1 and C.2
Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE.
When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are powered from redundant AC safety trains. These features require Class 1E power from PBA-S03 or PBB-S04 ESF buses to be OPERABLE, and are identical to those specified in ACTION A.2. Mode applicability is as specified in each appropriate TS section. The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
a. All required offsite circuits are inoperable; and
b. A required feature is inoperable.
If at any time during the existence of Condition C (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked. According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition C for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources. Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this level of degradation:
a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.
With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis.
Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria. According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources, two less than required by the LCO, operation may continue for 24 hours. If two offsite sources are restored within 24 hours, unrestricted operation may continue. If only one offsite source is restored within 24 hours, power operation continues in accordance with Condition A.
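Added example, not part of the Bases: a small timeline walker that applies the "AND" connector described above, pairing Condition A's 72 hour limit and Required Action B.4's 10 day limit with the 13 day limit counted from the time the LCO was first not met. The event dates, the function names and the source-to-Condition mapping are constructed for illustration, and the separate limits that apply while two sources are inoperable together (for example Condition D) are not modeled.

```python
from datetime import datetime, timedelta

# Per-Condition restoration limits quoted on this page.
CONDITION_LIMIT = {"A": timedelta(hours=72), "B": timedelta(days=10)}
# Second Completion Time: counted from when the LCO was first not met.
LCO_LIMIT = timedelta(days=13)
# Assumed mapping for this sketch: one offsite circuit -> A, one DG -> B.
SOURCE_CONDITION = {"offsite": "A", "DG": "B"}


def restore_deadline(condition, condition_entered, lco_first_not_met):
    """Both Completion Times run at once; the more restrictive one governs."""
    per_condition = condition_entered + CONDITION_LIMIT[condition]
    since_lco = lco_first_not_met + LCO_LIMIT
    return min(per_condition, since_lco)


def walk(events):
    """Walk time-ordered (time, source, operable) events.

    Returns one tuple per Condition entry:
    (condition, entered, governing deadline, deadline without the 13 day limit).
    """
    inoperable = {}   # source -> time it became inoperable
    lco_start = None  # start of the current contiguous LCO-not-met period
    entries = []
    for when, source, operable in events:
        if operable:
            inoperable.pop(source, None)
            if not inoperable:
                lco_start = None  # LCO met again, "time zero" resets
            continue
        if not inoperable:
            lco_start = when      # first failure to meet the LCO
        if source not in inoperable:
            inoperable[source] = when
            cond = SOURCE_CONDITION[source]
            entries.append((cond, when,
                            restore_deadline(cond, when, lco_start),
                            when + CONDITION_LIMIT[cond]))
    return entries


# Constructed scenario mirroring the alternation the text describes.
T0 = datetime(2024, 1, 1)
EVENTS = [
    (T0, "offsite", False),                               # Condition A entered
    (T0 + timedelta(hours=70), "DG", False),              # Condition B entered
    (T0 + timedelta(hours=71), "offsite", True),          # circuit restored
    (T0 + timedelta(days=12, hours=20), "offsite", False),  # circuit lost again
    (T0 + timedelta(days=12, hours=21), "DG", True),      # DG restored
]

if __name__ == "__main__":
    for cond, entered, deadline, uncapped in walk(EVENTS):
        print(cond, entered, "governing:", deadline, "without 13 day limit:", uncapped)
```

In the last entry the per-Condition clock alone would run almost three days past the 13 day mark; the second Completion Time is what stops the alternation from extending the outage.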
Condition C applies only when the offsite circuits are unavailable to commence automatic load sequencing in the event of a design basis accident (DBA). In cases where the offsite circuits are available for sequencing, but a DBA could cause actuation of the Degraded Voltage Relays, Condition G applies.
D.1 and D.2
Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to a train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems - Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of one offsite circuit and one DG without regard to whether a train is de-energized. LCO 3.8.9 provides the appropriate restrictions for a de-energized train. According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 12 hours. In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure.
The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
E.1
With Train A and Train B DGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions.
Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation. According to Regulatory Guide 1.93 (Ref. 6), with both DGs inoperable, operation may continue for a period that should not exceed 2 hours.
F.1 and F.2
The sequencer(s) is an essential support system to both the offsite circuit and the DG associated with a given ESF bus.
Furthermore, the sequencer is on the primary success path for most major AC electrically powered safety systems powered from the associated ESF bus. Therefore, loss of an ESF bus sequencer affects every major ESF system in the load group. The 24 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining sequencer OPERABILITY. This time period also ensures that the probability of an accident (requiring sequencer OPERABILITY) occurring during periods when the sequencer is inoperable is minimal. Required Action F.2 is intended to provide assurance that a single failure of a DG Sequencer will not result in a complete loss of safety function of critical redundant required features.
G.1 and G.2
To ensure offsite circuits will not be lost as a consequence of a DBE, certain conditions must be maintained. Failure to maintain these conditions may result in double sequencing should an accident requiring sequencer operation occur. An offsite circuit meets its required capability by maintaining either of the following conditions:
1. Steady-state switchyard voltage at or above the minimum level needed to support the offsite circuit's functions.
The minimum allowable voltage is the value calculated as follows or 528.5 kV, whichever is less:
- Base minimum voltage (provides for emergency loads on PBA-S03 or PBB-S04 and house loads on NAN-S01 or NAN-S02): 518 kV
- If the offsite circuit is connected to 1-E-NAN-S05 or 1-E-NAN-S06: add 6.5 kV
- If the house load group associated with the offsite circuit is connected to both NBN-S01 and NBN-S02 (tie breaker NBN-S01C closed): add 4 kV
- If the offsite circuit is connected to another unit's PBA-S03 or PBB-S04: add 1.5 kV
This option does not apply if the unit under review is the only Palo Verde unit synchronized to the 525 kV switchyard and its main generator gross MVAR output is > 0 or if the offsite circuit is connected to both PBA-S03 and PBB-S04 in the same unit. The values used to calculate minimum allowable voltage are based on calculations 01, 02, 03-EC-MA-0221 that analyze many different bus alignment conditions. The values are conservative, with sufficient margin to account for analytical uncertainties and to provide assurance that the degraded voltage relays will not actuate as a result of an accident.
The highest minimum voltage of 528.5 kV is based on management of the loading of the startup transformer secondary windings to not exceed their rated 70 MVA capacity during a design basis event. When two units are sharing a secondary winding, the associated tie breaker NAN-S03B or NAN-S04B must always be open and fast bus transfer control switch NAN-HK-S03B or NAN-HK-S04B in "Manual" position in at least one of the units. Meters A-E-MAN-EI-001 and A-E-MAN-EI-002 are used to monitor switchyard voltage. The allowable values take into account metering uncertainties. A voltage dip lasting 35 seconds or less is considered a transient, rather than steady-state condition based on the credited 35 second time delay of the degraded voltage relay. The time delay feature on the meters' alarms may be set up to 35 seconds to avoid nuisance alarms.
2. Associated tie breaker NAN-S03B or NAN-S04B to house load buses NAN-S01 or NAN-S02 open and fast bus transfer control switch NAN-HK-S03B or NAN-HK-S04B in "Manual" position. When two units are sharing a startup transformer secondary winding, this condition must be met in both units.
If the required capability in Condition G is not met, the effects of an AOO or DBA could cause further depression of the voltage at the ESF bus and actuation of the degraded voltage relays. These actuations would result in disconnection of the bus from the offsite circuits.
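Added example, not part of the Bases or of any plant procedure: the minimum allowable switchyard voltage calculation for condition 1, its two exclusions, and the 35 second transient rule, applied to a constructed series of voltage samples. The `Alignment` field names, the 5 second sample interval and the rule that a dip is timed from its first low sample to the first recovered sample are assumptions made for this sketch.

```python
from dataclasses import dataclass

BASE_MIN_KV = 518.0       # base minimum voltage stated on the page
CEILING_KV = 528.5        # "whichever is less" ceiling stated on the page
TRANSIENT_LIMIT_S = 35.0  # dips lasting 35 s or less count as transients


@dataclass
class Alignment:
    """Hypothetical record of one offsite circuit's alignment."""
    on_nan_s05_or_s06: bool = False         # connected to 1-E-NAN-S05 or 1-E-NAN-S06
    house_load_tie_closed: bool = False     # tie breaker NBN-S01C closed
    feeds_other_unit_esf_bus: bool = False  # another unit's PBA-S03 or PBB-S04
    only_unit_synchronized: bool = False    # only unit on the 525 kV switchyard
    gross_mvar: float = 0.0                 # main generator gross MVAR output
    feeds_both_esf_buses: bool = False      # PBA-S03 and PBB-S04 in the same unit


def voltage_option_applies(a):
    """The voltage option is excluded in the two cases the page lists."""
    if a.only_unit_synchronized and a.gross_mvar > 0:
        return False
    if a.feeds_both_esf_buses:
        return False
    return True


def min_allowable_kv(a):
    """Base value plus alignment adders, limited to the 528.5 kV ceiling."""
    kv = BASE_MIN_KV
    if a.on_nan_s05_or_s06:
        kv += 6.5
    if a.house_load_tie_closed:
        kv += 4.0
    if a.feeds_other_unit_esf_bus:
        kv += 1.5
    return min(kv, CEILING_KV)


def sustained_low_voltage(samples, limit_kv, max_transient_s=TRANSIENT_LIMIT_S):
    """Return (start, end) periods below limit_kv lasting longer than a transient.

    samples is a time-ordered list of (seconds, kV) readings.
    """
    periods = []
    start = None
    for t, kv in samples:
        if kv < limit_kv:
            if start is None:
                start = t
        else:
            if start is not None and t - start > max_transient_s:
                periods.append((start, t))
            start = None
    # A dip still in progress at the end of the record is timed to the last sample.
    if start is not None and samples[-1][0] - start > max_transient_s:
        periods.append((start, samples[-1][0]))
    return periods


def condition_1_met(a, samples):
    """True when the steady-state voltage condition holds for this alignment."""
    if not voltage_option_applies(a):
        return False
    return not sustained_low_voltage(samples, min_allowable_kv(a))


# Constructed 5 second samples (seconds, kV): a 20 s dip, then a 60 s dip.
SAMPLES = [(t, 520.0 if 30 <= t <= 45 or 100 <= t <= 155 else 530.0)
           for t in range(0, 205, 5)]

if __name__ == "__main__":
    circuit = Alignment(on_nan_s05_or_s06=True)
    limit = min_allowable_kv(circuit)
    print("limit kV:", limit)
    print("sustained dips:", sustained_low_voltage(SAMPLES, limit))
    print("condition 1 met:", condition_1_met(circuit, SAMPLES))
```

With every adder applied the sum is 530 kV, so the 528.5 kV ceiling governs; the 20 second dip in the sample data is ignored as a transient while the 60 second dip is reported.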
Regulatory Guide 1.93 (Ref. 6) defines this condition as "The Available Offsite Power Sources Are One Less Than the LCO" or "The Available Offsite AC Power Sources Are Two Less Than the LCO," depending on the number of affected circuits.
However, degraded post-trip voltage could also cause ESF electrical equipment to be exposed to a degraded condition during the degraded voltage relay time-out period. There is a risk that equipment misoperation or damage could occur during this time. In this scenario, the ESF equipment may not perform as designed following an automatic disconnection of the offsite circuits and reconnection to the diesel generators (DGs), even though adequate power is available from the DG. For certain DBAs, an additional consideration is that the initial sequencing of the ESF equipment onto the offsite circuits, subsequent tripping of the degraded voltage relays, and interruption in equipment credited in the UFSAR Chapter 6 and 15 safety analyses could challenge the credited equipment response times. Therefore, it is appropriate to implement Required Actions that are more stringent than those specified in Condition A or C.
If the required capability in Condition G is not met, the following options are available to restore full or partial Operability. Options are listed in their order of preference.
1. Achieve Condition 1 as discussed above (switchyard voltage at or above the minimum allowable value). This is accomplished by either of the following:
- Increase switchyard voltage. If more than one Palo Verde unit is operating, switchyard voltage is increased by increasing MVAR output of any Palo Verde unit, or by any number of methods implemented by the Energy Control Center. If only one Palo Verde unit is operating, switchyard voltage is increased by any number of methods implemented by the Energy Control Center while maintaining the generator gross MVAR output of the Palo Verde unit to
- Reduce minimum allowable voltage as calculated above. This is achieved by realignment of equipment power sources, if such an option is available.
2. Achieve Condition 2 as discussed above. This is accomplished by ensuring the affected tie breaker (NAN-S03B or NAN-S04B) is open and the fast bus transfer control switch (NAN-HK-S03B or NAN-HK-S04B) is in the "Manual" position. If two units are sharing a startup transformer secondary winding, this condition must be achieved in both units. Although Palo Verde has no formal restrictions on the amount of time that fast bus transfer can be out of service, this option should be used judiciously in order to maintain forced circulation capability.
3. Transfer the safety bus(es) to the diesel generator(s). This is less desirable than option 2, because it would perturb the plant. It would cause the plant to remain in an LCO 3.8.1 condition (A or C, depending on whether one or two buses are transferred).
Options 1 and 2 satisfy Required Action G.1, and Option 3 satisfies Required Action G.2. With more than one offsite circuit that does not meet the required capability, Condition G could be satisfied for each offsite circuit by the use of Required Action G.1 or G.2. The Completion Time for both Required Action G.1 and G.2 is one hour. The one hour time limit is appropriate and consistent with the need to remove the unit from this condition, because the level of degradation exceeds that described in Regulatory Guide 1.93 (Ref. 6) for two offsite circuits inoperable. The regulatory guide assumes that an adequate onsite power source is still available to both safety trains, but in a scenario involving automatic load sequencing and low voltage to the ESF buses, adequate voltage is not assured from any of the power sources for the following systems immediately after the accident signal has been generated (i.e., while the degraded voltage relay is timing out):
- radiation monitors Train A RU-29 or Train B RU-30 (TS 3.3.9), Train B RU-145;
- ECCS (TS 3.5.3);
- containment spray (TS 3.6.6);
- containment isolation valves (TS 3.6.3);
- auxiliary feedwater system (TS 3.7.5);
- essential cooling water system (TS 3.7.7);
- essential spray pond system (TS 3.7.8);
- essential chilled water system (TS 3.7.10);
- control room essential filtration system (TS 3.7.11);
- ESF pump room air exhaust cleanup system (TS 3.7.13); and
- fuel building ventilation.
Required Action G.2 is modified by a Note. The reason for the Note is to ensure that the offsite circuit is not inoperable for a time greater than the Completion Time allowed by LCO 3.8.1 Condition A or C. Therefore, if Conditions A or C are entered, the Completion Time clock for Conditions A and C would start at the time Condition G was entered.
H.1 and H.2
If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
I.1
Condition I corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.
SURVEILLANCE REQUIREMENTS
The AC sources are designed to permit inspection and testing of all important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, Appendix A, GDC 18 (Ref. 8). Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating OPERABILITY of the DGs are based on the recommendations of Regulatory Guide 1.9 (Ref. 3), unless otherwise noted in the Updated FSAR Section 1.8. The DG capabilities (starting and loading) are required to be met from a variety of initial conditions such as DG in standby condition with the engine hot (SR 3.8.1.15) and DG in standby condition with the engine at normal keep-warm conditions (SR 3.8.1.2, SR 3.8.1.7 and SR 3.8.1.19).
Although it is expected that most DG starts will be performed from normal keep-warm conditions, DG starts should be performed with the jacket water cooling and lube oil temperatures within the lower to upper limits of DG OPERABILITY, except as noted above. Rapid cooling of the DG down to normal keep-warm conditions should be minimized.
The required steady state frequency range for the DG is 60 +0.7/-0.3 Hz to be consistent with the safety analysis to provide adequate safety injection flow. In accordance with the guidance provided in Regulatory Guide 1.9 (Ref. 3), where steady state conditions do not exist (i.e., transients), the frequency range should be restored to within +/- 2% of the 60 Hz nominal frequency (58.8 Hz to 61.2 Hz) and the voltage range should be restored to within +/- 10% of the 4160 volts nominal voltage (3740 volts to 4580 volts). The timed start is satisfied when the DG achieves at least 3740 volts and 58.8 Hz within 10 seconds.
At these values, the DG output breaker permissives are satisfied. Then, with concurrent or subsequent detection of a loss of voltage on the ESF bus, the DG breaker would close, reenergizing the bus. Steady state and transient voltage and frequency limits have not been adjusted for instrument accuracy. Error values for specific instruments are established by plant staff to derive the indicated values for the steady state and transient voltage and frequency limits. Specific MODE restraints have been footnoted where applicable to each 18 month SR. The reason for "This Surveillance shall not be performed in MODE 1 or 2" is that during operation with the reactor critical, performance of this SR could cause perturbations to the EDS that could challenge continued steady state operation and, as a result, unit safety systems; or that performing the SR would remove a required DG from service. The reason for "This Surveillance shall not be performed in MODE 1, 2, 3, or 4" is that performing this SR would remove a required offsite circuit from service, perturb the EDS, and challenge safety systems.
SR 3.8.1.1
This SR assures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and indicated availability of offsite AC electrical power.
The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source, and that appropriate independence of offsite circuits is maintained.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.2 and SR 3.8.1.7
These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe shutdown condition. To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs are modified by a Note to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup period prior to loading. For the purposes of SR 3.8.1.2 and SR 3.8.1.7 testing, the DGs are started from standby condition. Standby conditions for a DG mean that the engine lube oil and coolant temperatures are maintained consistent with manufacturer recommendations. Additionally, during standby conditions the diesel engine lube oil is circulated continuously and the engine coolant is circulated on and off via thermostatic control. In order to reduce stress and wear on diesel engines, the DG manufacturer recommends a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. This is the intent of Note 3, which is only applicable when such modified start procedures are recommended by the manufacturer. SR 3.8.1.2 Note 4 and SR 3.8.1.7 Note 2 state that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy.
The analyzed values for the steady-state diesel generator voltage limits are analyzed values for the steady-state diesel generator frequency limits are  60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are (Ref. 12), and respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.
SR 3.8.1.7 requires that the DG starts from standby conditions with the engine at normal keep-warm conditions and achieves required voltage and frequency within 10 seconds, and subsequently achieves steady state required voltage and frequency ranges. The 10 second start requirement supports the assumptions of the design basis LOCA analysis in the FSAR, Chapter 15 (Ref. 5).
A minimum voltage and frequency is specified rather than an upper and a lower limit because a diesel engine acceleration at full fuel (such as during a fast start) is likely to "overshoot" the upper limit initially and then go through several oscillations prior to a voltage and frequency within the stated upper and lower bounds. The time to reach "steady state" could exceed 10 seconds, and be cause to fail the SR. However, on an actual emergency start, the EDG would reach minimum voltage and frequency in 10 seconds at which time it would be loaded. Application of the load will dampen the oscillations. Therefore, only specifying the minimum voltage and frequency (at which the EDG can accept load) demonstrates the necessary capability of the EDG to satisfy safety requirements without including a potential for failing the Surveillance. Error values for specific instruments are established to derive indicated values in test procedures.
While reaching minimum voltage and frequency (at which the DG can accept load) in 10 seconds is an immediate test of OPERABILITY, the ability of the governor and voltage regulator to achieve steady state operation, and the time to do so are important indicators of continued OPERABILITY.
Therefore, the time to achieve steady state voltage and frequency will be monitored as a function of continued OPERABILITY. The 10 second start requirement is not applicable to SR 3.8.1.2 (see Note 3) when a modified start procedure as described above is used. If a modified start is not used, the 10 second start requirement of SR 3.8.1.7 applies. The existing design for a CSAS actuation signal does not provide an emergency mode start to the DG. A CSAS actuation signal cannot occur until after a SIAS actuation signal has already been generated.
Since SR 3.8.1.7 requires a 10 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This is the intent of Note 1 of SR 3.8.1.2. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.3
This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads of 90 to 100 percent (4950 - 5500 kW) of the continuous rating of the DG. Consistent with the guidance provided in the Regulatory Guide 1.9 (Ref. 3) load-run test description, the 4950 - 5500 kW band will demonstrate 90 to 100 percent of the continuous rating of the DG. The load band (4950 - 5500 kW) is meant as guidance to avoid routine overloading of the engine. Loads in excess of this band for special testing may be performed within the guidance of the generator capability curve. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients because of changing bus loads do not invalidate this test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.
Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance.
SR 3.8.1.4
This SR verifies that there is enough usable fuel oil in the DG Day Tank to run the diesel generator at full load for a minimum of 1 hour plus 10%. The surveillance is on fuel level since there is no direct indicator of volume. Level is read in feet on the Main Control Board indicators or in equivalent units on local DG instrumentation. The source for the run-time requirement is the UFSAR Sec. 1.8 and Question 9A.9 commitment to ANSI N195-1976. That standard refers to the level at which fuel is automatically added to the tank. For the DG Day Tanks the "pump start" level is above the SR and so is additionally conservative. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.5
Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The presence of water does not necessarily represent failure of this SR provided the accumulated water is removed during the performance of this Surveillance.
SR 3.8.1.6
This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.7
See SR 3.8.1.2.
SR 3.8.1.8
Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the auto-connected emergency loads. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.
This restriction from normally performing the surveillance in MODE 1 or 2 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
SR 3.8.1.9
Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load, or equivalent load, without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip.
Train A Normal Water Chiller (less than 925 kW) and Train B AFW pump (less than 1000 kW) are the bounding loads for DG A and DG B to reject, respectively. These values were established in references 14 through 17. This Surveillance may be accomplished by:
a. Tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while solely supplying the bus; or
b. Tripping its associated single largest post-accident load with the DG solely supplying the bus.
As required by IEEE-308 (Ref. 11), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower.
The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals.
The 3 seconds specified is equal to 60% of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are the voltage and frequency values the system must meet, within three seconds, following load rejection. Error values for specific instruments are established to derive indicated values in test procedures. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing this SR would remove a required offsite circuit from service, perturb the EDS, and challenge safety systems. This SR is performed in emergency mode (not paralleled to the grid) ensuring that the DG is tested under load conditions that are as close to design basis conditions as possible. This restriction from normally performing the surveillance in Mode 1, 2, 3, or 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines that plant safety is maintained or enhanced.
This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.
The following compensatory measures shall be implemented prior to the performance of this SR in MODE 1 or 2:
a. Weather conditions will be assessed, and the SR will not be scheduled when severe weather conditions and/or unstable grid conditions are predicted or present.
b. No discretionary maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit performing this SR.
c. All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Discretionary maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance.
SR 3.8.1.10
This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG will not trip upon loss of the load. These acceptance criteria provide DG damage protection.
While the DG is not expected to experience this transient during an event and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.
In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is performed using design basis kW loading and maximum kVAR loading permitted during testing. These loads represent the inductive loading that the DG would experience to the extent practicable and is consistent with the guidance of Regulatory Guide 1.9 (Ref. 3). Consistent with the guidance provided in the Regulatory Guide 1.9 full-load rejection test description, the 4950 - 5500 kW band will demonstrate the DG's capability to reject a load equal to 90 to 100 percent of its continuous rating. Error values for specific instruments are established to derive indicated values in test procedures.
Administrative limits have been placed upon the Class 1E 4160 V buses due to high voltage concerns. As a result power factors deviating much from unity are currently not possible when the DG runs parallel to the grid while the plant is shutdown. To the extent practicable, VARs will be provided by the DG during this SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. This Note ensures that the DG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a lagging power factor of 0.89. This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions.
This power factor should be able to be achieved when performing this SR at power and synchronized with offsite power by transferring house loads from the auxiliary transformer to the startup transformer in order to lower the Class 1E bus voltage. Under certain conditions, however, Note 2 allows the surveillance to be conducted at a power factor other than 0.89. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.89 results in voltages on the emergency busses that are too high. This would occur when performing this SR while shutdown and the loads on the startup transformer are too light to lower the voltage sufficiently to achieve a 0.89 power factor. Under these conditions, the power factor should be maintained as close as practicable to 0.89 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the DG excitation levels needed to obtain a power factor of 0.89 may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the DG. In such cases, the power factor shall be maintained as close as practicable to 0.89 without exceeding DG excitation limits.
The following compensatory measures shall be implemented prior to the performance of this SR in MODE 1 or 2:
a. Weather conditions will be assessed, and the SR will not be scheduled when severe weather conditions and/or unstable grid conditions are predicted or present.
b. No discretionary maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit performing this SR.
c. All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Discretionary maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance.
SR 3.8.1.11
As required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.4, this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time.
The DG auto-start time of 10 seconds is derived from requirements of the accident analysis. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.
The requirement to verify the connection and power supply of permanent and auto-connected emergency loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or shutdown cooling (SDC) systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable.
This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified to the extent possible ensuring power is available to the component. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by four Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with the failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4.
Risk insights or deterministic methods may be used for this assessment. Note 3 states that momentary voltage and frequency transients induced by load changes do not invalidate this test. Note 4 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are  and the steady-state diesel generator frequency limits are 59.7 and  60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 60.5 hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.
SR 3.8.1.12
This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis accident (LOCA) signal, and subsequently achieves steady state required voltage and frequency ranges, and operates for time to demonstrate stability. Error values for specific instruments for non-steady state (transients) are established to derive indicated values in test procedures.
The existing design for CSAS actuation signal does not provide an emergency mode start to the DG. A CSAS actuation signal cannot occur until after a SIAS actuation signal has already been generated.
SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and auto-connected emergency loads (auto-connected through the automatic load sequencer) are energized from the offsite electrical power system on an ESF signal without loss of offsite power.
The requirement to verify the connection of permanent and auto-connected emergency loads is intended to satisfactorily show the relationship of these loads to the offsite circuit loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or SDC systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the offsite circuit system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified to the extent possible ensuring power is available to the component. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing this SR would remove a required offsite circuit from service, perturb the EDS, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes.
These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are
-state diesel generator frequency limits are hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error are hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.
SR 3.8.1.13
This Surveillance demonstrates that DG and its associated 4.16 kV output breaker noncritical protective functions (e.g., high jacket water temperature) are bypassed on a loss of voltage signal concurrent with an ESF actuation test signal, and critical protective functions (engine overspeed, generator differential current, engine low lube oil pressure, and manual emergency stop trip), trip the DG to avert substantial damage to the DG unit. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.14
Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.9, requires demonstration that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours, 2 hours of which is at a load equivalent to 105 to 110% of the continuous rating of the DG (5775 - 6050 kW) and 22 hours at a load equivalent to 90 to 100% of the continuous duty rating of the DG (4950 - 5500 kW). The DG starts for this Surveillance can be performed either from normal keep-warm or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR (Note 3 and Note 4).
In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing is performed using design basis kW loading and maximum kVAR loading permitted during testing. These loads represent the inductive loading that the DG would experience to the extent practicable and is consistent with the intent of Regulatory Guide 1.9 (Ref. 3).
Administrative limits have been placed upon the Class 1E 4160 V buses due to high voltage concerns. As a result, power factors deviating much from unity are currently not possible when the DG runs parallel to the grid while the plant is shutdown. To the extent practicable, VARs will be provided by the DG during this SR.
The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.
The following compensatory measures shall be implemented prior to the performance of this SR in MODE 1 or 2 with the DG connected to an offsite circuit:
a. Weather conditions will be assessed, and the SR will not be scheduled when severe weather conditions and/or unstable grid conditions are predicted or present.
b. No discretionary maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit performing this SR.
c. All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Discretionary maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This Surveillance is modified by four Notes. Note 1 states that momentary variations due to changing bus loads do not invalidate the test. Note 2 ensures that the DG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a lagging power factor of 0.89. This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions. This power factor should be able to be achieved when performing this SR at power and synchronized with offsite power by transferring house loads from the auxiliary transformer to the startup transformer in order to lower the Class 1E bus voltage. Under certain conditions, however, Note 2 allows the surveillance to be conducted at a power factor other than 0.89. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.89 results in voltages on the emergency busses that are too high. This would occur when performing this SR while shutdown, and the loads on the startup transformer are too light to lower the voltage sufficiently to achieve a 0.89 power factor. Under these conditions, the power factor should be maintained as close as practicable to 0.89 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the DG excitation levels needed to obtain a power factor of 0.89 may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the DG.
In such cases, the power factor shall be maintained as close as practicable to 0.89 without exceeding DG excitation limits. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR (Note 3 and Note 4).
SR 3.8.1.15

This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 10 seconds, and subsequently achieves steady state required voltage and frequency ranges. Error values for specific instruments for non-steady state (transients) are established to derive indicated values in test procedures. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Per the guidance in Regulatory Guide 1.9, this SR would demonstrate the hot restart functional capability at full-load temperature conditions, after the DG has operated for 2 hours (or until operating temperatures have stabilized) at full load.
Momentary transients due to changing bus loads do not invalidate the test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy.
The analyzed values for the steady-state diesel generator voltage limits are analyzed values for the steady-state diesel generator frequency limits are steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 4300 volts (Ref. 12), and respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.
SR 3.8.1.16

As required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.11, this Surveillance ensures that the manual synchronization and load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, in standby operation (running unloaded), the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequence timers are reset. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced.
This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
SR 3.8.1.17

Demonstration of the test mode override ensures that the DG availability under accident conditions will not be compromised as the result of testing and the DG will automatically reset to ready-to-load operation if a LOCA actuation signal (e.g., simulated SIAS) is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage, in standby operation (running unloaded) with the DG output breaker open. These provisions for automatic switchover are required by IEEE-308 (Ref. 11), paragraph 6.2.6(2) and Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.13. The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirement associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.18

Under accident and loss of offsite power conditions loads are sequentially connected to the bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents.
The 1 second load sequence time tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. FSAR, Chapter 8 (Ref. 2) provides a summary of the automatic loading of ESF buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
SR 3.8.1.19

In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded. This Surveillance demonstrates the DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with an ESF actuation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are the steady-state diesel generator frequency limits are 59.7 and 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are
Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

SR 3.8.1.20

This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously. Error values for specific instruments for non-steady state (transients) are established to derive indicated values in test procedures. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. The reason for Note 1 is to minimize wear on the DG during testing. Note 2 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are 4377.2 volts and the analyzed values for the steady-state diesel generator frequency limits are hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 4080 and hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 17
2. Updated FSAR, Chapter 8
3. Regulatory Guide 1.9, Revision 3, "Selection, Design, Qualification and Testing of Emergency Diesel Generator Units Used as Class 1E Onsite Electric Power Systems at Nuclear Power Plants," July 1993.
4. Updated FSAR, Chapter 6
5. Updated FSAR, Chapter 15
6. Regulatory Guide 1.93, "Availability of Electric Power Sources," Revision 0, December 1974.
7. GL 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July 2, 1984.
8. 10 CFR 50, Appendix A, GDC 18
9. Regulatory Guide 1.137, "Fuel Oil Systems for Standby Diesel Generators," Revision 1, October 1979.
10. ANSI C84.1-1982
11. IEEE Standard 308-1974, "IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations."
12. Calculation 13-EC-PE-123, "Diesel Generator voltage meter loop E-PEN-EI-G01/G02 uncertainty calculation."
13. Calculation 13-EC-PE-124, "Diesel Generator frequency meter loop E-PEN-SI-G01/G02 uncertainty calculation."
14. Calculation 13-MC-DG-401 "Emergency Diesel Generator 'As Built' Brake Horsepower Loads"
15. Calculation 01-EC-MA-221, "AC Distribution"
16. Calculation 02-EC-MA-221, "AC Distribution"
17. Calculation 03-EC-MA-221, "AC Distribution"

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.2 AC Sources - Shutdown

BASES

BACKGROUND

A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources - Operating."

APPLICABLE SAFETY ANALYSES

The OPERABILITY of the minimum AC sources during MODES 5 and 6, and during movement of irradiated fuel assemblies ensures that:
a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6.
Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and minimal in consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is also required. In MODES 5 and 6, the activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:
a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions.
These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite diesel generator (DG) power.

The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO

One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems - Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with a distribution system train required to be OPERABLE by LCO 3.8.10, ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and DG ensures the availability of sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

The offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es).
Offsite circuits are those that are described in the updated FSAR and are part of the licensing basis for the unit. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of the offsite circuit.

The DG must be capable of starting, accelerating to rated speed and voltage, connecting to its respective ESF bus on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. The DG must be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby condition with the engine hot and DG in standby condition at normal keep-warm conditions.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

In addition, proper sequencer operation is an integral part of offsite circuit OPERABILITY since its inoperability impacts on the ability to start and maintain energized loads required OPERABLE by LCO 3.8.10.

It is acceptable for trains to be cross tied during shutdown conditions, allowing a single offsite power circuit to supply all required trains.

APPLICABILITY

The AC sources required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies provide assurance that:
a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are
available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

The AC power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.1.

ACTIONS

The ACTIONS are modified by a Note that identifies required Actions A.2.3 and B.3 are not applicable to the movement of irradiated fuel assemblies in Modes 1 through 4.

A.1

An offsite circuit would be considered inoperable if it were not available to one required ESF train. Although two trains may be required by LCO 3.8.10, the remaining train with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By the allowance of the option to declare required features inoperable, with no offsite power available, appropriate restrictions will be implemented in accordance with the affected required features LCO's ACTIONS.

A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4

With the offsite circuit not available to all required trains, the option would still exist to declare all required features inoperable.
Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required DG inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions. The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory provided the required SDM is maintained.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. If moving irradiated fuel assemblies while in MODES 1, 2, 3, or 4, the fuel movement is independent of reactor operations.
Therefore, inability to immediately suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

Pursuant to LCO 3.0.6, the Distribution System's ACTIONS are not entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A is entered with no AC power to any required ESF bus, the ACTIONS for LCO 3.8.10 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit, whether or not a train is de-energized. LCO 3.8.10 provides the appropriate restrictions for the situation involving a de-energized train.
SURVEILLANCE REQUIREMENTS

SR 3.8.2.1

SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, 3, and 4. The SRs that are applicable and required to be performed are SR 3.8.1.1, SR 3.8.1.2, SR 3.8.1.4, SR 3.8.1.5, and SR 3.8.1.7. The SRs listed in the Note are not required to be performed as a condition of OPERABILITY because their performance would unnecessarily challenge the only remaining OPERABLE DG or offsite circuit. In addition, SR 3.8.1.6 is not required to be performed since the fuel oil transfer pump would not cycle without the one-hour load demand SR or the 24-hour run SR, neither of which is required to be performed.

The reasons for the exception to SR 3.8.2.1 applicability are as follows: SR 3.8.1.8 is not applicable since only one offsite circuit is required to be OPERABLE and an alternate offsite circuit may not be available; SR 3.8.1.12, SR 3.8.1.17, and SR 3.8.1.19 are not applicable because the ESF functions (i.e., AFAS and SIAS) are not required to be OPERABLE during shutdown; SR 3.8.1.17 is not applicable because the required OPERABLE DG(s) is not required to undergo periods of being load tested (parallel to the offsite circuit). SR 3.8.1.20 is not applicable because starting independence is not required with DG(s) that are not required to be OPERABLE.

This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during performance of SRs, and to preclude deenergizing a required 4160 V ESF bus or disconnecting a required offsite circuit during performance of SRs. With limited AC Sources available, a single event could compromise both the required circuit and the DG.
It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit is required to be OPERABLE.
Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.
REFERENCES
None.
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air
BASES
BACKGROUND
Each diesel generator (DG) is provided with a storage tank having a fuel oil capacity sufficient to operate that diesel for a period of 7 days, while the DG is supplying maximum post loss of coolant accident load demand as discussed in the FSAR, Section 9.5.4.2.1 (Ref. 1). The maximum load demand is calculated using the assumption that at least two DGs are available. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources.
Fuel oil is transferred from storage tank to day tank by a transfer pump associated with each storage tank. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank to result in the loss of more than one DG. All outside tanks, pumps, and piping are located underground.
For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195-1976 (Ref. 3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.
The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. Each engine oil sump contains an inventory capable of supporting a minimum of 7 days of operation.
This supply is sufficient to allow the operator to replenish lube oil from outside sources.
Each DG has independent and redundant starting air subsystems. Each DG starting subsystem provides a stored compressed air supply sufficient for accomplishing a DG start in  10 seconds. Each air receiver has been sized to accomplish 5 consecutive DG starts from the receiver design working pressure without being refilled.
APPLICABLE SAFETY ANALYSES
The initial conditions of Design Basis Accident (DBA) and transient analyses in the FSAR, Chapter 6 (Ref. 4), and in the FSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for LCO Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
Since diesel fuel oil, lube oil, and the air start subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality. Additionally, sufficient lubricating oil supply must be available to ensure the capability to operate at full load for 7 days.
This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown."
The starting air system is required to have a minimum capacity for five consecutive DG start attempts without recharging the air start receivers.
APPLICABILITY
The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Since stored diesel fuel oil, lube oil, and starting air subsystems support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil and starting air are required to be within limits when the associated DG is required to be OPERABLE.
ACTIONS
The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem.
Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystems are governed by separate Condition entry and application of associated Required Actions.
A.1
In this Condition (i.e., < 80% indicated fuel level), the 7 day fuel oil supply for a DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply. These circumstances may be caused by events such as full load operation required after an inadvertent start while at minimum required level; or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity ( 6 days or  71% indicated fuel level), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.
B.1
With lube oil inventory < 2.5 inches visible in the sightglass, sufficient lubricating oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply.
This restriction allows sufficient time to obtain the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity ( > 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.
The normal level of lube oil is maintained at mid-scale visible on the sightglass which ensures sufficient lube oil to support at least 13.5 days of engine operation during periods when the DG is supplying maximum post-LOCA load demand as discussed in the FSAR (Ref. 1). This is based on a conservative lube oil consumption rate of 1.5 gallons per hour and 486 gallons of available lube oil between the top of the lube oil suction pipe in the engine crankcase (minimum available level) and the mid-scale position on the sightglass. 252 gallons or 7 days of available lube oil is actually indicated at 1 inch visible in the sightglass.
With  2.5 inches visible in the sightglass, a conservative supply of lube oil is ensured for 7 days of full load operation.
C.1
This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.
D.1
With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function.
E.1
Each DG is OPERABLE with one air receiver capable of delivering an operating pressure of  230 psig indicated. Although there are two independent and redundant starting air receivers per DG, only one starting air receiver is required for DG OPERABILITY. Each receiver is sized to accomplish 5 DG starts from its normal operating pressure of 250 psig, and each will start the DG in  10 seconds with a minimum pressure of 185 psig indicated. If the required starting air receiver is < 230 psig and  185 psig indicated, the starting air system is degraded and a period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This 48-hour period is acceptable based on the minimum starting air capacity ( 185 psig indicated), the fact that the DG start must be accomplished on the first attempt (there are no sequential starts in emergency mode), and the low probability of an event during this brief period. Calculation 13-JC-DG-203 (Ref. 8) supports the proposed values for receiver pressures.
F.1
With a Required Action and associated Completion Time not met, or one or more DGs with diesel fuel oil, lube oil, or starting air subsystem inoperable for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.
A Note modifies condition F. Periodic starting of the Emergency Diesel Generator(s) requires isolation on one of the two normally aligned air start receivers. During the subsequent Diesel Generator start, the air pressure in the one remaining air receiver may momentarily drop below the minimum required pressure of 185 psig indicated. This would normally require declaring the now running Diesel Generator inoperable, due to low pressure in the air start system.
This is not required, as the Diesel Generator would now be running following the successful start. Should the start not be successful, the DG would be declared inoperable per the requirements of LCO 3.8.1. As such, this Condition is modified by a Note stating that should the required starting air receiver pressure momentarily drop to <185 psig indicated while starting the Diesel Generator on one air receiver only, then entry into Condition F is not required.
It is expected that this condition would be fairly short duration (approximately 8 minutes), as the air start compressors should quickly restore the air receiver pressure after the diesel start.
SURVEILLANCE REQUIREMENTS
SR 3.8.3.1
This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support each DG's operation for 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.3.2
This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The 2.5 inches visible in the sightglass requirement is based on the DG manufacturer consumption values for the run time of the DG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, when the DG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer recommended minimum level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.3.3
The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion.
If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:
a. Sample the fuel oil in accordance with ASTM-D4057 (Ref. 6);
b. Verify in accordance with the tests specified in ASTM D975 (Ref. 6) that the sample has an absolute specific gravity at 60/60°F of  0.83 and  0.89, or an API gravity at 60°F of  27° and  39°, a kinematic viscosity at 40°C of  1.9 centistokes and  4.1 centistokes, and a flash point  125°F; and
c. Verify in accordance with the tests specified in ASTM D1796 (Ref. 6) that the sample water and sediment is 0.05 percent volume.
Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.
Within 31 days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975 (Ref. 7) are met for new fuel oil when tested in accordance with ASTM D975 (Ref. 6), except that the analysis for cetane number may be performed in accordance with ASTM D976 (Ref. 6) or ASTM D4737 (Ref. 6). The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation. This surveillance ensures the availability of high quality fuel oil for the DGs.
Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not mean the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure. Particulate concentrations should be determined in accordance with ASTM D2276, Method A (Ref. 6). This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l.
It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. Each tank must be considered and tested separately. The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.
SR 3.8.3.4
This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of five engine start cycles without recharging. A start cycle is defined by the DG vendor, but usually is measured in terms of time (seconds or cranking) or engine cranking speed. The pressure specified in this SR is intended to reflect the lowest value at which the DG can be considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.3.5
Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil storage tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The presence of water does not necessarily represent failure of this SR provided the accumulated water is removed during the performance of this Surveillance.
REFERENCES
1. FSAR, Section 9.5.4.2.
2. Regulatory Guide 1.137.
3. ANSI N195-1976, Appendix B.
4. FSAR, Chapter 6.
5. FSAR, Chapter 15.
6. ASTM Standards: D4057-81; D975-07b; D976-91; D4737-90; D1796-83; D2276-89, Method A.
7. ASTM Standards, D975, Table 1.
8. "Emergency Diesel Generator and Diesel Fuel Oil Systems Instrumentation Uncertainty Calculation", 13-JC-DG-203, Parts 23 and 51
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.4 DC Sources - Operating
BASES
BACKGROUND
The station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment and preferred AC vital instrument bus power (via inverters). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure.
The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3). The 125 VDC electrical power system consists of two independent and redundant safety related Class 1E DC electrical power subsystems (Train A and Train B). Each subsystem consists of two 125 VDC batteries, the associated battery charger(s) for each battery, and all the associated control equipment and interconnecting cabling. Each subsystem contains two DC power channels. There are four channels designated as A and C for Train A, and B and D for Train B for each unit (See 3.8.4 LCO Bases section for detailed description). Additionally there is one backup battery charger per subsystem, which provides backup service in the event that the normal battery charger is out of service. If the backup battery charger is substituted for one of the normal battery chargers, then the requirements of independence and redundancy between subsystems are maintained. During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries. The Train A and Train B DC electrical power subsystems provide the control power for its associated Class 1E AC power load group, 4.16 kV switchgear, and 480 V load centers. The DC electrical power subsystems also provide DC electrical power to the inverters, which in turn power the AC vital instrument buses.
The DC power distribution system is described in more detail in the Bases for LCO 3.8.9, "Distribution Systems - Operating," and for LCO 3.8.10, "Distribution Systems - Shutdown."
Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystem to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class 1E subsystems, such as batteries, battery chargers, or distribution panels.
Each battery has adequate storage capacity to meet the duty cycle(s) discussed in the UFSAR, Chapter 8 (Ref. 4). The battery is designed with additional capacity above that required by the design duty cycle to allow for temperature variations and other factors. In addition, each DC electrical power subsystem contains a backup battery charger which is manually transferable to either channel of a subsystem. The transfer mechanism is mechanically interlocked to prevent both DC channels of a subsystem from being simultaneously connected to the backup battery charger.
The batteries for Train A and Train B DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating. The minimum design voltage limit is determined for each train per Reference 13.
The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215 +/- 0.010. This specific gravity corresponds to an open circuit battery voltage of approximately 123 V for a 60 cell battery (i.e., cell voltage of 2.07 volts per cell (Vpc) at the upper range of the specific gravity) (Refs. 14 and 15). The open circuit voltage is the voltage maintained where there is no charging or discharging. Optimal long term performance is obtained by maintaining a float voltage 2.17 to 2.25 Vpc. This provides adequate over-potential, which limits the formation of lead sulfate and self discharge.
The nominal float voltage of 2.25 Vpc corresponds to a total float voltage output of 135 V for a 60 cell battery as discussed in the UFSAR, Chapter 8 (Ref. 4).
Each Train A and Train B DC electrical power subsystem battery charger has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient excess capacity to restore the battery from the design minimum charge to its fully charged state within 12 hours while supplying normal steady state loads discussed in the UFSAR, Chapter 8 (Ref. 4).
The battery charger is normally in the float-charge mode. Float-charge is the condition in which the charger is supplying the connected loads and the battery cells are receiving adequate current to optimally charge the battery. This assures the internal losses of a battery are overcome and the battery is maintained in a fully charged state.
When desired, the charger can be placed in the equalize mode. The equalize mode is at a higher voltage than the float mode and charging current is correspondingly higher. The battery charger is operated in the equalize mode after a battery discharge or for routine maintenance. Following a battery discharge, the battery recharge characteristic accepts current at the current limit of the battery charger (if the discharge was significant, e.g., following a battery service test) until the battery terminal voltage approaches the charger voltage setpoint. Charging current then reduces exponentially during the remainder of the recharge cycle.
Lead-calcium batteries have recharge efficiencies of greater than 95%, so once at least 105% of the ampere-hours discharged have been returned, the battery capacity would be restored to the same condition as it was prior to the discharge. This can be monitored by direct observation of the exponentially decaying charging current or by evaluating the amp-hours discharged from the battery and amp-hours returned to the battery.
APPLICABLE SAFETY ANALYSES
The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 6) and Chapter 15 (Ref. 7), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.
The OPERABILITY of the DC sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the DC sources OPERABLE during accident conditions in the event of:
a. An assumed loss of all offsite AC power or all onsite AC power; and
b. A worst case single failure.
The DC sources satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
The DC electrical power subsystems, each subsystem consisting of two batteries, battery charger for each battery (the backup battery charger, one per train, may be used to satisfy this requirement), and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the subsystem are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 4).
Each DC electrical power subsystem (Train A or Train B) is subdivided into channels. Train A consists of Channel A and Channel C. Train B consists of Channel B and Channel D.
Channel A includes 125 VDC bus PKA-M41, 125 VDC battery bank PKA-F11, and normal battery charger PKA-H11 or backup battery charger PKA-H15. Channel C includes 125 VDC bus PKC-M43, 125 VDC battery bank PKC-F13, and normal battery charger PKC-H13 or backup battery charger PKA-H15.
Channel B includes 125 VDC bus PKB-M42, 125 VDC battery bank PKB-F12, and normal battery charger PKB-H12 or backup battery charger PKB-H16. Channel D includes 125 VDC bus PKD-M44, 125 VDC battery bank PKD-F14, and normal battery charger PKD-H14 or backup battery charger PKB-H16.
An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers to be operating and connected to the associated DC bus(es).
APPLICABILITY
The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:
a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.
The DC electrical power requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are addressed in the Bases for LCO 3.8.5, "DC Sources - Shutdown."
ACTIONS
A.1, A.2, and A.3
Condition A represents one subsystem with one battery charger inoperable (e.g., the voltage limit of SR 3.8.4.1 is not maintained). The ACTIONS provide a tiered response that focuses on returning the battery to the fully charged state and restoring a fully qualified charger to OPERABLE status in a reasonable time period.
Required Action A.1 requires that the battery terminal voltage be restored to greater than or equal to the minimum established float voltage (2.17 volts per cell (Vpc) times the number of connected cells or 130.2 V for a 60 cell battery at the battery terminals) within 2 hours. This time provides for returning the inoperable charger to OPERABLE status or providing an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage. Restoring the battery terminal voltage to greater than or equal to the minimum established float voltage provides good assurance that, within 12 hours, the battery will be restored to its fully charged condition (Required Action A.2) from any discharge that might have occurred due to the charger inoperability.

A discharged battery having terminal voltage of at least the minimum established float voltage indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus there is a good assurance of fully recharging the battery within 12 hours, avoiding a premature shutdown with its own attendant risk. If established battery terminal float voltage cannot be restored to greater than or equal to the minimum established float voltage within 2 hours, and the charger is not operating in the current-limiting mode, a faulty charger is indicated.
A faulty charger that is incapable of maintaining established battery terminal float voltage does not provide assurance that it can revert to and operate properly in the current limit mode that is necessary during the recovery period following a battery discharge event that the DC system is designed for. If the charger is operating in the current limit mode after 2 hours that is an indication that the battery is partially discharged and its capacity margins will be reduced. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours (Required Action A.2). Required Action A.2 requires that the battery float current be verified as less than or equal to 2 amps. This indicates that, if the battery had been discharged as the result of the inoperable battery charger, it is now fully capable of supplying the maximum expected load requirement. The 2 amp value is based on returning the battery to 95% charge and assumes a 5% design margin for the battery. If at the expiration of the initial 12 hour period the battery float current is not less than or equal to 2 amps this indicates there may be additional battery problems and the battery must be declared inoperable.
Required Action A.3 limits the restoration time for the inoperable battery charger to 72 hours. This action is applicable if an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage has been used. The backup class 1E charger is used to restore OPERABILITY as no balance of plant non-class 1E battery charger exists. The 72 hour Completion Time reflects a reasonable time to effect restoration of the qualified battery charger to OPERABLE status.

B.1

Condition B represents one subsystem with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. This condition is exclusive of the status of one battery charger.
It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected subsystem. The 2 hour limit is consistent with the allowed time for an inoperable DC distribution subsystem. If one of the required DC electrical power subsystems is inoperable for reasons other than Condition A, the remaining DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure would, however, result in the complete loss of the remaining 125 VDC electrical power subsystem with attendant loss of ESF functions, continued power operation should not exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 8) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.
C.1 and C.2

If the inoperable DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. The Completion Time to bring the unit to MODE 5 is consistent with the time required in Regulatory Guide 1.93 (Ref. 8).

SURVEILLANCE REQUIREMENTS

SR 3.8.4.1

Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the battery chargers, which support the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state while supplying the continuous steady state loads of the associated DC subsystem. On float charge, battery cells will receive adequate current to optimally charge the battery. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the minimum float voltage established by the battery manufacturer (2.17 volts per cell (Vpc) times the number of connected cells or 130.2 V for a 60 cell battery at the battery terminals).
This voltage maintains the battery plates in a condition that supports maintaining the grid life. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.2

Deleted

SR 3.8.4.3

Deleted

SR 3.8.4.4 and SR 3.8.4.5

Deleted

SR 3.8.4.6

This SR verifies the design capacity of the battery chargers. According to Regulatory Guide 1.32 (Ref. 10), the battery charger supply is recommended to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensure that these requirements can be satisfied.

This SR provides two options. One option requires that each battery charger be capable of supplying the required amps at the minimum established float voltage for 8 hours. The ampere requirements are based on the output rating of the chargers. The voltage requirements are based on the charger voltage level after a response to a loss of AC power. The time period is sufficient for the charger temperature to have stabilized and to have been maintained for at least 2 hours.

The other option requires that each battery charger be capable of recharging the battery after a service test coincident with supplying the largest coincident demands of the various continuous steady state loads (irrespective of the status of the plant during which these demands occur). This level of loading may not normally be available following the battery service test and will need to be supplemented with additional loads.
The duration for this test may be longer than the charger sizing criteria since the battery recharge is affected by float voltage, temperature, and the exponential decay in charging current. The battery is recharged when the measured charging current is ≤ 2 amps. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.7

A battery service test is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements as specified in Reference 4.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in SR 3.8.6.9 in lieu of a service test since the modified performance discharge test parameters envelope the service test. The reason for Note 2 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems.

SR 3.8.4.8

Deleted

REFERENCES

1. 10 CFR 50, Appendix A, GDC 17.
2. Regulatory Guide 1.6, March 10, 1971.
3. IEEE-308-1974.
4. UFSAR, Chapter 8.3.2.
5. Deleted
6. UFSAR, Chapter 6.
7. UFSAR, Chapter 15.
8. Regulatory Guide 1.93, December 1974.
9. Deleted
10. Regulatory Guide 1.32, Revision 0, August 11, 1972.
11. Deleted
12. Deleted
13. Calculations 01/02/03-EC-PK-0207
14. SDOC EN050B-A00024, Installation, Operation and Maintenance Manual for Class 1E Batteries and Racks.
15. EPRI TR-100248, Rev 2, Stationary Battery Guide: Design, Application, and Maintenance, December 6, 2006.
B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.5 DC Sources - Shutdown

BASES

BACKGROUND

A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources - Operating."

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 5 and 6, and during movement of irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shut down, the Technical Specification requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required.
The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and minimal in consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The DC sources support the equipment and instrumentation required to mitigate the Loss of Shutdown Cooling and Loss of RCS Inventory accidents analyzed in response to NRC Generic Letter 88-17 "Loss of Decay Heat Removal." The Generic Letter does not require the assumption of a single failure and concurrent loss of all offsite or all onsite power.

The DC sources satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The DC electrical power subsystem as defined in this LCO consists of two batteries, one battery charger per battery and the corresponding control equipment and interconnecting cabling within the subsystem. The DC electrical power subsystem is required to ensure the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).
In Modes 5 and 6 and during movement of irradiated fuel assemblies, one DC electrical power subsystem, consisting of two batteries, one battery charger per battery and the corresponding control equipment and interconnecting cabling within the train, is required to be OPERABLE to support the requirements of LCO 3.8.10 "Distribution Systems - Shutdown". This DC electrical power subsystem also supports the one required OPERABLE Diesel Generator specified in LCO 3.8.2 "AC Sources - Shutdown" on the corresponding train. For situations where redundant trains of supported equipment are required to be OPERABLE by LCO 3.8.10, the necessary DC buses of that additional DC distribution subsystem shall be energized by a minimum of its associated battery charger or backup battery charger. Should the minimum battery charger requirements not be maintained for that additional DC distribution subsystem required by LCO 3.8.10, then LCO 3.8.10 (Condition 'A') would be applicable and not LCO 3.8.5. This is because the requirements of LCO 3.8.5 would still be met (i.e. one OPERABLE DC electrical power subsystem maintained).

APPLICABILITY

The DC electrical power sources required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies provide assurance that:

a. Required features needed to mitigate a fuel handling accident are available;

b. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

c. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

The DC electrical power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.4.

ACTIONS

The Actions are modified by a Note that identifies required Action A.2.3 is not applicable to the movement of irradiated fuel assemblies in Modes 1 through 4.

A.1, A.2.1, A.2.2, A.2.3, and A.2.4

If two 125 VDC subsystems buses are required to be energized per LCO 3.8.10, of the two required subsystems, the remaining buses with DC power available may be capable of supporting sufficient systems to allow continuation of CORE ALTERATIONS and fuel movement. By allowing the option to declare required features inoperable with the associated DC power source(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCO ACTIONS.

For example, assume that the 'A' subsystem 125 VDC sources are required to be OPERABLE per LCO 3.8.5. Also assume that two SDC subsystems are required to be OPERABLE and the corresponding 125VDC subsystem buses energized (i.e. PK system buses 'A' and 'C' for subsystem 'A' and buses 'B' and 'D' for subsystem 'B') per LCO 3.8.10.
Finally, assume that an electrical fault occurs on the PK system channel 'C' bus and the bus has been declared INOPERABLE. The action of LCO 3.8.5 would allow declaring the corresponding SDC suction valve J-SIC-UV-653 INOPERABLE.
However the SDC system itself would not necessarily need to be declared INOPERABLE and this would allow CORE ALTERATIONS to continue. However, in many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions). The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained. Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. If moving irradiated fuel assemblies while in MODES 1, 2, 3, or 4, the fuel movement is independent of reactor operations.
Therefore, inability to immediately suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. These actions minimize probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystem and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystem should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

SURVEILLANCE REQUIREMENTS

SR 3.8.5.1

SR 3.8.5.1 states that Surveillances required by SR 3.8.4.1, 3.8.4.6 and 3.8.4.7 are applicable in these MODES. See the corresponding Bases for LCO 3.8.4 for a discussion of each SR.

This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.
B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.6 Battery Parameters

BASES

BACKGROUND

This LCO delineates the limits on battery float current as well as electrolyte temperature, level, and float voltage, for the DC power subsystem batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown." In addition to the limitations of this Specification, the Battery Monitoring Maintenance Program also implements a program specified in Specification 5.5.19 for monitoring various battery parameters.

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215 +/- 0.010. This specific gravity corresponds to an open circuit battery voltage of approximately 123 V for a 60 cell battery (i.e., cell voltage of 2.07 volts per cell (Vpc) at the upper range of the specific gravity) (Refs. 6 and 7). The open circuit voltage is the voltage maintained when there is no charging or discharging. Optimal long term performance is obtained by maintaining a float voltage of 2.17 to 2.25 Vpc. This provides adequate over-potential which limits the formation of lead sulfate and self discharge. The nominal float voltage of 2.25 Vpc corresponds to a total float voltage output of 135 V for a 60 cell battery as discussed in the UFSAR, Chapter 8 (Ref. 4).

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE.
The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one subsystem of DC sources OPERABLE during accident conditions, in the event of:  a. An assumed loss of all offsite AC power or all onsite AC power; and  b. A worst case single failure.
Battery parameters satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Battery parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Battery parameter limits are conservatively established, allowing continued DC electrical system function even with limits not met. Train A batteries are composed of Channel A and Channel C batteries. Train B batteries are composed of Channel B and Channel D batteries.

APPLICABILITY

The battery parameters are required solely for the support of the associated DC electrical power subsystems.
Therefore, battery parameter limits are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussion in the Bases for LCO 3.8.4 and LCO 3.8.5.

ACTIONS

A.1, A.2, and A.3

With one or more cells in one battery in one subsystem less than or equal to 2.07 V, the battery cell is degraded. Within 2 hours verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage (SR 3.8.4.1) and of the overall battery state of charge by monitoring the battery float charge current (SR 3.8.6.4). This assures that there is still sufficient battery capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of one or more cells in one or more batteries less than or equal to 2.07 V, and continued operation is permitted for a limited period up to 24 hours.

Since the Required Actions only specify "perform," a failure of SR 3.8.4.1 or SR 3.8.6.4 acceptance criteria does not result in this Required Action not met. However, if one of the SRs is failed the appropriate Condition(s), depending on the cause of the failures, is entered. If SR 3.8.6.4 is failed then there is no assurance that there is still sufficient battery capacity to perform the intended function and the battery must be declared inoperable immediately.
B.1 and B.2

One battery in one subsystem with float current > 2 amps indicates that a partial discharge of the battery capacity has occurred. This may be due to a temporary loss of a battery charger or possibly due to one or more battery cells in a low voltage condition reflecting some loss of capacity. Within 2 hours verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage. If the terminal voltage is found to be less than the minimum established float voltage (2.17 volts per cell (Vpc) times the number of connected cells or 130.2 V for a 60 cell battery at the battery terminals) there are two possibilities, the battery charger is inoperable or is operating in the current limit mode. Condition A addresses charger inoperability. If the charger is operating in the current limit mode after 2 hours that is an indication that the battery has been substantially discharged and likely cannot perform its required design functions. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours (Required Action B.2). The battery must therefore be declared inoperable.

If the float voltage is found to be satisfactory but there are one or more battery cells with float voltage less than or equal to 2.07 V, the associated "OR" statement in Condition F is applicable and the battery must be declared inoperable immediately.
If float voltage is satisfactory and there are not cells less than or equal to 2.07 V there is a good assurance that, within 12 hours, the battery will be restored to its fully charged condition (Required Action B.2) from any discharge that might have occurred due to a temporary loss of the battery charger. A discharged battery with float voltage (the charger setpoint) across its terminals indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus there is a good assurance of fully recharging the battery within 12 hours, avoiding a premature shutdown with its own attendant risk.
If the condition is due to one or more cells in a low voltage condition but still greater than 2.07 V and float voltage is found to be satisfactory, this is not an indication of a substantially discharged battery and 12 hours is a reasonable time prior to declaring the battery inoperable.

Since Required Action B.1 only specifies "perform," a failure of SR 3.8.4.1 acceptance criteria does not result in the Required Action not met. However, if SR 3.8.4.1 is failed, the appropriate Condition(s), depending on the cause of the failure, is entered.

C.1, C.2, and C.3

With one battery in one subsystem with one or more cells electrolyte level above the top of the plates, but below the minimum established design limits, the battery still retains sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of electrolyte level not met. Within 31 days the minimum established design limits for electrolyte level must be re-established.

Condition C is modified by a Note specifying that Required Action C.2 shall be completed if electrolyte level was below the top of the plates. With electrolyte level below the top of the plates there is a potential for dryout and plate degradation. Required Actions C.1 and C.2 address this potential (as well as provisions in Specification 5.5.19, Battery Monitoring and Maintenance Program). They are modified by a Note that indicates they are only applicable if electrolyte level is below the top of the plates. Within 8 hours level is required to be restored to above the top of the plates.
The Required Action C.2 requirement to verify that there is no leakage by visual inspection and the Specification 5.5.19.b item to initiate action to equalize and test in accordance with manufacturer's recommendations are taken from IEEE Standard 450 (Ref 3). They are performed following the restoration of the electrolyte level to above the top of the plates. Based on the results of the manufacturer's recommended testing the battery may have to be declared inoperable and the affected cells replaced.
D.1

With one battery in one subsystem with pilot cell temperature less than the minimum established design limits, 12 hours is allowed to restore the temperature to within limits. A low electrolyte temperature limits the current and power available. Since the battery is sized with margin, while battery capacity is degraded, sufficient capacity exists to perform the intended function and the affected battery is not required to be considered inoperable solely as a result of the pilot cell temperature not met.

E.1

With one or more batteries in redundant subsystems with battery parameters not within limits there is not sufficient assurance that battery capacity has not been affected to the degree that the batteries can still perform their required function, given that redundant batteries are involved. With redundant batteries involved this potential could result in a total loss of function on multiple systems that rely upon batteries. The longer Completion Times specified for battery parameters on non-redundant batteries not within limits are therefore not appropriate, and the parameters must be restored to within limits on at least one subsystem within 2 hours.

F.1

With one battery with any battery cell parameters outside the allowances of the Required Actions for Condition A, B, C, D, or E, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding battery must be declared inoperable. Additionally, discovering one or more batteries in one subsystem with one or more battery cells float voltage less than or equal to 2.07 V and float current greater than 2 amps indicates that the battery capacity may not be sufficient to perform the intended functions.
The battery must therefore be declared inoperable immediately.
SURVEILLANCE REQUIREMENTS

SR 3.8.6.1  Deleted

SR 3.8.6.2  Deleted

SR 3.8.6.3  Deleted

SR 3.8.6.4

Verifying battery float current while on float charge is used to determine the state of charge of the battery. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a charged state. The equipment used to monitor float current must have the necessary accuracy and capability to measure electrical currents in the expected range. The minimum required procedural time to measure battery float current will be 30 seconds or as recommended by the float current measurement instrument manufacturer. This minimum float current measurement time is required to provide a more accurate battery float current reading. The float current requirements are based on the float current indicative of a charged battery. Use of float current to determine the state of charge of the battery is consistent with IEEE-450 (Ref. 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the float current requirement is not required to be met when battery terminal voltage is less than the minimum established float voltage of SR 3.8.4.1. When this float voltage is not maintained the Required Actions of LCO 3.8.4 Action A are being taken, which provide the necessary and appropriate verifications of the battery condition. Furthermore, the float current limit of 2 amps is established based on the nominal float voltage value and is not directly applicable when this voltage is not maintained.
SR 3.8.6.5 and SR 3.8.6.8

Optimal long term battery performance is obtained by maintaining a float voltage greater than or equal to the minimum established design limits provided by the battery manufacturer, which corresponds to 130.2 V at the battery terminals, or 2.17 volts per cell (Vpc). This provides adequate over-potential, which limits the formation of lead sulfate and self discharge, which could eventually render the battery inoperable. Float voltages in this range or less, but greater than 2.07 Vpc, are addressed in Specification 5.5.19. SRs 3.8.6.5 and 3.8.6.8 require verification that the cell float voltages are greater than the short term absolute minimum voltage of 2.07 V. Plant procedures must require verification of the selection of the pilot cell or cells when performing SR 3.8.6.5. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.6

The limit specified for electrolyte level ensures that the plates suffer no physical damage and maintains adequate electron transfer capability. The minimum design electrolyte level is the minimum level indication mark on the battery cell jar. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.7

This Surveillance verifies that the pilot cell temperature is greater than or equal to the minimum established design limit (i.e., 60°F). Pilot cell electrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements. Temperatures lower than assumed in battery sizing calculations act to inhibit or reduce battery capacity.
Battery room temperature must be routinely monitored such that a room temperature excursion could reasonably be expected to be detected and corrected prior to the average battery electrolyte temperature dropping below the minimum electrolyte temperature. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.9

A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as-found condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.

Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.6.9; however, only the modified performance discharge test may be used to satisfy the battery service test requirements of SR 3.8.4.7.

A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test. It may consist of just two rates; for instance the one minute rate for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelop the duty cycle of the service test.
Since the ampere-hours removed by a one minute discharge represent a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.
The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 3) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements. Furthermore, the battery is sized to meet the assumed duty cycle loads when the battery design capacity reaches this 80% limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity ≥ 100% of the manufacturer's ratings. Degradation is indicated, according to IEEE-450 (Ref. 3), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is ≥ 10% below the manufacturer's rating. These Frequencies are consistent with the recommendations in IEEE-450 (Ref. 3).

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR.
REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.
3. IEEE-450-2002.
4. UFSAR, Chapter 8.
5. IEEE-485-1983, June 1983.
6. SDOC EN050B-A00024, Installation, Operation and Maintenance Manual for Class 1E Batteries and Racks.
7. EPRI TR-100248, Rev. 2, Stationary Battery Guide: Design, Application, and Maintenance, December 6, 2006.
B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.7 Inverters - Operating

BASES

BACKGROUND

The inverters are the preferred source of power for the AC vital instrument buses because of the stability and reliability they achieve by being powered from the 125 VDC battery source. The function of the inverter is to provide AC electrical power to the AC vital instrument buses. The AC vital instrument bus can be powered from an AC source via a Class 1E constant voltage regulator or from the inverter connected to the station battery. This configuration provides an uninterruptible power source for the instrumentation and controls for the Reactor Protective System (RPS) and the Engineered Safety Feature Actuation System (ESFAS). There are two inverters per Train (A and B) which totals to four inverters per unit. Specific details on inverters and their operating characteristics are found in the UFSAR, Chapter 8 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 2) and Chapter 15 (Ref. 3), assume Engineered Safety Feature systems are OPERABLE. The inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RPS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes maintaining required AC vital instrument buses OPERABLE during accident conditions in the event of:  a. An assumed loss of all offsite AC electrical power or all onsite AC electrical power; and  b. A worst case single failure.
Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The inverters ensure the availability of AC electrical power for the systems' instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The four inverters (two per train) ensure an uninterruptible supply of AC electrical power to the AC vital instrument buses even if the 4.16 kV safety buses are de-energized.

OPERABLE inverters require the associated AC vital instrument bus to be powered by the inverter with output voltage and frequency within tolerances, and power input to the inverters from a 125 VDC station battery.

This LCO is modified by a Note that allows one inverter to be disconnected from its associated battery for ≤ 24 hours, if the AC vital instrument bus is powered from a Class 1E constant voltage regulator during the period and all other inverters are operable. This allows an equalizing charge to be placed on one battery. If the inverter was not disconnected, the resulting voltage condition might damage the inverter. These provisions minimize the loss of equipment that would occur in the event of a loss of offsite power.
The 24 hour time period for the allowance minimizes the time during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital instrument bus while taking into consideration the time required to perform an equalizing charge on the battery bank.

The intent of this Note is to limit the number of inverters that may be disconnected. Only the inverter associated with the single battery undergoing an equalizing charge may be disconnected. All other inverters must be connected to their associated batteries and aligned to their associated AC vital instrument buses.

APPLICABILITY

The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Inverter requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are covered in the Bases for LCO 3.8.8, "Inverters - Shutdown."

ACTIONS

A.1

With a required inverter inoperable, its associated AC vital instrument bus becomes inoperable until it is re-energized from its Class 1E constant voltage source regulator.
Required Action A.1 is modified by a Note, which states to enter the applicable conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating," when Condition A is entered with one AC vital instrument bus de-energized. This ensures the AC vital instrument bus is re-energized within 2 hours via the Class 1E constant voltage regulator.

Required Action A.1 allows 7 days to fix the inoperable inverter and return it to service. The 7 day limit is a risk informed Completion Time based on a plant specific risk analysis, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems such a shutdown might entail. When the AC vital instrument bus is powered from its constant voltage source, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter source to the AC vital instrument buses is the preferred source for powering instrumentation trip setpoint devices.

Planned inverter maintenance or other activities that require entry into Required Action A.1 will not be undertaken concurrent with the following:

a. Planned maintenance on the associated train Diesel Generator (DG); or

b. Planned maintenance on another RPS or ESFAS channel that results in that channel being in a tripped condition.

These actions are taken because it is recognized that with an inverter inoperable and the instrument bus being powered by the regulating transformer, instrument power for that train is dependent on power from the associated DG following a loss of offsite power event.
B.1 and B.2

If the inoperable devices or components cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS

SR 3.8.7.1

This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital instrument buses energized from the inverter. The verification of proper voltage and frequency output ensures that the required power is readily available for the instrumentation of the RPS and ESFAS connected to the AC vital instrument buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 8.
2. UFSAR, Chapter 6.
3. UFSAR, Chapter 15.
B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.8 Inverters - Shutdown

BASES

BACKGROUND

A description of the inverters is provided in the Bases for LCO 3.8.7, "Inverters - Operating."

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the Reactor Protective System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum inverters to each AC vital instrument bus during MODES 5 and 6, and during movement of irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shut down, the Technical Specification requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents.
However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and minimal in consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The inverters support the equipment and instrumentation required to mitigate the Loss of Shutdown Cooling and Loss of RCS Inventory accidents analyzed in response to NRC Generic Letter 88-17 "Loss of Decay Heat Removal." The Generic Letter does not require the assumption of a single failure and concurrent loss of all offsite or all onsite power.

The inverters were previously identified as part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The required inverters ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA.
The battery powered inverters provide uninterruptible supply of AC electrical power to the AC vital instrument buses even if the 4.16 kV safety buses are de-energized. OPERABILITY of the inverters requires that the AC vital instrument bus be powered by the inverter. This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

In Modes 5 & 6 and during movement of irradiated fuel assemblies, one train of inverters, consisting of two channels with one inverter per channel, is required to be OPERABLE to support the requirements of LCO 3.8.10 "Distribution Systems - Shutdown". This train of inverters also supports the one required OPERABLE Diesel Generator specified in LCO 3.8.2 "AC Sources - Shutdown" on that same train. For situations where redundant trains of supported equipment are required to be OPERABLE by LCO 3.8.10, the necessary AC vital instrument bus(es) associated with the additional train of inverters shall be energized by either the bus(es)' associated inverter or AC voltage regulator.
For those situations where an AC vital instrument bus associated with the additional train of inverters is energized by its inverter, the corresponding DC bus must be energized by a minimum of its associated battery charger or backup battery charger per LCO 3.8.5.

APPLICABILITY

The inverters required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;

b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

Inverter requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.7.

ACTIONS

The Actions are modified by a Note that identifies Required Action A.2.3 is not applicable to the movement of irradiated fuel assemblies in Modes 1 through 4.
A.1, A.2.1, A.2.2, A.2.3, and A.2.4

If two trains of AC vital instrument buses are required by LCO 3.8.10, "Distribution Systems - Shutdown," of the two required trains, the remaining bus(es) with AC power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, operations with a potential for draining the reactor vessel, and operations with a potential for positive reactivity additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCOs' Required Actions. In many instances, this option may involve undesired administrative efforts.
Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions). The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained. Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. If moving irradiated fuel assemblies while in MODES 1, 2, 3, or 4, the fuel movement is independent of reactor operations.
Therefore, inability to immediately suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quickly as possible in order to minimize the time the unit safety systems may be without sufficient power.

SURVEILLANCE REQUIREMENTS

SR 3.8.8.1

This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital instrument buses energized from the inverter. The verification of proper voltage and frequency output ensures that the required power is readily available for the instrumentation connected to the AC vital instrument buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.
B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.9 Distribution Systems - Operating

BASES

BACKGROUND

The onsite Class 1E AC, DC, and AC vital instrument bus electrical power distribution systems are divided into two trains. Each train has redundant and independent AC, DC, and AC vital instrument bus electrical power distribution subsystems.

The AC primary electrical power distribution system consists of two 4.16 kV Engineered Safety Feature (ESF) buses.
Each 4.16 kV ESF bus is normally connected to an offsite source. If the offsite source is de-energized or disconnected, the onsite emergency DG supplies power to the 4.16 kV ESF bus. Control power for the 4.16 kV breakers is supplied from the Class 1E batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources - Operating," and the Bases for LCO 3.8.4, "DC Sources - Operating."

The secondary AC electrical power distribution system for each train includes the safety related load centers, motor control centers and distribution panels shown in Table B 3.8.9-1.

The 120 VAC vital instrument buses are arranged in two channels per subsystem and are normally powered from the inverters. There are four channels designated as A, B, C and D for each unit. The alternate power supplies for the vital instrument buses are Class 1E constant voltage source regulators powered from train-related Class 1E motor control centers, and their use is governed by LCO 3.8.7, "Inverters - Operating."

There are two independent 125 VDC electrical power distribution subsystems (Train A and Train B). Each subsystem contains two DC power channels. There are four channels designated as A, B, C, and D for each unit.

The list of all required distribution buses is presented in Table B 3.8.9-1. The six electrical power distribution subsystems consist of those components identified by Table B 3.8.9-1. Load breakers not identified by this table do not impact this LCO but may impact supported system LCOs.
Load breakers that are required to maintain energized those buses identified by Table B 3.8.9.-1 (e.g. PG to PH) do impact this LCO.

APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, DC, and AC vital instrument bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems. The OPERABILITY of the AC, DC, and AC vital instrument bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:
a. An assumed loss of all offsite power or all onsite AC electrical power; and
b. A worst case single failure.
The distribution systems satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The six required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital instrument bus electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. The AC, DC, and AC vital instrument bus electrical power distribution subsystems are required to be OPERABLE.
Maintaining the Train A and Train B AC, DC, and AC vital instrument bus electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.
OPERABLE AC electrical power distribution subsystems require the associated buses, load centers, motor control centers, and distribution panels to be energized to their proper voltages. OPERABLE DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. OPERABLE AC vital instrument bus electrical power distribution subsystems require the associated buses to be energized to their proper voltage from the associated inverter via inverted DC voltage, or Class 1E constant voltage regulator. In addition, tie breakers between redundant safety related AC, DC, and AC vital instrument bus power distribution subsystems, if they exist, must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers are closed, the affected redundant electrical power distribution subsystems are considered inoperable. This applies to the onsite, safety related redundant electrical power distribution subsystems. It does not, however, preclude redundant Class 1E 4.16 kV buses from being powered from the same offsite circuit.

APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:
a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b.
Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA. Electrical power distribution subsystem requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are covered in the Bases for LCO 3.8.10, "Distribution Systems - Shutdown."

ACTIONS
A.1 With one or more required AC buses, load centers, or motor control centers (see Table B 3.8.9-1), except AC vital instrument buses, in one subsystem inoperable, the remaining AC electrical power distribution subsystem in the other train is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported.
Therefore, the required AC buses, load centers and motor control centers must be restored to OPERABLE status within 8 hours. Condition A worst scenario is one train (PBA or PBB) without AC power (i.e., no offsite power to the train and the associated DG inoperable). In this condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operator's attention be focused on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8 hour time limit before requiring a unit shutdown in this condition is acceptable because of:
a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; and
b. The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.
The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the AC distribution system. At this time, a DC circuit could again become inoperable, and AC distribution restored OPERABLE.
This could continue indefinitely. The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."
This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition A was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

B.1 With AC vital instrument bus(es) (Channels A or C, or Channels B or D) (see Table B 3.8.9-1) in one train inoperable, the remaining OPERABLE AC vital bus electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required ESF functions not being supported. Therefore, the required AC vital instrument buses must be restored to OPERABLE status within 2 hours by powering the bus from the associated inverter via inverted DC voltage or the Class 1E constant voltage regulator. Condition B represents one train without adequate AC vital instrument bus power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of OPERABILITY to the remaining vital instrument buses, and restoring power to the affected electrical power distribution subsystem.
This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate AC vital instrument power. Taking exception to LCO 3.0.2 for components without adequate AC vital instrument power, which would have the Required Action Completion Times shorter than 2 hours if declared inoperable, is acceptable because of:
a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous Applicable Conditions and Required Actions for components without adequate AC vital instrument power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.
The 2 hour Completion Time takes into account the importance to safety of restoring the AC vital instrument bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital instrument buses, and the low probability of a DBA occurring during this period. The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours.
This could lead to a total of 10 hours, since initial failure of the LCO, to restore the vital instrument bus distribution system. At this time, an AC train could again become inoperable, and vital instrument bus distribution restored OPERABLE. This could continue indefinitely.
This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."
This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition B was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

C.1 With DC bus(es) in one train (see Table B 3.8.9-1) inoperable, the remaining DC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure.
The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the required DC buses must be restored to OPERABLE status within 2 hours by powering the bus from the associated battery or battery charger. Condition C represents one train without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining DC buses and restoring power to the affected DC electrical power distribution subsystem.
This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components which would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours, is acceptable because of:
a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.
The 2 hour Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 3). The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition C is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the DC distribution system. At this time, an AC train could again become inoperable, and DC distribution restored OPERABLE.
This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."
This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition C was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

D.1 and D.2 If the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 Condition E corresponds to a level of degradation in the electrical distribution system that causes a required safety function to be lost. When more than one Condition is entered, and this results in the loss of a required safety function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

SURVEILLANCE REQUIREMENTS
SR 3.8.9.1 This Surveillance verifies that the AC, DC, and AC vital instrument bus electrical power distribution systems are functioning properly, with the required circuit breakers closed and the buses energized. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus.
The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.
3. Regulatory Guide 1.93, Revision 0, December 1974.

Table B 3.8.9-1 (Units 1, 2, and 3)

TYPE: AC safety buses
  VOLTAGE: 4160 V
    TRAIN A: ESF Bus PBA-S03
    TRAIN B: ESF Bus PBB-S04
  VOLTAGE: 480 V
    TRAIN A: Load Centers PGA-L31, PGA-L33, PGA-L35
    TRAIN B: Load Centers PGB-L32, PGB-L34, PGB-L36
  VOLTAGE: 480 V
    TRAIN A: Motor Control Centers PHA-M31, PHA-M33, PHA-M35, PHA-M37
    TRAIN B: Motor Control Center PHB-M32, PHB-M34, PHB-M36, PHB-M38

TYPE: DC buses
  VOLTAGE: 125 V
    TRAIN A, CHANNEL A: Control Center PKA-M41, Distribution Panel PKA-D21
    TRAIN A, CHANNEL C: Control Center PKC-M43, Distribution Panel PKC-D23
    TRAIN B, CHANNEL B: Control Center PKB-M42, Distribution Panel PKB-D22
    TRAIN B, CHANNEL D: Control Center PKD-M44, Distribution Panel PKD-D24

TYPE: AC vital instrument buses
  VOLTAGE: 120 V
    TRAIN A, CHANNEL A: Distribution Panel PNA-D25
    TRAIN A, CHANNEL C: Distribution Panel PNC-D27
    TRAIN B, CHANNEL B: Distribution Panel PNB-D26
    TRAIN B, CHANNEL D: Distribution Panel PND-D28

NOTE: Each train of the electrical power distribution system is comprised of the independent AC, DC, and AC vital instrument bus subsystems.

PALO VERDE UNITS 1,2,3 B 3.8.10-1 REVISION 0
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.10 Distribution Systems - Shutdown
BASES

BACKGROUND A description of the AC, DC, and AC vital instrument bus electrical power distribution systems is provided in the Bases for LCO 3.8.9, "Distribution Systems - Operating."

APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital instrument bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. The OPERABILITY of the AC, DC, and AC vital instrument bus electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY. The OPERABILITY of the minimum AC, DC, and AC vital instrument bus electrical power distribution subsystems during MODES 5 and 6, and during movement of irradiated fuel assemblies, ensures that:
a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.
The AC and DC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific unit condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of required systems, equipment and components - all specifically addressed in each LCO and implicitly required via the definition of OPERABILITY. Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postulated events during shutdown (e.g.,
fuel handling accidents).

APPLICABILITY The AC, DC, and AC vital instrument bus electrical power distribution subsystems required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies, provide assurance that:
a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and refueling condition.
Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity. The AC, DC, and AC vital instrument bus electrical power distribution subsystem requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.9.

ACTIONS The Actions are modified by a Note that identifies required Action A.2.3 is not applicable to the movement of irradiated fuel assemblies in Modes 1 through 4.

A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 Although redundant required features may require redundant trains of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem train may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected required features LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions).
The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory provided the required SDM is maintained. Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. If moving irradiated fuel assemblies while in MODES 1, 2, 3, or 4, the fuel movement is independent of reactor operations.
Therefore, inability to immediately suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC, DC, and AC vital instrument bus electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.
Notwithstanding performance of the above conservative Required Actions, a required shutdown cooling (SDC) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the SDC ACTIONS would not be entered.
Therefore, Required Action A.2.5 is provided to direct declaring SDC inoperable, which results in taking the appropriate SDC actions. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power.

SURVEILLANCE REQUIREMENTS
SR 3.8.10.1 This Surveillance verifies that the AC, DC, and AC vital instrument bus electrical power distribution system is functioning properly, with all the required buses energized.
The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.

PALO VERDE UNITS 1,2,3 B 3.9.1-1 REVISION 34 CORRECTED PAGE
B 3.9 REFUELING OPERATIONS
B 3.9.1 Boron Concentration
BASES

BACKGROUND The limit on the boron concentrations of the Reactor Coolant System (RCS) and the refueling canal during refueling ensures that the reactor remains subcritical during MODE 6.
Refueling boron concentration is the soluble boron concentration in the coolant in each of these volumes having direct access to the reactor core during refueling. The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Unit procedures ensure the specified boron concentration in order to maintain an overall core reactivity of keff  0.95 during fuel handling, with control element assemblies (CEAs) and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowed by unit procedures. GDC 26 of 10 CFR 50, Appendix A, requires that two independent reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holding the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable of maintaining the reactor subcritical in cold conditions by maintaining the boron concentration. The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling. After the RCS is cooled and depressurized, the vessel head is unbolted and the head is slowly removed. The refueling canal is flooded with borated water from the refueling water tank into the open reactor vessel by gravity feeding or by the use of the Shutdown Cooling (SDC) System pumps.
The pumping action of the SDC System in the RCS and the natural circulation due to thermal driving heads in the reactor vessel and the refueling canal mix the water to obtain a uniform concentration. The SDC System is in operation during refueling (see LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level") to provide forced circulation in the RCS and assist in maintaining the boron concentrations in the RCS and the refueling canal above the COLR limit.

APPLICABLE SAFETY ANALYSES During refueling operations, the reactivity condition of the core is consistent with the initial conditions assumed for the boron dilution accident in the accident analysis and is conservative for MODE 6. The boron concentration limit specified in the COLR is based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance. The required boron concentration and the unit refueling procedures that demonstrate the correct fuel loading plan (including full core mapping) ensure the keff of the core will remain  0.95 during the refueling operation. Hence, at least a 5% k/k margin of safety is established during refueling. During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal and the reactor vessel form a single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes. The limiting boron dilution accident analyzed occurs in MODE 5 (Ref. 2).
A detailed discussion of this event is provided in B 3.1.2, "SHUTDOWN MARGIN - Reactor Trip Breakers Closed." The RCS boron concentration satisfies Criterion 2 of  10 CFR 50.36 (c)(2)(ii).

LCO The LCO requires that a minimum boron concentration be maintained in the RCS and the refueling canal to ensure a uniform boron concentration is maintained for reactivity control in the volumes having direct access to the reactor vessel while in MODE 6. The boron concentration limit specified in the COLR ensures a core keff of  0.95 is maintained during fuel handling operations. Violation of the LCO could lead to an inadvertent criticality during MODE 6.

APPLICABILITY This LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required boron concentration ensures a keff  0.95. Above MODE 6, LCO 3.1.1, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Open," and LCO 3.1.2, "SHUTDOWN MARGIN - Reactor Trip Breakers Closed," ensure that an adequate amount of negative reactivity is available to shut down the reactor and to maintain it subcritical.

ACTIONS
A.1 and A.2 Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron concentration of any coolant volume in the RCS or the refueling canal is less than its limit, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately. Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position.

A.3 In addition to immediately suspending CORE ALTERATIONS or positive reactivity additions, boration to restore the concentration must be initiated immediately.
In determining the required combination of boration flow rate and concentration, there is no unique design basis event that must be satisfied. The only requirement is to restore the boron concentration to its required value as soon as possible at greater than or equal to 26 gpm of a solution containing greater than 4000 ppm boron. In order to raise the boron concentration as soon as possible, the operator should begin boration with the best source available for unit conditions. Once boration is initiated, it must be continued until the boron concentration is restored. The restoration time depends on the amount of boron that must be injected to reach the required concentration.

SURVEILLANCE REQUIREMENTS

SR 3.9.1.1

This SR ensures the coolant boron concentration in the RCS and the refueling canal is within the COLR limits. The boron concentration of the coolant in each volume is determined periodically by chemical analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26.
2. UFSAR, Section 9.1.2.
B 3.9 REFUELING OPERATIONS

B 3.9.2 Nuclear Instrumentation

BASES

BACKGROUND

The Startup Channel Neutron Flux Monitors or Startup Range Monitors (SRMs) are used during core alterations or movement of irradiated fuel assemblies in containment to monitor the core reactivity condition. The installed SRMs are part of the Excore Nuclear Instrumentation System.
These detectors are located external to the reactor vessel and detect neutrons leaking from the core. The use of portable detectors is permitted, provided the LCO requirements are met. The installed SRMs are BF3 detectors operating in the proportional region of the gas filled detector characteristic curve. The detectors monitor the neutron flux in counts per second. The instrument range covers five decades of neutron flux (1E+5 cps) with a 5% instrument accuracy. The detectors also provide continuous visual indication in the control room and an audible indication in the control room and containment. An audible BDAS alarm alerts operators to a possible dilution accident. The excore startup channels are designed in accordance with the criteria presented in Reference 1.

APPLICABLE SAFETY ANALYSES

Two OPERABLE SRMs and the associated BDAS are required to provide a signal to alert the operator to unexpected changes in core reactivity from a boron dilution accident. The safety analysis of the uncontrolled boron dilution accident is described in Reference 2. The analysis of the uncontrolled boron dilution accident shows that normally available reactor subcriticality would be reduced, but there is sufficient time for the operator to take corrective actions. The SRMs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO requires two SRMs OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity.
The SRMs include detectors, preamps, amplifiers, power supplies, indicators, recorders, speakers, alarms, switches and other components necessary to complete the SRM functions. Specifically, each SRM must provide continuous visual indication in the Control Room and each SRM must have the capability to provide audible indication in both the Control Room and Containment via use of the Control Room switch.

APPLICABILITY

In MODE 6, the SRMs must be OPERABLE to determine changes in core reactivity. There is no other direct means available to check core reactivity levels. The requirements for the associated Boron Dilution Alarm System (BDAS) operability in MODE 6 are contained in LCO 3.3.12, "Boron Dilution Alarm System." LCO 3.3.12 also covers SRM and BDAS operability requirements for MODES 3, 4 and 5.

ACTIONS

A.1 and A.2

With only one SRM OPERABLE, redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and positive reactivity additions must be suspended immediately.
Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position. With one required SRM channel inoperable due to loss of its neutron flux indication function, the associated BDAS is also inoperable. If the SRM is inoperable strictly due to a loss of its audible indication function, and the SRM is able to provide neutron flux indication signal to the associated BDAS, the BDAS channel can be considered OPERABLE. With one required BDAS channel inoperable, Action A.1 of LCO 3.3.12 requires the RCS boron concentration to be determined immediately and at the applicable monitoring frequency specified in the COLR Section 3.3.12 in order to satisfy the requirements of the inadvertent deboration safety analysis.
The monitoring frequency specified in the COLR ensures that a decrease in the boron concentration during a boron dilution event will be detected with sufficient time for termination of the event before the reactor achieves criticality. The boron concentration measurement and the OPERABLE BDAS channel provide alternate methods of detection of boron dilution.

B.1

With no SRM OPERABLE, action to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until an SRM is restored to OPERABLE status. With no SRM OPERABLE, there is no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and positive reactivity additions are not to be made, the core reactivity condition is stabilized until the SRMs are OPERABLE. This stabilized condition is verified by performing Action B.1 of LCO 3.3.12 which requires RCS boron concentration to be determined by redundant methods immediately and at the monitoring frequency specified in the COLR Section 3.3.12. This action satisfies the requirements of the inadvertent deboration safety analysis.
RCS boron concentration sampling by redundant methods ensures a boron dilution will be detected with sufficient time to terminate the event before the reactor achieves criticality.

SURVEILLANCE REQUIREMENTS

SR 3.9.2.1

SR 3.9.2.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.9.2.2

SR 3.9.2.2 is the performance of a CHANNEL CALIBRATION. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The detectors are of simple construction, and any failures in the detectors will be apparent as change in channel output. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational. This SR is an extension of SR 3.3.12 for the Boron Dilution Alarm System CHANNEL CALIBRATION listed here because of its Applicability in these MODES. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CALIBRATION is normally performed during a plant outage, but can be performed with the reactor at power if detector curve determination is not performed. Detector curve determination can only be performed under conditions that apply during a plant outage since the flux level needs to be at shutdown levels for detector energization.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 13, GDC 26, GDC 28, and GDC 29.
2. UFSAR, Section 15.4.6.
B 3.9 REFUELING OPERATIONS

B 3.9.3 Containment Penetrations

BASES

BACKGROUND

During CORE ALTERATIONS or movement of fuel assemblies within containment with irradiated fuel in containment, a release of fission product radioactivity within the containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES 1, 2, 3, and 4, this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containment from the outside atmosphere can be less stringent. The LCO requirements are referred to as "containment closure" rather than "containment OPERABILITY."
Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the Appendix J leakage criteria and tests are not required. The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained well within the requirements of 10 CFR 100.
Additionally, the containment structure provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions. The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containment.
During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, the equipment hatch must be capable of being closed and held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced. The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1, 2, 3, and 4 operation in accordance with LCO 3.6.2, "Containment Air Locks." Each air lock has doors at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of shutdown when containment closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, containment closure is required; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain capable of being closed. The requirements on containment penetration closure ensure that a release of fission product radioactivity within containment will be restricted to within regulatory limits. The Containment Purge and Exhaust System includes two subsystems. The refueling purge subsystem includes a 42 inch supply penetration and a 42 inch exhaust penetration. The second subsystem, power access purge subsystem, includes an 8 inch supply penetration and an 8 inch exhaust penetration.
During MODES 1, 2, 3, and 4, the two valves in each of the refueling purge supply and exhaust penetrations are secured in the closed position.
The two valves in each of the two power access purge penetrations can be opened intermittently, but are closed automatically by the Engineered Safety Features Actuation System (ESFAS). Neither of the subsystems is subject to a Specification in MODE 5. In MODE 6, large air exchanges are necessary to conduct refueling operations. The refueling purge system is used for this purpose and the valves are closed by the ESFAS in accordance with LCO 3.3.8, "Containment Purge Isolation Actuation Signal (CPIAS)."  The Power Access Purge System remains operational in MODE 6 and the valves are also closed by the ESFAS. The other containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side. Isolation may be achieved by an OPERABLE automatic isolation valve, or by a manual isolation valve, blind flange, or equivalent.
Equivalent isolation methods must be approved and may include use of devices designed to allow eddy current testing and sludge lancing of the steam generators. Devices which present a substantial restriction to the release of containment atmosphere may be considered equivalent.

APPLICABLE SAFETY ANALYSES

During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, the most severe radiological consequences result from a fuel handling accident. The fuel handling accident is a postulated event that involves damage to irradiated fuel (Ref. 2). Fuel handling accidents, analyzed in Reference 2, include dropping a single irradiated fuel assembly and handling tool or a heavy object onto other irradiated fuel assemblies. The requirements of LCO 3.9.6, "Refueling Water Level-Fuel Assemblies," LCO 3.9.7, "Refueling Water Level-CEAs," and the minimum decay time of 100 hours prior to CORE ALTERATIONS ensure that the release of fission product radioactivity, subsequent to a fuel handling accident, results in doses that are well within the guideline values specified in 10 CFR 100. The acceptance limits for offsite radiation exposure are contained in Standard Review Plan Section 15.7.4, Rev. 1 (Ref. 3), which defines "well within" 10 CFR 100 to be 25% or less of the 10 CFR 100 values. Containment penetrations satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO limits the consequences of a fuel handling accident in containment by limiting the potential escape paths for fission product radioactivity released within containment.
The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge supply exhaust penetrations, containment personnel airlocks, and equipment hatch. For the OPERABLE containment purge supply and exhaust penetrations, this LCO ensures that these penetrations are isolable by a valve in the Containment Purge Isolation System. The OPERABILITY requirements for this LCO ensure that the automatic purge valve closure times specified in the UFSAR can be achieved and therefore meet the assumptions used in the safety analysis to ensure releases through the valves are terminated, such that the radiological doses are within the acceptance limit. The equipment hatch is required to be kept free of obstructions that could impede its closure so it is capable of being closed with a minimum of four bolts should a fuel handling accident occur inside containment. The containment personnel airlock doors may be open during movement of irradiated fuel in the containment and during CORE ALTERATIONS provided that one door is capable of being closed in the event of a fuel handling accident. Should a fuel handling accident occur inside containment, one personnel airlock door will be closed following an evacuation of containment. The LCO is modified by a Note allowing penetration flow paths with direct access from the containment atmosphere to the outside atmosphere to be unisolated under administrative controls.
Administrative controls ensure that 1) appropriate personnel are aware of the open status of the penetration flow path during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, and 2) specified individuals are designated and readily available to isolate the flow path in the event of a fuel handling accident.

APPLICABILITY

The containment penetration requirements are applicable during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment because this is when there is a potential for a fuel handling accident. In MODES 1, 2, 3, and 4, containment penetration requirements are addressed by LCO 3.6.1, "Containment." In MODES 5 and 6, when CORE ALTERATIONS or movement of irradiated fuel assemblies within containment are not being conducted, the potential for a fuel handling accident does not exist. Therefore, under these conditions no requirements are placed on containment penetration status.

ACTIONS

A.1 and A.2

With the containment equipment hatch, air locks, or any containment penetration that provides direct access from the containment atmosphere to the outside atmosphere not in the required status, including the Containment Purge Isolation System not capable of automatic actuation when the purge valves are open, the unit must be placed in a condition in which the isolation function is not needed. This is accomplished by immediately suspending CORE ALTERATIONS and movement of irradiated fuel assemblies within containment.
Performance of these actions shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE REQUIREMENTS

SR 3.9.3.1

This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position. The Surveillance on the open purge and exhaust valves will demonstrate that the valves are not blocked from closing. Also, the Surveillance will demonstrate that each valve operator has motive power, which will ensure each valve is capable of being closed by an OPERABLE automatic containment purge isolation signal.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.3.2

This Surveillance demonstrates that each containment purge valve actuates to its isolation position on manual initiation or on an actual or simulated high radiation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. These surveillances performed during MODE 6 will ensure that the valves are capable of closing after a postulated fuel handling accident to limit a release of fission product radioactivity from the containment.
SR 3.9.3.3

This Surveillance demonstrates that the necessary hardware, tools, equipment and personnel are available to close the equipment hatch and that the equipment hatch is clear of obstructions that would impede its closure. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. GPU Nuclear Safety Evaluation SE-0002000-001, Rev. 0, May 20, 1988.
2. UFSAR, Section 15.7.4.
3. NUREG-0800, Section 15.7.4, Rev. 1, July 1981.
B 3.9 REFUELING OPERATIONS

B 3.9.4 Shutdown Cooling (SDC) and Coolant Circulation - High Water Level

BASES

BACKGROUND

The purposes of the SDC System in MODE 6 are to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, to provide sufficient coolant circulation to minimize the effects of a boron dilution accident, and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the SDC heat exchanger(s), where the heat is transferred to the Essential Cooling Water System via the SDC heat exchanger(s). The coolant is then returned to the RCS via the RCS cold leg(s).
Operation of the SDC System for normal cooldown or decay heat removal is manually accomplished from the control room.
The heat removal rate is adjusted by controlling the flow of reactor coolant through the SDC heat exchanger(s) and bypassing the heat exchanger(s). Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the SDC System.

APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to a resulting loss of coolant in the reactor vessel.
Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the SDC System is required to be operational in MODE 6, with the water level  23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit de-energizing of the SDC pump for short durations under the condition that the boron concentration is not diluted. This conditional de-energizing of the SDC pump does not result in a challenge to the fission product barrier. SDC and Coolant Circulation - High Water Level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).
LCO

Only one SDC loop is required for decay heat removal in MODE 6, with water level  23 ft above the top of the reactor vessel flange. Only one SDC loop is required because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one SDC loop must be in operation to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of a criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE SDC train is composed of an OPERABLE SDC pump (LPSI or CS) capable of providing flow to the SDC heat exchanger for heat removal. SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required. The LCO is modified by a Note that allows the required operating SDC loop to be removed from service for up to 1 hour in each 8 hour period, provided no operations are permitted that would cause a reduction of the RCS boron concentration. Boron concentration reduction is prohibited because uniform concentration distribution cannot be ensured without forced circulation. This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles, surveillance testing of ECCS pumps, and RCS to SDC isolation valve testing. During this 1 hour period, decay heat is removed by natural convection to the large mass of water in the refueling cavity.

APPLICABILITY

One SDC loop must be in operation in MODE 6, with the water level  23 ft above the top of the reactor vessel flange, to provide decay heat removal.
The 23 ft level was selected because it corresponds to the 23 ft requirement established for fuel movement in LCO 3.9.6, "Refueling Water Level - Fuel Assemblies."
Requirements for the SDC System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS), and Section 3.5, Emergency Core Cooling Systems (ECCS). SDC loop requirements in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, are located in LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level."

ACTIONS

SDC loop requirements are met by having one SDC loop OPERABLE and in operation, except as permitted in the Note to the LCO.

A.1

If SDC loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur through the addition of water with a lower boron concentration than that contained in the RCS. Therefore, actions that reduce boron concentration shall be suspended immediately.

A.2

If SDC loop requirements are not met, actions shall be taken immediately to suspend loading irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 23 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase the decay heat load, such as loading an irradiated fuel assembly, is a prudent action under this condition.

A.3

If SDC loop requirements are not met, actions shall be initiated and continued in order to satisfy SDC loop requirements.
A.4

If SDC loop requirements are not met, all containment penetrations to the outside atmosphere must be closed to prevent fission products, if released by a loss of decay heat event, from escaping the containment building. The 4 hour Completion Time allows fixing most SDC problems without incurring the additional action of violating the containment atmosphere.

SURVEILLANCE REQUIREMENTS

SR 3.9.4.1

This Surveillance demonstrates that the SDC loop is in operation and circulating reactor coolant at a flowrate of greater than or equal to 3780 gpm. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 5.4.7.
B 3.9 REFUELING OPERATIONS

B 3.9.5 Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level

BASES

BACKGROUND

The purposes of the SDC System in MODE 6 are to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, to provide sufficient coolant circulation to minimize the effects of a boron dilution accident, and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the SDC heat exchanger(s), where the heat is transferred to the Essential Cooling Water System via the SDC heat exchanger(s). The coolant is then returned to the RCS via the RCS cold leg(s).
Operation of the SDC System for normal cooldown or decay heat removal is manually accomplished from the control room.
The heat removal rate is adjusted by controlling the flow of reactor coolant through the SDC heat exchanger(s) and bypassing the heat exchanger(s). Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the SDC System.

APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to the resulting loss of coolant in the reactor vessel.
Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two trains of the SDC System are required to be OPERABLE, and one train is required to be in operation in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, to prevent this challenge. SDC and Coolant Circulation - Low Water Level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
In MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, both SDC loops must be OPERABLE.
Additionally, one loop of the SDC System must be in operation in order to provide:  a. Removal of decay heat;  b. Mixing of borated coolant to minimize the possibility of a criticality; and  c. Indication of reactor coolant temperature. An OPERABLE SDC train is composed of an OPERABLE SDC pump (LPSI or CS) capable of providing flow to the SDC heat exchanger for heat removal. SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required. Note that the CS pumps shall not be used for normal operations if the water level is at or below the top of the hot-leg pipe (103' - 1") due to concerns of potential air entrainment and gas binding of the CS pump (Ref. 2). Both SDC pumps may be aligned to the Refueling Water Tank (RWT) to support filling the refueling cavity or for performance of required testing. The LCO is modified by a Note that allows a required operating SDC loop to be removed from service for up to 1 hour in each 8 hour period, provided no operations are permitted that would cause a reduction of the RCS boron concentration. Boron concentration reduction is prohibited because uniform concentration distribution cannot be ensured without forced circulation. This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles, surveillance testing of ECCS pumps, and RCS to SDC isolation valve testing. During this 1 hour period, decay heat is removed by natural convection to the large mass of water in the refueling cavity. This LCO is modified by a Note that allows one SDC loop to be inoperable for a period of 2 hours provided the other loop is OPERABLE and in operation. Prior to declaring the loop inoperable, consideration should be given to the existing plant configuration. 
This consideration should include that the core time to boil is not short, there is no draining operation to further reduce RCS water level and that the capacity exists to inject borated water into the reactor vessel. This permits surveillance tests to be performed on the non-operating loop during a time when these tests are safe and possible.

APPLICABILITY
Two SDC loops are required to be OPERABLE, and one SDC loop must be in operation in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the SDC System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System. MODE 6 requirements, with a water level ≥ 23 ft above the reactor vessel flange, are covered in LCO 3.9.4, "Shutdown Cooling and Coolant Circulation - High Water Level."

ACTIONS
A.1 and A.2
If one SDC loop is inoperable, action shall be immediately initiated and continued until the SDC loop is restored to OPERABLE status and to operation, or until ≥ 23 ft of water level is established above the reactor vessel flange. When the water level is established at ≥ 23 ft above the reactor vessel flange, the Applicability will change to that of LCO 3.9.4, "Shutdown Cooling and Coolant Circulation - High Water Level," and only one SDC loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.
B.1
If no SDC loop is in operation or no SDC loops are OPERABLE, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur by the addition of water with lower boron concentration than that contained in the RCS.
Therefore, actions that reduce boron concentration shall be suspended immediately.
B.2
If no SDC loop is in operation or no SDC loops are OPERABLE, action shall be initiated immediately and continued without interruption to restore one SDC loop to OPERABLE status and operation. Since the unit is in Conditions A and B concurrently, the restoration of two OPERABLE SDC loops and one operating SDC loop should be accomplished expeditiously.
B.3
If no SDC loop is in operation or no SDC loops are OPERABLE, all containment penetrations providing direct access from the containment atmosphere to the outside atmosphere must be closed within 4 hours. With the SDC loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmosphere.
Closing containment penetrations that are open to the outside atmosphere ensures that dose limits are not exceeded. The Completion Time of 4 hours is reasonable, based on the low probability of the coolant boiling in that time.

SURVEILLANCE REQUIREMENTS
SR 3.9.5.1
This Surveillance demonstrates that one SDC loop is operating and circulating reactor coolant at a flowrate of greater than or equal to 3780 gpm. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. In addition, this Surveillance demonstrates that the other SDC loop is OPERABLE. In addition, during operation of the SDC loop with the water level in the vicinity of the reactor vessel nozzles, the SDC loop flow rate determination must also consider the SDC pump suction requirements. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.9.5.2
Verification that the required pump that is not in operation is OPERABLE ensures that an additional SDC pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pump. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. UFSAR, Section 5.4.7.
2. PVNGS Calculation 13-MC-SI-0250, Appendix C.

B 3.9 REFUELING OPERATIONS
B 3.9.6 Refueling Water Level-Fuel Assemblies
BASES
BACKGROUND
The movement of fuel assemblies within containment requires a minimum water level of 23 ft above the top of the reactor vessel flange when either the fuel assemblies being moved or the fuel assemblies seated within the reactor vessel are irradiated. During refueling this maintains sufficient water level in the refueling canal, the fuel transfer canal, the refueling cavity, and the spent fuel pool. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to < 33% of 10 CFR 100 limits, which meets the intent of the guidance of Reference 3.

APPLICABLE SAFETY ANALYSES
During movement of fuel assemblies, the water level in the refueling canal and refueling cavity is an initial condition design parameter in the analysis of the fuel handling accident in containment postulated by Regulatory Guide 1.25 (Ref. 1). A minimum water level of 23 ft (Regulatory Position C.1.c of Ref. 1) allows a decontamination factor of 100 (Regulatory Position C.1.g of Ref. 1) to be used in the accident analysis for iodine.
This relates to the assumption that 99% of the total iodine released from the pellet to cladding gap of all the dropped fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain 10% of the total fuel rod iodine inventory (Ref. 1). The fuel handling accident analysis inside containment is described in Reference 2. With a minimum water level of 23 ft and a minimum decay time of 100 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Ref. 4). Refueling water level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
A minimum refueling water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits as provided by the guidance of Reference 3.

APPLICABILITY
LCO 3.9.6 is applicable when moving fuel assemblies within containment when either the fuel assemblies being moved or the fuel assemblies seated in the reactor vessel are irradiated. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.14, "Fuel Storage Pool Water Level."

ACTIONS
A.1
With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving movement of fuel assemblies shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of fuel movement shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE REQUIREMENTS
SR 3.9.6.1
Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met.
Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2).
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. Regulatory Guide 1.25, March 23, 1972.
2. UFSAR, Section 15.7.4.
3. NUREG-0800, Section 15.7.4.
4. 10 CFR 100.10.

B 3.9 REFUELING OPERATIONS
B 3.9.7 Refueling Water Level - CEAs
BASES
BACKGROUND
The movement of CEAs within the reactor vessel, when irradiated fuel assemblies are seated in the reactor vessel, requires a minimum water level of 23 ft above the top of the irradiated fuel. During refueling this maintains sufficient water level in the refueling canal, the fuel transfer canal, the refueling cavity, and the spent fuel pool. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to < 33% of 10 CFR 100 limits, which meets the intent of the guidance of Reference 3.

APPLICABLE SAFETY ANALYSES
During movement of CEAs, the water level in the refueling canal and refueling cavity is an initial condition design parameter in the analysis of the fuel handling accident in containment postulated by Regulatory Guide 1.25 (Ref. 1). A minimum water level of 23 ft (Regulatory Position C.1.c of Ref. 1) allows a decontamination factor of 100 (Regulatory Position C.1.g of Ref. 1) to be used in the accident analysis for iodine. This relates to the assumption that 99% of the total iodine released from the pellet to cladding gap of all the dropped fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain 10% of the total fuel rod iodine inventory (Ref. 1). The fuel handling accident analysis inside containment is described in Reference 2. With a minimum water level of 23 ft and a minimum decay time of 100 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Ref. 4). Refueling water level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
A minimum refueling water level of 23 ft above irradiated assemblies seated within the reactor vessel is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits as provided by the guidance of Reference 3.

APPLICABILITY
LCO 3.9.7 is applicable during movement of CEAs within the reactor vessel when irradiated fuel assemblies are seated within the reactor vessel. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.14, "Fuel Storage Pool Water Level."

ACTIONS
A.1
With a water level of < 23 ft above the top of irradiated fuel assemblies seated within the reactor vessel, all operations involving movement of CEAs within the reactor vessel shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of movement of CEAs shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE REQUIREMENTS
SR 3.9.7.1
Verification of a minimum water level of 23 ft above the top of irradiated fuel assemblies seated within the reactor vessel ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level above the top of the irradiated fuel limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. Regulatory Guide 1.25, March 23, 1972.
2. UFSAR, Section 15.7.4.
3. NUREG-0800, Section 15.7.4.
4. 10 CFR 100.10.
}}

Revision as of 03:10, 15 June 2018

Palo Verde, Units 1, 2, and 3 - Technical Specification (TS) Bases Revision 61
ML15027A122
Person / Time
Site: Palo Verde
Issue date: 12/19/2014
From: Stephenson C J
Arizona Public Service Co
To:
Office of Nuclear Reactor Regulation
Shared Package
ML15027A129 List:
References
102-06979-TNW/CJS
Download: ML15027A122 (843)


Text

[[:#Wiki_filter:PVNGS Palo Verde Nuclear Generating Station Units 1, 2, and 3 Technical Specification Bases Revision 61 December 19, 2014

B 2.0 SAFETY LIMITS (SLs)
B 2.1.1 Reactor Core SLs
BASES
BACKGROUND
GDC 10 (Ref. 1) requires and SLs ensure that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and Anticipated Operational Occurrences (AOOs). This is accomplished by having a Departure from Nucleate Boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (95/95 DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature. The restrictions of this SL prevent overheating of the fuel and cladding and possible cladding perforation that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state, peak Linear Heat Rate (LHR) below the level at which fuel centerline melting occurs. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.
Fuel centerline melting occurs when the local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant. Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in the heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.
The Reactor Protective System (RPS), in combination with the LCOs, is designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, and THERMAL POWER level that would result in a violation of the reactor core SLs.

APPLICABLE SAFETY ANALYSES
The fuel cladding must not sustain damage as a result of normal operation and AOOs. The reactor core SLs are established to preclude violation of the following fuel design criteria:
a. There must be at least a 95% probability at a 95% confidence level (95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; and
b. The hot fuel pellet in the core must not experience centerline fuel melting.
The RPS setpoints, LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation," in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for RCS temperature, pressure, flow rate and THERMAL POWER level that would result in a Departure from Nucleate Boiling Ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.

Automatic enforcement of these reactor core SLs is provided by the following functions:

a. Pressurizer Pressure - High trip;
b. Pressurizer Pressure - Low trip;
c. Variable Overpower - High trip;
d. Steam Generator Pressure - Low trip;
e. Local Power Density - High trip;
f. DNBR - Low trip;
g. Steam Generator Level - Low trip;
h. Log Power Level - High trip;
i. Reactor Coolant Flow - Low trip; and
j. Steam Generator Safety Valves.

The limitation that the average enthalpy in the hot leg be less than or equal to the enthalpy of saturated liquid also ensures that the ΔT measured by instrumentation used in the protection system design as a measure of the core power is proportional to core power.

The SL represents a design requirement for establishing the protection system trip setpoints identified previously. LCO 3.2.1, "Linear Heat Rate (LHR)," and LCO 3.2.4, "Departure From Nucleate Boiling Ratio (DNBR)," or the assumed initial conditions of the safety analyses (as indicated in the UFSAR, Ref. 2) provide more restrictive limits to ensure that the SLs are not exceeded.
SAFETY LIMITS

SL 2.1.1.1 and SL 2.1.1.2 ensure that the minimum DNBR is not less than the safety analyses limit and that fuel centerline temperature remains below melting.

The minimum value of the DNBR during normal operation and design basis AOOs is limited to 1.34, based on a statistical combination of CE-1 CHF correlation and engineering factor uncertainties, and is established as an SL. Additional factors such as rod bow and spacer grid size and placement will determine the limiting safety system settings required to ensure that the SL is maintained.

Maintaining the dynamically adjusted peak LHR to k fuel centerline temperature < 5080°F (decreasing by 58°F per 10,000 MWD/MTU for burnup and adjusting for burnable poisons per CENPD-382-P-A), ensures that fuel centerline melt will not occur during normal operating conditions or design AOOs. The design melting point of new fuel with no burnable poison is 5080°F. The melting point is adjusted downward from this temperature depending on the amount of burnup and amount and type of burnable poison in the fuel. The 58°F per 10,000 MWD/MTU adjustment for burnup was accepted by the NRC in Topical Report CEN-386-P-A, "Verification of the Acceptability of a 1-Pin Burnup Limit of 60 MWD/kgU for Combustion Engineering 16x16 PWR Fuel," August 1992. Adjustments for burnable poisons are established based on NRC approved Topical Report CENPD-382-P-A, "Methodology for Core Designs Containing Erbium Burnable Absorbers," August 1993.
A steady state peak linear heat rate of 21 kW/ft has been established as the Limiting Safety System Setting to prevent fuel centerline melting during normal steady state operation. Following design basis anticipated operational occurrences, the transient linear heat rate may exceed 21 kW/ft provided the fuel centerline melt temperature is not exceeded. However, if the transient linear heat rate does not exceed 21 kW/ft, then the fuel centerline melt temperature is also not exceeded.

APPLICABILITY

SL 2.1.1.1 and SL 2.1.1.2 only apply in MODES 1 and 2 because these are the only MODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES 1 and 2 to ensure operation within the reactor core SLs. The steam generator safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function, which forces the unit into MODE 3. Setpoints for the reactor trip functions are specified in LCO 3.3.1.

In MODES 3, 4, 5, and 6, Applicability is not required, since the reactor is not generating significant THERMAL POWER.

SAFETY LIMIT VIOLATIONS

The following violation responses are applicable to the reactor core SLs.

2.2.1

If SL 2.1.1.1 or SL 2.1.1.2 is violated, the requirement to go to MODE 3 places the unit in a MODE in which this SL is not applicable. The allowed Completion Time of 1 hour recognizes the importance of bringing the unit to a MODE where this SL is not applicable and reduces the probability of fuel damage.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10, 1988.
2. UFSAR, Sections 6 and 15.
B 2.0 SAFETY LIMITS (SLs)
B 2.1.2 Reactor Coolant System (RCS) Pressure SL

BASES

BACKGROUND

The SL on RCS pressure protects the integrity of the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. By establishing an upper limit on RCS pressure, continued RCS integrity is ensured.

According to 10 CFR 50, Appendix A, GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref. 1), the Reactor Coolant Pressure Boundary (RCPB) design conditions are not to be exceeded during normal operation and Anticipated Operational Occurrences (AOOs). Also, according to GDC 28 (Ref. 1), "Reactivity Limits," reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.

The design pressure of the RCS is 2500 psia. During normal operation and AOOs, the RCS pressure is kept from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, according to the ASME Code requirements prior to initial operation, when there is no fuel in the core. Following inception of unit operation, RCS components shall be pressure tested, in accordance with the requirements of ASME Code, Section XI (Ref. 3).

Overpressurization of the RCS could result in a breach of the RCPB. If this occurs in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere, raising concerns relative to limits on radioactive releases specified in 10 CFR 100, "Reactor Site Criteria" (Ref. 4).

APPLICABLE SAFETY ANALYSES

The RCS pressurizer safety valves, the Main Steam Safety Valves (MSSVs), and the Reactor Pressure - High trip have settings established to ensure that the RCS pressure SL will not be exceeded.

The RCS pressurizer safety valves are sized to prevent system pressure from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code for Nuclear Power Plant Components (Ref. 2). The transient that establishes the required relief capacity, and hence the valve size requirements and lift settings, is a complete loss of external load without a direct reactor trip. During the transient, no control actions are assumed except that the safety valves on the secondary plant are assumed to open when the steam pressure reaches the secondary plant safety valve settings.

The Reactor Protective System (RPS) trip setpoints (LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation"), together with the settings of the MSSVs (LCO 3.7.1, "Main Steam Safety Valves (MSSVs)") and the pressurizer safety valves, provide pressure protection for normal operation and AOOs. In particular, the Pressurizer Pressure - High Trip setpoint is specifically set to provide protection against overpressurization (Ref. 5). Safety analyses for both the Pressure - High Trip and the RCS pressurizer safety valves are performed, using conservative assumptions relative to pressure control devices.

More specifically, no credit is taken for operation of the following:

a. Steam Bypass Control System;
b. Pressurizer Level Control System;
c. Pressurizer Pressure Control System; or
d. Main Feedwater System.

SAFETY LIMITS

The maximum transient pressure allowable in the RCS under the ASME Code, Section III, is 110% of design pressure. Therefore, the SL on maximum allowable RCS pressure is established at 2750 psia.

APPLICABILITY

SL 2.1.2 applies in MODES 1, 2, 3, 4, and 5 because this SL could be approached or exceeded in these MODES due to overpressurization events. The SL is not applicable in MODE 6 because the reactor vessel head closure bolts are not fully tightened, making it unlikely that the RCS can be pressurized.

SAFETY LIMIT VIOLATIONS

The following SL violation responses are applicable to the RCS pressure SLs.

2.2.2.1

If the RCS pressure SL is violated when the reactor is in MODE 1 or 2, the requirement is to restore compliance and be in MODE 3 within 1 hour.

With RCS pressure greater than the value specified in SL 2.1.2 in MODE 1 or 2, the pressure must be reduced to below this value. A pressure greater than the value specified in SL 2.1.2 exceeds 110% of the RCS design pressure and may challenge system integrity.

The allowed Completion Time of 1 hour provides the operator time to complete the necessary actions to reduce RCS pressure by terminating the cause of the pressure increase, removing mass or energy from the RCS, or a combination of these actions, and to establish MODE 3 conditions.

2.2.2.2

If the RCS pressure SL is exceeded in MODE 3, 4, or 5, RCS pressure must be restored to within the SL value within 5 minutes.
Exceeding the RCS pressure SL in MODE 3, 4, or 5 is potentially more severe than exceeding this SL in MODE 1 or 2, since the reactor vessel temperature may be lower and the vessel material, consequently, less ductile. As such, pressure must be reduced to less than the SL within 5 minutes. This action does not require reducing MODES, since this would require reducing temperature, which would compound the problem by adding thermal gradient stresses to the existing pressure stress.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 14, GDC 15, and GDC 28.
2. ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000.
3. ASME, Boiler and Pressure Vessel Code, Section XI, Article IWX-5000.
4. 10 CFR 100.
5. UFSAR, Section 7.

B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY

BASES

LCOs

LCO 3.0.1 through LCO 3.0.8 establish the general requirements applicable to all Specifications and apply at all times unless otherwise stated.

LCO 3.0.1

LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).
LCO 3.0.2

LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:

a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and
b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.
Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications. The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits." The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems. Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Alternatives that would not result in redundant equipment being inoperable should be used instead. Doing so limits the time both subsystems/trains of a safety function are inoperable and limits the time other conditions exist which result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed. When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable and the ACTIONS Condition(s) are entered. 
LCO 3.0.3

LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:

a. An associated Required Action and Completion Time is not met and no other Condition applies; or
b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.

This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.

Upon entering LCO 3.0.3, 1 hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE.
This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.

A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:

a. The LCO is now met.
b. A Condition exists for which the Required Actions have now been performed.
c. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

The time limits of Specification 3.0.3 allow 37 hours for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is reached in 2 hours, then the time allowed for reaching MODE 5 is the next 35 hours, because the total time for reaching MODE 5 is not reduced from the allowable limit of 37 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.

In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications.
The requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.14, "Fuel Storage Pool Water Level." LCO 3.7.14 has an Applicability of "During movement of irradiated fuel assemblies in the fuel storage pool." Therefore, this LCO can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.14 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO 3.7.14 of "Suspend movement of irradiated fuel assemblies in fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications.

LCO 3.0.4

LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met.
It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met in accordance with LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c.

LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time. Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions of the Required Actions.

LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.

The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities be assessed and managed.
The risk assessment, for the purposes of LCO 3.0.4.b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.182 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.

LCO 3.0.4.b may be used with single or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components.
The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. The LCO 3.0.4.b risk assessments do not have to be documented. The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and since in general the risk impact in that particular MODE bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, the use of the LCO 3.0.4.b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more important to risk and use of the LCO 3.0.4.b allowance is prohibited. The LCOs governing these systems and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable. LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., RCS Specific Activity), and may be applied to other Specifications based on NRC plant-specific approval. 
The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5.

Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification.

Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.
LCO 3.0.5

LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or
b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance.

An example of demonstrating the OPERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the required testing.

An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.
______________________________________________________________________________
LCO 3.0.6
LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions. When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support system's Required Actions. However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system.
This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2. Specification 5.5.15, "Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6. Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. A loss of safety function may exist when a support system is inoperable, and:
a. A required system redundant to system(s) supported by the inoperable support system is also inoperable; or (EXAMPLE B3.0.6-1)
b. A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable; or (EXAMPLE B3.0.6-2)
c. A required system redundant to support system(s) for the supported systems (a) and (b) above is also inoperable.
(EXAMPLE B3.0.6-3)
If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered. This loss of safety function does not require the assumption of additional single failures or loss of offsite power. Since operation is being restricted in accordance with the ACTIONS of the support system, any resulting temporary loss of redundancy or single failure protection is taken into account. Similarly, the ACTIONS for inoperable offsite circuit(s) and inoperable diesel generator(s) provide the necessary restriction for cross train inoperabilities. This explicit cross train verification for inoperable AC electrical power sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency electrical power source (refer to the definition of OPERABILITY). When a loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system (e.g., loss of automatic start due to inoperable instrumentation, or loss of pump suction source due to low tank level) the appropriate LCO is the LCO for the support system. The ACTIONS for a support system LCO adequately address the inoperabilities of that system without reliance on entering its supported system LCO.
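The cross train check described above, as an added example (not part of the Bases and not the licensee's SFDP): for each train it computes the systems left without support and reports those unavailable in every train, using the train configurations of EXAMPLES B3.0.6-1 through B3.0.6-3 of this section. The support map, the two-train layout and all function names are assumptions; the map is reconstructed from those examples because the figure they refer to is not reproduced in this text.

```python
"""Cross train check for loss of safety function (added illustration)."""

# ASSUMED support map: support system -> systems it directly supports.
# It is the smallest map consistent with EXAMPLES B3.0.6-1..3 and with the
# statement that System 1 supports System 2 and System 3. The same map is
# assumed to apply to every train.
SUPPORTS = {
    1: (2, 3),
    2: (4, 5),
    4: (8, 9),
    5: (10, 11),
}


def unavailable(inoperable):
    """Inoperable systems plus every system they support, directly or in turn."""
    seen = set()
    stack = list(inoperable)
    while stack:
        system = stack.pop()
        if system in seen:
            continue
        seen.add(system)
        stack.extend(SUPPORTS.get(system, ()))
    return seen


def loss_of_safety_function(inoperable_by_train):
    """Systems whose function is unavailable in every train.

    inoperable_by_train maps a train name to the systems declared
    inoperable in that train, e.g. {"A": [2], "B": [5]}.
    """
    per_train = [unavailable(systems) for systems in inoperable_by_train.values()]
    if not per_train:
        return []
    return sorted(set.intersection(*per_train))


def criterion(support_sys, other_train_sys):
    """Which of criteria a, b, c relates the two inoperable systems.

    This is this example's reading of the criteria: (a) the other train's
    system is directly supported by the inoperable support system, (b) it is
    supported in turn through an intermediate system, (c) it is itself a
    support system above the inoperable one. Returns None if unrelated.
    """
    if other_train_sys in SUPPORTS.get(support_sys, ()):
        return "a"
    if other_train_sys in unavailable([support_sys]) - {support_sys}:
        return "b"
    if support_sys in unavailable([other_train_sys]) - {other_train_sys}:
        return "c"
    return None


if __name__ == "__main__":
    # Train A / Train B pairs taken from EXAMPLES B3.0.6-1, -2 and -3,
    # plus one constructed pair (System 3) that shares no supported system.
    for a_sys, b_sys in [(2, 5), (2, 11), (2, 1), (2, 3)]:
        lost = loss_of_safety_function({"A": [a_sys], "B": [b_sys]})
        print(f"A:{a_sys} B:{b_sys} criterion={criterion(a_sys, b_sys)} lost={lost}")
```

An empty result means no system is unavailable in both trains, so the cross train check finds no loss of safety function for that configuration.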
When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.
EXAMPLE B3.0.6-1 If System 2 of Train A is inoperable, and System 5 of Train B is inoperable, a loss of safety function exists in supported Systems 5, 10 and 11.
EXAMPLE B3.0.6-2 If System 2 of Train A is inoperable, and System 11 of Train B is inoperable, a loss of safety function exists in System 11 which is in turn supported by System 5.
EXAMPLE B3.0.6-3 If System 2 of Train A is inoperable, and System 1 of Train B is inoperable, a loss of safety function exists in Systems 2, 4, 5, 8, 9, 10, and 11.
For the examples above, support systems are to the left of the supported systems (i.e., System 1 supports System 2 and System 3).
______________________________________________________________________________
LCO 3.0.7
Special tests and operations are required at various times over the unit's life to demonstrate performance characteristics, to perform maintenance activities, and to perform special evaluations. Because TS normally preclude these tests and operations, Special Test Exceptions (STEs) allow specified requirements to be changed or suspended under controlled conditions. STEs are included in applicable sections of the Specifications. Unless otherwise specified, all other TS requirements remain unchanged and in effect as applicable.
This will ensure that all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed or suspended to perform the special test or operation will remain in effect. The Applicability of an STE LCO represents a condition not necessarily in compliance with the normal requirements of the TS. Compliance with STE LCOs is optional. A special test may be performed under either the provisions of the appropriate STE LCO or the other applicable TS requirements. If it is desired to perform the special test under the provisions of the STE LCO, the requirements of the STE LCO shall be followed. This includes the SRs specified in the STE LCO. Some of the STE LCOs require that one or more of the LCOs for normal operation be met (i.e., meeting the STE LCO requires meeting the specified normal LCOs). The Applicability, ACTIONS, and SRs of the specified normal LCOs, however, are not required to be met in order to meet the STE LCO when it is in effect. This means that, upon failure to meet a specified normal LCO, the associated ACTIONS of the STE LCO apply, in lieu of the ACTIONS of the normal LCO. Exceptions to the above do exist. There are instances when the Applicability of the specified normal LCO must be met, where its ACTIONS must be taken, where certain of its Surveillances must be performed, or where all of these requirements must be met concurrently with the requirements of the STE LCO. Unless the SRs of the specified normal LCOs are suspended or changed by the special test, those SRs that are necessary to meet the specified normal LCOs must be met prior to performing the special test. During the conduct of the special test, those Surveillances need not be performed unless specified by the ACTIONS or SRs of the STE LCO. ACTIONS for STE LCOs provide appropriate remedial measures upon failure to meet the STE LCO. 
Upon failure to meet these ACTIONS, suspend the performance of the special test and enter the ACTIONS for all LCOs that are then not met. Entry into LCO 3.0.3 may possibly be required, but this determination should not be made by considering only the failure to meet the ACTIONS of the STE LCO.
______________________________________________________________________________
LCO 3.0.8
LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications (TS) under licensee control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee. If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported system's LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2. LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train or subsystem of a multiple train or subsystem supported system or to a single train or subsystem supported system.
LCO 3.0.8.a allows 72 hours to restore the snubber(s) before declaring the supported system inoperable. The 72 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function and due to the availability of the redundant train of the supported system. LCO 3.0.8.b applies when one or more snubbers are not capable of providing their associated support function(s) to more than one train or subsystem of a multiple train or subsystem supported system. LCO 3.0.8.b allows 12 hours to restore the snubber(s) before declaring the supported system inoperable. The 12 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function. LCO 3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of 10 CFR 50.65(a)(4) (the Maintenance Rule) does not address seismic risk. However, use of LCO 3.0.8 should be considered with respect to other plant maintenance activities, and integrated into the existing Maintenance Rule process to the extent possible so that maintenance on any unaffected train or subsystem is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and components when one or more snubbers are not able to perform their associated support function.
In order to utilize LCO 3.0.8, the restrictions listed below shall be met.
1. When LCO 3.0.8 is used, confirm that at least one train (or subsystem) of systems supported by the non-functional snubber(s) would remain capable of performing their required safety or support functions for postulated design loads other than seismic loads. LCO 3.0.8 does not apply to non-seismic snubbers.
2. When LCO 3.0.8 is used, a record of the design function of the nonfunctional snubber(s) (i.e., seismic vs. non-seismic), implementation of the applicable LCO 3.0.8 restrictions, and the associated plant configuration shall be available on a recoverable basis for NRC inspection.
3. When LCO 3.0.8.a is used, at least one AFW train (including a minimum set of supporting equipment required for its successful operation) or some alternative means of core cooling, not associated with the non-functional snubber(s), must be available.
4. When LCO 3.0.8.b is used, at least one AFW train (including a minimum set of supporting equipment required for its successful operation) not associated with the non-functional snubber(s), or some alternative means of core cooling (e.g., fire water system or "aggressive secondary cooldown" using the steam generators) must be available.
______________________________________________________________________________
B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY
BASES
SRs
SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.
______________________________________________________________________________
SR 3.0.1
SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO. Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency. Additionally, the definitions related to instrument testing (e.g., CHANNEL CALIBRATION) specify that these tests are performed by means of any series of sequential, overlapping, or total steps. Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:
a. The systems or components are known to be inoperable, although still meeting the SRs; or
b. The requirements of the Surveillance(s) are known to be not met between required Surveillance performances.
Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a Special Test Exception (STE) are only applicable when the STE is used as an allowable exception to the requirements of a Specification.
Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition. Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status. Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed. Some examples of this process are:
a. Auxiliary Feedwater (AFW) pump turbine maintenance during refueling that requires testing at steam pressures > 800 psi. However, if other appropriate testing is satisfactorily completed, the AFW System can be considered OPERABLE.
This allows startup and other necessary testing to proceed until the plant reaches the steam pressure required to perform the testing.
b. High Pressure Safety Injection (HPSI) maintenance during shutdown that requires system functional tests at a specified pressure. Provided other appropriate testing is satisfactorily completed, startup can proceed with HPSI considered OPERABLE. This allows operation to reach the specified pressure to complete the necessary post maintenance testing.
______________________________________________________________________________
SR 3.0.2
SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per..." interval. SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities). The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. An example of where SR 3.0.2 does not apply is the Containment Leak Rate Testing Program.
As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner. The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.
______________________________________________________________________________
SR 3.0.3
SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24 hours or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met. Reference Bases Section 3.0.2 for discussion and applicability of Frequency and 25% extension.
This delay period provides an adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance. The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements. When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity. SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions. Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals.
While up to 24 hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program. 
If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance. Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.
______________________________________________________________________________
SR 3.0.4
SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified Condition in the Applicability. This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability. A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not met due to a Surveillance not being met in accordance with LCO 3.0.4.
However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3. The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5.
The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency.
______________________________________________________________________________
B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.1 SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Open
BASES
BACKGROUND
The reactivity control systems must be redundant and capable of holding the reactor core subcritical when shutdown under cold conditions, in accordance with GDC 26 (Ref. 1). Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel. SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs). As such, the SDM defines the degree of subcriticality that would be obtained immediately following the insertion of all full strength control element assemblies (CEAs), assuming the single CEA of highest reactivity worth is fully withdrawn with Reactor Trip Breakers open.
This reactivity worth is credited in establishing the required SDM. The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable CEAs and soluble boric acid in the Reactor Coolant System (RCS). The CEA System provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding acceptable fuel design limits, assuming that the CEA of highest reactivity worth remains fully withdrawn. The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes, and maintain the reactor subcritical under cold conditions. During power operation, SDM control is ensured by operating with the shutdown CEAs fully withdrawn and the regulating CEAs within the limits of LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits." When the unit is in the shutdown and refueling modes, the SDM requirements are met by means of adjustments to the RCS boron concentration.
______________________________________________________________________________
APPLICABLE SAFETY ANALYSES
The minimum required SDM is assumed as an initial condition in safety analysis. The safety analysis (Ref. 2) establishes a SDM that ensures specified acceptable fuel design limits are not exceeded for normal operation and AOOs, with the assumption of the highest worth CEA stuck out following a reactor trip. Specifically, for MODE 5, the primary safety analysis that relies on the SDM limits is the boron dilution analysis. The acceptance criteria for SDM are that specified acceptable fuel design limits are maintained.
This is done by ensuring that:

a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;
b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from nucleate boiling ratio (DNBR), fuel centerline temperature limits for AOOs, and 280 cal/gm energy deposition for the CEA ejection accident); and
c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

The most limiting accident for the SDM requirements is based on a main steam line break (MSLB), as described in the accident analysis (Ref. 2). The increased steam flow resulting from a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG), and consequently the RCS. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As initial RCS temperature decreases, the severity of an MSLB decreases. The most limiting MSLB, with respect to potential fuel damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus terminating RCS heat removal and cooldown. Following the MSLB, a post trip return to power may occur; however, no fuel damage occurs as a result of the post trip return to power.
Therefore, operation of the plant in conformance with minimum SDM requirements ensures that, should a MSLB occur, control room and offsite radiological dose consequences will remain within licensing basis limits as described in the accident analyses (Ref. 2).

In addition to the limiting MSLB transient, the SDM requirement for MODES 3, 4, and 5 must also protect against:

a. Inadvertent boron dilution;
b. Startup of an inactive reactor coolant pump (RCP); and
c. CEA ejection.

Each of these is discussed below.

In the inadvertent boron dilution analysis, the amount of reactivity by which the reactor is subcritical is determined by the reactivity difference between an initial subcritical boron concentration and the corresponding critical boron concentration. The initial subcritical boron concentration assumed in the analysis corresponds to the minimum SDM requirements. These two values (initial and critical boron concentrations), in conjunction with the configuration of the Reactor Coolant System (RCS) and the assumed dilution flow rate, directly affect the results of the analysis. For this reason the event is most limiting at the beginning of core life when critical boron concentrations are highest.

The startup of an inactive RCP will not result in a "cold water" criticality, even if the maximum difference in temperature exists between the SG and the core. Although this event was considered in establishing the requirements for SDM, it is not the limiting event with respect to the specification limits.

In the analysis of the CEA ejection event, maintaining SDM ensures the reactor remains subcritical following a CEA ejection and, therefore, satisfies the radially averaged enthalpy acceptance criterion considering power redistribution effects.
SHUTDOWN MARGIN is the amount by which the core is subcritical, or would be subcritical immediately following a reactor trip, considering a single malfunction resulting in the highest worth CEA failing to insert. With any full strength CEAs not capable of being fully inserted, the withdrawn reactivity worth of these CEAs must be accounted for in the determination of SDM.

The SDM satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the most limiting analyses that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed 10 CFR 100, "Reactor Site Criterion," limits (Ref. 4). For the boron dilution accident, if the LCO is violated, then the minimum required time assumed for operator action to terminate dilution may no longer be applicable.

SDM is a core physics design condition that can be ensured through CEA positioning (regulating and shutdown CEAs) and through the soluble boron concentration.

APPLICABILITY
In MODES 3, 4 and 5 with the Reactor Trip Breakers Open or the CEA drive system not capable of CEA withdrawal, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODES 1 and 2, SDM is ensured by complying with LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits," and LCO 3.1.7.
In MODES 3, 4 and 5 with the Reactor Trip Breakers Closed, SDM is addressed by LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed." In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration."

ACTIONS
A.1
If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. It is assumed that boration will be continued until the SDM requirements are met.

In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the refueling water tank. The operator should borate with the best source available for the plant conditions.

In determining the boration flow rate, the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle, when boron concentration may approach or exceed 2000 ppm. Assuming that a value of 1% Δk/k must be recovered and a boration flow rate of 26 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in less than 4 hours with a 4000 ppm source. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Δk/k.
These boration parameters of 26 gpm and 4000 ppm represent typical values and are provided for the purpose of offering a specific example.

SURVEILLANCE REQUIREMENTS
SR 3.1.1.1
SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:

a. RCS boron concentration;
b. CEA positions;
c. RCS average temperature;
d. Fuel burnup based on gross thermal energy generation;
e. Xenon concentration;
f. Samarium concentration; and
g. Isothermal temperature coefficient (ITC).

Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as the RCS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. 10 CFR 50, Appendix A, GDC 26.
2. UFSAR, Section 15.1.
3. UFSAR, Section 15.4.
4. 10 CFR 100.

PALO VERDE UNITS 1,2,3 B 3.1.2-1 REVISION 28

B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.2 SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed

BASES

BACKGROUND
The reactivity control systems must be redundant and capable of holding the reactor core subcritical when shut down under cold conditions, in accordance with GDC 26 (Ref. 1). Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel.
SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs). As such, SDM defines the degree of subcriticality that would be obtained immediately following the insertion of all full strength control element assemblies (CEAs), assuming the single CEA of highest reactivity worth is fully withdrawn.

The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable CEAs and soluble boric acid in the Reactor Coolant System (RCS). The CEA System provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding the acceptable fuel design limits, assuming that the CEA of highest reactivity worth remains fully withdrawn. The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes, and maintain the reactor subcritical under cold conditions.

During power operation, SDM control is ensured by operating with the shutdown CEAs fully withdrawn and the regulating CEAs within the limits of LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits." When the unit is in the shutdown and refueling modes, the SDM requirements are met by means of adjustments to the RCS boron concentration.

APPLICABLE SAFETY ANALYSES
The minimum required SDM is assumed as an initial condition in safety analysis. The safety analysis (Ref.
2) establishes a SDM that ensures specified acceptable fuel design limits are not exceeded for normal operation and AOOs with the assumption of the highest worth CEA stuck out following a reactor trip. Specifically, for MODE 5, the primary safety analysis that relies on the SDM limits is the boron dilution analysis.

The acceptance criteria for SDM requirements are that the specified acceptable fuel design limits are maintained. This is done by ensuring that:

a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;
b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from nucleate boiling ratio, fuel centerline temperature limits for AOOs, and 280 cal/gm energy deposition for the CEA ejection accident); and
c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

The most limiting accident for the SDM requirements is based on a main steam line break (MSLB), as described in the accident analysis (Ref. 2). The increased steam flow resulting from a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG), and consequently the RCS. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As initial RCS temperature decreases, the severity of an MSLB decreases. The most limiting MSLB, with respect to potential fuel damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus terminating RCS heat removal and cooldown.
Following the MSLB, a post trip return to power may occur; however, no fuel damage occurs as a result of the post trip return to power. Therefore, operation of the plant in conformance with minimum SDM requirements ensures that, should a MSLB occur, control room and offsite radiological dose consequences will remain within licensing basis limits as described in the accident analysis (Ref. 2).

In addition to the limiting MSLB transient, the SDM requirement for MODES 3, 4, and 5 must also protect against:

a. Inadvertent boron dilution;
b. An uncontrolled CEA withdrawal from a subcritical condition;
c. Startup of an inactive reactor coolant pump (RCP); and
d. CEA ejection.

Each of these is discussed below.

In the inadvertent boron dilution analysis, the amount of reactivity by which the reactor is subcritical is determined by the reactivity difference between an initial subcritical boron concentration and the corresponding critical boron concentration. The initial subcritical boron concentration assumed in the analysis corresponds to the minimum SDM requirements. These two values (initial and critical boron concentrations), in conjunction with the configuration of the Reactor Coolant System (RCS) and the assumed dilution flow rate, directly affect the results of the analysis. For this reason the event is most limiting at the beginning of core life when critical boron concentrations are highest.

The withdrawal of CEAs from subcritical conditions adds reactivity to the reactor core, causing both the core power level and heat flux to increase with corresponding increases in reactor coolant temperatures and pressure.
The withdrawal of CEAs also produces a time dependent redistribution of core power. The uncontrolled CEA withdrawal transient is terminated by a high power level trip. Power level, RCS pressure, peak fuel centerline temperature, and the DNBR do not exceed allowable limits.

The startup of an inactive RCP will not result in a "cold water" criticality, even if the maximum difference in temperature exists between the SG and the core. Although this event was considered in establishing the requirements for SDM, it is not the limiting event with respect to the specification limits.

In the analysis of the CEA ejection event, SDM alone cannot prevent reactor criticality following a CEA ejection. At temperatures less than 500°F, the KN-1 requirement ensures the reactor remains subcritical and, therefore, satisfies the radially averaged enthalpy acceptance criterion considering power redistribution effects. Above 500°F, Doppler reactivity feedback is sufficient to preclude the need for a specific KN-1 requirement.

The function of SHUTDOWN MARGIN is to ensure that the reactor remains subcritical following a design basis accident or anticipated operational occurrence. During operation in MODES 1 and 2, with keff greater than or equal to 1.0, the transient insertion limits of Specification 3.1.3.6 ensure that sufficient SHUTDOWN MARGIN is available.

SHUTDOWN MARGIN is the amount by which the core is subcritical, or would be subcritical immediately following a reactor trip, considering a single malfunction resulting in the highest worth CEA failing to insert.
With any full strength CEAs not capable of being fully inserted, the withdrawn reactivity worth of the CEAs must be accounted for in the determination of SDM.

SHUTDOWN MARGIN requirements vary throughout the core life as a function of fuel depletion and reactor coolant system (RCS) cold leg temperature (Tcold). The most restrictive condition occurs at EOL, with Tcold at no-load operating temperature, and is associated with a postulated steam line break accident and the resulting uncontrolled RCS cooldown. In the analysis of this accident, the specified SHUTDOWN MARGIN is required to control the reactivity transient and ensure that the fuel performance and offsite dose criteria are satisfied.

As (initial) Tcold decreases, the potential RCS cooldown and the resulting reactivity transient are less severe and, therefore, the required SHUTDOWN MARGIN also decreases. Below Tcold of about 350°F, the inadvertent deboration event becomes limiting with respect to the applicable SHUTDOWN MARGIN requirements. Below 350°F, the specified SHUTDOWN MARGIN ensures that sufficient time for operator actions exists between the initial indication of the deboration and the total loss of shutdown margin. Accordingly, with the reactor trip breakers closed and the CEA drive system capable of CEA withdrawal, the SHUTDOWN MARGIN requirements are based upon these limiting conditions.

Additional events considered in establishing requirements on SHUTDOWN MARGIN that are not limiting with respect to the Specification limits are single CEA withdrawal and startup of an inactive reactor coolant pump.
The function of KN-1 is to maintain sufficient subcriticality to preclude inadvertent criticality following ejection of a single control element assembly (CEA). KN-1 is a measure of the core's reactivity, considering a single malfunction resulting in the highest worth inserted CEA being ejected. KN-1 requirements vary with the amount of positive reactivity that would be introduced assuming the CEA with the highest inserted worth ejects from the core. The KN-1 requirement ensures that a CEA ejection event while shutdown will not result in criticality. Above Tcold of 500°F, Doppler reactivity feedback is sufficient to preclude the need for a specific KN-1 requirement. With all CEAs fully inserted, KN-1 and SHUTDOWN MARGIN requirements are equivalent in terms of minimum acceptable core boron concentration.

The requirement prohibiting criticality due to shutdown group CEA movement is associated with the assumptions used in the analysis of uncontrolled CEA withdrawal from subcritical conditions. Due to the high differential reactivity worth of the shutdown CEA groups, the analysis assumes that the initial shutdown reactivity is such that the reactor will remain subcritical in the event of unexpected or uncontrolled shutdown group withdrawal.

The SDM satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the most limiting analyses that establish the reactivity control requirements of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed 10 CFR 100, "Reactor Site Criterion," limits (Ref. 4).
For the boron dilution accident, if the LCO is violated, then the minimum required time assumed for operator action to terminate dilution may no longer be applicable.

SDM, KN-1, and criticality due to Shutdown CEA withdrawal are core physics design conditions that can be ensured through CEA positioning (regulating and shutdown CEAs) and through the soluble boron concentration.

APPLICABILITY
In MODES 3, 4, and 5 with the Reactor Trip Breakers Closed and the CEA Drive System capable of CEA withdrawal, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODES 1 and 2, SDM is ensured by complying with LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits," and LCO 3.1.7. In MODES 3, 4 and 5 with the Reactor Trip Breakers Open, SDM is addressed by LCO 3.1.1, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Open." In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration."

ACTIONS
A.1
If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components and/or vary CEA position. It is assumed that boration will be continued until the SDM requirements are met.

In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied.
Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the refueling water tank. The operator should borate with the best source available for the plant conditions.

In determining the boration flow rate the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle, when boron concentration may approach or exceed 2000 ppm. Assuming that a value of 1% Δk/k must be recovered and a boration flow rate of 26 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in less than 4 hours with a 4000 ppm source. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Δk/k. These boration parameters of 26 gpm and 4000 ppm represent typical values and are provided for the purpose of offering a specific example.

B.1 and B.2
If the KN-1 requirements are not met or reactor criticality is achievable by Shutdown Group CEA movement, boration must be initiated promptly and CEA position varied to restore KN-1 within limit or to ensure criticality due to Shutdown Group CEA movement is not achievable. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components and vary CEA position. It is assumed that boration will be continued and CEA position varied to return KN-1 to within limit or prevent reactor criticality due to Shutdown Group CEA movement. CEA movement is only required if the specific limit exceeded can be improved by taking this action.
In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the refueling water tank. The operator should borate with the best source available for the plant conditions.

In determining the boration flow rate the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle, when the boron concentration will exceed 2000 ppm. Assuming that a value of 1% Δk/k must be recovered and a boration flow rate of 26 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in less than 4 hours with a 4000 ppm source. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Δk/k. These boration parameters of 26 gpm and 4000 ppm represent typical values and are provided for the purpose of offering a specific example.

SURVEILLANCE REQUIREMENTS
SR 3.1.2.1, 3.1.2.2 and 3.1.2.3
SDM, KN-1, and criticality not being achievable with Shutdown Group CEA withdrawal are verified by performing a reactivity balance calculation, considering the listed reactivity effects:

a. RCS boron concentration;
b. CEA positions;
c. RCS average temperature;
d. Fuel burnup based on gross thermal energy generation;
e. Xenon concentration;
f. Samarium concentration; and
g. Isothermal temperature coefficient (ITC).

Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as that of the RCS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. 10 CFR 50, Appendix A, GDC 26.
2. UFSAR, Section 15.1.
3. UFSAR, Section 15.4.
4. 10 CFR 100.

PALO VERDE UNITS 1,2,3 B 3.1.3-1 REVISION 0

B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.3 Reactivity Balance

BASES

BACKGROUND
According to GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable, such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control element assembly (CEA) worth, or operation at Conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits.
Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Open" and LCO 3.1.2, "SHUTDOWN MARGIN (SDM), Reactor Trip Breaker Closed") in ensuring the reactor can be brought safely to cold, subcritical conditions.

When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers, producing zero net reactivity. Reactivity balance is typically based on the critical boron curve, which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement of the RCS boron concentration for comparison with the predicted value with other variables fixed (such as CEA height, temperature, pressure, and power) provides a convenient method of ensuring that core reactivity is within design expectations, and that the calculational models used to generate the safety analysis are adequate.
In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and in the fuel remaining from the previous cycle, provides excess positive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical at RTP and moderator temperature, the excess positive reactivity is compensated by burnable absorbers (if any), CEAs, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concentration.

When the core is producing THERMAL POWER, the fuel is being depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER. The critical boron curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated.

APPLICABLE SAFETY ANALYSES
Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations. Every accident evaluation (Ref. 2) is, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM, and reactivity transients such as CEA withdrawal accidents or CEA ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks.
Monitoring reactivity balance additionally ensures that the nuclear methods provide an accurate representation of the core reactivity.

Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boron concentration requirements for reactivity control during fuel depletion.

The comparison between measured and predicted initial core reactivity provides a normalization for calculational models used to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculational models used to predict soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted critical boron curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred.

The normalization of predicted RCS boron concentration to the measured value is typically performed after reaching RTP following startup from a refueling outage, with the CEAs in their normal positions for power operation. The normalization is performed at BOC conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.
The reactivity balance satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The reactivity balance limit is established to ensure plant operation is maintained within the assumptions of the safety analyses. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the nuclear design methodology are larger than expected. A limit on the reactivity balance of +/- 1% k/k has been established, based on engineering judgment. A 1% deviation in reactivity from that predicted is larger than expected for normal operation, and should therefore be evaluated. When measured core reactivity is within 1% k/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between measured and predicted values would be approximately 100 ppm (depending on the boron worth) before the limit is reached. These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.

APPLICABILITY

The limits on core reactivity must be maintained during MODE 1 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER.
As the fuel depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in MODE 2 because enough operating margin exists to limit the effects of a reactivity anomaly and THERMAL POWER is low enough ( 5% RTP) such that reactivity anomalies are unlikely to occur. This Specification does not apply in MODES 2, 3, 4, and 5 because the reactor is shut down and the reactivity balance is not changing. In MODE 6, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.9.1, "Boron Concentration") ensure that fuel movements are performed within the bounds of the safety analysis. An SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, or CEA replacement, or shuffling).

ACTIONS

A.1 and A.2

Should an anomaly develop between measured and predicted core reactivity, an evaluation of the core design and safety analysis must be performed. Core conditions are evaluated to determine their consistency with input to design calculations. Measured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 7 days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.
Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in the calculation technique, then the calculational models must be revised to provide more accurate predictions. If any of these results are demonstrated and it is concluded that the reactor core is acceptable for continued operation, then the boron letdown curve may be renormalized, and power operation may continue. If operational restrictions or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined. The required Completion Time of 7 days is adequate for preparing whatever operating restrictions or Surveillances that may be required to allow continued reactor operation.

B.1

If the core reactivity cannot be restored to within the 1% k/k, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours. The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 2 from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE REQUIREMENTS

SR 3.1.3.1

Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made considering that other core conditions are fixed or stable including CEA position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The Surveillance is performed prior to entering MODE 1 as an initial check on core conditions and design calculations at BOC. The SR is modified by three Notes. The first Note indicates that the normalization of predicted core reactivity to the measured value may take place within the first 60 effective full power days (EFPD) after each fuel loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A Note, "only required after 60 EFPD," is added to the Frequency column to allow this.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.
2. UFSAR, Section 15.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.4 Moderator Temperature Coefficient (MTC)

BASES

BACKGROUND

According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident.
In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases. The MTC relates a change in core reactivity to a change in reactor coolant temperature. A positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature. The reactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self limiting, and stable power operation will result. The same characteristic is true when the MTC is positive and coolant temperature decreases occur. MTC values are predicted at selected burnups and temperatures during the safety evaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the beginning of cycle (BOC) MTC is less positive than that allowed by the LCO. The actual value of the MTC is dependent on core characteristics such as fuel loading and reactor coolant soluble boron concentration. The core design may require additional burnable absorbers, either fixed lumped poison rods or poisons distributed within selected fuel rods to yield an MTC at the BOC within the range analyzed in the plant accident analysis. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit. 
APPLICABLE SAFETY ANALYSES

The acceptance criteria for the specified MTC are:

a. The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2); and b. The MTC must be such that inherently stable power operations result during normal operation and during accidents, such as overheating and overcooling events. Reference 2 contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the most positive value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions, such as very large soluble boron concentrations, to ensure the accident results are bounding. Accidents that cause core overheating, either by decreased heat removal or increased power production, must be evaluated for results when the MTC is positive. Reactivity accidents that cause increased power production include the control element assembly (CEA) withdrawal transient from either subcritical or full THERMAL POWER. The limiting overheating event relative to plant response is based on the Loss of Condenser Vacuum event (Ref. 3). The most limiting event with respect to a positive MTC is a CEA withdrawal accident from a subcritical or low (hot zero) power condition, also referred to as a startup accident (Ref. 4). Accidents that cause core overcooling must be evaluated for results when the MTC is most negative. The event that produces the most rapid cooldown of the RCS, and is therefore the most limiting event with respect to the negative MTC, is a steam line break (SLB) event. Following the reactor trip for the postulated EOC SLB event, the large moderator temperature reduction combined with the large negative MTC may produce reactivity increases that are as much as the shutdown reactivity. When this occurs, a substantial fraction of core power is produced with all CEAs inserted, except the most reactive one, which is assumed withdrawn. 
Even if the reactivity increase produces slightly subcritical conditions, a large fraction of core power may be produced through the effects of subcritical neutron multiplication.

MTC values are bounded in reload safety evaluations assuming steady state conditions at BOC and EOC. A middle of cycle (MOC) measurement is conducted at conditions when the RCS boron concentration reaches approximately 300 ppm. The measured value may be extrapolated to project the EOC value, in order to confirm reload design predictions. The MTC satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

LCO 3.1.4 requires the MTC to be within the specified limits of the COLR to ensure the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of the original accident analysis during operation. The limit on a positive MTC ensures that core overheating accidents will not violate the accident analysis assumptions. The negative MTC limit for EOC specified in the COLR ensures that core overcooling accidents will not violate the accident analysis assumptions. MTC is a core physics parameter determined by the fuel and fuel cycle design and cannot be easily controlled once the core design is fixed. During operation, therefore, the LCO can only be ensured through measurement. The surveillance checks at BOC and MOC on an MTC provide confirmation that the MTC is behaving as anticipated, so that the acceptance criteria are met.

APPLICABILITY

In MODE 1, the limits on the MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate the design assumptions of the accident analysis.
In MODE 2, the limits must also be maintained to ensure accidents, such as the uncontrolled CEA assembly or group withdrawal, will not violate the assumptions of the accident analysis. In MODES 3, 4, 5, and 6, this LCO is not applicable, since no Design Basis Accidents (DBAs) using the MTC as an analysis assumption are initiated from these MODES except for a MSLB in MODE 3. In this case, the analysis assumes worst case MTC, with the ECCS systems mitigating the event. However, the variation of the MTC, with temperature in MODES 3, 4, and 5, for DBAs initiated in MODES 1 and 2, is accounted for in the subject accident analysis. The variation of the MTC, with temperature assumed in the safety analysis, is accepted as valid once the BOC and MOC measurements are used for normalization.

ACTIONS

A.1

MTC is a function of the fuel and fuel cycle designs, and cannot be controlled directly once the designs have been implemented in the core. If MTC exceeds its limits, the reactor must be placed in MODE 3. This eliminates the potential for violation of the accident analysis bounds. The associated Completion Time of 6 hours is reasonable, considering the probability of an accident occurring during the time period that would require an MTC value within the LCO limits, and the time for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE REQUIREMENTS

SR 3.1.4.1 and SR 3.1.4.2

The SRs for measurement of the MTC at the beginning and middle of each fuel cycle provide for confirmation of the limiting MTC values. The MTC changes smoothly from most positive (least negative) to most negative value during fuel cycle operation, as the RCS boron concentration is reduced to compensate for fuel depletion. The requirement for measurement prior to operation > 5% RTP satisfies the confirmatory check on the most positive (least negative) MTC value. The requirement for measurement, within 7 days of (before or after) reaching 40 effective full power days and a 2/3 core burnup, satisfies the confirmatory check of the most negative MTC value. The measurement is performed at any THERMAL POWER so that the projected EOC MTC may be evaluated before the reactor actually reaches the EOC condition. MTC values may be extrapolated and compensated to permit direct comparison to the specified MTC limits.

SR 3.1.4.2 is modified by a Note that indicates performance is not required prior to entering MODE 1 or 2. Although this Surveillance is applicable in MODES 1 and 2, the reactor must be critical before the Surveillance can be completed. Therefore, entry into the applicable MODE prior to accomplishing the Surveillance is necessary. SR 3.1.4.2 is modified by a second Note, which indicates that if extrapolated MTC is more negative than the EOC COLR limit, the Surveillance may be repeated, and that shutdown must occur prior to exceeding the minimum allowable boron concentration at which MTC is projected to exceed the lower limit.
An engineering evaluation is performed if the extrapolated value of MTC exceeds the Specification limits.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 11.
2. UFSAR, Section 15.0.

3. UFSAR, Section 15.2.
4. UFSAR, Section 15.4.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.5 Control Element Assembly (CEA) Alignment

BASES

BACKGROUND

The OPERABILITY (e.g., trippability) of the shutdown and regulating CEAs is an initial assumption in all safety analyses that assume CEA insertion upon reactor trip. Maximum CEA misalignment is an initial assumption in the safety analyses that directly affects core power distributions and assumptions of available SDM. The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10 and GDC 26 (Ref. 1) and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Cooled Nuclear Power Plants" (Ref. 2). Mechanical or electrical failures may cause a CEA to become inoperable or to become misaligned from its group. CEA inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available CEA worth for reactor shutdown. Therefore, CEA alignment and operability are related to core operation in design power peaking limits and the core design requirement of a minimum SDM. If a CEA(s) is discovered to be immovable but remains trippable and aligned, the CEA is considered to be OPERABLE. At any time, if a CEA(s) is immovable, a determination of the trippability (OPERABILITY) of that CEA(s) must be made, and appropriate action taken. Limits on CEA alignment and operability have been established, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved. CEAs are moved by their control element drive mechanisms (CEDMs).
Each CEDM moves its CEA one step (approximately 3/4 inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Control Element Drive Mechanism Control System (CEDMCS). The CEAs are arranged into groups that are radially symmetric. Therefore, movement of the CEAs does not introduce radial asymmetries in the core power distribution. The shutdown and regulating CEAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip. The regulating CEAs also provide reactivity (power level) control during normal operation and transients. Their movement may be automatically controlled by the Reactor Regulating System. Part strength CEAs are not credited in the safety analyses for shutting down the reactor, as are the regulating and shutdown groups. The part strength CEAs are used solely for ASI control. The axial position of shutdown and regulating CEAs is indicated by two separate and independent systems, which are the Pulse Counting CEA Position Indication System (described in Ref. 4) and the Reed Switch CEA Position Indication System (described in Ref. 5). The Pulse Counting CEA Position Indicating System indicates CEA position to the actual step, if each CEA moves one step for each command signal. However, if each CEA does not follow the commands, the system will incorrectly reflect the position of the affected CEA(s). This condition may affect the operability of COLSS (refer to Section 3.2, Power Distribution Limits for the applicable actions) and should be detected by the Reed Switch Position Indication System through surveillance or alarm.
Although the Reed Switch Position Indication System is less precise than the Pulse Counting CEA Position Indicating System, it is not subject to the same error mechanisms.

APPLICABLE SAFETY ANALYSES

CEA misalignment accidents are analyzed in the safety analysis (Ref. 3). The accident analysis defines CEA misoperation as any event, with the exception of sequential group withdrawals, which could result from a single malfunction in the reactivity control systems. For example, CEA misalignment may be caused by a malfunction of the CEDM, CEDMCS, or by operator error. A stuck CEA may be caused by mechanical jamming of the CEA fingers or of the gripper. Inadvertent withdrawal of a single CEA may be caused by an electrical failure in the CEA coil power programmers. A dropped CEA could be caused by an opening of the electrical circuit of the CEDM holding coil for a full strength, or part strength CEA. The acceptance criteria for addressing CEA inoperability or misalignment are that: There shall be no violations of:

1. specified acceptable fuel design limits, or
2. Reactor Coolant System (RCS) pressure boundary integrity.

To ensure that these acceptance criteria are met, the CEAs shall be capable of inserting the required negative reactivity and in the time period assumed in the accident analysis upon a reactor trip. Three types of misalignment are distinguished. They are misalignment within deadband (< 6.6 inches), misalignment in excess of deadband, and CEA/subgroup drop. During movement of a group, one CEA may stop moving while the other CEAs in the group continue. This condition may cause excessive power peaking. This misalignment can be within or exceed the deadband.
The last type of misalignment occurs when one CEA or subgroup drops partially or fully into the reactor core. This event causes an initial power reduction followed by a return towards the original power due to positive reactivity feedback from the negative moderator temperature coefficient. Increased peaking during the power increase may result in erosion of DNB margin. Misalignments within deadband are evaluated to ensure specified acceptable fuel design limits (SAFDLs) are not exceeded. Misalignments in excess of deadband consider the case of a single CEA withdrawn approximately 10 inches from a bank inserted to its insertion limit. Satisfying limits on departure from nucleate boiling ratio (DNBR) bounds the situation when a CEA is misaligned from its group by 6.6 inches. The effect of any misoperated CEA on the core power distribution will be assessed by the CEA calculators, and an appropriately augmented power distribution penalty factor will be supplied as input to the core protection calculators (CPCs). As the reactor core responds to the reactivity changes caused by the misoperated CEA and the ensuing reactor coolant and Doppler feedback effects, the CPCs will initiate a low DNBR or high local power density trip signal if SAFDLs are approached. The accident analysis analyzed a single four finger full and part strength CEA drop, a twelve finger drop, and a subgroup drop. The twelve finger and subgroup drops cause larger distortions than the four finger drops. With CEACS In Service (IS), the subgroup and twelve finger rod drops will result in a penalty factor such that a CPC trip will occur if SAFDLs are approached.
The four finger CEA drop is protected by the thermal margin reserved in COLSS or CPC DNBR limit lines (COLR figures 3.2.4-2 for CEACs IS and 3.2.4-3 for CEACs OOS) when COLSS is Out of Service (OOS). With CEACs OOS, CPCs will not penalize DNBR nor LPD when CEAs are misaligned; therefore, additional thermal margin is required to be preserved due to the larger radial power distortion associated with twelve finger and subgroup drops. The most rapid approach to the DNBR SAFDL or the fuel centerline melt SAFDL is caused by a single full strength CEA drop with CEACS IS and either a twelve finger or subgroup drop with CEACS OOS. In the case of the full strength CEA drop, a prompt decrease in core average power and a distortion in radial power are initially produced, which when conservatively coupled result in local power and heat flux increases, and a decrease in DNBR. A part strength CEA drop would cause a similar reactivity response although with less of a magnitude due to the full strength CEAs having a more significant reactivity worth. With CEACS OOS, a twelve finger and subgroup drop will result in greater radial power distortion. To accommodate the greater distortion without a reactor trip, increased thermal margin is required to be preserved. With CEACS IS, as the twelve finger drop is detected, core power and an appropriately augmented power distribution penalty factor are supplied to the CPCs. CPCs will trip if required to prevent SAFDLs from being exceeded. For plant operation within the DNBR and local power density (LPD) LCOs, DNBR and LPD trips can normally be avoided on a dropped 4-finger CEA since CEACs do not penalize DNBR or LPD for a four finger CEA drop.
With CEACS IS and a subgroup drop, a distortion in power distribution, and a decrease in core power are produced. As the position of the dropped CEA subgroup is detected, an appropriate power distribution penalty factor is supplied to the CPCs, and a reactor trip signal on low DNBR is generated. CEA alignment satisfies Criteria 2 and 3 of 10 CFR 50.3(c)(2)(ii).

LCO

The limits on part strength, shutdown, and regulating CEA alignments ensure that the assumptions in the safety analysis will remain valid. The requirements on OPERABILITY ensure that upon reactor trip, the CEAs will be available and will be inserted to provide enough negative reactivity to shut down the reactor. The OPERABILITY requirements also ensure that the CEA banks maintain the correct power distribution and CEA alignment. The requirement is to maintain the CEA alignment to within 6.6 inches between any CEA and all other CEAs in its group. Failure to meet the requirements of this LCO may produce unacceptable power peaking factors, DNBR, and LHRs, or unacceptable SDMs, all of which may constitute initial conditions inconsistent with the safety analysis.

APPLICABILITY

The requirements on CEA OPERABILITY and alignment are applicable in MODES 1 and 2 because these are the only MODES in which neutron (or fission) power is generated, and the OPERABILITY (e.g., trippability) and alignment of CEAs have the potential to affect the safety of the plant. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the reactor is shut down and not producing fission power.
In the shutdown modes, the OPERABILITY of the shutdown and regulating CEAs has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed," for SDM in MODES 3, 4, and 5, and LCO 3.9.1, "Boron Concentration," for boron concentration requirements during refueling.

ACTIONS

A.1 and A.2

A CEA may become misaligned, yet remain trippable. In this condition, the CEA can still perform its required function of adding negative reactivity should a reactor trip be necessary. If one or more CEAs (regulating, shutdown, or part strength) are misaligned by 6.6 inches and ~ 9.9 inches but trippable, or one CEA misaligned by > 9.9 inches but trippable, continued operation in MODES 1 and 2 may continue, provided, within 1 hour, the power is reduced in accordance with the limits in the COLR, and within 2 hours CEA alignment is restored. Regulating and part strength CEA alignment can be restored by either aligning the misaligned CEA(s) to within 6.6 inches of its group or aligning the misaligned CEA's group to within 6.6 inches of the misaligned CEA(s). Shutdown CEA alignment can be restored by aligning the misaligned CEA(s) to within 6.6 inches of its group. Xenon redistribution in the core starts to occur as soon as a CEA becomes misaligned. Reducing THERMAL POWER in accordance with the limits in the COLR ensures acceptable power distributions are maintained (Ref. 3). For small misalignments (< 9.9 inches) of the CEAs, there is:

a. A small effect on the time dependent long term power distributions relative to those used in generating LCOs and limiting safety system settings (LSSS) setpoints;
b. A negligible effect on the available SDM; and
c. A small effect on the ejected CEA worth used in the accident analysis.

With a large CEA misalignment ( 9.9 inches), however, this misalignment would cause distortion of the core power distribution. This distortion may, in turn, have a significant effect on the time dependent, long term power distributions relative to those used in generating LCOs and LSSS setpoints. The effect on the available SDM and the ejected CEA worth used in the accident analysis remain small. Therefore, this condition is limited to the single CEA misalignment, while still allowing 2 hours for recovery. In both cases, a 2 hour time period is sufficient to:

a. Identify cause of a misaligned CEA;
b. Take appropriate corrective action to realign the CEAs; and
c. Minimize the effects of xenon redistribution.

The CEA must be returned to OPERABLE status within 2 hours. If a CEA misalignment results in the COLSS programs being declared INOPERABLE, refer to Section 3.2 Power Distribution Limits for applicable actions.

B.1 and B.2

At least two of the following three CEA position indicator channels shall be OPERABLE for each CEA:

a. CEA Reed Switch Position Transmitter (RSPT 1) with the capability of determining the absolute CEA positions within 5.2 inches,
b. CEA Reed Switch Position Transmitter (RSPT 2) with the capability of determining the absolute CEA positions within 5.2 inches, and
c. The CEA pulse counting position indicator channel.
If only one CEA position indicator channel is OPERABLE for one CEA per CEA Group, continued operation in MODES 1 and 2 may continue, provided, within 6 hours, at least two position indicator channels are returned to OPERABLE status; or within 6 hours and once per 12 hours, verify that the CEA group with the inoperable position indicators are either fully withdrawn or fully inserted while maintaining the insertion limits of LCO 3.1.6, LCO 3.1.7 and LCO 3.1.8. CEAs are fully withdrawn when the requirements of LCO 3.1.6 and 3.1.7 are met. Additionally, the Upper Electrical Limit (UEL) CEA reed switches provide an acceptable indication of CEA position for a fully withdrawn condition.

C.1

If a Required Action or associated Completion Time of Condition A or Condition B is not met, or if one or more regulating or shutdown CEAs are untrippable (immovable as a result of excessive friction or mechanical interference or known to be untrippable), the unit is required to be brought to MODE 3. By being brought to MODE 3, the unit is brought outside its MODE of applicability.

When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should be commenced. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems. Reducing THERMAL POWER in accordance with the Abnormal Operating procedures ensures acceptable power distributions are maintained. The specified ramp rate is intended to ensure DNBR SAFDLs are not challenged.

If a full strength CEA is untrippable, it is not available for reactivity insertion during a reactor trip.
With an untrippable CEA, meeting the insertion limits of LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits," and LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits," does not ensure that adequate SDM exists. Therefore, the plant must be shut down in order to evaluate the SDM required boron concentration and power level for critical operation. Continued operation is allowed with untrippable part strength CEAs if the alignment and insertion limits are met.

Continued operation is not allowed with one or more full length CEAs untrippable. This is because these cases are indicative of a loss of SDM and power distribution, and a loss of safety function, respectively.

D.1

Continued operation is not allowed in the case of more than one CEA misaligned from any other CEA in its group by > 9.9 inches. For example, two CEAs in a group misaligned from any other CEA in that group by > 9.9 inches, or more than one CEA group that has at least one CEA misaligned from any other CEA in that group by > 9.9 inches. This is indicative of a loss of power distribution and a loss of safety function, respectively. Multiple CEA misalignments should result in automatic protective action. Therefore, with two or more CEAs misaligned more than 9.9 inches, this could result in a situation outside the design basis and immediate action would be required to prevent any potential fuel damage. Immediately opening the reactor trip breakers minimizes these effects.
SURVEILLANCE REQUIREMENTS

SR 3.1.5.1

Verification that individual CEA positions are within 6.6 inches (indicated reed switch positions) of all other CEAs in the group allows the operator to detect a CEA that is beginning to deviate from its expected position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.5.2

OPERABILITY of at least two CEA position indicator channels is required to determine CEA positions, and thereby ensure compliance with the CEA alignment and insertion limits. The CEA full in and full out limits provide an additional independent means for determining the CEA positions when the CEAs are at either their fully inserted or fully withdrawn positions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.5.3

Verifying each full strength CEA is trippable would require that each CEA be tripped. In MODES 1 and 2 tripping each full strength CEA would result in radial or axial power tilts, or oscillations. Therefore individual full strength CEAs are exercised to provide increased confidence that all full strength CEAs continue to be trippable, even if they are not regularly tripped. A movement of 5 inches is adequate to demonstrate motion without exceeding the alignment limit when only one full strength CEA is being moved. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Between required performances of SR 3.1.5.3, if a CEA(s) is discovered to be immovable but remains trippable and aligned, the CEA is considered to be OPERABLE.
At any time, if a CEA(s) is immovable, a determination of the trippability (OPERABILITY) of that CEA(s) must be made, and appropriate action taken.

SR 3.1.5.4

Performance of a CHANNEL FUNCTIONAL TEST of each reed switch position transmitter channel ensures the channel is OPERABLE and capable of indicating CEA position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.5.5

Verification of full strength CEA drop times determines that the maximum CEA drop time permitted is consistent with the assumed drop time used in the safety analysis (Ref. 3). Measuring drop times prior to reactor criticality, after reactor vessel head removal, ensures the reactor internals and CEDM will not interfere with CEA motion or drop time, and that no degradation in these systems has occurred that would adversely affect CEA motion or drop time. Individual CEAs whose drop times are greater than safety analysis assumptions are not OPERABLE. This SR is performed prior to criticality due to the plant conditions needed to perform the SR and the potential for an unplanned plant transient if the Surveillance were performed with the reactor at power.

The 4 second CEA drop time is the maximum time it takes for a fully withdrawn individual full strength CEA to reach its 90% insertion position when electrical power is interrupted to the CEA drive mechanism with RCS Tcold greater than or equal to 550°F and all reactor coolant pumps operating.

The CEA drop time of full strength CEAs shall also be demonstrated through measurement prior to reactor criticality for specifically affected individual CEAs following any maintenance on or modification to the CEA drive system which could affect the drop time of those specific CEAs.
REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. UFSAR, Section 15.4.
4. UFSAR, Section 7.7.1.3.2.3.
5. UFSAR, Section 7.5.1.1.4.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.6 Shutdown Control Element Assembly (CEA) Insertion Limits

BASES

BACKGROUND

The insertion limits of the shutdown CEAs are initial assumptions in all safety analyses that assume CEA insertion upon reactor trip. The insertion limits directly affect core power distributions and assumptions of available SDM, ejected CEA worth, and initial reactivity insertion rate.

The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," and GDC 26, "Reactivity Limits" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on shutdown CEA insertion have been established, and all CEA positions are monitored and controlled during power operation to ensure that the reactivity limits, ejected CEA worth, and SDM limits are preserved.

The shutdown CEAs are arranged into groups that are radially symmetric. Therefore, movement of the shutdown CEAs does not introduce radial asymmetries in the core power distribution. The shutdown and regulating CEAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip.

The design calculations are performed with the assumption that the shutdown CEAs are withdrawn prior to the regulating CEAs.
The shutdown CEAs must be capable of full withdrawal without the core going critical. This provides available negative reactivity for SDM in the event of boration errors. The shutdown CEAs are controlled manually by the control room operator. During normal unit operation, the shutdown CEAs are fully withdrawn. The shutdown CEAs must be completely withdrawn from the core prior to withdrawing regulating CEAs during an approach to criticality. The shutdown CEAs are then left in this position until the reactor is shut down. They affect core power, burnup distribution, and add negative reactivity to shut down the reactor upon receipt of a reactor trip signal.

APPLICABLE SAFETY ANALYSES

Accident analysis assumes that the shutdown CEAs are fully withdrawn any time the reactor is critical. This ensures that:

a. The minimum SDM is maintained; and
b. The potential effects of a CEA ejection accident are limited to acceptable limits.

With the Shutdown CEAs at a fully withdrawn position (as defined in SR 3.1.6.1 Bases section), the requirements of LCO 3.1.6 are met and the assumptions made in the safety analyses are maintained.

On a reactor trip, all CEAs (shutdown CEAs and regulating CEAs), except the most reactive CEA, are assumed to insert into the core. The shutdown and regulating CEAs shall be at or above their insertion limits and available to insert the maximum amount of negative reactivity on a reactor trip signal. The regulating CEAs may be partially inserted in the core as allowed by LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits."
The shutdown CEA insertion limit is established to ensure that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM (see LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed") following a reactor trip from full power. The combination of regulating CEAs and shutdown CEAs (less the most reactive CEA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref. 3). The shutdown CEA insertion limit also limits the reactivity worth of an ejected shutdown CEA.

The acceptance criteria for addressing shutdown CEA as well as regulating CEA insertion limits and inoperability or misalignment are that:

a. There be no violation of:
   1. specified acceptable fuel design limits, or
   2. Reactor Coolant System pressure boundary damage integrity; and
b. The core remains subcritical after accident transients.

The most limiting SDM requirements for MODES 1 and 2 at EOC come from Steam Line Break (SLB). The requirements of the SLB event at EOC for both the full power and no load conditions are significantly larger than those of any other event at that time in cycle and, also, considerably larger than the most limiting requirements at BOC. Although the most limiting SDM requirements at EOC are much larger than those at BOC, the available SDM obtained via the scramming of the CEAs are also substantially larger due to the much lower boron concentration at EOC. To verify that adequate SDM are available throughout the cycle to satisfy the changing requirements, calculations are performed at both BOC and EOC. It has been determined that calculations at these two times in cycle are sufficient since the differences between available SDM and the limiting SDM requirements are the smallest at these times in the cycle. The measurement of CEA bank worth performed as part of the Startup Testing Program demonstrates that the core has expected shutdown capability. Consequently, adherence to LCOs 3.1.6 and 3.1.7 provides assurance that the available SDM at any time in cycle will exceed the limiting SDM requirements at that time in the cycle.

The shutdown CEA insertion limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The shutdown CEAs must be within their insertion limits any time the reactor is critical or approaching criticality.

This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip.

APPLICABILITY

The shutdown CEAs must be within their insertion limits, with the reactor in MODES 1 and 2. The applicability in MODE 2 begins anytime any regulating CEA is not fully inserted. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. Refer to LCO 3.1.1 and LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breaker Closed," for SDM requirements in MODES 3, 4, and 5. LCO 3.9.1, "Boron Concentration," ensures adequate SDM in MODE 6.

This LCO has been modified by a Note indicating the LCO requirement is suspended during SR 3.1.5.3, which verifies the freedom of the CEAs to move, and requires the shutdown CEAs to move below the LCO limits, which would normally violate the LCO.

ACTIONS

A.1

Prior to entering this Condition, the shutdown CEAs were fully withdrawn. If a shutdown CEA is then inserted into the core, its potential negative reactivity is added to the core as it is inserted.

If the CEA is not within limits, within 2 hours restore the CEA to within limits. The 2 hour total Completion Time allows the operator adequate time to adjust the CEA in an orderly manner and is consistent with the required Completion Times in LCO 3.1.5, "Control Element Assembly (CEA) Alignment."
B.1

When Required Action A.1 cannot be met or completed within the required Completion Time, a controlled shutdown should be commenced. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.1.6.1

Verification that the shutdown CEAs are within their insertion limits prior to an approach to criticality ensures that when the reactor is critical, or being taken critical, the shutdown CEAs (along with the regulating CEAs) will be available to shut down the reactor, and the required SDM will be maintained following a reactor trip. This SR and Frequency ensure that the shutdown CEAs are withdrawn before the regulating CEAs are withdrawn during a unit startup.

Shutdown CEAs are considered fully withdrawn when each shutdown CEA is positioned to meet one of the following conditions:

Condition 1: Pulse Counter 147.75 inches.
and
At least one Reed Switch Position Transmitter (RSPT)
OR
Condition 2: Upper Electrical Limit (UEL) position.

Condition 1 necessitates that the Pulse Counter and at least one of the two Reed Switch Position Transmitters (RSPTs) be available to verify the position of each shutdown CEA. The Pulse Counter is a very accurate position indication system but is not as reliable (i.e., slip rod) as the other position indicating systems. The RSPTs are very reliable but are not as accurate as the Pulse Counter indicating system.
Therefore, requiring these two systems together will account for instrument inaccuracies and reliability issues associated with these position indicators (instrument inaccuracies and the acceptability of these indicator limits are detailed in Reference 4).

Additionally, a CEA at its UEL (Upper Electrical Limit) position alone provides an acceptable indication (accounting for inaccuracies) of CEA position to satisfy the condition for a CEA to be considered fully withdrawn. A CEA at its UEL position will be 147.75 inches withdrawn.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. UFSAR, Section 15.4.
4. Calculation 13-JC-SF-0202.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.7 Regulating Control Element Assembly (CEA) Insertion Limits

BASES

BACKGROUND

The insertion limits of the regulating CEAs are initial assumptions in all safety analyses that assume CEA insertion upon reactor trip. The insertion limits directly affect core power distributions, assumptions of available SDM, and initial reactivity insertion rate. The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," and GDC 26, "Reactivity Limits" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2).
Limits on regulating CEA insertion have been established, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking, ejected CEA worth, reactivity insertion rate, and SDM limits are preserved.

The regulating CEA groups generally operate with a predetermined amount of position overlap, in order to approximate a linear relation between CEA worth and position (integral CEA worth). The regulating CEA groups are withdrawn and operate in a predetermined sequence. The group sequence, overlap limits, and fully withdrawn position are specified in the COLR.

The regulating CEAs are used for precise reactivity control of the reactor. The positions of the regulating CEAs are manually or automatically controlled. They are capable of changing reactivity very quickly (compared to borating or diluting).

The power density at any point in the core must be limited to maintain specified acceptable fuel design limits, including limits that preserve the criteria specified in 10 CFR 50.46 (Ref. 2). Together, LCO 3.1.7; LCO 3.2.4, "Departure from Nucleate Boiling Ratio (DNBR)"; and LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)," provide limits on control component operation and on monitored process variables to ensure the core operates within LCO 3.2.1, "Linear Heat Rate (LHR)"; LCO 3.2.2, "Planar Radial Peaking Factor (Fxy)"; and LCO 3.2.4, "Departure From Nucleate Boiling Ratio (DNBR)," limits in the COLR. Operation within the LHR limits given in the COLR prevents power peaks that would exceed the loss of coolant accident (LOCA) limits derived by the Emergency Core Cooling Systems analysis.
Operation within the Fxy and departure from nucleate boiling (DNB) limits given in the COLR prevents DNB during a loss of forced reactor coolant flow accident. In addition to the LHR, Fxy, and DNBR limits, certain reactivity limits are preserved by regulating CEA insertion limits. The regulating CEA insertion limits also restrict the ejected CEA worth to the values assumed in the safety analyses and preserve the minimum required SDM in MODES 1 and 2.

The establishment of limiting safety system settings and LCOs requires that the expected long and short term behavior of the radial peaking factors be determined. The long term behavior relates to the variation of the steady state radial peaking factors with core burnup and is affected by the amount of CEA insertion assumed, the portion of a burnup cycle over which such insertion is assumed, and the expected power level variation throughout the cycle. The short term behavior relates to transient perturbations to the steady state radial peaks, due to radial xenon redistribution. The magnitudes of such perturbations depend upon the expected use of the CEAs during anticipated power reductions and load maneuvering. Analyses are performed, based on the expected mode of operation of the Nuclear Steam Supply System (base loaded, maneuvering, etc.). From these analyses, CEA insertions are determined and a consistent set of radial peaking factors defined. The long term steady state and short term insertion limits are determined, based upon the assumed mode of operation used in the analyses, and provide a means of preserving the assumptions on CEA insertions used. The long and short term insertion limits of LCO 3.1.7 are specified for the plant, which has been designed for primarily base loaded operation, but has the ability to accommodate a limited amount of load maneuvering.
The regulating CEA insertion and alignment limits, ASI and Tq are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the regulating bank insertion limits control the reactivity that could be added in the event of a CEA ejection accident, and the shutdown and regulating bank insertion limits ensure the required SDM is maintained.

Operation within the subject LCO limits will prevent fuel cladding failures that would breach the primary fission product barrier and release fission products to the reactor coolant in the event of a LOCA, loss of flow, ejected CEA, or other accident requiring termination by a Reactor Protective System trip function.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation (Condition I) and anticipated operational occurrences (Condition II). The acceptance criteria for the regulating CEA insertion, part strength CEA insertion, ASI, and Tq LCOs preclude core power distributions from occurring that would violate the following fuel design criteria:

a. During a large break LOCA, the peak cladding temperature must not exceed a limit of 2200°F, 10 CFR 50.46 (Ref. 2);
b. During CEA misoperation events, there must be at least a 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition;
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 3); and
d. The CEAs must be capable of shutting down the reactor with a minimum required SDM, with the highest worth CEA stuck fully withdrawn, GDC 26 (Ref. 1).

Regulating CEA position, ASI, and Tq are process variables that together characterize and control the three dimensional power distribution of the reactor core.

Fuel cladding damage does not occur when the core is operated outside these LCOs during normal operation. However, fuel cladding damage could result, should an accident occur with simultaneous violation of one or more of these LCOs. Changes in the power distribution can cause increased power peaking and corresponding increased local LHRs.

The SDM requirement is ensured by limiting the regulating and shutdown CEA insertion limits, so that the allowable inserted worth of the CEAs is such that sufficient reactivity is available in the CEAs to shut down the reactor to hot zero power with a reactivity margin that assumes the maximum worth CEA remains fully withdrawn upon trip (Ref. 4).

The most limiting SDM requirements for MODE 1 and 2 conditions at BOC are determined by the requirements of several transients, e.g., Loss of Flow, Seized Rotor, etc. However, the most limiting SDM requirements for MODES 1 and 2 at EOC come from just one transient, Steam Line Break (SLB). The requirements of the SLB event at EOC for both the full power and no load conditions are significantly larger than those of any other event at that time in cycle and, also, considerably larger than the most limiting requirements at BOC.
Although the most limiting SDM requirements at EOC are much larger than those at BOC, the available SDM obtained via the scramming of the CEAs are also substantially larger due to the much lower boron concentration at EOC. To verify that adequate SDM are available throughout the cycle to satisfy the changing requirements, calculations are performed at both BOC and EOC. It has been determined that calculations at these two times in cycle are sufficient since the differences between available SDM and the limiting SDM requirements are the smallest at these times in the cycle. The measurement of CEA bank worth performed as part of the Startup Testing Program demonstrates that the core has expected shutdown capability. Consequently, adherence to LCOs 3.1.6 and 3.1.7 provides assurance that the available SDM at any time in cycle will exceed the limiting SDM requirements at that time in the cycle.

Operation at the insertion limits or ASI limits may approach the maximum allowable linear heat generation rate or peaking factor, with the allowed Tq present. Operation at the insertion limit may also indicate the maximum ejected CEA worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected CEA worths.

The regulating and shutdown CEA insertion limits ensure that safety analyses assumptions for reactivity insertion rate, SDM, ejected CEA worth, and power distribution peaking factors are preserved (Ref. 4).

The regulating CEA insertion limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii).
LCO

The limits on regulating CEA sequence, overlap, and physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected CEA worth is maintained, and ensuring adequate negative reactivity insertion on trip. The overlap between regulating banks provides more uniform rates of reactivity insertion and withdrawal, and is imposed to maintain acceptable power peaking during regulating CEA motion. The COLR provides separate figures for CEA insertion limits with COLSS in service and COLSS out of service.

The power dependent insertion limit (PDIL) alarm circuit is required to be OPERABLE for notification that the CEAs are outside the required insertion limits. When the PDIL alarm circuit is inoperable, the verification of CEA positions is increased to ensure improper CEA alignment is identified before unacceptable flux distribution occurs.

APPLICABILITY

The regulating CEA sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES 1 and 2. These limits must be maintained, since they preserve the assumed power distribution, ejected CEA worth, SDM, and reactivity rate insertion assumptions. Applicability in MODES 3, 4, and 5 is not required, since the power distribution assumptions would not be exceeded in these MODES. SDM is preserved in MODES 3, 4, and 5 by adjustments to the soluble boron concentration.
This LCO is modified by a Note indicating the LCO requirement is suspended during SR 3.1.5.3. This SR verifies the freedom of the CEAs to move, and requires the regulating CEAs to move below the LCO limits, which would normally violate the LCO.

The Note also allows the LCO to be not applicable during reactor power cutback operation, which inserts a selected CEA group (usually group 4 and 5) during loss of load events. The requirements of SR 3.1.7.2 for tracking accumulated time between the insertion limits are still applicable following a reactor power cutback operation.

ACTIONS

A.1 and A.2

Operation beyond the transient insertion limit may result in a loss of SDM and excessive peaking factors and may violate input assumptions of the CEA ejection and CEA misoperation events. The transient insertion limit should not be violated during normal operation; this violation, however, may occur during transients in response to changing plant conditions. When the regulating groups are inserted beyond the transient insertion limits, actions must be taken to either withdraw the regulating groups beyond the limits or to reduce THERMAL POWER to less than or equal to that allowed for the actual CEA insertion limit. Two hours provides a reasonable time to accomplish this, allowing the operator to deal with current plant conditions while limiting peaking factors to acceptable levels.

B.1

If the CEAs are inserted between the short term steady state insertion limits and the transient insertion limits for intervals > 4 hours per 24 hour period, peaking factors can develop that are of concern due to Xenon changes (Ref. 4).
Additionally, since the CEAs can be in this condition without misalignment, penalty factors are not inserted in the core protection calculators to compensate for the developing peaking factors. Experience has shown that rapid power increases in areas of the core, in which the flux has been depressed, can result in fuel damage as the LHR in those areas rapidly increases. Restricting the rate of THERMAL POWER increases to 5% RTP per hour, following CEA insertion beyond the short term steady state insertion limits, ensures the power transients experienced by the fuel will not result in fuel failure (Ref. 4). The restriction on THERMAL POWER increases shall remain in effect until the Regulating CEA groups are inserted between short term steady state limit and the transient insertion limit for 4 hours per 24 hour interval.

The 15 minute Completion Time ensures that prompt action shall be taken to restrict THERMAL POWER increases.

C.1

With the regulating CEAs inserted between the long term steady state insertion limit and the transient insertion limit, and with the core approaching the 5 effective full power days (EFPD) per 30 EFPD, or 14 EFPD per 365 EFPD limits, the core approaches the acceptable limits placed on operation with flux patterns outside those assumed in the long term burnup assumptions. In this case, the CEAs must be returned to within the long term steady state insertion limits, or the core must be placed in a condition in which the abnormal fuel burnup cannot continue. A Completion Time of 2 hours is a reasonable time to return the CEAs to within the long term steady state insertion limits.
The required Completion Time of 2 hours from initial discovery of a regulating CEA group outside the limits until its restoration to within the long term steady state limits, shown on the figures in the COLR, allows sufficient time for borated water to enter the Reactor Coolant System from the chemical addition and makeup systems, and to cause the regulating CEAs to withdraw to the acceptable region. It is reasonable to continue operation for 2 hours after it is discovered that the 5 day or 14 day EFPD limit has been exceeded. This Completion Time is based on limiting the potential xenon redistribution, the low probability of an accident, and the steps required to complete the action.

D.1

With the PDIL circuit inoperable, performing SR 3.1.7.1 within 1 hour and every 4 hours thereafter ensures improper CEA alignments are identified before unacceptable flux distributions occur.

E.1

When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should be commenced. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.1.7.1

With the PDIL alarm circuit OPERABLE, verification of each regulating CEA group position is sufficient to detect CEA positions that may approach the acceptable limits, and provides the operator with time to undertake the Required Action(s) should the sequence or insertion limits be found to be exceeded.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. PDIL alarms are received on both the Plant Computer (PC) and the Core Monitoring Computer (CMC)/Core Operating Limit Supervisory System (COLSS) after the CMC/COLSS Upgrade.

SR 3.1.7.1 is modified by a Note indicating that entry is allowed into MODE 2 without having performed the SR. This is necessary, since the unit must be in the applicable MODES in order to perform Surveillances that demonstrate the LCO limits are met.

SR 3.1.7.2

Verification of the accumulated time of CEA group insertion between the long term steady state insertion limits and the transient insertion limits ensures the cumulative time limits are not exceeded. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.7.3

Demonstrating the PDIL alarm circuit OPERABLE verifies that the PDIL alarm circuit is functional. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. Regulatory Guide 1.77, Rev. 0, May 1974.
4. UFSAR, Section 15.4.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.8 Part Strength Control Element Assembly (CEA) Insertion Limits

BASES

BACKGROUND

The insertion limits of the part strength CEAs are initial assumptions in the safety analyses for CEA misoperation events. The insertion limits directly affect core power distributions.
The applicable criteria for these power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Plants" (Ref. 2). Limits on part strength CEA insertion have been established, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution defined by the design power peaking limits is preserved. The part strength CEAs are used for axial power shape control of the reactor. The positions of the part strength CEAs are manually controlled. They are capable of changing reactivity very quickly (compared to borating or diluting). The power density at any point in the core must be limited to maintain specified acceptable fuel design limits, including limits that preserve the criteria specified in 10 CFR 50.46 (Ref. 2). Together, LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits"; LCO 3.1.8; LCO 3.2.4, "Departure From Nucleate Boiling Ratio (DNBR)"; and LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)," provide limits on control component operation and on monitored process variables to ensure the core operates within the linear heat rate (LHR) (LCO 3.2.1, "Linear Heat Rate (LHR)"); planar peaking factor (Fxy) (LCO 3.2.2, "Planar Radial Peaking Factors (Fxy)"); and LCO 3.2.4 limits in the COLR. Operation within the limits given in the COLR prevents power peaks that would exceed the loss of coolant accident (LOCA) limits derived by the Emergency Core Cooling Systems analysis. Operation within the Fxy and departure from nucleate boiling (DNB) limits given in the COLR prevents DNB during a loss of forced reactor coolant flow accident. 
The establishment of limiting safety system settings and LCOs requires that the expected long and short term behavior of the radial peaking factors be determined. The long term behavior relates to the variation of the steady state radial peaking factors with core burnup; it is affected by the amount of CEA insertion assumed, the portion of a burnup cycle over which such insertion is assumed, and the expected power level variation throughout the cycle. The short term behavior relates to transient perturbations to the steady state radial peaks due to radial xenon redistribution. The magnitudes of such perturbations depend upon the expected use of the CEAs during anticipated power reductions and load maneuvering. Analyses are performed, based on the expected mode of operation of the Nuclear Steam Supply System (base loaded, maneuvering, etc.). From these analyses, CEA insertions are determined, and a consistent set of radial peaking factors are defined. The long term (steady state) and short term insertion limits are determined, based upon the assumed mode of operation used in the analyses; they provide a means of preserving the assumptions on CEA insertions used. The long and short term insertion limits of LCO 3.1.8 are specified for the plant, which has been designed primarily for base loaded operation, but has the ability to accommodate a limited amount of load maneuvering.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation (Condition I) and anticipated operational occurrences (Condition II).
The regulating CEA insertion, part strength CEA insertion, ASI, and Tq LCOs preclude core power distributions from occurring that would violate the following fuel design criteria:

a. During a large break LOCA, the peak cladding temperature must not exceed 2200°F (Ref. 2);
b. During CEA misoperation events, there must be at least a 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition;
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 3); and
d. The CEAs must be capable of shutting down the reactor with a minimum required SDM, with the highest worth CEA stuck fully withdrawn, GDC 26 (Ref. 1).

Regulating CEA position, part strength CEA position, ASI, and Tq are process variables that together characterize and control the three dimensional power distribution of the reactor core.

Fuel cladding damage does not occur when the core is operated outside these LCOs during normal operation. However, fuel cladding damage could result, should an accident occur with simultaneous violation of one or more of these LCOs. Changes in the power distribution can cause increased power peaking and corresponding increased local LHRs.

The part strength CEA insertion limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii). The part strength CEAs are required due to the potential peaking factor violations that could occur if part strength CEAs exceed insertion limits.
LCO

The limits on part strength CEA insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution.

APPLICABILITY

The part strength insertion limits shall be maintained with the reactor in MODES 1 and 2. These limits must be maintained, since they preserve the assumed power distribution. Applicability in lower MODES is not required, since the power distribution assumptions would not be exceeded in these MODES.

ACTIONS

A.1, A.2 and B.1

If the part strength CEA groups are inserted beyond the following limits, flux patterns begin to develop that are outside the range assumed for long term fuel burnup;

1) Transient insertion limits;
2) Between the long term (steady-state) insertion limit and the transient insertion limit for;
   a) 7 or more effective full power days (EFPD) out of any 30 EFPD period;
   b) 14 EFPD or more out of any 365 EFPD period.

If allowed to continue beyond this limit, the peaking factors assumed as initial conditions in the accident analysis may be invalidated (Ref. 4). Restoring the CEAs to within limits or reducing THERMAL POWER to that fraction of RTP that is allowed by CEA group position, using the limits specified in the COLR, ensures that acceptable peaking factors are maintained.

Since these effects are cumulative, actions are provided to limit the total time the part strength CEAs can be out of limits in any 30 EFPD or 365 EFPD period.
Since the cumulative out of limit times are in days, an additional Completion Time of 2 hours is reasonable for restoring the part strength CEAs to within the allowed limits.

C.1

When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should commence. A Completion Time of 6 hours is reasonable, based on operating experience, for reaching Mode 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.1.8.1

Verification of each part strength CEA group position is sufficient to detect CEA positions that may approach the limits, and provide the operator with time to undertake the Required Action(s), should insertion limits be found to be exceeded. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. Regulatory Guide 1.77, Rev. 0, May 1974.
4. UFSAR, Section 15.4.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.9 Special Test Exceptions (STE) - SHUTDOWN MARGIN (SDM)

BASES

BACKGROUND

The primary purpose of the SDM STE is to permit relaxation of existing LCOs to allow the performance of certain PHYSICS TESTS. These tests are conducted to determine the control element assembly (CEA) worth.

Section XI of 10 CFR 50, Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Processing Plants" (Ref.
1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. Testing is required as an integral part of the design, fabrication, construction, and operation of the power plant. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59, "Changes, Tests, and Experiments" (Ref. 2).

The key objectives of a test program are to (Ref. 3):

a. Ensure that the facility has been adequately designed;
b. Validate the analytical models used in design and analysis;
c. Verify assumptions used for predicting plant response;
d. Ensure that installation of equipment in the facility has been accomplished in accordance with the design; and
e. Verify that operating and emergency procedures are adequate.

To accomplish these objectives, testing is required prior to initial criticality, after each refueling shutdown, and during startup, low power operation, power ascension, and at power operation. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4).

PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of testing required to ensure that the design intent is met.
PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worths, reactivity coefficients, flux symmetry, and core power distribution.

APPLICABLE SAFETY ANALYSES

It is acceptable to suspend certain LCOs for PHYSICS TESTS because fuel damage criteria are not exceeded. Even if an accident occurs during PHYSICS TESTS with one or more LCOs suspended, fuel damage criteria are preserved because adequate limits on power distribution and shutdown capability are maintained during PHYSICS TESTS.

Reference 5 defines the requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1985 (Ref. 4). PHYSICS TESTS for reload fuel cycles are given in Table 1 of ANSI/ANS-19.6.1-1985. Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. As long as the linear heat rate (LHR) remains within its limit, fuel design criteria are preserved.

In this test, the following LCOs are suspended:

a. LCO 3.1.2, "SHUTDOWN MARGIN (SDM) - Reactor Trip Breakers Closed";
b. LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits"; and
c. LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits."
Therefore, this LCO places limits on the minimum amount of CEA worth required to be available for reactivity control when CEA worth measurements are performed.

The individual LCOs cited above govern SDM, CEA group height, insertion, and alignment. Additionally, the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature Tc, and pressurizer pressure contribute to maintaining departure from nucleate boiling (DNB) parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 6). The criteria for the loss of forced reactor coolant flow accidents are specified in Reference 7. Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria.

SRs are conducted as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS. Performance of these SRs allows PHYSICS TESTS to be conducted without decreasing the margin of safety.

Requiring that shutdown reactivity equivalent to at least the highest estimated CEA worth (of those CEAs actually withdrawn) be available for trip insertion from the OPERABLE CEAs, provides a high degree of assurance that shutdown capability is maintained for the most challenging postulated accident, a stuck CEA.
Since LCO 3.1.2 is suspended, however, there is not the same degree of assurance during this test that the reactor would always be shut down if the highest worth CEA was stuck out and calculational uncertainties or the estimated highest CEA worth was not as expected (the single failure criterion is not met). This situation is judged acceptable, however, because specified acceptable fuel damage limits are still met. The risk of experiencing a stuck CEA and subsequent criticality is reduced during this PHYSICS TEST exception by the requirements to determine CEA positions every 2 hours; by the trip of each CEA to be withdrawn within 7 days prior to suspending the SDM requirements; and by ensuring that shutdown reactivity is available, equivalent to the reactivity worth of the estimated highest worth withdrawn CEA (Ref. 5).

PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables. Among the process variables involved are total planar radial peaking factor, total integrated radial peaking factor, Tq, and ASI, which represent initial condition input (power peaking) to the accident analysis. Also involved are the shutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR.

PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications since the components and process variable LCOs suspended during PHYSICS TESTS meet Criteria 1, 2, and 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

This LCO provides that a minimum amount of CEA worth is immediately available for reactivity control when CEA worth measurement tests are performed. This STE is required to permit the periodic verification of the actual versus predicted worth of the regulating and shutdown CEAs. The SDM requirements of LCO 3.1.2, the shutdown CEA insertion limits of LCO 3.1.6, and the regulating CEA insertion limits of LCO 3.1.7 may be suspended.

APPLICABILITY

This LCO is applicable in MODES 2 and 3. Although CEA worth testing is conducted in MODE 2, sufficient negative reactivity is inserted during the performance of these tests to result in temporary entry into MODE 3. Because the intent is to immediately return to MODE 2 to continue CEA worth measurements, the STE allows limited operation to 6 consecutive hours in MODE 3 as indicated by the Note, without having to borate to meet the SDM requirements of LCO 3.1.2.

ACTIONS

A.1

With any CEA not fully inserted and less than the minimum required reactivity equivalent available for insertion, or with all CEAs inserted and the reactor subcritical by less than the reactivity equivalent of the highest worth withdrawn CEA, restoration of the minimum shutdown reactivity requirements must be accomplished by increasing the RCS boron concentration. The required Completion Time of 15 minutes for initiating boration allows the operator sufficient time to align the valves and start the boric acid pumps and is consistent with the Completion Time of LCO 3.1.2.
In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the refueling water tank. The operator should borate with the best source available for the plant conditions.

In determining the boration flow rate the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle, when boron concentration may approach or exceed 2000 ppm. Assuming that a value of 1% Δk/k must be recovered and a boration flow rate of 26 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in less than 4 hours with a 4000 ppm source. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Δk/k. These boration parameters of 26 gpm and 4000 ppm represent typical values and are provided for the purpose of offering a specific example.

SURVEILLANCE REQUIREMENTS

SR 3.1.9.1

Verification of the position of each partially or fully withdrawn full strength, or part strength CEA is necessary to ensure that the minimum negative reactivity requirements for insertion on a trip are preserved. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.9.2

Prior demonstration that each CEA to be withdrawn from the core during PHYSICS TESTS is capable of full insertion, when tripped from at least a 50% withdrawn position, ensures that the CEA will insert on a trip signal.
The 7 day Frequency ensures that the CEAs are OPERABLE prior to reducing SDM requirements to less than the limits of LCO 3.1.2.

SR 3.1.9.3

During MODE 3, verification that the reactor is subcritical by at least the reactivity equivalent of the highest estimated CEA worth ensures that the minimum negative reactivity requirements are preserved. The negative reactivity requirements are verified by performing a reactivity balance calculation, considering the listed reactivity effects:

a. RCS boron concentration;
b. CEA positions;
c. RCS average temperature;
d. Fuel burnup based on gross thermal energy generation;
e. Xenon concentration; and
f. Samarium concentration.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix B, Section XI.
2. 10 CFR 50.59.
3. Regulatory Guide 1.68, Revision 2, August 1978.
4. ANSI/ANS-19.6.1-1985, December 13, 1985.
5. UFSAR, Chapter 14.
6. 10 CFR 50.46.
7. UFSAR, Chapter 15.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.10 Special Test Exceptions (STE) - MODES 1 and 2

BASES

BACKGROUND

The primary purpose of these MODES 1 and 2 STEs is to permit relaxation of existing LCOs to allow the performance of certain PHYSICS TESTS. These tests are conducted to determine specific reactor core characteristics.

Section XI of 10 CFR 50, Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Processing Plants" (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested.
Testing is required as an integral part of the design, fabrication, construction, and operation of the power plant. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59, "Changes, Tests, and Experiments" (Ref. 2).

The key objectives of a test program are to (Ref. 3):

a. Ensure that the facility has been adequately designed;
b. Validate the analytical models used in design and analysis;
c. Verify assumptions used for predicting plant response;
d. Ensure that installation of equipment in the facility has been accomplished in accordance with design; and
e. Verify that operating and emergency procedures are adequate.

To accomplish these objectives, testing is required prior to initial criticality, after each refueling shutdown, and during startup, low power operation, power ascension, and at power operation. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4).

PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of testing required to ensure that design intent is met. PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worth, reactivity coefficients, flux symmetry, and core power distribution.
APPLICABLE SAFETY ANALYSES

It is acceptable to suspend certain LCOs for PHYSICS TESTS because fuel damage criteria are not exceeded. Even if an accident occurs during PHYSICS TESTS with one or more LCOs suspended, fuel damage criteria are preserved because the limits on power distribution and shutdown capability are maintained during PHYSICS TESTS.

Reference 5 defines requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1985 (Ref. 4). Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. As long as the linear heat rate (LHR) remains within its limit, fuel design criteria are preserved.

In this test, the following LCOs are suspended:

LCO 3.1.4, "Moderator Temperature Coefficient (MTC)";
LCO 3.1.5, "Control Element Assembly (CEA) Alignment";
LCO 3.1.6, "Shutdown Control Element Assembly (CEA) Insertion Limits";
LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits (FTxy)";
LCO 3.1.8, "Part Strength Control Element Assembly (CEA) Insertion Limits";
LCO 3.2.2, "Planar Radial Peaking Factors";
LCO 3.2.3, "AZIMUTHAL POWER TILT (Tq)";
LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)"; and
LCO 3.3.3, "Control Element Assembly Calculators (CEACs)".

The safety analysis (Ref.
6) places limits on allowable THERMAL POWER during PHYSICS TESTS and requires that the LHR and the departure from nucleate boiling (DNB) parameter be maintained within limits. The power plateau of 85% RTP and the associated trip setpoints are required to ensure these limits are maintained.

The individual LCOs governing CEA group height, insertion and alignment, ASI, total planar radial peaking factor, total integrated radial peaking factor, and Tq, preserve the LHR limits. Additionally, the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature (Tc), and pressurizer pressure contribute to maintaining DNB parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 7). The criteria for the loss of forced reactor coolant flow accident are specified in Reference 7. Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria.

During PHYSICS TESTS, one or more of the LCOs that normally preserve the LHR and DNB parameter limits may be suspended. The results of the accident analysis are not adversely impacted, however, if LHR and DNB parameters are verified to be within their limits while the LCOs are suspended. Therefore, SRs are placed as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS. Performance of these Surveillances allows PHYSICS TESTS to be conducted without decreasing the margin of safety.

PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables.
Among the process variables involved are total planar radial peaking factor, total integrated radial peaking factor, Tq, and ASI, which represent initial condition input (power peaking) to the accident analysis. Also involved are the shutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR.

PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications, since the component and process variable LCOs suspended during PHYSICS TESTS meet Criteria 1, 2, and 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO permits individual CEAs to be positioned outside of their normal group heights and insertion limits during the performance of PHYSICS TESTS, such as those required to: a. Measure CEA worth; b. Determine the reactor stability index and damping factor under xenon oscillation conditions; c. Determine power distributions for nonnormal CEA configurations; d. Measure rod shadowing factors; and e. Measure temperature and power coefficients.

Additionally, it permits the center CEA to be misaligned during PHYSICS TESTS required to determine the isothermal temperature coefficient (ITC), MTC, and power coefficient. The requirements of LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, LCO 3.1.7, LCO 3.1.8, LCO 3.2.2, LCO 3.2.3, LCO 3.2.5 and LCO 3.3.3, may be suspended during the performance of PHYSICS TESTS provided THERMAL POWER is restricted to test power plateau, which shall not exceed 85% RTP and that a minimum amount of CEA worth is immediately available for reactivity control.
APPLICABILITY

This LCO is applicable in MODES 1 and 2 because the reactor must be critical at various THERMAL POWER levels to perform the PHYSICS TESTS described in the LCO section. Limiting the test power plateau to 85% RTP ensures that LHRs are maintained within acceptable limits.

ACTIONS

A.1

If THERMAL POWER exceeds the test power plateau in MODE 1, THERMAL POWER must be reduced to restore the additional thermal margin provided by the reduction. The 15 minute Completion Time ensures that prompt action shall be taken to reduce THERMAL POWER to within acceptable limits.

B.1 and B.2

If Required Action A.1 cannot be completed within the required Completion Time, PHYSICS TESTS must be suspended within 1 hour. Allowing 1 hour for suspending PHYSICS TESTS allows the operator sufficient time to change any abnormal CEA configuration back to within the limits of LCO 3.1.5, LCO 3.1.6, and LCO 3.1.7. Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

SURVEILLANCE REQUIREMENTS

SR 3.1.10.1

Verifying that THERMAL POWER is equal to or less than that allowed by the test power plateau, as specified in the PHYSICS TEST procedure and required by the safety analysis, ensures that adequate LHR and departure from nucleate boiling ratio margins are maintained while LCOs are suspended. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.1.10.2

Verification of the position of each partially or fully withdrawn full strength or part strength CEA is necessary to ensure that the minimum negative reactivity requirements for insertion on a trip are preserved. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix B, Section XI.
2. 10 CFR 50.59.
3. Regulatory Guide 1.68, Revision 2, August 1978.
4. ANSI/ANS-19.6.1-1985, December 13, 1985.
5. UFSAR, Chapter 14.
6. UFSAR, Section 15.3.
7. 10 CFR 50.46.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.11 Special Test Exceptions (STE) - Reactivity Coefficient Testing

BASES

BACKGROUND

The primary purpose of Reactivity Coefficient Testing is to permit relaxation of existing LCOs to allow the performance of certain PHYSICS TESTS. These tests are conducted to determine isothermal temperature coefficient, moderator temperature coefficient, and power coefficient.

Section XI of 10 CFR 50, Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Processing Plants" (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. Testing is required as an integral part of the design, fabrication, construction, and operation of the power plant. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59, "Changes, Tests, and Experiments" (Ref. 2).

The key objectives of a test program are to (Ref. 3): a. Ensure that the facility has been adequately designed; b. Validate the analytical models used in design and analysis; c. Verify assumptions used for predicting plant response; d. Ensure that installation of equipment in the facility has been accomplished in accordance with design; and e. Verify that operating and emergency procedures are adequate.

To accomplish these objectives, testing is required prior to initial criticality, after each refueling shutdown, and during startup, low power operation, power ascension, and at power operation.

The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4).

PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of testing required to ensure that design intent is met. PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worth, reactivity coefficients, flux symmetry, and core power distribution.

APPLICABLE SAFETY ANALYSES

It is acceptable to suspend certain LCOs for PHYSICS TESTS because fuel damage criteria are not exceeded.
Even if an accident occurs during PHYSICS TESTS with one or more LCOs suspended, fuel damage criteria are preserved because the limits on power distribution and shutdown capability are maintained during PHYSICS TESTS. Reference 5 defines requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1985 (Ref. 4). Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. As long as the linear heat rate (LHR) and DNBR remain within their limits, fuel design criteria are preserved.

In this test, the following LCOs are suspended: LCO 3.1.7, "Regulating Control Element Assembly (CEA) Insertion Limits"; LCO 3.1.8, "Part Strength Control Element Assembly (CEA) Insertion Limits"; and LCO 3.4.1, "RCS Pressure, Temperature, and Flow Limits" (LCO 3.4.1.b, RCS Cold Leg Temperature only).

The safety analysis (Ref. 6) requires that the LHR and the departure from nucleate boiling (DNB) parameter be maintained within limits. The associated trip setpoints are required to ensure these limits are maintained. The individual LCOs governing CEA group height, insertion and alignment, ASI, total planar radial peaking factor, total integrated radial peaking factor, and Tq, preserve the LHR limits. Additionally, the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature (Tc), and pressurizer pressure contribute to maintaining DNB parameter limits.
The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 7). The criteria for the loss of forced reactor coolant flow accident are specified in Reference 7. Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria. During PHYSICS TESTS, one or more of the LCOs that normally preserve the LHR and DNB parameter limits may be suspended. The results of the accident analysis are not adversely impacted, however, if LHR and DNB parameters are verified to be within their limits while the LCOs are suspended. Therefore, SRs are placed as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS. Performance of these Surveillances allows PHYSICS TESTS to be conducted without decreasing the margin of safety. PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables. Among the process variables involved are total planar radial peaking factor, total integrated radial peaking factor, Tq, and ASI, which represent initial condition input (power peaking) to the accident analysis. Also involved are the shutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR. 
PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications, since the component and process variable LCOs suspended during PHYSICS TESTS meet Criteria 1, 2, and 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO permits Part Strength CEAs and Regulating CEAs to be positioned outside of their normal group heights and insertion limits, and RCS cold leg temperature to be outside its limits during the performance of PHYSICS TESTS. These PHYSICS TESTS are required to determine the isothermal temperature coefficient (ITC), MTC, and power coefficient. The requirements of LCO 3.1.7, LCO 3.1.8, and LCO 3.4.1 (for RCS cold leg temperature only) may be suspended during the performance of PHYSICS TESTS provided COLSS is in service.

APPLICABILITY

This LCO is applicable in MODE 1 with THERMAL POWER > 20% RTP because the reactor must be critical at THERMAL POWER levels > 20% RTP to perform the PHYSICS TESTS described in the LCO section.

ACTIONS

A.1

With the LHR or DNBR outside the limits specified in the COLR, adequate safety margin is not assured and power must be reduced to restore LHR and DNBR to within limits. The required Completion Time of 15 minutes ensures prompt action is taken to restore LHR or DNBR to within limits.
B.1

When the Required Action cannot be met or completed within the required Completion Time, PHYSICS TEST must be suspended within 1 hour. Allowing 1 hour for suspending PHYSICS TEST allows the operator sufficient time to change any abnormal conditions back to within the limits of LCO 3.1.7, LCO 3.1.8, and LCO 3.4.1. Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

SURVEILLANCE REQUIREMENTS

SR 3.1.11.1

With THERMAL POWER greater than or equal to 20% RTP, LHR and DNBR can be continuously monitored using the COLSS since the COLSS is available with THERMAL POWER above 20% RTP. If COLSS is not available, LHR and DNBR can be continuously monitored using any OPERABLE CPC channel. Continuous monitoring is required to ensure that the LHR and DNBR limits are satisfied at all times. SRs 3.2.1.1 and 3.2.4.1 provide the specific requirements for performing this SR.

REFERENCES

1. 10 CFR 50, Appendix B, Section XI.
2. 10 CFR 50.59.
3. Regulatory Guide 1.68, Revision 2, August 1978.
4. ANSI/ANS-19.6.1-1985, December 13, 1985.
5. UFSAR, Chapter 14.
6. UFSAR, Section 15.3.
7. 10 CFR 50.46.

B 3.2 POWER DISTRIBUTION LIMITS

B 3.2.1 Linear Heat Rate (LHR)

BASES

BACKGROUND

The purpose of this LCO is to limit the core power distribution to the initial values assumed in the accident analyses.
Operation within the limits imposed by this LCO limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits the damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable bounding conditions at the onset of a transient. Methods of controlling the power distribution include: a. Using full strength or part strength CEAs to alter the axial power distribution; b. Decreasing CEA insertion by boration, thereby improving the radial power distribution; and c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations. The core power distribution is controlled so that, in conjunction with other core operating parameters (e.g., CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. The limiting safety system settings and this LCO are based on the accident analyses (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs), and the limits of acceptable consequences are not exceeded for other postulated accidents. Limiting power distribution skewing over time also minimizes xenon distribution skewing, which is a significant factor in controlling the axial power distribution. 
Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on the LHR and Departure from Nucleate Boiling (DNB).

Proximity to the DNB condition is expressed by the Departure from Nucleate Boiling Ratio (DNBR), defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3) and corrected for such factors as rod bow and grid spacers. It is accepted as an appropriate margin to DNB for all operating conditions.

There are two systems that monitor core power distribution online: the Core Operating Limit Supervisory System (COLSS) and the Core Protection Calculators (CPCs). The COLSS and CPCs that monitor the core power distribution are capable of verifying that the LHR and the DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR. The CPCs perform this function by continuously calculating an actual value of DNBR and Local Power Density (LPD) for comparison with the respective trip setpoints.

The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm if an operating limit is exceeded.
Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded by initiating a reactor trip.

The COLSS continually generates an assessment of the calculated margin for specified LHR and DNBR limits. The data required for these assessments include measured incore neutron flux, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.

In addition to the monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicate CEA positions. In this case, the CPCs assume a minimum core power of 20% RTP because the power range excore neutron flux detecting system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high LPD or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits.

The LHR and DNBR algorithms are valid within the limits on ASI, Fxy and Tq. These limits are obtained directly from initial core or reload analysis.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation or AOOs (Ref. 4).
The power distribution and CEA insertion and alignment LCOs prevent core power distributions from reaching levels that violate the following fuel design criteria: a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5); b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4); c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6); and d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in determining the power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing the LHR, ASI, CEAs, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits.
The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the ranges used in the accident analyses (Ref. 1).

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs from initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and can correspondingly increase local LHR.

The LHR satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to the LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR. The limitation on LHR ensures that in the event of a LOCA the peak temperature of the fuel cladding does not exceed 2200°F.

APPLICABILITY

Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are: a. The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate due to the poor signal to noise ratios at relatively low core power levels; and b. As a result of this inaccuracy, the CPCs assume minimum core power of 20% RTP when generating LPD and DNBR trip signals.
When core power is below 20% RTP, the core is operating well below its thermal limits and the resultant CPC calculated LPD and DNBR trips are highly conservative.

ACTIONS

A.1

Operation at or below the COLSS calculated power limit based on the LHR ensures that the LHR limit is not exceeded. If the COLSS calculated core power limit based on the LHR exceeds the operating limit, restoring the LHR to within limit in 1 hour ensures that prompt action is taken to reduce LHR to below the specified limit. One hour is a reasonable time to return LHR to within limits when the limit is exceeded without a trip due to events such as a dropped CEA or an axial xenon oscillation.

B.1, B.2.1, and B.2.2

If the COLSS is not available the OPERABLE LPD channels are monitored to ensure that the LHR limit is not exceeded. Operation within this limit ensures that in the event of a LOCA the fuel cladding temperature does not exceed 2200°F. Four hours is allowed for restoring the LHR limit to within the region of acceptable operation. This duration is reasonable because the COLSS allows the plant to operate with less LHR margin (closer to the LHR limit than when monitoring the CPCs).

When operating with the COLSS out of service and LHR not within the region of acceptable operation, there is a possibility of a slow undetectable transient that degrades the LHR slowly over the 4 hour period and is then followed by an AOO or an accident. To remedy this, the CPC calculated values of LHR are monitored every 15 minutes when the COLSS is out of service and LHR not within the region of acceptable operation.
The 15 minute frequency is adequate to allow the operator to identify an adverse trend in conditions that could result in an approach to the LHR limit. Also, a maximum allowable change in the CPC calculated LHR ensures that further degradation requires the operators to take immediate action to restore LHR to within limits or reduce reactor power to comply with the Technical Specifications (TS). With an adverse trend, one hour is allowed for restoring LHR to within limits if the COLSS is not restored to OPERABLE status. Implementation of this requirement ensures that reductions in core thermal margin are quickly detected, and if necessary, results in a decrease in reactor power and subsequent compliance with the existing COLSS out of service TS limits. If LHR cannot be monitored every 15 minutes, assume that there is an adverse trend. With no adverse trend, four hours is allowed to restore the LHR to within limits if the COLSS is not restored to OPERABLE status. This duration is reasonable because the Frequency of the CPC determination of LHR is increased and if operation is maintained steady, the likelihood of exceeding the LHR limit during this period is not increased. The likelihood of induced reactor transients from an early power reduction is also decreased. C.1 If the LHR cannot be returned to within its limit or the LHR cannot be determined because of the COLSS and CPC inoperability, core power must be reduced. Reduction of core power to 20% RTP ensures that the core is operating within its thermal limits and places the core in a conservative condition based on the trip setpoints generated by the CPCs, which assume a minimum core power of 20% RTP. 
The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach 20% RTP in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.2.1.1

With the COLSS out of service, the operator must monitor the LHR with any OPERABLE local power density channel. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that states that the SR is applicable only when the COLSS is out of service. Continuous monitoring of the LHR is provided by the COLSS, which calculates core power and core power operating limits based on the LHR and continuously displays these limits to the operator. A COLSS margin alarm is annunciated in the event that the THERMAL POWER exceeds the core power operating limit based on LHR. This SR is also modified by a Note that states that the SR is not required to be performed until 2 hours after MODE 1 with THERMAL POWER > 20% RTP. During plant startup (increase from 15-18% RTP), the plant dynamics associated with the downcomer to economizer swapover may result in a temporary power increase above 20% RTP. The 2 hours after reaching 20% RTP is required for plant stabilization.

SR 3.2.1.2

Verification that the COLSS margin alarm actuates at a THERMAL POWER level equal to or less than the core power operating limit based on the LHR in units of kilowatts per foot ensures the operator is alerted when conditions approach the LHR operating limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES

1. UFSAR, Section 15.
2. UFSAR, Section 6.
3. CE-1 Correlation for DNBR.
4. 10 CFR 50, Appendix A, GDC 10.
5. 10 CFR 50.46.
6. Regulatory Guide 1.77, Rev. 0, May 1974.
7. 10 CFR 50, Appendix A, GDC 26.

B 3.2 POWER DISTRIBUTION LIMITS

B 3.2.2 Planar Radial Peaking Factors (Fxy)

BASES

BACKGROUND

The purpose of this LCO is to limit the core power distribution to the initial values assumed in the accident analyses. Operation within the limits imposed by this LCO either limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), loss of flow accident, ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable conditions at the onset of a transient.

Methods of controlling the power distribution include:

a. Using full strength or part strength CEAs to alter the axial power distribution; b. Decreasing CEA insertion by boration, thereby improving the radial power distribution; and c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations.

The core power distribution is controlled so that, in conjunction with other core operating parameters (CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. Limiting safety system settings and this LCO are based on the accident analyses (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs), and the limits of acceptable consequences are not exceeded for other postulated accidents.

Limiting power distribution skewing over time also minimizes xenon distribution skewing, which is a significant factor in controlling axial power distribution.

Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on Linear Heat Rate (LHR) and Departure from Nucleate Boiling (DNB).

Proximity to the DNB condition is expressed by the Departure from Nucleate Boiling Ratio (DNBR), defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3) and corrected for such factors as rod bow and grid spacers, and it is accepted as an appropriate margin to DNB for all operating conditions.

There are two systems that monitor core power distribution online: the Core Operating Limit Supervisory System (COLSS) and the Core Protection Calculators (CPCs). The COLSS and CPCs that monitor the core power distribution are capable of verifying that the LHR and the DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR values. The CPCs perform this function by continuously calculating actual values of DNBR and Local Power Density (LPD) for comparison with the respective trip setpoints. DNBR penalty factors are included in both the COLSS and CPC DNBR calculations to accommodate the effects of rod bow.

The amount of rod bow in each assembly is dependent upon the average burnup experienced by that assembly. Fuel assemblies that incur higher than average burnup experience greater rod bow. Conversely, fuel assemblies that receive lower than average burnup experience less rod bow. In design calculations for a reload core, each batch of fuel is assigned a penalty applied to the maximum integrated planar radial power peak of the batch. This penalty is correlated with the amount of rod bow determined from the maximum average assembly burnup of the batch. A single net penalty for the COLSS and CPCs is then determined from the penalties associated with each batch that comprises a core reload, accounting for the offsetting margins due to the lower radial power peaks in the higher burnup batches.

The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm if an operating limit is exceeded. Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded for AOOs by initiating a reactor trip.

The COLSS continually generates an assessment of the calculated margin for LHR and DNBR specified limits. The data required for these assessments include measured incore neutron flux, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.
In addition to monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicates CEA position. In this case, the CPCs assume a minimum core power of 20% RTP. This threshold is set at 20% RTP because the power range excore neutron flux detecting system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high LPD or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits.

The limits on ASI, Fxy, and Tq represent limits within which the LHR and DNBR algorithms are valid. These limits are obtained directly from the initial core or reload analysis.

APPLICABLE SAFETY ANALYSES
The fuel cladding must not sustain damage as a result of normal operation or AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs prevent core power distributions from reaching levels that violate the following fuel design criteria:
a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);
b. During CEA misoperation events or a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6); and
d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This result is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and the uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, CEAs, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the ranges used in the accident analyses (Ref. 1).

Fuel cladding damage does not occur because of conditions outside the limits of these LCOs for ASI, Fxy, and Tq during normal operation. However, fuel cladding damage results if an accident occurs from initial conditions outside the limits of these LCOs.
This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased LHR.

Fxy satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to the LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR. Limiting the calculated Planar Radial Peaking Factors (FCxy) used in the COLSS and CPCs to values greater than the measured Planar Radial Peaking Factors (FMxy) ensures that the limits calculated by the COLSS and CPCs remain valid. The Planar Radial Peaking Factor is the ratio of the peak to plane average power density of the individual fuel rods in a given horizontal plane, excluding the effects of azimuthal tilt.

APPLICABILITY
Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:
a. The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate because of the poor signal to noise ratio that they experience at relatively low core power levels; and
b. As a result of this inaccuracy, the CPCs assume a minimum core power of 20% RTP when generating the LPD and DNBR trip signals.
When the core power is below 20% RTP, the core is operating well below its thermal limits, and the resultant CPC calculated LPD and DNBR trips are highly conservative.

ACTIONS
A.1.1 and A.1.2
When the FMxy values exceed the FCxy values used in the COLSS and CPCs, nonconservative operating limits and trip setpoints may be calculated. In this case, action must be taken to ensure that the COLSS operating limits and CPC trip setpoints remain valid with respect to the accident analysis. The operator can do this by performing the Required Actions A.1.1 and A.1.2. The 6 hour Completion Time provides the time required to calculate the required multipliers and make the necessary adjustments to the CPC addressable constants. During this period the DNBR and LHR setpoints may be slightly nonconservative but DNBR and LHR are still within limits. Therefore, 6 hours is an acceptable Completion Time to perform these actions considering the low probability of an accident occurring during this time period.

A.2
As an alternative to Required Actions A.1.1 and A.1.2, the operator may adjust the affected values of FCxy used in the COLSS and CPCs to values FMxy. The 6 hour Completion Time provides the time required to calculate the required multipliers and make the necessary adjustments to the CPC addressable constants. During this period the DNBR and LHR setpoints may be slightly nonconservative but DNBR and LHR are still within limits. Therefore, 6 hours is an acceptable Completion Time to perform these actions considering the low probability of an accident occurring during this time period.
A.3
If Required Actions A.1.1 and A.1.2 or A.2 cannot be accomplished within 6 hours, the core power must be reduced. Reduction to 20% RTP or less ensures that the core is operating within the specified thermal limits and places the core in a conservative condition based on the trip setpoints generated by the COLSS and CPC operating limits; these limits are established assuming a minimum core power of 20% RTP. Six hours is a reasonable time to reach 20% RTP in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS
SR 3.2.2.1
This periodic Surveillance is for determining, using the Incore Detector System, that FMxy values are FCxy values used in the COLSS and CPCs. It ensures that the FCxy values used remain valid throughout the fuel cycle. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Determining the FMxy values after each fuel loading when THERMAL POWER is > 40% RTP, but prior to its exceeding 70% RTP, ensures that the core is properly loaded.

REFERENCES
1. UFSAR, Section 15.
2. UFSAR, Section 6.
3. CE-1 Correlation for DNBR.
4. 10 CFR 50, Appendix A, GDC 10.
5. 10 CFR 50.46.
6. Regulatory Guide 1.77, Rev. 0, May 1974.
7. 10 CFR 50, Appendix A, GDC 26.

B 3.2 POWER DISTRIBUTION LIMITS
B 3.2.3 AZIMUTHAL POWER TILT (Tq)
BASES

BACKGROUND
The purpose of this LCO is to limit the core power distribution to the initial values assumed in the accident analyses. Operation within the limits imposed by this LCO either limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), loss of flow accident, ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits the amount of damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable conditions at the onset of a transient.

Methods of controlling the power distribution include:
a. Using full strength or part strength CEAs to alter the axial power distribution;
b. Decreasing CEA insertion by boration, thereby improving the radial power distribution; and
c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations.

The core power distribution is controlled so that, in conjunction with other core operating parameters (e.g., CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. The limiting safety system settings and this LCO are based on the accident analyses (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs) and the limits of acceptable consequences are not exceeded for other postulated accidents.
Limiting power distribution skewing over time also minimizes xenon distribution skewing, which is a significant factor in controlling axial power distribution.

Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on the Linear Heat Rate (LHR) and the Departure from Nucleate Boiling (DNB).

Proximity to the DNB condition is expressed by the Departure from Nucleate Boiling Ratio (DNBR), defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3) and corrected for such factors as rod bow and grid spacers, and it is accepted as an appropriate margin to DNB for all operating conditions.

There are two systems that monitor core power distribution online: the Core Operating Limit Supervisory System (COLSS) and the Core Protection Calculators (CPCs). The COLSS and CPCs that monitor the core power distribution are capable of verifying that the LHR and the DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR. The CPCs perform this function by continuously calculating actual values of DNBR and Local Power Density (LPD) for comparison with the respective trip setpoints. A DNBR penalty factor is included in the COLSS and CPC DNBR calculation to accommodate the effects of rod bow.
The amount of rod bow in each assembly is dependent upon the average burnup experienced by the assembly. Fuel assemblies that incur higher than average burnup experience greater magnitude of rod bow. Conversely, fuel assemblies that receive lower than average burnup experience less rod bow. In design calculations for a reload core, each batch of fuel is assigned a penalty applied to the maximum integrated planar radial power peak of the batch. This penalty is correlated with the amount of rod bow that is determined from the maximum average assembly burnup of the batch. A single net penalty for the COLSS and CPCs is then determined from the penalties associated with each batch that comprises a core reload, accounting for the offsetting margins caused by the lower radial power peaks in the higher burnup batches.

The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm if an operating limit is exceeded. Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded for AOOs by initiating a reactor trip.

The COLSS continually generates an assessment of the calculated margin for LHR and DNBR specified limits. The data required for these assessments include measured incore neutron flux data, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.
In addition to the monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicates CEA position. In this case, the CPCs assume a minimum core power of 20% RTP. This threshold is set at 20% RTP because the power range excore neutron flux detection system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high local power density or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits.

The limits on the ASI, Fxy, and Tq represent limits within which the LHR and DNBR algorithms are valid. These limits are obtained directly from the initial core or reload analysis.

APPLICABLE SAFETY ANALYSES
The fuel cladding must not sustain damage as a result of operation and AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs preclude core power distributions that violate the following fuel design criteria:
a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);
b. During CEA misoperation events or a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);
c. During a CEA ejection accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6); and
d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Ref. 1). This result is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analysis (Ref. 2) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 1). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, CEAs, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits of these variables ensures that their actual values are within the range used in the accident analyses (Ref. 1).

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs due to initial conditions outside the limits of these LCOs.
The potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

Tq satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to the LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR.

The limitations on the Tq are provided to ensure that design operating margins are maintained. Tq greater than the limit in the COLR with COLSS in service or > 0.03 with COLSS out of service is not expected. If it occurs, the actions to be taken ensure that operation is restricted to only those conditions required to identify the cause of the tilt. It is necessary to explicitly account for power asymmetries because the radial peaking factors used in the core power distribution calculations are based on an untilted power distribution.

APPLICABILITY
Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:
a. The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate due to the poor signal to noise ratio that they experience at relatively low core power levels.
b. As a result of this inaccuracy, the CPCs assume a minimum core power of 20% RTP when generating LPD and DNBR trip signals.
When the core power is below this level, the core is operating well below its thermal limits and the resultant CPC calculated LPD and DNBR trips are highly conservative.

ACTIONS
A.1 and A.2
If the measured Tq is greater than the Tq allowance used in the CPCs but within the limit in the COLR with COLSS in service or ≤ 0.03 with COLSS out of service, nonconservative trip setpoints may be calculated. Required Action A.1 restores Tq to within its specified limits by repositioning the CEAs, and the reactor may return to normal operation. A Completion Time of 2 hours is sufficient time to allow the operator to reposition the CEAs because significant radial xenon redistribution does not occur within this time.

If the Tq cannot be restored within 2 hours, the Tq allowance in the CPCs must be adjusted, per Required Action A.2, to be equal to or greater than the measured value of Tq to ensure that the design safety margins are maintained. The COLSS Tq alarm must also be adjusted to the new CPC allowance, so that the COLSS Tq alarm is still valid.

B.1, B.2, B.3, B.4, and B.5
Required Actions B.1, B.2, B.3, B.4, and B.5 are modified by a Note that requires action B.5 be performed if power reduction commences prior to restoring Tq within the limit. This requirement ensures that corrective action is taken before unrestricted power operation resumes.

If the measured Tq is not within the limit in the COLR with COLSS in service or > 0.03 with COLSS out of service, THERMAL POWER is reduced to ≤ 50% RTP within 4 hours. The 4 hours allows enough time to take action to restore Tq prior to reducing power and limits the probability of operation with a power distribution out of limits. Such actions include performing SR 3.2.3.2, which provides a value of Tq that can be used in subsequent actions.
Also in the case of a tilt generated by a CEA misalignment, the 4 hours allows recovery of the CEA misalignment. Except as a result of CEA misalignment, a measured Tq not within the limit in the COLR with COLSS in service or > 0.03 with COLSS out of service is not expected. If it occurs, continued operation of the reactor may be necessary to discover the cause of the tilt. Operation then is restricted to only those conditions required to identify the cause of the tilt. It is necessary to explicitly account for power asymmetries because the radial power peaking factors used in the core power distribution calculation are based on an untilted power distribution.

If the measured Tq is not restored to within its specified limits, the reactor continues to operate with an axial power distribution mismatch. Continued operation in this configuration may induce an axial xenon oscillation, which results in increased LHGRs when the xenon redistributes. If the measured Tq cannot be restored to within its limit within 4 hours, reactor power must be reduced. Reducing THERMAL POWER to < 50% RTP within 4 hours provides an acceptable level of protection from increased power peaking due to potential xenon redistribution while maintaining a power level sufficiently high enough to allow the tilt to be analyzed.

The Variable Overpower trip setpoints are reduced to ≤ 55% RTP to ensure that the assumptions of the accident analysis regarding power peaking are maintained. After power has been reduced to ≤ 50% RTP, the rate and magnitude of changes in the core flux are greatly reduced.
Therefore, 16 hours is an acceptable time period to allow for reduction of the Variable Overpower trip setpoints, Required Action B.2. The 16 hour Completion Time allowed to reduce the Variable Overpower trip setpoints is required to perform the actions necessary to reset the trip setpoints.

THERMAL POWER is restricted to 50% RTP until the measured Tq is restored to within its specified limit by correcting the out of limit condition. This action prevents the operator from increasing THERMAL POWER above the conservative limit when a significant Tq has existed, but allows the unit to continue operation for diagnostic purposes.

If Tq is restored prior to identifying and correcting the cause, the plant corrective action program will continue to evaluate the cause of the out of limit condition. After a THERMAL POWER increase following restoration of Tq, operation may proceed provided the measured Tq is determined to remain within its specified limit at the increased THERMAL POWER level.

The provision to allow discontinuation of the Surveillance after verifying that Tq is within its specified limit at least once per hour for 12 hours or until Tq is verified to be within its specified limit at a THERMAL POWER 95% RTP provides an acceptable exit from this action after the measured Tq has been returned to an acceptable value.

C.1
If the measured Tq cannot be restored or determined within its specified limit, core power must be reduced. Reduction of core power to ≤ 20% RTP ensures that the core is operating within its thermal limits and places the core in a conservative condition based on the trip setpoints generated by the CPCs, which assume a minimum core power of 20% RTP.
Six hours is a reasonable time to reach 20% RTP in an orderly manner and without challenging plant systems. _______________________________________________________________________________ SURVEILLANCE SR 3.2.3.1 REQUIREMENTS Continuous monitoring of the measured Tq by the incore nuclear detectors is provided by the COLSS. A COLSS alarm is annunciated in the event that the measured Tq exceeds the value used in the CPCs. With the COLSS out of service, the operator must calculate Tq and verify that it is within its specified limits. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Tq B 3.2.3 BASES ______________________________________________________________________________ ______________________________________________________________________________ (continued) PALO VERDE UNITS 1,2,3 B 3.2.3-9 REVISION 56 SURVEILLANCE SR 3.2.3.1 (continued) REQUIREMENTS This SR is also modified by a Note that states that the SR is not required to be performed until 2 hours after MODE 1 with THERMAL POWER > 20% RTP. During plant startup (increase from 15-18% RTP), the plant dynamics associated with the downcomer to economizer swapover may result in a temporary power increase above 20% RTP. The 2 hours after reaching 20% RTP is required for plant stabilization. SR 3.2.3.2 Verification that the COLSS Tq alarm actuates at a value less than the value used in the CPCs ensures that the operator is alerted if Tq approaches its operating limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.2.3.3 Independent confirmation of the validity of the COLSS calculated Tq ensures that the COLSS accurately identifies Tq's. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Tq B 3.2.3 BASES _______________________________________________________________________________ PALO VERDE UNITS 1,2,3 B 3.2.3-10 REVISION 0 REFERENCES 1. UFSAR, Section 15. 2. UFSAR, Section 6. 3. 
CE-1 Correlation for DNBR. 4. 10 CFR 50, Appendix A, GDC 10. 5. 10 CFR 50.46. 6. Regulatory Guide 1.77, Rev. 0, May 1974. 7. 10 CFR 50, Appendix A, GDC 26. DNBR B 3.2.4 (continued) ______________________________________________________________________________ PALO VERDE UNITS 1,2,3 B 3.2.4-1 REVISION 52 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.4 Departure from Nucleate Boiling Ratio (DNBR) BASES BACKGROUND The purpose of this LCO is to limit the core power distribution to the initial value assumed in the accident analyses. Specifically, operation within the limits imposed by this LCO either limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), loss of flow accident, ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits the amount of damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable conditions at the onset of a transient. Methods of controlling the power distribution include: a. Using full strength or part strength CEAs to alter the axial power distribution; b. Decreasing CEA insertion by boration, thereby improving the radial power distribution; and c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations. The core power distribution is controlled so that, in conjunction with other core operating parameters (e.g., CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. The limiting safety system settings and this LCO are based on the accident analysis (Refs. 
1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs) and the limits of acceptable consequences are not exceeded for other postulated accidents.

Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in controlling axial power distribution.

Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on the Linear Heat Rate (LHR) and the Departure from nucleate boiling (DNB).

Proximity to the DNB condition is expressed by the DNBR, defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3) and corrected for such factors as rod bows and grid spacers and it is accepted as an appropriate margin to DNB for all operating conditions.

There are two systems that monitor core power distribution online: the Core Operating Limits Supervisory System (COLSS) and the Core Protection Calculators (CPCs). The COLSS and CPCs that monitor the core power distribution are capable of verifying that the LHR and DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR.
The CPCs perform this function by continuously calculating an actual value of DNBR and LPD for comparison with the respective trip setpoints.

A DNBR penalty factor is included in both the COLSS and CPC DNBR calculation to accommodate the effects of rod bow. The amount of rod bow in each assembly is dependent upon the average burnup experienced by that assembly. Fuel assemblies that incur higher than average burnup experience a greater magnitude of rod bow. Conversely, fuel assemblies that receive lower than average burnup experience less rod bow. In design calculations for a reload core, each batch of fuel is assigned a penalty that is applied to the maximum integrated planar radial power peak of the batch. This penalty is correlated with the amount of rod bow that is determined from the maximum average assembly burnup of the batch. A single net penalty for the COLSS and CPCs is then determined from the penalties associated with each batch that comprises a core reload, accounting for the offsetting margins due to the lower radial power peaks in the higher burnup batches.

The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm when an operating limit is exceeded. Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded during AOOs by initiating a reactor trip.

The COLSS continually generates an assessment of the calculated margin for LHR and DNBR specified limits.
The data required for these assessments include measured incore neutron flux, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.

In addition to the monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicates CEA position. In this case, the CPCs assume a minimum core power of 20% RTP because the power range excore neutron flux detecting system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high local power density or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits.

The limits on ASI, Fxy, and Tq represent limits within which the LHR and DNBR algorithms are valid. These limits are obtained directly from the initial core or reload analysis.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of normal operation or AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs prevent core power distributions from reaching levels that violate the following fuel design criteria:

a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);
b. During CEA misoperation events or a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 3);
c.
During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6); and
d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Ref. 4). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 4). Peak cladding temperatures exceeding 2200°F may cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, CEAs, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the range used in the accident analyses (Ref. 1).

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation.
However, fuel cladding damage could result if an accident occurs from initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

DNBR satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to the LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR.

With the COLSS in service and at least one of the Control Element Assembly Calculators (CEACs) OPERABLE in each operable CPC Channel, the DNBR will be maintained by ensuring that the core power calculated by the COLSS is equal to or less than the permissible core power operating limit based on DNBR calculated by the COLSS.

In the event that the COLSS is in service but the above condition is not met, the DNBR is maintained by ensuring that the core power calculated by the COLSS is equal to or less than a reduced value of the permissible core power operating limit calculated by the COLSS. In this condition, the calculated operating limit must be reduced by the allowance specified in the COLR.

In instances for which the COLSS is out of service and at least one of the CEACs are OPERABLE in each operable CPC Channel, the DNBR is maintained by operating within the acceptable region specified in the COLR and using any OPERABLE CPC channel.

Alternatively, when the COLSS is out of service and the above condition is not met, the DNBR is maintained by operating within the acceptable region specified in the COLR for this condition and using any OPERABLE CPC channel with two inoperable CEACs.
Note that the DNBR Margin Operating Limit based on CPC COLR limits (Figures 3.2.4-2 & 3.2.4-3) should not be used during a four finger CEA misalignment event as the radial distortion (static and xenon transient) and azimuthal tilt are not accounted for in the CPC DNBR calculation in all cases.

With the COLSS out of service, the limitation on DNBR as a operating conditions consistent with the analysis assumptions that have been analytically demonstrated adequate to maintain an acceptable minimum DNBR for all AOOs. Operation of the core with a DNBR at or above this limit ensures that an acceptable minimum DNBR is maintained in the event of the most limiting AOO (i.e., loss of flow transient, CEA misoperation events, or asymmetric SG transient).

APPLICABILITY

Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:

a. The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate due to the poor signal to noise ratio that they experience at relatively low core power levels.
b. As a result of this inaccuracy, the CPCs assume a minimum core power of 20% RTP when generating the Local Power Density (LPD) and DNBR trip signals. When the core power is below this level, the core is operating well below the thermal limits and the resultant CPC calculated LPD and DNBR trips are highly conservative.
ACTIONS

A.1

Operating at or above the minimum required value of the DNBR ensures that an acceptable minimum DNBR is maintained in the event of a postulated AOO. If the core power as calculated by the COLSS exceeds the core power limit calculated by the COLSS based on the DNBR, fuel design limits may not be maintained following an AOO and prompt action must be taken to restore the DNBR above its minimum Allowable Value. With the COLSS in service, 1 hour is a reasonable time for the operator to initiate corrective actions to restore the DNBR above its specified limit, because of the low probability of a severe transient occurring in this relatively short time.

B.1, B.2.1, and B.2.2

If the COLSS is not available the OPERABLE DNBR channels are monitored to ensure that the DNBR is not exceeded. Maintaining the DNBR within this specified range ensures that no postulated accident results in consequences more severe than those described in the UFSAR, Chapter 15. A 4 hour Frequency is allowed to restore the DNBR limit to within the region of acceptable operation. This Frequency is reasonable because the COLSS allows the plant to operate with less DNBR margin (closer to the DNBR limit) than when monitoring with the CPCs.

When operating with the COLSS out of service and DNBR outside the region of acceptable operation, there is a possibility of a slow undetectable transient that degrades the DNBR slowly over the 4 hour period and is then followed by an anticipated operational occurrence or an accident.
To remedy this, the CPC calculated values of DNBR are monitored every 15 minutes when the COLSS is out of service and DNBR outside the region of acceptable operation. The 15 minute frequency is adequate to allow the operator to identify an adverse trend in conditions that could result in an approach to the DNBR limit. Also, a maximum allowable change in the CPC calculated DNBR ensures that further degradation requires the operators to take immediate action to restore DNBR to within limits or reduce reactor power to comply with the Technical Specifications (TS).

With an adverse trend, 1 hour is allowed for restoring DNBR to within limits if the COLSS is not restored to OPERABLE status. Implementation of this requirement ensures that reductions in core thermal margin are quickly detected and, if necessary, results in a decrease in reactor power and subsequent compliance with the existing COLSS out of service TS limits. If DNBR cannot be monitored every 15 minutes, assume that there is an adverse trend.

With no adverse trend, 4 hours is allowed for restoring the DNBR to within limits if the COLSS is not restored to OPERABLE status. This duration is reasonable because the Frequency of the CPC determination of DNBR has been increased, and, if operation is maintained steady, the likelihood of exceeding the DNBR limit during this period is not increased. The likelihood of induced reactor transients from an early power reduction is also decreased.

C.1

If the DNBR cannot be restored or determined within the allowed times of Conditions A and B, core power must be reduced.
Reduction of core power to ~ 20% RTP ensures that the core is operating within its thermal limits and places the core in a conservative condition based on trip setpoints generated by the CPCs, which assume a minimum core power of 20% RTP. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach 20% RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.2.4.1

With the COLSS out of service, the operator must monitor the DNBR as indicated on all of the OPERABLE DNBR channels of the CPCs to verify that the DNBR is within the specified limits shown in the COLR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states that the SR is only applicable when the COLSS is out of service. Continuous monitoring of the DNBR is provided by the COLSS, which calculates core power and core power operating limits based on the DNBR and continuously displays these limits to the operator. A COLSS margin alarm is annunciated in the event that the THERMAL POWER exceeds the core power operating limit based on the DNBR.

This SR is also modified by a Note that states that the SR is not required to be performed until 2 hours after MODE 1 with THERMAL POWER > 20% RTP. During plant startup (increase from 15-18% RTP), the plant dynamics associated with the downcomer to economizer swapover may result in a temporary power increase above 20% RTP. The 2 hours after reaching 20% RTP is required for plant stabilization.
SR 3.2.4.2

Verification that the COLSS margin alarm actuates at a power level equal to or less than the core power operating limit, as calculated by the COLSS, based on the DNBR, ensures that the operator is alerted when operating conditions approach the DNBR operating limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 15.
2. UFSAR, Chapter 6.
3. CE-1 Correlation for DNBR.
4. 10 CFR 50, Appendix A, GDC 10.
5. 10 CFR 50.46.
6. Regulatory Guide 1.77, Rev. 0, May 1974.
7. 10 CFR 50, Appendix A, GDC 26.

B 3.2 POWER DISTRIBUTION LIMITS

B 3.2.5 AXIAL SHAPE INDEX (ASI)

BASES

BACKGROUND

The purpose of this LCO is to limit the core power distribution to the initial values assumed in the accident analysis. Operation within the limits imposed by this LCO either limits or prevents potential fuel cladding failures that could breach the primary fission product barrier and release fission products to the reactor coolant in the event of a Loss Of Coolant Accident (LOCA), loss of flow accident, ejected Control Element Assembly (CEA) accident, or other postulated accident requiring termination by a Reactor Protective System (RPS) trip function. This LCO limits the amount of damage to the fuel cladding during an accident by ensuring that the plant is operating within acceptable conditions at the onset of a transient.

Methods of controlling the axial power distribution include:

a. Using full strength or part strength CEAs to alter the axial power distribution;
b.
Decreasing CEA insertion by boration, thereby improving the axial power distribution; and
c. Correcting off optimum conditions (e.g., a CEA drop or misoperation of the unit) that cause margin degradations.

The core power distribution is controlled so that, in conjunction with other core operating parameters (CEA insertion and alignment limits), the power distribution does not result in violation of this LCO. The limiting safety system settings are based on the accident analyses (Refs. 1 and 2), so that specified acceptable fuel design limits are not exceeded as a result of Anticipated Operational Occurrences (AOOs) and the limits of acceptable consequences are not exceeded for other postulated accidents.

Limiting power distribution skewing over time also minimizes xenon distribution skewing, which is a significant factor in controlling axial power distribution.

Power distribution is a product of multiple parameters, various combinations of which may produce acceptable power distributions. Operation within the design limits of power distribution is accomplished by generating operating limits on the Linear Heat Rate (LHR) and the Departure from Nucleate Boiling (DNB).

Proximity to the DNB condition is expressed by the Departure from Nucleate Boiling Ratio (DNBR), defined as the ratio of the cladding surface heat flux required to cause DNB to the actual cladding surface heat flux. The minimum DNBR value during both normal operation and AOOs is the DNBR Safety Limit as calculated by the CE-1 Correlation (Ref. 3), and corrected for such factors as rod bow and grid spacers, and it is accepted as an appropriate margin to DNB for all operating conditions.
There are two systems that monitor core power distribution online: the Core Operating Limit Supervisory System (COLSS) or the Core Protection Calculators (CPCs). The COLSS and CPCs monitor the core power distribution and are capable of verifying that the LHR and DNBR do not exceed their limits. The COLSS performs this function by continuously monitoring the core power distribution and calculating core power operating limits corresponding to the allowable peak LHR and DNBR. The CPCs perform this function by continuously calculating actual values of DNBR and local power density (LPD) for comparison with the respective trip setpoints.

A DNBR penalty factor is included in both the COLSS and CPC DNBR calculations to accommodate the effects of rod bow. The amount of rod bow in each assembly is dependent upon the average burnup experienced by that assembly. Fuel assemblies that incur higher than average burnup experience greater rod bow. Conversely, fuel assemblies that receive lower than average burnup experience less rod bow. In design calculations for a reload core, each batch of fuel is assigned a penalty that is applied to the maximum integrated planar radial power peak of the batch. This penalty is correlated with the amount of rod bow that is determined from the maximum average assembly burnup of the batch. A single net penalty for the COLSS and CPC is then determined from the penalties associated with each batch that comprises a core reload, accounting for the offsetting margins due to the lower radial power peaks in the higher burnup batches.

The COLSS indicates continuously to the operator how far the core is from the operating limits and provides an audible alarm if an operating limit is exceeded.
Such a condition signifies a reduction in the capability of the plant to withstand an anticipated transient, but does not necessarily imply an immediate violation of fuel design limits. If the margin to fuel design limits continues to decrease, the RPS ensures that the specified acceptable fuel design limits are not exceeded for AOOs by initiating a reactor trip.

The COLSS continually generates an assessment of the calculated margin for LHR and DNBR specified limits. The data required for these assessments include measured incore neutron flux, CEA positions, and Reactor Coolant System (RCS) inlet temperature, pressure, and flow.

In addition to the monitoring performed by the COLSS, the RPS (via the CPCs) continually infers the core power distribution and thermal margins by processing reactor coolant data, signals from excore neutron flux detectors, and input from redundant reed switch assemblies that indicates CEA position. In this case, the CPCs assume a minimum core power of 20% RTP because the power range excore neutron flux detecting system is inaccurate below this power level. If power distribution or other parameters are perturbed as a result of an AOO, the high local power density or low DNBR trips in the RPS initiate a reactor trip prior to exceeding fuel design limits.

The limits on ASI, Fxy, and Tq represent limits within which the LHR and DNBR algorithms are valid. These limits are obtained directly from the initial core or reload analysis.

APPLICABLE SAFETY ANALYSES

The fuel cladding must not sustain damage as a result of operation or AOOs (Ref. 4). The power distribution and CEA insertion and alignment LCOs prevent core power distributions from reaching levels that violate the following fuel design criteria:

a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref.
5);
b. During CEA misoperation events or a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6);
d. The control rods (excluding part strength rods) must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak LHR and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations among measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum Linear Heat Generation Rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F may cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core.
Operation within the limits for these variables ensures that their actual values are within the range used in the accident analysis (Ref. 1).

Fuel cladding damage does not occur from conditions outside these LCOs during normal operation. However, fuel cladding damage results when an accident occurs due to initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

The ASI satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The power distribution LCO limits are based on correlations between power peaking and certain measured variables used as inputs to LHR and DNBR operating limits. The power distribution LCO limits are provided in the COLR. The COLR provides separate limits that are based on different combinations of COLSS and CEACs being in and out of service.

The limitation on ASI ensures that the actual ASI value is maintained within the range of values used in the accident analyses. The ASI limits ensure that with Tq at its maximum upper limit, the DNBR does not drop below the DNBR Safety Limit for AOOs.

APPLICABILITY

Power distribution is a concern any time the reactor is critical. The power distribution LCOs, however, are only applicable in MODE 1 above 20% RTP. The reasons these LCOs are not applicable below 20% RTP are:

a.
The incore neutron detectors that provide input to the COLSS, which then calculates the operating limits, are inaccurate due to the poor signal to noise ratio that they experience at relatively low core power levels.
b. As a result of this inaccuracy, the CPCs assume a minimum core power of 20% RTP when generating the LPD and DNBR trip signals. When the core power is below this level, the core is operating well below the thermal limits and the resultant CPC calculated LPD and DNBR trips are strongly conservative.

ACTIONS

A.1

The ASI limits specified in the COLR ensure that the LOCA and loss of flow accident criteria assumed in the accident analyses remain valid. If the ASI exceeds its limit, a Completion Time of 2 hours is allowed to restore the ASI to within its specified limit. This duration gives the operator sufficient time to reposition the regulating or part strength CEAs to reduce the axial power imbalance. The magnitude of any potential xenon oscillation is significantly reduced if the condition is not allowed to persist for more than 2 hours.

B.1

If the ASI is not restored to within its specified limits within the required Completion Time, the reactor continues to operate with an axial power distribution mismatch. Continued operation in this configuration induces an axial xenon oscillation, and results in increased LHGRs when the xenon redistributes. Reducing thermal power to 20% RTP reduces the maximum LHR to a value that does not exceed the fuel design limits if a design basis event occurs. The allowed Completion Time of 4 hours is reasonable, based on operating experience, to reduce power in an orderly manner and without challenging plant systems.
SURVEILLANCE REQUIREMENTS

SR 3.2.5.1

The ASI can be monitored by both the incore (COLSS) and excore (CPC) neutron detector systems. The COLSS provides the operator with an alarm if an ASI limit is approached. Verification of the ASI ensures that the operator is aware of changes in the ASI as they develop. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states that the SR is not required to be performed until 2 hours after MODE 1 with THERMAL POWER > 20% RTP. During plant startup (increase from 15-18% RTP), the plant dynamics associated with the downcomer to economizer swapover may result in a temporary power increase above 20% RTP. The 2 hours after reaching 20% RTP is required for plant stabilization.

REFERENCES

1. UFSAR, Chapter 15.
2. UFSAR, Chapter 6.
3. CE-1 Correlation for DNBR.
4. 10 CFR 50, Appendix A, GDC 10.
5. 10 CFR 50.46.
6. Regulatory Guide 1.77, Rev. 0, May 1974.
7. 10 CFR 50, Appendix A, GDC 26.

B 3.3 INSTRUMENTATION

B 3.3.1 Reactor Protective System (RPS) Instrumentation - Operating

BASES

BACKGROUND

The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs).
By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Except for Trip Functions 6 and 7, the LSSS defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs). For Trip Functions 6 and 7, the UFSAR Trip Setpoint is the LSSS.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

- The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);
- Fuel centerline melting shall not occur; and
- The Reactor Coolant System (RCS) pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RPS is segmented into four interconnected modules. These modules are:

- Measurement channels;
- Bistable trip units;
- RPS Logic; and
- Reactor trip circuit breakers (RTCBs).

This LCO addresses measurement channels and bistable trip units. It also addresses the automatic bypass removal feature for those trips with operating bypasses. The RPS Logic and RTCBs are addressed in LCO 3.3.4, "Reactor Protective System (RPS) Logic and Trip Initiation." The CEACs are addressed in LCO 3.3.3, "Control Element Assembly Calculators (CEACs)."

Measurement Channels

Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

The excore nuclear instrumentation, the core protection calculators (CPCs), and the CEACs, though complex, are considered components in the measurement channels of the Variable Over Power - High, Logarithmic Power Level - High, DNBR - Low, and Local Power Density (LPD) - High trips.

Four identical measurement channels, designated channels A through D, with electrical and physical separation, are provided for each parameter used in the generation of trip signals, with the exception of the control element assembly (CEA) position indication used in the CPCs. Each measurement channel provides input to one or more RPS bistables within the same RPS channel.
In addition, some measurement channels may also be used as inputs to Engineered Safety Features Actuation System (ESFAS) bistables, and most provide indication in the control room.

Measurement channels used as an input to the RPS are not used for control functions.

When a channel monitoring a parameter exceeds a predetermined setpoint, indicating an unsafe condition, the bistable monitoring the parameter in that channel will trip. Tripping bistables monitoring the same parameter in two or more channels will de-energize Matrix Logic, which in turn de-energizes the Initiation Logic. This causes all four RTCBs to open, interrupting power to the CEAs, allowing them to fall into the core.

Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 1). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure in the RPS can either cause an inadvertent trip or prevent a required trip from occurring.

Adequate channel to channel independence includes physical and electrical independence of each channel from the others. This allows operation in two-out-of-three logic with one channel removed from service until following the next MODE 5 entry.

Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control function, this arrangement meets the applicable requirements of standards referenced in the UFSAR, Chapter 7 (Ref. 4).

The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. Four separate CPCs perform the calculations independently, one for each of the four RPS channels.
The CPCs provide outputs to drive display indications (DNBR margin, LPD margin, and calibrated neutron flux power levels) and provide DNBR - Low and LPD - High pretrip and trip signals.

The CPC channel outputs for the DNBR - Low and LPD - High trips operate contacts in the Matrix Logic in a manner identical to the other RPS trips. Each CPC receives the following inputs:

- Hot leg and cold leg temperatures;
- Pressurizer pressure;
- Reactor coolant pump speed;
- Excore neutron flux levels;
- Target CEA positions; and
- CEAC penalty factors.

Each CPC is programmed with "addressable constants." These are various alignment values, correction factors, etc., that are required for the CPC computations. They can be accessed for display or for the purpose of changing them as necessary.

The CPCs use this constant and variable information to perform a number of calculations. These include the calculation of CEA group and subgroup deviations (and the assignment of conservative penalty factors), correction and calculation of average axial power distribution (APD) (based on excore flux levels and CEA positions), calculation of coolant flow (based on pump speed), and calculation of calibrated average power level (based on excore flux levels and ΔT power).

The DNBR calculation considers primary pressure, inlet temperature, coolant flow, average power, APD, radial peaking factors, and CEA deviation penalty factors from the CEACs to calculate the state of the limiting (hot) coolant channel in the core. A DNBR - Low trip occurs when the calculated value reaches the minimum DNBR trip setpoint.
The LPD calculation considers APD, average power, radial peaking factors (based upon target CEA position), and CEAC penalty factors to calculate the current value of compensated peak power density. An LPD - High trip occurs when the calculated value reaches the trip setpoint. The four CPC channels provide input to the four DNBR - Low and four LPD - High RPS trip channels. They effectively act as the sensor and bistable trip units (using many inputs) for these trips.

The CEACs perform the calculations required to determine the position of CEAs within their subgroups for the CPCs. Two independent CEACs within each CPC channel compare the position of each CEA to its subgroup position. If a deviation is detected by either CEAC, an annunciator sounds and appropriate "penalty factors" are transmitted to the CPC in the affected channel. These penalty factors conservatively adjust the effective operating margins to the DNBR - Low and LPD - High trips.

Each CEA has two separate reed switch position transmitter (RSPT) assemblies mounted outside the Reactor Coolant Pressure Boundary (RCPB), designated RSPT 1 and RSPT 2. CEA position from the RSPTs is processed by two CEA Position Processors (CPPs) located in each CPC channel. The CPPs transmit CEA position to the appropriate CEAC in all four CPC channels over optically isolated datalinks, such that CEAC 1 in all channels receives the position of all CEAs based upon RSPT 1, and CEAC 2 receives the position of all CEAs based upon RSPT 2. Thus the position of all CEAs is independently monitored by both CEACs in each CPC channel.

The CPCs display the position of each CEA to the operator on a separate single CEA Position Flat Panel Display.
Each CPC channel is connected to the display by means of an optically isolated data link. The operator may select the channel for display. Selecting channel A or B will display CEA position based upon RSPT 1 on each CEA, whereas selecting channel C or D will display CEA position based upon RSPT 2 on each CEA.

CEACs are addressed in LCO 3.3.3.

Bistable Trip Units

Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels. They compare the analog input to trip setpoints and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation.

There are four channels of bistables, designated A, B, C, and D, for each RPS parameter, one for each measurement channel. Bistables de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate a reactor trip (two-out-of-four logic).

Some measurement channels provide contact outputs to the PPS. In these cases, there is no bistable card, and opening the contact input directly de-energizes the associated bistable relays. These include the CPC generated DNBR - Low and LPD - High trips.

The CPC auxiliary trip functions (e.g., CPC VOPT algorithm) do not have any direct contact outputs to the PPS. The auxiliary trip functions act through the DNBR - Low and LPD - High trip contacts to de-energize the associated CPC initiation relays that provide a channel trip signal to the PPS parameters 3 and 4 bistable relays.
Other CPC trip functions may also apply a penalty factor to cause a DNBR or LPD trip.

The trip setpoints used in the bistables are based on the analytical limits derived from the accident analysis (Ref. 5). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in "Calculation of Trip Setpoint Values" (Ref. 7).

The UFSAR Trip Setpoints are based on the calculated total loop uncertainty consistent with the methodology as documented in the UFSAR (RG 1.105, Revision 1, November 1976) (Ref. 14).

The general relationship among the PVNGS trip setpoint terms is as follows:

- The calculated Limiting Setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty.
- The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR.
- The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint.

This relationship ensures that sufficient margin to the safety limit is maintained. A channel is inoperable if its actual setpoint is non-conservative with respect to its Allowable Value.
To maintain the margins of safety assumed in the safety analyses, the calculations of the trip variables for the DNBR - Low and Local Power Density - High trips include the measurement, calculational, and processor uncertainties and dynamic allowances as defined in the latest applicable revision of CEN-305-P, "Functional Design Requirements for a Core Protection Calculator" (Ref. 10) and CEN-304-P, "Functional Design Requirements for a Control Element Assembly Calculator," (Ref. 11). The safety analyses also credit the CPC auxiliary trip functions (VOPT, T-hot Saturation, ASGT, and Low RCS Pressure), which act through the DNBR - Low and LPD - High trip contacts, to provide core protection during Anticipated Operational Occurrences and Design Basis Accidents (Ref. 5 and 8).

Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0, "SAFETY LIMITS (SLs)," are not violated during AOOs, and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Note that in LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS, except for Trip Functions 6 and 7. For Trip Functions 6 and 7, the UFSAR Trip Setpoint is the LSSS.

Functional testing of the entire RPS, from bistable input through the opening of individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested. CPC and CEAC functional testing is performed quarterly and during refueling. UFSAR, Section 7.2 (Ref. 8), provides more detail on RPS testing. Processing transmitter calibration is normally performed on a refueling basis.
RPS Logic

The RPS Logic, addressed in LCO 3.3.4, consists of both Matrix and Initiation Logic and employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths. Each trip path provides power to one of the four normally energized RTCB initiation relays. The trip paths thus each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition.

Each trip path is responsible for opening one of the four RTCBs. The RTCB initiation relays, when de-energized, interrupt power to the breaker undervoltage trip attachments and simultaneously apply power to the shunt trip attachments on each of the breakers. Actuation of either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs).
When a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four initiation relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all four RTCBs, tripping them open.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel.

The Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, initiation relays, and the initiation relay contacts in the RTCB control circuitry.

It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing.
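The coincidence matrices, trip paths and trip channel bypass described above, modelled as an added example that is not part of the Bases or of any plant software. The class, function and parameter names are hypothetical, relays are assumed ideal, and only the logic stated in the text is represented.

```python
from itertools import combinations, product

CHANNELS = ("A", "B", "C", "D")
# The six logic matrices named in the text: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(combinations(CHANNELS, 2))


class BypassInterlockError(Exception):
    """The same parameter may be trip channel bypassed in only one channel."""


class RpsLogic:
    def __init__(self):
        self._bypass = {}  # parameter -> channel held in trip channel bypass

    def bypass(self, parameter, channel):
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        held = self._bypass.get(parameter)
        if held is not None and held != channel:
            # Interlock: a second channel cannot be bypassed for this parameter.
            raise BypassInterlockError(f"{parameter} already bypassed in {held}")
        self._bypass[parameter] = channel

    def remove_bypass(self, parameter):
        self._bypass.pop(parameter, None)

    def matrix_coincidence(self, matrix, tripped):
        """tripped maps parameter -> set of channels whose bistable has tripped.

        A coincidence needs the SAME parameter tripped in both channels of the
        matrix. A bypassed channel's contacts are shorted in its three
        matrices, so it cannot contribute to a coincidence.
        """
        for parameter, channels in tripped.items():
            bypassed = self._bypass.get(parameter)
            if all(ch in channels and ch != bypassed for ch in matrix):
                return True
        return False

    def trip_paths_open(self, tripped):
        """Return four booleans, True where a trip path has been opened."""
        # On coincidence all four relays of a matrix de-energize, each one
        # opening that matrix's contact in one of the four trip paths.
        contact_open = {
            m: [self.matrix_coincidence(m, tripped)] * 4 for m in MATRICES
        }
        # Six contacts in series per path: any open contact opens the path.
        return [any(contact_open[m][path] for m in MATRICES) for path in range(4)]

    def reactor_trip(self, tripped):
        # Each open trip path de-energizes one RTCB initiation relay.
        return all(self.trip_paths_open(tripped))


def matches_voting_rule(parameter="constructed parameter"):
    """Exhaustively compare the matrix model with 'two or more un-bypassed
    channels tripped' for every bistable state and every bypass choice."""
    for bypassed in (None,) + CHANNELS:
        logic = RpsLogic()
        if bypassed:
            logic.bypass(parameter, bypassed)
        for states in product((False, True), repeat=len(CHANNELS)):
            tripped = {ch for ch, s in zip(CHANNELS, states) if s}
            expected = len(tripped - {bypassed}) >= 2
            if logic.reactor_trip({parameter: tripped}) != expected:
                return False
    return True


if __name__ == "__main__":
    print("matrix model equals 2oo4 / 2oo3 voting:", matches_voting_rule())
```

With no bypass the model reduces to two-out-of-four; with one channel bypassed it reduces to two-out-of-three among the remaining channels, and a single failed-tripped channel never opens a trip path.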
Two-out-of-three logic also prevents inadvertent trips caused by any single channel failure in a trip condition.

In addition to the trip channel bypasses, there are also operating bypasses on select RPS trips. These bypasses are enabled manually in all four RPS channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied. Operating bypasses are normally implemented in the bistable, so that normal trip indication is also disabled. Trips with operating bypasses include Pressurizer Pressure - Low, Logarithmic Power Level - High, and CPC (DNBR - Low and LPD - High). Refer also to B 3.3.5 for ESFAS operating bypasses.

Reactor Trip Circuit Breakers (RTCBs)

The reactor trip switchgear, addressed in LCO 3.3.4, consists of four RTCBs. Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel, such that the loss of either MG set does not de-energize the CEDMs. Power is supplied from the MG sets to the CEDMs via two redundant paths (trip legs). Trip legs 1 and 3 are in parallel with Trip legs 2 and 4. This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses.

Each of the two trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits.

Each RTCB is operated by either a manual reactor trip push button, a Supplementary Protection System (SPS) trip relay or an RPS actuated Initiation relay. There are four Manual Trip push buttons; each push button operates one of the four RTCBs. Depressing either of the push buttons in both trip legs will result in a reactor trip.
When a Manual Trip is initiated using the control room push buttons, the RPS trip paths and Initiation relays are not utilized, and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS.

Manual Trip circuitry includes the push button and interconnecting wiring to the RTCBs necessary to actuate both the undervoltage and shunt trip attachments but excludes the Initiation relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic.

Functional testing of the entire RPS, from bistable input through the opening of individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. UFSAR, Section 7.2 (Ref. 8), explains RPS testing in more detail.

APPLICABLE SAFETY ANALYSES

Design Basis Definition

The RPS is designed to ensure that the following operational criteria are met:

- The associated actuation will occur when the parameter monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied;
- Separation and redundancy are maintained to permit a channel to be out of service for testing or maintenance while still maintaining redundancy within the RPS instrumentation network.

Each of the analyzed accidents and transients can be detected by one or more RPS Functions. The accident analysis takes credit for most of the RPS trip Functions. Those functions for which no credit is taken, termed equipment protective functions, are not needed from a safety perspective.

Each RPS setpoint is chosen to be consistent with the function of the respective trip.
The basis for each trip setpoint falls into one of three general categories:

- Category 1: To ensure that the SLs are not exceeded during AOOs;
- Category 2: To assist the ESFAS during accidents; and
- Category 3: To prevent material damage to major plant components (equipment protective).

The RPS maintains the SLs during AOOs and mitigates the consequences of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis are part of the NRC staff approved licensing basis for the plant. Noncredited Functions include the Steam Generator #1 Level - High, and the Steam Generator #2 Level - High. These trips minimize the potential for equipment damage.

The specific safety analysis applicable to each protective function is identified below:

1. Variable Over Power-High (RPS)

The Variable Over Power - High Trip (RPS-VOPT) is provided to protect the reactor core during positive reactivity addition excursions. Under steady state conditions the trip setpoint will stay above the neutron power level signal by a preset value, called the band function. When the power level increases, the setpoint will increase to attempt to maintain the separation defined by the Band function; however, the rate of the setpoint change is limited by the rate function. If the power level signal increases faster than the setpoint, a trip will occur when the power level eventually equals the trip setpoint. The maximum value the setpoint can have is determined by the ceiling function. A positive reactivity excursion transient will be detected by one or more RPS Functions.
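The band, rate and ceiling behaviour of the variable setpoint, as an added example rather than anything taken from the Bases or the plant's setpoint calculations. The numeric values and power traces are constructed for illustration, the function names are hypothetical, and the setpoint is assumed to follow a decreasing power signal without a rate limit, which the text does not state.

```python
# Constructed values for illustration only; these are not PVNGS setpoints.
BAND = 10.0      # % power the setpoint sits above the signal at steady state
RATE = 1.0       # largest setpoint increase allowed per sample, % power
CEILING = 110.0  # largest value the setpoint may take, % power


def track_setpoint(power_trace, band=BAND, rate=RATE, ceiling=CEILING):
    """Follow a sampled power signal (% power) with a variable trip setpoint.

    Returns (setpoints, trip_index). trip_index is the first sample at which
    the power signal reaches the setpoint, or None if it never does.
    """
    if not power_trace:
        return [], None
    # Start from steady state: setpoint one band above the signal.
    setpoint = min(power_trace[0] + band, ceiling)
    setpoints, trip_index = [], None
    for i, power in enumerate(power_trace):
        target = min(power + band, ceiling)          # band and ceiling functions
        if target > setpoint:
            setpoint = min(target, setpoint + rate)  # rate function limits the rise
        else:
            setpoint = target  # assumption: decreases are followed immediately
        setpoints.append(setpoint)
        if trip_index is None and power >= setpoint:
            trip_index = i
    return setpoints, trip_index


def slow_ramp():
    """Constructed trace: 0.5 % per sample, slower than RATE, 50 % to 70 %."""
    return [50.0 + 0.5 * i for i in range(41)]


def fast_excursion():
    """Constructed trace: 5 % per sample, faster than the setpoint can rise."""
    return [50.0 + 5.0 * i for i in range(10)]


def ramp_into_ceiling():
    """Constructed trace: slow ramp from 95 % that runs into the ceiling."""
    return [95.0 + 0.5 * i for i in range(41)]


if __name__ == "__main__":
    for name, trace in (("slow ramp", slow_ramp()),
                        ("fast excursion", fast_excursion()),
                        ("ramp into ceiling", ramp_into_ceiling())):
        setpoints, trip = track_setpoint(trace)
        if trip is None:
            print(f"{name}: no trip, final setpoint {setpoints[-1]:.1f} %")
        else:
            print(f"{name}: trip at sample {trip}, "
                  f"power {trace[trip]:.1f} %, setpoint {setpoints[trip]:.1f} %")
```

The fast excursion trips while power is still far below the ceiling because the setpoint cannot rise as quickly as the signal; the slow ramp only trips once the ceiling stops the setpoint from rising further.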
The Variable Over Power-High trip (RPS-VOPT) can provide protection against core damage during the following events:

- Uncontrolled CEA Withdrawal From Subcritical and Low Power (AOO); and
- CEA Ejection (Accident).

2. Logarithmic Power Level - High

The Logarithmic Power Level - High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

In MODES 2, 3, 4, and 5, with the RTCBs closed and the CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 1E-4% NRTP. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation - Shutdown."

In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level - High trip does not have to be OPERABLE. The indication and alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12, "Boron Dilution Alarm System (BDAS)".

3. Pressurizer Pressure - High

The Pressurizer Pressure - High trip provides protection for the high RCS pressure SL. In conjunction with the pressurizer safety valves and the main steam safety valves (MSSVs), it provides protection against overpressurization of the RCPB during the following events:

- Loss of Condenser Vacuum (AOO);
- CEA Withdrawal From Low Power Conditions (AOO);
- Chemical and Volume Control System Malfunction (AOO); and
- Main Feedwater System Pipe Break (Accident).
4. Pressurizer Pressure - Low

The Pressurizer Pressure - Low trip is provided to trip the reactor to assist the ESF System in the event of loss of coolant accidents (LOCAs). During a LOCA, the SLs may be exceeded; however, the consequences of the accident will be acceptable. A Safety Injection Actuation Signal (SIAS) and a Containment Isolation Actuation Signal (CIAS) are initiated simultaneously.

5. Containment Pressure - High

The Containment Pressure - High trip prevents exceeding the containment design pressure psig during a design basis LOCA or main steam line break (MSLB) accident. During a LOCA or MSLB the SLs may be exceeded; however, the consequences of the accident will be acceptable. An SIAS, CIAS, and MSIS are initiated simultaneously.

6, 7. Steam Generator Pressure - Low

The Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low trips provide protection against an excessive rate of heat extraction from the steam generators and resulting rapid, uncontrolled cooldown of the RCS. This trip is needed to shut down the reactor and assist the ESF System in the event of an MSLB or main feedwater line break accident. A main steam isolation signal (MSIS) is initiated simultaneously.

8, 9. Steam Generator Level - Low

The Steam Generator #1 Level - Low and Steam Generator #2 Level - Low trips ensure that a reactor trip signal is generated for the following events to help prevent exceeding the design pressure of the RCS due to the loss of the heat sink:

- Inadvertent Opening of a Steam Generator Atmospheric Dump Valve (AOO);
- Loss of Condenser Vacuum (AOO);
- Loss of Normal Feedwater Event (AOO);
- Feedwater System Pipe Break (Accident); and
- Single RCP Rotor Seizure (AOO)

10, 11. Steam Generator Level - High

The Steam Generator #1 Level - High and Steam Generator #2 Level - High trips are provided to protect the turbine from excessive moisture carryover in case of a steam generator overfill event. A Main Steam Isolation Signal (MSIS) is initiated simultaneously.

12, 13. Reactor Coolant Flow - Low

The Reactor Coolant Flow Steam Generator #1-Low and Reactor Coolant Flow Steam Generator #2-Low trips provide protection against an RCP Sheared Shaft Event. A trip is initiated when the pressure differential across the primary side of either steam generator decreases below a variable setpoint. This variable setpoint stays below the pressure differential by a preset value called the step function, unless limited by a preset maximum decreasing rate determined by the Ramp Function, or a set minimum value determined by the Floor Function. The setpoints ensure that a reactor trip occurs to limit fuel failure and ensure offsite doses are within 10 CFR 100 guidelines.

14. Local Power Density - High

The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips.
The DNBR - Low and LPD - High trips provide plant protection during the following AOOs and assist the ESF systems in the mitigation of the following accidents.

The LPD - High trip provides protection against fuel centerline melting due to the occurrence of excessive local power density peaks during the following AOOs:

- Decrease in Feedwater Temperature;
- Increase in Feedwater Flow;
- Increased Main Steam Flow (not due to the steam line rupture) Without Turbine Trip;
- Uncontrolled CEA Withdrawal From Low Power;
- Uncontrolled CEA Withdrawal at Power; and
- CEA Misoperation

For the events listed above (except CEA Misoperation where the DNBR and LPD trips will occur near simultaneously), DNBR - Low will trip the reactor first, since DNB would occur before fuel centerline melting would occur.

15. Departure from Nucleate Boiling Ratio (DNBR) - Low

The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following AOOs and assist the ESF systems in the mitigation of the following accidents.
The DNBR - Low trip provides protection against core damage due to the occurrence of locally saturated conditions in the limiting (hot) channel during the following events and is the primary reactor trip (trips the reactor first) for these events:

- Decrease in Feedwater Temperature;
- Increase in Feedwater Flow;
- Increased Main Steam Flow (not due to steam line rupture) Without Turbine Trip;
- Increased Main Steam Flow (not due to steam line rupture) With a Concurrent Single Failure of an Active Component;
- Steam Line Break With Concurrent Loss of Offsite AC Power;
- Loss of Normal AC Power;
- Partial Loss of Forced Reactor Coolant Flow;
- Total Loss of Forced Reactor Coolant Flow;
- Single Reactor Coolant Pump (RCP) Shaft Seizure;
- Uncontrolled CEA Withdrawal From Low Power;
- Uncontrolled CEA Withdrawal at Power;
- CEA Misoperation;
- Primary Sample or Instrument Line Break; and
- Steam Generator Tube Rupture.

In the above list, only the steam line break, the steam generator tube rupture, the RCP shaft seizure, and the sample or instrument line break are accidents. The rest are AOOs.

In the safety analyses for transients involving reactivity and power distribution anomalies, credit may be taken for the CPC VOPT auxiliary trip algorithm in lieu of the RPS VOPT trip function. The exact trip credited (CPC or RPS) is documented in chapter 15 of the UFSAR under the individual event sections. The CPC VOPT auxiliary trip acts through the CPC DNBR-Low and LPD-High trip contacts to provide over power protection. When credit is taken for the CPC VOPT algorithm, the CPC VOPT setpoints installed in the plant are based on the safety analyses and may differ from the RPS VOPT allowable values and nominal setpoints.
The setpoints associated with the CPC VOPT are controlled via Addressable Constants (TS Section 5.4.1) and Reload Data Block Constants (Ref. 8 and 13).

The CPC VOPT auxiliary trip algorithm may provide protection against core damage during the following events: Uncontrolled CEA Withdrawal From Low Power (AOO); Uncontrolled CEA Withdrawal at Power (AOO); Single CEA Withdrawal within Deadband (AOO); Steam Bypass Control System Misoperation (AOO); CEA Ejection (Accident); and Main Steam Line Break (Accident).

The DNBR algorithm used in the CPC is valid only within the limits indicated below and operation outside of these limits will result in a CPC initiated trip.

PARAMETER: LIMITING VALUE
RCS Cold Leg Temperature - Low: 505°F
RCS Cold Leg Temperature - High: 590°F
Axial Shape Index - Positive: Not more positive than +0.5
Axial Shape Index - Negative: Not more negative than -0.5
Pressurizer Pressure - Low: 1860 psia
Pressurizer Pressure - High: 2388 psia
Integrated Radial Peaking Factor - Low: 1.28
Integrated Radial Peaking Factor - High: 7.00
Quality Margin - Low: > 0

Interlocks/Bypasses

The operating bypasses and their Allowable Values are addressed in footnotes to Table 3.3.1-1. They are not otherwise addressed as specific Table entries. The automatic operating bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The basis for each of the operating bypasses is discussed under individual trips in the LCO section:

a. Logarithmic Power Level - High;

b. DNBR - Low and LPD - High.

The RPS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR (Ref. 8). The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship will ensure that sufficient margin to the safety and/or analytical limit is maintained.

Only the Allowable Values (AVs) are specified for each RPS trip Function in the LCO. The AV is considered an operability limit for the channel. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistable is performing as required.
Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. If the as-found instrument setting is found to be non-conservative with respect to the AV, or the as-left instrument setting cannot be returned to a setting within As-Left Tolerance (ALT), or the instrument is not functioning as required, then the instrument channel shall be declared inoperable.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7).

The Bases for the individual Function requirements are as follows:

1. Variable Over Power-High (RPS)

This LCO requires all four channels of Variable Over Power High (RPS) to be OPERABLE in MODES 1 and 2. The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Variable Over Power High (RPS) reactor trips during normal plant operations. When the RPS VOPT trip function is credited in the safety analyses, the Allowable Value is based on the analyses and is low enough for the system to maintain a margin to unacceptable fuel or fuel cladding damage should a positive reactivity excursion event occur.

2. Logarithmic Power Level - High

This LCO requires all four channels of Logarithmic Power Level - High to be OPERABLE in MODE 2.
In MODES 3, 4, or 5 when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal, conditions are addressed in LCO 3.3.2. The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur.

The Logarithmic Power Level - High trip may be bypassed when logarithmic power is above 1E-4% NRTP to allow the reactor to be brought to power during a reactor startup. This operating bypass is automatically removed when logarithmic power decreases below 1E-4% NRTP. Above 1E-4% NRTP, the Variable Over Power - High and Pressurizer Pressure - High trips provide protection for reactivity transients.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function.
Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 requires the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required. These CR switches are administratively controlled via station procedure; therefore, the requirements of C.1 are continuously met.

3. Pressurizer Pressure - High

This LCO requires four channels of Pressurizer Pressure - High to be OPERABLE in MODES 1 and 2. The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its operation avoids the undesirable operation of these valves during normal plant operation. In the event of a loss of condenser vacuum at 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety valves may lift to prevent overpressurization of the RCS.

4. Pressurizer Pressure - Low

This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1 and 2.
The Allowable Value is set low enough to prevent a reactor trip during normal plant operation and pressurizer pressure transients. However, the setpoint is high enough that with a LOCA, the reactor trip will occur soon enough to allow the ESF systems to perform as expected in the analyses and mitigate the consequences of the accident.

5. Containment Pressure - High

The LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1 and 2. The Allowable Value is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. It is set low enough to initiate a reactor trip when an abnormal condition is indicated.

6, 7. Steam Generator Pressure - Low

This LCO requires four channels of Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low to be OPERABLE in MODES 1 and 2. This UFSAR Trip Setpoint is sufficiently below the full load operating value for steam pressure so as not to interfere with normal plant operation, but still high enough to provide the required protection in the event of excessive steam demand. Excessive steam demand causes the RCS to cool down, resulting in positive reactivity addition to the core. If the moderator temperature coefficient is negative, a reactor trip is required to offset that effect.

The trip setpoint may be manually decreased as steam generator pressure is reduced during controlled plant cooldown, provided the margin between steam generator pressure and the setpoint is maintained 200 psia.
This allows for controlled depressurization of the secondary system while still maintaining an active reactor trip setpoint and MSIS setpoint, until the time is reached when the setpoints are no longer needed to protect the plant. The setpoint increases automatically as steam generator pressure increases until the specified trip setpoint is reached.

Footnote (aa), which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument setpoints are found not to be conservative with respect to the as-found acceptance criteria. Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability.
Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends.

Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint. The specified field installed trip setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained. If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within the ALT, or the instrument is not functioning as required, then the instrument channel shall be declared inoperable.

8, 9. Steam Generator Level - Low

This LCO requires four channels of Steam Generator #1 Level - Low and Steam Generator #2 Level - Low for each steam generator to be OPERABLE in MODES 1 and 2. The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations.
The input signal providing the reactor trip input also provides an input to a bistable that initiates auxiliary feedwater to the affected generator via the Auxiliary Feedwater Actuation Signal (AFAS). The trip setpoint ensures that there will be sufficient water inventory in the steam generator at the time of the trip to provide a margin of at least 10 minutes before auxiliary feedwater is required to prevent degraded core cooling. The reactor trip will remove the heat source (except decay heat), thereby conserving the reactor heat sink.

10, 11. Steam Generator Level - High

This LCO requires four channels of Steam Generator #1 Level - High and Steam Generator #2 Level - High to be OPERABLE in MODES 1 and 2. The Allowable Value is high enough to allow for normal plant operation and transients without causing a reactor trip. It is set low enough to ensure a reactor trip occurs before the level reaches the steam dryers. Having steam generator water level at the trip value is indicative of the plant not being operated in a controlled manner.

12, 13. Reactor Coolant Flow - Low

This LCO requires four channels of Reactor Coolant Flow Steam Generator #1-Low and Reactor Coolant Flow Steam Generator #2-Low to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during normal plant operations while providing the required protection. Tripping the reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure conditions for this event. LCO 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," ensure adequate RCS flow rate is maintained.

14. Local Power Density - High

This LCO requires four channels of LPD - High to be OPERABLE. The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety function.

The CPC channel has many redundant features designed to improve channel reliability. A minimum subset of features must be functional in order for the CPC to be capable of performing its safety related trip function. Therefore, the channel may remain OPERABLE in the presence of a subset of channel failures, while maintaining the ability to provide the LPD-High trip function. On line CPC channel diagnostics make use of redundant features to maintain channel operability to the extent possible, and provide alarm and annunciation of detectable failures.

Those detectable CPC channel failures resulting in a loss of protective function and channel inoperability will result in a CPC Fail indication and associated Low DNBR and High LPD channel trips. Input failures resulting in a sensor out of range affecting one or more CPC process inputs will result in a CPC Sensor Failure indication. In addition, since the CPC software limits the sensor value to the lower or upper range limit value, a CPC channel trip would be generated in most cases due to these extreme values. Detectable failures, whether they result in a channel inoperability or not, are logged in a system event list.

Redundancy is demonstrated as follows:

a. Each CPC channel redundantly processes analog process and nuclear instrumentation inputs. Only one of the two redundant analog processing modules is required to maintain operability.
b. CEA position is redundantly processed by two CEA Position Processors (CPPs) in each CPC channel, and transmitted to the appropriate CEACs in all four CPC channels over one way fiber-optically isolated data links. Only one source of CEA position is required to maintain channel operability.

c. Each CPC channel has two redundant operator interface panels, a maintenance test panel (MTP) in the Core Protection Calculator System (CPCS) cabinet, and an Operator's Module (OM) in the control room. Neither is required for the CPC to perform its safety related function. However, one must be functional to assist personnel in performing certain surveillances. Upon failure of the OM, MTP, or both, the CPC channel will remain operable.

Each CPCS channel contains six processor modules. Failures of these modules are treated as follows:

CPC Processor Module failure - this failure results in a CPC channel inoperability, as addressed by this LCO.
Aux CPC Processor Module failure - this failure does not result in a CPC channel inoperability since this module does not perform any safety related functions.
CEAC 1 Processor Module failure - this failure is addressed in LCO 3.3.3.
CEAC 2 Processor Module failure - this failure is addressed in LCO 3.3.3.
CPP 1 Processor Module failure - this failure is addressed in LCO 3.3.3.
CPP 2 Processor Module failure - this failure is addressed in LCO 3.3.3.

The CPC channels may be manually bypassed below 1E-4% NRTP, as sensed by the logarithmic nuclear instrumentation.
This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE.
Required Action C.1 for both LCOs 3.3.1 and 3.3.2 requires the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required. These CR switches are administratively controlled via station procedure; therefore, the requirements of C.1 are continuously met.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.

15. Departure from Nucleate Boiling Ratio (DNBR) - Low

This LCO requires four channels of DNBR - Low to be OPERABLE. The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety function.

The CPC channel has many redundant features designed to improve channel reliability. A minimum subset of features must be functional in order for the CPC to be capable of performing its safety related trip function. Therefore, the channel may remain OPERABLE in the presence of a subset of channel failures, while maintaining the ability to provide the DNBR-Low trip function. On line CPC channel diagnostics make use of redundant features to maintain channel operability to the extent possible, and provide alarm and annunciation of detectable failures.
Those detectable CPC channel failures resulting in a loss of protective function and channel inoperability will result in a CPC Fail indication and associated Low DNBR and High LPD channel trips. Input failures resulting in a sensor out of range affecting one or more CPC process inputs will result in a CPC Sensor Failure indication. In addition, since the CPC software limits the sensor value to the lower or upper range limit value, a CPC channel trip would be generated in most cases due to these extreme values. Detectable failures, whether they result in a channel inoperability or not, are logged in a system event list.

Redundancy is demonstrated as follows:

a. Each CPC channel redundantly processes analog process and nuclear instrumentation inputs. Only one of the two redundant analog processing modules is required to maintain operability.

b. CEA position is redundantly processed by two CEA Position Processors (CPPs) in each CPC channel, and transmitted to the appropriate CEACs in all four CPC channels over one way fiber-optically isolated data links. Only one source of CEA position is required to maintain channel operability.

c. Each CPC channel has two redundant operator interface panels, a maintenance test panel (MTP) in the Core Protection Calculator System (CPCS) cabinet, and an Operator's Module (OM) in the control room. Neither is required for the CPC to perform its safety related function. However, one must be functional to assist personnel in performing certain surveillances. Upon failure of the OM, MTP, or both, the CPC channel will remain operable.

Each CPCS channel contains six processor modules. Failures of these modules are treated as follows:

CPC Processor Module failure - this failure results in a CPC channel inoperability, as addressed by this LCO.
Aux CPC Processor Module failure - this failure does not result in a CPC channel inoperability since this module does not perform any safety related functions.
CEAC 1 Processor Module failure - this failure is addressed in LCO 3.3.3.
CEAC 2 Processor Module failure - this failure is addressed in LCO 3.3.3.
CPP 1 Processor Module failure - this failure is addressed in LCO 3.3.3.
CPP 2 Processor Module failure - this failure is addressed in LCO 3.3.3.

The CPC channels may be manually bypassed below 1E-4% NRTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable.
Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 requires the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required. These CR switches are administratively controlled via station procedure; therefore, the requirements of C.1 are continuously met.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.
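The failed Log power channel cases described above, as an added example that is not part of the PVNGS Bases or of any plant software: a simplified model in which one indicated log power value drives the automatic removal of both operating bypasses. The class and function names, the absence of bistable hysteresis, and the power histories are assumptions constructed for illustration.

```python
"""Added illustration: automatic operating-bypass removal fed by one log power channel."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BYPASS_SETPOINT = 1e-4  # % NRTP, the bypass permissive value quoted in the Bases


@dataclass(frozen=True)
class LogChannel:
    """Logarithmic power channel (hypothetical model).

    stuck_at=None is a healthy channel; a number is a frozen, failed
    indication in % NRTP.
    """
    stuck_at: Optional[float] = None

    def indicated(self, actual: float) -> float:
        return actual if self.stuck_at is None else self.stuck_at


@dataclass(frozen=True)
class Bypasses:
    hi_log: bool    # Logarithmic Power Level - High trip bypassed
    dnbr_lpd: bool  # CPC DNBR - Low / LPD - High trips bypassed


def auto_remove(b: Bypasses, indicated: float) -> Bypasses:
    """Automatic removal only: a bypass survives while the INDICATED power
    stays on the side of the setpoint where that bypass is permitted."""
    return Bypasses(
        hi_log=b.hi_log and indicated >= BYPASS_SETPOINT,
        dnbr_lpd=b.dnbr_lpd and indicated < BYPASS_SETPOINT,
    )


def run(channel: LogChannel, start: Bypasses,
        actual_powers: List[float]) -> Tuple[Bypasses, List[Tuple[float, str]]]:
    """Step through actual power values and record every step at which a
    bypass is still in although ACTUAL power no longer permits it."""
    state, findings = start, []
    for actual in actual_powers:
        state = auto_remove(state, channel.indicated(actual))
        if state.hi_log and actual < BYPASS_SETPOINT:
            findings.append((actual, "Hi-Log bypass not removed"))
        if state.dnbr_lpd and actual >= BYPASS_SETPOINT:
            findings.append((actual, "DNBR/LPD bypass not removed"))
    return state, findings


# Constructed power histories in % NRTP (illustrative, not plant data).
POWER_DECREASE = [1e-2, 1e-3, 1e-5, 1e-6]
POWER_INCREASE = [1e-6, 1e-5, 1e-3, 1e-2]
HI_LOG_BYPASSED = Bypasses(hi_log=True, dnbr_lpd=False)
DNBR_LPD_BYPASSED = Bypasses(hi_log=False, dnbr_lpd=True)

if __name__ == "__main__":
    cases = [
        ("healthy, power decreasing", LogChannel(), HI_LOG_BYPASSED, POWER_DECREASE),
        ("failed high, power decreasing", LogChannel(1.0), HI_LOG_BYPASSED, POWER_DECREASE),
        ("healthy, power increasing", LogChannel(), DNBR_LPD_BYPASSED, POWER_INCREASE),
        ("failed low, power increasing", LogChannel(1e-8), DNBR_LPD_BYPASSED, POWER_INCREASE),
    ]
    for label, channel, start, history in cases:
        final, findings = run(channel, start, history)
        print(f"{label}: final={final} findings={findings}")
```

In this model each failure direction defeats exactly one of the two removal features, which is why the Bases treat both as INOPERABLE once the Log channel itself has failed rather than reasoning about the failure direction.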
Interlocks/Bypasses

The LCO on operating bypass permissive removal channels requires that the automatic operating bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODEs addressed in the specific LCO for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed. Refer also to B 3.3.5 for ESFAS operating bypasses.

This LCO applies to the operating bypass removal feature only. If the bypass enable function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level - High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint.

The interlock function Allowable Values are based upon analysis of functional requirements for the bypassed function. These are discussed above as part of the LCO discussion for the affected functions.

APPLICABILITY

This LCO is applicable to the RPS Instrumentation in MODES 1 and 2. LCO 3.3.2 is applicable to the RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal. The requirements for the CEACs in MODES 1 and 2 are addressed in LCO 3.3.3. The RPS Matrix Logic, Initiation Logic, RTCBs, and Manual Trips in MODES 1, 2, 3, 4, and 5 are addressed in LCO 3.3.4.

Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during AOOs and assists the ESFAS in providing acceptable consequences during accidents.
Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:

The Logarithmic Power Level - High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events.

The Steam Generator Pressure-Low trip is required in MODE 3, with the RTCBs closed, to provide protection for steam line break events in MODE 3.

The Logarithmic Power Level - High trip and the Steam Generator Pressure-Low trip in these lower MODES are addressed in LCO 3.3.2. The Logarithmic Power Level - High trip is bypassed prior to MODE 1 entry and is not required in MODE 1.

The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint is less conservative than the Allowable Value in Table 3.3.1-1, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.
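The drift check described above, together with the footnote (aa) rules given earlier for the as-found and as-left settings, as an added example that is not taken from the PVNGS setpoint calculations. It generalizes the rule to both trip directions; the names, the assumption that the AFT and ALT bands are symmetric about the DSp, and every numeric value are constructed for illustration.

```python
"""Added illustration: as-found / as-left evaluation of one trip channel."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Result(Enum):
    ACCEPTABLE = "acceptable"
    EVALUATE = "operable, instrument performance evaluation required"
    INOPERABLE = "declare channel inoperable"


@dataclass(frozen=True)
class ChannelLimits:
    trips_on_increase: bool  # True for a "- High" Function, False for "- Low"
    allowable_value: float   # AV, the operability limit
    design_setpoint: float   # DSp, the field installed setting
    aft: float               # As-Found Tolerance (assumed symmetric about DSp)
    alt: float               # As-Left Tolerance (assumed symmetric about DSp)

    def __post_init__(self) -> None:
        if self.aft < 0 or self.alt < 0:
            raise ValueError("tolerances must be non-negative")
        if not self.conservative(self.design_setpoint):
            raise ValueError("DSp must be conservative with respect to the AV")

    def conservative(self, setting: float) -> bool:
        """True if `setting` actuates no later than the AV would."""
        if self.trips_on_increase:
            return setting <= self.allowable_value
        return setting >= self.allowable_value


def evaluate(limits: ChannelLimits, as_found: float, as_left: float,
             functioning: bool = True) -> Tuple[Result, List[str]]:
    """Apply the three inoperability tests, then the AFT evaluation test."""
    reasons: List[str] = []
    if not functioning:
        reasons.append("instrument is not functioning as required")
    if not limits.conservative(as_found):
        reasons.append("as-found setting is non-conservative with respect to the AV")
    if abs(as_left - limits.design_setpoint) > limits.alt:
        reasons.append("as-left setting is not within the ALT of the DSp")
    if reasons:
        return Result.INOPERABLE, reasons
    if abs(as_found - limits.design_setpoint) > limits.aft:
        # Footnote (aa) Part 1: outside AFT but conservative to the AV.
        return Result.EVALUATE, [
            "as-found setting is outside the AFT but conservative with respect to the AV"
        ]
    return Result.ACCEPTABLE, []


# Constructed limits in arbitrary units (not values from Table 3.3.1-1).
LOW_TRIP = ChannelLimits(trips_on_increase=False, allowable_value=950.0,
                         design_setpoint=960.0, aft=6.0, alt=3.0)
HIGH_TRIP = ChannelLimits(trips_on_increase=True, allowable_value=105.0,
                          design_setpoint=100.0, aft=3.0, alt=1.0)

if __name__ == "__main__":
    surveillance = [  # (limits, as-found, as-left), constructed readings
        (LOW_TRIP, 961.0, 960.5),
        (LOW_TRIP, 952.0, 960.0),
        (LOW_TRIP, 948.0, 960.0),
        (LOW_TRIP, 961.0, 965.0),
        (HIGH_TRIP, 96.0, 100.0),
    ]
    for limits, found, left in surveillance:
        result, why = evaluate(limits, found, left)
        print(f"as-found={found} as-left={left}: {result.value} {why}")
```

A reading outside the AFT on the conservative side still returns the evaluation result, because the tolerance check looks at drift magnitude, not only at its direction.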
ACTIONS

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected functions provided by that channel must be declared inoperable, and the unit must enter the Condition for the particular protection Function affected.

When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation.

One Note has been added to the ACTIONS. Note 1 has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

With a channel process measurement circuit that affects multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below:

Process Measurement Circuit               Functional Unit (Bypassed or Tripped)

1. Linear Power                           Variable Overpower (RPS)
   (Subchannel or Linear)                 Local Power Density-High (RPS)
                                          DNBR-Low (RPS)

2. Pressurizer Pressure-High              Pressurizer Pressure-High (RPS)
   (Narrow Range)                         Local Power Density-High (RPS)
                                          DNBR-Low (RPS)

3. Steam Generator Pressure-Low           Steam Generator Pressure-Low (RPS)
                                          Steam Generator #1 Level-Low (ESF)
                                          Steam Generator #2 Level-Low (ESF)

4. Steam Generator Level-Low              Steam Generator Level-Low (RPS)
   (Wide Range)                           Steam Generator #1 Level-Low (ESF)
                                          Steam Generator #2 Level-Low (ESF)

5. Core Protection Calculator             Local Power Density-High (RPS)
                                          DNBR-Low (RPS)

A.1 and A.2

Condition A applies to the failure of a single trip channel or associated instrument channel inoperable in any RPS automatic trip Function. RPS coincidence logic is two-out-of-four.

If one RPS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip in 1 hour (Required Action A.1). The 1 hour allotted to bypass or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel in bypass, the coincidence logic is now in a two-out-of-three configuration.

The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a reactor trip.

The intent of this requirement is that should a failure occur that cannot be repaired during power operation, then continued operation is allowed without requiring a plant shutdown. However, the failure needs to be repaired during the next MODE 5 outage. Allowing the unit to exit MODE 5 is acceptable, as the appropriate retest may not be possible until normal operating pressures and temperatures are achieved. If the failure occurs while in MODE 5, then the problem needs to be resolved during that shutdown, and OPERABILITY restored prior to the subsequent MODE 2 entry.
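The coincidence-logic configurations described for Condition A above and for Condition B in the text that follows, as an added example that is not part of the Bases document: a simplified Python model in which the State names, the function names and the treatment of an untreated failed channel as unable to vote are assumptions made for illustration.

```python
"""Added example: simplified model of the RPS two-out-of-four coincidence logic."""
from collections import Counter
from enum import Enum

VOTES_TO_TRIP = 2   # "RPS coincidence logic is two-out-of-four"
CHANNEL_COUNT = 4


class State(Enum):
    OPERABLE = "operable"  # votes when its bistable sees a trip condition
    BYPASSED = "bypassed"  # trip channel bypass: taken out of the vote
    TRIPPED = "tripped"    # placed in trip: a standing vote to trip
    FAILED = "failed"      # inoperable and not yet bypassed or tripped;
                           # assumed here to be unable to vote (worst case)


def effective_logic(states):
    """Return (votes_needed, voters) for one trip Function.

    votes_needed is the number of further trip votes required and voters is
    the number of channels still able to cast one. votes_needed == 0 means
    the coincidence is already satisfied, i.e. a reactor trip.
    """
    if len(states) != CHANNEL_COUNT:
        raise ValueError("expected one state for each of the four channels")
    count = Counter(states)
    if count[State.BYPASSED] > 1:
        # The Bases state that it is not possible to bypass more than one channel.
        raise ValueError("interlock: only one channel may be bypassed")
    votes_needed = max(VOTES_TO_TRIP - count[State.TRIPPED], 0)
    voters = count[State.OPERABLE]
    return votes_needed, voters


def describe(states):
    """Name the configuration the way the Bases do, e.g. '2-out-of-3'."""
    votes_needed, voters = effective_logic(states)
    if votes_needed == 0:
        return "reactor trip"
    return f"{votes_needed}-out-of-{voters}"


def single_failure_exposure(states):
    """Report what one additional failure could do in this configuration."""
    votes_needed, voters = effective_logic(states)
    return {
        "reactor_tripped": votes_needed == 0,
        # One more channel failing to vote leaves too few voters to trip.
        "one_more_failure_prevents_trip": votes_needed > 0 and voters - 1 < votes_needed,
        # A single spurious vote from any remaining voter completes the coincidence.
        "one_spurious_signal_causes_trip": votes_needed == 1 and voters >= 1,
    }


if __name__ == "__main__":
    O, B, T, F = State.OPERABLE, State.BYPASSED, State.TRIPPED, State.FAILED
    # Constructed walk-through of the states discussed under Conditions A and B.
    walk = [
        ("all four channels OPERABLE", [O, O, O, O]),
        ("Condition A: failed channel bypassed", [B, O, O, O]),
        ("second channel fails, not yet tripped", [B, F, O, O]),
        ("Condition B: one bypassed, one tripped", [B, T, O, O]),
        ("second channel placed in trip", [T, T, O, O]),
    ]
    for label, states in walk:
        print(f"{label:40s} {describe(states):14s} {single_failure_exposure(states)}")
```

In this model the one-out-of-two configuration cannot be defeated by one more failed channel, but a single spurious signal trips the reactor, which is the trade the Bases accept for Condition B.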
B.1

Condition B applies to the failure of two channels in any RPS automatic trip Function.

Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic; but with another channel failed, the RPS may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.

One of the two inoperable channels will need to be restored to operable status prior to the next required CHANNEL FUNCTIONAL TEST, because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reactor trip. Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.

C.1, C.2.1, and C.2.2

Condition C applies to one automatic bypass removal channel inoperable.
If the inoperable operating bypass removal channel for any operating bypass channel cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the affected automatic trip channel placed in maintenance (trip channel) bypass or trip. The operating bypass removal channel and the automatic trip channel must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and D.2

Condition D applies to two inoperable automatic operating bypass removal channels. If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the operating bypass either removed or one automatic trip channel placed in maintenance (trip channel) bypass and the other in trip within 1 hour. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST, or the plant must shut down per LCO 3.0.3 as explained in Condition B.

E.1

Condition E is entered when the Required Action and associated Completion Time of Condition A, B, C, or D are not met. If the Required Actions associated with these Conditions cannot be completed within the required Completion Time, the reactor must be brought to a MODE where the Required Actions do not apply.
The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

The SRs for any particular RPS Function are found in the SR column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.

SR 3.3.1.1

Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In the case of RPS trips with multiple inputs, such as the DNBR and LPD inputs to the CPCs, a CHANNEL CHECK must be performed on all inputs.

SR 3.3.1.2

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The 12 hours after reaching 70% RTP is for plant stabilization, data taking, and flow verification. This check (and if necessary, the adjustment of the CPC addressable constant flow coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications, as determined by the Core Operating Limits Supervisory System (COLSS). The flow measurement uncertainty may be included in the BERR1 term in the CPC and is equal to or greater than 4%.

SR 3.3.1.3

The CPC System Event Log is checked to monitor the CPC channel performance, including redundant features not required for the CPC to perform its safety related trip function. The system event log provides a historical record of the last thirty detected CPC channel error conditions. A detected error condition may not render a channel inoperable, unless it is accompanied by a CPC Fail indication. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.4

A daily calibration (heat balance) is performed when THERMAL POWER is 20%. The Linear Power Level signal and the CPC addressable constant multipliers are adjusted to make the CPC T power and nuclear power calculations agree with the calorimetric calculation if the absolute difference is 2% when THERMAL POWER is 80% RTP, and -0.5% to 10% when THERMAL POWER is between 20% and 80%.
The value of 2% when THERMAL POWER is 80% RTP, and -0.5% to 10% when THERMAL POWER is between 20% and 80% is adequate because this value is assumed in the safety analysis. These checks (and, if necessary, the adjustment of the Linear Power Level signal and the CPC addressable constant coefficients) are adequate to ensure that the accuracy of these CPC calculations is maintained within the analyzed error margins. The power level must be > 20% RTP to obtain accurate data. At lower power levels, the accuracy of calorimetric data is questionable.

The tolerance between 20% and 80% RTP is +10% to reduce the number of adjustments required as the power level increases. The -0.5% tolerance between 20% and 80% RTP is based on the reduced accuracy of the calorimetric data inputs at low power levels. Performing a calorimetric calibration with a -0.5% tolerance at low power levels ensures the difference will remain within -2.0% when power is increased above 80% RTP. If a calorimetric calculation is performed above 80% RTP, it will use accurate inputs to the calorimetric calculation available at higher power levels. When the power level is decreased below 80% RTP an additional performance of the SR to the -0.5% to 10% tolerance is not required if the SR has been performed above 80% RTP. During any power ascension from below 80% to above 80% RTP, the calibration requirements of ITS SR 3.3.1.4 must be met (except during PHYSICS TESTS, as allowed by the Note in SR 3.3.1.4). This is accomplished by performing SR 3.3.1.4 between 75% and 80% RTP during power ascension with an acceptance criteria of -0.5% to <2% to bound the requirements for both below and above 80% RTP.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Frequency is modified by a Note indicating this Surveillance need only be performed within 12 hours after reaching 20% RTP. The 12 hours after reaching 20% RTP is required for plant stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at lower power levels. A second Note in the SR indicates the SR may be suspended during PHYSICS TESTS. The conditional suspension of the daily calibrations under strict administrative control is necessary to allow special testing to occur.

SR 3.3.1.5

The RCS flow rate indicated by each CPC is verified to be less than or equal to the RCS total flow rate. The Note indicates the Surveillance is performed within 12 hours after THERMAL POWER is 70% RTP. This check (and, if necessary, the adjustment of the CPC addressable flow constant coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications as determined either using the reactor coolant pump differential pressure instrumentation and the ultrasonic flow meter adjusted pump curves or by a calorimetric calculation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.6

The three vertically mounted excore nuclear instrumentation detectors in each channel are used to determine APD for use in the DNBR and LPD calculations. Because the detectors are mounted outside the reactor vessel, a portion of the signal from each detector is from core sections not adjacent to the detector.
This is termed shape annealing and is compensated for after every refueling by performing SR 3.3.1.11, which adjusts the gains of the three detector amplifiers for shape annealing. SR 3.3.1.6 ensures that the preassigned gains are still proper. When power is < 15% the CPCs do not use the excore generated signals for axial flux shape information. The Note allowing 12 hours after reaching 15% RTP is required for plant stabilization and testing. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7

A CHANNEL FUNCTIONAL TEST on each channel is performed to ensure the entire channel will perform its intended function when needed. The SR is modified by two Notes. Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. Note 2 allows the CHANNEL FUNCTIONAL TEST for the Logarithmic Power Level - High channels to be performed 2 hours after logarithmic power drops below 1E-4% NRTP.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 8. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.
The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

Matrix Logic Tests

Matrix Logic tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Tests

Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, thereby opening the affected RTCB. The RTCB must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The CPC and CEAC channels and excore nuclear instrumentation channels are tested separately.

The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector. The power range excore test signal is inserted at the drawer input, since there is no preamplifier.

The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using software.
This software includes preassigned addressable constant values that may differ from the current values. Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants.

SR 3.3.1.8

A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

Operating experience has shown this Frequency to be satisfactory. The detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the calorimetric calibration (SR 3.3.1.4) and the linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators.

SR 3.3.1.9

SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION.
CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the calorimetric calibration (SR 3.3.1.4) and the linear subchannel gain check (SR 3.3.1.6).

SR 3.3.1.10

A CHANNEL FUNCTIONAL TEST is performed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.11

The three excore detectors used by each CPC channel for axial flux distribution information are far enough from the core to be exposed to flux from all heights in the core, although it is desired that they only read their particular level.
The CPCs adjust for this flux overlap by using the predetermined shape annealing matrix elements in the CPC software.

After refueling, it is necessary to re-establish or verify the shape annealing matrix elements for the excore detectors based on more accurate incore detector readings. This is necessary because refueling could possibly produce a significant change in the shape annealing matrix coefficients.

Incore detectors are inaccurate at low power levels. THERMAL POWER should be significant but < 70% to perform an accurate axial shape calculation used to derive the shape annealing matrix elements.

By restricting power to 70% until shape annealing matrix elements are verified, excessive local power peaks within the fuel are avoided. Operating experience has shown this Frequency to be acceptable.

SR 3.3.1.12

SR 3.3.1.12 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.7, except SR 3.3.1.12 is applicable only to operating bypass functions and is performed once within 92 days prior to each startup. Proper operation of operating bypass permissives is critical during plant startup because the operating bypasses must be in place to allow startup operation and must be automatically removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify operating bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed.
This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.7. Therefore, further testing of the operating bypass function after startup is unnecessary.

SR 3.3.1.13

This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from the records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements" (Ref. 12), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal.
Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

REFERENCES

1. 10 CFR 50, Appendix A, GDC 21.
2. 10 CFR 100.
3. NRC Safety Evaluation Report, July 15, 1994.
4. UFSAR, Chapter 7.
5. UFSAR, Chapters 6 and 15.
6. 10 CFR 50.49.
7. "Calculation of Trip Setpoint Values, Plant Protection System," CEN-286(v), or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip function.
8. UFSAR, Section 7.2, Tables 7.2-1 and 7.3-11A.
9. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.
10. CEN-305-P, "Functional Design Requirements for a Core Protection Calculator."
11. CEN-304-P, "Functional Design Requirements for a Control Element Assembly Calculator."
12. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."
13. CEN-323-P-A, "Reload Data Block Constant Installation Guidelines", Combustion Engineering, Inc., September, 1986.
14. UFSAR Section 1.8, "Regulatory Guide 1.105: Instrument Setpoints (Revision 1, November 1976)".

B 3.3 INSTRUMENTATION

B 3.3.2 Reactor Protective System (RPS) Instrumentation - Shutdown

BASES

BACKGROUND

The RPS initiates a reactor trip to protect against violating the core fuel design limits and reactor coolant pressure boundary (RCPB) integrity during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Except for trip Functions 2 and 3, the LSSS defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs). For Trip Functions 2 and 3, the UFSAR Trip Setpoint is the LSSS.
During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

• The departure from nucleate boiling ratio shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling;

• Fuel centerline melting shall not occur; and

• The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RPS is segmented into four interconnected modules. These modules are:

• Measurement channels;

• Bistable trip units;

• RPS Logic; and

• Reactor trip circuit breakers (RTCBs).

This LCO applies to the Logarithmic Power Level - High trip in MODES 3, 4, and 5 with the RTCBs closed and the CEAs capable of withdrawal. In MODES 1 and 2, this trip function is addressed in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating." LCO 3.3.12, "Boron Dilution Alarm System (BDAS)," applies when the RTCBs are open.

This LCO applies to the Steam Generator #1 and the Steam Generator #2 Pressure-Low trip in MODE 3, with the RTCBs closed and the CEAs capable of withdrawal.
In MODES 1 and 2, this trip function is addressed in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating."

Measurement Channels and Bistable Trip Units

The measurement channels providing input to the Logarithmic Power Level - High trip consist of the four logarithmic nuclear instrumentation channels detecting neutron flux leakage from the reactor vessel. Other aspects of the Logarithmic Power Level - High trip are similar to the other measurement channels and bistables. These are addressed in the Background section of LCO 3.3.1.

Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation can be similarly tested. UFSAR, Section 7.2 (Ref. 3), provides more detail on RPS testing.

APPLICABLE SAFETY ANALYSES

The RPS functions to maintain the SLs during AOOs and mitigates the consequence of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. Noncredited Functions include the Steam Generator Water Level - High Trip. The Steam Generator Water Level - High Trip is purely equipment protective, and its use minimizes the potential for equipment damage.
The Logarithmic Power Level High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

The Steam Generator Pressure-Low trip function provides shutdown margin to prevent or minimize the return to power, following a large Main Steam Line Break (MSLB) in MODE 3.

With less than 4 RCPs running the trip setpoint for the Logarithmic Power Level-High trip is reduced to 10^-4% NRTP. The lower setpoint is required for a bank CEA withdrawal with less than 4 RCPs running.

In MODES 2, 3, 4, and 5, with the RTCBs closed, and the Control Element Assembly (CEA) Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events, and excessive cooldown due to a MSLB originating when logarithmic power is < 1E-4% NRTP. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in this LCO. MODE 2 is addressed in LCO 3.3.1.

In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level High trip does not have to be OPERABLE. The indication and alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12 "Boron Dilution Alarm System (BDAS)".

Interlock/Bypasses

The operating bypasses and their Allowable Values are addressed in footnotes to Table 3.3.2-1. They are not otherwise addressed as specific Table entries.
The automatic operating bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The basis for the Logarithmic Power Level-High operating bypass is discussed under individual trips in the LCO section.

The RPS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO requires the Logarithmic Power Level High, the Steam Generator #1 Pressure-Low, and the Steam Generator #2 Pressure-Low, RPS Functions to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Function.

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values (AVs) are specified for this RPS trip Function in the LCO. The AV is considered an operability limit for the channel. If the as-found instrument setting is found to be non-conservative with respect to the AV, or the as-left instrument setting cannot be returned to a setting within As-Left Tolerance (ALT), or the instrument is not functioning as required; then the instrument channel shall be declared inoperable. Nominal trip setpoints are specified in the plant specific setpoint calculations.
The nominal setpoint is selected to ensure the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 4). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

This LCO requires all four channels of the Logarithmic Power Level High to be OPERABLE in MODES 3, 4, or 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal.

A CEA is considered capable of withdrawal when power is applied to the Control Element Drive Mechanisms (CEDMs). There are several methods used to remove power from the CEDMs, such as de-energizing the CEDM MGs, opening the CEDM MG output breakers, opening the Control Element Assembly Control System (CEDMCS) CEA breakers, opening the RTCBs, or disconnecting the power cables from the CEDMs. Any method that removes power from the CEDMs may be used. The CEAs are still capable of withdrawal if the CEDMCS withdrawal circuits are disabled with power applied to the CEDMs because failures in the CEDMCS could result in CEA withdrawal.
This LCO requires all four channels of Steam Generator #1 Pressure-Low, and Steam Generator #2 Pressure-Low, to be OPERABLE in MODE 3, when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal. These RPS functions are not required in MODES 4 and 5 because the Steam Generator temperature is low, therefore the energy release and resulting cooldown following a large MSLB in MODES 4 and 5 is not significant.

Footnote (e), which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument set points are found not to be conservative with respect to the as-found acceptance criteria.

Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability. Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends.

Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint.
The specified field installed trip setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained.

If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within the ALT, or the instrument is not functioning as required; then the instrument channel shall be declared inoperable.

The Allowable Values are high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level High reactor trips during normal plant operations. The Allowable Values are low enough for the system to maintain a safety margin for unacceptable fuel cladding damage should a CEA withdrawal or MSLB event occur.

The Logarithmic Power Level High trip may be bypassed when logarithmic power is above 1E-4% NRTP to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when logarithmic power decreases below 1E-4% NRTP.
Above 1E-4% NRTP, the Variable Over Power High and Pressurizer Pressure High trips provide protection for reactivity transients.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 requires the bypass channel to be disabled.
Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required. These CR switches are administratively controlled via station procedure; therefore, the requirements of C.1 are continuously met.

APPLICABILITY

This LCO is applicable to the RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal. LCO 3.3.1 is applicable to the RPS Instrumentation in MODES 1 and 2. The requirements for the CEACs in MODES 1 and 2 are addressed in LCO 3.3.3. The RPS Matrix Logic, Initiation Logic, RTCBs, and Manual Trips in MODES 1, 2, 3, 4, and 5 are addressed in LCO 3.3.4.

Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The trips are designed to take the reactor subcritical, which maintains the SLs during AOOs and assists the Engineered Safety Features Actuation System (ESFAS) in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:

The Logarithmic Power Level High trip, RPS Logic, RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events. The Logarithmic Power Level High trip in these lower MODES is addressed in this LCO. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.4, "Reactor Protective System (RPS) Logic and Trip Initiation."
The Steam Generator #1 Pressure-Low, and the Steam Generator #2 Pressure-Low trips, RPS Logic, RTCBs, and Manual Trip are required in MODE 3 with the RTCBs closed, to provide protection for large MSLB events in MODE 3. The Steam Generator Pressure-Low trip in this lower MODE is addressed in this LCO. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.4, "Reactor Protective System (RPS) Logic and Trip Initiation."

The applicability for the Logarithmic Power Level-High function is modified by a Note that allows the trip to be bypassed when logarithmic power is > 1E-4% NRTP, and the bypass is automatically removed when logarithmic power is ≤ 1E-4% NRTP.

ACTIONS

The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint is less conservative than the Allowable Value stated in the LCO, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.
In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the excore logarithmic power channel or RPS bistable trip unit is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the unit must enter the Condition for the particular protection Function affected.

With a channel process measurement circuit that affects multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below:

PROCESS MEASUREMENT CIRCUIT: Steam Generator Pressure-Low
FUNCTIONAL UNIT (Bypassed or Tripped):
Steam Generator Pressure - Low (RPS)
Steam Generator #1 Level - Low (ESF)
Steam Generator #2 Level - Low (ESF)

When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered, if applicable in the current MODE of operation.

A.1, and A.2

Condition A applies to the failure of a single trip channel or associated instrument channel inoperable in any RPS function. The RPS coincidence logic is two-out-of-four.

If one channel is inoperable, operation in MODES 3, 4, and 5 is allowed to continue, providing the inoperable channel is placed in bypass or trip in 1 hour (Required Action A.1). The 1 hour allotted to bypass or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel while ensuring that the risk involved in operating with the failed channel is acceptable.
The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel bypassed, the coincidence logic is now in a two-out-of-three configuration. The Completion Time is based on adequate channel to channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a reactor trip.

The intent of this requirement is that should a failure occur that cannot be repaired during power operation, then continued operation is allowed without requiring a plant shutdown. However, the failure needs to be repaired during the next MODE 5 outage. Allowing the unit to exit MODE 5 is acceptable, as the appropriate retest may not be possible until normal operating pressures and temperatures are achieved. If the failure occurs while in MODE 5, then the problem needs to be resolved during that shutdown, and OPERABILITY restored prior to the subsequent MODE 2 entry.

B.1

Condition B applies to the failure of two trip channels or associated instrument channels, in any RPS automatic trip function. Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels and still ensures the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic; but with another channel failed, the RPS may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected.
To correct the problem, the second channel is placed in trip. This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.

One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reactor trip. Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.

C.1, C.2.1, and C.2.2

Condition C applies to one automatic operating bypass removal channel inoperable. If the operating bypass removal channel for the high logarithmic power level operating bypass cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the operating bypass either removed or the affected automatic channel placed in trip or maintenance (trip channel) bypass. Both the operating bypass removal channel and the associated automatic trip channel must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and D.2

Condition D applies to two inoperable automatic operating bypass removal channels.
If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the operating bypass either removed or one automatic trip channel placed in maintenance (trip channel) bypass and the other in trip within 1 hour. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST or the plant must shut down per LCO 3.0.3, as explained in Condition B. Completion Times are consistent with Condition B.

E.1

Condition E is entered when the Required Actions and associated Completion Times of Condition A, B, C, or D are not met.

If Required Actions associated with these Conditions cannot be completed within the required Completion Time, all RTCBs must be opened, placing the plant in a condition where the RPS trip channels are not required to be OPERABLE. A Completion Time of 1 hour is a reasonable time to perform the Required Action, which maintains the risk at an acceptable level while having one or two channels inoperable.

SURVEILLANCE REQUIREMENTS

The SRs for any particular RPS function are found in the SR column of Table 3.3.2-1 for that function. The SRs are an extension of those listed in LCO 3.3.1, listed here because of their Applicability in these MODES.

SR 3.3.2.1

SR 3.3.2.1 is the performance of a CHANNEL CHECK of each RPS channel. This SR is identical to SR 3.3.1.1. Only the Applicability differs.
Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limits.

For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.2

A CHANNEL FUNCTIONAL TEST on each channel, except power range neutron flux, is performed to ensure the entire channel will perform its intended function when needed. This SR is identical to SR 3.3.1.7. Only the Applicability differs.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in the UFSAR, Section 7.2 (Ref. 3).
These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 6.

Matrix Logic Tests

Matrix Logic Tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Test

Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.3

SR 3.3.2.3 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.2.2, except SR 3.3.2.3 is applicable only to operating bypass functions and is performed once within 92 days prior to each startup. This SR is identical to SR 3.3.1.12. Only the Applicability differs.

Proper operation of operating bypass permissives is critical during plant startup because the operating bypasses must be in place to allow startup operation and must be automatically removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify operating bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 6). Once the operating bypasses are removed, the operating bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.2.2. Therefore, further testing of the operating bypass function after startup is unnecessary.

SR 3.3.2.4

This SR is identical to SR 3.3.1.9. Only the Applicability differs.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor (the sensor is excluded for the Logarithmic Power Level Function). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 6.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

SR 3.3.2.5

This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified.
Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 7) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

REFERENCES

1. 10 CFR 50.
2. 10 CFR 100.
3. UFSAR, Section 7.2 Tables 7.2-1 and 7.3-11A.

4. "Calculation of Trip Setpoint Values Plant Protection System, CEN-286(v)", or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip Function.
5. NRC Safety Evaluation Report, July 15, 1994.
6. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.
7. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."
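The coincidence behaviour described under ACTIONS A.1 and B.1 of B 3.3.2 (two-out-of-four, then two-out-of-three, two-out-of-two and one-out-of-two as channels are bypassed, failed or placed in trip) can be checked with a small model. This is an added example, not code from the PVNGS Bases or from any plant system; the channel names A to D, the class and method names, and the treatment of a failed channel as unable to vote are assumptions.

```python
from enum import Enum


class Ch(Enum):
    OPERABLE = "operable"  # bistable follows the process signal and can vote
    BYPASSED = "bypassed"  # maintenance (trip channel) bypass: vote removed
    TRIPPED = "tripped"    # channel placed in trip: vote forced
    FAILED = "failed"      # inoperable, not yet bypassed or tripped
                           # (assumption: such a channel cannot vote)


VOTES_REQUIRED = 2  # two-out-of-four coincidence


class TripFunction:
    """One RPS trip Function with four channels (names A-D are assumed)."""

    def __init__(self):
        self.state = {name: Ch.OPERABLE for name in "ABCD"}

    def bypass(self, name):
        # Interlock described in the LCO section: a second channel in the
        # same Function cannot be bypassed.
        others = [n for n, s in self.state.items()
                  if s is Ch.BYPASSED and n != name]
        if others:
            raise RuntimeError(f"interlock: channel {others[0]} is already bypassed")
        self.state[name] = Ch.BYPASSED

    def place_in_trip(self, name):
        self.state[name] = Ch.TRIPPED

    def fail(self, name):
        self.state[name] = Ch.FAILED

    def effective_logic(self):
        """Return (votes still needed, operable channels able to give them)."""
        forced = sum(s is Ch.TRIPPED for s in self.state.values())
        voters = sum(s is Ch.OPERABLE for s in self.state.values())
        return max(0, VOTES_REQUIRED - forced), voters

    def reactor_trip(self, bistables_tripped=()):
        """True if coincidence is met for the given set of tripped bistables."""
        votes = sum(
            s is Ch.TRIPPED or (s is Ch.OPERABLE and n in bistables_tripped)
            for n, s in self.state.items()
        )
        return votes >= VOTES_REQUIRED

    def single_failure_review(self):
        """Can one further failure of an OPERABLE channel cause or prevent a trip?"""
        needed, voters = self.effective_logic()
        return {
            "one_spurious_vote_trips_reactor": needed == 1,
            "one_lost_vote_prevents_trip": needed > 0 and voters - 1 < needed,
        }


def walk_through():
    """Condition A followed by Condition B, as (step, logic, review) tuples."""
    f = TripFunction()
    steps = []

    def record(step):
        steps.append((step, f.effective_logic(), f.single_failure_review()))

    record("all four channels OPERABLE")
    f.bypass("A")
    record("A.1: channel A bypassed")
    f.fail("B")
    record("second channel B fails")
    f.place_in_trip("B")
    record("B.1: channel B placed in trip")
    return steps


if __name__ == "__main__":
    for step, (needed, voters), review in walk_through():
        print(f"{step:32s} {needed}-out-of-{voters}  {review}")
```

The review column shows why the two-out-of-two state is the one to leave: it is the only step where a single lost vote prevents a trip, while one-out-of-two trades that for exposure to a single spurious vote.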

B 3.3 INSTRUMENTATION

B 3.3.3 Control Element Assembly Calculators (CEACs)

BASES

BACKGROUND

The Reactor Protective System (RPS) initiates a reactor trip to protect against violating the core Specified Acceptable Fuel Design Limits (SAFDLs) and breaching the Reactor Coolant Pressure Boundary (RCPB) during Anticipated Operational Occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features Systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying Limiting Safety System Settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The LSSS (defined in this Specification as the Allowable Value), in conjunction with the LCOs, establish the thresholds for protective system action to prevent exceeding acceptable limits during Design Basis Accidents.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are: The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling; Fuel centerline melting shall not occur; and The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RPS is segmented into four interconnected modules. These modules are: Measurement channels; Bistable trip units; RPS Logic; and Reactor Trip Circuit Breakers (RTCBs).

This LCO addresses the CEACs. LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating," provides a description of this equipment in the RPS.

The excore nuclear instrumentation, the Core Protection Calculators (CPCs), and the CEACs are considered components in the measurement channels of the Variable Over Power-High, Logarithmic Power Level - High, DNBR - Low, and Local Power Density (LPD) - High trips. The CEACs are addressed by this Specification.

Each CPC receives Control Element Assembly (CEA) deviation penalty factors from both CEACs in that channel and uses the larger of the penalty factors from the two CEACs in the calculation of DNBR and LPD. CPCs are further described in the Background section of LCO 3.3.1.

The CEACs perform the calculations required to determine the position of CEAs within their subgroups for the CPCs. Two independent CEACs in each CPC channel compare the position of each CEA to its subgroup position.
If a deviation is detected by either CEAC, an annunciator sounds and appropriate "penalty factors" are transmitted to the CPC Processor in that channel. These penalty factors conservatively adjust the effective operating margins to the DNBR - Low and LPD - High trips.

Each CEA has two separate reed switch position transmitter (RSPT) assemblies mounted outside the Reactor Coolant Pressure Boundary (RCPB), designated RSPT 1 and RSPT 2. CEA position from the RSPTs is processed by CEA Position Processors (CPPs) located in each CPC channel. The CPPs transmit CEA position to the appropriate CEAC in all four CPC channels over optically isolated datalinks, such that CEAC 1 in all channels receives the position of all CEAs based upon RSPT 1, and CEAC 2 receives the position of all CEAs based upon RSPT 2. Thus, the position of all CEAs is independently monitored by both CEACs in each CPC channel.

The CPCs display the position of each CEA to the operator on a separate single CEA Position Flat Panel Display. Each CPC channel is connected to the display by means of an optically isolated data link. The operator may select the channel for display. Selecting channel A or B will display CEA position based upon RSPT 1 on each CEA, whereas selecting channel C or D will display CEA position based upon RSPT 2 on each CEA.

Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested. CPC and CEAC functional testing is performed on a Refueling interval basis. UFSAR, Section 7.2 (Ref. 3), provides more detail on RPS testing.
Process transmitter calibration is normally performed on a refueling basis.

APPLICABLE SAFETY ANALYSIS

Each of the analyzed transients and accidents can be detected by one or more RPS Functions.

The effect of any misoperated CEA within a subgroup on the core power distribution is assessed by the CEACs, and an appropriately augmented power distribution penalty factor will be supplied as input to the CPCs. As the reactor core responds to the reactivity changes caused by the misoperated CEA and the ensuing reactor coolant and Doppler feedback effects, the CPCs will initiate a DNBR - Low or LPD - High trip signal if SAFDLs are approached.

Each CPC also directly monitors one "target CEA" from each subgroup and uses this information to account for excessive radial peaking factors for events involving CEA groups out of sequence and subgroup deviations within a group, without the need for CEACs.

Therefore, although the CEACs do not provide a direct reactor trip Function, their input to the CPCs is taken credit for in the CEA misoperation analysis.

The CEACs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO on the CEACs ensures that the CPCs are either informed of individual CEA position within each subgroup, using one or both CEACs in each channel, or that appropriate conservatism is included in the CPC calculations to account for the anticipated CEA deviations.

CEAC 1 in all four CPC channels monitors CEA position based upon RSPT 1 on all CEAs. CEAC 2 in all four channels monitors CEA position based upon RSPT 2 on all CEAs.
Each CPC uses the higher of the two deviation penalty factors transmitted by the channel CEACs. Thus only one OPERABLE CEAC is required in each channel to provide CEA deviation protection. Because a single RSPT is used to provide RSPT input to one CEAC in all four channels, this LCO requires both CEACs to be OPERABLE in each channel so that no sensor failure resulting in CEAC failure in multiple channels can prevent a required trip from occurring.

To increase reliability each CPC channel contains two CEA Position Processors (CPPs), which redundantly monitor the channel RSPT inputs, perform analog to digital conversion, and transmit the CEA position to the appropriate CEAC in all four CPC channels over separate one-way fiber optically isolated data links. The receiving CEAC will automatically switch to the backup CPP and associated data link upon failure of the preferred CPP or associated data link.

CPPs in CPC channels A and B together process all RSPT 1 CEA position inputs, and transmit them to CEAC 1 in all four CPC channels. Similarly, CPPs in channels C and D together process all RSPT 2 position inputs, and transmit them to CEAC 2 in all four CPC channels. Operation of at least one CPP and associated data links in each CPC channel is therefore required for both CEACs in all CPC channels to receive CEA position information.

Failure of both redundant CPPs in a channel or failure of redundant RSPT power supplies in that channel will cause the associated receiving CEACs in all channels to lose CEA position input on multiple CEAs. Failure of individual RSPTs will result in a subset of CEAs being identified as failed in the associated CEAC in multiple channels.
This LCO therefore addresses both individual channel and multiple channel CEAC inoperabilities.

APPLICABILITY

This LCO is applicable to the CEACs in MODES 1 and 2. The RPS Instrumentation in MODES 1 and 2 is addressed in LCO 3.3.1. The RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal is addressed in LCO 3.3.2. The RPS Matrix Logic, Initiation Logic, RTCB, and Manual Trips in MODES 1, 2, 3, 4, and 5 are addressed in LCO 3.3.4.

Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The trips are designed to take the reactor subcritical, which maintains the SLs during AOOs and assists the Engineered Safety Features Actuation System in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM.

Because CEACs provide the inputs to the DNBR - Low and LPD - High trips, they are required to be OPERABLE in MODES 1 and 2 for the same reasons.

ACTIONS

One Note has been added to the ACTIONS. Note 1 has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each CPC channel. The Completion Times of each inoperable Channel will be tracked separately, starting from the time the Condition was entered for that Channel.
A.1, A.2.1 and A.2.2

Condition A applies to the failure of one CEAC in one or more CPC channels. A CEAC failure affecting a single channel could result from failure within a CEAC processor module, whereas a CEAC failure in multiple channels could be caused by failure of redundant CPPs within a CPC channel. Thus, Required Actions address both possibilities.

A.1

Required Action A.1 provides for immediate declaration of affected CPC channel inoperability, and entry into Required Actions associated with LCO 3.3.1 for the DNBR-Low and LPD-High trip functions. This Required Action treats single CEAC failures in one or more channels in a manner consistent with other RPS failures in one or more channels, and might be the preferred action if only one CPC channel is affected. If the failure affects more than two CPC channels, Required Actions A.2.1 and A.2.2 would be preferable.

A.2.1 and A.2.2

Actions A.2.1 and A.2.2 accommodate a loss of CEA position monitoring capability by one CEAC in up to all four CPC channels. There are two CEACs per CPC channel, each providing CEA deviation input to the associated channel CPC. The CEACs and CPPs providing CEA position input to the CEACs include complex diagnostic software making it unlikely that a CEAC will fail without informing the CPC of its failed status. With one failed CEAC in one or more channels, the CPC in the affected channels will receive CEA deviation penalty factors from the remaining OPERABLE channel CEAC. If the second CEAC should fail (Condition B), the CPC will use large preassigned penalty factors.
The specific Required Actions are as follows:

With one CEAC inoperable in one or more channels, the second CEAC still provides a comprehensive set of comparison checks on individual CEAs within subgroups, as well as outputs to the affected CPCs, CEA deviation alarms, and position indication for display. Verification every 4 hours that each CEA is within 6.6 inches of the other CEAs in its group provides a check on the position of all CEAs and provides verification of the proper operation of the remaining CEAC. An OPERABLE CEAC will not generate penalty factors until deviations of > 9.0 inches within a subgroup are encountered.

The Completion Time of once per 4 hours is adequate based on operating experience, considering the low probability of an undetected CEA deviation coincident with an undetected failure in the remaining CEAC within this limited time frame.

As long as Required Action A.2.1 is accomplished as specified, the inoperable CEAC can be restored to OPERABLE status within 7 days. The Completion Time of 7 days is adequate for most repairs, while minimizing risk, considering that dropped CEAs are detectable by the redundant CEAC, and other LCOs specify Required Actions necessary to maintain DNBR and LPD margin.

B.1, B.2.1, B.2.2, B.2.3, B.2.4, B.2.5, and B.2.6

Condition B applies if the Required Action and associated Completion Time of Condition A are not met, or if both CEACs are inoperable in one or more CPC channels. Actions associated with this Condition involve two choices: Action B.1 immediately renders the affected CPC channels inoperable, thus requiring entry into the Required Actions associated with LCO 3.3.1.
Actions B.2.1 through B.2.6 disable the Control Element Drive Mechanism Control System (CEDMCS), while providing increased assurance that CEA deviations are not occurring and informing all OPERABLE CPC channels, via a software flag, that both CEACs are failed. This will ensure that the large penalty factor associated with two CEAC failures will be applied to the CPC calculations. The penalty factor for two failed CEACs is sufficiently large that power must be maintained significantly < 100% RTP if CPC generated reactor trips are to be avoided. The Completion Time of 4 hours is adequate to accomplish these actions while minimizing risks.

The Required Actions are as follows:

B.1

Required Action B.1 provides for immediate declaration of affected CPC channel inoperability, and entry into Required Actions associated with LCO 3.3.1 for the DNBR-Low and LPD-High trip functions. This Required Action treats failure of both CEACs in one or more channels in a manner consistent with other RPS failures in one or more channels. Similarly, this Required Action permits immediate declaration of channel inoperability and entry in the Required Actions of LCO 3.3.1 if the Required Actions and associated Completion Times of Condition A are not met. Required Action B.1 might be the preferred action if only one CPC channel is affected. If the failure affects more than two CPC channels, Required Actions B.2.1 through B.2.6 would be preferable.

B.2.1

Meeting the DNBR margin requirements of LCO 3.2.4, "DNBR" ensures that power level is within a conservative region of operation based on actual core conditions.
B.2.2

This Action requires that the CEAs are maintained fully withdrawn (all CEAs meet the requirements of LCO 3.1.6 and 3.1.7), except as required for specified testing or flux control via group #5. This verification ensures that undesired perturbations in local fuel burnup are prevented. The Upper Electrical Limit (UEL) CEA reed switches provide an acceptable indication of CEA position.

B.2.3

The "RSPT/CEAC Inoperable" addressable constant in each of the OPERABLE CPCs is set to indicate that both CEACs are inoperable. This provides a conservative penalty factor to ensure that a conservative effective margin is maintained by the CPCs in the computation of DNBR and LPD trips.

B.2.4

The CEDMCS is placed and maintained in "STANDBY MODE," except during CEA motion permitted by Required Action B.2, to prevent inadvertent motion and possible misalignment of the CEAs.

B.2.5

A comprehensive set of comparison checks on individual CEAs within groups must be made within 4 hours. Verification that each CEA is within 6.6 inches of other CEAs in its group provides a check that no CEA has deviated from its proper position within the group.

B.2.6

The Reactor Power Cutback (RPCB) System must be disabled. This ensures that CEA position will not be affected by RPCB operation.

C.1

Condition C is entered when the Required Action and associated Completion Time of Condition B is not met. If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the reactor must be brought to a MODE where the Required Actions do not apply.
The Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.3.1

Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limits. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.3.2

Deleted

SR 3.3.3.3

CHANNEL FUNCTIONAL TEST on each CEAC channel is performed to ensure the entire channel will perform its intended function when needed.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.4

SR 3.3.3.4 is the performance of a CHANNEL CALIBRATION.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 5.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.5

A CHANNEL FUNCTIONAL TEST is performed on the CEACs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY, including alarm and trip Functions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50.
2. 10 CFR 100.
3. UFSAR, Section 7.2.
4. NRC Safety Evaluation Report, July 15, 1994.
5. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.

B 3.3 INSTRUMENTATION

B 3.3.4 Reactor Protective System (RPS) Logic and Trip Initiation

BASES

BACKGROUND

The RPS initiates a reactor trip to protect against violating the core fuel design limits and reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are: The departure from nucleate boiling ratio shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling; Fuel centerline melting shall not occur; and The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits.
Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RPS is segmented into four interconnected modules. These modules are: Measurement channels; Bistable trip units; RPS Logic; and Reactor trip circuit breakers (RTCBs).

This LCO addresses the RPS Logic and RTCBs, including Manual Trip capability. LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating," provides a description of the role of this equipment in the RPS. This is summarized below:

RPS Logic

The RPS Logic, consisting of Matrix and Initiation Logic, employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths. Each trip path provides power to one of the four normally energized RTCB Initiation relays. The trip paths thus each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition.

Each trip path is responsible for opening one of the four RTCBs. The RTCB Initiation relays, when de-energized, interrupt power to the breaker undervoltage trip attachments and simultaneously apply power to the shunt trip attachments on each of the breakers. Actuation of either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs).

When a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four initiation relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all four RTCBs, tripping them open.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel.

The Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, and initiation relays and the initiation relay contacts in the RTCB control circuitry.
It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing.

Reactor Trip Circuit Breakers (RTCBs)

The reactor trip switchgear consists of four RTCBs. Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel such that the loss of either MG set does not de-energize the CEDMs. Power is supplied from the MG sets to the CEDMs via two redundant paths (trip legs). Trip legs 1 and 3 are in parallel with Trip legs 2 and 4. This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses.

Each of the two trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits.
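The coincidence, trip path and trip channel bypass behaviour described above can be followed in a small model. This is an added example, not part of the Technical Specification Bases and not plant software; the class and method names and the stuck-relay fault injection are assumptions made for illustration, and the breaker trip-leg arrangement is deliberately not modeled.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# One logic matrix per pair of bistable channels: AB, AC, AD, BC, BD, CD.
MATRICES = tuple("".join(pair) for pair in combinations(CHANNELS, 2))
TRIP_PATHS = (1, 2, 3, 4)  # trip path n feeds the Initiation relay for RTCB n


class BypassInterlockError(Exception):
    """The same parameter may be trip channel bypassed in one channel only."""


class RpsLogic:
    """Simplified two-out-of-four logic (illustrative model, hypothetical API)."""

    def __init__(self):
        self.bypassed = {}         # trip function -> the single bypassed channel
        self.stuck_relays = set()  # (matrix, trip_path) relays that fail to drop out

    def bypass(self, function, channel):
        """Apply a trip channel bypass, enforcing the interlock from the text."""
        held = self.bypassed.get(function)
        if held is not None and held != channel:
            raise BypassInterlockError(
                f"{function} is already bypassed in channel {held}")
        self.bypassed[function] = channel

    def coincident_matrices(self, tripped):
        """Return matrices that see the same function tripped in both channels.

        `tripped` maps a trip function name to the set of channels whose
        bistable for that function is in the tripped state.
        """
        hits = []
        for matrix in MATRICES:
            for function, channels in tripped.items():
                # A bypassed bistable has its contacts shorted in its three
                # matrices, so that channel cannot contribute to a coincidence.
                live = set(channels) - {self.bypassed.get(function)}
                if matrix[0] in live and matrix[1] in live:
                    hits.append(matrix)
                    break
        return hits

    def open_rtcbs(self, tripped):
        """Return the RTCBs whose trip path has been opened."""
        hits = self.coincident_matrices(tripped)
        opened = set()
        for path in TRIP_PATHS:
            # Six contacts in series, one per matrix: the path opens when any
            # coincident matrix's relay for this path actually de-energizes.
            if any((matrix, path) not in self.stuck_relays for matrix in hits):
                opened.add(path)
        return opened


if __name__ == "__main__":
    logic = RpsLogic()
    # Constructed inputs: one channel alone, then two channels, same function.
    print(logic.open_rtcbs({"DNBR - Low": {"A"}}))
    print(logic.open_rtcbs({"DNBR - Low": {"A", "C"}}))
    # Bypass DNBR - Low in channel A: A+B no longer trips, B+C still does.
    logic.bypass("DNBR - Low", "A")
    print(logic.open_rtcbs({"DNBR - Low": {"A", "B"}}))
    print(logic.open_rtcbs({"DNBR - Low": {"B", "C"}}))
    # Assumed fault: one AB matrix relay sticks; a third tripped channel
    # brings in the AC and BC matrices, which cover the stuck contact.
    faulty = RpsLogic()
    faulty.stuck_relays.add(("AB", 1))
    print(faulty.open_rtcbs({"DNBR - Low": {"A", "B"}}))
    print(faulty.open_rtcbs({"DNBR - Low": {"A", "B", "C"}}))
```
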
Each RTCB is operated by either a Manual Trip push button, a Supplementary Protection System (SPS) Trip relay, or an RPS actuated Initiation relay.

There are four Manual Trip push buttons; each push button operates one of the RTCBs. Depressing either of the push buttons in both trip legs will result in a reactor trip.

When a Manual Trip is initiated using the control room push buttons, the RPS trip paths and Initiation relays are not utilized and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS.

Manual Trip circuitry includes the push button and interconnecting wiring to the RTCBs necessary to actuate both the undervoltage and shunt trip attachments, but excludes the Initiation relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic.

Functional testing of the entire RPS, from bistable input through the opening of the individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. UFSAR, Section 7.2 (Ref. 3), explains RPS testing in more detail.

APPLICABLE SAFETY ANALYSES

Reactor Protective System (RPS) Logic

The RPS Logic provides for automatic trip initiation to maintain the SLs during AOOs and assist the ESF systems in ensuring acceptable consequences during accidents. All transients and accidents that call for a reactor trip assume the RPS Logic is functioning as designed.
Reactor Trip Circuit Breakers (RTCBs)

All of the transient and accident analyses that call for a reactor trip assume that the RTCBs operate and interrupt power to the CEDMs.

Manual Trip

The Manual Trip is part of the RPS circuitry and can be used by the operator to perform a controlled reactor shutdown. It is also used by the operator to shut down the reactor whenever any parameter is rapidly trending toward its trip setpoint. A Manual Trip accomplishes the same results as any one of the automatic trip Functions.

The RPS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Reactor Protective System (RPS) Logic

The LCO on the RPS Logic channels ensures that each of the following requirements is met: A reactor trip will be initiated when necessary; The required protection system coincidence logic is maintained (minimum two-out-of-three, normal two-out-of-four); and Sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance.

Failures of individual bistable relays and their contacts are addressed in LCO 3.3.1. This Specification addresses failures of the Matrix Logic not addressed in the above, such as the failure of matrix relay power supplies, or the failure of the trip channel bypass contact in the bypass condition.

A matrix logic is considered inoperable if a coincident trip in the same function in the two OPERABLE channels monitored by the Logic Matrix will not remove power from the coils of all four matrix relays. The OPERABILITY of the Matrix Logic is not affected by bypassed or inoperable measurement channels.
Loss of a single vital bus will de-energize one of the two power supplies in each of three matrices. This will result in two RTCBs opening; however, the remaining two closed RTCBs will prevent a reactor trip. For the purposes of this LCO, de-energizing up to three matrix power supplies due to a single failure is to be treated as a single channel failure, providing the affected matrix relays de-energize as designed, opening the affected RTCBs.

Each of the four Initiation Logic channels opens one RTCB if any of the six coincidence matrices de-energize their associated matrix relays. They thus perform a logical OR function. Each Initiation Logic channel has its own power supply and is independent of the others. An Initiation Logic channel includes the matrix relay through to the Initiation relay contacts, which open the RTCB.

An Initiation Logic is considered inoperable if the contacts on the initiation relay will not operate when power is removed from the coils of any of the six matrix relays in the trip paths.

It is possible for two Initiation Logic channels affecting the same trip leg to de-energize if a matrix power supply or vital instrument bus fails. This will result in opening the two affected RTCBs.

If one RTCB has been opened in response to a single RTCB channel, Initiation Logic channel, or Manual Trip channel failure, the affected RTCB may be closed for up to 1 hour for Surveillance on the OPERABLE Initiation Logic, RTCB, and Manual Trip channels. In this case, the redundant RTCB will provide protection if a trip should be required.
It is unlikely that a trip will be required during the Surveillance, coincident with a failure of the remaining series RTCB channel. If a single matrix power supply or vital bus failure has opened two RTCBs, Manual Trip and RTCB testing on the closed breakers cannot be performed without causing a trip.

1. Matrix Logic

This LCO requires six channels of Matrix Logic to be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when any RTCBs are closed and any CEA is capable of being withdrawn.

2. Initiation Logic

This LCO requires four channels of Initiation Logic to be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when the RTCBs are closed and any CEA is capable of being withdrawn.

3. Reactor Trip Circuit Breakers

The LCO requires four RTCB channels to be OPERABLE in MODES 1 and 2, as well as in MODES 3, 4, and 5 when the RTCBs are closed and any CEA is capable of being withdrawn.

Each channel consists of a breaker operated by the Initiation Logic or Manual Trip circuitry. Without reliable RTCBs and associated support circuitry, a reactor trip cannot occur whether initiated automatically or manually.

Each channel of RTCBs starts after the contacts that are actuated by the Initiation relay and the Manual Trip for each set of breakers. The Initiation relay actuated contacts and the upstream circuitry are considered to be RPS Logic. Manual Trip contacts and upstream circuitry are considered to be Manual Trip circuitry.
A Note associated with the ACTIONS states that if one RTCB has been opened in response to a single RTCB channel, Initiation Logic channel, or Manual Trip channel failure, the affected RTCB may be closed for up to 1 hour for Surveillance on the OPERABLE Initiation Logic, RTCB, and Manual Trip channels. In this case the redundant RTCB will provide protection. If a single matrix power supply or vital bus failure has opened two RTCBs, Manual Trip and RTCB testing on the closed breakers cannot be performed without causing a trip.

4. Manual Trip

The LCO requires all four Manual Trip channels to be OPERABLE in MODES 1 and 2, and MODES 3, 4, and 5 when the RTCBs are closed and any CEA is capable of being withdrawn.

Four independent push buttons are provided. Each push button is considered a channel and operates one of the four RTCBs. Depressing either of the two pushbuttons in both trip legs will cause an interruption of power to the CEDMs, allowing the CEAs to fall into the core. This design ensures that no single failure in any push button circuit can either cause or prevent a reactor trip.

Manual Trip push buttons are also provided at the reactor trip switchgear (locally) in case the control room push buttons become inoperable or the control room becomes uninhabitable. These are not part of the RPS and cannot be credited in fulfilling the LCO OPERABILITY requirements. Furthermore, LCO ACTIONS need not be entered due to failure of a local Manual Trip.

APPLICABILITY

This LCO is applicable to the RPS Matrix Logic, Initiation Logic, RTCB, and Manual Trips in MODES 1, 2, 3, 4, and 5.
The RPS Instrumentation in MODES 1 and 2 is addressed in LCO 3.3.1. The RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal is addressed in LCO 3.3.2. The requirements for the CEACs in MODES 1 and 2 are addressed in LCO 3.3.3.

The RPS Logic, RTCBs, and Manual Trip are required to be OPERABLE in any MODE when the CEAs are capable of being withdrawn off the bottom of the core (i.e., RTCBs closed and power available to the CEDMs). This ensures that the reactor can be tripped when necessary, but allows for maintenance and testing when the reactor trip is not needed. In MODES 3, 4, and 5 with the RTCBs open, the CEAs are not capable of withdrawal and these functions do not have to be OPERABLE.

The indication alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12, "Boron Dilution Alarm System (BDAS)".

ACTIONS

A.1

Condition A applies if one Matrix Logic channel is inoperable or three Matrix Logic channels are inoperable due to a common power source failure de-energizing three matrix power supplies in any applicable MODE. Loss of a single vital instrument bus will de-energize one of the two matrix power supplies in up to three matrices. This is considered a single matrix failure, providing the matrix relays associated with the failed power supplies de-energize as required. The channel must be restored to OPERABLE status within 48 hours. The Completion Time of 48 hours provides the operator time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable.
Operating experience has demonstrated that the probability of a random failure of a second Matrix Logic channel is low during any given 48 hour interval. If the channel cannot be restored to OPERABLE status within 48 hours, Condition E is entered.

B.1, B.2.1, and B.2.2

Condition B applies to one Initiation Logic channel, RTCB channel, or Manual Trip channel in MODES 1 and 2, since they have the same actions. MODES 3, 4, and 5, with the RTCBs shut, are addressed in Condition C. These Required Actions require opening of the affected RTCB, or the redundant RTCB in the affected Trip Leg. This removes the need for the affected Trip Leg by performing its associated safety function. With an RTCB open, the affected Functions are in one-out-of-two logic, which meets redundancy requirements, but testing on the OPERABLE channels cannot be performed without causing a reactor trip unless the RTCBs in the inoperable channels are closed to permit testing. Therefore, a Note has been added specifying that the RTCBs associated with one inoperable channel may be closed for up to 1 hour for the performance of an RPS CHANNEL FUNCTIONAL TEST.

Required Action B.1 provides for opening the RTCB associated with the inoperable Trip Leg within a Completion Time of 1 hour. This Required Action is conservative, since depressing the Manual Trip push button associated with either breaker in the other trip leg will cause a reactor trip. With this configuration, a single channel failure will not prevent a reactor trip. The allotted Completion Time is adequate for opening the affected RTCB while maintaining the risk of having it closed at an acceptable level.
Required Actions B.2.1 and B.2.2 provide for opening one of the redundant RTCB in the affected Trip leg within 1 hour and opening the affected RTCB within 48 hours. These actions allow a RTCB that fails to open to remain undisturbed for 48 hours for failure analysis, while placing the plant in a conservative condition. Opening either RTCB in the affected Trip leg ensures that opening either of the RTCBs in the other Trip leg will cause a reactor trip. This places the affected functions in one-out-of-two logic, which meets redundancy requirements. The allotted Completion Time to open one of the RTCBs in the affected Trip leg is adequate for opening the affected RTCB while maintaining the risk of having it closed at an acceptable level. The allotted action time to open the affected RTCB is adequate to preserve the failure information.

C.1

Condition C applies to the failure of one Initiation Logic channel, RTCB channel, or Manual Trip channel affecting the same trip leg in MODE 3, 4, or 5 with the RTCBs closed. The channel must be restored to OPERABLE status within 48 hours. If the inoperable channel cannot be restored to OPERABLE status within 48 hours, the affected RTCB must be opened. This removes the need for the affected channel by performing its associated safety function. With a RTCB open, the affected functions are in one-out-of-two logic, which meets redundancy requirements.

The Completion Time of 48 hours is consistent with that of other RPS instrumentation and should be adequate to repair most failures.

Testing on the OPERABLE channels cannot be performed without causing a reactor trip unless the RTCB in the inoperable channels is closed to permit testing.
Therefore, a Note has been added specifying that the RTCB associated with one inoperable channel may be closed for up to 1 hour for the performance of an RPS CHANNEL FUNCTIONAL TEST.

D.1

Condition D applies to the failure of both Initiation Logic channels or manual trips affecting the same trip leg. Since this will open two channels of RTCBs, this Condition is also applicable to RTCB channels in the same trip leg. This will open both sets of RTCBs in the affected trip leg, satisfying the Required Action of opening the affected RTCBs.

Of greater concern is the failure of the initiation circuit in a nontrip condition (e.g., due to two initiation relay failures). With only one Initiation Logic channel failed in a nontrip condition, there is still the redundant RTCB in the trip leg. With both failed in a nontrip condition, the reactor will not trip automatically when required. In either case the affected RTCBs must be opened immediately by using the appropriate Manual Trip push buttons, since each of the four push buttons opens one RTCB, independent of the initiation circuitry. Caution must be exercised, since depressing the wrong push buttons may result in a reactor trip.

If the affected RTCBs cannot be opened, Required Action E is entered. This would only occur if there is a failure in the Manual Trip circuitry or the RTCB(s).

E.1 and E.2

Condition E is entered if Required Actions associated with Condition A, B, or D are not met within the required Completion Time or, if for one or more Functions, more than one Manual Trip, Matrix Logic, Initiation Logic, or RTCB channel is inoperable for reasons other than Condition A or D.
If the RTCB associated with the inoperable channel, or the redundant RTCB in the affected Trip Leg cannot be opened, the reactor must be shut down within 6 hours and all the RTCBs opened. A Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required plant conditions from full power conditions in an orderly manner and without challenging plant systems and for opening RTCBs. All RTCBs should then be opened, placing the plant in a MODE where the LCO does not apply and ensuring no CEA withdrawal occurs.

SURVEILLANCE REQUIREMENTS

SR 3.3.4.1

A CHANNEL FUNCTIONAL TEST on each RPS Logic channel and Manual Trip channel is performed to ensure the entire channel will perform its intended function when needed.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 3. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. The first test, the bistable test, is addressed by SR 3.3.1.7 in LCO 3.3.1. This SR addresses the two tests associated with the RPS Logic: Matrix Logic and Trip Path.

Matrix Logic Tests

These tests are performed one matrix at a time. They verify that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state.
The Matrix Logic tests will detect any short circuits around the bistable contacts in the coincidence logic such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Tests

These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected RTCB. The RTCB must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

During the Matrix Logic and Initiation Logic tests, power is applied to the Matrix relay test coils. The test coils prevent an actuation during testing by preventing the Matrix relay contacts in the Initiation Logic from changing state during the test. This does not affect the Operability of the Initiation Logic since only one of the six logic combinations that are available to trip the Initiation Logic is affected during the test because only one Matrix Logic combination can be tested at any time. The remaining five matrix combinations available ensure that a trip in any three channels will de-energize all four Initiation paths.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.2

Each RTCB is actuated by an undervoltage coil and a shunt trip coil. The system is designed so that either de-energizing the undervoltage coil or energizing the shunt trip coil will cause the circuit breaker to open. When an RTCB is opened, either during an automatic reactor trip or by using the manual push buttons in the control room, the undervoltage coil is de-energized and the shunt trip coil is energized.
This makes it impossible to determine if one of the coils or associated circuitry is defective.

Therefore, following maintenance or adjustment of the reactor trip breakers, a CHANNEL FUNCTIONAL TEST is performed that individually tests all four undervoltage coils and all four shunt trip coils. During undervoltage coil testing, the shunt trip coils must remain de-energized, preventing their operation. Conversely, during shunt trip coil testing, the undervoltage coils must remain energized, preventing their operation.

This Surveillance ensures that every undervoltage coil and every shunt trip coil is capable of performing its intended function and that no single active failure of any RTCB component will prevent a reactor trip. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.3

A CHANNEL FUNCTIONAL TEST on each RTCB is performed to verify proper operation of each RTCB. The RTCB must then be closed prior to testing the other three initiation circuits, or a Reactor Trip may result. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A.
2. 10 CFR 100.
3. UFSAR, Section 7.2.
4. NRC Safety Evaluation Report, July 15, 1994.
5. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.
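The coincidence, Initiation Logic and trip-leg behaviour described in B 3.3.4 can be checked with a small truth-table model. This is an added example, not part of the PVNGS Bases; the assignment of RTCBs to trip legs, of matrix relays to power supplies, and of matrices to a vital bus are assumptions made for illustration.

```python
from itertools import combinations

CHANNELS = "ABCD"                                   # four bistable channels
MATRICES = ["".join(p) for p in combinations(CHANNELS, 2)]  # AB AC AD BC BD CD
TRIP_PATHS = (1, 2, 3, 4)    # one Initiation Logic channel and one RTCB per path

# ASSUMPTION (not stated on the page): RTCBs 1,2 form one trip leg, 3,4 the other.
TRIP_LEGS = {"leg1": (1, 2), "leg2": (3, 4)}
# ASSUMPTION: each matrix power supply feeds the two matrix relays of one leg.
SUPPLY_FEEDS = {"ps1": (1, 2), "ps2": (3, 4)}


def matrix_relays_dropped(tripped, bypassed=(), failed_supplies=()):
    """Map each matrix to the trip paths whose matrix relay is de-energized.

    tripped         -- channels whose bistable for one Function has tripped
    bypassed        -- channels in trip channel bypass (removed from coincidence)
    failed_supplies -- (matrix, supply) pairs that have lost power
    """
    active = set(tripped) - set(bypassed)
    dropped = {}
    for matrix in MATRICES:
        # Coincidence: both monitored channels tripped -> all four relays drop.
        paths = set(TRIP_PATHS) if set(matrix) <= active else set()
        for failed_matrix, supply in failed_supplies:
            if failed_matrix == matrix:
                paths |= set(SUPPLY_FEEDS[supply])
        dropped[matrix] = paths
    return dropped


def rtcbs_open(dropped, manually_opened=(), stuck_closed=()):
    """Initiation Logic: each path ORs its six matrix relays and opens one RTCB."""
    opened = {p for p in TRIP_PATHS
              if any(p in paths for paths in dropped.values())}
    opened |= set(manually_opened)      # Manual Trip acts independent of the RPS
    return opened - set(stuck_closed)   # a failed breaker stays closed


def reactor_trip(opened):
    """Selective two-out-of-four: a trip needs an open RTCB in BOTH trip legs."""
    return all(any(b in opened for b in leg) for leg in TRIP_LEGS.values())


def evaluate(tripped=(), bypassed=(), failed_supplies=(),
             manually_opened=(), stuck_closed=()):
    """Return (sorted list of open RTCBs, reactor tripped?) for one scenario."""
    dropped = matrix_relays_dropped(tripped, bypassed, failed_supplies)
    opened = rtcbs_open(dropped, manually_opened, stuck_closed)
    return sorted(opened), reactor_trip(opened)


def vital_bus_loss(matrices=("AB", "AC", "AD"), supply="ps1"):
    """Loss of one vital bus: one supply lost in each of three matrices."""
    # ASSUMPTION: which three matrices and which supply share the failed bus.
    return evaluate(failed_supplies=[(m, supply) for m in matrices])


def single_rtcb_failure_tolerated():
    """True if every two-channel coincidence still trips with one RTCB stuck."""
    return all(evaluate(tripped=pair, stuck_closed=[rtcb])[1]
               for pair in MATRICES for rtcb in TRIP_PATHS)


if __name__ == "__main__":
    print("one channel tripped     ", evaluate(tripped="A"))
    print("two channels tripped    ", evaluate(tripped="AC"))
    print("A bypassed, A+B tripped ", evaluate(tripped="AB", bypassed="A"))
    print("A bypassed, B+C tripped ", evaluate(tripped="BC", bypassed="A"))
    print("vital bus lost          ", vital_bus_loss())
    print("both leg1 RTCBs stuck   ", evaluate(tripped="AB", stuck_closed=(1, 2)))
    print("single RTCB failure ok  ", single_rtcb_failure_tolerated())
```

The vital-bus case opens two RTCBs in one leg without a trip, and the stuck-breaker cases reproduce the distinction the ACTIONS draw between a single inoperable channel and two channels failed in the same trip leg.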
B 3.3 INSTRUMENTATION

B 3.3.5 Engineered Safety Features Actuation System (ESFAS) Instrumentation

BASES

BACKGROUND

The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and ensures acceptable consequences during accidents.

The ESFAS contains devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:

1. Safety Injection Actuation Signal (SIAS);
2. Containment Spray Actuation Signal (CSAS);
3. Containment Isolation Actuation Signal (CIAS);
4. Main Steam Isolation Signal (MSIS);
5. Recirculation Actuation Signal (RAS); and
6, 7. Auxiliary Feedwater Actuation Signal (AFAS).

Equipment actuated by each of the above signals is identified in the UFSAR (Ref. 1).

Each of the above ESFAS instrumentation systems is segmented into three interconnected modules. These modules are:

Measurement channels;
Bistable trip units; and
ESFAS Logic:
  - Matrix Logic,
  - Initiation Logic (trip paths), and
  - Actuation Logic.

This LCO addresses measurement channels and bistables. Logic is addressed in LCO 3.3.6, "Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip."

The role of each of these modules in the ESFAS, including the logic of LCO 3.3.6, is discussed below.
Measurement Channels

Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

Four identical measurement channels with electrical and physical separation are provided for each parameter used in the generation of trip signals. These channels are designated A through D. Measurement channels provide input to ESFAS bistables within the same ESFAS channel. In addition, some measurement channels are used as inputs to Reactor Protective System (RPS) bistables, and most provide indication in the control room. Measurement channels used as an input to the RPS or ESFAS are not used for control Functions.

When a channel monitoring a parameter indicates an unsafe condition, the bistable monitoring the parameter in that channel will trip. Tripping two or more channels of bistables monitoring the same parameter will de-energize Matrix Logic, which in turn de-energizes the Initiation Logic. This causes both channels of Actuation Logic to de-energize. Each channel of Actuation Logic controls one train of the associated Engineered Safety Features (ESF) equipment.

Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of GDC 21 in Appendix A to 10 CFR 50 (Ref. 2). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic.
Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 4).

Bistable Trip Units

Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the Matrix Logic for each ESFAS Function. They also provide local trip indication and remote annunciation.

There are four channels of bistables, designated A through D, for each ESFAS Function, one for each measurement channel. In cases where two ESF Functions share the same input and trip setpoint (e.g., containment pressure input to CIAS and SIAS), the same bistable may be used to satisfy both Functions. Similarly, bistables may be shared between the RPS and ESFAS (e.g., Pressurizer Pressure - Low input to the RPS and SIAS). Bistable output relays de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate an ESF actuation (two-out-of-four logic).
The trip setpoints and Allowable Values used in the bistables are based on the analytical limits stated in Reference 5. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment effects, for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.5-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits.

The UFSAR Trip Setpoints are based on the calculated total loop uncertainty consistent with the methodology as documented in the UFSAR (RG 1.05, Revision 1, November 1976) (Ref. 11). The general relationship among the PVNGS trip setpoint terms is as follows: The calculated Limiting Setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety limit is maintained.

A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7). A channel is inoperable if its actual trip setpoint is non-conservative with respect to its required Allowable Value.
Setpoints in accordance with the Allowable Value will ensure that Safety Limits of LCO Section 2.0, "Safety Limits," are not violated during AOOs and the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Functional testing of the ESFAS, from the bistable input through the opening of initiation relay contacts in the ESFAS Actuation Logic, can be performed either at power or at shutdown and is normally performed on a quarterly basis. UFSAR, Section 7.2 (Ref. 8), provides more detail on ESFAS testing. Process transmitter calibration is normally performed on a refueling basis. SRs for the channels are specified in the Surveillance Requirements section.

ESFAS Logic

The ESFAS Logic, consisting of Matrix, Initiation and Actuation Logic, employs a scheme that provides an ESF actuation of both trains when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one relay contact from each matrix relay in each of the four trip paths.
Each trip path controls two initiation relays. Each of the two initiation relays in each trip path controls contacts in the Actuation Logic for one train of ESF.

Each of the two channels of Actuation Logic, mounted in the Auxiliary Relay Cabinet (ARCs), is responsible for actuating one train of ESF equipment. Each ESF Function has separate Actuation Logic in each ARC.

The contacts from the Initiation Logic are configured in a selective two-out-of-four logic in the Actuation Logic, similar to the configuration employed by the RPS in the RTCBs. This logic controls ARC mounted subgroup relays, which are normally energized. Contacts from these relays, when de-energized, actuate specific ESF equipment.

When a coincidence occurs in two ESFAS channels, all four matrix relays in the affected matrix will de-energize. This in turn will de-energize all eight initiation relays, four used in each Actuation Logic.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards, are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel.

Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, and the initiation relays.

Actuation Logic consists of all circuitry housed within the ARCs used to actuate the ESF Function, excluding the subgroup relays, and interconnecting wiring to the initiation relay contacts mounted in the PPS cabinet.

The subgroup relays are actuated by the ESFAS logic.
Each ESFAS Function typically employs several subgroup relays, with each subgroup relay responsible for actuating one or more components in the ESFAS Function. Subgroup relays and their contacts are considered part of the actuated equipment and are addressed under the applicable LCO for this equipment. Initiation and Actuation Logic up to the subgroup relays is addressed in LCO 3.3.6.

It is possible to change the two-out-of-four ESFAS logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the bypassed channel is effectively removed from the coincidence logic. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing.

In addition to the trip channel bypasses, there are also operating bypasses on select ESFAS actuation trips. These bypasses are enabled manually in all four channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied.
Operating bypasses normally are implemented in the bistable, so that normal trip indication is also disabled. The Pressurizer Pressure - Low input to the SIAS shares an operating bypass with the Pressurizer Pressure - Low reactor trip.

Manual ESFAS initiation capability is provided to permit the operator to manually actuate an ESF System when necessary. Four handswitches (located in the control room) for each ESF Function are provided, and each handswitch actuates both trains. Each Manual Trip handswitch opens one trip path, de-energizing one set of two initiation relays, one affecting each train of ESF. Initiation relay contacts are arranged in a selective two-out-of-four configuration in the Actuation Logic. Operating either handswitch in both trip legs will result in an ESFAS Actuation. This arrangement ensures that Manual actuation will not be prevented in the event of a single random failure. Each handswitch is designated a single channel in LCO 3.3.6.

APPLICABLE SAFETY ANALYSES

Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be the secondary, or backup, actuation signal for one or more other accidents.

ESFAS protective Functions are as follows:

1. Safety Injection Actuation Signal

SIAS ensures acceptable consequences during large break loss of coolant accidents (LOCAs), small break LOCAs, control element assembly ejection accidents, steam generator tube ruptures, and main steam line breaks (MSLBs) inside containment.
To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will initiate SIAS. SIAS initiates the Emergency Core Cooling Systems (ECCS) and performs several other functions such as initiating control room filtration, and starting the diesel generators.

2. Containment Spray Actuation Signal

CSAS actuates containment spray, preventing containment overpressurization during large break LOCAs, small break LOCAs, and MSLBs or feedwater line breaks (FWLBs) inside containment. CSAS is initiated by high high containment pressure.

3. Containment Isolation Actuation Signal

CIAS ensures acceptable mitigating actions during large and small break LOCAs, and MSLBs either inside or outside containment, and FWLBs inside containment. CIAS is initiated by low pressurizer pressure or high containment pressure.

4. Main Steam Isolation Signal

MSIS ensures acceptable consequences during an MSLB or FWLB (between the steam generator and the main feedwater check valve), either inside or outside containment. MSIS isolates both steam generators if either generator indicates a low pressure condition, a high level condition or if a high containment pressure condition exists. This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events.

5. Recirculation Actuation Signal

At the end of the injection phase of a LOCA, the Refueling Water Tank (RWT) will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump.
Switchover from RWT to containment sump must occur before the RWT empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support pump suction. Furthermore, early switchover must not occur to ensure sufficient borated water is injected from the RWT to ensure the reactor remains shut down in the recirculation mode. An RWT Level - Low signal initiates the RAS.

Once a RAS has occurred, timely operator action is required to close the RWT isolation valves (CH-531 and CH-530) to preclude air entrainment in the suction from the RWT during switchover to recirculation. The volume remaining in the RWT after the RAS provides enough time for this operator action and closure of the valves.

6, 7. Auxiliary Feedwater Actuation Signal

AFAS consists of two steam generator (SG) specific signals (AFAS-1 and AFAS-2). AFAS-1 initiates auxiliary feed to SG #1, and AFAS-2 initiates auxiliary feed to SG #2.

AFAS maintains a steam generator heat sink during a steam generator tube rupture event and an MSLB or FWLB event either inside or outside containment.

Low steam generator water level initiates auxiliary feed to the affected steam generator, providing the generator is not identified (by the rupture detection circuitry) as faulted (a steam or FWLB).

AFAS logic includes steam generator specific inputs from the SG Pressure Difference - High (SG #1 > SG #2 or SG #2 > SG #1, bistable comparators) to determine if a fault in either generator has occurred.
Not feeding a faulted generator prevents containment overpressurization during the analyzed events.

The ESFAS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO requires all channel components necessary to provide an ESFAS actuation to be OPERABLE.

The Bases for the LCOs on ESFAS Functions are:

1. Safety Injection Actuation Signal

a. Containment Pressure - High

This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1, 2 and 3.

The Containment Pressure - High signal is shared among the SIAS (Function 1), CIAS (Function 3), and MSIS (Function 4).

The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

b. Pressurizer Pressure-Low

This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1, 2 and 3.

The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS and CIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that, with the specified accidents, the ESF systems will actuate to perform as expected, mitigating the consequences of the accident.

The Pressurizer Pressure - Low trip setpoint, which provides SIAS, CIAS, and RPS trip, may be manually decreased to a floor value of 100 psia to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, CIAS, or SIAS. The margin between actual pressurizer pressure and the trip setpoint must be maintained less than or equal to the specified value (400 psia) to ensure a reactor trip, CIAS, and SIAS will occur if required during RCS cooldown and depressurization. When the RCS cold leg temperature is 485°F the setpoint must be 140 psia greater than the saturation pressure of the RCS cold leg. This is required to ensure a SIAS prior to reactor vessel upper head void formation in the event of RCS depressurization caused by a steam line break.
From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS pressure until the trip setpoint is reached.

When the trip setpoint has been lowered below the bypass permissive setpoint of 400 psia, the Pressurizer Pressure - Low reactor trip, CIAS, and SIAS actuation may be manually bypassed in preparation for shutdown cooling. When RCS pressure rises above the bypass removal setpoint, the bypass is removed.

Bypass Removal

This LCO requires four channels of operating bypass removal for Pressurizer Pressure-Low to be OPERABLE in MODES 1, 2 and 3.

Each of the four channels enables and disables the operating bypass capability for a single channel. Therefore, this LCO applies to the operating bypass removal feature only. If the bypass enable function is failed so as to prevent entering an operating bypass condition, operation may continue. Because the trip setpoint has a floor value of 100 psia, a channel trip will result if pressure is decreased below this setpoint without bypassing.

The operating bypass removal Allowable Value was chosen because MSLB events originating from below this setpoint add less positive reactivity than that which can be compensated for by required SDM.

2. Containment Spray Actuation Signal

a. Containment Pressure - High High

This LCO requires four channels of Containment Pressure - High High to be OPERABLE in MODES 1, 2, and 3.

The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition.
The setting is low enough to initiate CSAS in time to prevent containment pressure from exceeding design.

3. Containment Isolation Actuation Signal

The SIAS and CIAS are actuated on Pressurizer Pressure - Low or Containment Pressure - High; the SIAS and CIAS share the same input channels, bistables, and matrices and matrix relays. The remainder of the initiation channels, the manual channels, and the Actuation Logic are separate and are addressed in LCO 3.3.6.

a. Containment Pressure - High

This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1, 2, and 3.

The Containment Pressure - High signal is shared among the SIAS (Function 1), CIAS (Function 3), and MSIS (Function 4).

The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

b. Pressurizer Pressure - Low

This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1, 2, and 3.

The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS and CIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that, with the specified accident, the ESF systems will actuate to perform as expected, mitigating the consequences of the accidents.
The Pressurizer Pressure - Low trip setpoint, which provides an SIAS, CIAS, and RPS trip, may be manually decreased to a floor Allowable Value of 100 psia to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, CIAS or SIAS. The safety margin between actual pressurizer pressure and the trip setpoint must be maintained less than or equal to the specified value (400 psi) to ensure a reactor trip, CIAS, and SIAS will occur if required during RCS cooldown and depressurization.

From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS pressure until the trip setpoint is reached.

When the trip setpoint has been lowered below the operating bypass permissive setpoint of 400 psia, the Pressurizer Pressure - Low reactor trip, CIAS, and SIAS actuation may be manually bypassed in preparation for shutdown cooling. When RCS pressure rises above the bypass removal, the bypass is removed.

Bypass Removal

This LCO requires four channels of operating bypass removal for Pressurizer Pressure - Low to be OPERABLE in MODES 1, 2, and 3.

Each of the four channels enables and disables the operating bypass capability for a single channel. Therefore all four operating bypass removal channels must be OPERABLE to ensure that none of the four channels are inadvertently bypassed.
This LCO applies to the operating bypass removal feature only. If the operating bypass enable function is failed so as to prevent entering an operating bypass condition, operation may continue. Because the trip setpoint has a floor value of 100 psia, a channel trip will result if pressure is decreased below this setpoint without bypassing.

The operating bypass removal Allowable Value was chosen because MSLB events originating from below this setpoint add less positive reactivity than that which can be compensated for by required SDM.

4. Main Steam Isolation Signal

The LCO is applicable to the MSIS in MODES 1, 2 and 3 except when all associated valves are closed.

a. Steam Generator Pressure - Low

This LCO requires four channels of Steam Generator Pressure - Low to be OPERABLE in MODES 1, 2 and 3.

The UFSAR Trip Setpoint for this trip is set below the full load operating value for steam pressure so as not to interfere with normal plant operation. However, the setting is high enough to provide an MSIS (Function 4) during an excessive steam demand event. An excessive steam demand event causes the RCS to cool down, resulting in a positive reactivity addition to the core.

MSIS limits this cooldown by isolating both steam generators if the pressure in either drops below the trip setpoint. An RPS trip on Steam Generator Pressure - Low is initiated simultaneously, using the same bistable.

The Steam Generator Pressure - Low trip setpoint may be manually decreased as steam generator pressure is reduced. This prevents an RPS trip or MSIS actuation during controlled plant cooldown. The margin between actual steam generator pressure and the trip setpoint must be maintained less than or equal to the specified value of 200 psia to ensure a reactor trip and MSIS will occur when required.

Footnote (d), which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument setpoints are found not to be conservative with respect to the as-found acceptance criteria.

Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability. Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends.

Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint.
The specified field installed trip setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained.

If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within the ALT, or the instrument is not functioning as required; then the instrument channel shall be declared inoperable.

b. Containment Pressure - High

This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1, 2 and 3.

The Containment Pressure - High signal is shared among the SIAS (Function 1), CIAS (Function 3), and MSIS (Function 4).

The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

c. Steam Generator Level-High

This LCO requires four channels of Steam Generator Level-High to be OPERABLE in MODES 1, 2 and 3.

The allowable value for this trip is set high enough to ensure it does not interfere with normal plant operation. The setting is low enough to prevent moisture damage to secondary plant components in the case of a steam generator overfill event.

5. Recirculation Actuation Signal

a. Refueling Water Tank Level - Low

This LCO requires four channels of RWT Level - Low to be OPERABLE in MODES 1, 2, and 3.

The upper limit on the Allowable Value for this trip is set low enough to ensure RAS does not initiate before sufficient water is transferred to the containment sump. Premature recirculation could impair the reactivity control function of safety injection by limiting the amount of boron injection.

Premature recirculation could also damage or disable the recirculation system if recirculation begins before the sump has enough water to prevent air entrainment in the suction. The lower limit on the RWT Level - Low trip Allowable Value is high enough to transfer suction to the containment sump prior to emptying the RWT.

Once a RAS has occurred, timely operator action is required to close the RWT isolation valves (CH-531 and CH-530) to preclude air entrainment in the suction from the RWT during switchover to recirculation. The volume remaining in the RWT after the RAS provides enough time for this operator action and closure of the valves.

6, 7. Auxiliary Feedwater Actuation Signal SG #1 and SG #2 (AFAS-1 and AFAS-2)

AFAS-1 is initiated to SG #1 by either a low steam generator level coincident with no differential pressure trip present or by a low steam generator level coincident with a differential pressure between the two generators with the higher pressure in SG #1. AFAS-2 is similarly configured to feed SG #2.

The steam generator secondary differential pressure is used as an input of the AFAS logic, where it is used to determine if a generator is intact. The AFAS logic inhibits feeding a steam generator if the pressure in that steam generator is less than the pressure in the other steam generator by the Steam Generator Pressure Difference (SGPD) - High setpoint. The SGPD setpoint is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation.

The following LCO description applies to both AFAS signals.

a. Steam Generator Level - Low

This LCO requires four channels of Steam Generator Level - Low to be OPERABLE for each AFAS in MODES 1, 2, and 3.

The Steam Generator Level - Low AFAS input is shared with the Steam Generator Level-Low RPS function. The Steam Generator Level-Low AFAS and RPS use separate bistables. This allows the AFAS setpoint to be set lower than the RPS setpoint. The allowable value is high enough to ensure the steam generator is available as a heat sink. The setting is low enough to prevent inadvertent AFAS actuations during plant transients. This setpoint provides allowance that there will be sufficient inventory in the steam generator at the time of the RPS trip to provide a margin of at least 10 minutes before auxiliary feedwater is required to prevent degraded core cooling.

b. SG Pressure Difference - High (SG #1 > SG #2) or (SG #2 > SG #1)

This LCO requires four channels of SG Pressure Difference - High to be OPERABLE for each AFAS in MODES 1, 2, and 3.

The Allowable Value for this trip is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation without an actuation. The setting is low enough to detect and inhibit feeding of a faulted (MSLB or FWLB) steam generator in the event of an MSLB or FWLB, while permitting the feeding of the intact steam generator.
APPLICABILITY

In MODES 1, 2 and 3 there is sufficient energy in the primary and secondary systems to warrant automatic ESF System responses to:

Close the main steam isolation valves to preclude a positive reactivity addition;
Actuate auxiliary feedwater to preclude the loss of the steam generators as a heat sink (in the event the normal feedwater system is not available);
Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB; and
Actuate ESF systems to ensure sufficient borated water inventory to permit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.

In MODES 4, 5 and 6 automatic actuation of these Functions is not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required, as addressed by LCO 3.3.6.

Several trips have operating bypasses, discussed in the preceding LCO section. The interlocks that allow these bypasses shall be OPERABLE whenever the RPS Function they support is OPERABLE.

ACTIONS

The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function.
Determination of setpoint drift is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESFAS bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition entered for the particular protection Function affected.

With a channel process measurement circuit that affects multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below.

1. Process Measurement Circuit: Steam Generator Pressure-Low
   Associated functional units: Steam Generator Pressure-Low; Steam Generator Level 1-Low (ESF); Steam Generator Level 2-Low (ESF)

2. Process Measurement Circuit: Steam Generator Level (Wide Range)
   Associated functional units: Steam Generator Level-Low (RPS); Steam Generator Level 1-Low (ESF); Steam Generator Level 2-Low (ESF)

With a Steam Generator Pressure Difference-High channel inoperable or in test, bypass or trip the associated Steam Generator Level-Low (ESF) function.

When the number of inoperable channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be entered immediately, if applicable in the current MODE of operation.

A Note has been added to the ACTIONS. The Note has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.
A.1 and A.2

Condition A applies to the failure of a single channel of one or more input parameters in the following ESFAS Functions:

1. Safety Injection Actuation Signal
   Containment Pressure - High
   Pressurizer Pressure - Low

2. Containment Spray Actuation Signal
   Containment Pressure - High High

3. Containment Isolation Actuation Signal
   Containment Pressure - High
   Pressurizer Pressure - Low

4. Main Steam Isolation Signal
   Steam Generator #1 Pressure - Low
   Steam Generator #2 Pressure - Low
   Steam Generator #1 Level-High
   Steam Generator #2 Level-High
   Containment Pressure - High

5. Recirculation Actuation Signal
   Refueling Water Storage Tank Level - Low

6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1)
   Steam Generator #1 Level - Low
   SG Pressure Difference (SG #2 > SG #1) - High

7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2)
   Steam Generator #2 Level - Low
   SG Pressure Difference (SG #1 > SG #2) - High

ESFAS coincidence logic is normally two-out-of-four.

If one ESFAS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip within 1 hour (Required Action A.1).

The Completion Time of 1 hour allotted to restore, bypass, or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable.
The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel bypassed, the coincidence logic is now in a two-out-of-three configuration. The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows a two-out-of-three channel operation, since no single failure will cause or prevent an ESF actuation. The intent of this requirement is that should a failure occur that cannot be repaired during power operation, then continued operation is allowed without requiring a plant shutdown. However, the failure needs to be repaired during the next MODE 5 outage. Allowing the unit to exit MODE 5 is acceptable, as the appropriate retest may not be possible until normal operating pressures and temperatures are achieved. If the failure occurs while in MODE 5, then the problem needs to be resolved during that shutdown, and OPERABILITY restored prior to the subsequent MODE 2 entry.

B.1

Condition B applies to the failure of two channels of one or more input parameters in the following ESFAS automatic trip Functions:

1. Safety Injection Actuation Signal
   Containment Pressure - High
   Pressurizer Pressure - Low

2. Containment Spray Actuation Signal
   Containment Pressure - High High

3. Containment Isolation Actuation Signal
   Containment Pressure - High
   Pressurizer Pressure - Low

4. Main Steam Isolation Signal
   Steam Generator #1 Pressure - Low
   Steam Generator #2 Pressure - Low
   Steam Generator #1 Level-High
   Steam Generator #2 Level-High
   Containment Pressure-High

5. Recirculation Actuation Signal
   Refueling Water Storage Tank Level - Low

6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1)
   Steam Generator #1 Level - Low
   SG Pressure Difference (SG #2 > SG #1) - High

7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2)
   Steam Generator #2 Level - Low
   SG Pressure Difference (SG #1 > SG #2) - High

With two inoperable channels, power operation may continue, provided one inoperable channel is placed in bypass and the other channel is placed in trip within 1 hour. With one channel of protective instrumentation bypassed, the ESFAS Function is in two-out-of-three logic in the bypassed input parameter, but with another channel failed, the ESFAS may be operating with a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the ESFAS Function in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, ESFAS actuation will occur.

One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one ESFAS channel, and placing a second channel in trip will result in an ESFAS actuation. Therefore, if one ESFAS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.

C.1, C.2.1, and C.2.2

Condition C applies to one automatic operating bypass removal channel inoperable. The only automatic operating bypass removal on an ESFAS is on the Pressurizer Pressure - Low signal.
This operating bypass removal is shared with the RPS Pressurizer Pressure - Low bypass removal. If the bypass removal channel for any operating bypass cannot be restored to OPERABLE status, the associated ESFAS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected ESFAS channel must be declared inoperable, as in Condition A, and the operating bypass either removed or the bypass removal channel repaired. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and D.2

Condition D applies to two inoperable automatic operating bypass removal channels. If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status, the associated ESFAS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected ESFAS channels must be declared inoperable, as in Condition B, and either the operating bypass removed or the bypass removal channel repaired. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST or the plant must shut down per LCO 3.0.3, as explained in Condition B. Completion Times are consistent with Condition B.

E.1 and E.2

If the Required Actions and associated Completion Times of Condition A, B, C, or D cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.5.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2

A CHANNEL FUNCTIONAL TEST is performed to ensure the entire channel will perform its intended function when needed.

The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays. These overlapping tests are described in Reference 1. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized.

These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SRs 3.3.6.1 and 3.3.6.2 are addressed in LCO 3.3.6. SR 3.3.5.2 includes bistable tests.

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.
SR 3.3.5.3

CHANNEL CALIBRATION is a complete check of the instrument channel including the detector and the bypass removal functions. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.4

This Surveillance ensures that the train actuation response times are within the maximum values assumed in the safety analyses. Response time testing acceptance criteria are included in Reference 1.

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 10) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and re-verified after maintenance that may adversely affect the sensor response time.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.5

SR 3.3.5.5 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2, except SR 3.3.5.5 is performed within 92 days prior to startup and is only applicable to operating bypass functions. Since the Pressurizer Pressure - Low operating bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13.

The CHANNEL FUNCTIONAL TEST for proper operation of the operating bypass permissives is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function. Consequently, just prior to startup is the appropriate time to verify operating bypass function OPERABILITY. Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by SR 3.3.5.2.
The allowance to conduct this test within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9).

REFERENCES

1. UFSAR, Section 7.3.
2. 10 CFR 50, Appendix A.
3. NRC Safety Evaluation Report, July 15, 1994.
4. IEEE Standard 279-1971.
5. UFSAR, Chapter 15.
6. 10 CFR 50.49.
7. "Calculation of Trip Setpoint Valves Plant Protection System", CEN-286(v), or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip Function.
8. UFSAR, Section 7.2, Tables 7.2-1 and 7.3-11A.
9. CEN-327, May 1986, including Supplement 1, March 1989, and Calculation 13-JC-SB-200.
10. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."
11. UFSAR Section 1.8, "Regulatory Guide 1.105: Instrument Setpoints (Revision 1, November 1976)".

B 3.3 INSTRUMENTATION

B 3.3.6 Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip

BASES

BACKGROUND

The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and ensures acceptable consequences during accidents.

The ESFAS contains devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:

1. Safety Injection Actuation Signal (SIAS);
2. Containment Isolation Actuation Signal (CIAS);
3. Recirculation Actuation Signal (RAS);
4. Containment Spray Actuation Signal (CSAS);
5. Main Steam Isolation Signal (MSIS);
6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1); and
7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2).

Equipment actuated by each of the above signals is identified in the UFSAR (Ref. 1).

Each of the above ESFAS instrumentation systems is segmented into three interconnected modules. These modules are:

- Measurement channels;
- Bistable trip units; and
- ESFAS Logic:
  - Matrix Logic,
  - Initiation Logic (trip paths), and
  - Actuation Logic.

This LCO addresses ESFAS Logic. Bistables and measurement channels are addressed in LCO 3.3.5, "Engineered Safety Features Actuation System (ESFAS) Instrumentation."

The role of the measurement channels and bistables is described in LCO 3.3.5. The role of the ESFAS Logic is described below.

ESFAS Logic

The ESFAS Logic, consisting of Matrix, Initiation and Actuation Logic, employs a scheme that provides an ESF actuation of both trains when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six Matrix Logics. Each Matrix Logic checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices, to reflect the bistable channels being monitored. Each Matrix Logic contains four normally energized matrix relays. When a coincidence is detected in the two channels being monitored by the Matrix Logic, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one relay contact from each matrix relay in each of the four trip paths. Each trip path controls two initiation relays. Each of the two initiation relays in each trip path controls contacts in the Actuation Logic for one train of ESF.

Each of the two channels of Actuation Logic, mounted in the Auxiliary Relay Cabinets (ARCs), is responsible for actuating one train of ESF equipment. Each ESF Function has separate Actuation Logic in each ARC.

The contacts from the Initiation Logic are configured in a selective two-out-of-four logic in the Actuation Logic, similar to the configuration employed by the RPS in the RTCBs. This logic controls ARC mounted subgroup relays, which are normally energized. Contacts from these relays, when de-energized, actuate specific ESF equipment.

When a coincidence occurs in two ESFAS channels, all four matrix relays in the affected matrix will de-energize. This, in turn, will de-energize all eight initiation relays, four used in each Actuation Logic.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel.

Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, and the initiation relays.

Actuation Logic consists of all circuitry housed within the ARCs used to actuate the ESF Function, excluding the subgroup relays, and interconnecting wiring to the initiation relay contacts mounted in the PPS cabinet.
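The six Matrix Logics described above, together with the bypass and trip configurations discussed in the B 3.3.5 ACTIONS, can be checked with a small model. The following Python model is an added example and is not part of the Technical Specification Bases; the channel-state names and the treatment of a failed channel as one that never trips are assumptions, and only the Matrix Logic stage is modelled (not the trip paths or Actuation Logic).

```python
from enum import Enum
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# Six Matrix Logics, one per pair of bistable channels: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(a + b for a, b in combinations(CHANNELS, 2))


class State(Enum):
    """Hypothetical state names for one input parameter in one channel."""
    OPERABLE = "operable"  # bistable follows the sensed parameter
    BYPASSED = "bypassed"  # trip channel bypass: removed from coincidence
    TRIPPED = "tripped"    # channel placed in trip: standing trip input
    FAILED = "failed"      # inoperable; assumed worst case, never trips


def make_config(**overrides):
    """All four channels OPERABLE unless overridden, e.g. A=State.BYPASSED."""
    config = {ch: State.OPERABLE for ch in CHANNELS}
    config.update(overrides)
    return config


def check_bypass_interlock(config):
    """The interlock allows a parameter to be bypassed in one channel only."""
    bypassed = [ch for ch in CHANNELS if config[ch] is State.BYPASSED]
    if len(bypassed) > 1:
        raise ValueError(f"interlock: parameter already bypassed in {bypassed[0]}")


def matrix_inputs(config, sensed):
    """Map each channel to whether it presents a trip to its three matrices.

    `sensed` is the set of channels whose sensor is past the setpoint.
    """
    check_bypass_interlock(config)
    inputs = {}
    for ch in CHANNELS:
        state = config[ch]
        if state is State.TRIPPED:
            inputs[ch] = True
        elif state is State.OPERABLE:
            inputs[ch] = ch in sensed
        else:  # BYPASSED or FAILED contributes nothing to coincidence
            inputs[ch] = False
    return inputs


def deenergized_matrices(config, sensed):
    """Matrices that see a coincident trip in both monitored channels."""
    inputs = matrix_inputs(config, sensed)
    return [m for m in MATRICES if inputs[m[0]] and inputs[m[1]]]


def actuates(config, sensed):
    """Any de-energized matrix opens the trip paths, so one is enough."""
    return bool(deenergized_matrices(config, sensed))


def effective_logic(config):
    """Return (k, n): k of the n OPERABLE channels must sense the trip
    before actuation is guaranteed. k == 0 means actuation is already present."""
    operable = [ch for ch in CHANNELS if config[ch] is State.OPERABLE]
    for k in range(len(operable) + 1):
        subsets = combinations(operable, k)
        if all(actuates(config, set(s)) for s in subsets):
            return k, len(operable)
    return None  # no combination of OPERABLE channels can actuate


if __name__ == "__main__":
    scenarios = {
        "all channels OPERABLE": make_config(),
        "A bypassed": make_config(A=State.BYPASSED),
        "A bypassed, B failed": make_config(A=State.BYPASSED, B=State.FAILED),
        "A bypassed, B in trip": make_config(A=State.BYPASSED, B=State.TRIPPED),
    }
    for name, cfg in scenarios.items():
        k, n = effective_logic(cfg)
        print(f"{name}: {k}-out-of-{n}")
```

The four scenarios reproduce the two-out-of-four, two-out-of-three, two-out-of-two and one-out-of-two configurations named in the Bases.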
The subgroup relays are actuated by the ESFAS Logic. Each ESFAS Function typically employs several subgroup relays, with each subgroup relay responsible for actuating one or more components in the ESFAS Function. Subgroup relays and their contacts are considered part of the actuated equipment and are addressed under the applicable LCO for this equipment.

It is possible to change the two-out-of-four ESFAS Logic to two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the bypassed channel is effectively removed from the coincidence logic. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing. Trip channel bypassing is addressed in LCO 3.3.5.

Manual ESFAS initiation capability is provided to permit the operator to manually actuate an ESF System when necessary. Four handswitches (located in the control room) for each ESF Function are provided, and each handswitch actuates both trains. Each Manual Trip handswitch opens one trip path, de-energizing one set of two initiation relays, one affecting each train of ESF.
Initiation relay contacts are arranged in a selective two-out-of-four configuration in the Actuation Logic. Operating either handswitch in both Trip Legs will result in an ESFAS Actuation. This arrangement ensures that Manual Actuation will not be prevented in the event of a single random failure. Each handswitch is designated a single channel in this LCO.

APPLICABLE SAFETY ANALYSES

Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents.

ESFAS Functions are as follows:

1. Safety Injection Actuation Signal

SIAS ensures acceptable consequences during large break loss of coolant accidents (LOCAs), small break LOCAs, control element assembly ejection accidents, steam generator tube ruptures, and main steam line breaks (MSLBs) inside containment. To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will initiate SIAS. SIAS initiates the Emergency Core Cooling Systems (ECCS) and performs several other Functions, such as initiating control room filtration and starting the diesel generators.

2. Containment Isolation Actuation Signal

CIAS ensures acceptable mitigating actions during large and small break LOCAs and during MSLBs either inside or outside containment and feedwater line breaks (FWLBs) inside containment. CIAS is initiated by low pressurizer pressure or high containment pressure.

3. Recirculation Actuation Signal

At the end of the injection phase of a LOCA, the Refueling Water Tank (RWT) will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. Switchover from RWT to containment sump must occur before the RWT empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support pump suction. Furthermore, early switchover must not occur to ensure sufficient borated water is injected from the RWT to ensure the reactor remains shut down in the recirculation mode. An RWT Level - Low signal initiates the RAS.

4. Containment Spray Actuation Signal

CSAS actuates containment spray, preventing containment overpressurization during large break LOCAs, small break LOCAs, and MSLBs or FWLBs inside containment. CSAS is initiated by high high containment pressure.

5. Main Steam Isolation Signal

MSIS ensures acceptable consequences during an MSLB or FWLB (between the steam generator and the main feedwater check valve) either inside or outside containment. MSIS isolates both steam generators if either generator indicates a low pressure condition or a high level condition or if a high containment pressure condition exists. This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events.

6, 7. Auxiliary Feedwater Actuation Signal

AFAS consists of two Steam Generator (SG) specific signals AFAS-1 and AFAS-2.
AFAS-1 initiates auxiliary feed to SG #1, and AFAS-2 initiates auxiliary feed to SG #2.

AFAS maintains a steam generator heat sink during a steam generator tube rupture event and an MSLB or FWLB event either inside or outside containment.

Low steam generator water level initiates auxiliary feed to the affected steam generator, providing the generator is not identified (by the rupture detection circuitry) as faulted (an MSLB or FWLB).

AFAS logic includes steam generator specific inputs from the SG Pressure Difference - High (SG #1 > SG #2 or SG #2 > SG #1, bistable comparators) to determine if a fault in either generator has occurred.

Not feeding a faulted generator prevents containment overpressurization during the analyzed events.

The ESFAS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO on the ESFAS Logic channels ensures that each of the following requirements are met:

- An ESFAS Actuation Signal will be initiated when necessary;
- The required protection system coincidence logic is maintained (minimum two-out-of-three, normal two-out-of-four); and
- Sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance.

Failures of individual bistable relays and their contacts are addressed in LCO 3.3.5. This Specification addresses failures of the Matrix Logic not addressed in the above, such as the failure of matrix relay power supplies or the failure of the trip channel bypass contact in the bypass condition.
A Matrix Logic is considered inoperable if a coincident trip in the same Function in the two OPERABLE channels monitored by the Matrix Logic will not remove power from the coils of all four Matrix relays. The OPERABILITY of the Matrix Logic is not affected by inoperable measurement channels.

Loss of a single vital bus will de-energize one of the two power supplies in each of the three matrices. This will result in two trip path contacts opening in each ESFAS Actuation Logic channel; however, the remaining two contacts in each ESFAS Actuation Logic channel will remain closed, preventing an ESFAS Actuation. For the purposes of this LCO, de-energizing up to three matrix power supplies due to a single failure is to be treated as a single channel failure, providing the affected matrix relays de-energize as designed, opening the affected trip path contacts in each ESFAS Actuation Logic channel.

Each of the four Initiation Logic channels controls two Initiation relays; each Initiation relay opens a contact in its Actuation Logic channel if any of the six coincidence matrices de-energize their associated matrix relays. They thus form a logical OR function. Each Initiation Logic channel has its own power supply and is independent of the others. An Initiation Logic channel includes the matrix relay through to the Initiation relay contacts, and the interconnecting wiring to the Actuation Logic channels.

An Initiation Logic is considered inoperable if the contacts on both Initiation relays will not operate when power is removed from the coils of any of the six matrix relays in the trip path.
It is possible for two Initiation Logic channels affecting the same trip leg to de-energize if a matrix power supply or vital instrument bus fails. This will result in opening two contacts in each of the ESFAS Actuation Logic channels.

An Actuation Logic channel is inoperable if a selective two-out-of-four trip signal is received from the Initiation Logic for any ESFAS Function, and power is not removed from the coils of all of the subgroup relays actuated by that function.

The requirements for each Function are listed below. The reasons for the applicable MODES for each Function are addressed under APPLICABILITY.

1. Safety Injection Actuation Signal

Automatic SIAS occurs in Pressurizer Pressure - Low or Containment Pressure - High and is explained in Bases 3.3.5.

a. Manual Trip
   This LCO requires four channels of SIAS Manual Trip to be OPERABLE in MODES 1, 2, 3, and 4.
b. Matrix Logic
   This LCO requires six channels of SIAS Matrix Logic to be OPERABLE in MODES 1, 2 and 3.
c. Initiation Logic
   This LCO requires four channels of SIAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4.
d. Actuation Logic
   This LCO requires two channels of SIAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.

2. Containment Isolation Actuation Signal

The SIAS and CIAS are actuated on Pressurizer Pressure - Low or Containment Pressure - High; the SIAS and CIAS share the same input channels, bistables, and matrices and matrix relays. The remainder of the initiation channels, the manual channels, and the Actuation Logic are separate. Since their applicability is also the same, they have identical actions.

a. Manual Trip
   This LCO requires four channels of CIAS Manual Trip to be OPERABLE in MODES 1, 2, 3, and 4.
b. Matrix Logic
   This LCO requires six channels of CIAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.
c. Initiation Logic
   This LCO requires four channels of CIAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4.
d. Actuation Logic
   This LCO requires two channels of CIAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.

3. Recirculation Actuation Signal

a. Manual Trip
   This LCO requires four channels of RAS Manual Trip to be OPERABLE in MODES 1, 2, 3, and 4.
b. Matrix Logic
   This LCO requires six channels of RAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.
c. Initiation Logic
   This LCO requires four channels of RAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4.
d. Actuation Logic
   This LCO requires two channels of RAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.

4. Containment Spray Actuation Signal

a. Manual Trip
   This LCO requires four channels of CSAS Manual Trip to be OPERABLE in MODES 1, 2, and 3.
b. Matrix Logic
   This LCO requires six channels of CSAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.
c. Initiation Logic
   This LCO requires four channels of CSAS Initiation Logic to be OPERABLE in MODES 1, 2, and 3.
d. Actuation Logic
   This LCO requires two channels of CSAS Actuation Logic to be OPERABLE in MODES 1, 2, and 3.

5. Main Steam Isolation Signal

a. Manual Trip
   This LCO requires four channels of MSIS Manual Trip to be OPERABLE in MODES 1, 2 and 3, except when all associated valves are closed.
b. Matrix Logic
   This LCO requires six channels of MSIS Matrix Logic to be OPERABLE in MODES 1, 2 and 3, except when all associated valves are closed.
c. Initiation Logic
   This LCO requires four channels of MSIS Initiation Logic to be OPERABLE in MODES 1, 2 and 3, except when all associated valves are closed.
d. Actuation Logic
   This LCO requires two channels of MSIS Actuation Logic to be OPERABLE in MODES 1, 2 and 3, except when all associated valves are closed.

6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1)

AFAS-1 is initiated either by a low steam generator level coincident with no differential pressure trip present or by a low steam generator level coincident with a differential pressure between the two generators with the higher pressure in SG #1.

The steam generator secondary differential pressure is used as an input to the AFAS logic, where it determines whether a generator is intact. The AFAS logic inhibits feeding a steam generator if the pressure in that steam generator is less than the Steam Generator Pressure Difference (SGPD) - High setpoint pressure. The setpoint is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation.

a. Manual Trip
   This LCO requires four channels of Manual Trip to be OPERABLE in MODES 1, 2, and 3.
b. Matrix Logic
   This LCO requires six channels of Matrix Logic to be OPERABLE in MODES 1, 2, and 3.
c. Initiation Logic
   This LCO requires four channels of Initiation Logic to be OPERABLE in MODES 1, 2, and 3.
d. Actuation Logic
   This LCO requires two channels of Actuation Logic to be OPERABLE in MODES 1, 2, and 3.

7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2)

AFAS-2 is initiated either by a low steam generator level coincident with no differential pressure trip present or by a low steam generator level coincident with a differential pressure between the two generators with the higher pressure in SG #2.

The steam generator secondary differential pressure is used as an input to the AFAS Logic, where it determines whether a generator is intact. The AFAS Logic inhibits feeding a steam generator if the pressure in that steam generator is less than the SGPD - High setpoint pressure. The setpoint is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation.

a. Manual Trip
   This LCO requires four channels of Manual Trip to be OPERABLE in MODES 1, 2, and 3.
b. Matrix Logic
   This LCO requires six channels of Matrix Logic to be OPERABLE in MODES 1, 2, and 3.
c. Initiation Logic
   This LCO requires four channels of Initiation Logic to be OPERABLE in MODES 1, 2, and 3.
d. Actuation Logic
   This LCO requires two channels of Actuation Logic to be OPERABLE in MODES 1, 2, and 3.
APPLICABILITY

In MODES 1, 2 and 3, there is sufficient energy in the primary and secondary systems to warrant automatic ESF System responses to:

- Close the main steam isolation valves to preclude a positive reactivity addition;
- Actuate auxiliary feedwater to preclude the loss of the steam generators as a heat sink (in the event the normal feedwater system is not available);
- Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB; and
- Actuate ESF systems to ensure sufficient borated water inventory to permit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.

In MODES 4, 5, and 6, automatic actuation of these Functions is not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required.

ESFAS Manual Trip capability is required in MODE 4 for SIAS, CIAS, and RAS even though automatic actuation is not required. Because of the large number of components actuated by these Functions, ESFAS actuation is simplified by the use of the Manual Trip.

CSAS, MSIS, and AFAS have relatively few components, which can be actuated individually if required in MODE 4, and the systems may be disabled or reconfigured, making system level Manual Trip impossible and unnecessary.

The ESFAS logic must be OPERABLE in the same MODES as the automatic and Manual Trip.
In MODE 4, only the portion of the ESFAS logic responsible for the required Manual Trip must be OPERABLE.

In MODES 5 and 6, the systems initiated by ESFAS are either reconfigured or disabled for shutdown cooling operation. Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components.

ACTIONS

When the number of inoperable channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be entered immediately, if applicable in the current MODE of operation.

A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

A.1

Condition A applies if one Matrix Logic channel is inoperable. Since matrix power supplies in a given matrix (e.g., AB, BC, etc.) are common to all ESFAS Functions, a single power supply failure may affect more than one matrix.

Failures of individual bistables, their relays, and the trip channel bypass relays and their contacts are considered measurement channel failures. This section describes failures of the Matrix Logic not addressed in the above, such as the failure of matrix relay power supplies. Loss of a single vital bus will de-energize one of the two power supplies in each of three matrices. This will result in two initiation circuits de-energizing, reducing the ESFAS Actuation Logic to a one-out-of-two logic in both trains.
Condition A also applies when de-energizing up to three matrix power supplies due to a single failure, such as loss of a vital instrument bus. This is to be treated as a single matrix channel failure, providing the affected matrix relays de-energize as designed. Although each of the six matrices within an ESFAS Function uses separate power supplies, the matrices for the different ESFAS Functions share power supplies. Thus, failure of a matrix power supply may force entry into the Condition specified for each of the affected ESFAS Functions.

The channel must be restored to OPERABLE status within 48 hours. This provides the operator with time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable. Operating experience has demonstrated that the probability of a random failure of a second Matrix Logic channel is low during any given 48 hour period. If the channel cannot be restored to OPERABLE status within 48 hours, Condition E is entered.

B.1

Condition B applies to one Manual Trip or Initiation Logic channel inoperable.

The channel must be restored to OPERABLE status within 48 hours. Operating experience has demonstrated that the probability of a random failure in a second channel is low during any given 48 hour period.

Failure of a single Initiation Logic channel may open one contact affecting both Actuation Logic channels. For the purposes of this Specification, the Actuation Logic is not inoperable. This prevents the need to enter LCO 3.0.3 in the event of an Initiation Logic channel failure.
The Actions differ from those involving one RPS manual channel inoperable, because in the case of the RPS, opening RTCBs can be easily performed and verified. Opening an initiation relay contact is more difficult to verify, and subsequent shorting of the contact is always possible.

C.1 and C.2

Condition C applies to the failure of both Initiation Logic channels affecting the same trip leg.

In this case, the Actuation Logic channels are not inoperable, since they are in one-out-of-two logic and capable of performing as required. This obviates the need to enter LCO 3.0.3 in the event of a matrix or vital bus power failure.

Both Initiation Logic channels in the same trip leg will de-energize if a matrix power supply or vital instrument bus is lost. This will open the Actuation Logic contacts, satisfying the Required Action to open at least one set of contacts in the affected trip leg. Indefinite operation in this condition is prohibited because of the difficulty of ensuring the contacts remain open under all conditions. Thus, the channel must be restored to OPERABLE status within 48 hours. This provides the operator with time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable. Operating experience has demonstrated that the probability of a random failure of a second channel is low during any given 48 hour period. If the channel cannot be restored to OPERABLE status within 48 hours, Condition E is entered.

Of greater concern is the failure of the initiation circuit in a nontrip condition (e.g., due to two initiation relay failures).
With one failed, there is still the redundant contact in the trip leg of each Actuation Logic. With both failed in a nontrip condition, the ESFAS Function is lost in the affected train. To prevent this, immediate opening of at least one contact in the affected trip leg is required. If the required contact has not opened, as indicated by annunciation or trip leg current lamps, Manual Trip of the affected trip leg contacts may be attempted. Caution must be exercised, since operating the wrong ESFAS handswitch may result in an ESFAS actuation.

D.1

Condition D applies to Actuation Logic. With one Actuation Logic channel inoperable, automatic actuation of one train of ESF may be inhibited. The remaining train provides adequate protection in the event of Design Basis Accidents, but the single failure criterion may be violated. For this reason operation in this condition is restricted.

The channel must be restored to OPERABLE status within 48 hours. Operating experience has demonstrated that the probability of a random failure in the Actuation Logic of the second train is low during a given 48 hour period.

Failure of a single Initiation Logic channel, matrix channel power supply, or vital instrument bus may open one or both contacts in the same trip leg in both Actuation Logic channels. For the purposes of this Specification, the Actuation Logic is not inoperable. This obviates the need to enter LCO 3.0.3 in the event of a vital bus, matrix, or initiation channel failure.

Each Actuation Logic channel has two sets of redundant power supplies. The power supplies in each set are powered from different vital instrument buses.
Failure of a single power supply or a set of power supplies due to the loss of a vital instrument bus does not affect the operation of the Actuation Logic because the redundant power supplies can supply the full system load. For the purposes of this specification, the Actuation Logic is not inoperable.

Required Action D.1 is modified by a Note to indicate that one channel of Actuation Logic may be bypassed for up to 1 hour for Surveillance, provided the other channel is OPERABLE. This allows performance of a PPS CHANNEL FUNCTIONAL TEST on an OPERABLE ESFAS train without generating an ESFAS actuation in the inoperable train.

E.1 and E.2

If the Required Actions and associated Completion Times of Conditions for CSAS, MSIS or AFAS cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 and F.2

If the Required Actions and associated Completion Times for SIAS, CIAS, or RAS are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. If the Required Actions and associated Completion Times for SIAS, CIAS, or RAS Matrix Logic are not met, this Action may be exited when the plant is brought to MODE 4 since the LCO does not apply in MODE 4.
The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.6.1

A CHANNEL FUNCTIONAL TEST is performed to ensure the entire channel will perform its intended function when needed.

The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays. These overlapping tests are described in Reference 1. SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized.

These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SR 3.3.5.2 is addressed in LCO 3.3.5. SR 3.3.6.1 includes Matrix Logic tests and trip path (Initiation Logic) tests, and Manual Actuation Tests.

Matrix Logic Tests

These tests are performed one matrix at a time. They verify that a coincidence in the two input channels for each function removes power to the matrix relays. During testing, power is applied to the matrix relay test coils, preventing the matrix relay contacts from assuming their de-energized state.
The Matrix Logic tests will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path (Initiation Logic) Tests

These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening one contact in each Actuation Logic channel.

The initiation circuit lockout relay must be reset (except for AFAS, which lacks initiation circuit lockout relays) prior to testing the other three initiation circuits, or an ESFAS actuation may result.

Automatic Actuation Logic operation is verified during Initiation Logic testing by verifying that current is interrupted in each trip leg in the selective two-out-of-four actuation circuit logic whenever the initiation relay is de-energized. A Note is added to indicate that testing of Actuation Logic shall include verification of the proper operation of each initiation relay.

During the Matrix Logic and Initiation Logic test, power is applied to the Matrix relay test coils. The test coils prevent an actuation during testing by preventing the Matrix relay contacts in the Initiation Logic from changing state during the test. This does not affect the Operability of the Initiation Logic since only one of the six logic combinations that are available to trip the Initiation Logic is affected during the test, because only one Matrix Logic combination can be tested at any time. The remaining five matrix combinations available ensure that a trip in any three channels will de-energize all four Initiation paths.
Manual Trip Tests

This test verifies that the manual trip handswitches are capable of opening contacts in the Actuation Logic as designed.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.2

Individual ESFAS subgroup relays must also be tested, one at a time, to verify the individual ESFAS components will actuate when required. Proper operation of the individual subgroup relays is verified by de-energizing these relays one at a time using an ARC mounted test circuit. Proper operation of each component actuated by the individual relays is thus verified without the need to actuate the entire ESFAS function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

If two or more ESFAS subgroup relays fail per Unit in a 12-month period, an evaluation should be performed to determine the adequacy of the surveillance interval. The evaluation should consider the design, maintenance, and testing of all ESFAS subgroup relays. If it is determined that the surveillance interval is inadequate for detecting a single relay failure, the surveillance interval should be decreased. The revised surveillance interval should be such that an ESFAS subgroup relay failure can be detected prior to the occurrence of a second failure.

Some components cannot be tested at power since their actuation might lead to a plant transient, equipment damage, unjustifiable exposure or an unnecessary burden on plant personnel relative to the safety significance of the surveillance. Reference 1 lists similar criteria, from reference 4, for those relays and actuated equipment exempted from testing at power. Relays not tested at power must be tested in accordance with the Note to this SR.
The above guidance for reevaluating ESFAS subgroup relay surveillance test intervals is based on the Safety Evaluation by the Office of Nuclear Reactor Regulation, "Review of CE Owners Group Topical Report CEN-403, Rev. 1, 'ESFAS Subgroup Relay Test Interval Extension'" (Ref. 4). CEN-403, Rev. 1 was later replaced with Rev. 1-A which contains the NRC safety evaluation. It should be noted that this report (CEN-403) identifies that Palo Verde Units 1, 2, and 3 replaced the pre-1990 ESFAS subgroup relays with a newer prototype model. CEN-403 states that the failure rates for the new model relays will be comparable to the rates for the new style relays pioneered and installed at Palo Verde in late 1989 to resolve the failure mode of the older style relays. Therefore, the ESFAS subgroup relays identified as being replaced at the end of 1989 are acceptable.

REFERENCES

1. UFSAR, Section 7.3.
2. CEN-327, May 1986, including Supplement 1, March 1989, and Calculation 13-JC-SB-200.
3. CEN-403, "ESFAS Subgroup Relay Test Interval Extension, Revision 1".
4. Safety Evaluation by the Office of Nuclear Reactor Regulation, Review of CE Owners Group Topical Report CEN-403, Rev. 1, "ESFAS Subgroup Relay Test Interval Extension", February 27, 1996.

B 3.3 INSTRUMENTATION

B 3.3.7 Diesel Generator (DG) - Loss of Voltage Start (LOVS)

BASES

BACKGROUND

The DGs provide a source of emergency power when offsite power is either unavailable or insufficiently stable to allow safe unit operation. Undervoltage protection will generate a LOVS in the event a Loss of Voltage (LOV) or Degraded Voltage (DV) condition occurs.
Four solid-state relays and four induction disk relays are provided on each 4.16 kV Class 1E bus for the purpose of detecting a sustained degraded voltage or a loss of bus voltage condition, respectively.

The protective function of the Degraded Voltage Relays is maintained by assuring that they always actuate when voltage is 3697 V. To prevent spurious actuations, the Degraded Voltage Relays will not actuate when voltage is 3786 V. The time delay for the Degraded Voltage Relays is a maximum of 35 seconds and is not affected by the voltage level at which they are actuated.

The Loss of Voltage Relays actuate at a lower voltage. Their time delay varies depending on the voltage level: the lower the voltage, the shorter the time delay. The primary function of the Loss of Voltage Relays is to trip in 2.4 seconds or less for a complete loss of voltage condition.

The Balance of Plant Engineered Safety Features Activation System (BOP ESFAS) Loss of Power/Load Shed (LOP/LS) module receives inputs from the LOV and DV relays. The LOP/LS module has four channels; each channel has one LOV input and one DV input. If either a LOV or DV signal is received in that channel, the channel trips. If any 2 of the 4 channels trip, a signal is sent to the BOP ESFAS Diesel Generator Start Signal (DGSS) module starting the diesel. The LOVS initiated actions are described in "Onsite Power Systems" (Ref. 1).

Trip Setpoints and Allowable Values

Based on the trip setpoint, Calculation 13-EC-PB-202 (Ref. 5) establishes allowable minimum dropout and maximum reset values for the Degraded Voltage Relays, taking into account calibration tolerances, instrumentation uncertainties, and instrument drift. Maintaining the minimum dropout voltage (3697 V and 3786 V) ensures protection during sustained degraded voltage conditions.
Maintaining the maximum reset voltage (approximately 3805 V, Ref. 6) prevents spurious actuation during analyzed conditions. Calculations 01, 02, 03-EC-MA-221 (Ref. 6) verify that the voltage will recover above the maximum reset value following the most adverse accident loading scenario, and that the relays will not actuate during the transient period of automatic load sequencing.

Setpoints in accordance with the Allowable Values will ensure that the consequences of accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the accident and the equipment functions as designed.

The undervoltage protection scheme has been designed to protect the plant from spurious trips caused by the offsite power source. A complete loss of offsite power will result in approximately a 2 second delay in LOVS actuation. The DG starts and is available to accept loads within a 10 second time interval on the Engineered Safety Features Actuation System (ESFAS) or LOVS. Emergency power is established within the maximum time delay assumed for each event analyzed in the accident analysis (Ref. 2).

Since there are four protective channels in a two-out-of-four trip logic for each division of the 4.16 kV power supply, no single sensor failure will cause or prevent protective system actuation.

APPLICABLE SAFETY ANALYSES

The DG - LOVS is required for Engineered Safety Features (ESF) systems to function in any accident with a loss of offsite power. Its design basis is that of the ESFAS.
Accident analyses credit the loading of the DG based on a loss of offsite power during a loss of coolant accident.

The actual DG start has historically been associated with the ESFAS actuation. The diesel loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power. The analysis assumes a nonmechanistic DG loading, which does not explicitly account for each individual component of the loss of power detection and subsequent actions. This delay time includes contributions from the DG start, DG loading, and Safety Injection System component actuation. The response of the DG to a loss of power must be demonstrated to fall within this analysis response time when including the contributions of all portions of the delay.

The required channels of LOVS, in conjunction with the ESF systems powered from the DGs, provide plant protection in the event of any of the analyzed accidents discussed in Reference 2, in which a loss of offsite power is assumed.
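
The two-out-of-four LOP/LS channel logic described in the Background, and the reduced logic that the ACTIONS of this Bases give for channels placed in trip or bypass, can be checked with a small model. This is an added example, not plant software or part of the Technical Specification Bases; the class and function names are hypothetical, and it assumes that a bypassed channel contributes no vote while a tripped channel always votes.

```python
"""Two-out-of-four DG LOVS channel voting with channels in trip or bypass.

Added illustration; class and function names are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    OPERABLE = "operable"  # channel votes on its own LOV/DV relay inputs
    TRIPPED = "tripped"    # channel held in the tripped state
    BYPASSED = "bypassed"  # channel removed from the vote (assumption)


@dataclass
class Channel:
    state: State = State.OPERABLE
    lov: bool = False  # Loss of Voltage relay input
    dv: bool = False   # Degraded Voltage relay input

    def tripped(self) -> bool:
        """A channel trips on either input; trip/bypass override the inputs."""
        if self.state is State.BYPASSED:
            return False
        if self.state is State.TRIPPED:
            return True
        return self.lov or self.dv


def lovs_start(channels) -> bool:
    """Diesel start signal: any 2 of the 4 channels tripped."""
    if len(channels) != 4:
        raise ValueError("the LOP/LS module has four channels")
    return sum(ch.tripped() for ch in channels) >= 2


def effective_logic(states):
    """Return (k, n): k of the n OPERABLE channels must sense undervoltage
    to produce a start signal. k == 0 means the signal is already present;
    None means no combination of the operable channels can produce it."""
    operable = [i for i, s in enumerate(states) if s is State.OPERABLE]
    for k in range(len(operable) + 1):
        channels = [Channel(state=s) for s in states]
        for i in operable[:k]:  # channels are symmetric, so any k will do
            channels[i].lov = True
        if lovs_start(channels):
            return (k, len(operable))
    return None


O, T, B = State.OPERABLE, State.TRIPPED, State.BYPASSED

# Channel configurations named in the ACTIONS discussion of this Bases.
CASES = {
    "all four channels OPERABLE": [O, O, O, O],
    "one channel tripped": [T, O, O, O],
    "one channel bypassed": [B, O, O, O],
    "one bypassed, one tripped": [B, T, O, O],
    "two channels tripped": [T, T, O, O],
}

if __name__ == "__main__":
    for label, states in CASES.items():
        print(f"{label}: {effective_logic(states)}")
```

The (0, 2) result for two tripped channels corresponds to the statement in the ACTIONS that placing a second channel in trip will result in a loss of voltage diesel start signal.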

LOVS channels are required to meet the redundancy and testability requirements of GDC 21 in 10 CFR 50, Appendix A (Ref. 4).

The delay times assumed in the safety analysis for the ESF equipment include the 10 second DG start delay and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in LCO 3.3.5, "Engineered Safety Features Actuation System (ESFAS) Instrumentation," include the appropriate DG loading and sequencing delay.

The DG - LOVS channels satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO

The LCO for the LOVS requires that four channels per bus of LOVS instrumentation be OPERABLE in MODES 1, 2, 3, and 4 and when the associated DG is required to be OPERABLE by LCO 3.8.2, "AC Sources - Shutdown." The LOVS supports safety systems associated with the ESFAS. In MODES 5 and 6, the four channels must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure that the automatic start of the DG is available when needed.

Actions allow maintenance (trip channel) bypass of individual channels.

Loss of LOVS Function could result in the delay of safety system initiation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power, which is an anticipated operational occurrence, the DG powers the motor driven auxiliary feedwater pumps. Failure of these pumps to start would leave only the one turbine driven pump as well as an increased potential for a loss of decay heat removal through the secondary system.

Only Allowable Values are specified for each Function in the LCO.
Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable, provided that operation and testing is consistent with the assumptions of the plant specific setpoint calculation. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

APPLICABILITY

The DG - LOVS actuation Function is required in MODES 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODE 5 or 6 is required whenever the required DG must be OPERABLE, so that it can perform its function on a loss of power or degraded power to the vital bus.

ACTIONS

A LOVS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. Determination of setpoint drift is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the instrument is set up for adjustment to bring it within specification. If the actual trip setpoint is not within the Allowable Value, the channel is inoperable and the appropriate Conditions must be entered.
In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the channel is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition entered. The required channels are specified on a per DG basis.

A.1 and A.2

Condition A applies if one channel per DG bus is inoperable.

If the channel cannot be restored to OPERABLE status, the affected channel should either be bypassed or tripped within 1 hour (Required Action A.1).

Placing this channel in either Condition ensures that logic is in a known configuration. In trip, the LOVS Logic is one-out-of-three. In bypass, the LOVS Logic is two-out-of-three. The 1 hour Completion Time is sufficient to perform these Required Actions.

Once Required Action A.1 has been complied with, Required Action A.2 allows prior to entering MODE 2 following the next MODE 5 entry to repair the inoperable channel. If the channel cannot be restored to OPERABLE status, the plant cannot enter MODE 2 following the next MODE 5 entry. The time allowed to repair or trip the channel is reasonable to repair the affected channel while ensuring that the risk involved in operating with the inoperable channel is acceptable. The prior to entering MODE 2 following the next MODE 5 entry Completion Time is based on adequate channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a system actuation.

B.1 and B.2

Condition B applies if two channels per DG bus are inoperable.
If the channel cannot be placed in bypass or trip within 1 hour, the Conditions and Required Actions for the associated DG made inoperable by DG - LOVS instrumentation are required to be entered. Alternatively, one affected channel is required to be bypassed and the other is tripped, in accordance with Required Action B.2. This places the Function in one-out-of-two logic. The 1 hour Completion Time is sufficient to perform the Required Actions.

One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not permitted to bypass more than one DG-LOVS channel, and placing a second channel in trip will result in a loss of voltage diesel start signal.

After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel.

C.1

Condition C.1 applies when more than two channels on a single bus are inoperable.

Required Action C.1 requires all but two channels to be restored to OPERABLE status within 1 hour. With more than two channels inoperable, the logic is not capable of providing the DG - LOVS signal for valid Loss of Voltage or degraded voltage condition. The 1 hour Completion Time is reasonable to evaluate and take action to correct the degraded condition in an orderly manner and takes into account the low probability of an event requiring LOVS occurring during this interval.

D.1

Condition D.1 applies if the Required Actions and associated Completion Times are not met.
Required Action D.1 ensures that Required Actions for the affected DG inoperabilities are initiated. Depending upon plant MODE, the ACTIONS specified in LCO 3.8.1, "AC Sources - Operating," or LCO 3.8.2 are required immediately.

SURVEILLANCE REQUIREMENTS

The following SRs apply to each DG - LOVS Function.

SR 3.3.7.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination shall include, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. A CHANNEL CHECK consists of verifying all relay status lights on the control board are lit. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.2

A CHANNEL FUNCTIONAL TEST is performed to ensure that the entire channel will perform its intended function when needed.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The as found and as left values must also be recorded and reviewed for consistency.

SR 3.3.7.3

SR 3.3.7.3 is the performance of a CHANNEL CALIBRATION. The CHANNEL CALIBRATION verifies the accuracy of each component within the instrument channel. This includes calibration of the Loss of Voltage and Degraded Voltage relays and demonstrates that the equipment falls within the specified operating characteristics defined by the manufacturer.

The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive surveillances to ensure the instrument channel remains operational. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis. The as found and as left values must also be recorded and reviewed for consistency.

The setpoints, as well as the response to a Loss of Voltage and Degraded Voltage test, shall include a single point verification that the trip occurs within the required delay time, as shown in Reference 1.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 8.3.
2. UFSAR, Chapter 15.
3. Controlled Dwg. Relay Setpoint Sheets.

4. 10 CFR 50, Appendix A, GDC 21.
5. Calculation 13-EC-PB-202.
6. Calculations 01, 02, 03-EC-MA-221.

B 3.3 INSTRUMENTATION

B 3.3.8 Containment Purge Isolation Actuation Signal (CPIAS)

BASES

BACKGROUND

This LCO encompasses the CPIAS, which is an instrumentation channel that performs an actuation function required for plant protection but is not otherwise included in LCO 3.3.6, "Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip," or LCO 3.3.7, "Diesel Generator (DG) - Loss of Voltage Start (LOVS)." The CPIAS provides protection from radioactive contamination in the containment in the event a fuel assembly should be severely damaged during handling. It also closes the purge valves during plant operation in response to a Reactor Coolant System (RCS) leak. The CPIAS will detect any abnormal amounts of radioactive material in the power access and refueling purge exhaust ducts and will initiate purge valve closure to limit the release of radioactivity to the environment. Both the power access purge and refueling purge supply and exhaust valves are closed on a CPIAS when a high radiation level in the power access and refueling purge exhaust ducts is detected. The CPIAS includes two independent, redundant logic subsystems, including actuation trains. Each train employs a Gamma (area) sensor. If either sensor exceeds the trip setpoint, both of the CPIAS trains will be actuated (one-out-of-two logic). Each train actuates a separate series valve in the containment purge supply and return lines. Either train controls sufficient equipment to perform the isolation function. These valves are also isolated on a Containment Isolation Actuation Signal (CIAS).

Trip Setpoints and Allowable Values

Trip setpoints used in the bistables are based on the analytical limits (Ref. 1). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. The trip setpoints are digitally generated by the radiation monitors. These trip values are not subject to drifts common to trips generated by analog type equipment. The allowable value for this trip is therefore the same as the Trip Setpoints. Setpoints in accordance with the Allowable Value will ensure that the consequences of Design Basis Accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or accident and the equipment functions as designed.

APPLICABLE SAFETY ANALYSES

The CPIAS is a backup to the CIAS Systems in MODES 1, 2, 3, and 4 and will close the containment purge valves in the event of high radiation levels resulting from a primary leak in the containment. Branch Technical Position CSB 6-4 (Containment Purging During Normal Plant Operations) requires isolation of the power access purge lines in the event of a loss-of-coolant accident to minimize radiation releases and ensure the radiological consequences will not exceed 10 CFR Part 100 guideline values. The CPIAS will close the containment purge valves (if open) in the event of all large and small break LOCA (CEA ejection is a type of small break LOCA) accidents in containment, as described in Reference 1.
The CPIAS, however, is not required to function during a fuel handling accident to ensure the offsite consequences of radiation accidents in containment are within 10 CFR 100 limits (Ref. 2) as described in the Safety Analysis (Ref. 1). The CPIAS satisfies the requirements of Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

LCO 3.3.8 requires one CPIAS channel to be OPERABLE. The required channel consists of an area radiation monitor; Actuation Logic; and Manual Trip. The specific trip setpoints for the CPIAS are listed in the SRs. Each trip setpoint specified is more conservative than the analytical limit assumed in the transient and accident analysis in order to account for instrument uncertainties appropriate to the trip function. The Bases for the LCO on CPIAS are discussed below for each Function:

a. Manual Trip

The LCO on Manual Trip backs up the automatic trip and ensures operators have the capability to rapidly initiate the CPIAS Function if any parameter is trending toward its setpoint. One manual channel of CPIAS is required in MODES 1, 2, 3, and 4, since the CPIAS is redundant with the CIAS and there are additional means of closing the containment purge valves. Only one manual channel of CPIAS is required during CORE ALTERATIONS and movement of irradiated fuel assemblies, since there are additional means of closing the containment purge valves in the event of a channel failure.

b. Power Access and Refueling Purge Exhaust Duct Radiation

One channel of radiation monitoring is required in MODES 1, 2, 3, and 4 or during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment.
c. Actuation Logic

One channel of Actuation Logic is required since the valves can be shut independently of the CPIAS signal either manually from the control room or using the CIAS pushbutton.

APPLICABILITY

In MODES 1, 2, 3, and 4, the power access purge valves may be open. In these MODES, it is necessary to ensure the valves will shut in the event of a primary leak in containment whenever any of the containment purge valves are open. With the purge valves open during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, there is the possibility of a fuel handling accident requiring CPIAS on high radiation in the power access purge and refueling purge exhaust ducts. The Applicability is modified by a Note, which states that the CPIAS specification is only required when the penetration is not isolated by at least one closed automatic valve, closed manual valve, or blind flange.

ACTIONS

A CPIAS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure.

A.1

Condition A applies to the failure of CPIAS Manual Trip, Actuation Logic, and area radiation monitor in MODES 1, 2, 3, and 4. The Required Action is to place and maintain containment purge and exhaust valves in closed position. The Completion Time accounts for the condition that the capability to isolate containment on valid high radiation levels in the power access and refueling purge exhaust ducts or manual signals is degraded during power operation or shutdown modes.
B.1

Condition B applies when the Required Action and associated Completion Time of Condition A are not met in MODES 1, 2, 3, or 4. If Required Action A cannot be met within the required Completion Time, entry into LCO 3.6.3, "Containment Isolation Valves," is required. The Completion Time accounts for the fact that the inability to close and maintain the purge and exhaust valves closed may affect the ability of the valves to automatically close on a Containment Isolation Actuation Signal (CIAS).

C.1, C.2.1, and C.2.2

Condition C applies to two channels of radiation monitor, Manual Trip, or Actuation Logic inoperable; the applicability is during CORE ALTERATIONS or during the movement of irradiated fuel assemblies within containment. Required Action C.1 is to place the containment purge and exhaust isolation valves in the closed position. The Required Action immediately performs the isolation function of the CPIAS. Required Actions C.2.1 and C.2.2 may be performed in lieu of Required Action C.1. Required Action C.2.1 requires the suspension of CORE ALTERATIONS and Required Action C.2.2 requires suspension of movement of irradiated fuel in containment immediately. The Completion Time accounts for the fact that the automatic capability to isolate containment on valid power access and refueling purge exhaust duct high radiation signals is degraded during conditions in which a fuel handling accident is possible and CPIAS provides the only automatic mitigation of radiation release.
SURVEILLANCE REQUIREMENTS

SR 3.3.8.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred on the required radiation monitor channels used in the CPIAS. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.2

A CHANNEL FUNCTIONAL TEST is performed on each required containment radiation monitoring channel (RU-37 and RU-38) to ensure the entire channel will perform its intended function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.8.3

Proper operation of the individual actuation relays is verified by actuating these relays during the CHANNEL FUNCTIONAL TEST of the Actuation Logic. This will actuate the Function, operating all associated equipment. Proper operation of the equipment actuated by each train is thus verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A Note to the SR indicates that this surveillance includes verification of operation for each actuation relay.

SR 3.3.8.4

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.5

A CHANNEL FUNCTIONAL TEST is performed on the CPIAS Manual Trip channel. This test verifies that the trip handswitches are capable of opening contacts in the Actuation Logic as designed, de-energizing the initiation relays and providing manual actuation of the Function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES

1. UFSAR, Chapter 15.
2. 10 CFR 100.
3. "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," NUREG-75/087, Revision 1, 1978, Section 6.2.4, Branch Technical Position CSB 6-4, "Containment Purging During Normal Plant Operation."

B 3.3 INSTRUMENTATION

B 3.3.9 Control Room Essential Filtration Actuation Signal (CREFAS)

BASES

BACKGROUND

This LCO encompasses CREFAS actuation, which is an instrumentation channel that performs an actuation Function required for plant protection but is not otherwise included in LCO 3.3.6, "Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip," or LCO 3.3.7, "Diesel Generator (DG) - Loss of Voltage Start (LOVS)." This is a BOP ESFAS Function that, because of differences in purpose, design, and operating requirements, is not included in LCO 3.3.6 and LCO 3.3.7. The CREFAS initiates actuation of the Control Room Essential Filtration System to minimize operator radiation exposure. The CREFAS includes two independent, redundant subsystems, including actuation trains. Each train has a gaseous activity radiation monitor for the control room air intake activity. If either train radiation monitor indicates an unsafe condition, both CREFAS trains will be actuated (one-out-of-two logic). The two trains actuate separate equipment. Actuating either train will perform the intended function. A CREFAS is also initiated by a Containment Purge Isolation Actuation Signal (CPIAS) from either of the two CPIAS channels or by a Fuel Building Essential Ventilation Actuation Signal (FBEVAS) from either of the two FBEVAS channels. Control room filtration also occurs on a Safety Injection Actuation Signal (SIAS).
A cross-train trip function is provided as a defense-in-depth function that is not required for CREFAS operability.

Trip Setpoints and Allowable Values

Trip setpoints used in the bistables are based on the analytical limits (Ref. 1). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. The trip setpoints are digitally generated by the radiation monitors. These trip values are not subject to drifts common to analog type equipment. The allowable value for this trip is therefore the same as the trip setpoint.

Setpoints in accordance with the Allowable Value will ensure that the consequences of Design Basis Accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or accident and the equipment functions as designed.

APPLICABLE SAFETY ANALYSES

The CREFAS maintains the control room atmosphere within conditions suitable for prolonged occupancy throughout the duration of any one of the accidents discussed in Reference 1. The radiation exposure of control room personnel, through the duration of any one of the postulated accidents discussed in "Accident Analysis," FSAR, Chapter 15 (Ref. 1), does not exceed the limits set by 10 CFR 50, Appendix A, GDC 19 (Ref. 2). The CREFAS satisfies the requirements of Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

LCO 3.3.9 requires one channel of CREFAS to be OPERABLE.
The required channel consists of Actuation Logic, Manual Trip, and a gaseous radiation monitor. The specific trip setpoint for the CREFAS is listed in the SR. Each trip setpoint specified is more conservative than the analytical limit assumed in the transient and accident analysis in order to account for instrument uncertainties appropriate to the trip Function. A channel is inoperable if its actual trip setpoint is not set to the value specified in SR 3.3.9.2. The Bases for the LCO on the CREFAS are discussed below for each Function:

a. Manual Trip

The LCO on Manual Trip backs up the automatic trips and ensures operators have the capability to rapidly initiate the CREFAS Function if any parameter is trending toward its setpoint. One channel must be OPERABLE. This considers that the Manual Trip capability is a backup and that other means are available to actuate the redundant train if required, including manual SIAS, FBEVAS, or CPIAS.

b. Radiation Monitors

One channel of radiation monitor is required to be OPERABLE to ensure the control room filtration actuates on high gaseous activity.

c. Actuation Logic

One train of Actuation Logic must be OPERABLE, since there are alternate means available to actuate the redundant train, including SIAS.

APPLICABILITY

The CREFAS Functions must be OPERABLE in MODES 1, 2, 3, 4, 5, and 6 and during movement of irradiated fuel assemblies in either the fuel building or the containment building, to ensure a habitable environment for the control room operators. Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification.
The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

ACTIONS

A CREFAS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure.

A.1, B.1, B.2, C.1, C.2.1, C.2.2, and C.2.3

Conditions A, B, and C are applicable to manual and automatic actuation of the CREFAS. Condition A applies to the failure of the CREFAS Manual Trip, Actuation Logic, and radiation monitor channel in MODE 1, 2, 3, or 4. Entry into this Condition requires action to either restore the failed channel or manually perform the CREFS safety function. Required Action A.1 - place one train of CREFS in the essential filtration mode (e.g., emergency or pressurization mode of operation - fan running, valves/dampers aligned to the post-CREFAS mode). The Completion Time of 1 hour is sufficient to complete the Required Actions and accounts for the fact that CREFAS supplements control room filtration by other Functions (e.g., SIAS) in MODES 1, 2, 3, and 4. If Required Action A.1 and the associated completion time are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours (Required Action B.1) and to MODE 5 within 36 hours (Required Action B.2).
The Completion Times of 6 hours and 36 hours for reaching MODES 3 and 5 from MODE 1 are reasonable, based on operating experience and normal cooldown rates, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant safety systems or operators. Condition C applies to the failure of CREFAS Manual Trip, Actuation Logic, and radiation monitor channel in MODE 5 or 6, or when moving irradiated fuel assemblies. The Required Actions are immediately taken to place one OPERABLE CREFS train in the essential filtration mode (e.g., emergency or pressurization mode of operation - fan running, valves/dampers aligned to the post-CREFAS mode), or to suspend CORE ALTERATIONS, positive reactivity additions, and movement of irradiated fuel assemblies. The Completion Time recognizes the fact that FBEVAS or CPIAS are available to initiate the control room essential filtration mode in the event of a fuel handling accident.

SURVEILLANCE REQUIREMENTS

SR 3.3.9.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.2

A CHANNEL FUNCTIONAL TEST is performed on each required control room radiation monitoring channel (RU-29 and RU-30) to ensure the entire channel will perform its intended function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.3

Proper operation of the individual actuation relays is verified by de-energizing these relays during the CHANNEL FUNCTIONAL TEST of the Actuation Logic. This will actuate the Function, operating all associated equipment. Proper operation of the equipment actuated by each train is thus verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Note 1 indicates this Surveillance includes verification of operation for each actuation relay. Note 2 indicates that relays that cannot be tested at power are excepted from the Surveillance Requirement while at power. These relays must, however, be tested during each entry into MODE 5 exceeding 24 hours unless they have been tested within the previous 6 months.
At PVNGS all of the actuation relays can be tested at power.

SR 3.3.9.4

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.5

A CHANNEL FUNCTIONAL TEST is performed on the manual CREFAS actuation circuitry. This test verifies that the trip handswitches are capable of opening contacts in the Actuation Logic as designed, de-energizing the actuation relays and providing Manual Trip of the function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.6

This Surveillance ensures that the train actuation response times are less than the maximum times assumed in the analyses. Response time testing criteria are included in Reference 3. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 15.
2. 10 CFR 50, Appendix A, GDC 19.
3. UFSAR, Chapter 7.
B 3.3 INSTRUMENTATION

B 3.3.10 Post Accident Monitoring (PAM) Instrumentation

BASES

BACKGROUND

The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions for Design Basis Events. The OPERABILITY of PAM instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. The availability of PAM instrumentation is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by plant specific documents (Ref. 1) addressing the recommendations of Regulatory Guide 1.97 (Ref. 2), as required by Supplement 1 to NUREG-0737, "TMI Action Items" (Ref. 3). Type A variables are included in this LCO because they provide the primary information required to permit the control room operator to take specific manually controlled actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions for Design Basis Accidents (DBAs).
Category I variables are the key variables deemed risk significant because they are needed to: Determine whether other systems important to safety are performing their intended functions; Provide information to the operators that will enable them to determine the potential for causing a gross breach of the barriers to radioactivity release; and Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public as well as to obtain an estimate of the magnitude of any impending threat. These key variables are identified by plant specific Regulatory Guide 1.97 analyses (Ref. 1). These analyses identified the plant specific Type A variables and provided justification for deviating from the NRC proposed list of Category I variables.

APPLICABLE SAFETY ANALYSES

The PAM instrumentation ensures the OPERABILITY of Regulatory Guide 1.97 Type A variables, so that the control room operating staff can: Perform the diagnosis specified in the emergency operating procedures. These variables are restricted to preplanned actions for the primary success path of DBAs; and Take the specified, preplanned, manually controlled actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions. The PAM instrumentation also ensures OPERABILITY of Category I, non-Type A variables.
This ensures the control room operating staff can: Determine whether systems important to safety are performing their intended functions; Determine the potential for causing a gross breach of the barriers to radioactivity release; Determine if a gross breach of a barrier has occurred; and Initiate action necessary to protect the public as well as to obtain an estimate of the magnitude of any impending threat.

PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii). Category I, non-Type A PAM instruments are retained in the Specification because they are intended to assist operators in minimizing the consequences of accidents. Therefore, these Category I, non-Type A variables are important in reducing public risk.

LCO

LCO 3.3.10 requires two OPERABLE channels for all but one Function to ensure no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident. Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information. The exception to the two channel requirement is Containment Isolation Valve Position. In this case, the important information is the status of the containment penetrations. The LCO requires one position indicator for each active containment isolation valve.
This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of the passive valve or via system boundary status. If a normally active containment isolation valve is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE. Listed below are discussions of the specified instrument Functions listed in Table 3.3.10-1.

1. Logarithmic Neutron Flux

Logarithmic Neutron Flux indication is provided to verify reactor shutdown. At PVNGS, the Logarithmic Neutron Flux PAM channels consist of the following: SEA-NE-001A, SEB-NE-001B.

2, 3. Reactor Coolant System (RCS) Hot and Cold Leg Temperature

RCS Hot and Cold Leg Temperatures are Category I variables provided for verification of core cooling and long term surveillance. Reactor outlet temperature inputs to the PAM are provided by two fast response resistance elements and associated transmitters in each loop. Cold Legs 1A and 1B make up one loop and Cold Legs 2A and 2B make up one loop. The channels provide indication over a range of 50°F to 750°F. At PVNGS the Hot Leg Temperature indication consists of: RCA-TT-112H1, RCB-TT-112H2, RCA-TT-122H1, RCB-TT-122H2. The Cold Leg Temperature indication consists of: RCA-TT-112C1, RCB-TT-112C2, RCA-TT-122C1, RCB-TT-122C2.

4. Reactor Coolant System Pressure (wide range)

RCS Pressure (wide range) is a Category I variable, provided for verification of core cooling and RCS integrity long term surveillance.
Wide range RCS loop pressure is measured by pressure transmitters with a span of 0 psig to 4000 psig. Redundant monitoring capability is provided by two trains of instrumentation. Control room indications are provided through the Qualified Safety Parameter Display System (QSPDS) visual display. The QSPDS visual display is the primary indication used by the operator during an accident. Therefore, the PAM instrumentation Specification deals specifically with this portion of the instrument channel.

RCS pressure is also a Type A variable because the operator uses this indication to monitor the cooldown of the RCS following a steam generator tube rupture or small break loss of coolant accident (LOCA). Operator actions to maintain a controlled cooldown, such as adjusting steam generator pressure or level, would use this indication. Furthermore, RCS pressure is one factor that may be used in decisions to terminate reactor coolant pump operation.

At PVNGS the RCS Pressure (wide range) consists of:

RCA-PT-190A
RCB-PT-190B

5. Reactor Vessel Water Level

Reactor Vessel Water Level is provided for verification and long term surveillance of core cooling.

The Reactor Vessel Water Level Monitoring System provides a direct measurement of the collapsed liquid level above the fuel alignment plate. The collapsed level represents the amount of liquid mass that is in the reactor vessel above the core. Measurement of the collapsed water level is selected because it is a direct indication of the water inventory.
The collapsed level is obtained over the same temperature and pressure range as the saturation measurements, thereby encompassing all operating and accident conditions where it must function. Also, it functions during the recovery interval. Therefore, it is designed to survive the high steam temperature that may occur during the preceding core recovery interval.

The level range extends from the top of the vessel down to the top of the fuel alignment plate. The response time is short enough to track the level during small break LOCA events. The resolution is sufficient to show the initial level drop, the key locations near the hot leg elevation, and the lowest levels just above the alignment plate. This provides the operator with adequate indication to track the progression of the accident and to detect the consequences of its mitigating actions or the functionality of automatic equipment.

At PVNGS the Reactor Vessel Water Level is displayed on QSPDS A and QSPDS B.

6. Containment Sump Water Level (wide range)

Containment Sump Water Level is provided for verification and long term surveillance of RCS integrity.

At PVNGS, Containment Sump Water Level instrumentation consists of the following:

SIA-LT-706
SIB-LT-707

7. Containment Pressure (wide range)

Containment Pressure is provided for verification of RCS and containment OPERABILITY.
At PVNGS, Containment Pressure instrumentation consists of the following:

HCA-PT-353A
HCB-PT-353B

8. Containment Isolation Valve Position

Containment Isolation Valve Position is provided for verification of containment OPERABILITY.

CIV position is provided for verification of containment integrity. In the case of CIV position, the important information is the isolation status of the containment penetration. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active CIV in a containment penetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active CIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the CIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE.

The PVNGS design uses three indications for each valve that receives an automatic close signal from the ESFAS. Each of these indications uses a different contact on the position switch.

One contact provides an open/close indication on the valve control handswitch in the main control room. This indication uses the same Class 1E power that is used by the valve control circuit.
A second contact is used by the Safety Equipment Status System (SESS). This system receives inputs from each valve and the ESFAS system. After an ESFAS actuation any valve that does not reposition to the fully closed position is indicated and annunciated in the main control room. There are two channels of SESS: one channel receives power from the A Train Class 1E DC Bus and indicates the status of the A Train actuated equipment, and one channel receives power from the B Train Class 1E DC Bus and indicates the status of the B Train actuated equipment.

The third contact provides an indication of valve position to the Emergency Response Facility Data Acquisition and Display System (ERFDADS). This signal is Class 1E until it goes through a qualified isolator. The ERFDADS computer and displays are non-Class 1E.

For the purpose of this Specification either the SESS indication or the handswitch indication in the main control room may be used.

For some solenoid operated Containment Isolation Valves, the SESS and ERFDADS indications are not independent. Although the SESS and ERFDADS indications are driven off of separate field contacts, both contacts are not directly actuated based upon valve position, but instead are actuated by a relay in the solenoid's control circuitry. When the valve is taken from the closed seat or if control power is lost, the relay is de-energized and the SESS and ERFDADS field contacts change state to illuminate the SESS status and indicate open on ERFDADS. Therefore, upon a loss of control power, the valve will fail close with the SESS and ERFDADS indicating the valve to be open.
This condition presents a problem when one of the identified solenoid operated valves loses open indication in the control room. In this case, there is no light indication on the control room handswitch, and the SESS status is illuminated (when STATUS DISPLAY is pressed) and ERFDADS indicates the valve is open. So either the open limit reed switch for the solenoid has broken continuity and the valve is open, or the control power has been lost (blown fuse) and the valve is closed.

Given proper control power, the SESS and ERFDADS indication will be correct for the valve's position. Therefore, if it can be verified that control power is present, the SESS indication can be used to verify valve position. To determine the valve position, the operator will need to verify if control power is present at the valve. The solenoid operated Containment Isolation Valves with relay driven SESS and ERFDADS position indication are denoted by an '*' in the following listing.
At PVNGS the Containment Isolation Valve position instrumentation consists of:

CPA-UV-2A Containment Refueling Purge Supply
CPA-UV-2B Containment Refueling Purge Exhaust
CPB-UV-3A Containment Refueling Purge Supply
CPB-UV-3B Containment Refueling Purge Exhaust
CPA-UV-4A Containment Power Access Purge Supply
CPA-UV-4B Containment Power Access Purge Exhaust
CPB-UV-5A Containment Power Access Purge Supply
CPB-UV-5B Containment Power Access Purge Exhaust
CHB-UV-505 RCP Controlled Bleedoff to VCT
CHA-UV-506 RCP Controlled Bleedoff to VCT
CHA-UV-516 Letdown to Regen HX
CHB-UV-523 Letdown from Regen HX
CHA-UV-560 Reactor Drain Tank Outlet
CHB-UV-561 Reactor Drain Tank Outlet
CHA-UV-580 Make-Up Supply to Reactor Drain Tank
CHA-UV-715* Sample Return to Reactor Drain Tank
CHB-UV-924* Letdown Line Sample PASS
GAA-UV-1 HP Nitrogen to Safety Injection Tanks
GAA-UV-2 LP Nitrogen to Containment
GRA-UV-1 Waste Gas Header
GRB-UV-2 Waste Gas Header
HCB-UV-44* Radiation Monitor RU-1 Supply
HCA-UV-45* Radiation Monitor RU-1 Supply
HCA-UV-46* Radiation Monitor RU-1 Return
HCB-UV-47* Radiation Monitor RU-1 Return
HPA-UV-1 Containment Hydrogen Control System
HPB-UV-2 Containment Hydrogen Control System
HPA-UV-3 Hydrogen Recombiner Supply
HPB-UV-4 Hydrogen Recombiner Supply
HPA-UV-5 Hydrogen Recombiner Return
HPB-UV-6 Hydrogen Recombiner Return
HPA-UV-23* Hydrogen Monitor Return
HPA-UV-24* Hydrogen Monitor Supply
IAA-UV-2* Instrument and Service Air
NCB-UV-401 Nuclear Cooling Water
NCA-UV-402 Nuclear Cooling Water
NCB-UV-403 Nuclear Cooling Water
RDA-UV-23 Containment Sumps
RDB-UV-24 Containment Sumps
RDB-UV-407* Containment Radwaste Sumps (Unit 1 Only)
SGB-HV-200 Steam Generator #1 Chemical Injection
SGB-HV-201 Steam Generator #2 Chemical Injection
SIA-UV-708 Containment Recirc Sump PASS
SSB-UV-200 Hot Leg Sample
SSB-UV-201 Surge Line Sample
SSB-UV-202 Pressurizer Steam Space Sample
SSA-UV-203 Hot Leg Sample
SSA-UV-204 Surge Line Sample
SSA-UV-205 Pressurizer Steam Space Sample
WCB-UV-61 Normal Chilled Water Return Header
WCA-UV-62 Normal Chilled Water Return Header
WCB-UV-63 Normal Chilled Water Supply Header

* - Solenoid operated valves with relay driven SESS/ERFDADS indication.

9. Containment Area Radiation (high range)

Containment Area Radiation is provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. The alarm setpoints shall be set within the limits specified in the UFSAR.

At PVNGS, Containment Area Radiation instrumentation consists of the following:

SQA-RU-148
SQB-RU-149

10. Pressurizer Level

Pressurizer Level is used to determine whether to terminate Safety Injection (SI), if still in progress, or to reinitiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the plant conditions necessary to establish natural circulation in the RCS and to verify that the plant is maintained in a safe shutdown condition.

At PVNGS, Pressurizer Level instrumentation consists of the following:

RCA-LT-110X
RCB-LT-110Y

11.
Steam Generator Water Level

Steam Generator Water Level is provided to monitor operation of decay heat removal via the steam generators. The Category I indication of steam generator level is the wide range level instrumentation. The wide range level covers a span of 143 inches above the lower tubesheet to 55.5 inches above the steam separator deck.

Wide Range Steam Generator Level is a Type A variable because the operator must manually control steam generator level during a Steam Generator Tube Rupture (SGTR) event to ensure steam generator tube coverage.

At PVNGS wide range Steam Generator Level Instrumentation consists of:

SGA-LT-1113A
SGB-LT-1113B
SGC-LT-1113C
SGD-LT-1113D
SGA-LT-1123A
SGB-LT-1123B
SGC-LT-1123C
SGD-LT-1123D

12. Condensate Storage Tank (CST) Level

CST Level is provided to ensure water supply for AFW. The CST provides the ensured, safety grade water supply for the AFW System. Inventory is monitored by a 3 ft. to 50 ft. level indication. CST Level is displayed on a control room indicator.

At PVNGS CST Level Instrumentation consists of:

CTA-LT-35
CTB-LT-36

13, 14, 15, 16. Core Exit Temperature

Core Exit Temperature is provided for verification and long term surveillance of core cooling.

An evaluation was made of the minimum number of valid core exit thermocouples necessary for inadequate core cooling detection. The evaluation determined the reduced complement of core exit thermocouples necessary to detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities including incore effects of the radial decay power distribution and excore effects of condensate runback in the hot legs and nonuniform inlet temperatures.
Based on these evaluations, adequate or inadequate core cooling detection is ensured with two valid core exit thermocouples per quadrant.

The design of the Incore Instrumentation System includes a Type K (chromel alumel) thermocouple within each of the 61 incore instrument detector assemblies.

The junction of each thermocouple is located a few inches above the fuel assembly, inside a structure that supports and shields the incore instrument detector assembly string from flow forces in the outlet plenum region. These core exit thermocouples monitor the temperature of the reactor coolant as it exits the fuel assemblies.

The core exit thermocouples have a usable temperature range from 32°F to 2300°F, although accuracy is reduced at temperatures above 1800°F.

17. Steam Generator Pressure

Steam Generator pressure indication is provided for Steam Generator pressure verification.

At PVNGS Steam Generator Pressure Instrumentation consists of:

SGA-PT-1013A
SGB-PT-1013B
SGC-PT-1013C
SGD-PT-1013D
SGA-PT-1023A
SGB-PT-1023B
SGC-PT-1023C
SGD-PT-1023D

18. Reactor Coolant System-Subcooling Margin Monitoring

The RCS Subcooling Margin Monitor is a portion of the Inadequate Core Cooling (ICC) Instrumentation required by Item II.F.2 in NUREG-0737, the post-TMI Action Plan. The ICC instrumentation enhances the ability of the Operator to anticipate the approach to, and recovery from, ICC.
At PVNGS RCS Subcooling Margin Monitoring Instrumentation consists of:

QSPDS A
QSPDS B

Each channel of QSPDS processing equipment will calculate the following saturation margin parameters:

a) RCS Saturation Margin - temperature margin based on the difference between saturation temperature and the maximum RTD temperature taken from the hot and cold legs. This algorithm uses the hottest RCS temperature (Thot or Tcold) and pressurizer pressure (PT-102) to complete the calculation.

b) CET Saturation Margin - temperature margin based on the difference between the saturation temperature and the representative core exit temperature calculated from the CETs. A representative CET value is first calculated (and displayed on the B02 trend recorder) for the input temperature. This is compared to pressurizer pressure (PT-102) to complete the saturation margin calculation. Minimum requirements for CET operability must be met before the CET Saturation Monitor can be considered operable.

c) Upper Head Saturation Margin - temperature margin based on the difference between the saturation temperature and the unheated junction thermocouples (UHJTC) temperature. This algorithm uses the hottest of the three upper unheated thermocouples from RVLMS along with pressurizer pressure (PT-102) to complete the margin calculation.

One OPERABLE Subcooling Margin Monitor Channel consists of one RCS Saturation Margin indicator and one CET Saturation margin indicator. These indicators shall be from the same channel. Additionally, for any CET Saturation monitor indicator to be considered OPERABLE, the CETs for that channel must also be operable.

19.
Reactor Coolant System Activity

The RCS Activity provides an indication of fuel cladding failure. This indicates degradation of the first of three barriers to fission product release to the environment. The three barriers to fission product release are (1) fuel cladding, (2) primary coolant pressure boundary, and (3) containment.

At PVNGS the RCS Activity Instrumentation consists of:

SQA-RU-150
SQB-RU-151

20, 21. HPSI System Flow

HPSI System flow indication is provided for HPSI flow verification.

HPSI System flow is a Type A variable because the operator must manually balance the HPSI flow between the hot and cold legs when switching from cold leg injection to a combined cold/hot leg injection in support of LOCA Long Term Cooling to prevent boron precipitation in stagnant core areas. Monitoring of these instruments is not required for initial operation of HPSI flow.

At PVNGS, HPSI System Cold Leg Flow indication consists of:

J-SIB-FT-0311
J-SIB-FT-0321
J-SIA-FT-0331
J-SIA-FT-0341

At PVNGS, HPSI System Hot Leg Flow indication consists of:

J-SIA-FT-0390
J-SIB-FT-0391

Two channels are required to be OPERABLE for all but one Function. Two OPERABLE channels ensure that no single failure within the PAM instrumentation or its auxiliary supporting features or power sources, concurrent with failures that are a condition of or result from a specific accident, prevents the operators from being presented the information necessary for them to determine the safety status of the plant and to bring the plant to and maintain it in a safe condition following that accident.

In Table 3.3.10-1 the exception to the two channel requirement is Containment Isolation Valve Position.
Two OPERABLE channels of core exit thermocouples are required for each channel in each quadrant to provide indication of radial distribution of the coolant temperature rise across representative regions of the core. Power distribution symmetry was considered in determining the specific number and locations provided for diagnosis of local core problems. Plant specific evaluations in response to Item II.F.2 of NUREG-0737 (Ref. 3) have determined that any two thermocouple pairings per quadrant satisfy these requirements. Two sets of two thermocouples in each quadrant ensure a single failure will not disable the ability to determine the radial temperature gradient.

For loop and steam generator related variables, the required information is individual loop temperature and individual steam generator level. In these cases two channels are required to be OPERABLE for each loop or steam generator to redundantly provide the necessary information.

In the case of Containment Isolation Valve Position, the important information is the status of the containment penetrations. The LCO requires one position indicator for each active containment isolation valve. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of the passive valve or via system boundary status. If a normally active containment isolation valve is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.
APPLICABILITY

The PAM instrumentation LCO is applicable in MODES 1, 2, and 3. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1, 2, and 3. In MODES 4, 5, and 6, plant conditions are such that the likelihood of an event occurring that would require PAM instrumentation is low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.10-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1

When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.
B.1

This Required Action specifies initiation of actions in accordance with Specification 5.6.6, which requires a written report to be submitted to the Nuclear Regulatory Commission. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative Required Actions. This Required Action is appropriate in lieu of a shutdown requirement, given the likelihood of plant conditions that would require information provided by this instrumentation. Also, alternative Required Actions are identified before a loss of functional capability condition occurs.

C.1

When one or more Functions have two required channels inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrumentation operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

D.1

This Required Action directs entry into the appropriate Condition referenced in Table 3.3.10-1. The applicable Condition referenced in the Table is Function dependent.
Each time Required Action C.1 is not met, and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 and E.2

If the Required Action and associated Completion Time of Condition C are not met and Table 3.3.10-1 directs entry into Condition E, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1

Alternate means of monitoring Reactor Vessel Water Level, RCS Activity, and Containment Area Radiation have been developed and tested. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. The report provided to the NRC should discuss whether the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

SURVEILLANCE REQUIREMENTS

A Note at the beginning of the SR table specifies that the following SRs apply to each PAM instrumentation Function found in Table 3.3.10-1.
SR 3.3.10.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
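The comparison described under SR 3.3.10.1, written out as an added example (it is not part of the Bases or of any PVNGS procedure). The 0 to 4000 psig span is the wide range RCS pressure span given above; the 4-20 mA loop, the failed-downscale threshold, the uncertainty figures and the square-root-sum-of-squares combination are assumptions made for illustration, and all readings are constructed.

```python
from dataclasses import dataclass
from math import sqrt

# Assumptions (not from the Bases): a 4-20 mA loop, the thresholds below,
# and square-root-sum-of-squares as the way uncertainties are combined.
LIVE_ZERO_MA = 4.0
FULL_SCALE_MA = 20.0
FAILED_LOW_MA = 3.6   # constructed: below this the loop itself is treated as failed
EDGE_BAND_MA = 0.05   # constructed: within this of either end counts as off scale


@dataclass(frozen=True)
class Channel:
    name: str
    loop_ma: float      # measured loop current
    span_lo: float      # engineering value at 4 mA
    span_hi: float      # engineering value at 20 mA
    uncertainty: float  # instrument uncertainty, engineering units
    readability: float  # indicator readability, engineering units

    def value(self) -> float:
        """Convert loop current to engineering units (linear scaling)."""
        frac = (self.loop_ma - LIVE_ZERO_MA) / (FULL_SCALE_MA - LIVE_ZERO_MA)
        return self.span_lo + frac * (self.span_hi - self.span_lo)

    def state(self) -> str:
        """Separate a live loop at the bottom of its range from a dead one."""
        if self.loop_ma < FAILED_LOW_MA:
            return "FAILED_DOWNSCALE"
        if self.loop_ma <= LIVE_ZERO_MA + EDGE_BAND_MA:
            return "OFF_SCALE_LOW"
        if self.loop_ma >= FULL_SCALE_MA - EDGE_BAND_MA:
            return "OFF_SCALE_HIGH"
        return "ON_SCALE"


def agreement_criterion(a: Channel, b: Channel) -> float:
    """Combine both channels' uncertainty and readability into one limit."""
    terms = (a.uncertainty, a.readability, b.uncertainty, b.readability)
    return sqrt(sum(t * t for t in terms))


def channel_check(a: Channel, b: Channel) -> tuple:
    """Return (verdict, reason) for a two-channel CHANNEL CHECK."""
    # A loop reading below live zero has failed; it is not "reading low".
    for ch in (a, b):
        if ch.state() == "FAILED_DOWNSCALE":
            return "FAIL", f"{ch.name} failed downscale"
    sa, sb = a.state(), b.state()
    # Both off scale: only the direction can be compared.
    if sa != "ON_SCALE" and sb != "ON_SCALE":
        if sa == sb:
            return "PASS", f"both channels {sa}"
        return "FAIL", "channels off scale in opposite directions"
    # Otherwise make the numerical comparison against the agreement criterion.
    deviation = abs(a.value() - b.value())
    limit = agreement_criterion(a, b)
    if deviation <= limit:
        return "PASS", f"deviation {deviation:.1f} within {limit:.1f}"
    return "FAIL", f"deviation {deviation:.1f} exceeds {limit:.1f}"


def pressure_channel(name: str, loop_ma: float) -> Channel:
    """Constructed channel on the 0-4000 psig span with made-up uncertainties."""
    return Channel(name, loop_ma, 0.0, 4000.0, uncertainty=40.0, readability=20.0)


if __name__ == "__main__":
    cases = {
        "normal": (13.0, 13.1),          # 2250 vs 2275 psig
        "drifted": (13.0, 13.6),         # 2250 vs 2400 psig
        "both at bottom": (4.0, 4.02),
        "dead loop": (4.0, 2.0),
    }
    for label, (ma_a, ma_b) in cases.items():
        a, b = pressure_channel("CH-A", ma_a), pressure_channel("CH-B", ma_b)
        print(label, channel_check(a, b))
```

The "dead loop" case is the one the last paragraph of SR 3.3.10.1 guards against: a loop at 2.0 mA and a loop at 4.0 mA both display the bottom of the range, but only one of them is still measuring.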
SR 3.3.10.2

A CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies the channel responds to the measured parameter within the necessary range and accuracy. A Note excludes the neutron detectors from the CHANNEL CALIBRATION.

For the Containment Area Radiation instrumentation, a CHANNEL CALIBRATION as described in UFSAR Sections 18.II.F.1.3 and 11.5.2.1.6.2 will be performed.

The calibration of the Containment Isolation Valve (CIV) position indication channels will consist of verification that the position indication changes from not-closed to closed when the valve is actuated to its isolation position by SR 3.6.3.7. The position switch is the sensor for the CIV position indication channels.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR Section 1.8, Table 1.8-1.
2. Regulatory Guide 1.97, Revision 2.
3. NUREG-0737, Supplement 1.

B 3.3 INSTRUMENTATION

B 3.3.11 Remote Shutdown System

BASES

BACKGROUND

The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator safety valves or the steam generator atmospheric dump valves can be used to remove core decay heat and meet all safety requirements.
The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allow extended operation in MODE 3. In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the unit in MODE 3. Not all controls and necessary transfer switches are located at the remote shutdown panel. Some controls and transfer switches will be operated locally at the switchgear, motor control panels, or other local stations. The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in MODE 3 for an extended period of time. The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to bring the plant to, and maintain it in, MODE 3 should the control room become inaccessible. ______________________________________________________________________________ APPLICABLE The Remote Shutdown System is required to provide equipment SAFETY ANALYSES at appropriate locations outside the control room with a capability to promptly shut down the plant and maintain it in a safe condition in MODE 3. The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in Remote Shutdown System B 3.3.11 BASES _______________________________________________________________________________ (continued) _______________________________________________________________________________ PALO VERDE UNITS 1,2,3 B 3.3.11-2 REVISION 2 APPLICABLE 10 CFR 50, Appendix A, GDC 19 (Ref. 1) and Appendix R SAFETY ANALYSES (Ref. 2).


The Remote Shutdown System has been identified as an important contributor to the reduction of plant accident risk and, therefore, has been retained in the Technical Specifications, as indicated in 10 CFR 50.36 (c)(2)(ii).

LCO

The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation required is listed in Table 3.3.11-1 in the accompanying LCO. The disconnect switches and control circuits are listed in PVNGS controlled documents.

The controls, instrumentation, and transfer switches are those required for: Reactivity Control (initial and long term); RCS Pressure Control; Decay Heat Removal; RCS Inventory Control; and Safety support systems for the above Functions, as well as the essential spray pond system, essential cooling water system, and onsite power including the diesel generators.

A Function of a Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown Functions are OPERABLE. That is, they are able to place the plant in a safe shutdown condition from a location other than the control room. The intent of this Technical Specification is to provide the requirements for the OPERABILITY of the instrumentation and controls necessary to place the plant in safe shutdown from a location other than the control room, not to govern safe shutdown component OPERABILITY or allowed out of service times.
The Remote Shutdown System instrumentation and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instrument and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation.

The allowed out of service time is controlled via the applicable system LCOs or administrative controls established by approved plant procedures. For the purpose of this specification, equipment that is disabled in its safe shutdown condition is considered OPERABLE, however, Technical Specifications need to be reviewed for the applicable system LCO impacts on disabled equipment.

Therefore, LCO 3.3.11 only needs to be entered when the instrumentation and/or control circuit is actually disabled or inoperable such that it can't be used from the RSP or controlled locally. If a control circuit is impacted for the performance of a surveillance test, LCO 3.3.11 need not be entered as long as restoration can reasonably be done within the time frame required to meet Shutdown Cooling entry conditions. However, if a clearance is hung for the performance of maintenance on the equipment/control circuit, then the equipment/control circuit is considered inoperable and LCO 3.3.11 needs to be entered. Additionally, the appropriate system LCO/TLCO also needs to be evaluated to determine if entry is required based on current plant conditions.

Refer to the following examples: (NOTE: Entry into the appropriate system LCO/TLCO also needs to be evaluated to determine if entry is required based on current plant conditions.)

Charging pump CHBP01 has been isolated for pulsation dampener checks.
Entry into 3.3.11 is NOT required because the control circuitry for CHBP01 remains operable.

Charging pump CHBP01 has been declared inoperable because the pump will not respond to the controls located on the switchgear. Entry into 3.3.11 IS required because the control circuitry for CHBP01 does not function properly.

Atmospheric Dump valve SGBHV185 has been isolated via its block valve to snoop for air leakage. Entry into 3.3.11 is NOT required because the control circuitry for SGBHV185 remains operable.

Auxiliary Feedwater pump AFBP01 has been removed from service for maintenance. The supply breaker has been racked out and the control power fuses rolled to off. Entry into 3.3.11 IS required because the control circuitry for AFBP01 has been disabled.

"B" Class pressurizer back-up heaters are de-energized for the performance of 36ST-9SA02. Entry into 3.3.11 is NOT required because the control circuitry for the "B" Class heaters remains operable.

"B" and "D" PK battery chargers are in service. The "BD" swing charger is tagged out for maintenance. Entry into 3.3.11 IS required because the control circuitry for PKB-H16 has been disabled.

APPLICABILITY

The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3. This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the unit is already subcritical and in the condition of reduced RCS energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control become unavailable.
ACTIONS

A Remote Shutdown System division is inoperable when each Function listed in Table 3.3.11-1 is not accomplished by the required number of channels in Table 3.3.11-1 that satisfies the OPERABILITY criteria for the channel's Function. These criteria are outlined in the LCO section of the Bases.

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.11-1. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1

Condition A addresses the situation where one or more instrumentation channels of the Remote Shutdown System are inoperable. This includes any Function listed in Table 3.3.11-1.

The Required Action is to restore the channels to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

B.1 and B.2

Condition B addresses the situation where one or more disconnect or control circuits of the Remote Shutdown System are inoperable. The required disconnect and control circuits are listed in PVNGS controlled documents.

The required Action is to restore the required switch(s)/circuit(s) to OPERABLE status or issue procedure changes that identify alternate disconnect methods or control circuits. The Completion Time for either of the two Actions is 30 days.
C.1 and C.2

If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.11.1

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.

For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior.
Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are offscale in the same direction. Current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.11.2

SR 3.3.11.2 verifies that each required Remote Shutdown System transfer switch and control circuit performs its intended function. The intended functions are:

1) To isolate the circuit from the control room.
2) To provide the capability to operate the equipment from the remote shutdown location.

This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be brought to and maintained in MODE 3 from the remote shutdown panel and the local control stations.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.11.3

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to the measured parameter within the necessary range and accuracy.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 19.
2. 10 CFR 50, Appendix R.
B 3.3 INSTRUMENTATION

B 3.3.12 Boron Dilution Alarm System (BDAS)

BASES

BACKGROUND

The Boron Dilution Alarm System (BDAS) alerts the operator of a boron dilution event in MODES 3, 4, 5 and 6. The boron dilution alarm is received at least 15 minutes prior to criticality in Modes 3-5 and at least 30 minutes prior to criticality in Mode 6 to allow the operator to terminate the boron dilution.

In MODES 1 and 2 protection for a boron dilution event is addressed by LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation-Operating." In MODES 3 and 4 with the CEAs withdrawn, LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation-Shutdown," provides protection.

The BDAS utilizes two channels that monitor the startup channel neutron flux indications. If the neutron flux signals increase to the calculated alarm setpoint a control room annunciation is received. The setpoint is automatically lowered to a fixed amount above the current flux level signal. The alarm setpoint will only follow decreasing or constant flux levels, not increasing levels.

Two channels of BDAS must be OPERABLE to provide single failure protection and to facilitate detection of channel failure by providing CHANNEL CHECK capability.

APPLICABLE SAFETY ANALYSES

The BDAS channels are necessary to monitor core reactivity changes. They are the primary means for detecting and triggering operator actions to respond to boron dilution events initiated from conditions in which the RPS is not required to be OPERABLE.

The OPERABILITY of BDAS channels is necessary to meet the assumptions of the safety analyses to mitigate the consequences of an inadvertent boron dilution event as described in the UFSAR, Chapter 15 (Ref. 1).
The BDAS channels satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO on the BDAS channels ensures that adequate information is available to mitigate the consequences of a boron dilution event. Alarm capability in the "at the controls area" of the Control Room is required for a BDAS channel to be considered operable. Prompt RESET of the alarm is required to maintain operability.

A minimum of two BDAS channels are required to be OPERABLE. Because the BDAS utilizes the excore startup channel instrumentation to provide the neutron flux signal, the ability of the excore startup channel to provide the neutron flux signal is also part of the OPERABILITY of the BDAS. (References B3.9.2, Actions A.1 and A.2.)

APPLICABILITY

The BDAS must be OPERABLE in MODES 3, 4, 5 and 6 because the safety analysis assumes this alarm will be available in these MODES to alert the operator to take action to terminate the boron dilution.

In MODES 1 and 2, and in MODES 3, 4, and 5, with the RTCBs shut and the CEAs capable of withdrawal, the logarithmic power monitoring channels are addressed as part of the RPS in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation - Operating" and LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation-Shutdown".

The requirements for source range neutron flux monitoring in MODE 6 are addressed in LCO 3.9.2, "Nuclear Instrumentation." The excore startup channels provide neutron flux coverage extending an additional one to two decades below the logarithmic channels for use during shutdown and refueling, when neutron flux may be extremely low.
The Applicability is modified by a Note that the BDAS is required in MODE 3 within 1 hour after the neutron flux is within the startup range following a reactor shutdown. This allows the neutron flux level to decay to a level within the range of the excore startup channels and for the operator to initialize the BDAS. Neutron flux is defined to be within the startup range following a reactor shutdown when reactor power is 2E-6% NRTP or less.

ACTIONS

A channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. These criteria are outlined in the LCO section of the Bases.

A.1

With one required channel inoperable, Required Action A.1 requires the RCS boron concentration to be determined immediately and at the applicable monitoring Frequency specified in the COLR. The RCS boron concentration is determined by RCS sampling. The RCS sample should be from the hot leg if one or more Reactor Coolant Pumps (RCPs) are running or from the discharge of the operating pump providing shutdown cooling flow with no RCPs running. The monitoring Frequency specified in the COLR ensures that a decrease in the boron concentration during a boron dilution event will be detected. The boron concentration measurement and the OPERABLE BDAS channel provide alternate methods of detection of boron dilution with sufficient time for termination of the event before the reactor achieves criticality.
B.1

With two required channels inoperable Required Action B.1 requires the RCS boron concentration to be determined by a redundant method immediately and at the monitoring Frequency specified in the COLR. The redundant method uses independent collection and analysis of two RCS samples. The RCS sample should be from the hot leg if one or more Reactor Coolant Pumps (RCPs) are running or from the discharge of the operating pump providing shutdown cooling flow with no RCPs running. The use of independent collection and analysis of two RCS samples to monitor the RCS boron concentration provides alternate indications of inadvertent boron dilution. This will allow detection with sufficient time for termination of boron dilution before the reactor achieves criticality.

C.1

Condition C is entered when the Required Actions and associated Completion Times of Condition A or B are not met. If the Required Actions associated with these Conditions cannot be completed within the required Completion Time, the neutron flux level monitoring function cannot be reliably performed. The absence of reliable neutron flux level monitoring makes it difficult to ensure SDM is maintained. Required Action C.1 therefore requires that all positive reactivity additions that are under operation control, such as boron dilution or Reactor Coolant System temperature changes, be halted immediately preserving SDM.
SURVEILLANCE REQUIREMENTS

SR 3.3.12.1

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based upon the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff and should be based on a combination of the channel instrument uncertainties. If a channel is outside of the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside of its limits. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

For clarification, a CHANNEL CHECK is a qualitative assessment of an instrument's behavior. Where possible, a numerical comparison between like instrument channels should be included but is not required for an acceptable CHANNEL CHECK performance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the CHANNEL CHECK is not required to be performed until 1 hour after neutron flux is within the startup range. Neutron flux is defined to be within the startup range following a reactor shutdown when reactor power is 2E-6% NRTP or less.
SR 3.3.12.2

A CHANNEL FUNCTIONAL TEST is performed to ensure that the BDAS is capable of properly alerting the operator to a boron dilution event. Internal excore startup channel test circuitry is used to feed preadjusted test signals into the excore startup channel to verify the proper neutron flux indication is received at the BDAS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 72 hours after neutron flux is within the startup range. The 72 hours is based on allowing a reasonable time to perform the testing following a plant shutdown. Neutron flux is defined to be within the startup range following a reactor shutdown when reactor power is 2E-6% NRTP or less.

The CHANNEL FUNCTIONAL TEST of the BDAS consists of online tests including verification of the control room alarm.

SR 3.3.12.3

SR 3.3.12.3 is the performance of a CHANNEL CALIBRATION. The Surveillance is a complete check and readjustment of the excore startup channel from the input through to the BDAS. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational.

This SR is modified by a Note to indicate that it is not necessary to test the detector, because generating a meaningful test signal is difficult; the detectors are of simple construction, and any failures in the detectors will be apparent as a change in channel output.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
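The tracking alarm setpoint described in the BDAS Background, and the reason two channels plus a CHANNEL CHECK are required, shown as an added illustration that is not part of the PVNGS Bases or of any plant software. The additive margin, the flux values, the agreement criterion, the latching behavior and every name in the code are assumptions made for the example; the Bases give none of these.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class TrackingAlarm:
    """One alarm channel whose setpoint sits a fixed margin above the flux signal."""
    margin: float                     # assumed offset, same units as the flux signal
    follow_increases: bool = False    # False = behavior described in the Bases
    setpoint: Optional[float] = None
    alarmed: bool = False

    def initialize(self, flux: float) -> None:
        """Operator initialization: place the setpoint above the present flux."""
        self.setpoint = flux + self.margin
        self.alarmed = False

    def update(self, flux: float) -> bool:
        """Process one flux sample and return True if the alarm is in."""
        if self.setpoint is None:
            raise RuntimeError("channel has not been initialized")
        if flux >= self.setpoint:
            self.alarmed = True       # assumed to latch until reset
            return True
        candidate = flux + self.margin
        # The setpoint may move down with falling flux but never back up,
        # unless the deliberately wrong follow_increases variant is selected.
        if self.follow_increases or candidate < self.setpoint:
            self.setpoint = candidate
        return self.alarmed


def first_alarm_index(trace: Sequence[float], margin: float,
                      follow_increases: bool = False) -> Optional[int]:
    """Index of the first sample that brings in the alarm, or None."""
    channel = TrackingAlarm(margin, follow_increases)
    channel.initialize(trace[0])
    for i, flux in enumerate(trace[1:], start=1):
        if channel.update(flux):
            return i
    return None


def first_channel_check_failure(a: Sequence[float], b: Sequence[float],
                                agreement: float) -> Optional[int]:
    """Index of the first sample where two channels disagree by more than
    the agreement criterion (a numerical form of the CHANNEL CHECK)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if abs(x - y) > agreement:
            return i
    return None


# Constructed sample data in arbitrary flux units: decay after shutdown,
# a steady period, then a slow rise such as a gradual dilution would cause.
DILUTION_TRACE = [100, 80, 60, 50, 50, 52, 55, 58, 62, 66, 70]
# Constructed second channel that sticks at its last steady reading.
STUCK_TRACE = [100, 80, 60, 50, 50, 50, 50, 50, 50, 50, 50]
MARGIN = 15       # assumed
AGREEMENT = 10    # assumed

if __name__ == "__main__":
    print("ratcheting setpoint alarms at sample",
          first_alarm_index(DILUTION_TRACE, MARGIN))
    print("setpoint that follows increases alarms at sample",
          first_alarm_index(DILUTION_TRACE, MARGIN, follow_increases=True))
    print("stuck channel alarms at sample",
          first_alarm_index(STUCK_TRACE, MARGIN))
    print("channel check fails at sample",
          first_channel_check_failure(DILUTION_TRACE, STUCK_TRACE, AGREEMENT))
```

A setpoint that followed rising flux would stay ahead of a slow increase and never alarm, which is why the setpoint only tracks downward. The stuck channel never alarms on its own, and it is the comparison with the second channel that exposes it.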
REFERENCES

1. UFSAR, Chapter 7 and Chapter 15.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits

BASES

BACKGROUND

These Bases address requirements for maintaining RCS pressure, temperature, and flow rate within limits assumed in the safety analyses. The safety analyses (Ref. 1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the normal steady state envelope. The limits placed on DNB related parameters ensure that these parameters will not be less conservative than were assumed in the analyses and thereby provide assurance that the minimum Departure from Nucleate Boiling Ratio (DNBR) will meet the required criteria for each of the transients analyzed.

The LCO limits for minimum and maximum RCS pressures as measured at the pressurizer are consistent with operation within the nominal operating envelope and are bounded by those used as the initial pressures in the analyses.

The LCO limit for minimum and maximum RCS cold leg temperatures are in accordance with the area of acceptable operation shown in Figure 3.4.1-1, are consistent with operation at the indicated power level, and are bounded by those used as the initial temperatures in the analyses.

The LCO limit for minimum RCS flow rate is bounded by those used as the initial flow rates in the analyses. The RCS flow rate is not expected to vary during plant operation with all pumps running.

APPLICABLE SAFETY ANALYSES

The requirements of LCO 3.4.1 represent the initial conditions for DNB limited transients analyzed in the safety analyses (Ref. 1).
The safety analyses have shown that transients initiated from the limits of this LCO will meet the DNBR criterion of greater than or equal to the DNBR Safety Limit. This is the acceptance limit for the RCS DNB parameters. Changes to the facility that could impact these parameters must be assessed for their impact on the DNBR criterion.

The transients analyzed for include loss of coolant flow events and dropped or stuck Control Element Assembly (CEA) events. A key assumption for the analysis of these events is that the core power distribution is within the limits of LCO 3.1.7, "Regulating CEA Insertion Limits"; LCO 3.1.8, "Part Strength CEA Insertion Limits"; LCO 3.2.3, "AZIMUTHAL POWER TILT (Tq)"; and LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)."

The RCS DNB limits satisfy Criterion 2 of 10 CFR 50.56(c)(2)(ii).

LCO

This LCO specifies limits on the monitored process variables - RCS pressurizer pressure, RCS cold leg temperature, and RCS total flow rate - to ensure that the core operates within the limits assumed for the plant safety analyses. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.

The LCO numerical value for minimum flow rate is given for the measurement location but has not been adjusted for instrument error. Plant specific limits of instrument error are established by the plant staff to meet the operational requirements of minimum flow rate.

APPLICABILITY

In MODE 1 for RCS flow rate, MODES 1 and 2 for RCS pressurizer pressure, Mode 1 for RCS cold leg temperature, and MODE 2 with Keff 1 for RCS cold leg temperature, the limits must be maintained during steady state operation in order to ensure that DNBR criteria will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. In all other MODES, the power level is low enough so that DNBR is not a concern.

A Note has been added to indicate the limit on pressurizer pressure may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP. These conditions represent short term perturbations where actions to control pressure variations might be counterproductive. Also, DNBR margin exists to offset the temporary pressure variations.

Another set of limits on DNB related parameters is provided in Safety Limit (SL) 2.1.1, "Reactor Core Safety Limits." Those limits are less restrictive than the limits of this LCO, but violation of SLs merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator should check whether or not an SL may have been exceeded.

ACTIONS

A.1

RCS flow rate is not a controllable parameter and is not expected to vary during steady state operation. If the flow rate is not within the LCO limit, then power must be reduced, as required by Required Action B.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds.

The 2 hour Completion Time for restoration of RCS flow rate provides sufficient time to determine the cause of the off normal condition, and to restore the readings within limits. The Completion Time is based on plant operating experience.

B.1

If Required Action A.1 is not met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours.
In MODE 2, the reduced power condition eliminates the potential for violation of the accident analysis bounds. Six hours is a reasonable time that permits the plant power to be reduced at an orderly rate in conjunction with even control of Steam Generator (SG) heat removal.

C.1

Pressurizer pressure and cold leg temperature are controllable and measurable parameter(s). If a parameter is not within the LCO limits, action must be taken to restore the parameter.

The 2 hour Completion Time is based on plant operating experience that shows that these parameter(s) can be restored in this time period.

D.1

If Required Action C.1 is not met within the associated Completion Time, place the plant in MODE 3. In MODE 3 the potential for violation of the DNB limits is greatly reduced.

The 6 hour Completion Time is a reasonable time that permits power reduction at an orderly rate in conjunction with even control of SG heat removal.

SURVEILLANCE REQUIREMENTS

SR 3.4.1.1

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.2

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.3

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that only requires performance of this SR in MODE 1. The Note is necessary to allow measurement of RCS flow rate at normal operating conditions at power with all RCPs running.
REFERENCES

1. UFSAR, Section 15.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.2 RCS Minimum Temperature for Criticality

BASES

BACKGROUND

Establishing the value for the minimum temperature for reactor criticality is based upon considerations for:

a. Operation within the existing instrumentation ranges and accuracies;
b. Operation within the bounds of the existing accident analyses; and
c. Operation with the reactor vessel above its minimum nil ductility reference temperature when the reactor is critical.

The reactor coolant moderator temperature coefficient used in core operating and accident analysis is typically defined for the normal operating temperature range (550°F to 611°F). Nominal Tcold for making the reactor critical is 565°F. Safety and operating analyses for lower temperature have not been made.

APPLICABLE SAFETY ANALYSES

There are no accident analyses that dictate the minimum temperature for criticality. The RCS minimum temperature for criticality satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

The purpose of the LCO is to prevent criticality below the minimum normal operating temperature (550°F) and to prevent operation in an unanalyzed condition. The LCO is only applicable in MODES 1 and 2 with Keff 1.0 and provides a reasonable distance to the limit of 545°F. This allows adequate time to trend its approach and take corrective actions prior to exceeding the limit.
APPLICABILITY
The reactor has been designed and analyzed to be critical in MODES 1 and 2 only and in accordance with this specification. Criticality is not permitted in any other MODE. Therefore, this LCO is applicable in MODE 1, and MODE 2 when Keff 1.0. Monitoring is required at or below a Tcold of 550°F. The no load temperature of 565°F is maintained by the Steam Bypass Control System.

ACTIONS

A.1
If Tcold is below 545°F, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 30 minutes. Rapid reactor shutdown can be readily and practically achieved within a 30 minute period. The allowed time reflects the ability to perform this action and to maintain the plant within the analyzed range.

SURVEILLANCE REQUIREMENTS

SR 3.4.2.1
Tcold is required to be verified 545°F after any RCS loop Tcold < 550°F. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A Note states the Surveillance is required whenever the reactor is critical and temperature is below 550°F. A second Frequency requires Tcold to be verified within 30 minutes of reaching criticality. This will require repeated performance of SR 3.4.2.1 since a reactor startup takes longer than 30 minutes. The 30 minute time period is frequent enough to prevent inadvertent violation of the LCO.

REFERENCES
1. UFSAR, Section 15.
B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.3 RCS Pressure and Temperature (P/T) Limits
BASES

BACKGROUND
All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.

The Pressure and Temperature Limits Report (PTLR) contains P/T limit curves for heatup, cooldown, and inservice leak and hydrostatic (ISLH) testing, and data for the maximum rate of change of reactor coolant temperature (Ref. 1). Each P/T limit curve defines an acceptable region for normal operation. The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the Reactor Coolant Pressure Boundary (RCPB). The vessel is the component most subject to brittle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to the pressurizer, which has different design characteristics and operating functions.

10 CFR 50, Appendix G (Ref. 2), requires the establishment of P/T limits for material fracture toughness requirements of the RCPB materials. Reference 2 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the ASME Code, Section III, Appendix G (Ref. 3).
The actual shift in the RTNDT of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 4) and Appendix H of 10 CFR 50 (Ref. 5). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Reference 3.

The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.

The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls.

The criticality limit includes the Reference 2 requirement that the limit be no less than 40°F above the heatup curve or the cooldown curve and not less than the minimum permissible temperature for inservice leak and hydrostatic (ISLH) testing. However, the criticality limit is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for Criticality."
The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components. The ASME Code, Section XI, Appendix E (Ref. 6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.

APPLICABLE SAFETY ANALYSES
The P/T limits are not derived from Design Basis Accident (DBA) Analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. Since the P/T limits are not derived from any DBA, there are no acceptance limits related to the P/T limits. Rather, the P/T limits are acceptance limits themselves since they preclude operation in an unanalyzed condition.

The RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO
The two elements of this LCO are:
a. The limit curves for heatup, cooldown, and ISLH testing; and
b. Limits on the rate of change of temperature.

The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.
The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and ISLH testing P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.

Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follows:
a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;
b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and
c. The existences, sizes, and orientations of flaws in the vessel material.

APPLICABILITY
The RCS P/T limits Specification provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 3). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or ISLH testing, their Applicability is at all times, except when reactor vessel head is fully detensioned such that the RCS cannot be pressurized, in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.

During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these P/T limits.
LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits"; LCO 3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit 2.1, "Safety Limits," also provide operational restrictions for pressure and temperature and maximum pressure. Furthermore, MODES 1 and 2 are above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.

The actions of this LCO consider the premise that a violation of the limits occurred during normal plant maneuvering. Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from emergency operating procedures.

ACTIONS

A.1 and A.2
Operation outside the P/T limits must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.

ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

The 72 hour Completion Time is reasonable to accomplish the evaluation.
The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate.

Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

B.1 and B.2
If a Required Action and associated Completion Time of Condition A are not met, the plant must be placed in a lower MODE because:
a. The RCS remained in an unacceptable P/T region for an extended period of increased stress; or
b. A sufficiently severe event caused entry into an unacceptable region.

Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased.

Pressure and temperature are reduced by placing the plant in MODE 3 within 6 hours and in MODE 5 with RCS pressure < 500 psia within 36 hours. The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2
The actions of this LCO, anytime other than in MODE 1, 2, 3, or 4, consider the premise that a violation of the limits occurred during normal plant maneuvering.
Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from emergency operating procedures. Operation outside the P/T limits must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.

The Completion Time of "immediately" reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in a short period of time in a controlled manner.

Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.

ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

The Completion Time of prior to entering MODE 4 forces the evaluation prior to entering a MODE where temperature and pressure can be significantly increased. The evaluation for a mild violation is possible within several days, but more severe violations may require special, event specific stress analyses or inspections.

Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits.
Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

SURVEILLANCE REQUIREMENTS

SR 3.4.3.1
Verification that operation is within the PTLR limits is required when RCS pressure and temperature conditions are undergoing planned changes. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.

This SR is modified by a Note that requires this SR be performed only during RCS system heatup, cooldown, and ISLH testing. No SR is given for criticality operations because LCO 3.4.2 contains a more restrictive requirement.

REFERENCES
1. TRM Appendix TA, Reactor Coolant System Pressure and Temperature Limits Report (PTLR) (limits determined using methods described in Topical Report CE NPSD-683-A, Revision 6, Development of a RCS Pressure and Temperature Limits Report for the Removal of P-T Limits and LTOP Requirements from the Technical Specifications, April 2001).
2. 10 CFR 50, Appendix G.
3. ASME, Boiler and Pressure Vessel Code, Section III, Appendix G.
4. ASTM E 185-82, July 1982.
5. 10 CFR 50, Appendix H.
6. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix E.
B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.4 RCS Loops - MODES 1 and 2
BASES

BACKGROUND
The primary function of the RCS is removal of the heat generated in the fuel due to the fission process and transfer of this heat, via the steam generators (SGs), to the secondary plant.

The secondary functions of the RCS include:
a. Moderating the neutron energy level to the thermal state, to increase the probability of fission;
b. Improving the neutron economy by acting as a reflector;
c. Carrying the soluble neutron poison, boric acid;
d. Providing a second barrier against fission product release to the environment; and
e. Removing the heat generated in the fuel due to fission product decay following a unit shutdown.

The RCS configuration for heat transport uses two RCS loops. Each RCS loop contains a SG and two Reactor Coolant Pumps (RCPs). An RCP is located in each of the two SG cold legs. The pump flow rate has been sized to provide core heat removal with appropriate margin to Departure from Nucleate Boiling (DNB) during power operation and for anticipated transients originating from power operation. This Specification requires two RCS loops with both RCPs in operation in each loop. The intent of the Specification is to require core heat removal with forced flow during power operation. Specifying two RCS loops provides the minimum necessary paths (two SGs) for heat removal.

APPLICABLE SAFETY ANALYSES
Safety analyses contain various assumptions for the Design Bases Accident (DBA) initial conditions including RCS pressure, RCS temperature, reactor power level, core parameters, and safety system setpoints.
The important aspect for this LCO is the reactor coolant forced flow rate, which is represented by the number of RCS loops in service.

The reactor coolant pumps provide sufficient forced circulation flow through the reactor coolant system to assure adequate heat removal from the reactor core during power operation. The plant is designed to operate with both reactor coolant loops and associated reactor coolant pumps in operation, and maintain a departure from nucleate boiling ratio (DNBR) above the DNBR Safety Limit during all normal operations and anticipated transients. The safety analyses that are of most importance to RCP operation are the total loss of reactor coolant flow, single pump locked rotor, single pump (broken shaft or coastdown), and rod withdrawal events (Ref. 1).

RCS Loops - MODES 1 and 2 satisfy Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii).

LCO
The purpose of this LCO is to require adequate forced flow for core heat removal. Flow is represented by having both RCS loops with both RCPs in each loop in operation for removal of heat by the two SGs. To meet safety analysis acceptance criteria for DNB, four pumps are required at rated power.

Each OPERABLE loop consists of two RCPs providing forced flow for heat transport to an SG that is OPERABLE. SG, and hence RCS loop, OPERABILITY with regard to SG water level is ensured by the Reactor Protective System (RPS) in MODES 1 and 2.

APPLICABILITY
In MODES 1 and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in operation in these MODES to prevent DNB and core damage.

The decay heat production rate is much lower than the full power heat rate.
As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical MODES as indicated by the LCOs for MODES 3, 4, 5, and 6.

Operation in other MODES is covered by:
LCO 3.4.5, "RCS Loops MODE 3";
LCO 3.4.6, "RCS Loops MODE 4";
LCO 3.4.7, "RCS Loops MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops MODE 5, Loops Not Filled";
LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and
LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).

ACTIONS

A.1
If the requirements of the LCO are not met, the Required Action is to reduce power and bring the plant to MODE 3. This lowers power level and thus reduces the core heat removal needs and minimizes the possibility of violating DNB limits. It should be noted that the reactor will trip and place the plant in MODE 3 as soon as the RPS senses less than four RCPs operating.

The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging safety systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.4.1
This SR requires verification that the required number of RCS loops are in operation and circulating reactor coolant. Verification includes flow rate, temperature, or pump status monitoring, which help to ensure that forced flow is providing heat removal while maintaining the margin to DNB. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. UFSAR, Section 15.
B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.5 RCS Loops MODE 3
BASES

BACKGROUND
The primary function of the reactor coolant in MODE 3 is removal of decay heat and transfer of this heat, via the Steam Generators (SGs), to the secondary plant fluid. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

In MODE 3, Reactor Coolant Pumps (RCPs) are used to provide forced circulation heat removal during heatup and cooldown. The MODE 3 decay heat removal requirements are low enough that a single RCS loop with one RCP is sufficient to remove core decay heat. However, two RCS loops are required to be OPERABLE to provide redundant paths for decay heat removal. Only one RCP needs to be OPERABLE to declare the associated RCS loop OPERABLE.

Reactor coolant natural circulation is not normally used but is sufficient for core cooling. However, natural circulation does not provide turbulent flow conditions. Therefore, boron reduction in natural circulation is prohibited because mixing to obtain a homogeneous concentration in all portions of the RCS cannot be ensured.

APPLICABLE SAFETY ANALYSES
Analyses have shown that the rod withdrawal event from MODE 3 with one RCS loop in operation is bounded by the rod withdrawal initiated from MODE 2.

Failure to provide heat removal may result in challenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

RCS Loops MODE 3 satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
The purpose of this LCO is to require two RCS loops to be available for heat removal, thus providing redundancy. The LCO requires the two loops to be OPERABLE with the intent of requiring both SGs to be capable ( 25% wide range water level) of transferring heat from the reactor coolant at a controlled rate. Forced reactor coolant flow is the required way to transport heat, although natural circulation flow provides adequate removal. A minimum of one running RCP meets the LCO requirement for one loop in operation.

The Note permits a limited period of operation without RCPs. All RCPs may be de-energized for 1 hour per 8 hour period. This means that natural circulation has been established. When in natural circulation, a reduction in boron concentration is prohibited because an even concentration distribution throughout the RCS cannot be ensured. The intent is to stop any known or direct positive reactivity additions to the RCS due to dilution. Core outlet temperature is to be maintained at least 10°F below the saturation temperature so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized. The instrument error associated with determining this difference is 27 degrees F. (The only restriction for instrumentation use is with pressurizer pressure less than or equal to 350 psia, and in that situation the narrow range pressurizer pressure instrumentation must be used.)
Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 37 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized.

In MODE 3 it is sometimes necessary to stop all RCPs (e.g., to perform surveillance or startup testing, or to avoid operation below the RCP minimum net positive suction head limit). The time period is acceptable because natural circulation is adequate for heat removal, or the reactor coolant temperature can be maintained subcooled and boron stratification affecting reactivity control is not expected.

An OPERABLE RCS loop (loop 1 or loop 2) consists of at least one associated OPERABLE RCP and an associated SG that is OPERABLE. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.

APPLICABILITY
In MODE 3, the heat load is lower than at power; therefore, one RCS loop in operation is adequate for transport and heat removal. A second RCS loop is required to be OPERABLE but not in operation for redundant heat removal capability.

Operation in other MODES is covered by:
LCO 3.4.4, "RCS Loops - MODES 1 and 2";
LCO 3.4.6, "RCS Loops MODE 4";
LCO 3.4.7, "RCS Loops MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops MODE 5, Loops Not Filled";
LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and
LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).
ACTIONS

A.1
If one required RCS loop is inoperable, redundancy for forced flow heat removal is lost. The Required Action is restoration of the required RCS loop to OPERABLE status within a Completion Time of 72 hours. This time allowance is a justified period to be without the redundant, nonoperating loop because a single loop in operation has a heat transfer capability greater than that needed to remove the decay heat produced in the reactor core.

B.1
If restoration is not possible within 72 hours, the unit must be placed in MODE 4 within 12 hours. In MODE 4, the plant may be placed on the SDC System. The Completion Time of 12 hours is compatible with required operation to achieve cooldown and depressurization from the existing plant conditions in an orderly manner and without challenging plant systems.

C.1 and C.2
If no RCS loop is OPERABLE or in operation, all operations involving a reduction of RCS boron concentration must be immediately suspended. This is necessary because boron dilution requires forced circulation for proper homogenization. Action to restore one RCS loop to OPERABLE status and operation shall be initiated immediately and continued until one RCS loop is restored to OPERABLE status and operation. The immediate Completion Times reflect the importance of maintaining operation for decay heat removal.

SURVEILLANCE REQUIREMENTS

SR 3.4.5.1
This SR requires verification that the required number of RCS loops are in operation and circulating Reactor Coolant.
Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.5.2
This SR requires verification that the secondary side water level in each SG is 25% wide range. An adequate SG water level is required in order to have a heat sink for removal of the core decay heat from the reactor coolant. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.5.3
Verification that the required number of RCPs are OPERABLE ensures that the single failure criterion is met and that an additional RCS loop can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to the required RCPs. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
PVNGS Calculation 13-JC-SH-0200, Section 2.9

B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.6 RCS Loops MODE 4
BASES

BACKGROUND
In MODE 4, the primary function of the reactor coolant is the removal of decay heat and transfer of this heat to the Steam Generators (SGs) or Shutdown Cooling (SDC) heat exchangers. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

In MODE 4, either Reactor Coolant Pumps (RCPs) or SDC trains can be used for coolant circulation.
The intent of this LCO is to provide forced flow from at least one RCP or one SDC train for decay heat removal and transport. The flow provided by one RCP loop or SDC train is adequate for heat removal. The other intent of this LCO is to require that two paths be available to provide redundancy for heat removal.

APPLICABLE SAFETY ANALYSES

In MODE 4, RCS circulation is considered in the determination of the time available for mitigation of the accidental boron dilution event. The RCS loops and SDC trains provide this circulation. RCS Loops MODE 4 have been identified in 10 CFR 50.36 (c)(2)(ii) as important contributors to risk reduction.

LCO

The purpose of this LCO is to require that at least two loops or trains, RCS or SDC, be OPERABLE in MODE 4 and one of these loops or trains be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS and SDC System loops. Any one loop or train in operation provides enough flow to remove the decay heat from the core with forced circulation. An additional loop or train is required to be OPERABLE to provide redundancy for heat removal.

Note 1 permits all RCPs and SDC pumps to be de-energized 1 hour per 8 hour period. This means that natural circulation should be established, after the operating RCP or SDC pump is secured, using the SGs. Depending on decay heat and current RCS temperature, it may be difficult to establish verifiable natural circulation.
The Note prohibits boron dilution when forced flow is stopped because an even concentration distribution cannot be ensured. The intent is to stop any known or direct positive reactivity additions to the RCS due to dilution. Core outlet temperature is to be maintained at least 10°F below saturation temperature so that no vapor bubble may form and possibly cause a natural circulation flow obstruction. The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized. The instrument error associated with determining this difference is 62 degrees F. (The only restriction for instrumentation use is with pressurizer pressure less than or equal to 350 psia, and in that situation the narrow range pressurizer pressure instrumentation must be used.) Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 72 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized.

The response of the RCS without the RCPs or SDC pumps depends on the core decay heat load and the length of time that the pumps are stopped. As decay heat diminishes, the effects on RCS temperature and pressure diminish. Without cooling by forced flow, higher heat loads will cause the reactor coolant temperature and pressure to increase at a rate proportional to the decay heat load. Because pressure can increase, the applicable system pressure limits (Pressure and Temperature (P/T) limits or Low Temperature Overpressure Protection (LTOP) limits) must be observed and forced SDC flow or heat removal via the SGs must be re-established prior to reaching the pressure limit. The circumstances for stopping both RCPs or SDC pumps are to be limited to situations where:

a. Pressure and temperature increases can be maintained well within the allowable pressure (P/T limits and LTOP) and 10°F subcooling limits; or

b. An alternate heat removal path through the SGs is in operation.

Note 2 requires that secondary side water temperature in each SG is < 100°F above each of the RCS cold leg temperatures before an RCP may be started with any RCS cold leg temperature less than or equal to the LTOP enable temperature specified in the PTLR. Satisfying the above condition will preclude a large pressure surge in the RCS when the RCP is started.

Note 3 restricts RCP operation to no more than 2 RCPs with RCS cold leg temperature ≤ 200°F, and no more than 3 RCPs with RCS cold leg temperature > 200°F but ≤ 500°F. Satisfying these conditions will maintain the analysis assumptions of the flow induced pressure correction factors due to RCP operation (Ref. 1).

An OPERABLE RCS loop consists of at least one OPERABLE RCP and an SG that is OPERABLE and has the minimum water level specified in SR 3.4.6.2. Similarly, for the SDC System, an OPERABLE SDC train is composed of an OPERABLE SDC pump (LPSI) capable of providing flow to the SDC heat exchanger for heat removal. RCPs and SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required.

APPLICABILITY

In MODE 4, this LCO applies because it is possible to remove core decay heat and to provide proper boron mixing with either the RCS loops and SGs or the SDC System.
Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops - MODES 1 and 2";
LCO 3.4.5, "RCS Loops - MODE 3";
LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled";
LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and
LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).

ACTIONS

A.1

If only one required RCS loop is OPERABLE and in operation, redundancy for heat removal is lost. Action must be initiated immediately to restore a second loop to OPERABLE status. The immediate Completion Time reflects the importance of maintaining the availability of two paths for decay heat removal.

B.1

If only one required SDC train is OPERABLE and in operation, redundancy for heat removal is lost. The plant must be placed in MODE 5 within the next 24 hours. Placing the plant in MODE 5 is a conservative action with regard to decay heat removal. With only one SDC train OPERABLE, redundancy for decay heat removal is lost and, in the event of a loss of the remaining SDC train, it would be safer to initiate that loss from MODE 5 (≤ 210°F) rather than MODE 4 (210°F to 350°F). The Completion Time of 24 hours is reasonable, based on operating experience, to reach MODE 5 from MODE 4, with only one SDC train operating, in an orderly manner and without challenging plant systems.

C.1 and C.2

If no RCS loops or SDC trains are OPERABLE, or in operation, all operations involving reduction of RCS boron concentration must be suspended and action to restore one RCS loop or SDC train to OPERABLE status and operation must be initiated.
Boron dilution requires forced circulation for proper mixing, and the margin to criticality must not be reduced in this type of operation. The immediate Completion Times reflect the importance of decay heat removal. The action to restore must continue until one loop or train is restored to operation.

SURVEILLANCE REQUIREMENTS

SR 3.4.6.1

This SR requires verification that one required loop or train is in operation and circulating reactor coolant at a flow rate of greater than or equal to 4000 gpm. This ensures forced flow is providing heat removal. Verification includes flow rate, temperature, or pump status monitoring. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.6.2

This SR requires verification of secondary side water level in the required SG(s) ≥ 25% wide range. An adequate SG water level is required in order to have a heat sink for removal of the core decay heat from the reactor coolant. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.6.3

Verification that the required pump is OPERABLE ensures that an additional RCS loop or SDC train can be placed in operation, if needed to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pumps. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. PVNGS Operating License Amendments 52, 38 and 24 for Units 1, 2 and 3, respectively, and associated NRC Safety Evaluation dated July 25, 1990.
2. Not used.
3. PVNGS Calculation 13-JC-SH-0200, Section 2.9.
B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.7 RCS Loops - MODE 5, Loops Filled

BASES

BACKGROUND

In MODE 5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer of this heat either to the Steam Generator (SG) secondary side coolant or the essential cooling water via the Shutdown Cooling (SDC) heat exchangers. While the principal means for decay heat removal is via the SDC System, the SGs are specified as a backup means for redundancy. Even though the SGs cannot produce steam in this MODE, they are capable of being a heat sink due to their large contained volume of secondary side water. As long as the SG secondary side water is at a lower temperature than the reactor coolant, heat transfer will occur. The rate of heat transfer is directly proportional to the temperature difference. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

In MODE 5 with RCS loops filled, the SDC trains are the principal means for decay heat removal. The number of trains in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least one SDC train for decay heat removal and transport. The flow provided by one SDC train is adequate for decay heat removal. The other intent of this LCO is to require that a second path be available to provide redundancy for decay heat removal.

The LCO provides for redundant paths of decay heat removal capability. The first path can be an SDC train that must be OPERABLE and in operation. The second path can be another OPERABLE SDC train, or through the SGs, each having an adequate water level.
APPLICABLE SAFETY ANALYSES

In MODE 5, RCS circulation is considered in the determination of the time available for mitigation of the accidental boron dilution event. The SDC trains provide this circulation.

RCS Loops MODE 5 (Loops Filled) have been identified in 10 CFR 50.36 (c)(2)(ii) as important contributors to risk reduction.

LCO

The purpose of this LCO is to require at least one of the SDC trains be OPERABLE and in operation with an additional SDC train OPERABLE or secondary side water level of each SG shall be ≥ 25% wide range level. One SDC train provides sufficient forced circulation to perform the safety functions of the reactor coolant under these conditions. The second SDC train is normally maintained OPERABLE as a backup to the operating SDC train to provide redundant paths for decay heat removal. However, if the standby SDC train is not OPERABLE, a sufficient alternate method to provide redundant paths for decay heat removal is two SGs with their secondary side water levels ≥ 25% wide range. Should the operating SDC train fail, the SGs could be used to remove the decay heat.

Note 1 permits all SDC pumps to be de-energized 1 hour per 8 hour period. The circumstances for stopping both SDC trains are to be limited to situations where pressure and temperature increases can be maintained well within the allowable pressure (pressure and temperature and low temperature overpressure protection) and 10°F subcooling limits, or an alternate heat removal path through the SG(s) is in operation.
This LCO is modified by a Note that prohibits boron dilution when SDC forced flow is stopped because an even concentration distribution cannot be ensured. The intent is to stop any known or direct positive reactivity changes to the RCS due to dilution. Core outlet temperature is to be maintained at least 10°F below saturation temperature, so that no vapor bubble would form and possibly cause a natural circulation flow obstruction. The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized. The instrument error associated with determining this difference is 10 degrees F. (There are no special restrictions for instrumentation use.) Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 20 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized. In this MODE, the SG(s) can be used as the backup for SDC heat removal. To ensure their availability, the RCS loop flow path is to be maintained with subcooled liquid.

In MODE 5, it is sometimes necessary to stop all RCP or SDC forced circulation. This is permitted to change operation from one SDC train to the other, perform surveillance or startup testing, perform the transition to and from the SDC, or to avoid operation below the RCP minimum net positive suction head limit.
The time period is acceptable because natural circulation is acceptable for decay heat removal, the reactor coolant temperature can be maintained subcooled, and boron stratification affecting reactivity control is not expected.

Note 2 allows one SDC train to be inoperable for a period of up to 2 hours provided that the other SDC train is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable train during the only time when such testing is safe and possible.

Note 3 requires that secondary side water temperature in each SG is < 100°F above each of the RCS cold leg temperatures before an RCP may be started with any RCS cold leg temperature less than or equal to the LTOP enable temperature specified in the PTLR. Satisfying the above condition will preclude a low temperature overpressure event due to a thermal transient when the RCP is started.

Note 4 restricts RCP operation to no more than 2 RCPs with RCS cold leg temperature ≤ 200°F, and no more than 3 RCPs with RCS cold leg temperature > 200°F but ≤ 500°F. Satisfying these conditions will maintain the analysis assumptions of the flow induced pressure correction factors due to RCP operation (Ref. 3).

Note 5 provides for an orderly transition from MODE 5 to MODE 4 during a planned heatup by permitting removal of SDC trains from operation when at least one RCP is in operation. This Note provides for the transition to MODE 4 where an RCP is permitted to be in operation and replaces the RCS circulation function provided by the SDC trains.

An OPERABLE SDC train is composed of an OPERABLE SDC pump (CS or LPSI) capable of providing flow to the SDC heat exchanger for heat removal.
SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required. A SG can perform as a heat sink when it is OPERABLE and has the minimum water level specified in SR 3.4.7.2. The RCS loops may not be considered filled until two conditions needed for operation of the steam generators are met. First, the RCS must be intact. This means that all removable portions of the primary pressure boundary (e.g., manways, safety valves) are securely fastened. Nozzle dams are removed. All manual drain and vent valves are closed, and any open system penetrations (e.g., letdown, reactor head vents) are capable of remote closure from the control room. An intact primary allows the system to be pressurized as needed to achieve the subcooling margin necessary to establish natural circulation cooling. When the RCS is not intact as described, a loss of SDC flow results in blowdown of coolant through boundary openings that also could prevent adequate natural circulation between the core and steam generators. Secondly, the concentration of dissolved or otherwise entrained gases in the coolant must be limited or other controls established so that gases coming out of solution in the SG U-tubes will not adversely affect natural circulation. With these conditions met, the SGs are a functional method of RCS heat removal upon loss of the operating SDC train. The ability to feed and steam SGs at all times is not required when RCS temperature is less than 210°F because significant loss of SG inventory through boiling will not occur during time anticipated to take corrective action. The required SG level provides sufficient time to either restore the SDC train or implement a method for feeding and steaming the SGs (using non-class components if necessary). 
APPLICABILITY

In MODE 5 with RCS loops filled, this LCO requires forced circulation to remove decay heat from the core and to provide proper boron mixing. One SDC train provides sufficient circulation for these purposes.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops - MODES 1 and 2";
LCO 3.4.5, "RCS Loops - MODE 3";
LCO 3.4.6, "RCS Loops - MODE 4";
LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled";
LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and
LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).

ACTIONS

A.1 and A.2

If a SDC train is inoperable and any SGs have secondary side water levels < 25% wide range, redundancy for heat removal is lost. Action must be initiated immediately to restore a second SDC train to OPERABLE status or to restore the water level in the required SGs. Either Required Action A.1 or Required Action A.2 will restore redundant decay heat removal paths. The immediate Completion Times reflect the importance of maintaining the availability of two paths for decay heat removal.

B.1 and B.2

If the required SDC train is not OPERABLE or no SDC train is in operation, all operations involving the reduction of RCS boron concentration must be suspended. Action to restore one SDC train to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing and the margin to criticality must not be reduced in this type of operation. The immediate Completion Times reflect the importance of maintaining operation for decay heat removal.
SURVEILLANCE REQUIREMENTS

SR 3.4.7.1

This SR requires verification that one SDC train is in operation and circulating reactor coolant at a flow rate of greater than or equal to 3780 gpm. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing decay heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SDC flow is established to ensure that core outlet temperature is maintained sufficiently below saturation to allow time for swapover to the standby SDC train should the operating train be lost.

SR 3.4.7.2

Verifying the SGs are OPERABLE by ensuring their secondary side water levels are ≥ 25% wide range level ensures that redundant heat removal paths are available if the second SDC train is inoperable. The Surveillance is required to be performed when the LCO requirement is being met by use of the SGs. If both SDC trains are OPERABLE, this SR is not needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.7.3

Verification that the second SDC train is OPERABLE ensures that redundant paths for decay heat removal are available. The requirement also ensures that the additional train can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pumps. The Surveillance is required to be performed when the LCO requirement is being met by one of two SDC trains, e.g., both SGs have < 25% wide range water level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES

1. Not Used
2. CE NPSD-770 Analysis for Lower Mode Functional Recovery Guidelines.
3. PVNGS Operating License Amendments 52, 38, and 24 for Units 1, 2 and 3, respectively, and associated NRC Safety Evaluation dated July 25, 1990.
4. Not used.
5. PVNGS Calculation 13-JC-SH-0200, Section 2.9.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 RCS Loops MODE 5, Loops Not Filled

BASES

BACKGROUND

In MODE 5 with the RCS loops not filled, the primary function of the reactor coolant is the removal of decay heat and transfer of this heat to the Shutdown Cooling (SDC) heat exchangers. The Steam Generators (SGs) are not available as a heat sink when the loops are not filled. The secondary function of the reactor coolant is to act as a carrier for the soluble neutron poison, boric acid.

In MODE 5 with loops not filled, only the SDC System can be used for coolant circulation. The number of trains in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least one SDC train for decay heat removal and transport and to require that two paths be available to provide redundancy for heat removal.

APPLICABLE SAFETY ANALYSES

In MODE 5, RCS circulation is considered in determining the time available for mitigation of the accidental boron dilution event. The SDC trains provide this circulation. The flow provided by one SDC train is adequate for decay heat removal and for boron mixing.
RCS loops MODE 5 (loops not filled) have been identified in 10 CFR 50.36 (c)(2)(ii) as important contributors to risk reduction.

LCO

The purpose of this LCO is to require a minimum of two SDC trains be OPERABLE and one of these trains be in operation. An OPERABLE train is one that is capable of transferring heat from the reactor coolant at a controlled rate. Heat cannot be removed via the SDC System unless forced flow is used. A minimum of one running SDC pump meets the LCO requirement for one train in operation. An additional SDC train is required to be OPERABLE to meet the single failure criterion.

Note 1 permits all SDC pumps to be de-energized 1 hour per 8 hour period. The circumstances for stopping both SDC pumps are to be limited to situations when the outage time is short and the core outlet temperature is maintained > 10°F below saturation temperature. The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized. The instrument error associated with determining this difference is less than 10 degrees F. (There are no special restrictions for instrumentation use.) Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 20 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized. (Ref. 1) The Note prohibits boron dilution or draining operations when SDC forced flow is stopped.

Note 2 allows one SDC train to be inoperable for a period of 2 hours provided that the other train is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable train during the only time when these tests are safe and possible.

An OPERABLE SDC train is composed of an OPERABLE SDC pump (CS or LPSI) capable of providing flow to the SDC heat exchanger for heat removal. SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required. Note that the CS pumps shall not be used for normal operations if the water level is at or below the top of the hot-leg pipe (103' - 1") due to concerns of potential air entrainment and gas binding of the CS pump (Ref. 2).

APPLICABILITY

In MODE 5 with loops not filled, this LCO requires core heat removal and coolant circulation by the SDC System.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops - MODES 1 and 2";
LCO 3.4.5, "RCS Loops - MODE 3";
LCO 3.4.6, "RCS Loops - MODE 4";
LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled";
LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level" (MODE 6); and
LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level" (MODE 6).

ACTIONS

A.1

If a SDC train is inoperable, redundancy for heat removal is lost. Action must be initiated immediately to restore a second train to OPERABLE status.
The Completion Time reflects the importance of maintaining the availability of two paths for heat removal.

B.1 and B.2

If no SDC train is OPERABLE or in operation, except as provided in NOTE 1, all operations involving the reduction of RCS boron concentration must be suspended. Action to restore one SDC train to OPERABLE status and operation must be initiated immediately. Boron dilution requires forced circulation for proper mixing and the margin to criticality must not be reduced in this type of operation. The immediate Completion Time reflects the importance of maintaining operation for decay heat removal.

SURVEILLANCE REQUIREMENTS

SR 3.4.8.1

This SR requires verification that one SDC train is in operation and circulating reactor coolant at a flow rate of greater than or equal to 3780 gpm. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing decay heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.8.2

Verification that the required number of trains are OPERABLE ensures that redundant paths for heat removal are available and that an additional train can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and indicated power available to the required pumps. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. PVNGS Calculation 13-JC-SH-0200, Section 2.9.
2. PVNGS Calculation 13-MC-SI-0250, Appendix C.
B 3.4 REACTOR COOLANT SYSTEMS (RCS)

B 3.4.9 Pressurizer

BASES

BACKGROUND

The pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under saturated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Key functions include maintaining required primary system pressure during steady state operation and limiting the pressure changes caused by reactor coolant thermal expansion and contraction during normal load transients.

The pressure control components addressed by this LCO include the pressurizer water level and the required heaters and their backup heater controls. Pressurizer safety valves and pressurizer vents are addressed by LCO 3.4.10 "Pressurizer Safety Valves-MODES 1, 2, and 3," LCO 3.4.11 "Pressurizer Safety Valves-MODE 4," and LCO 3.4.12 "Pressurizer Vents", respectively.

The maximum steady state water level limit has been established to ensure that a liquid to vapor interface exists to permit RCS pressure control, using the sprays and heaters during normal operation and proper pressure response for anticipated design basis transients. The maximum and minimum steady state water level limit serves two purposes:

a. Pressure control during normal operation maintains subcooled reactor coolant in the loops and thus in the preferred state for heat transport; and

b. By restricting the level to a maximum, expected transient reactor coolant volume increases (pressurizer insurge) will not cause excessive level changes that could result in degraded ability for pressure control.

The maximum steady state water level limit permits pressure control equipment to function as designed. The limit preserves the steam space during normal operation, thus, both sprays and heaters can operate to maintain the design operating pressure.
The level limit also prevents filling the pressurizer (water solid) for anticipated design basis transients, thus ensuring that pressure relief devices (pressurizer safety valves) can control pressure by steam relief rather than water relief. If the level limits were exceeded prior to a transient that creates a large pressurizer insurge volume leading to water relief, the maximum RCS pressure might exceed the Safety Limit of 2750 psia.

The minimum steady state water level in the pressurizer assures pressurizer heaters, which are required to achieve and maintain pressure control, remain covered with water to prevent failure, which could occur if the heaters were energized uncovered.

The requirement to have two groups of pressurizer heaters ensures that RCS pressure can be maintained. The pressurizer heaters maintain RCS pressure to keep the reactor coolant subcooled. Inability to control RCS pressure during natural circulation flow could result in loss of single phase flow and decreased capability to remove core decay heat.

APPLICABLE SAFETY ANALYSES

In MODES 1, 2, and 3, the LCO requirement for a steam bubble is reflected implicitly in the accident analyses. No safety analyses are performed in lower MODES. All analyses performed from a critical reactor condition assume the existence of a steam bubble and saturated conditions in the pressurizer. In making this assumption, the analyses neglect the small fraction of noncondensable gases normally present.

An implicit initial condition assumption of the Safety Analyses is that the RCS is operating at normal pressure.
The individual UFSAR Accident Analysis Sections must be reviewed to determine the assumed pressurizer heater operation during the transient. Steam generator tube rupture, for example, credits pressurizer class backup heaters to maintain adequate subcooling margin.

The Class 1E pressurizer backup heaters are needed to maintain subcooling in the long term during loss of offsite power, as indicated in NUREG-0737 (Ref. 1). The intent is to keep the reactor coolant in a subcooled condition with natural circulation at hot, high pressure conditions for an undefined, but extended, time period after a loss of offsite power. While loss of offsite power is a coincident occurrence assumed in the accident analyses, maintaining hot, high pressure conditions over an extended time period is not evaluated in the accident analyses.

The pressurizer satisfies Criterion 2 and Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO

The LCO requirement for the pressurizer to be OPERABLE with water level 27% indicated level (425 cubic feet) and 56% indicated level (948 cubic feet) ensures that a steam bubble exists. Limiting the maximum operating water level preserves the steam space for pressure control. The LCO has been established to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity 125 kW. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation.
By maintaining the pressure near the operating conditions, a wide subcooling margin to saturation can be obtained in the loops.

APPLICABILITY

The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, Applicability has been designated for MODES 1 and 2. The Applicability is also provided for MODE 3. It is assumed pressurizer level is under steady state conditions. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational perturbation, such as reactor coolant pump startup. The LCO does not apply to MODE 5 (Loops Filled) because LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP) System," applies. The LCO does not apply to MODES 5 and 6 with partial loop operation. Also, a Note has been added to indicate the limit on pressurizer level may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP.

In MODES 1, 2, and 3, the initial conditions of these MODES give the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODES 4, 5, or 6, it is not necessary to control pressure (by heaters) to ensure loop subcooling for heat transfer when the Shutdown Cooling System is in service and therefore the LCO is not applicable.

ACTIONS

A.1 and A.2

With pressurizer water level not within the limit, action must be taken to restore the plant to operation within the bounds of the safety analyses. To achieve this status, the unit must be brought to MODE 3, with the reactor trip breakers open, within 6 hours and to MODE 4 within 12 hours. This takes the plant out of the applicable MODES and restores the plant to operation within the bounds of the safety analyses.

Six hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. Further pressure and temperature reduction to MODE 4 brings the plant to a MODE where the LCO is not applicable. The 12 hour time to reach the nonapplicable MODE is reasonable based on operating experience for that evolution.

B.1

If one required group of pressurizer heaters is inoperable, restoration is required within 72 hours. The Completion Time of 72 hours is reasonable considering that a demand caused by loss of offsite power would be unlikely in this period. Pressure control may be maintained during this time using normal station powered heaters.

C.1 and C.2

If one required group of pressurizer heaters is inoperable and cannot be restored within the allowed Completion Time of Required Action B.1, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours and to MODE 4 within 12 hours. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging safety systems.
Similarly, the Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 4 from full power in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.9.1

This Surveillance ensures that during steady state operation, pressurizer water level is maintained below the nominal upper limit to provide a minimum space for a steam bubble. The Surveillance is performed by observing the indicated level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.9.2

The Surveillance is satisfied when the power supplies are demonstrated to be capable of producing the minimum power and the associated pressurizer heaters are verified to be at their design rating. (This may be done by testing the power supply output and by performing an electrical check on heater element continuity and resistance.) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. NUREG-0737, November 1980.

Pressurizer Safety Valves-MODES 1, 2, and 3 B 3.4.10
PALO VERDE UNITS 1,2,3 B 3.4.10-1 REVISION 53

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Pressurizer Safety Valves

BASES

BACKGROUND

The purpose of the four spring loaded pressurizer safety valves is to provide RCS overpressure protection. Operating in conjunction with the Reactor Protective System, four valves are used to ensure that the Safety Limit (SL) of 2750 psia is not exceeded for analyzed transients during operation in MODES 1, 2 and 3.
One safety valve is used for MODE 4. For MODE 5, and MODE 6 with the head on, overpressure protection is provided by operating procedures and the LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP) System."

The self actuated pressurizer safety valves are designed in accordance with the requirements set forth in the ASME, Boiler and Pressure Vessel Code, Section III (Ref. 1). The required lift pressure is 2475 psia +3%, -1%. At this lift pressure plus accumulation, each safety valve is capable of relieving 473,300 lb/hr of saturated steam, which ensures the current safety analysis requirements are met. The safety valves discharge steam from the pressurizer to a quench tank located in the containment. The discharge flow is indicated by an increase in temperature downstream of the safety valves and by an increase in the quench tank temperature and level.

The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of design pressure. The consequences of exceeding the ASME pressure limit (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

APPLICABLE SAFETY ANALYSES

All accident analyses in the UFSAR that require safety valve actuation assume operation of four pressurizer safety valves to limit increasing reactor coolant pressure.
The overpressure protection analysis is also based on operation of four safety valves and assumes that the valves open at the high range of the setting (2475 psia + 3%). These valves must accommodate pressurizer pressure and volume insurges that could occur during transients due to decrease in heat removal by the secondary systems, reactivity and power distribution anomalies, and increases in RCS inventory. Single failure of a safety valve is neither assumed in the accident analysis nor required to be addressed by the ASME Code. Compliance with this specification is required to ensure that the accident analysis and design basis calculations remain valid.

The pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The four pressurizer safety valves are set to open at 25 psia less than RCS design pressure (2475 psia) and within the ASME specified tolerance to avoid exceeding the maximum RCS design pressure SL, to maintain accident analysis assumptions, and to comply with ASME Code requirements. The limit protected by this specification is the Reactor Coolant Pressure Boundary (RCPB) SL of 110% of design pressure. Inoperability of one or more valves could result in exceeding the SL if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY

In MODES 1, 2, and 3, OPERABILITY of four valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents. MODE 3 is conservatively included, although the listed accidents may not require four safety valves for protection.
The requirements for overpressure protection in other MODES are covered by LCO 3.4.11, "Pressurizer Safety Valves-MODE 4," and LCO 3.4.13, "LTOP System."

The Note allows entry into MODES 3 and 4 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The 72 hour exception is based on 18 hour outage time for each of the four valves. The 18 hour period is derived from operating experience that hot testing can be performed within this timeframe.

ACTIONS

A.1

With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS overpressure protection system. An inoperable safety valve coincident with an RCS overpressure event could challenge the integrity of the RCPB.

B.1 and B.2

If the Required Action cannot be met within the required Completion Time or if two or more pressurizer safety valves are inoperable, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The 6 hours allowed is reasonable, based on operating experience, to reach MODE 3 from full power without challenging plant systems.
Similarly, the 12 hours allowed is reasonable, based on operating experience, to reach MODE 4 without challenging plant systems.

The change from MODE 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by four pressurizer safety valves.

SURVEILLANCE REQUIREMENTS

SR 3.4.10.1

SRs are specified in the Inservice Testing Program. Pressurizer safety valves are to be tested in accordance with the requirements of the ASME OM Code (Ref. 3), which provides the activities and the Frequency necessary to satisfy the SRs. No additional requirements are specified.

The pressurizer safety valve setpoint is +3%, -1% for OPERABILITY; however, the valves are reset to +/- 1% during the Surveillance to allow for drift (Ref. 2). The lift setting pressure shall correspond to ambient conditions of the valve at nominal operating temperature and pressure.

REFERENCES

1. ASME, Boiler and Pressure Vessel Code, Section III.
2. PVNGS Operating License Amendment Nos. 75, 61, and 47 for Units 1, 2, and 3, respectively, and associated NRC Safety Evaluation dated May 16, 1994.
3. ASME Code for Operation and Maintenance of Nuclear Power Plants.

Pressurizer Safety Valves-MODE 4 B 3.4.11
PALO VERDE UNITS 1,2,3 B 3.4.11-1 REVISION 0

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.11 Pressurizer Safety Valves-MODE 4

BASES

BACKGROUND

The purpose of the four spring loaded pressurizer safety valves is to provide RCS overpressure protection. One safety valve is used for portions of MODE 4. For the remainder of MODE 4, MODE 5, and MODE 6 with the head on, overpressure protection is provided by operating procedures and the LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP) System."

The self actuated pressurizer safety valves are designed in accordance with the requirements set forth in the ASME, Boiler and Pressure Vessel Code, Section III (Ref. 1). The required lift pressure is 2475 psia +3%, -1%. The safety valves discharge steam from the pressurizer to a quench tank located in the containment. The discharge flow is indicated by an increase in temperature downstream of the safety valves and by an increase in the quench tank temperature and level.

The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of design pressure. The consequences of exceeding the ASME pressure limit (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

Pressurizer Safety Valve Requirements

The pressurizer code safety valves operate to prevent the RCS from being pressurized above its Safety Limit (SL) of 2750 psia. Each safety valve is capable of relieving 473,300 lb/hr of saturated steam at a setpoint of 2475 psia plus 3% accumulation, which ensures the current safety analysis requirements are met. The relief capacity of a single safety valve is adequate to relieve any overpressure condition which could occur during shutdown above LTOP System temperatures.

Shutdown Cooling System Suction Line Relief Valve Requirements

A single Shutdown Cooling System suction line relief valve provides overpressure relief capability and will prevent RCS overpressurization in the event that no pressurizer safety valves are OPERABLE.

APPLICABLE SAFETY ANALYSES

All accident analyses in the UFSAR that require safety valve actuation assume operation of four pressurizer safety valves to limit increasing reactor coolant pressure. The overpressure protection analysis is also based on operation of four safety valves and assumes that the valves open at the high range of the setting (2475 psia + 3%). These valves must accommodate pressurizer pressure and volume insurges that could occur during transients due to decrease in heat removal by the secondary systems, reactivity and power distribution anomalies, and increase in RCS inventory. Single failure of a safety valve is neither assumed in the accident analysis nor required to be addressed by the ASME Code.
Compliance with this specification is required to ensure that the accident analysis and design basis calculations remain valid.

The pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

One pressurizer safety valve is required to be OPERABLE in MODE 4 with no Shutdown Cooling System suction line relief valves in service. The four pressurizer safety valves are set to open 25 psia less than RCS design pressure (2475 psia) and within the ASME specified tolerance to avoid exceeding the maximum RCS design pressure SL, to maintain accident analysis assumptions, and to comply with ASME Code requirements. The limit protected by this specification is the Reactor Coolant Pressure Boundary (RCPB) SL of 110% of design pressure. Inoperability of all valves could result in exceeding the SL if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY

In MODE 4 above the LTOP System temperatures OPERABILITY of one valve is required. MODE 4 is conservatively included, although the listed accidents may not require a safety valve for protection.

The requirements for overpressure protection in other MODES and in MODE 4 at or below the LTOP System temperatures are covered by LCOs 3.4.10, "Pressurizer Safety Valves - MODES 1, 2 and 3," and LCO 3.4.13, LTOP System.

The Note allows entry into MODES 3 and 4 with the lift settings outside the LCO limits.
This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The 72 hour exception is based on 18 hour outage time for each of the four valves. The 18 hour period is derived from operating experience that hot testing can be performed within this timeframe.

ACTIONS

A.1, A.2, and A.3

If all pressurizer safety valves are inoperable, the plant must be brought to a condition where overpressure protection is provided, then to a MODE in which the requirement does not apply. To achieve this status, one Shutdown Cooling System suction line relief must be placed in service immediately, then the plant must be brought to at least MODE 4 with any RCS cold leg temperature less than or equal to the LTOP enable temperature specified in the PTLR within 8 hours, so that LCO 3.4.13 (LTOP System) would apply. It is reasonable to pursue the ACTION to place a shutdown cooling system suction relief valve in service immediately (without delay) because the plant is already within the shutdown cooling system entry temperature of less than 350°F. The Completion Time of immediately requires that the required action be pursued without delay and in a controlled manner, and reflects the importance of maintaining the RCS overpressure protection system.
The 8 hours allowed to be in MODE 4 with any RCS temperature less than or equal to the LTOP enable temperature specified in the PTLR is reasonable, based on operating experience, to reach this condition without challenging plant systems.

For the Shutdown Cooling System suction line relief valve that is required to be in service in accordance with Required Action A.1, SR 3.4.11.2 and SR 3.4.11.3 must be performed or verified performed within 12 hours. This ensures that the required Shutdown Cooling System suction line relief valve is OPERABLE. A Shutdown Cooling System suction line relief valve is OPERABLE when its isolation valves are open, its lift setpoint is set at 467 psig or less, and testing has proven its ability to open at that setpoint.

If the Required Actions and associated Completion Times are not met, overpressurization is possible. The 8 hours Completion Time to be in MODE 4 with any RCS cold leg temperature less than or equal to the LTOP enable temperature specified in the PTLR places the unit in a condition where the LCO does not apply.

SURVEILLANCE REQUIREMENTS

SR 3.4.11.1

SRs are specified in the Inservice Testing Program. Pressurizer safety valves are to be tested in accordance with the requirements of the ASME OM Code (Ref. 2), which provides the activities and the Frequency necessary to satisfy the SRs. No additional requirements are specified.

The pressurizer safety valve setpoint is +3%, -1% for OPERABILITY; however, the valves are reset to +/- 1% during the Surveillance to allow for drift (Ref. 3). The lift setting pressure shall correspond to ambient conditions of the valve at nominal operating temperature and pressure.

SR 3.4.11.2

SR 3.4.11.2 requires that the required Shutdown Cooling System suction line relief valve is OPERABLE by verifying its open pathway condition. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR has been modified by a Note that requires performance only if a Shutdown Cooling System suction line relief valve is being used for overpressure protection. The Frequencies consider operating experience with mispositioning of unlocked and locked pathway vent valves.

SR 3.4.11.3

SRs are specified in the Inservice Testing Program. Shutdown Cooling System suction line relief valves are to be tested in accordance with the requirements of the ASME OM Code (Ref. 2), which provides the activities and the Frequency necessary to satisfy the SRs. The Shutdown Cooling System suction line relief valve setpoint is 467 psig.

REFERENCES

1. ASME, Boiler and Pressure Vessel Code, Section III.
2. ASME Code for Operations and Maintenance of Nuclear Power Plants.
3. PVNGS Operating License Amendment Nos. 75, 61, and 47 for Units 1, 2, and 3 respectively, and associated NRC Safety Evaluation dated May 16, 1994.

Pressurizer Vents B 3.4.12
PALO VERDE UNITS 1,2,3 B 3.4.12-1 REVISION 1

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.12 Pressurizer Vents

BASES

BACKGROUND

The pressurizer vent is part of the reactor coolant gas vent system (RCGVS) as described in UFSAR 18.II.B.1 (Ref. 1). The pressurizer can be vented remotely from the control room through the following four paths (see UFSAR Figure 18.II.B-1):

1. From the pressurizer vent through SOV HV-103, then through SOV HV-105 to the reactor drain tank (RDT).
2. From the pressurizer vent through SOV HV-103, then through SOV HV-106 directly to the containment atmosphere.
3. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-105 to the reactor drain tank (RDT).
4. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-106 directly to the containment atmosphere.

The RCGVS also includes the reactor head vent, which can be used along with the pressurizer vent to remotely vent gases that could inhibit natural circulation core cooling during post accident situations. However, this function does not meet the criteria of 10 CFR 50.36(c)(2)(ii) to require a Technical Specification LCO, and therefore the reactor head vent is not included in these Technical Specifications.

APPLICABLE SAFETY ANALYSES

The requirement for the pressurizer vent path to be OPERABLE is based on the steam generator tube rupture (SGTR) with loss of offsite power (SGTRLOP) and SGTR with loss of offsite power and single failure (SGTRLOPSF) analysis, as described in UFSAR 15.6.3 (Ref. 4). It is assumed that the auxiliary pressurizer spray system (APSS) is not available for this event. Instead, RCS depressurization is performed by venting the RCS via a pressurizer vent path and throttling HPSI flow. The analysis assumes venting to the containment atmosphere via path 4 as described below.

The results of the CENTS based analysis for SGTRLOP and SGTRLOPSF forwarded to the NRC in Reference 2 state that the auxiliary spray was assumed to be unavailable and use of pressurizer head vents was credited for de-pressurization. The staff has reviewed and accepted the results of the analysis. The staff's detailed evaluation has been reported in Amendment No.
149, which increases power to 3990 MWt for Unit 2 and incorporates replacement steam generator (Ref. 3).

The pressurizer vent paths satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO requires four pressurizer vent paths be OPERABLE. The four vent paths are:

1. From the pressurizer vent through SOV HV-103, then through SOV HV-105 to the reactor drain tank (RDT).
2. From the pressurizer vent through SOV HV-103, then through SOV HV-106 directly to the containment atmosphere.
3. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-105 to the reactor drain tank (RDT).
4. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-106 directly to the containment atmosphere.

A vent path is flow capability from the pressurizer to the RDT or from the pressurizer to containment atmosphere. Loss of any single valve in the pressurizer vent system will cause two flow paths to become inoperable. A pressurizer vent path is required to depressurize the RCS in a SGTR design basis event which assumes LOP and APSS unavailable.

APPLICABILITY

In MODES 1, 2, 3, and MODE 4 with RCS pressure 385 psia the four pressurizer vent paths are required to be OPERABLE. The safety analysis for the SGTR with LOP and a Single Failure (loss of APSS) credits a pressurizer vent path to reduce RCS pressure. In MODES 1, 2, 3, and MODE 4 with RCS pressure 385 psia the SGs are the primary means of heat removal in the RCS, until shutdown cooling can be initiated.
In MODES 1, 2, 3, and MODE 4 with RCS pressure 385 psia, assuming the APSS is not available, the pressurizer vent paths are the credited means to depressurize the RCS to Shutdown Cooling System entry conditions. Further depressurization into MODE 5 requires use of the pressurizer vent paths. In MODE 5 with the reactor vessel head in place, temperature requirements of MODE 5 (< 210°F) ensure the RCS remains depressurized. In MODE 6 the RCS is depressurized.

ACTIONS

A.1

If two or three pressurizer vent paths are inoperable, they must be restored to OPERABLE status. Loss of any single valve in the pressurizer vent system will cause two flow paths to become inoperable. Any vent path that provides flow capability from the pressurizer to the RDT or to the containment atmosphere, independent of which train is powering the valves in the flow path, can be considered an operable vent path. The Completion Time of 72 hours is reasonable because there is at least one pressurizer vent path that remains OPERABLE.

B.1

If all pressurizer vent paths are inoperable, then restore at least one pressurizer vent path to OPERABLE status. The Completion Time of 6 hours is reasonable to allow time to correct the situation, yet emphasize the importance of restoring at least one pressurizer vent path. If at least one pressurizer vent path is not restored to OPERABLE within the Completion Time, then Action C is entered.

C.1

If the required Actions, A and B, cannot be met within the associated Completion Times, the plant must be brought to a MODE in which the requirement does not apply.
To achieve this status, the plant must be brought to at least MODE 3 within 6 hours, and to MODE 4 with RCS pressure < 385 psia within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.12.1

SR 3.4.12.1 requires complete cycling of each pressurizer vent path valve. The vent valves must be cycled from the control room to demonstrate their operability. Pressurizer vent path valve cycling demonstrates its function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This surveillance test must be performed in Mode 5 or Mode 6. In any Mode, partial surveillance tests can be performed for post-maintenance testing under site procedural controls that ensure the valve being tested is isolated from RCS pressure.

SR 3.4.12.2

SR 3.4.12.2 requires verification of flow through each pressurizer vent path. Verification of pressurizer vent path flow demonstrates its function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This surveillance test must be performed in Mode 5 or Mode 6.

REFERENCES

1. UFSAR, Section 18.

2. "Palo Verde Nuclear Generating Station (PVNGS) Unit 2 Docket No. STN 50-529 Request for a License Amendment to Support Replacement of Steam Generators and Uprated Power Operations," Letter 102-046141-CDM/RAB, C. D. Mauldin (APS) to the NRC, December 21, 2001.

3. "Palo Verde Nuclear Generating Station, Unit 2 (PVNGS-2) - Issuance of Amendment on Replacement of Steam Generators and Uprated Power Operations (TAC NO. MB3696)," B.M. Pham (NRC) to G. R.
Overbeck (APS), September 29, 2003.

4. UFSAR, Section 15.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.13 Low Temperature Overpressure Protection (LTOP) System

BASES

BACKGROUND

The LTOP System controls RCS pressure at low temperatures so the integrity of the Reactor Coolant Pressure Boundary (RCPB) is not compromised by violating the Pressure and Temperature (P/T) limits of 10 CFR 50, Appendix G (Ref. 1). The reactor vessel is the limiting RCPB component for demonstrating such protection. LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," provides the allowable combinations for operational pressure and temperature during cooldown, shutdown, and heatup to keep from violating the Reference 1 requirements during the LTOP MODES.

The reactor vessel material is less tough at low temperatures than at normal operating temperatures. As the vessel neutron exposure accumulates, the material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref. 2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as temperature is increased.

The potential for vessel overpressurization is most acute when the RCS is water solid, occurring only while shutdown; a pressure fluctuation can occur more quickly than an operator can react to relieve the condition. Exceeding the RCS P/T limits by a significant amount could cause brittle cracking of the reactor vessel. LCO 3.4.3 requires administrative control of RCS pressure and temperature during heatup and cooldown to prevent exceeding the P/T limits.

This LCO provides RCS overpressure protection by having adequate pressure relief capacity.
The pressure relief capacity requires either two OPERABLE redundant Shutdown Cooling System suction line relief valves or the RCS depressurized and an RCS vent of sufficient size. One Shutdown Cooling System suction line relief valve or the RCS vent is the overpressure protection device that acts to terminate an increasing pressure event.

The LTOP System for pressure relief consists of two Shutdown Cooling System suction line relief valves or an RCS vent of sufficient size. Two relief valves are required for redundancy. One Shutdown Cooling System suction line relief valve has adequate relieving capability to prevent overpressurization for the required coolant input capability.

Shutdown Cooling System Suction Line Relief Valve Requirements

As designed for the LTOP System, each Shutdown Cooling System suction line relief valve is designed to lift and relieve RCS pressure if RCS pressure approaches the Shutdown Cooling System suction line relief valve lift setpoint. Each Shutdown Cooling System suction line relief valve is designed to protect the reactor vessel given a single failure in addition to a failure that initiated the pressure transient. No single failure of a Shutdown Cooling System suction line relief valve isolation valve (SI-651, 652, 653, or 654) will prevent one Shutdown Cooling System suction line relief valve from performing its intended function (Ref. 7).

The OPERABILITY of two Shutdown Cooling System suction line relief valves, while maintaining the limits imposed on the RCS heatup and cooldown rates, ensures that the RCS will be protected from analyzed pressure transients.
Either Shutdown Cooling System suction line relief valve provides overpressure protection for the RCS due to the most limiting transients initiated by a single operator or equipment failure.

a. The start of an idle RCP with secondary water temperature of the SG 100°F above RCS cold leg temperatures.

b. An inadvertent SIAS with two HPSI pumps injecting into a water solid RCS, three charging pumps injecting, and letdown isolated.

These events are the most limiting energy and mass addition transients, respectively, when the RCS is at low temperatures (Refs. 7 and 8).

When a Shutdown Cooling System suction line relief valve lifts due to an increasing pressure transient, the release of coolant causes the pressure increase to slow and reverse. As the Shutdown Cooling System suction line relief valve releases coolant, the system pressure decreases until valve reseat pressure is reached and the Shutdown Cooling System suction line relief valve closes.

At low temperatures with the Shutdown Cooling System suction line relief valves aligned to the RCS, it is necessary to restrict heatup and cooldown rates to assure that P-T limits are not exceeded. These P-T limits are usually applicable to a finite time period such as one cycle, 5 EFPY, etc. and are based upon irradiation damage prediction by the end of the period. Accordingly, each time P-T limits change, the LTOP System needs to be reanalyzed and modified, if necessary, to continue its function.
Once the RCS is depressurized, a vent exposed to the containment atmosphere will maintain the RCS at containment ambient pressure in an RCS overpressure transient, if the relieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path must be capable of relieving the flow resulting from the limiting LTOP mass or heat input transient and maintaining pressure below the P/T limits. The required vent capacity may be provided by one or more vent paths.

For an RCS vent to meet the specified flow capacity, it requires removing all pressurizer safety valves, or similarly establishing a vent by opening the pressurizer manway (Ref. 10). The vent path(s) must be above the level of reactor coolant, so as not to drain the RCS when open.

APPLICABLE SAFETY ANALYSES

Safety analyses (Ref. 3) demonstrate that the reactor vessel is adequately protected against exceeding the Reference 1 P/T limits during shutdown. In MODES 1, 2, and 3, and in MODE 4 with any RCS cold leg temperature greater than the LTOP enable temperature specified in the PTLR, the pressurizer safety valves prevent RCS pressure from exceeding the Reference 1 limits. At the LTOP enable temperature specified in the PTLR and below, overpressure prevention falls to the OPERABLE Shutdown Cooling System suction line relief valves or to a depressurized RCS and a sufficient sized RCS vent. Each of these means has a limited overpressure relief capability.

The actual temperature at which the pressure in the P/T limit curve falls below the pressurizer safety valve setpoint increases as the reactor vessel material toughness decreases due to neutron embrittlement.
Each time the P/T limit curves are revised, the LTOP System will be re-evaluated to ensure its functional requirements can still be satisfied using the Shutdown Cooling System suction line relief valve method or the depressurized and vented RCS condition.

Reference 3 contains the acceptance limits that satisfy the LTOP requirements. Any change to the RCS must be evaluated against these analyses to determine the impact of the change on the LTOP acceptance limits.

Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transients, examples of which follow:

Mass Input Type Transients

a. Inadvertent safety injection; or

b. Charging/letdown flow mismatch.

Heat Input Type Transients

a. Inadvertent actuation of pressurizer heaters;

b. Loss of shutdown cooling (SDC); or
c. Reactor coolant pump (RCP) startup with temperature asymmetry within the RCS or between the RCS and steam generators.

References 3, 7, and 8 analyses demonstrate that either one Shutdown Cooling System suction line relief valve or the RCS vent can maintain RCS pressure below limits for the two most limiting analyzed events:

a. The start of an idle RCP with secondary water temperature of the SG 100°F above RCS cold leg temperatures.

b. An inadvertent SIAS with two HPSI pumps injecting into a water solid RCS, three charging pumps injecting, and letdown isolated.

Fracture mechanics analyses established the temperature of LTOP Applicability at less than or equal to the LTOP enable temperature specified in the PTLR. Above these temperatures, the pressurizer safety valves provide the reactor vessel pressure protection. The vessel materials were assumed to have a neutron irradiation accumulation equal to the effective full power years of operation specified in the PTLR.

The consequences of a small break Loss Of Coolant Accident (LOCA) in LTOP MODE 4 conform to 10 CFR 50.46 and 10 CFR 50, Appendix K (Refs. 4 and 5).

The fracture mechanics analyses show that the vessel is protected when the Shutdown Cooling System suction line relief valves are set to open at or below 467 psig. The setpoint is derived by modeling the performance of the LTOP System, assuming the limiting allowed LTOP transient. The Shutdown Cooling System suction line relief valves setpoints at or below the derived limit ensure the Reference 1 limits will be met.

The Shutdown Cooling System suction line relief valves setpoints will be re-evaluated for compliance when the revised P/T limits conflict with the LTOP analysis limits.
The P/T limits are periodically modified as the reactor vessel material toughness decreases due to embrittlement caused by neutron irradiation. Revised P/T limits are determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," discuss these examinations.

The Shutdown Cooling System suction line relief valves are considered active components. Thus, the failure of one Shutdown Cooling System suction line relief valve represents the worst case, single active failure.

RCS Vent Performance

With the RCS depressurized, analyses show a vent size of 16 square inches is capable of mitigating the limiting allowed LTOP overpressure transient. In that event, this size vent maintains RCS pressure less than the maximum RCS pressure on the P/T limit curve.

The RCS vent size will also be re-evaluated for compliance each time the P/T limit curves are revised based on the results of the vessel material surveillance.

The RCS vent is passive and is not subject to active failure.

LTOP System satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO is required to ensure that the LTOP System is OPERABLE. The LTOP System is OPERABLE when the pressure relief capabilities are OPERABLE. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the Reference 1 limits as a result of an operational transient.

The elements of the LCO that provide overpressure mitigation through pressure relief are:

a.
Two OPERABLE Shutdown Cooling System suction line relief valves; or

b. The depressurized RCS and an RCS vent.

A Shutdown Cooling System suction line relief valve is OPERABLE for LTOP when its isolation valves are open, its lift setpoint is set at 467 psig or less and testing has proven its ability to open at that setpoint.

An RCS vent is OPERABLE when open with an area 16 square inches.

For an RCS vent to meet the specified flow capacity, it requires removing all pressurizer safety valves, or similarly establishing a vent by opening the pressurizer manway (Ref. 10). The vent path(s) must be above the level of reactor coolant, so as not to drain the RCS when open.

Each of these methods of overpressure prevention is capable of mitigating the limiting LTOP transient.

The Note requires that, before an RCP may be started, the secondary side water temperature (saturation temperature corresponding to SG pressure) in each SG is 100°F above each of the RCS cold leg temperatures. Satisfying this condition will preclude a large pressure surge in the RCS when the RCP is started.

APPLICABILITY

This LCO is applicable in MODE 4 when the temperature of any RCS cold leg is less than or equal to the LTOP enable temperature specified in the PTLR, in MODE 5, and in MODE 6 when the reactor vessel head is on. The pressurizer safety valves provide overpressure protection that meets the Reference 1 P/T limits above the LTOP enable temperature.
The requirements for overpressure protection in MODES 1, 2 and 3, and in MODE 4 above the LTOP System temperatures are covered by LCO 3.4.10, "Pressurizer Safety Valves - MODES 1, 2, and 3," and LCO 3.4.11, "Pressurizer Safety Valves - MODE 4." When the reactor vessel head is off overpressurization cannot occur.

LCO 3.4.3 provides the operational P/T limits for all MODES.

Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure when little or no time allows operator action to mitigate the event.

ACTIONS

A Note prohibits the application of LCO 3.0.4.b to an inoperable LTOP system. There is an increased risk associated with entering MODE 4 from MODE 5 with LTOP inoperable and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of the risk assessment addressing the inoperable systems and components, should not be applied in this circumstance.

A.1

In MODE 4 when any RCS cold leg temperature is less than or equal to the LTOP enable temperature specified in the PTLR with one Shutdown Cooling System suction line relief valve inoperable, two Shutdown Cooling System suction line relief valves must be restored to OPERABLE status within a Completion Time of 7 days. Two valves are required to meet the LCO requirement and to provide low temperature overpressure mitigation while withstanding a single failure of an active component.
The Completion Time is based on the facts that only one Shutdown Cooling System suction line relief valve is required to mitigate an overpressure transient and that the likelihood of an active failure of the remaining valve path during this time period is very low.

B.1

The consequences of operational events that will overpressure the RCS are more severe at lower temperature (Ref. 6). Thus, with one required Shutdown Cooling System suction line relief valve inoperable in MODE 5 or in MODE 6 with the head on, the Completion Time to restore the inoperable valve to OPERABLE status is 24 hours.

The 24 hour Completion Time to restore two Shutdown Cooling System suction line relief valves OPERABLE in MODE 5 or in MODE 6 when the vessel head is on is a reasonable amount of time to investigate and repair several types of Shutdown Cooling System suction line relief valve failures without exposure to a lengthy period with only one Shutdown Cooling System suction line relief valve OPERABLE to protect against overpressure events.

C.1

If two required Shutdown Cooling System suction line relief valves are inoperable, or if a Required Action and the associated Completion Time of Condition A or B are not met, the RCS must be depressurized and a vent established within 8 hours. The vent must be sized at least 16 square inches to ensure the flow capacity is greater than that required for the worst case mass input transient reasonable during the applicable MODES. This action protects the RCPB from a low temperature overpressure event and a possible brittle failure of the reactor vessel. For personnel safety considerations, the RCS cold leg temperature must be reduced to less than 200°F prior to venting.
The Completion Time of 8 hours to depressurize and vent the RCS is based on the time required to place the plant in this condition and the relatively low probability of an overpressure event during this time period due to increased operator awareness of administrative control requirements.

SURVEILLANCE REQUIREMENTS

SR 3.4.13.1 and 3.4.13.2

SR 3.4.13.1 and SR 3.4.13.2 require verifying that the RCS vent is open 16 square inches or that the Shutdown Cooling System suction line relief valves be aligned to provide overpressure protection for the RCS is proven OPERABLE by verifying its open pathway condition. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

For an RCS vent to meet the specified flow capacity, it requires removing all pressurizer safety valves, or similarly establishing a vent by opening the pressurizer manway (Ref. 10). The vent path(s) must be above the level of reactor coolant, so as not to drain the RCS when open.

The passive vent arrangement must only be open (vent pathway exists) to be OPERABLE. These Surveillances need only be performed if the vent or the Shutdown Cooling System suction line relief valves are being used to satisfy the requirements of this LCO. The Frequencies consider operating experience with mispositioning of unlocked and locked pathway vent valves, and passive pathway obstructions.

SR 3.4.13.3

SRs are specified in the Inservice Testing Program. Shutdown Cooling System suction line relief valves are to be tested in accordance with the requirements of the ASME OM Code (Ref.
9), which provides the activities and the Frequency necessary to satisfy the SRs. The Shutdown Cooling System suction line relief valve set point is 467 psig.

REFERENCES

1. 10 CFR 50, Appendix G.

2. Generic Letter 88-11.

3. UFSAR, Section 15.

4. 10 CFR 50.46.

5. 10 CFR 50, Appendix K.

6. Generic Letter 90-06.

7. UFSAR, Section 5.2.

8. N001-0601-00404. "Palo Verde Nuclear Generating Station Units 1, 2, and 3 LTOP Evaluation"

9. ASME Code for Operation and Maintenance of Nuclear Power Plants.

10. 13-COO-93-016, Sensitivity Study on Pressurizer Vent Paths vs. Days Post Shutdown.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.14 RCS Operational LEAKAGE

BASES

BACKGROUND

Components that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.

During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.

10 CFR 50, Appendix A, GDC 30 (Ref. 1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.
The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur detrimental to the safety of the facility and the public.

A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight. Leakage from these systems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS LEAKAGE detection.

This LCO deals with protection of the Reactor Coolant Pressure Boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analysis radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a Loss Of Coolant Accident (LOCA).

APPLICABLE SAFETY ANALYSES

The PVNGS safety analyses do not address RCS operational LEAKAGE other than primary to secondary LEAKAGE. Analyses for events that result in a steam discharge from the secondary system to the atmosphere assume 1 gallon per minute (gpm) total primary to secondary LEAKAGE at the time of event initiation.
These analyses include the Inadvertent Opening of a Steam Generator Atmospheric Dump Valve (IOSGADV); Main Steam Line Break (MSLB); Feedwater Line Break (FWLB); Reactor Coolant Pump Sheared Shaft and Seized Rotor (SS/SR); Control Element Assembly Ejection (CEAE); Steam Generator Tube Rupture (SGTR); Small Break Loss of Coolant Accident (SBLOCA); and an Anticipated Operational Occurrence (AOO) in combination with a Single Failure (i.e., a loss of forced RCS flow initiated from the DNBR SAFDL). While some events assume the 1 gpm LEAKAGE is in one steam generator, others assume 0.5 gpm per steam generator (1 gpm total) as an initial condition. Therefore, the individual UFSAR event section must be reviewed to determine the assumed primary to secondary LEAKAGE for a specific transient or accident. Although the Large Break Loss of Coolant Accident (LBLOCA) also results in a discharge from the secondary system to the atmosphere, the analysis for that event addresses releases from containment building through a depressurized secondary system, rather than 1 gpm primary to secondary LEAKAGE.

Primary to secondary LEAKAGE contaminates the secondary system and is therefore a contributor to radiological dose consequences. For PVNGS, a postulated SGTR in combination with a Loss of Offsite Power (LOP), a stuck open Atmospheric Dump Valve (ADV), and a Pre-accident Iodine Spike (PIS) yields the most severe offsite dose consequences (Ref. 3), whereas a postulated CEAE yields the most severe control room dose consequences (Ref. 4). The consequences resulting from these and other analyzed events, however, remain within the offsite dose limits of 10 CFR Part 100 (Ref. 5); the control room dose limits of 10 CFR 50, Appendix A, GDC 19 (Ref. 6); or other NRC-approved, event-specific licensing bases (e.g., a small fraction of 10 CFR 100 limits).
The Technical Specification limit of 150 gallons per day (gpd) primary to secondary LEAKAGE through any one steam generator is significantly less than the initial conditions assumed in the safety analyses. The 150 gpd limit is based on operating experience as an indication of one or more propagating tube leak mechanisms. This leakage rate limit provides additional assurance against tube rupture at normal and faulted conditions and provides additional assurance that cracks will not propagate to burst prior to detection by leakage monitoring methods and commencement of plant shutdown.

RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE

No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

b. Unidentified LEAKAGE

One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

c.
Identified LEAKAGE

Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS makeup system. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled Reactor Coolant Pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system.

LCO 3.4.15, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leaktight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.

d. Primary to Secondary LEAKAGE through Any One SG

The limit of 150 gallons per day per SG is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Ref. 7). The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150 gallons per day." The limit is based on operating experience with SG tube degradation mechanisms that result in tube leakage. The operational leakage rate criterion in conjunction with the implementation of the Steam Generator Program is an effective measure for minimizing the frequency of steam generator tube ruptures.
APPLICABILITY

In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

ACTIONS

A.1

Unidentified LEAKAGE or identified LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1 and B.2

If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within limits, or if unidentified or identified LEAKAGE cannot be reduced to within limits within 4 hours, the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential consequences. The reactor must be brought to MODE 3 within 6 hours and to MODE 5 within 36 hours. This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.

The allowed Completion Times are reasonable, based on operating experience, to reach the required conditions from full power conditions in an orderly manner and without challenging plant systems. In MODE 5, the pressure stresses acting on the RCPB are much lower, and further deterioration is much less likely.
SURVEILLANCE REQUIREMENTS

SR 3.4.14.1

Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE and can only be positively identified by inspection. Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance.

The RCS water inventory balance must be performed with the reactor at steady state operating conditions (stable pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows). This surveillance is modified by two notes. Note 1 states that this SR is not required to be performed until 12 hours after establishing steady state operation. This means that once steady state operating conditions are established, 12 hours is allowed for completing the Surveillance. When required by the Frequency, and after steady state operating conditions are established, the surveillance must be completed prior to the end of 12 hours of steady state operation. If steady state operating conditions have not been established for 12 hours, this surveillance is not required until steady state operation is established for 12 hours. This SR is not required to be completed prior to changing MODES if steady state operation has not been established for 12 hours. The 12 hour allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established. Further discussion of SR note format is found in Section 1.4, Frequency.

Note 1 allows for SR 3.4.14.1 nonperformance due to planned or unplanned transients.
This Note is not intended to allow transients solely for the purpose of avoiding SR 3.4.14.1 performance.

Steady state operation is required to perform a proper water inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and the containment sump level. These leakage detection systems are specified in LCO 3.4.16, "RCS Leakage Detection Instrumentation."

Note 2 states that this SR is not applicable to primary to secondary LEAKAGE because LEAKAGE of 150 gallons per day cannot be measured accurately by an RCS water inventory balance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.14.2

This SR verifies that primary to secondary LEAKAGE is less than or equal to 150 gallons per day through any one SG. Satisfying the primary to secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Generator Program is met. If this SR is not met, compliance with LCO 3.4.18, "Steam Generator Tube Integrity," should be evaluated. The 150 gallons per day limit is measured at room temperature as described in Reference 8. The operational LEAKAGE rate limit applies to LEAKAGE through any one SG.
If it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary LEAKAGE should be conservatively assumed to be from one SG.

The Surveillance is modified by a Note which states that the Surveillance is not required to be performed until 12 hours after establishment of steady state operation. This means that once steady state operating conditions are established, 12 hours is allowed for completing the Surveillance. When required by the Frequency, and after steady state operating conditions are established, the surveillance must be completed prior to the end of 12 hours of steady state operation. If steady state operating conditions have not been established for 12 hours, this surveillance is not required until steady state operation is established for 12 hours. This SR is not required to be completed prior to changing MODES if steady state operation has not been established for 12 hours. The 12 hour allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established. Further discussion of SR note format is found in Section 1.4, Frequency.

The Note allows for SR 3.4.14.2 nonperformance due to planned or unplanned transients. This Note is not intended to allow transients solely for the purpose of avoiding SR 3.4.14.2 performance. For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 30.
2. Regulatory Guide 1.45, May 1973.
3. UFSAR, Section 15.6.
4. UFSAR, Section 6.4.
5. 10 CFR Part 100.
6. 10 CFR 50, Appendix A, GDC 19.
7. NEI 97-06, "Steam Generator Program Guidelines."
8. EPRI, "Pressurized Water Reactor Primary-to-Secondary Leak Guidelines."

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.15 RCS Pressure Isolation Valve (PIV) Leakage

BASES

BACKGROUND

10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (Refs. 1, 2, and 3), define RCS PIVs as any two normally closed valves in series within the RCS pressure boundary that separate the high pressure RCS from an attached low pressure system. During their lives, these valves can produce varying amounts of reactor coolant leakage through either normal operational wear or mechanical deterioration. The RCS PIV LCO allows RCS high pressure operation when leakage through these valves exists in amounts that do not compromise safety.

The PIV leakage limit applies to each individual valve. Leakage through both PIVs in series in a line must be included as part of the identified LEAKAGE, governed by LCO 3.4.14, "RCS Operational LEAKAGE." This is true during operation only when the loss of RCS mass through two valves in series is determined by a water inventory balance (SR 3.4.14.1). A known component of the identified LEAKAGE before operation begins is the lesser of the two individual leakage rates determined for leaking series PIVs during the required surveillance testing; leakage measured through one PIV in a line is not RCS operational LEAKAGE if the other is leaktight.

Although this specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overpressure failure of the low pressure portions of connecting systems.
The leakage limit is an indication that the PIVs between the RCS and the connecting systems are degraded or degrading. PIV leakage could lead to overpressure of the low pressure piping or components. Failure consequences could be a Loss of Coolant Accident (LOCA) outside of containment, an unanalyzed condition that could degrade the ability for low pressure injection.

The basis for this LCO is the 1975 NRC "Reactor Safety Study" (Ref. 4) that identified potential intersystem LOCAs as a significant contributor to the risk of core melt. A subsequent study (Ref. 5) evaluated various PIV configurations to determine the probability of intersystem LOCAs.

PIVs are provided to isolate the RCS from the following typically connected systems:

a. Shutdown Cooling (SDC) System; and
b. Safety Injection System.

The PIVs are listed in UFSAR section 3.9.6.2 (Ref. 6).

Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.

APPLICABLE SAFETY ANALYSES

Reference 4 identified potential intersystem LOCAs as a significant contributor to the risk of core melt. The dominant accident sequence in the intersystem LOCA category is the failure of the low pressure portion of the SDC System outside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the Reactor Coolant Pressure Boundary (RCPB), and the subsequent pressurization of the SDC System downstream of the PIVs from the RCS.
Because the low pressure portion of the SDC System is typically designed for 485 psig, overpressurization failure of the SDC low pressure line would result in a LOCA outside containment and subsequent risk of core melt.

Reference 5 evaluated various PIV configurations, leakage testing of the valves, and operational changes to determine the effect on the probability of intersystem LOCAs. This study concluded that periodic leakage testing of the PIVs can substantially reduce the probability of an intersystem LOCA.

RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

RCS PIV leakage is identified LEAKAGE into closed systems connected to the RCS. Isolation valve leakage is usually on the order of drops per minute. Leakage that increases significantly suggests that something is operationally wrong and corrective action must be taken.

The LCO PIV leakage limit is 0.5 gpm per nominal inch of valve size, with a maximum limit of 5 gpm. The previous criterion of 1 gpm for all valve sizes imposed an unjustified penalty on the larger valves without providing information on potential valve degradation and resulted in higher personnel radiation exposures. A study concluded a leakage rate limit based on valve size was superior to a single allowable value.

Reference 7 permits leakage testing at a lower pressure differential than between the specified maximum RCS pressure and the normal pressure of the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressure will tend to diminish the overall leakage channel opening.
In such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential to the one half power.

APPLICABILITY

In MODES 1, 2, 3, and 4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized. In MODE 4, valves in the SDC flow path are not required to meet the requirements of this LCO when in, or during the transition to or from, the SDC mode of operation.

In MODES 5 and 6, leakage limits are not provided because the lower reactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment.

ACTIONS

The Actions are modified by two Notes. Note 1 is added to provide clarification that each flow path allows separate entry into a Condition. This is allowed based on the functional independence of the flow path. Note 2 requires an evaluation of affected systems if a PIV is inoperable. The leakage may have affected system operability, or isolation of a leaking flow path with an alternate valve may have degraded the ability of the interconnected system to perform its safety function.

A.1 and A.2

The flowpath must be isolated by two valves. Required Actions A.1 and A.2 are modified by a Note stating that the valves used for isolation must meet the same leakage requirements as PIVs and must be in the RCPB.

Required Action A.1 requires that the isolation with one valve must be performed within 4 hours.
Four hours provides time to reduce leakage in excess of the allowable limit and to isolate if leakage cannot be reduced. The 4 hours allows the actions and restricts the operation with leaking isolation valves.

The 72 hour Completion Time after exceeding the limit allows for the restoration of the leaking PIV to OPERABLE status. This timeframe considers the time required to complete this Action and the low probability of a second valve failing during this period.

B.1 and B.2

If leakage cannot be reduced, the system isolated, or other Required Actions accomplished, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours and to MODE 5 within 36 hours. This Action reduces the leakage and also reduces the potential for a LOCA outside the containment. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.15.1

Performance of leakage testing on each RCS PIV or isolation valve used to satisfy Required Action A.1 or A.2 is required to verify that leakage is below the specified limit and to identify each leaking valve. The leakage limit of 0.5 gpm per inch of nominal valve diameter up to 5 gpm maximum applies to each valve. Leakage testing requires a stable pressure condition.

For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves.
If the PIVs are not individually leakage tested, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost. Testing is to be performed every 9 months, but may be extended if the plant does not go into MODE 5 for at least 7 days. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, testing must be performed once after the valve has been opened by flow or exercised to ensure tight reseating. PIVs disturbed in the performance of this Surveillance should also be tested unless documentation shows that an infinite testing loop cannot practically be avoided. Testing must be performed within 24 hours after the valve has been reseated. Within 24 hours is a reasonable and practical time limit for performing this test after opening or reseating a valve. The SDC PIVs excepted in two of the three FREQUENCIES are UV-651, UV-652, UV-653, and UV-654, due to position indication of the valves in the control room. Although not explicitly required by SR 3.4.15.1, performance of leakage testing to verify leakage is below the specified limit must be performed prior to returning a valve to service following maintenance, repair or replacement work on the valve in order to demonstrate operability. The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2. This permits leakage testing at high differential pressures with stable conditions not possible in the MODES with lower pressures. 
Entry into MODES 3 and 4 is allowed to establish the necessary differential pressures and stable conditions to allow for performance of this Surveillance. The Note that allows this provision is complementary to the Frequency of prior to entry into MODE 2 whenever the unit has been in MODE 5 for 7 days or more, if leakage testing has not been performed in the previous 9 months. In addition, this Surveillance is not required to be performed on the SDC System when the SDC System is aligned to the RCS in the shutdown cooling mode of operation. PIVs contained in the SDC shutdown cooling flow path must be leakage rate tested after SDC is secured and stable unit conditions and the necessary differential pressures are established.

SR 3.4.15.2

Verifying that the SDC open permissive interlocks are OPERABLE, when tested as described in Reference 10, ensures that RCS pressure will not pressurize the SDC system beyond 125% of its design pressure of 485 psig.

The interlock setpoint that prevents the valves from being opened is set so the actual RCS pressure must be <410 psia to open the valves. This setpoint ensures the SDC design pressure will not be exceeded and the SDC relief valves (Reference 9) will not lift. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50.2.
2. 10 CFR 50.55a(c).
3. 10 CFR 50, Appendix A, Section V, GDC 55.
4. WASH-1400 (NUREG-75/014), Appendix V, October 1975.
5. NUREG-0677, May 1980.
6. UFSAR, Section 3.9.6.2.
7. ASME Code for Operation and Maintenance of Nuclear Power Plants.
8. 10 CFR 50.55a(g).
9. T.S. LCO 3.4.13 (LTOP).
10. UFSAR Section 7.6.2.2.1, (4.10).
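The B 3.4.15 PIV leakage criteria above (size-based limit capped at 5 gpm, square-root adjustment of a reduced-pressure reading to the maximum pressure differential, each series valve judged individually) worked through as an added Python example; it is not part of the Bases or of any plant procedure. The valve tags, the 2200 psid maximum differential and the test readings are constructed, and treating the limit as less-than-or-equal and giving no downward credit for a test above the maximum differential are assumptions.

```python
"""Added illustration of the B 3.4.15 PIV leakage acceptance logic."""
import math
from dataclasses import dataclass

GPM_PER_NOMINAL_INCH = 0.5   # LCO limit: 0.5 gpm per nominal inch of valve size
MAX_LIMIT_GPM = 5.0          # with a maximum limit of 5 gpm


@dataclass
class PivTest:
    tag: str                      # hypothetical valve tag
    nominal_size_in: float        # nominal valve size, inches
    observed_gpm: float           # leak rate measured during the test
    test_dp_psid: float           # differential pressure during the test
    pressure_tightens_seat: bool  # higher service pressure diminishes the leak path


def piv_limit_gpm(nominal_size_in):
    """Size-based leakage limit, capped at 5 gpm."""
    if nominal_size_in <= 0:
        raise ValueError("nominal valve size must be positive")
    return min(GPM_PER_NOMINAL_INCH * nominal_size_in, MAX_LIMIT_GPM)


def adjust_to_max_dp(observed_gpm, test_dp_psid, max_dp_psid):
    """Scale a reduced-pressure reading to the maximum differential,
    taking leakage as proportional to the square root of the differential."""
    if observed_gpm < 0 or test_dp_psid <= 0 or max_dp_psid <= 0:
        raise ValueError("leak rate must be >= 0 and pressures > 0")
    if test_dp_psid >= max_dp_psid:
        # Assumption: no downward credit for a test run above the maximum dP.
        return observed_gpm
    return observed_gpm * math.sqrt(max_dp_psid / test_dp_psid)


def evaluate_valve(test, max_dp_psid):
    """Judge one valve against its own limit."""
    limit = piv_limit_gpm(test.nominal_size_in)
    reduced_pressure = test.test_dp_psid < max_dp_psid
    if reduced_pressure and not test.pressure_tightens_seat:
        # The adjustment is only permitted for valve types in which higher
        # service pressure tends to close the leakage channel, so a
        # reduced-pressure reading on any other valve cannot be scaled.
        return {"tag": test.tag, "limit_gpm": limit,
                "adjusted_gpm": None, "status": "RETEST"}
    adjusted = adjust_to_max_dp(test.observed_gpm, test.test_dp_psid, max_dp_psid)
    # Assumption: the limit is treated as less-than-or-equal.
    status = "PASS" if adjusted <= limit else "FAIL"
    return {"tag": test.tag, "limit_gpm": limit,
            "adjusted_gpm": adjusted, "status": status}


def evaluate_line(first, second, max_dp_psid):
    """Evaluate two PIVs in series. Each valve must pass on its own; the
    combined leakage across the pair is never used for acceptance."""
    valves = [evaluate_valve(v, max_dp_psid) for v in (first, second)]
    rates = [v["adjusted_gpm"] for v in valves]
    # Known identified-LEAKAGE component: the lesser of the two rates,
    # which is zero when either valve is leaktight.
    identified = None if None in rates else min(rates)
    return {"valves": valves,
            "line_ok": all(v["status"] == "PASS" for v in valves),
            "identified_leakage_gpm": identified}


# Constructed sample data, not plant values.
MAX_DP_PSID = 2200.0
SAMPLE_FIRST = PivTest("PIV-A", 12.0, 2.0, 550.0, True)
SAMPLE_SECOND = PivTest("PIV-B", 3.0, 1.0, 550.0, True)

if __name__ == "__main__":
    result = evaluate_line(SAMPLE_FIRST, SAMPLE_SECOND, MAX_DP_PSID)
    for valve in result["valves"]:
        print(valve)
    print("line ok:", result["line_ok"],
          "identified gpm:", result["identified_leakage_gpm"])
```

In the sample, the 12-inch valve passes at 4.0 gpm adjusted against the 5 gpm cap while the 3-inch valve fails at 2.0 gpm against its 1.5 gpm limit, which is the case a combined-leakage test across both valves would have hidden.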

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.16 RCS Leakage Detection Instrumentation

BASES

BACKGROUND

GDC 30 of Appendix A to 10 CFR 50 (Ref. 1) requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.

Leakage detection systems must have the capability to detect significant Reactor Coolant Pressure Boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential for propagation to a gross failure. Thus, an early indication or warning signal is necessary to permit proper evaluation of all unidentified LEAKAGE.

Industry practice has shown that water flow changes of 0.5 gpm to 1.0 gpm can readily be detected in contained volumes by monitoring changes in water level, in flow rate, or in the operating frequency of a pump. The containment sump monitor consists of instrumentation used to monitor containment sump level and flow (pump run time). The containment sump used to collect unidentified LEAKAGE is instrumented to alarm if the rate of level increase corresponds to a sump inflow greater than 1 gpm for 1 hour (Ref. 3). This sensitivity is acceptable for detecting increases in unidentified LEAKAGE.

The reactor coolant contains radioactivity that, when released to the containment, can be detected by radiation monitoring instrumentation. Reactor coolant radioactivity levels will be low during initial reactor startup and for a few weeks thereafter until activated corrosion products have been formed and fission products appear from fuel element cladding contamination or cladding defects.
Instrument sensitivities of 10⁻⁹ µCi/cc radioactivity for particulate monitoring and of 10⁻⁶ µCi/cc radioactivity for gaseous monitoring are practical for these leakage detection systems. Radioactivity detection systems are included for monitoring both particulate and gaseous activities, because of their sensitivities and responses to RCS LEAKAGE.

An increase in humidity of the containment atmosphere would indicate release of water vapor to the containment. Dew point temperature or relative humidity measurements can thus be used to monitor increasing humidity levels of the containment atmosphere as an indicator of potential RCS LEAKAGE.

Since the humidity level is influenced by several factors, a quantitative evaluation of an indicated leakage rate by this means may be questionable and should be compared to observed increases in liquid flow into or from the containment sump. Humidity level monitoring is considered most useful as an indirect alarm or indication to alert the operator to a potential problem. Humidity monitors are not required by this LCO.

Air temperature and pressure monitoring methods may also be used to infer unidentified LEAKAGE to the containment. Containment temperature and pressure fluctuate slightly during plant operation, but a rise above the normally indicated range of values may indicate RCS LEAKAGE into the containment. The relevance of temperature and pressure measurements is affected by containment free volume and, for temperature, detector location. Alarm signals from these instruments can be valuable in recognizing a sizable leakage to the containment. Temperature and pressure monitors are not required by this LCO.
APPLICABLE SAFETY ANALYSES

The need to evaluate the severity of an alarm or an indication is important to the operators, and the ability to compare and verify with indications from other systems is necessary. The RCS leakage detection instrumentation is described in the UFSAR (Ref. 3). Multiple instrument locations are utilized, if needed, to help identify the location of the LEAKAGE source.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area are necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, allowing them to take corrective action should leakage occur detrimental to the safety of the facility and the public.

RCS leakage detection instrumentation satisfies Criterion 1 of 10 CFR 50.36 (c)(2)(ii).

LCO

One method of protecting against large RCS LEAKAGE derives from the ability of instruments to detect extremely small leaks. This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide a high degree of confidence that extremely small leaks are detected in time to allow actions to place the plant in a safe condition when RCS LEAKAGE indicates possible RCPB degradation.

The LCO is satisfied when monitors of diverse measurement means are available.
Thus, the containment sump monitor in combination with a particulate and gaseous radioactivity monitor (RU-1) provides an acceptable minimum. It has been determined that it is acceptable to continue to call the containment sump OPERABLE with one containment sump pump out of service.

APPLICABILITY

Because of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be OPERABLE.

In MODE 5 or 6, the temperature is 210°F and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1, 2, 3, and 4, the likelihood of leakage and crack propagation is much smaller. Therefore, the requirements of this LCO are not applicable in MODES 5 and 6.

ACTIONS

A.1 and A.2

If the containment sump monitor is inoperable, no other form of sampling can provide the equivalent information.

However, the containment atmosphere radioactivity monitor will provide indications of changes in leakage. Together with the atmosphere monitor, the periodic surveillance for RCS water inventory balance, SR 3.4.14.1, must be performed at an increased frequency of 24 hours to provide information that is adequate to detect leakage.

Restoration of the sump monitor to OPERABLE status is required to regain the function in a Completion Time of 30 days after the monitor's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.1.
B.1.1, B.1.2, and B.2

With either the gaseous or particulate containment atmosphere radioactivity monitoring instrumentation channels inoperable, alternative action is required. Either grab samples of the containment atmosphere must be taken and analyzed, or water inventory balances, in accordance with SR 3.4.14.1, must be performed to provide alternate periodic information. With a sample obtained and analyzed or an inventory balance performed every 24 hours, the reactor may be operated for up to 30 days to allow restoration of both of the radioactivity monitors.

The 24 hour interval provides periodic information that is adequate to detect leakage. The 30 day Completion Time recognizes at least one other form of leakage detection is available.

C.1

If any Required Action of Condition A or B cannot be met within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1

If all required monitors are inoperable, no automatic means of monitoring leakage are available and immediate plant shutdown in accordance with LCO 3.0.3 is required.

SURVEILLANCE REQUIREMENTS

SR 3.4.16.1

SR 3.4.16.1 requires the performance of a CHANNEL CHECK of the required containment atmosphere radioactivity monitors.
The check gives reasonable confidence the channel is operating properly. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.16.2

SR 3.4.16.2 requires the performance of a CHANNEL FUNCTIONAL TEST of the required containment atmosphere radioactivity monitors. The test ensures that the monitor can perform its function in the desired manner. The test verifies the alarm setpoint and relative accuracy of the instrument string. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The alarm setpoints for the containment building atmosphere monitor (RU-1) are:

particulate: 2.3 x 10⁻⁶ µCi/cc CS-137
gaseous: 6.6 x 10⁻² µCi/cc Xe-133

SR 3.4.16.3, SR 3.4.16.4

These SRs require the performance of a CHANNEL CALIBRATION for each of the RCS leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the instruments located inside containment. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, Section IV, GDC 30.
2. Regulatory Guide 1.45.
3. UFSAR, Section 5.2.5.
B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.17 RCS Specific Activity

BASES

BACKGROUND

The maximum dose that an individual at the exclusion area boundary can receive for 2 hours following an accident, or at the low population zone outer boundary for the radiological release duration, is specified in 10 CFR 100.11 (Ref. 1). Doses to control room operators must be limited per GDC 19. The limits on specific activity ensure that the offsite and control room doses are appropriately limited during analyzed transients and accidents. The RCS specific activity LCO limits the allowable concentration level of radionuclides in the reactor coolant. The LCO limits are established to minimize the dose consequences in the event of a steam generator tube rupture (SGTR) accident. The LCO contains specific activity limits for both DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133. The allowable levels are intended to ensure that offsite and control room doses meet the 10 CFR 100.11 (Ref. 1) and GDC 19 limits respectively.

APPLICABLE SAFETY ANALYSES

The LCO limits on the specific activity of the reactor coolant ensure that the resulting offsite and control room doses meet the 10 CFR 100.11 (Ref. 1) and GDC 19 limits following a SGTR accident. The safety analysis (Ref. 2) assumes the specific activity of the reactor coolant is at the LCO limits, and an existing reactor coolant steam generator (SG) tube leakage rate of 1.0 gpm exists. The safety analysis assumes the specific activity of the secondary coolant is at its limit of 0.1 µCi/gm DOSE EQUIVALENT I-131 from LCO 3.7.16, "Secondary Specific Activity."
The analysis for a SGTR accident establishes the acceptance limits for RCS specific activity. Reference to this analysis is used to assess changes to the unit that could affect RCS specific activity, as they relate to the acceptance limits. The safety analysis considers two cases of reactor coolant iodine specific activity. One case assumes specific activity at 1.0 µCi/gm DOSE EQUIVALENT I-131 with a concurrent large iodine spike that increases the rate of release of iodine from the fuel rods containing cladding defects to the primary coolant immediately after a SGTR (by a factor of 335). The second case assumes the initial reactor coolant iodine activity at 60.0 µCi/gm DOSE EQUIVALENT I-131 due to an iodine spike caused by a reactor or an RCS transient prior to the accident. In both cases, the noble gas specific activity is assumed to be 550 µCi/gm DOSE EQUIVALENT XE-133.

The SGTR analysis assumes a rise in pressure in the ruptured SG causes radioactively contaminated steam to discharge to the atmosphere through the atmospheric dump valves or the main steam safety valves. The atmospheric discharge continues through an assumed stuck open atmospheric dump valve. The unaffected SG removes core decay heat by venting steam until the cooldown event ends and the Shutdown Cooling (SDC) system is placed in service.

Operation with iodine specific activity levels greater than the LCO limit is permissible, if the activity levels do not exceed 60.0 µCi/gm for more than 48 hours. The limits on RCS specific activity are also used for establishing standardization in radiation shielding and plant personnel radiation protection practices.
RCS specific activity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

The iodine specific activity in the reactor coolant is limited to 1.0 µCi/gm DOSE EQUIVALENT I-131, and the noble gas specific activity in the reactor coolant is limited to 550 µCi/gm DOSE EQUIVALENT XE-133. The limits on specific activity ensure that offsite and control room doses will meet the 10 CFR 100.11 (Ref. 1) and GDC 19 limits. The SGTR accident analysis (Ref. 2) shows that the calculated doses are within acceptable limits. Violation of the LCO may result in reactor coolant radioactivity levels that could, in the event of a SGTR, lead to doses that exceed the 10 CFR 100.11 (Ref. 1) and GDC 19 limits.

APPLICABILITY

In MODES 1, 2, 3, and 4, operation within the LCO limits for DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133 is necessary to limit the potential consequences of a SGTR to within the 10 CFR 100.11 (Ref. 1) and GDC 19 limits. In MODES 5 and 6, the steam generators are not being used for decay heat removal, the RCS and steam generators are depressurized, and primary to secondary leakage is minimal. Therefore, the monitoring of RCS specific activity is not required.

ACTIONS

A.1 and A.2

With the DOSE EQUIVALENT I-131 greater than the LCO limit, samples at intervals of 4 hours must be taken to demonstrate that the specific activity is . The Completion Time of 4 hours is required to obtain and analyze a sample. Sampling is continued every 4 hours to provide a trend. The DOSE EQUIVALENT I-131 must be restored to within limit within 48 hours.
The Completion Time of 48 hours is acceptable since it is expected that, if there were an iodine spike, the normal coolant iodine concentration would be restored within this time period. Also, there is a low probability of a SGTR occurring during this time period.

A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S), relying on Required Actions A.1 and A.2 while the DOSE EQUIVALENT I-131 LCO limit is not met. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or proceeds to, power operation.

B.1

With the DOSE EQUIVALENT XE-133 greater than the LCO limit, DOSE EQUIVALENT XE-133 must be restored to within limit within 48 hours. The allowed Completion Time of 48 hours is acceptable since it is expected that, if there were a noble gas spike, the normal coolant noble gas concentration would be restored within this time period. Also, there is a low probability of a SGTR occurring during this time period.

A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S), relying on Required Action B.1 while the DOSE EQUIVALENT XE-133 LCO limit is not met.
This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or proceeds to, power operation.

C.1 and C.2

If the Required Action and associated Completion Time of Condition A or B is not met, or if the DOSE EQUIVALENT I-131 is > 60.0 µCi/gm, the reactor must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.17.1

SR 3.4.17.1 requires performing a gamma isotopic analysis as a measure of the noble gas specific activity of the reactor coolant. This measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveillance provides an indication of any increase in the noble gas specific activity. Trending the results of this Surveillance allows proper remedial action to be taken before reaching the LCO limit under normal operating conditions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT XE-133 is not detected, it should be assumed to be present at the minimum detectable activity.

SR 3.4.17.2

This Surveillance is performed to ensure iodine specific activity remains within limit during normal operation and following fast power changes when iodine spiking is more apt to occur.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Frequency, between 2 hours and 6 hours after a power change of ~15% RTP within a 1 hour period, is established because the iodine levels peak during this time following iodine spike initiation; samples at other times would provide inaccurate results. If a specific iodine isotope listed in the definition of DOSE EQUIVALENT I-131 is not detected, it should be assumed to be present at the minimum detectable activity.

REFERENCES

1. 10 CFR 100.11
2. UFSAR, Section 15.6.3

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.18 Steam Generator (SG) Tube Integrity

BASES

BACKGROUND

Steam generator (SG) tubes are small diameter, thin walled tubes that carry primary coolant through the primary to secondary heat exchangers. The SG tubes have a number of important safety functions. SG tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary system's pressure and inventory. The SG tubes isolate the radioactive fission products in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface between the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function is addressed by LCO 3.4.4, "RCS Loops - MODES 1 and 2," LCO 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled."
SG tube integrity means that the tubes are capable of performing their intended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements.

SG tubing is subject to a variety of degradation mechanisms. SG tubes may experience tube degradation related to corrosion phenomena, such as wastage, pitting, intergranular attack, and stress corrosion cracking, along with other mechanically induced phenomena such as denting and wear. These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG tube degradation.

Specification 5.5.9, "Steam Generator (SG) Program," requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification 5.5.9, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. The SG performance criteria are described in Specification 5.5.9. Meeting the SG performance criteria provides reasonable assurance of maintaining tube integrity at normal and accident conditions. The processes used to meet the SG performance criteria are defined by the Steam Generator Program Guidelines (Ref. 1).

APPLICABLE SAFETY ANALYSES

The steam generator tube rupture (SGTR) accident is the limiting design basis event for SG tubes and avoiding an SGTR is the basis for this Specification. The analysis of a SGTR event assumes a bounding primary to secondary LEAKAGE rate equal to one gallon per minute (1440 gallons per day) in the unaffected SG plus the leakage rate associated with a double-ended rupture of a single tube.
The SGTR accident analysis is described in UFSAR Section 15.6.3. The analysis for design basis accidents and transients other than a SGTR assumes the SG tubes retain their structural integrity (i.e., they are assumed not to rupture). In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE of 0.5 gallon per minute (gpm) from each SG or 1 gpm from both SGs, or is assumed to increase to those levels as a result of accident induced conditions. For accidents that do not involve fuel damage, the primary coolant activity level is assumed to be equal to the LCO 3.4.17, "RCS Specific Activity," limits. For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damaged fuel. The dose consequences of these events are within the limits of GDC 19 (Ref. 2), 10 CFR 100 (Ref. 3) or the NRC approved licensing basis (e.g., a small fraction of these limits).

Steam generator tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the repair criteria be plugged in accordance with the Steam Generator Program. During an SG inspection, any inspected tube that satisfies the Steam Generator Program repair criteria is removed from service by plugging. If a tube was determined to satisfy the repair criteria but was not plugged, the tube may still have tube integrity.
In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at the tube outlet. The tube-to-tubesheet weld is not considered part of the tube.

An SG tube has tube integrity when it satisfies the SG performance criteria. The SG performance criteria are defined in Specification 5.5.9, "Steam Generator Program," and describe acceptable SG tube performance. The Steam Generator Program also provides the evaluation process for determining conformance with the SG performance criteria.

There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. Failure to meet any one of these criteria is considered failure to meet the LCO.

The structural integrity performance criterion provides a margin of safety against tube burst or collapse under normal and accident conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tube burst is defined as, "The gross structural failure of the tube wall. The condition typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation." Tube collapse is defined as, "For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero." The structural integrity performance criterion provides guidance on assessing loads that have a significant effect on burst or collapse.
In that context, the term "significantly" is defined as "An accident loading condition other than differential pressure is considered significant when the addition of such loads in the assessment of the structural integrity performance criterion could cause a lower structural limit or limiting burst/collapse condition to be established." For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circumferential degradation, the classification of axial thermal loads as primary or secondary loads will be evaluated on a case-by-case basis. The division between primary and secondary classifications will be based on detailed analysis and/or testing.

Structural integrity requires that the primary membrane stress intensity in a tube not exceed the yield strength for all ASME Code, Section III, Service Level A (normal operating conditions) and Service Level B (upset or abnormal conditions) transients included in the design specification. This includes safety factors and applicable design basis loads based on ASME Code, Section III, Subsection NB (Ref. 4) and Draft Regulatory Guide 1.121 (Ref. 5).

The accident induced leakage performance criterion ensures that the primary to secondary LEAKAGE caused by a design basis accident, other than a SGTR, is within the accident analysis assumptions. The accident analysis assumes that accident induced leakage does not exceed 0.5 gpm from each SG or 1 gpm total from both SGs. The accident induced leakage rate includes any primary to secondary LEAKAGE existing prior to the accident in addition to primary to secondary LEAKAGE induced during the accident.
The operational LEAKAGE performance criterion provides an observable indication of SG tube conditions during plant operation. The limit on operational LEAKAGE is contained in LCO 3.4.14, "RCS Operational LEAKAGE," and limits primary to secondary LEAKAGE through any one SG to 150 gallons per day. This limit is based on the assumption that a single crack leaking this amount would not propagate to a SGTR under the stress conditions of a LOCA or main steam line break. If this amount of LEAKAGE is due to more than one crack, the cracks are very small, and the above assumption is conservative.

APPLICABILITY

Steam generator tube integrity is challenged when the pressure differential across the tubes is large. Large differential pressures across SG tubes can only be experienced in MODE 1, 2, 3, or 4.

RCS conditions are far less challenging in MODES 5 and 6 than during MODES 1, 2, 3, and 4. In MODES 5 and 6, primary to secondary differential pressure is low, resulting in lower stresses and reduced potential for LEAKAGE.

ACTIONS

The ACTIONS are modified by a Note clarifying that the Conditions may be entered independently for each SG tube. This is acceptable because the Required Actions provide appropriate compensatory actions for each affected SG tube. Complying with the Required Actions may allow for continued operation, and subsequent affected SG tubes are governed by subsequent Condition entry and application of associated Required Actions.
A.1 and A.2

Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube repair criteria but were not plugged in accordance with the Steam Generator Program as required by SR 3.4.18.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG repair criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must be completed that demonstrates that the SG performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integrity determination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, Condition B applies.

A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not have tube integrity.

If the evaluation determines that the affected tube(s) have tube integrity, Required Action A.2 allows plant operation to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported by an operational assessment that reflects the affected tube(s).
However, the affected tube(s) must be plugged prior to entering MODE 4 following the next refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.

B.1 and B.2

If the Required Actions and associated Completion Times of Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the desired plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.4.18.1

During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator Program ensures that the inspection is appropriate and consistent with accepted industry practices.

During SG inspections a condition monitoring assessment of the SG tubes is performed. The condition monitoring assessment determines the "as found" condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period.

The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube repair criteria. Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation.
Inspection methods are a function of degradation morphology, non-destructive examination (NDE) technique capabilities, and inspection locations.

The Steam Generator Program defines the Frequency of SR 3.4.18.1. The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 6). The Steam Generator Program uses information on existing degradations and growth rates to determine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next scheduled inspection. In addition, Specification 5.5.9 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections.

SR 3.4.18.2

During an SG inspection, any inspected tube that satisfies the Steam Generator Program repair criteria is removed from service by plugging. The tube repair criteria delineated in Specification 5.5.9 are intended to ensure that the tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In addition, the tube repair criteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.
The Frequency of prior to entering MODE 4 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the repair criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.

REFERENCES

1. NEI 97-06, "Steam Generator Program Guidelines."
2. 10 CFR 50 Appendix A, GDC 19.
3. 10 CFR 100.
4. ASME Boiler and Pressure Vessel Code, Section III, Subsection NB.
5. Draft Regulatory Guide 1.121, "Basis for Plugging Degraded Steam Generator Tubes," August 1976.
6. EPRI, "Pressurized Water Reactor Steam Generator Examination Guidelines."

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.1 Safety Injection Tanks (SITs) - Operating

BASES

BACKGROUND

The functions of the four SITs are to supply water to the reactor vessel during the blowdown phase of a Loss of Coolant Accident (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a small break LOCA.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refill phase of a LOCA follows immediately where reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of the SITs' inventory is then available to help fill voids in the lower plenum and reactor vessel downcomer to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of Safety Injection (SI) water.

The SITs are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The SITs are passive components, since no operator or control action is required for them to perform their function. Internal tank pressure is sufficient to discharge the contents to the RCS, if RCS pressure decreases below the SIT pressure.

Each SIT is piped into one RCS cold leg via the injection lines utilized by the High Pressure Safety Injection and Low Pressure Safety Injection (HPSI and LPSI) Systems.
Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. The motor operated isolation valves are normally open, with power removed from the valve motor to prevent inadvertent closure prior to or during an accident.

Additionally, the isolation valves are interlocked with the pressurizer pressure instrumentation channels to ensure that the valves will automatically open as RCS pressure increases above SIT pressure and to prevent inadvertent closure prior to an accident. The valves also receive a Safety Injection Actuation Signal (SIAS) to open. These features ensure that the valves meet the requirements of the Institute of Electrical and Electronic Engineers (IEEE) Standard 279-1971 (Ref. 1) for "operating bypasses" and that the SITs will be available for injection without reliance on operator action. During operations at RCS pressure greater than 430 psia the SIT isolation valves are procedurally locked open and motive power is removed with the breakers locked open, which is conservative with respect to SR 3.5.2.5. The open and closure interlocks are tested as described in UFSAR 7.6.2.2.2 (Reference 7). The open interlock is functionally tested per Reference 8 (TRM, T3.5 (ECCS); TSR 3.5.200.4). The SIAS function to open these valves is tested per Reference 8 using the method described in Reference 7.

The SIT gas and water volumes, gas pressure, and outlet pipe size are selected to allow three of the four SITs to partially recover the core before significant clad melting or zirconium water reaction can occur following a LOCA.
The need to ensure that three SITs are adequate for this function is consistent with the LOCA assumption that the entire contents of one SIT will be lost via the break during the blowdown phase of a LOCA.

APPLICABLE SAFETY ANALYSES

The SITs are taken credit for in both the large and small break LOCA analyses at full power (Ref. 2). These are the Design Basis Accidents (DBAs) that establish the acceptance limits for the SITs. Reference to the analyses for these DBAs is used to assess changes to the SITs as they relate to the acceptance limits.

In performing the LOCA calculations, conservative assumptions are made concerning the availability of SI flow. These assumptions include signal generation time, equipment starting times, and delivery time due to system piping. In the early stages of a LOCA with a loss of offsite power, the SITs provide the sole source of makeup water to the RCS. (The assumption of a loss of offsite power is required by regulations.) This is because the LPSI pumps and HPSI pumps cannot deliver flow until the Diesel Generators (DGs) start, come to rated speed, and go through their timed loading sequence. In cold leg breaks, the entire contents of one SIT are assumed to be lost through the break during the blowdown and reflood phases.

The limiting large break LOCA is a double ended guillotine cold leg break at the discharge of the reactor coolant pump. During this event, the SITs discharge to the RCS as soon as RCS pressure decreases to below SIT pressure. As a conservative estimate, the LBLOCA analysis does not take credit for the SI pump flow until the SITs are empty.
The actual delay from the time that the pressurizer pressure reaches the SIAS setpoint to the time that the SI flow is delivered to the RCS does not exceed 30 seconds. No operator action is assumed during the blowdown stage of a large break LOCA.

The worst case small break LOCA also assumes a time delay before pumped flow reaches the core. For the larger range of small breaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated solely by the SITs, with pumped flow then providing continued cooling. As break size decreases, the SITs and HPSI pumps both play a part in terminating the rise in clad temperature. As break size continues to decrease, the role of the SITs continues to decrease until they are not required, and the HPSI pumps become solely responsible for terminating the temperature increase.

This LCO helps to ensure that the following acceptance criteria, established by 10 CFR 50.46 (Ref. 3) for the ECCS, will be met following a LOCA:

a. Maximum fuel element cladding temperature is 2200°F;
b. Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;
c. Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; and
d. The core is maintained in a coolable geometry.

Since the SITs discharge during the blowdown phase of a LOCA, they do not contribute to the long term cooling requirements of 10 CFR 50.46. Since the SITs are passive components, single active failures are not applicable to their operation.
The SIT isolation valves and SIT nitrogen vent valves, however, are not single failure proof; therefore, whenever the SIT motor operated isolation valves are open, power is removed from their operators and the switch is key locked open. Whenever the SIT vent valves are closed, power is removed with a keylock switch. These precautions ensure that the SITs are available during an accident (Ref. 4). With power supplied to the valves, a single active failure could result in a valve failure, which would render one SIT unavailable for injection. If a second SIT is lost through the break, only two SITs would reach the core. Active failures that could affect the SITs would be the closure of a motor operated outlet valve or opening of a solenoid operated nitrogen vent valve; the requirement to remove power from these eliminates this failure mode.

The minimum volume requirement for the SITs ensures that three SITs can provide adequate inventory to reflood the core and downcomer following a LOCA. The downcomer then remains flooded until the HPSI and LPSI systems start to deliver flow. The maximum volume limit is based on maintaining an adequate gas volume to ensure proper injection and the ability of the SITs to fully discharge, as well as limiting the maximum amount of boron inventory in the SITs. A minimum of 1750 cubic feet of borated water, and a maximum of 1950 cubic feet of borated water are used in the safety analyses as the volume in the SITs. To allow for instrument inaccuracy, a 28% narrow range (corresponding to 1802 cubic feet) and a 72% narrow range (corresponding to 1914 cubic feet) are specified.
The analyses are based upon the cubic feet requirements; the percentage figures are provided in the LCO for operator use because the level indicator provided in the control room is marked in percentages, not in cubic feet.

The minimum nitrogen cover pressure requirement ensures that the contained gas volume will generate discharge flow rates during injection that are consistent with those assumed in the safety analyses. The maximum nitrogen cover pressure limit ensures that excessive amounts of gas will not be injected into the RCS after the SITs have emptied. A minimum pressure of 588 psig and a maximum pressure of 637 psig are used in the analyses. To allow for instrument accuracy, a 600 psig minimum and 625 psig maximum are specified.

The maximum allowable boron concentration of 4400 ppm is based upon boron precipitation limits in the core following a LOCA. Establishing a maximum limit for boron is necessary since the time at which boron precipitation would occur in the core following a LOCA is a function of break location, break size, the amount of boron injected into the core, and the point of ECCS injection. Post LOCA emergency procedures directing the operator to establish simultaneous hot and cold leg injection are based on the worst case minimum boron precipitation time. Maintaining the maximum SIT boron concentration within the upper limit ensures that the SITs do not invalidate this calculation. An excessive boron concentration in any of the borated water sources used for injection during a LOCA could result in boron precipitation earlier than predicted.
The 2300 ppm minimum boron concentration in the SITs assures that the back leakage from the RCS will not dilute the SITs below the minimum boron concentration in the safety analysis. The minimum safety analysis boron requirements of 2000 ppm are based on beginning of life reactivity values and are selected to ensure that the reactor will remain subcritical during the reflood stage of a large break LOCA. During a large break LOCA, all Control Element Assemblies (CEAs) are assumed not to insert into the core, and the initial reactor shutdown is accomplished by void formation during blowdown. Sufficient boron concentration must be maintained in the SITs to prevent a return to criticality during reflood. Although this requirement is similar to the basis for the minimum boron concentration of the Refueling Water Tank (RWT), the minimum SIT concentration is lower than that of the RWT since the SITs need not account for dilution by the RCS during a large break LOCA.

The SITs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO establishes the minimum conditions required to ensure that the SITs are available to accomplish their core cooling safety function following a LOCA. Four SITs are required to be OPERABLE to ensure that 100% of the contents of three of the SITs will reach the core during a LOCA. This is consistent with the assumption that the contents of one tank spill through the break. If the contents of fewer than three tanks are injected during the blowdown phase of a LOCA, the ECCS acceptance criteria of 10 CFR 50.46 (Ref. 3) could be violated.
For a SIT to be considered OPERABLE, the motor operated isolation valve must be fully open, power removed and the limits established in the SR for contained volume, boron concentration, and nitrogen cover pressure must be met.

APPLICABILITY

In MODES 1 and 2, and MODES 3 and 4 with pressurizer pressure 1837 psia, the SIT OPERABILITY requirements are based on an assumption of full power operation. Although cooling requirements decrease as power decreases, the SITs are still required to provide core cooling as long as elevated RCS pressures and temperatures exist. The SIT functional requirements in MODES 3 and 4 with pressurizer pressure < 1837 psia are described in LCO 3.5.2, "SIT - Shutdown".

In MODE 4 with pressurizer pressure < 430 psia, the SIT motor operated isolation valves may be closed to isolate the SITs from the RCS but must remain energized. This allows RCS cooldown and depressurization without discharging the SITs into the RCS or requiring depressurization of the SITs. In this situation, manual actions would be required to open the SIT motor operated isolation valves (i.e., a manually initiated SIAS). In MODES 5 and 6, the SITs are not required and the SIT motor operated isolation valves are closed as required to isolate the SITs from the RCS.

ACTIONS

A.1

If the boron concentration of one SIT is not within limits, the SIT must be returned to OPERABLE status within 72 hours. If the boron concentration is not within limits, ability to maintain subcriticality or minimum boron precipitation time may be reduced, but the reduced concentration effects on core subcriticality during reflood are minor.
Boiling of the ECCS water in the core during reflood concentrates the boron in the saturated liquid that remains in the core. In addition, the volume of the SIT is still available for injection. Since the boron requirements are based on the average boron concentration of the total volume of three SITs, the consequences are less severe than they would be if a SIT were not available for injection. Thus, 72 hours is allowed to return the boron concentration to within limits. If one SIT is inoperable due to the inability to verify level or pressure, the SIT must be returned to operable status within 72 hours. Section 7.4 of NUREG-1366 (Ref. 5) discusses surveillance requirements in technical specifications for the instrument channels used in the measurement of water level and pressure in SITs. The following statement is made in Section 7.4 of NUREG-1366 (Ref. 5): "The combination of redundant level and pressure instrumentation [for any single SIT] may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument [with resulting radiation exposures during entry into containment] if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage for them. The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where 'One accumulator [SIT] is inoperable due to the inoperability of water level and pressure channels,' in which the completion time to restore the accumulator to operable status will be 72 hours. While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase in risk." 
B.1

If one SIT is inoperable for a reason other than boron concentration or the inability to verify level or pressure, the SIT must be returned to OPERABLE status within 24 hours. In this Condition, the required contents of three SITs cannot be assumed to reach the core during a LOCA. CE NPSD-994 (Ref. 6) provides a series of deterministic and probabilistic findings that support 24 hours as being either "risk beneficial" or "risk neutral" in comparison to shorter periods for restoring the SIT to OPERABLE status. CE NPSD-994 (Ref. 6) discusses best-estimate analysis for a typical PWR that confirmed that, during large-break LOCA scenarios, core melt can be prevented by either operation of one low pressure safety injection (LPSI) pump or the operation of one high pressure safety injection (HPSI) pump and a single SIT. CE NPSD-994 (Ref. 6) also discusses plant-specific probabilistic analysis that evaluated the risk-impact of the 24 hour recovery period in comparison to shorter recovery periods.

C.1 and C.2

If the SIT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 1837 psia within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
Specification 3.5.2, "SITs - Shutdown", further requires the plant to be in Mode 5 within 24 hours if the SIT inoperability was discovered but not restored while in the applicability of Specification 3.5.1, "SITs - Operating".

D.1

If more than one SIT is inoperable, the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE REQUIREMENTS

SR 3.5.1.1

Verification that each SIT isolation valve is fully open, as indicated in the control room, ensures that SITs are available for injection and ensures timely discovery if a valve should be partially closed. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.2 and SR 3.5.1.3

SIT borated water volume and nitrogen cover pressure should be verified to be within specified limits in order to ensure adequate injection during a LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.4

Frequency is reasonable for verification to determine that each SIT's boron concentration is within the required limits, because the static design of the SITs limits the ways in which the concentration can be changed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.1.5

Verification that power is removed from each SIT isolation valve operator ensures that an active failure could not result in the undetected closure of a SIT motor operated isolation valve. If this were to occur, only two SITs would be available for injection, given a single failure coincident with a LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.5 allows power to be supplied to the motor operated isolation valves when RCS pressure is < 1500 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA. At RCS pressures above the valve auto-open interlock, the maximum pressure at which the SIAS open signal will open the valves is limited by the valve operator differential pressure design capability.

REFERENCES

1. IEEE Standard 279-1971.
2. UFSAR, Section 6.
3. 10 CFR 50.46.
4. UFSAR, Chapter 15.

5. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements," December 1992.
6. CE NPSD-994, "CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," May 1995.
7. UFSAR Section 7.6.2.2.2.
8. TRM T3.5 (ECCS); TSR 3.5.200.4

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.2 SITs - Shutdown

BASES

The functions of the four SITs are to supply water to the reactor vessel during the blowdown phase of a Loss of Coolant Accident (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a small break LOCA.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refill phase of a LOCA follows immediately where reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of the SITs' inventory is then available to help fill voids in the lower plenum and reactor vessel downcomer to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of Safety Injection (SI) water.

The SITs are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The SITs are passive components, since no operator or control action is required for them to perform their function. Internal tank pressure is sufficient to discharge the contents to the RCS, if RCS pressure decreases below the SIT pressure.

Each SIT is piped into one RCS cold leg via the injection lines utilized by the High Pressure Safety Injection and Low Pressure Safety Injection (HPSI and LPSI) Systems. Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. The motor operated isolation valves are normally open, with power removed from the valve motor to prevent inadvertent closure prior to or during an accident. Additionally, the SIT motor operated isolation valves are interlocked with the pressurizer pressure instrumentation channels to ensure that the valves will automatically open as RCS pressure increases above SIT pressure and to prevent inadvertent closure prior to an accident. The valves also receive a Safety Injection Actuation Signal (SIAS) to open. These features ensure that the valves meet the requirements of the Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971 (Ref. 1) for "operating bypasses" and that the SITs will be available for injection without reliance on operator action. During operations at RCS pressure greater than 430 psia the SIT isolation valves are procedurally locked open and motive power is removed with the breakers locked open, which is conservative with respect to SR 3.5.2.5. The open and closure interlocks are tested as described in UFSAR 7.6.2.2.2 (Reference 6). The open interlock is tested per TRM T3.5 (ECCS); TSR 3.5.200.4 (Reference 7). The SIAS function to open these valves is tested by Reference 7 using the method described in Reference 6.
The SIT gas and water volumes, gas pressure, and outlet pipe size are selected to allow one less than the required SITs to partially recover the core before significant clad melting or zirconium water reaction can occur following a LOCA. The need to ensure that one less than the required SITs are adequate for this function is consistent with the LOCA assumption that the entire contents of one SIT will be lost via the break during the blowdown phase of a LOCA.

APPLICABLE SAFETY ANALYSES

Due to the reduced decay heat removal requirements in MODES 3 and 4, and the reduced probability of a Design Basis Accident (DBA), the SITs operational requirements are reduced. The operational requirement allows either three or four SITs to be OPERABLE with a reduced borated water volume.

Since the SITs are passive components, single active failures are not applicable to their operation. The SIT isolation valves and SIT nitrogen vent valves, however, are not single failure proof; therefore, whenever the SIT motor operated isolation valves are open, power is removed from their operators, and the switch is key locked open. Whenever the SIT vent valves are closed, power is removed with a keylock switch. These precautions ensure that the SITs are available during an accident (Ref. 3). With power supplied to the valves, a single active failure could result in a valve failure, which would render one of the required SITs unavailable for injection. If a second required SIT is lost through the break, only the remaining required SIT(s) would reach the core.
Active failures that could affect the SITs would be the closure of a motor operated outlet valve or opening of a solenoid operated nitrogen vent valve; the requirement to remove power from these eliminates this failure mode. Power is removed from the SIT isolation valves and nitrogen vent valves when pressurizer pressure is 1500 psia. This is consistent with the minimum LOCA analysis pressure of 1600 psia. During operations at RCS pressure greater than 430 psia, the SIT isolation valves are procedurally locked open and motive power is removed with the breakers locked open, which is conservative with respect to SR 3.5.2.5.

The minimum volume requirement for the required SITs, assuming one SIT is not available, ensures that the SITs can provide adequate inventory to reflood the core and downcomer following a LOCA. The downcomer then remains flooded until the HPSI and LPSI systems start to deliver flow. The maximum volume limit is based on maintaining an adequate gas volume to ensure proper injection and the ability of the SITs to fully discharge, as well as limiting the maximum amount of boron inventory in the SITs.

For three OPERABLE SITs, the safety analysis uses a minimum of 1361 cubic feet of borated water and a maximum of 2000 cubic feet of borated water. To allow for instrument inaccuracy, a 60% wide range level (corresponding to 1451.5 cubic feet) and an 83% wide range level (corresponding to 1914 cubic feet) are specified. For four OPERABLE SITs, the safety analysis uses a minimum of 908 cubic feet of borated water and a maximum of 2000 cubic feet of borated water.
To allow for instrument inaccuracy, a 39% wide range level (corresponding to 1029.2 cubic feet) and an 83% wide range level (corresponding to 1914 cubic feet) are specified. The percentage figures are provided in the LCO for operator use because the level indicator provided in the control room is marked in percentage, not in cubic feet.

The minimum nitrogen cover pressure requirement ensures that the contained gas volume will generate discharge flow rates during injection that are consistent with those assumed in the safety analyses. The maximum nitrogen cover pressure limit ensures that excessive amounts of gas will not be injected into the RCS after the SITs have emptied. A minimum pressure of 235 psig and a maximum pressure of 637 psig are used in the analyses. To allow for instrument accuracy, a 260 psig minimum and 625 psig maximum are specified.

The maximum allowable boron concentration of 4400 ppm is based upon boron precipitation limits in the core following a LOCA. Establishing a maximum limit for boron is necessary since the time at which boron precipitation would occur in the core following a LOCA is a function of break location, break size, the amount of boron injected into the core, and the point of ECCS injection. Post LOCA emergency procedures directing the operator to establish simultaneous hot and cold leg injection are based on the worst case minimum boron precipitation time. Maintaining the maximum SIT boron concentration within the upper limit ensures that the SITs do not invalidate this calculation. An excessive boron concentration in any of the borated water sources used for injection during a LOCA could result in boron precipitation earlier than predicted.
The 2300 ppm minimum boron concentration in the SITs assures that the back leakage from the RCS will not dilute the SITs below the minimum boron concentration in the safety analysis. The minimum safety analysis boron requirements of 2000 ppm are based on beginning of life reactivity values and are selected to ensure that the reactor will remain subcritical during the reflood stage of a large break LOCA. Sufficient boron concentration must be maintained in the SITs to prevent a return to criticality during reflood. Although this requirement is similar to the basis for the minimum boron concentration of the Refueling Water Tank (RWT), the minimum SIT concentration is lower than that of the RWT since the SITs need not account for dilution by the RCS.

SIT-Shutdown satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

In MODES 3 and 4 with pressurizer pressure less than 1837 psia, the LCO establishes the minimum conditions required to ensure that the required SITs are available to accomplish their core cooling safety function following a LOCA. The number of SITs required to be OPERABLE is based on the minimum required volume that will reach the core during a LOCA, assuming a single failure. This is consistent with the assumption that the contents of one tank spill through the break. If the contents of less than the remaining required tanks are injected during the blowdown phase of a LOCA, the ECCS acceptance criteria of 10 CFR 50.46 (Ref. 2) could be violated.
For a required SIT to be considered OPERABLE, the motor operated isolation valve must be fully open when pressurizer pressure is 430 psia, power removed when pressurizer pressure is 1500 psia, and the limits established in the SR for contained volume, boron concentration, and nitrogen cover pressure must be met.

APPLICABILITY

In MODES 1 and 2, and MODES 3 and 4 with pressurizer pressure 1837 psia, the OPERABILITY requirements for SITs are covered by LCO 3.5.1.

In MODES 3 and 4 with pressurizer pressure < 1837 psia, the reduced borated water volume requirement is acceptable, based on the stable reactivity condition of the reactor and the limited core cooling requirements.

In MODE 4 with pressurizer pressure < 430 psia, the SIT motor operated isolation valves may be closed to isolate the SITs from the RCS but must remain energized. This allows RCS cooldown and depressurization without discharging the SITs into the RCS or requiring depressurization of the SITs. In this situation manual actions would be required to open the SIT motor operated isolation valves (i.e., manually initiated SIAS). In MODES 5 and 6 the SITs are not required and the SIT motor operated isolation valves are closed as required to isolate the SITs from the RCS.

ACTIONS

A.1

If the boron concentration of one of the required SITs is not within limits, it must be returned to within the limits within 72 hours. In this condition, ability to maintain subcriticality or minimum boron precipitation time may be reduced, but the reduced concentration effects on core subcriticality during reflood are minor.
Boiling of the ECCS water in the core during reflood concentrates the boron in the saturated liquid that remains in the core. In addition, the volume of the SIT is still available for injection. Since the boron requirements are based on the average boron concentration of the total volume of the required SITs assuming a single failure, the consequences are less severe than they would be if a SIT were not available for injection. Thus, 72 hours is allowed to return the boron concentration to within limits.

If one of the required SITs is inoperable due to the inability to verify level or pressure, the SIT must be returned to operable status within 72 hours. Section 7.4 of NUREG-1366 (Ref. 4) discusses surveillance requirements in technical specifications for the instrument channels used in the measurement of water level and pressure in SITs. The following statement is made in Section 7.4 of NUREG-1366 (Ref. 4): "The combination of redundant level and pressure instrumentation [for any single SIT] may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument [with resulting radiation exposures during entry into containment] if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage for them. The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where 'One accumulator [SIT] is inoperable due to the inoperability of water level and pressure channels,' in which the completion time to restore the accumulator to operable status will be 72 hours.
While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase in risk."

B.1

If one SIT is inoperable for a reason other than boron concentration or the inability to verify level or pressure, the SIT must be returned to OPERABLE status within 24 hours. In this Condition, the required contents of three SITs cannot be assumed to reach the core during a LOCA. CE NPSD-994 (Ref. 5) provides a series of deterministic and probabilistic findings that support 24 hours as being either "risk beneficial" or "risk neutral" in comparison to shorter periods for restoring the SIT to OPERABLE status. CE NPSD-994 (Ref. 5) discusses best-estimate analysis for a typical PWR that confirmed that, during large-break LOCA scenarios, core melt can be prevented by either operation of one low pressure safety injection (LPSI) pump or the operation of one high pressure safety injection (HPSI) pump and a single SIT. CE NPSD-994 (Ref. 5) also discusses plant-specific probabilistic analysis that evaluated the risk-impact of the 24 hour recovery period in comparison to shorter recovery periods.

C.1

If the inoperability of the required SIT was discovered but not restored while the plant was within the applicability of specification 3.5.1, "SITs - Operating", the plant must be brought to a MODE in which the LCO does not apply. The time allowed for restoration in specification 3.5.1 is adequate and may not be duplicated, for the same condition, when in specification 3.5.2, "SITs - Shutdown".
If the required SIT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 5 within 24 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions in an orderly manner and without challenging plant systems.

D.1

If more than one of the required SITs is inoperable, the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE REQUIREMENTS

SR 3.5.2.1

Verification that each required SIT isolation valve is fully open when pressurizer pressure is 430 psia as indicated in the control room, ensures that the required SITs are available for injection and ensures timely discovery if a valve should be partially closed. If a required isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 and SR 3.5.2.3

Borated water volume and nitrogen cover pressure for the required SITs should be verified to be within specified limits in order to ensure adequate injection during a LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.2.4

Frequency is reasonable for verification to determine that each required SIT's boron concentration is within the required limits, because the static design of the SITs limits the ways in which the concentration can be changed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.5

Verification that power is removed from each required SIT isolation valve operator when the pressurizer pressure is 1500 psia ensures that an active failure could not result in the undetected closure of a SIT motor operated isolation valve. If this were to occur, two less than the required SITs would be available for injection, given a single failure coincident with a LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR allows power to be supplied to the motor operated isolation valves when pressurizer pressure is < 1500 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA. At RCS pressures above the valve auto-open interlock, the maximum pressure at which the SIAS open signal will open the valves is limited by the valve operator differential pressure design capability.

REFERENCES

1. IEEE Standard 279-1971.
2. 10 CFR 50.46.
3. UFSAR, Chapter 15.
4. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements," December 1992.
5. CE NPSD-994, "CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," May 1995.
6. UFSAR Section 7.6.2.2.2.
7. TRM T3.5 (ECCS); TSR 3.5.200.4.

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.3 ECCS - Operating

BASES

BACKGROUND

The function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:

a. Loss of Coolant Accident (LOCA);
b. Control Element Assembly (CEA) ejection accident;
c. Loss of secondary coolant accident, including uncontrolled steam release or loss of feedwater; and
d. Steam Generator Tube Rupture (SGTR).

The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where primary cooldown could add enough positive reactivity to achieve criticality and return to significant power.

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs. After the blowdown stage of the LOCA stabilizes, injection flow is split equally between the hot and cold legs. After the Refueling Water Tank (RWT) has been depleted, the ECCS recirculation phase is entered as the ECCS suction is automatically transferred to the containment sump.

Two redundant, 100% capacity trains are provided. In MODES 1, 2, and 3, with pressurizer pressure 1837 psia or with RCS Tc 485°F each train consists of High Pressure Safety Injection (HPSI) and Low Pressure Safety Injection (LPSI) subsystems. In MODES 1, 2, and 3, with pressurizer pressure 1837 psia or with RCS Tc 485°F both trains must be OPERABLE. This ensures that 100% of the core cooling requirements can be provided in the event of a single active failure.
A suction header supplies water from the RWT or the containment sump to the ECCS pumps. Separate piping supplies each train. The discharge headers from each HPSI pump divide into four supply lines. Both HPSI trains feed into each of the four injection lines. The discharge header from each LPSI pump divides into two supply lines, each feeding the injection line to two RCS cold legs. Control valves or orifices are set to balance the flow to the RCS. This flow balance directs sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs.

The Safety Injection (SI) systems are actuated upon receipt of an SIAS. The actuation of safeguard loads is accomplished in a programmed time sequence. If offsite power is available, the safeguard loads start immediately in the programmed sequence. If offsite power is not available, the Engineered Safety Feature (ESF) buses shed normal operating loads and are connected to the Diesel Generators (DGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, sequenced loading, and pump starting determines the time required before pumped flow is available to the core following a LOCA.

The active ECCS components, along with the passive Safety Injection Tanks (SITs) and the RWT, covered in LCO 3.5.1, "Safety Injection Tanks (SITs)-Operating"; LCO 3.5.2, "SITs-Shutdown"; and LCO 3.5.5, "Refueling Water Tank (RWT)," provide the cooling water necessary to meet GDC 35 (Ref. 1).
APPLICABLE SAFETY ANALYSES

The LCO helps to ensure that the following acceptance criteria, established by 10 CFR 50.46 (Ref. 2) for ECCSs, will be met following a LOCA:

a. Maximum fuel element cladding temperature is 2200°F;
b. Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;
c. Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;
d. Core is maintained in a coolable geometry; and
e. Adequate long term core cooling capability is maintained.

The LCO also limits the potential for a post trip return to power following a Steam Line Break (SLB) and ensures that containment temperature limits are met.

Both HPSI and LPSI subsystems are assumed to be OPERABLE in the large break LOCA analysis at full power (Ref. 3). This analysis establishes a minimum required runout flow for the HPSI and LPSI pumps, as well as the maximum required response time for their actuation. The HPSI pumps are credited in the small break LOCA analysis. This analysis establishes the flow and discharge head requirements at the design point for the HPSI pump. The SGTR and SLB analyses also credit the HPSI pumps, but are not limiting in their design.

The large break LOCA event with a loss of offsite power and a single failure (disabling one ECCS train) establishes the OPERABILITY requirements for the ECCS.
During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large breaks or CEA insertion during small breaks. Following depressurization, emergency cooling water is injected into the cold legs, flows into the downcomer, fills the lower plenum, and refloods the core.

On smaller breaks, RCS pressure will stabilize at a value dependent upon break size, heat load, and injection flow. The smaller the break, the higher this equilibrium pressure. In all LOCA analyses, injection flow is not credited until RCS pressure drops below the shutoff head of the HPSI pumps.

The LCO ensures that an ECCS train will deliver sufficient water to match decay heat boiloff rates soon enough to minimize core uncovery for a large LOCA. It also ensures that the HPSI pump will deliver sufficient water during a small break LOCA and provide sufficient boron to maintain the core subcritical following an SLB.

ECCS - Operating satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

In MODES 1, 2, and 3, with pressurizer pressure 1837 psia or with RCS Tc 485°F two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is available, assuming there is a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.
In MODES 1 and 2, and in MODE 3 with pressurizer pressure 1837 psia or with RCS Tc 485°F an ECCS train consists of a HPSI subsystem and a LPSI subsystem. Each train includes the piping, instruments, valves, and controls to ensure the availability of an OPERABLE flow path capable of taking suction from the RWT on a SIAS and automatically transferring suction to the containment sump upon a Recirculation Actuation Signal (RAS).

During an event requiring ECCS actuation, a flow path is provided to ensure an abundant supply of water from the RWT to the RCS, via the HPSI and LPSI pumps and their respective supply headers, to each of the four cold leg injection nozzles. In the long term (post RAS), this flow path is manually switched two to three hours after a LOCA to supply part of its HPSI flow to the RCS hot legs via the HPSI hot leg injection valves which connect to the Shutdown Cooling (SDC) suction nozzles. Simultaneous hot and cold leg injection will maintain core cooling and boric acid flushing following a large break LOCA.

The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.

APPLICABILITY

In MODES 1 and 2, and in MODE 3 with RCS pressure 1837 psia or with RCS Tc 485°F the ECCS OPERABILITY requirements for the limiting Design Basis Accident (DBA) large break LOCA are based on full power operation. Although reduced power would not require the same level of performance, the accident analysis does not provide for reduced cooling requirements in the lower MODES.
The HPSI pump performance is based on the small break LOCA, which establishes the pump performance curve and has less dependence on plant power. The minimum Tc is based on the ECCS OPERABILITY requirements for a MODE 3 steam line break with a stuck rod and a single HPSI failure to prevent a return to power. The requirements of MODES 2 and 3, with RCS pressure 1837 psia or with RCS Tc 485°F, are bounded by the MODE 1 analysis.

The ECCS functional requirements of MODE 3, with RCS pressure < 1837 psia and with RCS Tc < 485°F, and MODE 4 are described in LCO 3.5.4, "ECCS - Shutdown."

In MODES 5 and 6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level."

ACTIONS

A.1

Condition A addresses the specific condition where the only affected ECCS subsystem is a single LPSI subsystem. The availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is implicit in the definition of Condition A.

If LCO 3.5.3 requirements are not met due only to the existence of Condition A, then the inoperable LPSI subsystem components must be returned to OPERABLE status within 7 days of discovery of Condition A. This 7 day Completion Time is based on the findings of the deterministic and probabilistic analysis that are discussed in Reference 6.
Seven days is a reasonable amount of time to perform many corrective and preventative maintenance items on the affected LPSI subsystem. Reference 6 concluded that the overall risk impact of this Completion Time was either risk-beneficial or risk-neutral. The Configuration Risk Management Program (CRMP) in TRM Section 5.0.500.19 applies when Condition A is entered.

B.1

If one or more ECCS trains are inoperable, except for reasons other than Condition A (one LPSI subsystem inoperable), and at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is available, the inoperable components must be returned to OPERABLE status within 72 hours. The 72 hour Completion Time is based on an NRC study (Ref. 4) using a reliability evaluation and is a reasonable amount of time to effect many repairs.

An ECCS train is inoperable if it is not capable of delivering the design flow to the RCS. The individual components are inoperable if they are not capable of performing their design function, or if supporting systems are not available.

The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of function for the ECCS. The intent of this Condition is to maintain a combination of OPERABLE equipment such that 100% of the ECCS flow equivalent to 100% of a single OPERABLE train remains available. This allows increased flexibility in plant operations when components in opposite trains are inoperable.
An event accompanied by a loss of offsite power and the failure of an emergency DG can disable one ECCS train until power is restored. A reliability analysis (Ref. 4) has shown that the impact with one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours.

With one or more components inoperable, such that 100% of the equivalent flow to a single OPERABLE ECCS train is not available, the facility is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be immediately entered.

C.1, C.2, and C.2

If the inoperable train cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 1837 psia and RCS Tc reduced to < 485°F within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.3.1

Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This Surveillance does not require any testing or valve manipulation.
Rather, it involves verification that those valves capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.2

With the exception of systems in operation, the ECCS pumps are normally in a standby, nonoperating mode. As such, flow path piping has the potential to develop voids and pockets of entrained gases. The method of ensuring that any voids or pockets of gases are removed from the ECCS piping is to vent the accessible discharge piping high points, which is controlled by PVNGS procedures. Maintaining the piping from the ECCS pumps to the RCS full of water ensures that the system will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent water hammer, pump cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an SIAS or during SDC. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.3

Periodic surveillance testing of ECCS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME OM Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the unit safety analysis. SRs are specified in the Inservice Testing Program, which encompasses the ASME OM Code (Ref. 7).
The frequency of this SR is in accordance with the Inservice Testing Program.

SR 3.5.3.4, SR 3.5.3.5, and SR 3.5.3.6

These SRs demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SIAS and on an RAS, that each ECCS pump starts on receipt of an actual or simulated SIAS, and that the LPSI pumps stop on receipt of an actual or simulated RAS. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The following valve actuations must be verified: on an actual or simulated recirculation actuation signal, the containment sump isolation valves open, and the HPSI, LPSI and CS minimum bypass recirculation flow line isolation valves and combined SI mini flow valve close.

SR 3.5.3.7

Realignment of valves in the flow path on an SIAS is necessary for proper ECCS performance. The safety injection valves have stops to position them properly so that flow is restricted to a ruptured cold leg, ensuring that the other cold legs receive at least the required minimum flow. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. These valves are also monitored in accordance with the requirements of 10 CFR 50.65 (Ref. 5).

SR 3.5.3.8

Periodic inspection of the containment sump ensures that it is unrestricted and stays in proper operating condition. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 35.
2. 10 CFR 50.46.
3. UFSAR, Chapter 6.
4. NRC Memorandum to V. Stello, Jr., from R. L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
5. 10 CFR 50.65.
6. Combustion Engineering Owners Group Joint Applications Report for Low Pressure Safety Injection System AOT Extension, CE NPSD-995, dated May 1995, as submitted to NRC in APS letter no. 102-03392, dated June 13, 1995, with updates described in letter no. 102-04250 dated February 26, 1999. Also see TS amendment no. 124 dated February 1, 2000.
7. ASME Code for Operation and Maintenance of Nuclear Power Plants.

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.4 ECCS - Shutdown

BASES

BACKGROUND

The Background section for Bases B 3.5.3, "ECCS - Operating," is applicable to these Bases, with the following modifications.

In MODE 3 with pressurizer pressure < 1837 psia and RCS Tc < 485°F, and in MODE 4, an ECCS train is defined as one High Pressure Safety Injection (HPSI) subsystem. The HPSI flow path consists of piping, valves, and pumps that enable water from the Refueling Water Tank (RWT) on a SIAS signal to be injected into the Reactor Coolant System (RCS) and automatically transferring HPSI suction to the containment sump on a Recirculation Actuation Signal (RAS) following the accidents described in Bases 3.5.3.

APPLICABLE SAFETY ANALYSES

The Applicable Safety Analyses section of Bases 3.5.3 is applicable to these Bases.

Due to the stable conditions associated with operation in MODE 3 with pressurizer pressure < 1837 psia and with RCS Tc < 485°F and in MODE 4, and the reduced probability of a Design Basis Accident (DBA), the ECCS operational requirements are reduced.
In this MODE, sufficient time exists for manual actuation of the required ECCS to mitigate the complete severance of the largest line connected to the RCS, i.e., a Safety Injection inlet line.

Only one train of ECCS is required for MODE 4. Protection against single failures is not relied on for this MODE of operation.

ECCS - Shutdown satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

In MODE 3 with pressurizer pressure < 1837 psia and with RCS Tc < 485°F and in MODE 4 an ECCS subsystem is composed of a single HPSI subsystem. Each HPSI subsystem includes the piping, instruments, valves, and controls to ensure an OPERABLE flow path capable of taking suction from the RWT and transferring suction to the containment sump.

During an event requiring ECCS actuation, a flow path is required to supply water from the RWT to the RCS via the HPSI pumps and their respective supply headers to each of the four cold leg injection nozzles. In the long term (post RAS), this flow path is manually switched 2 to 3 hours after a LOCA to supply part of its HPSI flow to the RCS hot legs via the HPSI hot leg injection valves which connect to the Shutdown Cooling (SDC) suction nozzles.

With RCS pressure < 1837 psia and with RCS Tc < 485°F, one HPSI pump is acceptable without single failure consideration, based on the stable reactivity condition of the reactor and the limited core cooling requirements. The Low Pressure Safety Injection (LPSI) pumps may therefore be released from the ECCS train for use in SDC.

APPLICABILITY

In MODES 1, 2, and 3 with RCS pressure 1837 psia or with RCS Tc 485°F, the OPERABILITY requirements for ECCS are covered by LCO 3.5.3.
In MODE 3 with RCS pressure < 1837 psia and with RCS Tc < 485°F and in MODE 4, one OPERABLE ECCS train is acceptable without single failure consideration, based on the stable reactivity condition of the reactor and the limited core cooling requirements.

In MODES 5 and 6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level."

A note prohibits the application of LCO 3.0.4.b to an inoperable ECCS high pressure safety injection subsystem. There is an increased risk associated with entering MODE 4 from MODE 5 with an inoperable ECCS high pressure safety injection subsystem and the provisions of LCO 3.0.4.b which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

ACTIONS

A.1

With no HPSI pump OPERABLE, the unit is not prepared to respond to a loss of coolant accident. The 1 hour Completion Time to restore at least one HPSI train to OPERABLE status ensures that prompt action is taken to restore the required cooling capacity or to initiate actions to place the unit in MODE 5, where an ECCS train is not required.

B.1

When the Required Action cannot be completed within the required Completion Time, a controlled shutdown should be initiated.
Twenty-four hours is reasonable, based on operating experience, to reach MODE 5 in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.4.1

The applicable Surveillance descriptions from Bases 3.5.3 apply as they pertain to the required HPSI train.

REFERENCES

The applicable references from Bases 3.5.3 apply as they pertain to the required HPSI train.

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.5 Refueling Water Tank (RWT)

BASES

BACKGROUND

The RWT supports the ECCS and the Containment Spray System by providing a source of borated water for Engineered Safety Feature (ESF) pump operation.

The RWT supplies two ECCS trains by separate, redundant supply headers. Each header also supplies one train of the Containment Spray System. A motor operated isolation valve is provided in each header to allow the operator to isolate the usable volume of the RWT from the ECCS after the ESF pump suction has been transferred to the containment sump following depletion of the RWT during a Loss of Coolant Accident (LOCA). A separate header is used to supply the Chemical and Volume Control System (CVCS) from the RWT. Use of a single RWT to supply both trains of the ECCS is acceptable since the RWT is a passive component, and passive failures are not assumed to occur coincidently with the Design Basis Event during the injection phase of an accident. Not all the water stored in the RWT is available for injection following a LOCA; the location of the ECCS suction piping in the RWT will result in some portion of the stored volume being unavailable.
The High Pressure Safety Injection (HPSI), Low Pressure Safety Injection (LPSI), and containment spray pumps are provided with recirculation lines that ensure each pump can maintain minimum flow requirements when operating at shutoff head conditions. These lines discharge back to the RWT. The RWT vents to the Fuel Building Ventilation System. When the suction for the HPSI and containment spray pumps is transferred to the containment sump, this flow path must be isolated to prevent a release of the containment sump contents to the RWT. If not isolated, this flow path could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ESF pumps. This LCO ensures that:

a. The RWT contains sufficient borated water to support the ECCS and Containment Spray System during the injection phase;
b. Sufficient water volume exists in the containment sump to support continued operation of the ESF pumps at the time of transfer to the recirculation mode of cooling; and
c. The reactor remains subcritical following a LOCA.

Insufficient water inventory in the RWT could result in (1) insufficient cooling capacity of the ECCS and Containment Spray System, or (2) insufficient water level to support continued ESF pump operation when the transfer to the recirculation mode occurs. Improper boron concentrations could result in a reduction of SDM or excessive boric acid precipitation in the core following a LOCA, as well as excessive caustic stress corrosion of mechanical components and systems inside containment.

The RWT also provides a source of borated water to the charging system for makeup to the RCS to compensate for contraction of the RCS coolant during plant cooldown while maintaining adequate shutdown margin. Although this charging system boration function is not required to be in a Technical Specification LCO per 10 CFR 50.36(c)(2)(ii) criteria, the RWT volume requirements of Figure 3.5.5-1 include this function in order to provide the plant operators with a single requirement for RWT volume.

The table below provides the required RWT level at selected RCS average temperature values, corresponding to Figure 3.5.5-1. The RWT volume is the total volume of water in the RWT above the vortex breaker. This volume includes the volumes required to be transferred, as discussed below, an allowance for instrument uncertainty, and the volume that will remain in the RWT after the switch over to the recirculation mode.

RWT Required Level at RCS Temperatures

RCS Temperature (F), average    RWT Required Level Indicated (%)    RWT Volume * (Gallons)
210                             81.2                                611,000
250                             81.4                                613,000
300                             81.8                                615,000
350                             82.1                                618,000
400                             82.5                                621,000
450                             83.0                                624,000
500                             83.5                                628,000
565                             84.3                                634,000
600                             84.3                                634,000

* The volumes include instrument uncertainty and have been rounded up or down to the nearest 1,000 gallons.

APPLICABLE SAFETY ANALYSES

During accident conditions, the RWT provides a source of borated water to the HPSI, LPSI and containment spray pumps. As such, it provides containment cooling and depressurization, core cooling, and replacement inventory and is a source of negative reactivity for reactor shutdown (Ref. 1). The design basis transients and applicable safety analyses concerning each of these systems are discussed in the Applicable Safety Analyses section of Bases B 3.5.3, "ECCS Operating," and B 3.6.6, "Containment Spray." These analyses are used to assess changes to the RWT in order to evaluate their effects in relation to the acceptance limits.

The level limit of Figure 3.5.5-1 for the ESF function is based on the largest of the following four factors:

a. A volume of borated water must be transferred to containment via the ESF pumps prior to reaching a low level switchover to the containment sump for recirculation. This ESF Reserve Volume ensures that the ESF pump suction will not be aligned to the containment sump until the point at which 75% of the minimum design flow of one HPSI pump is capable of meeting or exceeding the decay heat boil-off rate.

b. A volume of borated water must be transferred to the RCS and containment for flooding of sump strainers to prevent vortexing and to ensure adequate net positive suction head to support continued ESF pump operation after the switchover to recirculation occurs.

c. A volume of borated water must be available for Containment Spray System operation as credited in the containment pressure and temperature analyses.

d. A volume of borated water is needed during ECCS functions to ensure shutdown margin (SDM) is maintained.
The volume required is similar to that needed for the charging system function of compensating for contraction of the RCS coolant during plant cooldown. The volume required will vary depending upon the event and is bounded by the volume needed for a LOCA. The volume needed for boration purposes for a LOCA is smaller than the volumes discussed in a, b, and c above.

The quantities specified above are transfer volumes to be available for delivery to the ESF pumps. They are located between the required level of Figure 3.5.5-1 and the low level switchover to the containment sump for recirculation (RAS). The required level of Figure 3.5.5-1 also considers applicable instrument uncertainty for the indicators used to verify level, the switch that actuates the recirculation actuation signal, and the indicators for average RCS temperature.

The level required by Figure 3.5.5-1 ensures that adequate water volume exists in the tank to provide the transfer volumes discussed above. The temperatures of note on the Figure are (1) 600F, which bounds the highest expected average RCS temperature, (2) 565F, which corresponds to hot zero power, and (3) 210F, which is the lowest temperature for Mode 4, when this LCO is applicable. Between 600F and 565F the required level is constant for ease of use by operators to have a single value for all hot conditions. Between 565F and 210F the required level decreases as the volume required to make up for RCS coolant contraction decreases.

By the time of recirculation, the water level in the containment sump must be sufficient to provide adequate Net Positive Suction Head (NPSH) for both trains of HPSI, LPSI, and containment spray pumps operating at runout conditions.
Accounting for LPSI pump operation is conservative because these pumps trip automatically upon RAS and are not required during recirculation. The minimum containment sump level can be achieved considering only the inventory specified in the RWT with no contributions from safety injection tanks and the reactor coolant. The resultant containment water inventory is further reduced due to the effects of evaporation and flashing of post-accident fluid; holdup in containment atmosphere, subcompartments, and reservoirs due to containment spray operation; and diversions of RWT to the CVCS via the high suction nozzle. Leakages from injection and recirculation equipment to areas outside the containment during the first 24 hours of the event are expected to be small in comparison with the overall conservatism in the analysis and are therefore neglected. Consistent with the positions in Regulatory Guides 1.1 and 1.82, no credit was taken for containment pressure in calculating available NPSH.

The 4000 ppm limit for minimum boron concentration was established to ensure that, following a LOCA with a minimum level in the RWT, the reactor will remain subcritical in the cold condition following mixing of the RWT and RCS water volumes. Small break LOCAs assume that all control rods are inserted, except for the Control Element Assembly (CEA) of highest worth, which is withdrawn from the core. Large break LOCAs assume that all CEAs remain withdrawn from the core. The most limiting case occurs at beginning of core life.

The maximum boron limit of 4400 ppm in the RWT is based on boron precipitation in the core following a LOCA.
With the reactor vessel at saturated conditions, the core dissipates heat by pool nucleate boiling. Because of this boiling phenomenon in the core, the boric acid concentration will increase in this region. If allowed to proceed in this manner, a point will be reached where boron precipitation will occur in the core. Post LOCA emergency procedures direct the operator to establish simultaneous hot and cold leg injection to prevent this condition by establishing a forced flow path through the core regardless of break location. These procedures are based on the minimum time in which precipitation could occur, assuming that maximum boron concentrations exist in the borated water sources used for injection following a LOCA. Boron concentrations in the RWT in excess of the limit could result in precipitation earlier than assumed in the analysis.

The upper limit of 120°F and the lower limit of 60°F on RWT temperature are the limits assumed in the accident analysis. Although RWT temperature affects the outcome of several analyses, the upper and lower limits established by the LCO are not limited by any of these analyses.

The RWT ESF function satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The RWT ensures that an adequate supply of borated water is available to cool and depressurize the containment in the event of a Design Basis Accident (DBA) and to cool and cover the core in the event of a LOCA, that the reactor remains subcritical following a DBA, and that an adequate level exists in the containment sump to support ESF pump operation in the recirculation mode. To be considered OPERABLE, the RWT must meet the limits established in the SRs for water volume, boron concentration, and temperature.
APPLICABILITY

In MODES 1, 2, 3, and 4, the RWT OPERABILITY requirements are dictated by the ECCS and Containment Spray System OPERABILITY requirements. Since both the ECCS and the Containment Spray System must be OPERABLE in MODES 1, 2, 3, and 4, the RWT must be OPERABLE to support their operation. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation Low Water Level."

ACTIONS

A.1

With RWT boron concentration or borated water temperature not within limits, it must be returned to within limits within 8 hours. In this condition neither the ECCS nor the Containment Spray System can perform their design functions; therefore, prompt action must be taken to restore the tank to OPERABLE condition. The allowed Completion Time of 8 hours to restore the RWT to within limits was developed considering the time required to change boron concentration or temperature and that the contents of the tank are still available for injection and core cooling.

B.1

With RWT borated water volume not within limits, it must be returned to within limits within 1 hour.
In this condition, neither the ECCS nor Containment Spray System can perform their design functions; therefore, prompt action must be taken to restore the tank to OPERABLE status or to place the unit in a MODE in which these systems are not required. The allowed Completion Time of 1 hour to restore the RWT to OPERABLE status is based on this condition since the contents of the tank are not available for injection and core cooling.

C.1 and C.2

If the RWT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.5.1

RWT borated water temperature shall be verified to be within the limits assumed in the accident analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that eliminates the requirement to perform this Surveillance when ambient air temperatures are within the operating temperature limits of the RWT. With ambient temperatures within this range, the RWT temperature should not exceed the limits.

SR 3.5.5.2

The RWT water volume level shall be verified in accordance with Figure 3.5.5-1. This Frequency ensures that a sufficient initial water supply is available for injection and to support continued ESF pump operation on recirculation.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.5.3

Boron concentration of the RWT shall be verified to be within the required range. This Frequency ensures that the reactor will remain subcritical following a LOCA and the boron precipitation in the core will not occur earlier than predicted. Further, it ensures that the resulting sump pH will be maintained in an acceptable range such that the effect of chloride and caustic stress corrosion on mechanical systems and components will be minimized. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 6 and Chapter 15.
2. Engineering Calculation 13-JC-CH-0209

PALO VERDE UNITS 1,2,3 B 3.5.6-1 REVISION 0

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.6 Trisodium Phosphate (TSP)

BASES

BACKGROUND

Anhydrous Trisodium Phosphate (TSP) is placed on the floor of the containment building to ensure that iodine, which may be dissolved in the recirculated reactor cooling water following a Loss of Coolant Accident (LOCA), remains in solution. TSP also helps inhibit Stress Corrosion Cracking (SCC) of austenitic stainless steel components in containment during the recirculation phase following an accident.

Fuel that is damaged during a LOCA will release iodine in several chemical forms to the reactor coolant and to the containment atmosphere. A portion of the iodine in the containment atmosphere is washed to the sump by containment sprays. The emergency core cooling water is borated for reactivity control. This borated water causes the sump solution to be acidic. In a low pH (acidic) solution, dissolved iodine will be converted to a volatile form.
The volatile iodine will evolve out of solution into the containment atmosphere, significantly increasing the levels of airborne iodine. The increased levels of airborne iodine in containment contribute to the radiological releases and increase the consequences from the accident due to containment atmosphere leakage.

After a LOCA, the components of the core cooling and Containment Spray Systems will be exposed to high temperature borated water. Prolonged exposure to the core cooling water combined with stresses imposed on the components can cause SCC. The SCC is a function of stress, oxygen and chloride concentrations, pH, temperature, and alloy composition of the components. High temperatures and low pH, which would be present after a LOCA, tend to promote SCC. This can lead to the failure of necessary safety systems or components.

Adjusting the pH of the recirculation solution to levels at or above 7.0 prevents a significant fraction of the dissolved iodine from converting to a volatile form. The higher pH thus decreases the level of airborne iodine in containment and reduces the radiological consequences from containment atmosphere leakage following a LOCA. Maintaining the solution pH at or above 7.0 also reduces the occurrence of SCC of austenitic stainless steel components in containment. Reducing SCC reduces the probability of failure of components.

Granular anhydrous TSP is employed as a passive form of pH control for post LOCA containment spray and core cooling water. Baskets of TSP are placed on the floor of the containment building to dissolve from released reactor coolant water and containment sprays after a LOCA.
Recirculation of the water for core cooling and containment sprays then provides mixing to achieve a uniform solution pH.

APPLICABLE SAFETY ANALYSES

The LOCA radiological consequences analysis takes credit for iodine retention in the sump solution based on the recirculation water pH being 7.0. The radionuclide releases from the containment atmosphere and the consequences of a LOCA would be increased if the pH of the recirculation water were not adjusted to 7.0 or above.

LCO

The TSP is required to adjust the pH of the recirculation water to 7.0 after a LOCA. A pH 7.0 is necessary to prevent significant amounts of iodine released from fuel failures and dissolved in the recirculation water from converting to a volatile form and evolving into the containment atmosphere. Higher levels of airborne iodine in containment may increase the release of radionuclides and the consequences of the accident. A pH 7.0 is also necessary to prevent SCC of austenitic stainless steel components in containment. SCC increases the probability of failure of components.

The required amount of TSP is based upon the extreme cases of water volume and pH possible in the containment sump after a large break LOCA. The minimum required volume is the volume of TSP that will achieve a sump solution pH of 7.0 when taking into consideration the maximum possible sump water volume and the minimum possible pH. The amount of TSP needed in the containment building is based on the mass of TSP required to achieve the desired pH.
However, a required volume is specified, rather than mass, since it is not feasible to weigh the entire amount of TSP in containment. The minimum required volume is based on the design basis value for density of anhydrous TSP. Since TSP can have a tendency to agglomerate from high humidity in the containment building, the density may increase and the volume decrease during normal plant operation. Due to possible agglomeration and increase in density, estimating the minimum volume of TSP in containment is conservative with respect to achieving a minimum required pH.

APPLICABILITY

In MODES 1, 2, and 3, the RCS is at elevated temperature and pressure, providing an energy potential for a LOCA. The potential for a LOCA results in a need for the ability to control the pH of the recirculated coolant. In MODES 4, 5, and 6, the potential for a LOCA is reduced and TSP is not required.

ACTIONS

A.1

If it is discovered that the TSP in the containment building is not within limits, action must be taken to restore the TSP to within limits. The Completion Time of 72 hours is allowed for restoring the TSP within limits, where possible, because 72 hours is the same time allowed for restoration of other ECCS components.

B.1 and B.2

If the TSP cannot be restored within limits within the Completion Time of Required Action A.1, the plant must be brought to a MODE in which the LCO does not apply.
The specified Completion Times for reaching MODES 3 and 4 are those used throughout the Technical Specifications; they were chosen to allow reaching the specified conditions from full power in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.6.1

Periodic determination of the volume of TSP in containment must be performed due to the possibility of leaking valves and components in the containment building that could cause dissolution of the TSP during normal operation. A verification is required to determine visually that a minimum of 524 cubic feet is contained in the TSP baskets (Ref. 1). This requirement ensures that there is an adequate volume of TSP to adjust the pH of the post LOCA sump solution to a value 7.0. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.6.2

Testing ensures that the solubility and buffering ability of the TSP is not degraded after exposure to the containment environment. A representative sample of 3.36 grams 0.005 grams of anhydrous TSP (corrected for moisture content) is collected from one or more of the baskets in containment. The sample is submerged in 1.0 0.005 liter (total volume) of 4280 to 4400 ppm boric acid solution at a temperature of 135F 9F. Without agitation, the solution pH should rise to greater than or equal to 7.0 within 4 hours. Solution pH is measured at 77F 9F and rounded to the nearest tenth of a pH unit.

The sample weight and volume correspond to the design minimum concentration of TSP expected post LOCA in the containment sump.
The limiting concentration occurs when the LCO minimum TSP volume of 524 cubic feet, weighing about 25,325 pounds at the installed bulk density, is dissolved into the maximum recirculation fluid mass of approximately 7,690,750 pounds, which is about 920,000 gallons at room temperature. The boron concentration of the test water is the highest possible with the maximum expected recirculation sump volume. Agitation of the test solution is prohibited since an adequate standard for the agitation intensity cannot be specified. The test time of 4 hours is necessary to allow time for the dissolved TSP to naturally diffuse through the sample solution. In the post LOCA containment sump, rapid mixing would occur, significantly decreasing the actual amount of time before the required pH is achieved. This ensures compliance with UFSAR Section 6.1.1.2 which requires containment sump pH to be greater than or equal to 7.0 and less than or equal to 8.5 within 4 hours after a Recirculation Actuation Signal (RAS). The temperature of 135 9F was chosen for the borated water solution because that is the minimum temperature expected at the inlet of the shutdown cooling heat exchangers during the initial phase of this accident when the TSP is dissolved into solution. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. PVNGS operating license amendment numbers 110, 102 and 82 for Units 1, 2 and 3, respectively, and associated NRC Safety Evaluation dated December 10, 1996.

PALO VERDE UNITS 1,2,3 B 3.6.1-1 REVISION 0

B 3.6 CONTAINMENT SYSTEMS

B 3.6.1 Containment

BASES

BACKGROUND

The containment consists of the concrete Containment Building (CB), its steel liner, and the penetrations through this structure.
The structure is designed to contain radioactive material that may be released from the reactor core following a design basis Loss of Coolant Accident. Additionally, this structure provides shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a shallow dome roof. The cylinder wall is prestressed with a post tensioning system in the vertical and horizontal directions, and the dome roof is prestressed utilizing a two way pattern of tendons, which are an extension of the continuous vertical tendons. The inside surface of the containment is lined with a carbon steel liner to ensure a high degree of leak tightness during operating and accident conditions.

The concrete CB is required for structural integrity of the containment under Design Basis Accident (DBA) conditions. The steel liner and its penetrations establish the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment. SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.

The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either:

   1. capable of being closed by an OPERABLE automatic containment isolation system, or

   2. closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves";

b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks"; and

c. All equipment hatches are closed.

APPLICABLE SAFETY ANALYSES

The safety design basis for the containment is that the containment must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

The limiting DBAs that result in a release of radioactive material within containment are a Loss Of Coolant Accident (LOCA), a Main Steam Line Break (MSLB), a feedwater line break, and a control element assembly ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.1% of containment air mass per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La; the maximum allowable containment leakage rate at the calculated maximum peak containment pressure (Pa) of 58.0 psig which results from the limiting design basis LOCA.

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Containment OPERABILITY is maintained by limiting leakage to 1.0 La, except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applicable leakage limits must be met.
Type A leakage rate testing measures the overall leakage rate of the containment. Type B leakage rate testing measures the local leakage rate of blind flanges, air locks and other devices which employ resilient seals. Type C leakage rate testing measures the local leakage rate of valves. Refer to reference 1 for a more detailed definition.

Compliance with this LCO will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

Individual leakage rates specified for the containment air lock (LCO 3.6.2) and purge valves with resilient seals (LCO 3.6.3) are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J, Option B. Therefore, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0 La.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, containment is not required to be OPERABLE in MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS

A.1

In the event containment is inoperable, containment must be restored to OPERABLE status within 1 hour.
The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and 4. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.

B.1 and B.2

If containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.1.1

Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. The containment concrete visual examinations may be performed during either power operation, e.g., performed concurrently with other containment inspection-related activities such as tendon testing, or during a maintenance/refueling outage. The visual examinations of the steel liner plate inside containment are performed during maintenance or refueling outages since this is the only time the liner plate is fully accessible.
Failure to meet air lock and purge valve with resilient seal leakage limits specified in LCO 3.6.2 and LCO 3.6.3 does not invalidate the acceptability of these overall leakage determinations unless their contribution to overall Type A, B, and C leakage causes that to exceed limits. As left leakage prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test is required to be < 0.6 La for combined Type B and C leakage and 0.75 La for overall Type A leakage. At all other times between required leakage rate tests, the acceptance criteria is based on an overall Type A leakage limit of 1.0 La. At 1.0 La the offsite dose consequences are bounded by the assumptions of the safety analysis. SR Frequencies are as required by the Containment Leakage Rate Testing Program. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.

SR 3.6.1.2

For ungrouted, post tensioned tendons, this SR ensures that the structural integrity of the containment will be maintained in accordance with the provisions of the Containment Tendon Surveillance Program. Testing and Frequency are in accordance with ASME Code Section XI, Subsection IWL (Ref. 4) and applicable addenda as required by 10 CFR 50.55a, except where an exemption or relief has been authorized by the NRC.

REFERENCES

1. 10 CFR 50, Appendix J, Option B.
2. UFSAR, Section 3.8.
3. UFSAR, Section 6.2.
4. ASME Code Section XI, Subsection IWL.
B 3.6 CONTAINMENT SYSTEMS

B 3.6.2 Containment Air Locks

BASES

BACKGROUND

Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation. Each air lock is nominally a right circular cylinder, 9 ft.-6 inches in diameter, with a door at each end. The doors are interlocked to prevent simultaneous opening. During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary.

Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an increase in containment internal pressure results in increased sealing force on each door).

The containment air locks form part of the containment pressure boundary. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analysis.
APPLICABLE SAFETY ANALYSES

The limiting DBAs that result in a large release of radioactive material within containment are a Loss Of Coolant Accident (LOCA), a Main Steam Line Break (MSLB), a feedwater line break, and a control element assembly (CEA) ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.1% of containment air mass per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J, Option B, as the maximum allowable containment leakage rate at the calculated peak containment internal pressure Pa [58.0 psig], following a design basis LOCA. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.

The containment air locks satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE.
The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into or exit from containment.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment air locks are not required in MODE 5 to prevent leakage of radioactive material from containment. The requirements for the containment air locks during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS

The ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. If the outer door is inoperable, then it may be easily accessed for most repairs. If the inner door is inoperable, or if repairs on either door must be performed from the barrel side of the door then it is permissible to enter the air lock through the OPERABLE door, which means there is a short time during which the containment boundary is not intact (during access through the OPERABLE door).
The ability to open the OPERABLE door, even if it means the containment boundary is temporarily not intact, is acceptable because of the low probability of an event that could pressurize the containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit, the OPERABLE door must be immediately closed.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable air lock. Complying with the Required Actions may allow for continued operation, and a subsequent inoperable air lock is governed by subsequent Condition entry and application of associated Required Actions.

A third Note has been included that requires entry into the applicable Conditions and Required Actions of LCO 3.6.1, "Containment," when leakage results in exceeding the overall containment leakage limit.

A.1, A.2, and A.3

With one air lock door inoperable in one or more containment air locks, the OPERABLE door must be verified closed (Required Action A.1) in each affected containment air lock. This ensures that a leak tight containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour. This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires containment be restored to OPERABLE status within 1 hour. Action A applies to any condition which affects only one side of the air lock such that closure of the opposite door maintains containment OPERABILITY.
Examples of an inoperable air lock door are cracked viewglass, equalizing valve leaking, or door seals leaking.

In addition, the affected air lock penetration must be isolated by locking closed an OPERABLE air lock door within the 24 hour Completion Time. The 24 hour Completion Time is considered reasonable for locking the OPERABLE air lock door, considering the OPERABLE door of the affected air lock is being maintained closed.

Required Action A.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and closed OPERABLE air lock door. This ensures that an acceptable containment leakage boundary is maintained. The Completion Time of once per 31 days is based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions.
The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls if both air locks have an inoperable door. This 7 day restriction begins when the second air lock is discovered inoperable. Containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS-required activities) if the containment was entered, using the inoperable air lock, to perform an allowed activity listed above. This allowance is acceptable due to the low probability of an event that could pressurize the containment during the short time that the OPERABLE door is expected to be open.

B.1, B.2, and B.3

With an air lock interlock mechanism inoperable in one or more air locks, the Required Actions and associated Completion Times are consistent with those specified in Condition A.

The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions.
Note 2 allows entry into and exit from containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).

Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

C.1, C.2, and C.3

With one or more air locks inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be initiated immediately to evaluate previous combined leakage rates using current air lock test results. An evaluation is acceptable since it is overly conservative to immediately declare the containment inoperable if both doors in an air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.g., only one seal per door has failed), containment remains OPERABLE, yet only 1 hour (per LCO 3.6.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.

Required Action C.2 requires that one door in the affected containment air lock must be verified to be closed. This action must be completed within the 1 hour Completion Time.
This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires that containment be restored to OPERABLE status within 1 hour.

Additionally, the affected air lock(s) must be restored to OPERABLE status within the 24 hour Completion Time. The specified time period is considered reasonable for restoring an inoperable air lock to OPERABLE status, assuming that at least one door is maintained closed in each affected air lock.

D.1 and D.2

If the inoperable containment air lock cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.2.1

Maintaining containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The acceptance criteria were established during initial air lock and containment OPERABILITY testing. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall containment leakage rate. The Frequency is required by the Containment Leakage Rate Testing Program and includes testing of the airlock doors following each closing, as specified.

The SR has been modified by two Notes.
Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR requiring the results to be evaluated against the acceptance criteria which is applicable to SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the combined Type B and C containment leakage rate.

SR 3.6.2.2

The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containment OPERABILITY while the air lock is being used for personnel transit into and out of containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of the inner and outer doors will not inadvertently occur. Due to the purely mechanical nature of this interlock, and given that the interlock mechanism is not normally challenged when containment is used for entry and exit (procedures require strict adherence to single door opening), this test is only required to be performed periodically. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix J, Option B.
2. UFSAR, Section 3.8.
3. UFSAR, Section 6.2.
4. UFSAR, Section 15.6

B 3.6 CONTAINMENT SYSTEMS

B 3.6.3 Containment Isolation Valves

BASES

BACKGROUND

The containment isolation valves form part of the containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be provided with two isolation barriers that are closed on an automatic isolation signal. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analysis. One of these barriers may be a closed system.

The containment penetration consists of the containment isolation valves and all piping and the associated vent, drain, and test valves located between the containment isolation valves (Ref. 7). All manual vent, drain, and test valves within a Containment Penetration (i.e., between the Containment Isolation Valves) will be maintained locked closed per the locked valve administrative program or surveilled closed per Technical Specification SR 3.6.3.3 or SR 3.6.3.4.

Containment penetration isolation criteria are governed by 10 CFR 50, Appendix A, General Design Criteria 54 through 57 (Ref. 6). The applicable GDC for each penetration can be found in UFSAR Table 6.2.4-1 (Ref. 1).
Containment isolation occurs upon receipt of a high containment pressure signal or a low pressurizer pressure signal. The containment isolation signal closes automatic containment isolation valves in fluid penetrations not required for operation of Engineered Safety Feature Systems in order to prevent leakage of radioactive material. Upon actuation of safety injection, automatic containment isolation valves also isolate systems not required for containment or RCS heat removal. Other penetrations are isolated by the use of valves in the closed position or blind flanges. As a result, the containment isolation valves (and blind flanges) help ensure that the containment atmosphere will be isolated in the event of a release of radioactive material to containment atmosphere from the RCS following a Design Basis Accident (DBA).

The OPERABILITY requirements for containment isolation valves help ensure that containment is isolated within the time limits assumed in the safety analysis. Therefore, the OPERABILITY requirements provide assurance that the containment function assumed in the accident analysis will be maintained. All containment isolation valves are considered to be required except for each 42 inch refueling purge valve when its flow path is isolated with a blind flange as allowed by Note 5 under LCO 3.6.3.

The purge valves were designed for intermittent operation, providing a means of removing airborne radioactivity caused by minor RCS leakage prior to personnel entry into containment. There are two sets of purge valves: refueling purge valves and power access purge valves.
The refueling and power access supply and exhaust lines are each supplied with inside and outside containment isolation valves but share common supply and exhaust headers.

The refueling purge valves are designed for purging the containment atmosphere to the unit stack while introducing filtered makeup from the outside to provide adequate ventilation for personnel comfort when the unit is shut down during refueling operations and maintenance. Motor operated isolation valves are provided inside and outside the containment. The valves are operated manually from the control room. The valves will close automatically upon receipt of a containment purge isolation actuation signal and a containment isolation actuation signal. Because of their large size, the refueling purge valves are not qualified for automatic closure from their open position under DBA conditions. Therefore, the refueling purge valves are maintained closed in MODES 1, 2, 3, and 4 or the flow paths of the refueling purge valves are isolated with blind flanges to ensure the containment boundary is maintained.

Open refueling purge valves, or a failure of the power access purge valves to close, following an accident that releases contamination to the containment atmosphere would cause a significant increase in the containment leakage rate.

APPLICABLE SAFETY ANALYSES

The containment isolation valve LCO was derived from the assumptions related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during major accidents. As part of the containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment.
Therefore, the safety analysis of any event requiring isolation of containment is applicable to this LCO. The DBAs that result in a release of radioactive material within containment are documented in UFSAR Chapters 6 and 15. In the analysis for each of these accidents, it is assumed that containment isolation valves are either closed or function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through containment isolation valves (including containment purge valves) are minimized. The safety analysis assumes that the refueling purge valves are closed at event initiation. The DBA analysis assumes that, within 60 seconds after the accident, isolation of the containment is complete and leakage terminated except for the design leakage rate, La. The power access purge valves are assumed to close within 12 seconds of the DBA. The containment isolation response time includes signal delay, diesel generator startup (for loss of offsite power), and containment isolation valve stroke times. The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the containment purge valves. Two valves in series on each purge line provide assurance that both the supply and exhaust lines could be isolated even if a single failure occurred. The inboard and outboard isolation valves on each line are provided with diverse power sources. The refueling purge valves may be unable to close in the environment following a LOCA. Therefore, each of the refueling purge valves is required to remain sealed closed during MODES 1, 2, 3, and 4 or the flow paths of the refueling purge valves are required to be isolated with blind flanges. In this case, the single failure criterion remains applicable to the containment refueling purge valves due to failure in the control circuit associated with each valve. 
Again, the purge system valve design precludes a single failure from compromising the containment boundary as long as the system is operated in accordance with the subject LCO.

The power access purge valves are capable of closing under accident conditions. Therefore, they are allowed to be open for limited periods during power operation.

The OPERABILITY of main steam safety valves, main steam isolation valves, main feedwater isolation valves, and main steam atmospheric dump valves is covered by Specifications 3.7.1, 3.7.2, 3.7.3 and 3.7.4 respectively.

The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Required containment isolation valves (CIVs) form a part of the containment boundary. A containment penetration is considered to be the area bounded by the inboard and outboard CIVs and includes all valves, piping, and connections within this boundary (e.g., vents, drains, and test connections) (Ref. 7). The containment isolation valve safety function is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during a DBA.

The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The refueling purge valves must be maintained sealed closed. All manual vent, drain, and test valves within a Containment Penetration (i.e., between the Containment Isolation Valves) will be maintained locked closed per the locked valve administrative program or surveilled closed per Technical Specification SR 3.6.3.3 or SR 3.6.3.4.
The valves covered by this LCO are listed with their associated stroke times in the UFSAR (Ref. 1). The analyses assume the containment is isolated within 60 seconds following an isolation signal (CIAS). All containment isolation valves are considered to be required except for each 42 inch refueling purge valve when its flow path is isolated with a blind flange tested in accordance with SR 3.6.1.1 as allowed by Note 5 under LCO 3.6.3. This is allowed because the blind flange, instead of the valve, provides the function of the containment boundary.

Required CIVs are considered OPERABLE for LCO 3.6.3 when they are closed (i.e., manual valves are closed, automatic valves are de-activated and secured in their closed position), blind flanges are in place, and closed systems are intact. The Steam Generating System and the Containment Pressure Monitoring System are the only credited closed systems at PVNGS. Placement of CIVs in this configuration may impact the operability of the associated system. If the required valve surveillances have lapsed for a CIV secured in its closed position, the CIV is considered OPERABLE for LCO 3.6.3 because it was OPERABLE when it isolated the penetration and it continues to perform its isolation function (Ref. 9). The passive isolation valves or devices are those listed in Reference 2.

The general actions for an inoperable CIV are to isolate the associated penetration with a component that is not susceptible to an active failure (i.e., a passive component). The appropriate LCO 3.6.3 Condition for each CIV is listed in TRM Table 7.0.300.
In addition, isolation of an inoperable CIV should be made with a valve(s) having similar leakage criteria to preserve the overall containment leakage rate. For example, if a Type C tested CIV becomes inoperable, a Type C tested valve should be used for isolation purposes. If an inoperable Type C tested CIV cannot be isolated with another Type C tested valve, then another valve may be used to isolate the penetration per LCO 3.6.3, but engineering shall evaluate this condition to ensure the overall CONTAINMENT leakage rate remains valid per the requirements of LCO 3.6.1 (Ref. 8). Check valves used to isolate a containment penetration are considered secured in their actuated position when flow through the valve is secured and prevented from unintentional operation (i.e., all upstream flow paths are isolated and administratively controlled). This administrative control process will be via use of a permit or the locked valve program for those upstream sources. Certain containment penetrations with multiple piping connections require isolating the upstream source in lieu of crediting the inboard check valve when the CIV outside containment becomes inoperable. The following penetrations are provided as examples:

  • AFA-V079 and AFB-V080 - AFW - Pen 75 and 76
  • SIE-V113, -V123, -V133, and -V143 - HPSI - Pen 13 through 16

For the above examples, preventing flow through, and unintentional operation of, the inboard check valve would impact multiple trains of equipment; therefore, this condition is undesirable. In that case, the inoperable CIV is isolated using an upstream passive device, the associated train is declared inoperable, the applicable LCO Condition is entered, and the Required Actions performed.

Manual containment isolation valves include those specified in TRM Table 7.0.300, manual valves used to isolate a penetration (including a deactivated, non-automatic valve), and all vents, drains, and test connections located within a containment penetration. Manual containment isolation valves may be opened intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. This operator may have other concurrent duties as long as those duties do not impact the ability to close the valve within 60 seconds when containment isolation is required. The Shift Manager/CRS determines the allowable concurrent duties. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.

Manual vent, drain and test connection valves within a penetration may be opened under administrative control on only one side of the containment wall.
The opening of a manual vent, drain and test connection valve on both sides of the containment wall provides a direct bypass of the containment barrier and would necessitate declaring the penetration inoperable per LCO 3.6.3 and could impact containment operability per LCO 3.6.1. Containment Isolation Valves (CIVs) required open during accident conditions are considered "dual function" valves and may be secured in the closed position to conservatively comply with LCO 3.6.3. However, a closed CIV would result in entry into the applicable system LCO. When a CIV required OPEN during accident conditions becomes inoperable, and there is only one CIV in the penetration, and plant and/or equipment conditions do not support securing the CIV in the closed position to restore operability per LCO 3.6.3, an alternate valve (including a non-automatic, non-manual valve) in the piping connected to the affected penetration may be used as an isolation valve to satisfy the requirement of LCO 3.6.3. The alternate valve must be secured in the closed position and prevented from unintentional operation (via PVNGS administrative controls such as the locked valve or clearance and tagging program or the removal of motive power, as appropriate), and any vent/drain valve and test connection within the new boundary must be closed and capped.

To ensure penetration integrity, it is only allowable to use an alternate valve as the isolation valve in the affected penetration if the piping between the inoperable CIV and the valve used for penetration isolation have both of the following characteristics:

  • A pressure rating equivalent to the containment design pressure (i.e., 60 psig) AND
  • The inoperable CIV does not require Type "C" testing (reference the list of CIVs in the Technical Requirements Manual).

Alternatively, some "dual function" CIVs may be administratively controlled in their ESF actuated open position (to prevent unintentional operation) to comply with both LCO 3.6.3 and the associated system LCO. When placed in the OPEN position and OPERABLE pursuant to LCO 3.6.3, the control room's ability to remote-manually close the valve for containment isolation must be maintained (i.e., actuating and control power must be retained). The administrative controls prevent a valve from unintentional operation. This position ensures compliance with containment isolation functions specified by General Design Criteria 54 through 57. The valve is inoperable and entry into the applicable action statement of LCO 3.6.3 will be required until the administrative controls are in place. If, for any reason, a CIV is placed in the administratively controlled OPEN position to remain OPERABLE pursuant to LCO 3.6.3, the cause of the condition will be identified and corrected at the earliest opportunity.

Although system limitations preclude placing a number of "dual function" CIVs in the open position, the following valves are subject to being placed in the OPEN position and remaining OPERABLE pursuant to LCO 3.6.3 with administrative controls to prevent unintentional operation and retain the control room's remote-manual closure capability:

  • Containment Hydrogen Monitoring CIVs: HPA-HV-007A, HPA-HV-007B, HPB-HV-008A, and HPB-HV-008B
  • HPSI Injection Valves: SIB-UV-616, SIA-UV-617, SIB-UV-626, SIA-UV-627, SIB-UV-636, SIA-UV-637, SIB-UV-646, and SIA-UV-647
  • LPSI Flow Control Valves: SIB-UV-615, SIB-UV-625, SIA-UV-635, and SIA-UV-645
  • RCP Seal Injection Isolation Valve: CHB-HV-255

The following valves are normally OPEN and considered OPERABLE pursuant to LCO 3.6.3 with no additional actions required (i.e., Control Room remote-manual closure capability need not be maintained):

  • Containment Pressure Monitoring CIVs: HCA-HV-074, HCB-HV-075, HCC-HV-076, and HCD-HV-077
  • Normal Charging Line Isolation Valve: CHA-HV-524

For inoperable Appendix R credited valves secured in the closed position, actions must be taken per PVNGS Administrative Controls to ensure time limitations are not exceeded.

Required purge valves with resilient seals must meet additional leakage rate requirements. The other containment isolation valve leakage rates are addressed by LCO 3.6.1, "Containment," as Type C testing.

Each required containment isolation valve shall be demonstrated OPERABLE prior to returning the valve to service after maintenance, repair, or replacement work is performed on the valve or its associated actuator, control, or power circuit.

This LCO provides assurance that the required containment isolation valves and purge valves will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Therefore, the containment isolation valves are not required to be OPERABLE in MODE 5. The requirements for containment isolation valves during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS

The ACTIONS are modified by a Note allowing penetration flow paths, except for 42 inch purge valve penetration flow paths, to be unisolated intermittently under administrative controls. This note is also applicable to those penetrations isolated due to an inoperable containment isolation valve and to the operation of manual vents, drains, and test connections within a containment penetration boundary (including those within the 42" purge valve penetrations, but excluding the 42" purge valves themselves). Furthermore, this note is applicable to manual vents, drains, and test connections within the expanded boundaries of a penetration. Manual valves used to isolate a penetration and/or vent, drain and test connection valves within a penetration may be opened under administrative control on only one side of the containment wall. Opening manual valves on both sides of the containment wall such that the containment atmosphere is in direct communication with outside is not permitted. These administrative controls consist of stationing an operator at each opened valve control, who is in continuous communication with the control room, and can close the specified valve within 60 seconds; concurrent duties (as determined by the Shift Manager/CRS) do not adversely impact the 60-second criterion. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.
Due to the size of the containment refueling purge line penetration and the fact that those penetrations exhaust directly from the containment atmosphere to the environment, these valves may not be opened under administrative controls. As allowed per SR 3.6.3.1, this restriction does not preclude opening a single refueling purge valve such that the penetration remains isolated. A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation valve. Complying with the Required Actions may allow for continued operation. A subsequent inoperable containment isolation valve in a different containment penetration is governed by subsequent Condition entry and application of the associated Required Actions. This Note is not applicable for a second problem identified in a penetration flow path that is already inoperable (i.e., a containment penetration had previously been identified as having an inoperable component); in that case, the initial time constraints are predicated on the first, initial inoperability of the applicable penetration. The ACTIONS are further modified by a third Note, which ensures that appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inoperable containment isolation valve. A fourth Note has been added that requires entry into the applicable Conditions and Required Actions of LCO 3.6.1 when leakage results in exceeding the overall containment leakage limit. A fifth note has been added specifying that when the flow path of a 42 inch purge valve is isolated with a blind flange tested in accordance with SR 3.6.1.1, the valve is not a required containment isolation valve. 
This is allowed because the blind flange, instead of the valve, provides the function of the containment boundary.

A.1 and A.2

In the event one required containment isolation valve in one or more penetration flow paths is inoperable except for purge valve leakage not within limit (refer to Action D), the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve (including a de-activated non-automatic valve), a blind flange, and a check valve with flow through the valve secured. Compliance with this Action is established via:

1) Administrative controls (i.e., permit) on the de-activated automatic valve, closed manual valve, blind flange, or check valve, and
2) Administrative controls (i.e., permit or Locked Valve/Breaker/Component Control lock) on vents, drains, and test connections located within the containment penetration.

Instruments (i.e., flow/pressure transmitters) located within the penetration that are not removed from service for maintenance nor open to the atmosphere are considered a closed loop portion of the associated penetration; therefore, isolation valves associated with instruments meeting this criteria need not be isolated nor otherwise administratively controlled to comply with the requirements of this Action.

For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available one to containment. Required Action A.1 must be completed within the 4 hour Completion Time. The 4 hour Completion Time is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4.

For affected penetration flow paths that cannot be restored to OPERABLE status within the 4 hour Completion Time and that have been isolated in accordance with Required Action A.1, the affected penetration flow paths must be verified to be isolated on a periodic basis. This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of being automatically isolated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation.
Rather, it involves verification, through a system walkdown, that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside containment" is appropriate considering the fact that the devices are operated under administrative controls and the probability of their misalignment is low. For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility. Condition A has been modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves. For penetration flow paths with only one containment isolation valve and a closed system, Condition C provides appropriate actions. Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these devices, once they have been verified to be in the proper position, is small.

B.1

With two required containment isolation valves in one or more penetration flow paths inoperable except for purge valve leakage not within limit (refer to Action D), the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve (including a de-activated non-automatic valve), and a blind flange. Compliance with this Action is established via:

1) Administrative controls (i.e., permit) on the de-activated automatic valve, closed manual valve, or blind flange, and
2) Administrative controls (i.e., permit or Locked Valve/Breaker/Component Control lock) on vents, drains, and test connections located within the containment penetration.

Instruments (i.e., flow/pressure transmitters) located within the penetration that are not removed from service for maintenance nor open to the atmosphere are considered a closed loop portion of the associated penetration; therefore, isolation valves associated with instruments meeting this criteria need not be isolated nor otherwise administratively controlled to comply with the requirements of this Action.

The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect.
This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative controls and the probability of their misalignment is low.

Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two containment isolation valves. Condition A of this LCO addresses the condition of one containment isolation valve inoperable in this type of penetration flow path.

C.1 and C.2

With one or more required penetration flow paths with one containment isolation valve inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve (including a de-activated non-automatic valve), and a blind flange. Compliance with this Action is established via:

1) Administrative controls (i.e., permit) on the de-activated automatic valve, closed manual valve, or blind flange and
2) Administrative controls (i.e., permit or Locked Valve/Breaker/Component Control lock) on vents, drains, and test connections located within the containment penetration.

Instruments (i.e., flow/pressure transmitters) located within the penetration that are not removed from service for maintenance nor open to the atmosphere are considered a closed loop portion of the associated penetration; therefore, isolation valves associated with instruments meeting this criteria need not be isolated nor otherwise administratively controlled to comply with the requirements of this Action. A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within the 4 hour Completion Time. The specified time period is reasonable, considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4. In the event the affected penetration is isolated in accordance with Required Action C.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This is necessary to assure leak tightness of containment and that containment penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying that each affected penetration flow path is isolated is appropriate considering the valves are operated under administrative controls and the probability of their misalignment is low. Condition C is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with only one containment isolation valve and a closed system. The only credited closed systems are the Steam Generating and the Containment Pressure Monitoring Systems. 
This Note is necessary since this Condition is written to specifically address those penetration flow paths which are neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere (10 CFR 50, APP. A, GDC 57).

Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is small.

D.1, D.2, and D.3

In the event one or more required containment purge valves in one or more penetration flow paths are not within the purge valve leakage limits, purge valve leakage must be restored to within limits, or the affected penetration must be isolated. The method of isolation must be by the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve with resilient seals, or a blind flange. A purge valve with resilient seals utilized to satisfy Required Action D.1 must have been demonstrated to meet the leakage requirements of SR 3.6.3.6.
Compliance with this Action is established via:

1) Administrative controls (i.e., permit) on the de-activated automatic valve with resilient seals or blind flange, and
2) Administrative controls (i.e., permit or Locked Valve/Breaker/Component Control lock) on vents, drains, and test connections located within the containment penetration.

Instruments (i.e., flow/pressure transmitters) located within the penetration that are not removed from service for maintenance nor open to the atmosphere are considered a closed loop portion of the associated penetration; therefore, isolation valves associated with instruments meeting this criteria need not be isolated nor otherwise administratively controlled to comply with the requirements of this Action.

The specified Completion Time is reasonable, considering that one containment purge valve remains closed so that a gross breach of containment does not exist.

In accordance with Required Action D.2, this penetration flow path must be verified to be isolated on a periodic basis. The periodic verification is necessary to ensure that containment penetrations required to be isolated following an accident, which are no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those isolation devices outside containment capable of being mispositioned are in the correct position.
For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility.

For the required containment purge valve with a resilient seal that is isolated in accordance with Required Action D.1, SR 3.6.3.6 must be performed at least once every 92 days. This assures that degradation of the resilient seal is detected and confirms that the leakage rate of the containment purge valve does not increase during the time the penetration is isolated. The normal Frequency for SR 3.6.3.6, 184 days, is based on an NRC initiative, Generic Issue B-20 (Ref. 3). Since more reliance is placed on a single valve while in this Condition, it is prudent to perform the SR more often. Therefore, a Frequency of once per 92 days was chosen and has been shown to be acceptable based on operating experience.

E.1 and E.2

If the Required Actions and associated Completion Times are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE REQUIREMENTS

SR 3.6.3.1

This Surveillance is designed to ensure that a gross breach of containment is not caused by an inadvertent or spurious opening of a 42 inch containment purge valve. Detailed analysis of the refueling purge valves failed to conclusively demonstrate their ability to close during a LOCA in time to limit offsite doses. Therefore, these valves are required to be in the sealed closed position during MODES 1, 2, 3, and 4. A required containment purge valve that is sealed closed must have motive power to the valve operator removed. This can be accomplished by de-energizing the source of electric power. In this application, the term "sealed" has no connotation of leak tightness. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is not required to be met while in Condition D of this LCO. This is reasonable since the penetration flow path would be isolated.

SR 3.6.3.2

This SR ensures that the power access purge valves are closed as required or, if open, open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable. If the inoperable valve is not otherwise known to have excessive leakage when closed, it is not considered to have leakage outside of limits. The SR is not required to be met when the purge valves are open for pressure control, ALARA or air quality considerations for personnel entry, or for Surveillances that require the valves to be open. The power access purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.3.3

This SR requires verification that each containment isolation manual valve and blind flange located outside containment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those containment isolation valves outside containment and capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Containment isolation valves that are open under administrative controls are not required to meet the SR during the time the valves are open. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing or securing.

The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, 3, 4 and for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in the proper position, is small.
SR 3.6.3.4

This SR requires verification that each containment isolation manual valve and blind flange located inside containment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the containment boundary is within design limits. For containment isolation valves inside containment, the Frequency of "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is appropriate, since these containment isolation valves are operated under administrative controls and the probability of their misalignment is low. Containment isolation valves that are open under administrative controls are not required to meet the SR during the time that they are open. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing or securing.

The Note allows valves and blind flanges located in high radiation areas to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, 3 and 4 for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in their proper position, is small.

SR 3.6.3.5

Verifying that the isolation time of each required automatic power operated containment isolation valve is within limits is required to demonstrate OPERABILITY.
The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analysis. The isolation time and Frequency of this SR are in accordance with the Inservice Testing Program.

SR 3.6.3.6

For required containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10 CFR 50, Appendix J, Option B (Ref. 5), is required to ensure OPERABILITY. Industry operating experience has demonstrated that this type of seal has the potential to degrade in a shorter time period than do other seal types. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Additionally, this SR must be performed within 92 days after opening the valve. The 92 day Frequency was chosen recognizing that cycling the valve could introduce additional seal degradation (beyond that occurring to a valve that has not been opened). Thus, decreasing the interval is a prudent measure after a valve has been opened.

SR 3.6.3.7

Required automatic containment isolation valves close on a containment isolation signal to prevent leakage of radioactive material from containment following a DBA. This SR ensures each required automatic containment isolation valve will actuate to its isolation position on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 6.2.4.
2. UFSAR, Section 6.2.6.
3. Generic Issue B-20.
4. Generic Issue B-24.

5. 10 CFR 50, Appendix J, Option B.
6. 10 CFR 50, Appendix A
7. CL Design Basis Manual
8. CRDR 106542
9. CRDR 2326591

PALO VERDE UNITS 1,2,3 B 3.6.4-1 REVISION 53

B 3.6 CONTAINMENT SYSTEMS
B 3.6.4 Containment Pressure
BASES

BACKGROUND

The containment pressure is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a Loss Of Coolant Accident (LOCA) or Main Steam Line Break (MSLB). These limits also prevent the containment pressure from exceeding the containment design negative pressure differential with respect to the outside atmosphere in the event of inadvertent actuation of the Containment Spray System.

Containment pressure is a process variable that is monitored and controlled. The containment pressure limits are derived from the input conditions used in the containment functional analyses and the containment structure external pressure analysis. Should operation occur outside these limits coincident with a Design Basis Accident (DBA), post accident containment pressures could exceed calculated values.

APPLICABLE SAFETY ANALYSES

Containment internal pressure is an initial condition used in the DBA analyses to establish the maximum peak containment internal pressure. The limiting DBAs considered for determining the maximum containment internal pressure (Pa) are the LOCA and MSLB. A double ended discharge line break LOCA with maximum ECCS results in the highest calculated internal containment pressure of 58.0, which is below the internal design pressure of 60 psig. The postulated DBAs are analyzed assuming degraded containment Engineered Safety Feature (ESF) Systems (i.e., assuming the loss of one ESF bus, which is the worst case single active failure, resulting in one train of the Containment Spray System being rendered inoperable). It is this maximum containment pressure that is used to ensure that the licensing basis dose limitations are met.

The initial pressure condition used in the containment analysis bounds the containment pressure allowed during normal operation. The LCO limit of 2.5 psig ensures that, in the event of an accident, the maximum peak containment internal pressure, 58.0 psig, and the maximum accident design pressure for containment, 60 psig, are not exceeded.

The containment was also designed for an excess external pressure of 4.0 psig to withstand the resultant pressure drop from an accidental actuation of the Containment Spray System. The maximum external pressure loading that would occur as a result of this transient is when the minimum internal pressure of -3.5 psig is reached. This is based on an initial containment pressure of -1.0 psig (The lower technical specification limit plus instrument uncertainty) and the calculated pressure drop of 2.5 psi.

The upper LCO limit of 2.5 psig does not compensate for any instrument inaccuracies. Use of an indicated limit of 1.8 psig ensures that the actual limit of 2.5 psig will not be exceeded. The lower LCO limit of -0.3 psig has been derived to account for instrument inaccuracies. The indicated limit of -0.3 psig ensures that the actual limit of -1.0 psig will not be exceeded. (Ref. 3)

Containment pressure satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).
LCO

Maintaining containment pressure less than or equal to the LCO upper pressure limit ensures that, in the event of a DBA, the resultant peak containment accident pressure will remain below the containment design pressure. Maintaining containment pressure greater than or equal to the LCO lower pressure limit ensures that the containment will not exceed the design negative pressure differential following the inadvertent actuation of the Containment Spray System.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. Since maintaining containment pressure within limits is essential to ensure initial conditions assumed in the accident analysis are maintained, the LCO is applicable in MODES 1, 2, 3, and 4.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment pressure within the limits of the LCO is not required in MODE 5 or 6.

ACTIONS

A.1

When containment pressure is not within the limits of the LCO, containment pressure must be restored to within these limits within 1 hour. The Required Action is necessary to return operation to within the bounds of the containment analysis. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1, "Containment," which requires that containment be restored to OPERABLE status within 1 hour.

B.1 and B.2

If containment pressure cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply.
To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.4.1

Verifying that containment pressure is within limits ensures that operation remains within the limits assumed in the accident analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 6.2.1.
2. UFSAR, Section 7.2.
3. Calculation 13-JC-HC-201.

B 3.6 CONTAINMENT SYSTEMS

B 3.6.5 Containment Air Temperature

BASES

BACKGROUND

The containment structure serves to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA). The containment average air temperature is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a Loss Of Coolant Accident (LOCA) or Main Steam Line Break (MSLB).

The containment average air temperature limit is derived from the input conditions used in the containment functional analyses and the containment structure external pressure analyses. This LCO ensures that initial conditions assumed in the analysis of containment response to a DBA are not violated during unit operations.
The total amount of energy to be removed from containment by the Containment Spray System during post accident conditions is dependent on the energy released to the containment due to the event, as well as the initial containment temperature and pressure. The higher the initial temperature, the more energy that must be removed, resulting in a higher peak containment pressure and temperature. Exceeding containment design pressure may result in leakage greater than that assumed in the accident analysis (Ref. 1). Operation with containment temperature in excess of the LCO limit violates an initial condition assumed in the accident analysis.

APPLICABLE SAFETY ANALYSES

Containment average air temperature is an initial condition used in the DBA analyses that establishes the containment environmental qualification operating envelope for both pressure and temperature. The limit for containment average air temperature ensures that operation is maintained within the assumptions used in the DBA analysis for containment. The accident analyses and evaluations considered both LOCAs and MSLBs for determining the maximum peak containment pressures and temperatures. The worst case LOCA generates larger mass and energy releases than the worst case MSLB; however, the MSLB event results in a higher peak temperature than the LOCA event.

The initial pre-accident temperature inside containment was assumed to be 120°F (Ref. 2). The initial containment average air temperature condition of 120°F resulted in a maximum vapor temperature in containment of 405.65°F.
The temperature of the containment steel liner reached approximately 244°F. The containment average air temperature limit of 120°F ensures that, in the event of an accident, the maximum design temperature for the containment steel liner, 300°F, is not exceeded. The consequence of exceeding this design temperature may be the potential for degradation of the containment structure under accident loads.

The LCO limit of 117°F has been derived to account for instrument inaccuracies. The indicated limit of 117°F ensures that the actual limit of 120°F will not be exceeded.

Containment average air temperature satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

During a DBA, with an initial containment average air temperature less than or equal to the LCO temperature limit, the resultant peak accident temperature is maintained below the containment design temperature. As a result, the ability of containment to perform its function is ensured.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment average air temperature within the limit is not required in MODE 5 or 6.

ACTIONS

A.1

When containment average air temperature is not within the limit of the LCO, it must be restored to within limit within 8 hours. This Required Action is necessary to return operation to within the bounds of the containment analysis.
The 8 hour Completion Time is acceptable considering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems.

B.1 and B.2

If the containment average air temperature cannot be restored to within its limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.5.1

Verifying that containment average air temperature is within the LCO limit ensures that containment operation remains within the limit assumed for the containment analyses. In order to determine the containment average air temperature, an arithmetic average is calculated using measurements taken at locations within the containment selected to provide a representative sample of the overall containment atmosphere. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Primary containment average air temperature is determined by taking the arithmetical average of the temperatures at any five of the following locations:

a. Nominal Elevation 85' - 0"
b. Nominal Elevation 85' - 0"
c. Nominal Elevation 126' - 0"
d. Nominal Elevation 126' - 0"
e. Nominal Elevation 145' - 0"
f. Nominal Elevation 188' - 0"
g. Nominal Elevation 188' - 0"

REFERENCES

1. UFSAR, Section 6.2.
2. UFSAR, Section 9.4.

B 3.6 CONTAINMENT SYSTEMS

B 3.6.6 Containment Spray System

BASES

BACKGROUND

The Containment Spray System provides containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduce the release of fission product radioactivity from containment to the environment, in the event of a Design Basis Accident (DBA), to within limits.

The Containment Spray System is designed to the requirements of 10 CFR 50, Appendix A, GDC 38, "Containment Heat Removal," GDC 39, "Inspection of Containment Heat Removal Systems," GDC 40, "Testing of Containment Heat Removal Systems," GDC 41, "Containment Atmosphere Cleanup," GDC 42, "Inspection of Containment Atmosphere Cleanup Systems," and GDC 43, "Testing of Containment Atmosphere Cleanup Systems" (Ref. 1).

The Containment Spray System is an Engineered Safety Feature (ESF) System. It is designed to ensure that the heat removal capability required during the post accident period can be attained.

The Containment Spray System consists of two separate trains of equal capacity, each capable of meeting the design bases. Each train includes a containment spray pump, a shutdown cooling heat exchanger, spray headers, nozzles, valves, and piping. Each train is powered from a separate ESF bus. The Refueling Water Tank (RWT) supplies borated water to the containment spray during the injection phase of operation. In the recirculation mode of operation, containment spray pump suction is transferred from the RWT to the containment sump(s).

The Containment Spray System provides a spray of cold borated water into the upper regions of containment to reduce containment pressure and temperature, to provide hydrogen mixing, and to reduce the concentration of fission products in the containment atmosphere during a DBA. The RWT solution temperature is an important factor in determining the heat removal capability of the Containment Spray System during the injection phase.
In both the injection phase and the recirculation mode of operation, heat is removed from the spray water by the shutdown cooling heat exchangers. Each train of the Containment Spray System provides adequate spray coverage to meet 100% of the system design requirements for containment heat removal and 100% of the iodine removal design bases.

The Containment Spray System is actuated either automatically by a containment High-High pressure signal or manually. An automatic actuation starts the two Containment Spray System pumps, opens the containment spray header isolation valves and begins the injection phase. A manual actuation of the Containment Spray System is available on the main control board to begin the same sequence. The injection phase continues until an RWT level Low signal is received. The Low level for the RWT generates a recirculation actuation signal that aligns valves from the containment spray pump suction to the containment sump. The Containment Spray System in recirculation mode maintains an equilibrium temperature between the containment atmosphere and the recirculated sump water. Operation of the Containment Spray System in the recirculation mode is controlled by the operator in accordance with the emergency operating procedures.

Hydrogen mixing within the containment is accomplished by the Containment Spray System and the containment internal structure design, which permits convective mixing and prevents entrapment. The Containment Spray System prevents localized accumulations of hydrogen.
The Containment Spray System reduces the potential for breach of containment due to a hydrogen oxygen reaction by providing a uniformly mixed post accident containment atmosphere, thereby minimizing the potential for local hydrogen burns due to a local pocket of hydrogen above the flammable concentration and giving the operator the capability of preventing the occurrence of a bulk hydrogen burn inside containment per 10 CFR 50.44, "Standards for Combustible Gas Control Systems in Light-Water-Cooled Reactors" (Ref. 7), and 10 CFR 50, GDC 41, "Containment Atmosphere Cleanup" (Ref. 1).

The Containment Spray System accelerates the air mixing process between the upper dome space of the containment atmosphere during LOCA operations. It also prevents any hot spot air pockets during the containment cooling mode and avoids any hydrogen concentration in pocket areas.

APPLICABLE SAFETY ANALYSES

The Containment Spray System limits the temperature and pressure that could be experienced following a DBA. The Containment Spray System is required to be capable of reducing containment pressure to 1/2 the peak pressure within 24 hours following a DBA. The limiting DBAs considered relative to containment temperature and pressure are the Loss Of Coolant Accident (LOCA) and the Main Steam Line Break (MSLB). The DBA LOCA and MSLB are analyzed using computer codes designed to predict the resultant containment pressure and temperature transients. No DBAs are assumed to occur simultaneously or consecutively.
The postulated DBAs are analyzed with regard to containment ESF systems, assuming the loss of one ESF bus, which is the worst case single active failure, resulting in one train of the Containment Spray System being rendered inoperable.

The analysis and evaluation show that under the worst case scenario, the highest peak containment pressure is 58.0 psig (experienced during a LOCA). The analysis shows that the peak containment vapor temperature is 405.65°F (experienced during a MSLB). Both results are within the design. (See the Bases for Specifications 3.6.4, "Containment Pressure," and 3.6.5, "Containment Air Temperature," for a detailed discussion.) The analyses and evaluations assume a power level of 102% RTP, one containment spray train operating, and initial (pre-accident) conditions of 120°F and 16.7 psia (LOCA) and 13.22 psia (MSLB). The analyses also assume a response time delayed initiation in order to provide a conservative calculation of peak containment pressure and temperature responses.

The effect of an inadvertent containment spray actuation has been analyzed and is discussed in the Bases for Specification 3.6.4.

The modeled Containment Spray System actuation from the containment analysis is based upon a response time associated with exceeding the containment High-High pressure setpoint to achieve full flow through the containment spray nozzles. The Containment Spray System total response time includes diesel generator startup (for loss of offsite power), block loading of equipment, containment spray pump startup, and spray line filling (Ref. 2).

The Containment Spray System mixes the containment atmosphere to provide a uniform hydrogen concentration.
Hydrogen may accumulate in containment following a LOCA as a result of:

a. A metal steam reaction between the zirconium fuel rod cladding and the reactor coolant;
b. Radiolytic decomposition of water in the Reactor Coolant System (RCS) and the containment sump;
c. Hydrogen in the RCS at the time of the LOCA (i.e., hydrogen dissolved in the reactor coolant and hydrogen gas in the pressurizer vapor space); or
d. Corrosion of metals exposed to Containment Spray System and Emergency Core Cooling Systems solution.

To evaluate the potential for hydrogen accumulation in containment following a LOCA, the hydrogen generation as a function of time following the initiation of the accident is calculated. Conservative assumptions recommended by Reference 8 are used to maximize the amount of hydrogen calculated.

The Containment Spray System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

During a DBA, one containment spray train is required to maintain the containment peak pressure and temperature below the design limits (Ref. 5), to remove iodine from the containment atmosphere to maintain concentrations below those assumed in the safety analysis, and provide hydrogen mixing. To ensure that these requirements are met, two containment spray trains must be OPERABLE. Each spray train must be capable of taking suction from the RWT on a containment spray actuation signal and automatically transferring suction to the containment sump on a recirculation actuation signal. Each spray train flow path from the containment sump shall be via an OPERABLE shutdown cooling heat exchanger.
Therefore, in the event of an accident, the minimum requirements are met, assuming that the worst case single active failure occurs.

Each Containment Spray System typically includes a spray pump, a shutdown cooling heat exchanger, spray headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWT upon an ESF actuation signal and automatically transferring suction to the containment sump.

APPLICABILITY

In MODES 1, 2, and 3, and MODE 4 with RCS pressure ≥ 385 psia, a DBA could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the containment spray trains.

In MODE 4 with RCS pressure < 385 psia and MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Thus, the Containment Spray System is not required to be OPERABLE in these MODES.

ACTIONS

A.1

With one containment spray train inoperable, the inoperable containment spray train must be restored to OPERABLE status within 72 hours. In this Condition, the remaining OPERABLE spray train is adequate to perform the iodine removal, hydrogen mixing, and containment cooling functions. The 72 hour Completion Time takes into account the redundant heat removal capability afforded by the Containment Spray System, reasonable time for repairs, and the low probability of a DBA occurring during this period.
B.1 and B.2

If the inoperable containment spray train cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 with RCS pressure < 385 psia within 84 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. The extended interval to reach MODE 4 with RCS pressure < 385 psia allows additional time for the restoration of the containment spray train and is reasonable when considering that the driving force for a release of radioactive material from the Reactor Coolant System is reduced in MODE 3.

C.1

With two containment spray trains inoperable, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE REQUIREMENTS

SR 3.6.6.1

Verifying the correct alignment for manual, power operated, and automatic valves in the containment spray flow path provides assurance that the proper flow paths will exist for Containment Spray System operation (positioned to take suction from the RWT on a containment spray actuation test signal [CSAS]). This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to being secured. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves.
This SR does not require any testing or valve manipulation. Rather, it involves verifying, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.6.2

Verifying that the containment spray header piping is full of water to the 113 ft level minimizes the time required to fill the header. This ensures that spray flow will be admitted to the containment atmosphere within the time frame assumed in the containment analysis. The analyses show that the header may be filled with unborated water, which helps to reduce boron plate out due to evaporation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The value of 113 ft is an indicated value which accounts for instrument uncertainty.

SR 3.6.6.3

Verifying that each containment spray pump's developed head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by the ASME OM Code (Ref. 6). Since the containment spray pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow (either full flow or miniflow as conditions permit). This test is indicative of overall performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.
SR 3.6.6.4 and SR 3.6.6.5

These SRs verify that each automatic containment spray valve actuates to its correct position and that each containment spray pump starts upon receipt of an actual or simulated safety injection actuation signal, recirculation actuation signal and containment spray actuation signal as applicable. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The surveillance of containment sump isolation valves is also required by SR 3.5.3.5. A single surveillance may be used to satisfy both requirements.

SR 3.6.6.6

Unobstructed flow headers and nozzles are determined by either flow testing or visual inspection. With the containment spray inlet valves closed and the spray header drained of any solution, low pressure air or smoke can be blown through test connections. Performance of this SR demonstrates that each spray nozzle is unobstructed and provides assurance that spray coverage of the containment during an accident is not degraded. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 38, GDC 39, GDC 40, GDC 41, GDC 42, and GDC 43.
2. UFSAR, Section 6.2.
3. UFSAR, Section 6.5.
4. UFSAR, Section 7.3.
5. UFSAR, Section 3.1.34.
6. ASME Code for Operation and Maintenance of Nuclear Power Plants.
7. 10 CFR 50.44.
8. Regulatory Guide 1.7, Revision 0.

B 3.7 PLANT SYSTEMS

B 3.7.1 Main Steam Safety Valves (MSSVs)

BASES

BACKGROUND

The primary purpose of the MSSVs is to provide overpressure protection for the secondary system. The MSSVs also provide protection against overpressurizing the Reactor Coolant Pressure Boundary (RCPB) by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not available.

Five MSSVs are located on each of the four main steam lines, outside containment, upstream of the main steam isolation valves, as described in the UFSAR, Section 5.2 (Ref. 1). The MSSV rated capacity passes the full steam flow at 102% RTP (100% + 2% for instrument error) with the valves full open. This meets the requirements of the ASME Code, Section III (Ref. 2). The MSSV design includes staggered setpoints, according to Table 3.7.1-2, in the accompanying LCO, so that only the number of valves needed will actuate. Staggered setpoints reduce the potential for valve chattering if there is insufficient steam pressure to fully open all valves.

APPLICABLE SAFETY ANALYSES

The design basis for the MSSVs comes from Reference 2; its purpose is to limit secondary system pressure to 110% of design pressure when passing 100% of design steam flow. This design basis is sufficient to cope with any Anticipated Operational Occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.

The events that challenge the MSSV relieving capacity, and thus RCS pressure, are those characterized as decreased heat removal events, and are presented in the FSAR, Section 15.2 (Ref. 3).
Of these, the full power Loss Of Condenser Vacuum (LOCV) event is the limiting AOO. An LOCV isolates the turbine and condenser, and terminates normal feedwater flow to the steam generators. Peak Main Steam System and Reactor Coolant System (RCS) pressure occur before delivery of auxiliary feedwater to the steam generators. The peak pressures become high enough to actuate both the Main Steam Safety Valves (MSSVs) and Pressurizer Safety Valves, but remain less than 110% of the design (1397 and 2750 psia for main steam system and RCS, respectively). The LOCV Secondary Peak Pressure event is the limiting decrease in heat removal transient for determining the maximum allowed thermal power with inoperable MSSVs.

The limiting accident for peak RCS pressure is the full power feedwater line break (FWLB), inside containment, with the failure of the backflow check valve in the feedwater line from the affected steam generator. Water from the affected steam generator is assumed to be lost through the break with minimal additional heat transfer from the RCS. With heat removal limited to the unaffected steam generator, the reduced heat transfer causes an increase in RCS temperature, and the resulting RCS fluid expansion causes an increase in pressure. The increase in Main Steam and Reactor Coolant System pressure is mitigated by the relief capacity of the Main Steam Safety Valves (MSSVs) and pressurizer safety valves. The peak pressures do not exceed 120% of the design pressure (1524 psia and 3000 psia for main steam and RCS, respectively). These results were found acceptable by the NRC based on the low probability of the event.
In MODE 3, one MSSV per steam generator (two total) have sufficient relieving capacity to dissipate core decay heat and reactor coolant pump heat to limit secondary system pressure to less than or equal to 110% of design pressure, as required by ASME Code, Section III (Ref. 2). A minimum of two MSSVs per steam generator are required to be operable in Mode 3 in case of a single failure of one of the valves in either steam generator.

The MSSVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO requires all MSSVs to be OPERABLE in compliance with Reference 2, even though this is not a requirement of the DBA analysis. This is because operation with less than the full number of MSSVs requires limitations on allowable THERMAL POWER (to meet Reference 2 requirements), and adjustment to the Reactor Protective System trip setpoints in Modes 1 and 2. These limitations are according to those shown in Table 3.7.1-1 and Required Action A.2 in the accompanying LCO. Since the VOPT is not required to be operable in MODE 3 according to TSs 3.3.1 and 3.3.2, a note has been added to Table 3.7.1-1 stating that the VOPT setpoint is not required to be reset in MODE 3. An MSSV is considered inoperable if it fails to open upon demand.

The OPERABILITY of the MSSVs is defined as the ability to open within the setpoint tolerances, relieve steam generator overpressure, and reseat when pressure has been reduced. The OPERABILITY of the MSSVs is determined by periodic surveillance testing in accordance with the Inservice Testing Program.
The lift settings, according to Table 3.7.1-2 in the accompanying LCO, correspond to ambient conditions of the valve at nominal operating temperature and pressure.

This LCO provides assurance that the MSSVs will perform their designed safety function to mitigate the consequences of accidents that could result in a challenge to the RCPB.

APPLICABILITY

In MODES 1 and 2, a minimum of six MSSVs per steam generator are required to be OPERABLE (up to four allowed inoperable), according to Table 3.7.1-1 in the accompanying LCO, which is limiting and bounds all lower MODES. In MODE 3, a minimum of two MSSVs per steam generator are required to be operable (up to eight allowed inoperable) according to Table 3.7.1-1 in the accompanying LCO.

In MODES 4 and 5, there are no credible transients requiring the MSSVs.

The steam generators are not normally used for heat removal in MODES 5 and 6, and thus cannot be overpressurized; there is no requirement for the MSSVs to be OPERABLE in these MODES.

ACTIONS

The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each MSSV.

A.1 and A.2

When 10 MSSVs are OPERABLE per steam generator (none inoperable), THERMAL POWER is limited to 100% RTP per the Operating Licenses, and the VOPT allowable trip setpoint is limited to 111.0% RTP per TS Table 3.3.1-1.

When one to four MSSVs per steam generator are inoperable in MODES 1 or 2, an alternative to restoring inoperable MSSV(s) to OPERABLE status is to reduce power in accordance with Table 3.7.1-1.
These reduced power levels, derived from the transient analysis, compensate for degraded relieving capacity and ensure that the results of the transient analysis are acceptable.

The operator should limit the maximum steady state power level to the value determined from Table 3.7.1-1 to avoid an inadvertent overpower trip.

The Completion Time of 36 hours for Required Action A.2 is based on a reasonable time to correct the MSSV inoperability, the time required to perform power reduction, operating experience in resetting all channels of a protective function, and on the low probability of the occurrence of a transient that could result in steam generator overpressure during this period.

B.1

When one to four required MSSVs per steam generator are inoperable in MODES 1 or 2 and reactor power and the VOPT setpoint are not reduced to within the required values within the required Completion Times, or when five to eight MSSVs per steam generator are inoperable in MODES 1 or 2, an alternative to restoring inoperable MSSV(s) to OPERABLE status is to place the plant in MODE 3 within 6 hours so that the available MSSV relieving capacity meets Code requirements. The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1

If the plant is not placed in MODE 3 within the Completion Time for Required Action B.1, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 4 within 6 hours. The allowed Completion Time, in conjunction with the Completion Time for Required Action B.1, is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
D.1

When more than eight required MSSVs per steam generator are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.1.1

This SR verifies the OPERABILITY of the MSSVs by the verification of each MSSV lift setpoint in accordance with the Inservice Testing Program. The ASME OM Code (Ref. 4) requires the following tests for MSSVs:

a. Visual examination;
b. Seat tightness determination;
c. Setpoint pressure determination (lift setting);
d. Compliance with owner's seat tightness criteria; and
e. Verification of the balancing device integrity on balanced valves.

The ASME OM Code requires that all valves be tested every 5 years, and a minimum of 20% of the valves tested every 24 months. The ASME OM Code specifies the activities and frequencies necessary to satisfy the requirements.

Table 3.7.1-2 allows a 3% setpoint tolerance for OPERABILITY; however, the valves are reset to 1% during the Surveillance to allow for drift.

This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. This is to allow testing of the MSSVs at hot conditions. The MSSVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the MSSVs are not tested at hot conditions, the lift setting pressure shall be corrected to ambient conditions of the valve at operating temperature and pressure.

REFERENCES

1. UFSAR, Section 5.2.
2. ASME, Boiler and Pressure Vessel Code, Section III, Article NC-7000, Class 2 Components.
3. UFSAR, Section 15.2.
4. ASME Code for Operation and Maintenance of Nuclear Power Plants.

B 3.7 PLANT SYSTEMS

B 3.7.2 Main Steam Isolation Valves (MSIVs)

BASES

BACKGROUND

The MSIVs isolate steam flow from the secondary side of the steam generators following a High Energy Line Break (HELB). MSIV closure terminates flow from the unaffected (intact) steam generator.

One MSIV is located in each main steam line outside, but close to, containment. The MSIVs are downstream from the Main Steam Safety Valves (MSSVs), atmospheric dump valves, and auxiliary feedwater pump turbine steam supplies to prevent their being isolated from the steam generators by MSIV closure.
Closing the MSIVs isolates each steam generator from the other, and isolates the turbine, Steam Bypass Control System, and other auxiliary steam supplies from the steam generators.

The MSIV is a 28-inch gate valve with redundant hydraulic actuator trains. The actuation system is composed of redundant trains A and B. The instrumentation and controls of the train A valve actuator trains are physically and electrically separate and independent of the instrumentation and control of the train B valve actuator trains. Either actuator train can independently perform the safety function to fast-close the MSIV on demand. Each actuator train consists of a hydraulic accumulator controlled by solenoid valves on the associated MSIV.

The MSIVs close on a main steam isolation signal generated by either low steam generator pressure, high steam generator level or high containment pressure. The MSIVs fail closed on loss of control or actuation power. The MSIS also actuates the Main Feedwater Isolation Valves (MFIVs) to close. The MSIVs may also be actuated manually.

A description of the MSIVs is found in the FSAR, Section 10.3 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The design basis of the MSIVs is established by the containment analysis for the large steam line break (SLB) inside containment, as discussed in the CESSAR, Section 6.2 (Ref. 2). It is also influenced by the accident analysis of the SLB events presented in the UFSAR, Section 15.1.5 (Ref. 3). The design precludes the blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSIV to close on demand).
The limiting case for the containment analysis is the hot zero power SLB inside containment with a loss of offsite power following turbine trip, and failure of the MSIV on the affected steam line to close. At zero power, the steam generator inventory and temperature are at their maximum, maximizing the analyzed mass and energy release to the containment. Due to reverse flow, failure of the MSIV to close contributes to the total release of the additional mass and energy in the steam headers, which are downstream of the other MSIVs. With the most reactive control element assembly assumed stuck in the fully withdrawn position, there is an increased possibility that the core will become critical and return to power. The core is ultimately shut down by the borated water injection delivered by the Emergency Core Cooling System. Other failures considered are the failure of an MFIV to close, and failure of an emergency diesel generator to start.

The accident analysis compares several different SLB events against different acceptance criteria. The large SLB outside containment upstream of the MSIV is limiting for offsite dose, although a break in this short section of main steam header has a very low probability. The large SLB inside containment at hot full power is the limiting case for a post trip return to power. The analysis includes scenarios with offsite power available and with a loss of offsite power following turbine trip.

With offsite power available, the reactor coolant pumps continue to circulate coolant through the steam generators, maximizing the Reactor Coolant System (RCS) cooldown. With a loss of offsite power, the response of mitigating systems, such as the High Pressure Safety Injection (HPSI) pumps, is delayed. Significant single failures considered include: failure of a MSIV to close, failure of an emergency diesel generator, and failure of a HPSI pump.
The MSIVs serve only a safety function and remain open during power operation. These valves operate under the following situations:

a. An HELB inside containment. In order to maximize the mass and energy release into the containment, the analysis assumes that the MSIV in the affected steam line remains open. For this accident scenario, steam is discharged into containment from both steam generators until closure of the MSIVs in the intact steam generator occurs. After MSIV closure, steam is discharged into containment only from the affected steam generator, and from the residual steam in the main steam header downstream of the closed MSIVs in the intact loops.

b. A break outside of containment and upstream from the MSIVs. This scenario is not a containment pressurization concern. The uncontrolled blowdown of more than one steam generator must be prevented to limit the potential for uncontrolled RCS cooldown and positive reactivity addition. Closure of the MSIVs isolates the break, and limits the blowdown to a single steam generator.

c. A break downstream of the MSIVs. This type of break will be isolated by the closure of the MSIVs. Events such as increased steam flow through the turbine or the steam bypass valves will also terminate on closure of the MSIVs.

d. A steam generator tube rupture. For this scenario, closure of the MSIVs isolates the affected steam generator from the intact steam generator. In addition to minimizing radiological releases, this enables the operator to maintain the pressure of the steam generator with the ruptured tube high enough to allow flow isolation while remaining below the MSSV setpoints, a necessary step toward isolating the flow through the rupture.

e. The MSIVs are also utilized during other events such as a feedwater line break. These events are less limiting so far as MSIV OPERABILITY is concerned.

The MSIVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO requires that the MSIV and its associated actuator trains in each of the four steam lines be OPERABLE. The MSIVs are considered OPERABLE when the isolation times are within limits, and they close on an isolation actuation signal. An MSIV actuator train is considered OPERABLE when it is capable of fast-closing the associated MSIV on demand and within the required isolation time. This includes having adequate accumulator pressure to support fast-closure of the MSIV within the required isolation time and adequate air pressure available to fast close the MSIV.

This LCO provides assurance that the MSIVs will perform their design safety function to mitigate the consequences of accidents that could result in offsite exposures comparable to the 10 CFR 100 (Ref. 4) limits.

APPLICABILITY

The MSIVs must be OPERABLE in MODE 1 and in MODES 2, 3 and 4 except when all MSIVs are closed and deactivated when there is significant mass and energy in the RCS and steam generators. When the MSIVs are closed, they are already performing their safety function.

The MSIV actuator trains must be OPERABLE in MODES 1, 2, 3 and 4 to support operation of the MSIV.

In MODES 5 and 6, the steam generators do not contain much energy because their temperature is below the boiling point of water; therefore, the MSIVs are not required for isolation of potential high energy secondary system pipe breaks in these MODES.
ACTIONS

The LCO specifies OPERABILITY requirements for the MSIVs as well as for their associated actuator trains. The Conditions and Required Actions for TS 3.7.2 separately address inoperability of the MSIV actuator trains and inoperability of the MSIVs themselves.

A.1

With one MSIV with a single actuator train inoperable (i.e., one Train A or one Train B), action must be taken to restore the inoperable actuator train to OPERABLE status within 7 days. The 7-day Completion Time is reasonable in light of the redundant actuator train design such that with one actuator train inoperable, the affected MSIV is still capable of closing on demand via the remaining OPERABLE actuator train. The 7-day Completion Time takes into account the redundant OPERABLE actuator train to the MSIV, reasonable time for repairs, and the low probability of an event occurring that requires the inoperable actuator train to the affected MSIV.

B.1

With two MSIVs each with a single actuator train inoperable such that the inoperable actuator trains are not in the same train (i.e., one Train A and one Train B), action must be taken to restore one of the inoperable actuator trains to OPERABLE status within 72 hours. With two actuator trains inoperable on two MSIVs, there is an increased likelihood that an additional failure (such as the failure of an actuation logic train) could cause one MSIV to fail to close. The 72-hour Completion Time is reasonable since the redundant actuator train design ensures that with only one actuator train on each of two affected MSIVs inoperable, each MSIV is still capable of closing on demand.
C.1

With two MSIVs each with a single actuator train inoperable and the inoperable actuator trains both in the same train (i.e., both Train A, or both Train B), action must be taken to restore one of the inoperable actuator trains to OPERABLE status within 48 hours. The 48-hour Completion Time provides a reasonable amount of time for restoring at least one actuator train since the redundant actuator train design for each MSIV ensures that a single inoperable actuator train cannot prevent the affected MSIV(s) from closing on demand. With two actuator trains inoperable in the same separation group, an additional failure (such as the failure of an actuation logic train in the other separation group) could cause both affected MSIVs to fail to close on demand. The 48 hour Completion Time takes into account the redundant OPERABLE actuator trains to the affected MSIVs and the low probability of an event occurring that requires the inoperable actuator trains to the affected MSIVs.

D.1

With two actuator trains for one MSIV inoperable, Required Action D.1 provides assurance that the appropriate Action is entered for one MSIV inoperable. Failure of both actuator trains for a single MSIV results in the inability to fast close the affected MSIV on demand.

E.1

With three or more MSIV actuator trains inoperable, or when Required Action A.1, B.1, or C.1 cannot be completed within the required Completion Time, the affected MSIVs may be incapable of closing on demand and must be immediately declared inoperable.
Having three actuator trains inoperable could involve two inoperable actuator trains on one MSIV and one inoperable actuator train on another MSIV, or an inoperable actuator train on each of three MSIVs, for which the inoperable actuator trains could all be in the same separation group or be staggered among the two separation groups.

Depending on which of these conditions or combinations is in effect, the condition or combination could mean that all of the affected MSIVs remain capable of closing on demand (due to the redundant actuator train design), or that at least one MSIV is inoperable, or that with an additional single failure up to three MSIVs could be incapable of closing on demand. Therefore, in some cases, immediately declaring the affected MSIVs inoperable is conservative (when some or all of the affected MSIVs may still be capable of closing on demand even with a single additional failure), while in other cases it is appropriate (when at least one of the MSIVs would be inoperable, or up to three could be rendered inoperable by an additional single failure). Required Action E.1 is conservatively based on the worst-case condition and therefore requires immediately declaring all the affected MSIVs inoperable. Declaring two or more MSIVs inoperable while in MODE 1 requires entry into LCO 3.0.3.

F.1

With one MSIV inoperable in MODE 1, time is allowed to restore the component to OPERABLE status. Some repairs can be made to the MSIV with the unit hot. The 4 hour Completion Time is reasonable, considering the probability of an accident occurring during the time period that would require closure of the MSIVs.
Condition F is entered when one MSIV is inoperable in MODE 1, including when both actuator trains for one MSIV are inoperable. When only one actuator train is inoperable on one MSIV, Condition A applies.

The 4 hour Completion Time is consistent with that normally allowed for containment isolation valves that isolate a closed system penetrating containment. These valves differ from other containment isolation valves in that the closed system provides an additional means for containment isolation.

G.1

If the MSIV cannot be restored to OPERABLE within 4 hours, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in MODE 2 within 6 hours and Condition H would be entered. The Completion Time is reasonable, based on operating experience, to reach MODE 2, and close the MSIVs in an orderly manner and without challenging unit systems.

H.1 and H.2

Condition H is modified by a Note indicating that separate Condition entry is allowed for each MSIV.

Since the MSIVs are required to be OPERABLE in MODES 2 and 3, the inoperable MSIVs may either be restored to OPERABLE status or closed. When closed, the MSIVs are already in the position required by the assumptions in the safety analysis.

The 4 hour Completion Time is consistent with that allowed in Condition F.

Inoperable MSIVs that cannot be restored to OPERABLE status within the specified Completion Time, but are closed, must be verified on a periodic basis to be closed. This is necessary to ensure that the assumptions in the safety analysis remain valid.
The 7 day Completion Time is reasonable, based on engineering judgment, MSIV status indications available in the control room, and other administrative controls, to ensure these valves are in the closed position.

I.1 and I.2

If the MSIVs cannot be restored to OPERABLE status, or closed, within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from MODE 2 conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.2.1

This SR verifies that the closure time of each MSIV is within the limit given in Reference 5 with each actuator train on an actual or simulated actuation signal and is within that assumed in the accident and containment analyses. This SR also verifies the valve closure time is in accordance with the Inservice Testing Program. This SR is normally performed upon returning the unit to operation following a refueling outage. The MSIVs should not be full stroke tested at power.

The Frequency for this SR is in accordance with the Inservice Testing Program. This Frequency demonstrates the valve closure time at least once per refueling cycle.

This test is conducted in MODE 3, with the unit at operating temperature and pressure, as discussed in the Reference 6 exercising requirements. This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR.
This allows a delay of testing until MODE 3, in order to establish conditions consistent with those under which the acceptance criterion was generated.

REFERENCES

1. UFSAR, Section 10.3.
2. CESSAR, Section 6.2.
3. UFSAR, Section 15.1.5.
4. 10 CFR 100.11.
5. UFSAR, Section 5.1.5.
6. ASME Code for Operation and Maintenance of Nuclear Power Plants.
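
The actuator-train Conditions A through E in the B 3.7.2 ACTIONS discussion above, worked through as an added example that is not part of the Palo Verde Technical Specification Bases. The MSIV labels are constructed, and the worst-case count rests on a modelling assumption: one additional actuation logic train failure disables that train on every MSIV.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

TRAINS = frozenset({"A", "B"})  # each MSIV has redundant actuator trains A and B

# Required Action wording per Condition, as stated in the Bases text above.
ACTIONS = {
    "A": "restore the inoperable actuator train to OPERABLE status within 7 days",
    "B": "restore one of the inoperable actuator trains to OPERABLE status within 72 hours",
    "C": "restore one of the inoperable actuator trains to OPERABLE status within 48 hours",
    "D": "enter the Action for one MSIV inoperable",
    "E": "immediately declare the affected MSIVs inoperable",
}


@dataclass(frozen=True)
class Assessment:
    condition: Optional[str]  # Bases Condition letter, None if no train is inoperable
    action: str
    cannot_close_now: int     # MSIVs with both actuator trains inoperable
    worst_case: int           # MSIVs unable to close after one more logic train failure


def assess(inoperable: Dict[str, Iterable[str]],
           completion_time_expired: bool = False) -> Assessment:
    """Classify inoperable actuator trains, keyed by (constructed) MSIV label."""
    state = {}
    for msiv, trains in inoperable.items():
        trains = frozenset(trains)
        if not trains <= TRAINS:
            raise ValueError(f"{msiv}: unknown actuator train in {sorted(trains)}")
        if trains:
            state[msiv] = trains

    total = sum(len(t) for t in state.values())
    cannot_close_now = sum(1 for t in state.values() if t == TRAINS)
    # Assumption (not from the Bases): the additional single failure is the loss
    # of one actuation logic train, which removes that train from every MSIV.
    worst_case = max(
        sum(1 for t in state.values() if t | {lost} == TRAINS) for lost in TRAINS
    )

    if total == 0:
        return Assessment(None, "no actuator train Condition entered", 0, 0)
    if total >= 3:
        condition = "E"
    elif total == 1:
        condition = "A"
    elif len(state) == 1:
        condition = "D"  # both trains of a single MSIV
    else:
        first, second = state.values()  # two MSIVs, one train each
        condition = "C" if first == second else "B"
    # Condition E is also entered when A.1, B.1 or C.1 is not completed in time.
    if completion_time_expired and condition in ("A", "B", "C"):
        condition = "E"
    return Assessment(condition, ACTIONS[condition], cannot_close_now, worst_case)


if __name__ == "__main__":
    # Constructed cases covering the combinations the E.1 discussion enumerates.
    cases = {
        "one train": {"MSIV-1": "A"},
        "two MSIVs, different trains": {"MSIV-1": "A", "MSIV-2": "B"},
        "two MSIVs, same train": {"MSIV-1": "A", "MSIV-2": "A"},
        "both trains, one MSIV": {"MSIV-1": "AB"},
        "three MSIVs, same group": {"MSIV-1": "A", "MSIV-2": "A", "MSIV-3": "A"},
        "three MSIVs, staggered": {"MSIV-1": "A", "MSIV-2": "A", "MSIV-3": "B"},
        "two on one, one on another": {"MSIV-1": "AB", "MSIV-2": "A"},
    }
    for name, case in cases.items():
        result = assess(case)
        print(f"{name:28} Condition {result.condition}: "
              f"{result.cannot_close_now} cannot close now, "
              f"{result.worst_case} after one more failure")
```

The worst-case column reproduces the counts the Bases gives in prose: one MSIV under Condition B, both affected MSIVs under Condition C, and up to three under Condition E when all inoperable trains are in the same separation group.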

B 3.7 PLANT SYSTEMS

B 3.7.3 Main Feedwater Isolation Valves (MFIVs)

BASES

BACKGROUND

The MFIVs isolate Main Feedwater (MFW) flow to the secondary side of the steam generators following a High Energy Line Break (HELB). Closure of the MFIVs terminates flow to both steam generators, terminating the event for Feedwater Line Breaks (FWLBs) occurring upstream of the MFIVs. The consequences of events occurring in the main steam lines or in the MFW lines downstream of the MFIVs will be mitigated by their closure. Closure of the MFIVs effectively terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release for Steam Line Breaks (SLBs) or FWLBs inside containment, and reducing the cooldown effects for SLBs.

The MFIVs isolate the nonsafety related portions from the safety related portion of the system. In the event of a secondary side pipe rupture inside containment, the valves limit the quantity of high energy fluid that enters containment through the break, and provide an additional pressure boundary for the controlled addition of Auxiliary Feedwater (AFW) to the intact loop.

Two MFIVs are located on each economizer and downcomer line, outside, but close to, containment. The downcomer MFIVs are located upstream of the train A and B AFW injection points so that AFW may be supplied to a steam generator following MFIV closure. The piping volume from the downcomer MFIVs to the steam generator must be accounted for in calculating mass and energy releases, and refilled prior to AFW reaching the steam generator following either an SLB or FWLB.

The MFIVs close on receipt of a Main Steam Isolation Signal (MSIS) generated by either low steam generator pressure, high steam generator level, or high containment pressure.
The MSIS also actuates the Main Steam Isolation Valves (MSIVs) to close. The MFIVs may also be actuated manually. In addition to the MFIVs, check valves are available to isolate the feedwater line penetrating containment, and to ensure that the consequences of events do not exceed the capacity of the containment heat removal systems.

A description of the MFIVs is found in the UFSAR, Section 10.4.7 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The design basis of the MFIVs is established by the analysis for the large SLB. It is also influenced by the accident analysis for the large FWLB. Closure of the MFIVs may also be relied on to terminate a steam break for core response analysis and an excess feedwater flow event upon receipt of a MSIS on high steam generator level.

Failure of an MFIV to close following an SLB, FWLB, or excess feedwater flow event can result in additional mass and energy to the steam generators contributing to cooldown. This failure also results in additional mass and energy releases following an SLB or FWLB event.

The MFIVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO ensures that the MFIVs will isolate MFW flow to the steam generators. Following an FWLB or SLB, these valves will also isolate the nonsafety related portions from the safety related portions of the system. This LCO requires that two MFIVs in each feedwater line be OPERABLE. The MFIVs are considered OPERABLE when the isolation times are within limits, and are closed on an isolation actuation signal.

Failure to meet the LCO requirements can result in additional mass and energy being released to containment following an SLB or FWLB inside containment.
If an MSIS on high steam generator level is relied on to terminate an excess feedwater flow event, failure to meet the LCO may result in the introduction of water into the main steam lines.

The four economizer MFIVs are:
SGA-UV 174#
SGB-UV 132#
SGB-UV 137#
SGA-UV 177#

The four downcomer MFIVs are:
SGB-UV 130#
SGA-UV 172#
SGB-UV 135#
SGA-UV 175#

APPLICABILITY

The MFIVs must be OPERABLE whenever there is significant mass and energy in the Reactor Coolant System and steam generators. This ensures that, in the event of an HELB, a single failure cannot result in the blowdown of more than one steam generator.

In MODES 1, 2, 3, and 4, the MFIVs are required to be OPERABLE, except when they are closed and deactivated or isolated by a deactivated and closed power operated valve, in order to limit the amount of available fluid that could be added to containment in the case of a secondary system pipe break inside containment. When the valves are closed or isolated by a closed power operated valve, they are already performing their safety function.

In MODES 5 and 6, steam generator energy is low. Therefore, the MFIVs are not required.

ACTIONS

The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each penetration flow path.

A.1 and A.2

With one MFIV inoperable, action must be taken to close or isolate the inoperable valves within 72 hours. When these valves are closed or isolated, they are performing their required safety function (e.g., to isolate the line).
The 72 hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves, and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. Inoperable MFIVs that are closed to comply with Required Action A.1 must be verified on a periodic basis to be closed. This is necessary to ensure that the assumptions in the safety analysis remain valid. The seven day completion time is reasonable, based on engineering judgement, MFIV status indications available in the control room, and other administrative controls, to ensure these valves are in the closed position.

B.1 and B.2
If more than one MFIV in the same flow path cannot be restored to OPERABLE status, then there may be no system to operate automatically and perform the required safety function. Under these conditions, valves in each flow path must be restored to OPERABLE status, closed, or the flow path isolated within 8 hours. This action returns the system to the condition where at least one valve in each flow path is performing the required safety function. The 8 hour Completion Time is reasonable to close an MFIV or otherwise isolate the affected flow path. Inoperable MFIVs that cannot be restored to OPERABLE status within the Completion Time, but are closed or isolated, must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls to ensure that these valves are closed or isolated.
C.1 and C.2
If the MFIVs cannot be restored to OPERABLE status, closed, or isolated in the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS
SR 3.7.3.1
This SR verifies that closure time of each MFIV is within the limit given in Reference 2 on an actual or simulated actuation signal and is within that assumed in the accident and containment analyses. This SR also verifies the valve closure time is in accordance with the Inservice Testing Program. This SR is normally performed upon returning the unit to operation following a refueling outage. The MFIVs should not be full stroke tested at power. The Frequency is in accordance with the Inservice Testing Program. The Frequency for valve closure time is based on the refueling cycle. Operating experience has shown that these components usually pass the SR when performed at the specified Frequency.

REFERENCES
1. UFSAR, Section 10.4.7.
2. UFSAR, Section 5.1.5.
B 3.7 PLANT SYSTEMS
B 3.7.4 Atmospheric Dump Valves (ADVs)
BASES

BACKGROUND
The ADVs provide a safety grade method for cooling the unit to Shutdown Cooling (SDC) System entry conditions, should the preferred heat sink via the Steam Bypass Control System (SBCS) to the condenser and/or atmosphere not be available, as discussed in the UFSAR, Section 10.3 (Ref. 1). The ADVs have the capacity to achieve and maintain safe shutdown conditions following design basis accidents involving a loss of offsite power and/or closure of the Main Steam Isolation Valves (MSIVs) following receipt of a Main Steam Isolation Signal (MSIS). This is done in conjunction with the Auxiliary Feedwater System providing cooling water from the Condensate Storage Tank (CST). The ADVs may also be required to meet the design cooldown rate during a normal cooldown.

Four ADV lines are provided. Each ADV line consists of one normally closed ADV and an associated, normally open block valve. Two ADV lines per steam generator are required to meet the single failure assumptions following a design basis accident that may render one steam generator (SG) unavailable for heat removal. The ADV block valves permit testing of the ADVs while a unit is at power. The safety analyses, however, do not credit block valve operation as a means of isolation of a failed open ADV.

The ADVs are equipped with pneumatic controllers to permit control of the cooldown rate. The ADVs are provided with a pressurized gas supply of bottled nitrogen that, on a loss of pressure in the normal instrument air supply, automatically supplies nitrogen to operate the ADVs.
The nitrogen supply is sized to provide sufficient pressurized gas to operate the ADVs for the time required for Reactor Coolant System (RCS) cooldown to the Shutdown Cooling (SDC) System entry conditions, as described in UFSAR Appendix 5C, "Natural Circulation Cooldown Analysis." The Appendix 5C analysis is based on the assumptions and conditions in the NRC's Branch Technical Position (BTP) RSB 5-1, "Design Requirements of the Residual Heat Removal System." RSB 5-1 is an attachment to Standard Review Plan (SRP) 5.4.7, "Residual Heat Removal (RHR) System," and identifies RHR System requirements that ensure conformance with General Design Criteria (GDC) 34, "Residual Heat Removal."

The PVNGS RSB 5-1 cooldown scenario described in UFSAR Appendix 5C is based on a natural circulation cooldown with both steam generators (SGs) available, using safety-grade equipment, assuming a loss of offsite power, a limiting single failure (assumed to be a diesel generator failure), and with minimal operator actions outside the control room, as approved by the NRC. The RSB 5-1 cooldown duration was established during actual testing performed in January 1986, and was confirmed through subsequent analyses to address steam generator replacement and power uprates.

A description of the ADVs is found in Reference 1. The ADVs require both Direct Current (DC) sources and class Alternating Current (AC) instrument power to be considered OPERABLE. In addition, non-safety related hand wheels are provided for local manual operations although hand wheels are not required for ADV OPERABILITY or credited in the accident analysis.
APPLICABLE SAFETY ANALYSES
The design basis of the ADVs is established by the capability to cool the unit to SDC System entry conditions. The design must also accommodate credible single failures that may render as many as two ADVs (i.e., one on each steam generator) incapable of opening on demand. This design is adequate to cool the unit to SDC System entry conditions with only one ADV and one SG, utilizing the cooling water supply available in the CST. Cooldown scenarios using a single ADV may require a combination of the available nitrogen supply and local manual operation or other actions.

Alternatives for cooldown and for ADV operation beyond the RSB 5-1 scenario have been evaluated using probabilistic risk analysis (PRA) as part of the resolution of Unresolved Safety Issue (USI) A-45, "Shutdown Decay Heat Removal Requirements." USI A-45 was subsumed into the Individual Plant Examination (IPE) which used PRA techniques and was submitted to the NRC in response to Generic Letter 88-20. The IPE considered various operator actions and the use of non-safety related equipment, and concluded that there are no significant heat removal vulnerabilities at PVNGS.

Operator actions to locally operate the ADVs are not credited in the UFSAR Chapter 15 accident analyses but are described in the EOPs; non-safety related equipment such as the supplemental nitrogen supply could also be used during extended cooldown situations.

The design basis accident analyses also account for a single failure that may render one ADV incapable of being closed remotely, after it is opened by control room operators.
This type of postulated failure yields more adverse radiological consequences for certain analyses, because it creates a pathway for radioisotope discharges to the environment. For accident mitigation the safety analyses do not credit isolation of a failed open ADV by either local manual hand wheel operation or closure of its associated block valve.

The safety analyses in the UFSAR assume that plant operators will use the ADVs to cool down an affected unit to SDC System entry conditions, following accidents accompanied by a loss of offsite power and/or closure of the MSIVs. Initiation of operator action is typically assumed to occur 30 minutes following the initiation of an event; however, to conservatively bound maximum potential dose consequences for Steam Generator Tube Rupture (SGTR) events, initiation of this operator action is assumed to occur two minutes following reactor trip. Prior to the operator action, the Main Steam Safety Valves (MSSVs) are credited in the analyses to maintain SG pressure and temperature near the MSSV setpoints.

The limiting design basis event for nitrogen supply capacity is the RSB 5-1 natural circulation cooldown scenario described above. This scenario includes an initial period of 4 hours at hot standby conditions followed by natural circulation cooldown for 9.3 hours until SDC entry conditions are achieved. Each ADV is required to have a nitrogen supply that supports ADV operation for a total of 13.3 hours.

Limiting design basis accidents with respect to RCS heat removal and ADV steam flow capacity include those that may render one SG unavailable, with a coincident loss of offsite power and a single active component failure (i.e., main steam line breaks upstream of the MSIVs, and feedwater line breaks).
The limiting design basis event with respect to offsite radiological consequences is a SGTR with a coincident loss of offsite power, a coincident RCS iodine spike, and a single failed open ADV on the affected SG (SGTRLOPSF). To determine bounding radiological consequences, an ADV is assumed to stick open during operator action that occurs two minutes after trip, and remains open for the duration of the cooldown. For this SGTRLOPSF case, plant operators will direct auxiliary feedwater flow to the affected SG after the accident has occurred. The steam released through the ADVs is contaminated, however, because of primary-to-secondary leakage that transports radioisotopes from the RCS to the SG.

The ADVs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO
Four ADV lines are required to be OPERABLE, two on each SG to ensure a design basis accident that renders one SG unavailable for heat removal (in combination with a coincident loss of offsite power and a single active component failure) would not prevent control room operators from remotely opening an ADV on the unaffected SG. Failure to meet the LCO can result in an inability to cool the affected unit to SDC System entry conditions when the SBCS is unavailable. An ADV is considered OPERABLE when it is capable of providing a controlled relief of the main steam flow, and is capable of fully opening and closing on demand.

APPLICABILITY
In MODES 1, 2, and 3, and in MODE 4, when a SG is being relied upon for heat removal, the ADVs are required to be OPERABLE.
In MODES 5 and 6, there is insufficient heat available to produce steam that could be released through the ADVs, and design basis accidents such as main steam line breaks, feedwater line breaks, and SGTRs are not credible events.

ACTIONS
A.1
The condition for this ACTION is modified by a Note that states separate Condition entry is allowed for each SG. This is acceptable because only one SG is required for RCS heat removal after a design basis accident, and because this Condition provides the appropriate Required Action and Completion Time for one inoperable ADV line on each SG. With one ADV line on a SG inoperable, action must be taken to restore that ADV line to OPERABLE status within 7 days to meet the LCO for each SG that has entered this Condition. The 7-day Completion Time takes into consideration the redundant capability afforded by the remaining OPERABLE ADV lines, the safety grade MSSVs, and the non-safety grade backup of the SBCS.

B.1
With two or more ADV lines inoperable with both ADV lines inoperable on one or more SGs, action must be taken to restore one ADV line on each SG to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable to repair inoperable ADV lines, based on the availability of the Steam Bypass Control System and MSSVs, and the low probability of an event occurring during this period that requires the ADV lines.

NOTE: Entry into Condition B for all four ADV lines simultaneously inoperable is not intended for voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.
C.1 and C.2
If the ADV lines cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance on the SG for heat removal, within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS
SR 3.7.4.1
To perform a controlled cooldown of the RCS, the ADVs must be able to be opened and throttled through their full range. This SR ensures the ADVs are tested through a full control cycle. Performance of inservice testing or use of an ADV during a unit cooldown may satisfy this requirement. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. UFSAR, Section 10.3.

B 3.7 PLANT SYSTEMS
B 3.7.5 Auxiliary Feedwater (AFW) System
BASES

BACKGROUND
The AFW System automatically supplies feedwater to the steam generators to remove decay heat from the Reactor Coolant System upon the loss of normal feedwater supply.
The AFW pumps take suction through separate and independent suction lines from the Condensate Storage Tank (CST) (LCO 3.7.6, "Condensate Storage Tank (CST)") and pump to the steam generator secondary side via the main feedwater (MFW) piping. The discharge piping from the two essential AFW pumps is cross connected outside containment. The AFW lines then penetrate containment and connect to the downcomer piping. The non-essential AFW pump discharge piping splits with a line connecting with each downcomer line outside containment. The steam generators function as a heat sink for core decay heat. The heat load is dissipated by releasing steam to the atmosphere from the steam generators via the Main Steam Safety Valves (MSSVs) (LCO 3.7.1, "Main Steam Safety Valves (MSSVs)") or Atmospheric Dump Valves (ADVs) (LCO 3.7.4, "Atmospheric Dump Valves (ADVs)"). If the main condenser is available, steam may be released via the steam bypass valves and recirculated to the CST. The AFW System consists of one essential motor driven AFW pump, one non-essential motor driven AFW pump, and one essential steam turbine driven pump configured into three trains. Each essential pump provides 100% of AFW flow capacity to the steam generators as assumed in the accident analysis. The non-essential pump is not capable of providing 100% capacity with the recirc line open. All three pumps are equipped with independent recirculation lines to prevent pump operation against a closed system. The essential motor driven AFW pump is powered from an independent Class 1E power supply, and has the capability to be realigned from the control room to feed either steam generator. The non-essential motor driven AFW pump is powered from a Class 1E power supply and can be aligned to feed either steam generator. This pump is manually activated. One essential pump provides sufficient flow to remove decay heat and cool the unit to Shutdown Cooling (SDC) System entry conditions. 
The steam turbine driven AFW pump receives steam from either main steam header upstream of the main steam isolation valve (MSIV). Each of the steam feed lines is capable of supplying 100% of the requirements of the turbine driven AFW pump. The turbine driven AFW pump is capable of feeding either steam generator, with DC powered control valves actuated to the appropriate steam generator by the Auxiliary Feedwater Actuation Signal (AFAS).

The non-essential AFW train supplies feedwater to the steam generators during normal unit startup, shutdown, and hot standby conditions. For the normal plant conditions stated above, the non-essential AFW train is designed to supply sufficient water to the steam generator(s) to remove decay heat with steam generator pressure at no load conditions ( 1170 psia). Subsequently, the non-essential AFW train supplies sufficient water to cool the unit to SDC entry conditions.

The AFW System actuates automatically on low steam generator level by the AFAS as described in LCO 3.3.5, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation." The AFAS logic is designed to feed either or both steam generators with low levels, but will isolate the AFW System from a steam generator having a significantly lower steam pressure than the other steam generator. The AFAS automatically actuates the AFW turbine driven pump and associated DC operated valves and controls when required, to ensure an adequate feedwater supply to the steam generators. DC operated valves are provided for each AFW line to control the AFW flow to each steam generator.

The AFW System is discussed in the FSAR, Section 10.4.9 (Ref. 1).
APPLICABLE SAFETY ANALYSES
The AFW System mitigates the consequences of any event with a loss of normal feedwater.

The design basis of the essential AFW trains is to supply water to the steam generator to remove decay heat and other residual heat, by delivering at least the minimum required flow rate to the steam generators at pressures corresponding to 1270 psia at the entrance to the steam generators.

The limiting Design Basis Accidents (DBAs) and transients for the AFW System are as follows:
a. Feedwater Line Break (FWLB); and
b. Main Steam Line Break (MSLB).

In addition, the minimum available AFW flow and system characteristics are serious considerations in the analysis of a small break loss of coolant accident.

The AFW System design is such that it can perform its function following an FWLB between the MFW isolation valve and containment, combined with a loss of offsite power following turbine trip, and a single active failure of the steam turbine driven AFW pump. In such a case, the AFAS logic might not detect the affected steam generator if the backflow check valve to the affected MFW header worked properly. The non-essential motor driven AFW pump, if started manually, would deliver to the broken downcomer header at the pump runout flow until the problem was detected, and flow was terminated by the operator. Sufficient flow would be delivered to the intact steam generator by the essential motor driven AFW pump.

The AFW System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
This LCO requires that three AFW trains be OPERABLE to ensure that the AFW System will perform the design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Two essential and one non-essential AFW pumps, in two diverse trains, ensure availability of residual heat removal capability for all events accompanied by a loss of offsite power and a single failure. This is accomplished by powering the essential motor driven AFW pump from an emergency bus. The non-essential motor driven AFW pump can be manually loaded on its emergency bus. The third AFW pump is powered by a diverse means, a steam driven turbine supplied with steam from a source not isolated by the closure of the MSIVs.

The AFW System is considered to be OPERABLE when the components and flow paths required to provide AFW flow to the steam generators are OPERABLE. This requires that the two motor driven AFW pumps be OPERABLE in two diverse paths, each capable of supplying AFW to either steam generator. The turbine driven AFW pump shall be OPERABLE with redundant steam supplies from each of the two main steam lines upstream of the MSIVs and capable of supplying AFW flow to either of the two steam generators. The piping, valves, instrumentation, and controls in the required flow paths shall also be OPERABLE. Although the operability of the non-essential motor driven AFW pump is important from a risk perspective, this pump is not credited in the PVNGS Accident Analyses.

The LCO is modified by a Note indicating that only one AFW train, which includes a motor driven pump, is required to be OPERABLE in MODE 4.
This is because of reduced heat removal requirements, the short period of time in MODE 4 during which AFW is required, and the insufficient steam supply available in MODE 4 to power the turbine driven AFW pump.

APPLICABILITY
In MODES 1, 2, and 3, the AFW System is required to be OPERABLE and to function in the event that the MFW System is lost. In addition, the AFW System is required to supply enough makeup water to replace steam generator secondary inventory, lost as the unit cools to MODE 4 conditions. In MODE 4, the AFW System may be used for heat removal via the steam generator. In MODES 5 and 6, the steam generators are not normally used for decay heat removal, and the AFW System is not required.

ACTIONS
A note prohibits the application of LCO 3.0.4.b to an inoperable AFW Train. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an AFW train inoperable, and the provisions of LCO 3.0.4.b, which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1
If one of the two steam supplies to the turbine driven AFW pumps is inoperable, or if a turbine driven pump is inoperable while in MODE 3 immediately following refueling (prior to MODE 2), action must be taken to restore OPERABLE status within 7 days. The 7 day Completion Time is reasonable based on the following reasons:
a.
For the inoperability of a steam supply to the turbine-driven AFW pump, the 7 day Completion Time is reasonable since there is a redundant steam supply line for the turbine driven pump.
b. For the inoperability of a turbine-driven AFW pump while in MODE 3 immediately subsequent to a refueling outage, the 7 day Completion Time is reasonable due to the minimal decay heat levels in this situation.
c. For both the inoperability of a steam supply line to the turbine-driven pump and an inoperable turbine-driven AFW pump while in MODE 3 immediately following a refueling outage, the 7 day Completion Time is reasonable due to the availability of redundant OPERABLE motor driven AFW pumps.

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO. The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The AND connector between 7 days and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

Condition A is modified by a Note which limits the applicability of the Condition to when the unit has not entered MODE 2 following a refueling. Condition A allows the turbine-driven AFW pump to be inoperable for 7 days vice the 72 hour Completion Time in Condition B. This longer Completion Time is based on the reduced decay heat following refueling and prior to the reactor being critical.
It should be noted that when in this Condition with one steam supply to the turbine driven AFW pump inoperable, the AFA train of AFW is considered to be inoperable.

B.1
With one of the required AFW trains (pump or flow path) inoperable, action must be taken to restore OPERABLE status within 72 hours. This Condition includes the loss of two steam supply lines to the turbine driven AFW pump. The 72 hour Completion Time is reasonable, based on the redundant capabilities afforded by the AFW System, the time needed for repairs, and the low probability of a DBA event occurring during this period. Two AFW pumps and flow paths remain to supply feedwater to the steam generators.

The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO. The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The AND connector between 72 hours and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

C.1 and C.2
When either Required Action A.1 or B.1 cannot be completed within the required Completion Time, or if two AFW trains are inoperable in MODES 1, 2, and 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 12 hours. This Condition includes the loss of 2 AFW pumps.
This Condition also includes the situation where one steam supply to the turbine driven AFW pump is inoperable, coincident with another ("B" or "N") AFW train inoperable. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

In MODE 4, with two AFW trains inoperable, operation is allowed to continue because only one motor driven AFW pump (either the essential or the non-essential pump) is required in accordance with the Note that modifies the LCO. Although it is not required, the unit may continue to cool down and start the SDC.

D.1
Required Action D.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until one AFW train is restored to OPERABLE status. Completion Times are also suspended at the time the Condition is entered. The Completion Time is resumed with the time remaining when the Condition was entered upon restoration of one AFW train to OPERABLE status.

With all three AFW trains inoperable in MODES 1, 2, and 3, the unit is in a seriously degraded condition with no TS related means for conducting a cooldown, and only limited means for conducting a cooldown with nonsafety grade equipment. In such a condition, the unit should not be perturbed by any action, including a power change, that might result in a trip. The seriousness of this condition requires that action be started immediately to restore one AFW train to OPERABLE status. LCO 3.0.3 is not applicable, as it could force the unit into a less safe condition.
E.1
Required Action E.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until one AFW train is restored to OPERABLE status. Completion Times are also suspended at the time the Condition is entered. The Completion Time is resumed with the time remaining when the Condition was entered upon restoration of one AFW train to OPERABLE status.

With one AFW train inoperable, action must be taken to immediately restore the inoperable train to OPERABLE status or to immediately verify, by administrative means, the OPERABILITY of a second train. LCO 3.0.3 is not applicable, as it could force the unit into a less safe condition.

In MODE 4, either the reactor coolant pumps or the SDC loops can be used to provide forced circulation as discussed in LCO 3.4.6, "RCS Loops - MODE 4."

SURVEILLANCE REQUIREMENTS
SR 3.7.5.1
Verifying the correct alignment for manual, power operated, and automatic valves in the AFW water and steam supply flow paths provides assurance that the proper flow paths exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulations; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.7.5.2

Verifying that each AFW pump's developed head at the flow test point is greater than or equal to the required developed head ensures that AFW pump performance has not degraded during the cycle. Flow and differential head are normal tests of pump performance required by the ASME OM Code (Ref. 2). Because it is undesirable to introduce cold AFW into the steam generators while they are operating, this testing may be performed on recirculation flow. This test confirms one point on the pump design curve and can be indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. Performance of inservice testing, discussed in the ASME OM Code (Ref. 2), at 3 month intervals satisfies this requirement.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established. Normal operating pressure is established in the steam generators when RCS temperature reaches 532°F; this corresponds to a Psat of 900 psia. This deferral is required because there is insufficient steam pressure to perform the test.

SR 3.7.5.3

This SR ensures that AFW can be delivered to the appropriate steam generator, in the event of any accident or transient that generates an AFAS signal, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls.
This SR is not required for the non-essential train since there are no automatic valves which receive an AFAS. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. Normal operating pressure is established in the steam generators when RCS temperature reaches 532°F; this corresponds to a Psat of 900 psia. This deferral is required because there is insufficient steam pressure to perform the test. Also, this SR is modified by a Note that states the SR is not required in MODE 4. In MODE 4, the required AFW train is already aligned and operating.

SR 3.7.5.4

This SR ensures that the essential AFW pumps will start in the event of any accident or transient that generates an AFAS signal by demonstrating that each essential AFW pump starts automatically on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The non-essential AFW pump does not automatically activate and is not subject to this SR.

This SR is modified by two Notes. Note 1 indicates that the SR be deferred until suitable test conditions are established. Normal operating pressure is established in the steam generators when RCS temperature reaches 532°F; this corresponds to a Psat of 900 psia. This deferral is required because there is insufficient steam pressure to perform the test. Note 2 states that the SR is not required in MODE 4. In MODE 4, the required pump is already operating and the autostart function is not required.

SR 3.7.5.5

This SR ensures that the AFW System is properly aligned by verifying the flow path from each essential AFW pump to each steam generator prior to entering MODE 2 operation, after 30 days in MODE 5 or 6. OPERABILITY of essential AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shutdown. The Frequency is reasonable, based on engineering judgment, and administrative controls to ensure that flow paths remain OPERABLE. To further ensure AFW System alignment, the OPERABILITY of the essential AFW flow paths is verified following extended outages to determine that no misalignment of valves has occurred. This SR ensures that the flow path from the CST to the steam generators is properly aligned by requiring a verification of minimum flow capacity of 650 gpm at pressures corresponding to 1270 psia at the entrance to the steam generators. (This SR is not required for the non-essential AFW pump since it is normally used for startup and shutdown.)

REFERENCES

1. UFSAR, Section 10.4.9.
2. ASME Code for Operation and Maintenance of Nuclear Power Plants.

B 3.7 PLANT SYSTEMS

B 3.7.6 Condensate Storage Tank (CST)

BASES

BACKGROUND

The CST provides a safety grade source of water to the steam generators for removing decay and sensible heat from the Reactor Coolant System (RCS). The CST is the primary source of water for the Auxiliary Feedwater (AFW) System (LCO 3.7.5, "Auxiliary Feedwater (AFW) System").
The steam produced is released to the atmosphere by the Main Steam Safety Valves (MSSVs) or the atmospheric dump valves. When the main steam isolation valves are open, the preferred means of heat removal is to discharge steam to the condenser by the nonsafety grade path of the steam bypass control valves. The condensed steam is returned to the CST by the condensate pump draw-off. This has the advantage of conserving condensate while minimizing releases to the environment.

Because the CST is a principal component in removing residual heat from the RCS, it is designed to withstand earthquakes and other natural phenomena. The CST is designed to Seismic Category I requirements to ensure availability of the feedwater supply. Feedwater is also available from the Reactor Makeup Water Tank (RMWT). A description of the CST is found in the UFSAR, Section 9.2.6 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The CST has sufficient volume to maintain the plant for 8 hours at MODE 3, followed by a symmetrical cooldown (two steam generators available) to shutdown cooling (SDC) entry conditions at the design cooldown rate in the event of main condenser unavailability. The CST inventory is demonstrated to be sufficient by satisfying the requirements of the long-term cooling event, which includes both LOCA Long-Term Cooling and Reactor Systems Branch Technical Position 5-1 (RSB 5-1) "Design Requirements of the Residual Heat Removal System" (Ref.
4), scenario, described in UFSAR Appendix 5C, "Natural Circulation Cooldown Analysis", is based on a natural circulation cooldown with both steam generators (SGs) available, using safety-grade equipment, assuming a loss of offsite power, a limiting single failure, and with minimal operator actions outside the control room, as approved by the NRC. The RSB 5-1 guidance requires 4 hours at hot standby prior to initiating cooldown and is analytically found to be the bounding event for CST sizing.

Transients and accidents other than the RSB 5-1 scenario and Long Term LOCA are evaluated deterministically in the UFSAR Chapter 15 analyses to demonstrate the ability to achieve hot standby conditions (Refs 2 and 3). Cooldown scenarios to SDC entry conditions outside the "events" described here are outside the current Design Basis. The Licensing Basis for these scenarios is that there are no significant decay heat removal vulnerabilities when all available plant equipment and the EOPs are evaluated through the facility's probabilistic risk assessment, as documented in the APS resolution of "Unresolved Safety Issue" (USI) A-45, "Shutdown Decay Heat Removal Requirements" and response to GL 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities."

The CST satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The CST must contain sufficient cooling water to remove decay heat for 4 hours following a reactor trip from 102% RTP, and then cool down the RCS to SDC entry conditions, assuming a coincident loss of offsite power and the most adverse single failure as required by RSB 5-1.
The CST level required is a usable volume of 300,000 gallons, which is based on holding the unit in MODE 3 for 8 hours, followed by a cooldown to SDC entry conditions at 75°F per hour. This basis is analytically bounded by the level required by the NRC Standard Review Plan Branch Technical Position, Reactor Systems Branch 5-1 (Ref. 4). OPERABILITY of the CST is determined by maintaining the tank level at or above the minimum required level.

APPLICABILITY

In MODES 1, 2, and 3, and in MODE 4, when steam generator is being relied upon for heat removal, the CST is required to be OPERABLE. In MODES 5 and 6, the CST is not required because the AFW System is not required.

ACTIONS

A.1 and A.2

If the CST level is not within the limit, the OPERABILITY of the backup water supply (RMWT) must be verified within 4 hours. OPERABILITY of the RMWT must include initial alignment and verification of the OPERABILITY of flow paths from the RMWT to the AFW pumps, and availability of sufficient total water inventory using the combined CST and RMWT inventories to satisfy the requirements of the long-term cooling event, which includes both LOCA Long-Term Cooling and Reactor Systems Branch Technical Position 5-1 (RSB 5-1). The CST level must be returned to OPERABLE status within 7 days, as the RMWT may be performing this function in addition to its normal functions. The 4 hour Completion Time is reasonable, based on operating experience, to verify the OPERABILITY of the RMWT. The 7 day Completion Time is reasonable, based on an OPERABLE RMWT being available, and the low probability of an event requiring the use of the water from the CST occurring during this period.

B.1 and B.2

If the CST cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance on steam generator for heat removal, within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.6.1

This SR verifies that the CST contains the required volume of cooling water. (This level 29.5 ft (300,000 gallons)). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.6.
2. UFSAR, Chapter 6.
3. UFSAR, Chapter 15.
4. NRC Standard Review Plan Branch Technical Position (BTP) RSB 5-1.

B 3.7 PLANT SYSTEMS

B 3.7.7 Essential Cooling Water (EW) System

BASES

BACKGROUND

The EW System provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. The EW System acts as a backup to the non-safety related Nuclear Cooling Water System for several non-safety related loads. The EW System serves as a barrier to the release of radioactive byproducts between potentially radioactive systems and the Essential Spray Pond System (ESPS), and thus to the environment.
The EW System is arranged as two independent full capacity cooling loops, which are normally isolated from the Nuclear Cooling Water System. Each safety related train includes a full capacity pump, surge tank, heat exchanger, piping, valves, chemical addition tank, and instrumentation. Each safety related train is powered from a separate bus. The surge tank in the system provides pump trip protective functions to ensure sufficient net positive suction head is available. The pump in each train is automatically started on receipt of an ESFAS signal.

Additional information on the design and operation of the system, along with a list of the components served, is presented in the UFSAR, Section 9.2.2, Reference 1, and Section 9.2.1, Reference 2. The principal safety related function of the EW System is the removal of decay heat from the reactor via the Shutdown Cooling (SDC) System heat exchanger.

APPLICABLE SAFETY ANALYSES

The design basis of the EW System is for one EW train in conjunction with the ultimate heat sink and a 100% capacity Containment Spray System to remove sufficient heat to ensure a safe reactor shutdown coincident with a loss of offsite power. The EW System provides a gradual reduction in the temperature of the containment sump fluid as it is supplied to the Reactor Coolant System (RCS) by the safety injection pumps.

The EW System is designed to perform its function with a single failure of any active component, assuming a loss of offsite power. The EW System also functions to cool the unit from SDC entry conditions (Tcold < 350°F) to MODE 5 (Tcold < 210°F) during normal and post accident operations.
The time required to cool from 350°F to 210°F is a function of the number of EW and SDC trains operating. One EW train is sufficient to remove decay heat during subsequent operations with Tcold < 210°F. This assumes that the worst case meteorological conditions occur simultaneously with the maximum heat loads on the system.

The EW System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The EW trains are independent of each other to the degree that each has separate controls and power supplies and the operation of one does not depend on the other. In the event of a DBA, one EW train is required to provide the minimum heat removal capability assumed in the safety analysis for the systems to which it supplies cooling water. To ensure this requirement is met, two EW trains must be OPERABLE. At least one EW train will operate assuming the worst single active failure occurs coincident with the loss of offsite power. An EW train is considered OPERABLE when:

a. The associated pump and surge tank are OPERABLE; and
b. The associated piping, valves, heat exchanger and instrumentation and controls required to perform the safety related function are OPERABLE.

The isolation of EW from other components or systems renders those components or systems inoperable, but does not necessarily affect the OPERABILITY of the EW System.

Isolation of the EW System to the Essential Chiller, while rendering the Essential Chiller inoperable, is acceptable and does not impact the OPERABILITY of the EW System. Disassembly, removal of insulation, and other configuration changes to the isolated portions of an OPERABLE system must be explicitly evaluated for operability impact prior to executing any configuration changes of the OPERABLE system. Isolation of the EW System to SDC system heat exchanger is not acceptable and would render both the EW System and the SDC system inoperable (Ref. 3). The EW System is inoperable in this situation because it is operating outside of the acceptable limits of the system.

APPLICABILITY

In MODES 1, 2, 3, and 4, the EW System must be prepared to perform its post accident safety functions, primarily RCS heat removal by cooling the SDC heat exchanger. When the plant is in other than MODES 1, 2, 3 or 4, the requirements for the EW System shall be consistent with the definition of OPERABILITY which requires (support) equipment to be capable of performing its related support function(s).

ACTIONS

A.1

Required Action A.1 is modified by a Note indicating the requirement of entry into the applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops - MODE 4," for SDC made inoperable by EW. This note is only applicable in MODE 4. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.

With one EW train inoperable, action must be taken to restore OPERABLE status within 72 hours. In this Condition, the remaining OPERABLE EW train is adequate to perform the heat removal function. The 72 hour Completion Time is based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a DBA occurring during this period.

B.1 and B.2

If the EW train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.7.1

Verifying the correct alignment for manual, power operated, and automatic valves in the EW flow path provides assurance that the proper flow paths exist for EW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in their correct position.

This SR is modified by a Note indicating that the isolation of the EW components or systems renders those components or systems inoperable but does not necessarily affect the OPERABILITY of the EW System. Isolation of the EW System to the Essential Chiller, while rendering the Essential Chiller inoperable, is acceptable and does not impact the OPERABILITY of the EW System. Isolation of the EW System to the SDC system heat exchanger is not acceptable and would render both the EW System and the SDC system inoperable (Ref. 3). The EW System is inoperable in this situation because it is operating outside of the acceptable limits of the system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.7.2

This SR verifies proper automatic operation of the EW valves on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.7.3

This SR verifies proper automatic operation of the EW pumps on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.2.
2. UFSAR, Section 9.2.1.
3. CRDR 980794

B 3.7 PLANT SYSTEMS

B 3.7.8 Essential Spray Pond System (ESPS)

BASES

BACKGROUND

The ESPS provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. During a normal shutdown, the ESPS also provides this function for various safety related components.

The ESPS consists of two separate, 100% capacity safety related cooling water trains. Each train consists of one 100% capacity pump, one Essential Cooling Water (EW) heat exchanger, piping, valves, instrumentation, and a cleanup and Chemistry Control System. The valves are manually aligned, and secured in position. The pumps are automatically started upon receipt of an ESFAS signal.

Additional information about the design and operation of the ESPS, along with a list of the components served, is presented in the FSAR, Section 9.2.1 (Ref. 1).
The principal safety related function of the ESPS is the removal of decay heat from the reactor via the EW System.

APPLICABLE SAFETY ANALYSES

The design basis of the ESPS is for one ESPS train, in conjunction with the EW System and a 100% capacity containment spray system to remove sufficient heat to ensure a safe reactor shutdown coincident with a loss of offsite power. The ESPS is designed to perform its function with a single failure of any active component, assuming the loss of offsite power.

The ESPS, in conjunction with the EW System, also cools the unit from shutdown cooling (SDC) entry conditions, as discussed in the UFSAR, Section 5.4.7 (Ref. 2), to MODE 5 during normal and post accident operations. The time required for this evolution is a function of the number of EW and SDC System trains that are operating. One ESPS train is sufficient to remove decay heat during subsequent operations in MODES 5 and 6. This assumes that worst case meteorological conditions occur simultaneously with maximum heat loads on the system.

The ESPS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Two ESPS trains are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst single active failure occurs coincident with the loss of offsite power. An ESPS train is considered OPERABLE when:

a. The associated pump is OPERABLE; and
b. The associated piping, valves, instrumentation, heat exchanger, and instrumentation and controls required to perform the safety related function are OPERABLE.

The isolation of the ESPS from other components or systems renders those components or systems inoperable, but does not necessarily affect the OPERABILITY of the ESPS. Isolation of the ESPS to required Diesel Generator (DG) cooler(s), while rendering the DG inoperable, is acceptable and does not impact the OPERABILITY of the ESPS. Disassembly, removal of insulation, and other configuration changes to the isolated portions of an OPERABLE system must be explicitly evaluated for operability impact prior to executing any configuration changes of the OPERABLE system. Isolation of the ESPS to the essential cooling water heat exchanger is not acceptable and would render both the Essential Cooling Water System and the ESPS inoperable (Ref. 3). The ESPS is inoperable in this situation because it is operating outside of the acceptable limits of the system.

APPLICABILITY

In MODES 1, 2, 3, and 4, the ESPS System is required to support the OPERABILITY of the equipment serviced by the ESPS and required to be OPERABLE in these MODES. When the plant is in other than MODES 1, 2, 3 or 4, the requirements of the ESPS shall be consistent with the definition of OPERABILITY which requires (support) equipment to be capable of performing its related support function(s).

ACTIONS

A.1

With one ESPS train inoperable, action must be taken to restore OPERABLE status within 72 hours. In this Condition, the remaining OPERABLE ESPS train is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the ESPS train could result in loss of ESPS function.

Required Action A.1 is modified by two Notes. The first Note indicates that the applicable Conditions of LCO 3.8.1, "AC Sources - Operating," must be entered when the inoperable ESPS train results in an inoperable emergency diesel generator.
The second Note indicates that the applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops - MODE 4," should be entered if an inoperable ESPS train results in an inoperable SDC System. This note is only applicable in MODE 4. The 72 hour Completion Time is based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a DBA occurring during this time period.

B.1 and B.2

If the ESPS train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.8.1

Verifying the correct alignment for manual and power operated valves in the ESPS flow path ensures that the proper flow paths exist for ESPS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.
This SR is modified by a Note indicating that the isolation of the ESPS components or systems renders those components or systems inoperable but does not necessarily affect the OPERABILITY of the ESPS. Isolation of the ESPS to required Diesel Generator (DG) cooler(s), while rendering the DG inoperable, is acceptable and does not impact the OPERABILITY of the ESPS. Isolation of the ESPS to the essential cooling water heat exchanger is not acceptable and would render both the Essential Cooling Water System and the ESPS inoperable (Ref. 3). The ESPS is inoperable in this situation because it is operating outside of the acceptable limits of the system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.8.2

The SR verifies proper automatic operation of the ESPS pumps on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.1.
2. UFSAR, Section 5.4.7.
3. CRDR 980795

B 3.7 PLANT SYSTEMS

B 3.7.9 Ultimate Heat Sink (UHS)

BASES

BACKGROUND

The UHS provides a heat sink for process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. This is done utilizing the Essential Spray Pond System (ESPS).

The UHS is the essential spray ponds as discussed in the UFSAR, Section 9.2.5 (Ref. 1). The two principal functions of the UHS are the dissipation of residual heat after reactor shutdown, and dissipation of residual heat after an accident.

The basic performance requirements are that a 26 day supply of water be available, and that the design basis temperatures of safety related equipment not be exceeded.
Additional information on the design and operation of the system along with a list of components served can be found in Reference 1.

APPLICABLE SAFETY ANALYSES

The UHS is the sink for heat removed from the reactor core following all accidents and anticipated operational occurrences in which the unit is cooled down and placed on shutdown cooling. Its maximum post accident heat load occurs 20 minutes after a design basis loss of coolant accident (LOCA). Near this time, the unit switches from injection to recirculation, and the containment spray system is required to remove the core decay heat.

The operating limits are based on conservative heat transfer analyses for the worst case LOCA. Reference 1 provides the details of the assumptions used in the analysis. The assumptions include: worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and the worst case failure. The UHS is designed in accordance with Regulatory Guide 1.27 (Ref. 2), which requires a 30 day supply of cooling water in the UHS. The 26 day supply contained in the two essential spray ponds meets the intent of this requirement.

The UHS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The UHS is required to be OPERABLE. The UHS is considered OPERABLE if it contains a sufficient volume of water at or below the maximum temperature that would allow the ESPS to operate for at least 26 days with no makeup following the design basis LOCA without the loss of net positive suction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the ESPS.
To meet this condition, the UHS temperature should not exceed 89°F and the level of each ESP should not fall below 12 ft usable water depth during normal unit operation. Since the bottom 1.5 ft of the ESPS is required to meet pump submergence requirements, an actual depth of 13.5 ft is needed to meet the 26 day requirement for inventory purposes. The 12' is the water volume that would be depleted over 26 days following a design basis LOCA if no makeup were available. The thermal performance analysis utilizes the entire volume inventory of the pond(s) since the entire volume is always available as a heat sink.

APPLICABILITY

In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES.

When the plant is in other than MODES 1, 2, 3, or 4, the requirements for the UHS shall be consistent with the definition of OPERABILITY, which requires (support) equipment to be capable of performing its related support function(s).

ACTIONS

A.1 and A.2

If the UHS is inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

PALO VERDE UNITS 1,2,3 B 3.7.9-3 REVISION 56

SURVEILLANCE REQUIREMENTS

SR 3.7.9.1

This SR verifies adequate long term (26 days) cooling can be maintained with no makeup. The level specified also ensures sufficient NPSH is available for operating the ESPS pumps.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A usable water depth of 12 feet requires 13'-6" of actual water depth. The implementing procedure requires the operator to verify that the level is greater than or equal to 13'-6" measured locally at the spray pond or 14' indicated in the control room using installed instrumentation. The difference is a result of instrument uncertainty.

SR 3.7.9.2

This SR verifies that the ESPS is available to cool the EW System to at least its maximum design temperature within the maximum accident or normal design heat loads for 26 days following a DBA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.5.
2. Regulatory Guide 1.27.

PALO VERDE UNITS 1,2,3 B 3.7.10-1 REVISION 10

B 3.7 PLANT SYSTEMS

B 3.7.10 Essential Chilled Water (EC) System

BASES

BACKGROUND

The EC System provides a heat transfer system to the ultimate heat sink for the removal of process and operating heat from selected safety related air handling systems during a Design Basis Accident (DBA) or transient.

The EC System is a closed loop system consisting of two independent trains. Each 100% capacity train includes a heat exchanger, surge tank, pump, chemical addition tank, piping, valves, controls, and instrumentation. An independent 100% capacity chilled water refrigeration unit cools each train. The EC System is actuated on receipt of an ESFAS signal and supplies chilled water to the Heating, Ventilation, and Air Conditioning (HVAC) units in Engineered Safety Feature (ESF) equipment areas (e.g., the main control room, DC equipment room, AFW pump rooms, EW pump rooms and safety injection pump rooms).
The flow path for the EC System includes the closed loop of piping to all serviced equipment.

During normal operation, the normal Chilled Water System (WC) and the normal HVAC System cool the areas served by the EC System. The WC System and the normal HVAC System are nonsafety grade systems. Following ESFAS actuations, the EC System with essential HVAC units provides this cooling function to the control room and safety grade equipment.

Additional information about the design and operation of the system, along with a list of components served, can be found in the UFSAR, Section 9.2.9 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The design basis of the EC System is to remove the post accident heat load from ESF spaces following a DBA coincident with a loss of offsite power. Each train provides chilled water to the HVAC units. The EC system design flowrates and temperatures are referenced in the Design Bases Manual.

PALO VERDE UNITS 1,2,3 B 3.7.10-2 REVISION 59

The maximum heat load in the ESF pump room area occurs during the recirculation phase following a loss of coolant accident. During recirculation, hot fluid from the containment sump is supplied to the high pressure safety injection and containment spray pumps. This heat load to the area atmosphere must be removed by the EC System to ensure that these pumps remain OPERABLE.

The EC satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Two EC trains are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst single failure.
An EC train is considered OPERABLE when:

a. The associated pump and surge tank are OPERABLE; and
b. The associated piping, valves, heat exchanger, refrigeration unit, and instrumentation and controls required to perform the safety related function are OPERABLE.

The isolation of the EC System from other components or systems renders those components or systems inoperable, but does not necessarily affect the OPERABILITY of the EC System. Isolation of the EC System to any single EC supplied cooling coil, while rendering the cooling coil inoperable, is acceptable and does not impact the OPERABILITY of the EC System. Disassembly, removal of insulation, and other configuration changes to the isolated portions of an OPERABLE system must be explicitly evaluated for operability impact prior to executing any configuration changes of the OPERABLE system. Isolation of the EC System to any additional cooling coil is not acceptable without an engineering evaluation and an operability determination for that configuration (Ref. 2). The EC System is inoperable in this situation, unless it has been specifically evaluated, because it is operating outside of the acceptable limits of the system.

APPLICABILITY

In MODES 1, 2, 3, and 4, the EC System is required to be OPERABLE when a LOCA or other accident would require ESF operation.

PALO VERDE UNITS 1,2,3 B 3.7.10-3 REVISION 1

When the plant is in other than MODES 1, 2, 3 or 4, the requirements for the EC System shall be consistent with the definition of OPERABILITY which requires (support) equipment to be capable of performing its related support function(s).
ACTIONS

A.1

If one EC train is inoperable, action must be taken to restore OPERABLE status within 72 hours. In this condition, one OPERABLE ECW train is adequate to perform the cooling function. The 72 hour Completion Time is reasonable, based on the low probability of an event occurring during this time and the 100% capacity OPERABLE EC train.

B.1 and B.2

If the EC train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.10.1

Verifying the correct alignment for manual, power operated, and automatic valves in the EC flow path provides assurance that the proper flow paths exist for EC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.
PALO VERDE UNITS 1,2,3 B 3.7.10-4 REVISION 56

The isolation of the EC System from other components or systems renders those components or systems inoperable, but does not necessarily affect the OPERABILITY of the EC System. Isolation of the EC System to any single EC supplied cooling coil, while rendering the cooling coil inoperable, is acceptable and does not impact the OPERABILITY of the EC System. Isolation of the EC System to any additional cooling coil is not acceptable without an engineering evaluation and an operability determination for that configuration (Ref. 2). The EC System is inoperable in this situation, unless it has been specifically evaluated, because it is operating outside of the acceptable limits of the system.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.10.2

This SR verifies proper automatic operation of the EC System components and that the EC pumps will start in the event of any accident or transient that generates an applicable ESFAS signal. This SR also ensures that each automatic valve in the flow paths actuates to its correct position on an actual or simulated ESFAS signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.2.9.
2. CRDR 980796

PALO VERDE UNITS 1,2,3 B 3.7.11-1 REVISION 50

B 3.7 PLANT SYSTEMS

B 3.7.11 Control Room Essential Filtration System (CREFS)

BASES

BACKGROUND

The CREFS provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke.
The CREFS consists of two independent, redundant trains that recirculate and filter the air in the control room envelope (CRE) and a CRE boundary that limits the inleakage of unfiltered air. Each CREFS train consists of a prefilter, a High Efficiency Particulate Air (HEPA) filter, an activated charcoal adsorber section for removal of gaseous activity (principally iodine), and a fan. Ductwork, valves or dampers, doors, barriers, and instrumentation also form part of the system. A second bank of HEPA filters follows the adsorber section to collect carbon fines, and provides back-up in case of failure of the main HEPA filter bank. The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations, and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of the unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program. The CREFS is an emergency system. Upon receipt of the actuating signal(s), normal HVAC to the CRE is isolated, and the stream of ventilation air is mixed with outside air and recirculated through the filter trains of the system. The prefilters remove any large particles in the air, to prevent excessive loading of the HEPA filters and charcoal adsorbers. 
PALO VERDE UNITS 1,2,3 B 3.7.11-2 REVISION 50

Actuation of CREFS aligns the system for recirculation of the air within the CRE through the redundant trains of HEPA and charcoal filters. Actuation of the CREFS also initiates pressurization and filtered ventilation of the air supply to the CRE.

Outside air is combined and filtered with the air being recirculated from the CRE. Pressurization of CRE minimizes infiltration of unfiltered air from all the surrounding areas adjacent to the CRE boundary.

The air entering the CRE is continuously monitored by radiation detectors. One detector output above the setpoint will cause actuation of the CREFS trains.

A single CREFS train operating at a flow rate of 1000 cfm is designed to pressurize the CRE to 0.125 inches water gauge relative to external areas adjacent to the CRE boundary. The CREFS operation in maintaining the CRE habitable is discussed in the UFSAR, Section 6.4 (Ref. 1).

Redundant recirculation trains provide the required filtration. Normally open isolation dampers in the normal Control Room HVAC System are arranged in series pairs so that the failure of one damper to shut will not result in a breach of isolation. The CREFS is designed in accordance with Seismic Category I requirements.

The CREFS is designed to maintain a habitable environment in the CRE for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding a 5 rem whole body dose or its equivalent to any part of the body to the CRE occupants in the event of a large radioactive release.

APPLICABLE SAFETY ANALYSES

The CREFS components are arranged in redundant, safety related ventilation trains.
The location of components and ducting within the CRE ensures an adequate supply of filtered air to all areas requiring access.

PALO VERDE UNITS 1,2,3 B 3.7.11-3 REVISION 51

The CREFS provides airborne radiological protection for CRE occupants, as demonstrated by the CRE occupant dose analyses for the most limiting design basis accident fission product release presented in the UFSAR, Chapter 15 (Ref. 2).

The CREFS provides protection from smoke and hazardous chemicals to the CRE occupants; however, hazardous chemicals are not stored or used onsite in quantities sufficient to necessitate CRE protection, as required by Regulatory Guide 1.78. In addition, nearby industrial, military, and transportation facilities present no hazard to the operation of PVNGS, and there are no site-related design basis events due to accidents at these facilities (Ref. 1 and Ref. 3). The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panel (Ref. 4).

The worst case single active failure of a component of the CREFS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The CREFS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Two independent and redundant trains of the CREFS are required to be OPERABLE to ensure that at least one is available if a single active failure disables the other train.
Total system failure, such as from a loss of both ventilation trains or from an inoperable CRE boundary, could result in exceeding a dose of 5 rem whole body or its equivalent to any part of the body to the CRE occupants in the event of a large radioactive release.

Each CREFS train is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE. A CREFS train is considered OPERABLE when the associated:

a. Fan is OPERABLE;
b. HEPA filters and charcoal adsorber are not excessively restricting flow, and are capable of performing their filtration functions; and
c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

PALO VERDE UNITS 1,2,3 B 3.7.11-4 REVISION 55

In order for the CREFS trains to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that the CRE occupants are protected from hazardous chemicals and smoke.

The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE.
This individual will have a method to rapidly close the opening and to restore the CRE boundary integrity to the design condition when a need for CRE isolation is indicated.

APPLICABILITY

In MODES 1, 2, 3, 4, 5, 6, and during movement of irradiated fuel assemblies, the CREFS must be OPERABLE to ensure that the CRE will remain habitable during and following a DBA.

Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

During movement of irradiated fuel assemblies, the CREFS must be OPERABLE to cope with the release from a fuel handling accident.

PALO VERDE UNITS 1,2,3 B 3.7.11-5 REVISION 50

ACTIONS

A.1

With one CREFS train inoperable, for reasons other than an inoperable CRE boundary, action must be taken to restore OPERABLE status within 7 days. In this Condition, the remaining OPERABLE CREFS train is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE CREFS train could result in loss of CREFS function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and the ability of the remaining train to provide the required capability.
B.1, B.2, and B.3

If the unfiltered air leakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem whole body or its equivalent to any part of the body) or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.

During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and that CRE occupants are protected from hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour Completion Time is reasonable based upon the low probability of a DBA occurring during this time period, and the use of mitigating actions.
PALO VERDE UNITS 1,2,3 B 3.7.11-6 REVISION 55

The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair and test most problems with the CRE boundary.

C.1 and C.2

In MODE 1, 2, 3, or 4, if the inoperable CREFS or the CRE boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes the accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1

In MODE 5 or 6, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CREFS train must be immediately placed in the essential filtration mode (e.g., emergency or pressurization mode of operation fan running, valves/dampers aligned to the post-CREFAS mode). This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected.
E.1 and E.2

During movement of irradiated fuel assemblies, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CREFS train must be immediately placed in the essential filtration mode (e.g., emergency or pressurization mode of operation fan running, valves/dampers aligned to the post-CREFAS mode) or movement of irradiated fuel assemblies must be suspended immediately. The first action ensures that the remaining train is OPERABLE, that no undetected failures preventing system operation will occur, and that any active failure will be readily detected.

PALO VERDE UNITS 1,2,3 B 3.7.11-7 REVISION 57

An alternative to Required Action E.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the CRE. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

F.1 and F.2

If two CREFS trains become inoperable for reasons other than an inoperable CRE boundary or one or more CREFS trains become inoperable due to an inoperable CRE boundary, during MODE 5 or 6, or during the movement of irradiated fuel assemblies, immediate action must be taken to suspend activities that could release radioactivity that might enter the CRE. The Required Actions place the unit in a condition that minimizes accident risk. These actions do not preclude movement of fuel assemblies to safe positions.

G.1

If both CREFS trains are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable CRE boundary (i.e., Condition B), the CREFS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.
SURVEILLANCE REQUIREMENTS

SR 3.7.11.1

Standby systems should be checked periodically to ensure that they function properly. Since the environment and normal operating conditions on this system are not severe, testing each train periodically provides an adequate check on this system. Periodic operation for 15 minutes to demonstrate the function of the system is required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

PALO VERDE UNITS 1,2,3 B 3.7.11-8 REVISION 56

SR 3.7.11.2

This SR verifies that the required CREFS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The CREFS filter tests are in accordance with Regulatory Guide 1.52 (Ref. 5). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.11.3

This SR verifies that each CREFS train starts and operates on an actual or simulated actuation signal. This includes verification that the system is automatically placed into a filtration mode of operation with flow through the HEPA filters and charcoal adsorber banks. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.11.4

This SR verifies the operability of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program.
The CRE is considered habitable when the radiological dose of CRE occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem whole body or its equivalent to any part of the body and the CRE occupants are protected from hazardous chemicals and smoke. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condition B must be entered. Required Action B.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2.7.3, (Ref. 6) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 7).

PALO VERDE UNITS 1,2,3 B 3.7.11-9 REVISION 50

These compensatory measures may also be used as mitigating actions as required by Action B.2. Temporary analytical methods may also be used as compensatory measures to restore operability (Ref. 8). Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis DBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending on the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.

REFERENCES

1. UFSAR, Section 6.4.
2. UFSAR, Chapter 15.
3. UFSAR, Section 2.2.3.
4. UFSAR, Section 9.4.
5. Regulatory Guide 1.52 (Rev. 2).

6. Regulatory Guide 1.196.
7. NEI 99-03, "Control Room Envelope Habitability Assessment," June 2001.
8. Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability" (ADAMS Accession No. ML040300694).

PALO VERDE UNITS 1,2,3 B 3.7.12-1 REVISION 1

B 3.7 PLANT SYSTEMS

B 3.7.12 Control Room Emergency Air Temperature Control System (CREATCS)

BASES

BACKGROUND

The CREATCS provides temperature control for the control room following isolation of the control room.

The CREATCS consists of two independent, redundant trains that provide cooling of recirculated control room air. Each train consists of cooling coils, instrumentation, and controls to provide for control room temperature control. The CREATCS is a subsystem providing air temperature control for the control room.

The CREATCS is an emergency system, which is part of the Control Room Essential Filtration System (CREFS). A single train will provide the required temperature control to maintain the control room between 70°F and 80°F. The CREATCS operation to maintain the control room temperature is discussed in the UFSAR, Section 9.4 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The design basis of the CREATCS is to maintain temperature of the control room environment throughout 30 days of continuous occupancy.

The CREATCS components are arranged in redundant safety related trains. During emergency operation, the CREATCS maintains the temperature between 70°F and 80°F. A single active failure of a component of the CREATCS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control. The CREATCS is designed in accordance with Seismic Category I requirements. The CREATCS is capable of removing sensible and latent heat loads from the control room, considering equipment heat loads and personnel occupancy requirements, to ensure equipment OPERABILITY.
The CREATCS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Two independent and redundant trains of the CREATCS are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other train. Total system failure could result in the equipment operating temperature exceeding limits in the event of an accident. The CREATCS is considered OPERABLE when the individual components that are necessary to maintain the control room temperature are OPERABLE in both trains. These components include the cooling coils and associated temperature control instrumentation. In addition, the CREATCS must be OPERABLE to the extent that air circulation can be maintained.

APPLICABILITY

In MODES 1, 2, 3, 4, 5, and 6, and during movement of irradiated fuel assemblies, the CREATCS must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY requirements following isolation of the control room. Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

ACTIONS

A.1

With one CREATCS train inoperable, action must be taken to restore OPERABLE status within 30 days. In this Condition, the remaining OPERABLE CREATCS train is adequate to maintain the control room temperature within limits.
The 30 day Completion Time is reasonable, based on the low probability of an event occurring requiring control room isolation, consideration that the remaining train can provide the required capabilities, and the alternate safety or nonsafety related cooling means that are available.

B.1 and B.2

In MODE 1, 2, 3, or 4, when Required Action A.1 cannot be completed within the required Completion Time, the unit must be placed in a MODE that minimizes the accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1

In MODE 5 or 6, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CREATCS train must be placed in operation immediately (including supporting systems). This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected.

D.1 and D.2

During movement of irradiated fuel assemblies, if Required Action A.1 cannot be completed within the Required Completion Time, the OPERABLE CREATCS train must be placed in operation immediately (including supporting systems) or movement of irradiated fuel assemblies must be suspended immediately. The first action ensures that the remaining train is OPERABLE, that no undetected failures preventing system operation will occur, and that any active failure will be readily detected.
If the system is not immediately placed in operation, this action requires suspension of the movement of irradiated fuel assemblies in order to minimize the risk of a release of radioactivity that might require isolation of the control room. This does not preclude the movement of fuel to a safe position.

E.1 and E.2

In MODE 5 or 6, or during movement of irradiated fuel assemblies with two CREATCS trains inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

F.1

If both CREATCS trains are inoperable in MODE 1, 2, 3, or 4, the CREATCS may not be capable of performing the intended function and the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE REQUIREMENTS

SR 3.7.12.1

This SR verifies that the heat removal capability of the system is sufficient to meet design requirements. This SR consists of a combination of testing and calculations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.4.
B 3.7 PLANT SYSTEMS

B 3.7.13 Engineered Safety Feature (ESF) Pump Room Exhaust Air Cleanup System (PREACS)

BASES

BACKGROUND

The ESF PREACS filters air from the area of the active ESF components during the recirculation phase of a Loss Of Coolant Accident (LOCA). The ESF PREACS consists of two independent and redundant trains shared with the fuel building. Each train consists of a heater, a prefilter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), and a fan. Ductwork, dampers, and instrumentation also form part of the system. A second bank of HEPA filters follows the adsorber section. The downstream HEPA filter is not credited in the accident analysis, but serves to collect charcoal fines and to back up the upstream HEPA filter, should it develop a leak. The system initiates filtered ventilation of the pump rooms and lower region of the auxiliary building following receipt of a safety injection actuation signal.

The ESF PREACS is a standby system. The Auxiliary Building Normal HVAC System provides normal cooling. During emergency operations, the ESF PREACS dampers are realigned and fans are started to initiate filtration. Upon receipt of the actuating Engineered Safety Feature Actuation System signal(s), normal air discharges from the ESF pump rooms are isolated, and the stream of ventilation air discharges through the system filter trains. The prefilters remove any large particles in the air to prevent excessive loading of the HEPA filters and charcoal adsorbers.

The ESF PREACS is discussed in the FSAR, Sections 6.5.1, 9.4.2, and 15.6.5 (Refs. 1, 2, and 3, respectively).
The primary purpose of the heaters is to maintain the relative humidity at an acceptable level consistent with iodine removal efficiencies, as discussed in the Regulatory Guide 1.52 (Ref. 4).

APPLICABLE SAFETY ANALYSES

The design basis of the ESF PREACS is established by the large break LOCA. The system evaluation assumes a passive failure of the ECCS outside containment, such as safety injection pump seal failure, during the recirculation mode. In such a case, the system limits the radioactive release to within 10 CFR 100 limits (Ref. 5). The analysis of the effects and consequences of a large break LOCA is presented in Reference 3. The ESF PREACS also actuates following a small break LOCA, requiring the unit to go into the recirculation mode of long term cooling and to clean up releases of smaller leaks, such as from valve stem packing.

The two types of system failures that are considered in the accident analysis are complete loss of function and excessive LEAKAGE. Either type of failure may result in a lower efficiency of removal for any gaseous and particulate activity released to the ESF envelope following a LOCA.

The ESF PREACS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Two independent and redundant ESF PREACS trains are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other train coincident with a loss of offsite power. Total system failure could result in the atmospheric release from the ESF envelope exceeding the required limits in the event of a Design Basis Accident (DBA).
ESF PREACS is considered OPERABLE when the individual components necessary to maintain the ESF Pump Room filtration are OPERABLE in both trains. An ESF PREACS train is considered OPERABLE when its associated:

a. Fan is OPERABLE;
b. HEPA filter and charcoal adsorber are not excessively restricting flow and are capable of performing their filtration functions; and
c. Heater, prefilter, ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

In addition, the auxiliary building envelope below the 100 ft. elevation must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors.

APPLICABILITY

In MODES 1, 2, 3, and 4, the ESF PREACS is required to be OPERABLE consistent with the OPERABILITY requirements of the ECCS. In MODES 5 and 6, the ESF PREACS is not required to be OPERABLE, since the ECCS is not required to be OPERABLE.

ACTIONS

A.1

With one ESF PREACS train inoperable, action must be taken to restore OPERABLE status within 7 days. During this time, the remaining OPERABLE train is adequate to perform the ESF PREACS function. The 7 day Completion Time is appropriate because the risk contribution is less than that for the ECCS (72 hour Completion Time) and this system is not a direct support system for the ECCS. The 7 day Completion Time is reasonable, based on the low probability of a DBA occurring during this time period, and the consideration that the remaining train can provide the required capability.
B.1 and B.2

If the ESF PREACS train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.13.1

Standby systems should be checked periodically to ensure that they function properly. Since the environment and normal operating conditions on this system are not severe, testing each train periodically provides an adequate check on this system. Operations for 15 minutes demonstrates the function of the system. There is not expected to be any moisture buildup on the adsorbers and HEPA filters due to the low humidity at PVNGS (Ref. 7). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.13.2

This SR verifies that the required ESF PREACS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The ECCS PREACS filter tests are in accordance with Regulatory Guide 1.52 (Ref. 4). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.13.3

This SR verifies that each ESF PREACS train starts and operates on an actual or simulated actuation signal.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.13.4

This SR verifies the integrity of the ESF envelope. The ability of the ESF envelope to maintain a negative pressure, with respect to potentially uncontaminated adjacent areas, is periodically tested to verify proper function of the ESF PREACS. During the post accident mode of operation, the ESF PREACS is designed to maintain a slight negative pressure in the ESF envelope with respect to adjacent areas to prevent unfiltered LEAKAGE. For the purposes of testing, the term "measurable negative pressure" is defined as 10 times the minimum instrument reading. The ESF PREACS is designed to maintain this negative pressure at a flow rate of 6,000 cfm ± 10% from the ESF envelope. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 6.5.1.
2. UFSAR, Section 9.4.2.
3. UFSAR, Section 15.6.5.
4. Regulatory Guide 1.52 (Rev. 2).
5. 10 CFR 100.11.
6. NUREG-0800, Section 6.5.1, Rev. 2, July 1981.
7. UFSAR, Section 1.8.

B 3.7 PLANT SYSTEMS

B 3.7.14 Fuel Storage Pool Water Level

BASES

BACKGROUND

The minimum water level in the fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel.
A general description of the fuel storage pool design is given in the UFSAR, Section 9.1.2, Reference 1, and the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section 9.1.3 (Ref. 2). The assumptions of the fuel handling accident are given in the UFSAR, Section 15.7.4 (Ref. 3).

APPLICABLE SAFETY ANALYSES

The minimum water level in the fuel storage pool meets the intent of the assumptions of the fuel handling accident described in Regulatory Guide 1.25 (Ref. 4). The resultant 2 hour thyroid dose to a person at the exclusion area boundary is less than one-third of the 10 CFR 100 (Ref. 5) limits.

According to Reference 4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface for a fuel handling accident. With a 23 ft water level, the assumptions of Reference 4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle, dropped and lying horizontally on top of the spent fuel racks, however, there may be < 23 ft of water above the top of the bundle and the surface, by the width of the bundle. The decontamination factor for 22 ft-6 in of water is essentially the same as that for 23 ft of water so the intent of Regulatory Guide 1.25 is met.

The fuel storage pool water level satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 3). As such, it is the minimum required for fuel storage and movement within the fuel storage pool.
APPLICABILITY

This LCO applies during movement of irradiated fuel assemblies in the fuel storage pool since the potential for a release of fission products exists. Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

ACTIONS

A.1

Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the initial conditions for an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended. This effectively precludes a spent fuel handling accident from occurring. This does not preclude moving a fuel assembly to a safe position.

If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE REQUIREMENTS

SR 3.7.14.1

This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The water level in the fuel storage pool must be checked periodically.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

During refueling operations, the level in the fuel storage pool is at equilibrium with that of the refueling canal, and the level in the refueling canal is checked daily in accordance with LCO 3.9.6, "Refueling Water Level-Fuel Assemblies".

REFERENCES

1. UFSAR, Section 9.1.2.
2. UFSAR, Section 9.1.3.
3. UFSAR, Section 15.7.4.
4. Regulatory Guide 1.25.
5. 10 CFR 100.11.

B 3.7 PLANT SYSTEMS

B 3.7.15 Fuel Storage Pool Boron Concentration

BASES

BACKGROUND

As described in LCO 3.7.17, "Spent Fuel Assembly Storage," fuel assemblies are stored in the spent fuel racks in accordance with criteria based on initial enrichment and discharge burnup. Although the water in the spent fuel pool is normally borated to 2150 ppm, the criteria that limit the storage of a fuel assembly to specific rack locations are conservatively developed without taking credit for boron. In order to maintain the spent fuel pool keff < 1.0, a soluble boron concentration of 900 ppm is required to maintain the spent fuel pool keff ≤ 0.95 assuming the most limiting single fuel mishandling accident.

APPLICABLE SAFETY ANALYSES

A fuel assembly could be inadvertently loaded into a spent fuel rack location not allowed by LCO 3.7.17 (e.g., an unirradiated fuel assembly or an insufficiently depleted fuel assembly). Another type of postulated accident is associated with a fuel assembly that is dropped onto the fully loaded fuel pool storage rack or between a rack and the pool walls.
These incidents could have a positive reactivity effect, decreasing the margin to criticality. However, the negative reactivity effect of the soluble boron compensates for the increased reactivity caused by these postulated accident scenarios.

The concentration of dissolved boron in the fuel pool satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The specified concentration of dissolved boron in the fuel pool preserves the assumptions used in the analyses of the potential accident scenarios described above. This concentration of dissolved boron is the minimum required concentration for fuel assembly storage and movement within the fuel pool.

APPLICABILITY

This LCO applies whenever any fuel assembly is stored in the spent fuel pool in order to comply with the TS 4.3.1.1.c design requirement that keff ≤ 0.95.

ACTIONS

A.1 and A.2

The Required Actions are modified by a Note indicating that LCO 3.0.3 does not apply.

When the concentration of boron in the spent fuel pool is less than required, immediate action must be taken to preclude an accident from happening or to mitigate the consequences of an accident in progress. This is most efficiently achieved by immediately suspending the movement of fuel assemblies. This does not preclude the movement of fuel assemblies to a safe position. In addition, action must be immediately initiated to restore boron concentration to within limit.

If moving fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation.
Therefore, inability to suspend movement of fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE REQUIREMENTS

SR 3.7.15.1

This SR verifies that the concentration of boron in the spent fuel pool is within the required limit. As long as this SR is met, the analyzed incidents are fully addressed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 9.1.2.
2. PVNGS Operating License Amendments 82, 69 and 54 for Units 1, 2 and 3, respectively, and associated NRC Safety Evaluation dated September 30, 1994.
3. 13-N-001-1900-1221-1, "Palo Verde Spent Fuel Pool Criticality Analysis," ABB calculation A-PV-FE-0106, revision 3, dated January 15, 1999.

B 3.7 PLANT SYSTEMS

B 3.7.16 Secondary Specific Activity

BASES

BACKGROUND

Activity in the secondary coolant results from steam generator tube outleakage from the Reactor Coolant System (RCS). Under steady state conditions, the activity is primarily iodines with relatively short half lives, and thus is an indication of current conditions. During transients, I-131 spikes have been observed as well as increased releases of some noble gases. Other fission product isotopes, as well as activated corrosion products in lesser amounts, may also be found in the secondary coolant.

A limit on secondary coolant specific activity during power operation minimizes releases to the environment because of normal operation, anticipated operational occurrences, and accidents.
This limit is lower than the activity value that might be expected from a 1 gpm tube leak (LCO 3.4.14, "RCS Operational LEAKAGE") of primary coolant at the limit of 1.0 μCi/gm (LCO 3.4.17, "RCS Specific Activity"). The steam line failure is assumed to result in the release of the noble gas and iodine activity contained in the steam generator inventory, the feedwater, and reactor coolant LEAKAGE. Most of the iodine isotopes have short half lives (i.e., < 20 hours). I-131, with a half life of 8.04 days, concentrates faster than it decays, but does not reach equilibrium because of blowdown and other losses.

APPLICABLE SAFETY ANALYSES

The accident analysis of the main steam line break (MSLB), as discussed in the UFSAR, Chapter 15 (Ref. 2), assumes the initial secondary coolant specific activity to have a radioactive isotope concentration of 0.10 μCi/gm DOSE EQUIVALENT I-131. This assumption is used in the analysis for determining the radiological consequences of the postulated accident. The accident analysis, based on this and other assumptions, shows that the radiological consequences of an MSLB do not exceed a small fraction of the unit EAB limits (Ref. 1) for whole body and thyroid dose rates.

With the loss of offsite power, the remaining steam generator is available for core decay heat dissipation by venting steam to the atmosphere through MSSVs and Atmospheric Dump Valves (ADVs). The Auxiliary Feedwater System supplies the necessary makeup to the steam generator. Venting continues until the reactor coolant temperature and pressure have decreased sufficiently for the Shutdown Cooling System to complete the cooldown.
In the evaluation of the radiological consequences of this accident, the activity released from the steam generator connected to the failed steam line is assumed to be released directly to the environment. The unaffected steam generator is assumed to discharge steam and any entrained activity through MSSVs and ADVs during the event.

Secondary specific activity limits satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

As indicated in the Applicable Safety Analyses, the specific activity limit in the secondary coolant system is 0.10 μCi/gm DOSE EQUIVALENT I-131, to limit the radiological consequences of a Design Basis Accident (DBA) to a small fraction of the required limit (Ref. 1).

Monitoring the specific activity of the secondary coolant ensures that when secondary specific activity limits are exceeded, appropriate actions are taken in a timely manner to place the unit in an operational MODE that would minimize the radiological consequences of a DBA.

APPLICABILITY

In MODES 1, 2, 3, and 4, the limits on secondary specific activity apply due to the potential for secondary steam releases to the atmosphere.

In MODES 5 and 6, the steam generators are not being used for heat removal. Both the RCS and steam generators are depressurized, and primary to secondary LEAKAGE is minimal. Therefore, monitoring of secondary specific activity is not required.

ACTIONS

A.1 and A.2

DOSE EQUIVALENT I-131 exceeding the allowable value in the secondary coolant is an indication of a problem in the RCS, and contributes to increased post accident doses.
If secondary specific activity cannot be restored to within limits in the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.7.16.1

This SR ensures that the secondary specific activity is within the limits of the accident analysis. A gamma isotope analysis of the secondary coolant, which determines DOSE EQUIVALENT I-131, confirms the validity of the safety analysis assumptions as to the source terms in post accident releases. It also serves to identify and trend any unusual isotopic concentrations that might indicate changes in reactor coolant activity or LEAKAGE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 100.11.
2. UFSAR, Chapter 15.

B 3.7 PLANT SYSTEMS

B 3.7.17 Spent Fuel Assembly Storage

BASES

BACKGROUND

The spent fuel storage is designed to store either new (nonirradiated) nuclear fuel assemblies, or burned (irradiated) fuel assemblies in a vertical configuration underwater. The storage pool was originally designed to store up to 1329 fuel assemblies in a borated fuel storage mode.
The current storage configuration, which allows credit to be taken for boron concentration, burnup, and decay time, and does not require neutron absorbing (boraflex) storage cans, provides for a maximum storage of 1209 fuel assemblies in a four-region configuration. The design basis of the spent fuel cooling system, however, is to provide adequate cooling to the spent fuel during all operating conditions (including full core offload) for only 1205 fuel assemblies (UFSAR section 9.1.3). Therefore, an additional four spaces are mechanically blocked to limit the maximum number of fuel assemblies that may be stored in the spent fuel storage pool to 1205.

Region 1 is comprised of two 9x8 storage racks and one 12x8 storage rack. Cell blocking devices are placed in every other storage cell location in Region 1 to maintain a two-out-of-four checkerboard configuration. These cell blocking devices prevent inadvertent insertion of a fuel assembly into a cell that is not allowed to contain a fuel assembly.

Region 3 is comprised of three 9x8 storage racks and one 9x9 storage rack in Units 2 and 3. Region 3 is comprised of four 9x8 storage racks and one 9x9 storage rack in Unit 1. Since fuel assemblies may be stored in every Region 3 cell location, no cell blocking devices are installed in Region 3.

Regions 2 and 4 are mixed and are comprised of seven 9x8 storage racks and three 12x8 storage racks in Units 2 and 3. Regions 2 and 4 are mixed and are comprised of six 9x8 storage racks and three 12x8 storage racks in Unit 1. Regions 2 and 4 are mixed in a repeating 3x4 storage pattern in which two-out-of-twelve cell locations are designated Region 2 and ten-out-of-twelve cell locations are designated Region 4 (see UFSAR Figures 9.1-7 and 9.1-7A). Since fuel assemblies may be stored in every Region 2 and Region 4 cell location, no cell blocking devices are installed in Region 2 and Region 4.
The spent fuel storage cells are installed in parallel rows with a nominal center-to-center spacing of 9.5 inches. This spacing, a minimum soluble boron concentration of 900 ppm, and the storage of fuel in the appropriate region based on assembly burnup in accordance with TS Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3 are sufficient to maintain a keff of ≤ 0.95 for fuel of original maximum radially averaged enrichment of up to 4.80%.

APPLICABLE SAFETY ANALYSES
The spent fuel storage pool is designed for non-criticality by use of adequate spacing, credit for boron concentration, and the storage of fuel in the appropriate region based on assembly burnup in accordance with TS Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3. The design requirements related to criticality (TS 4.3.1.1) are keff < 1.0 assuming no credit for boron and keff ≤ 0.95 taking credit for soluble boron. The burnup versus enrichment requirements (TS Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3) are developed assuming keff < 1.0 with no credit taken for soluble boron, and that keff ≤ 0.95 assuming a soluble boron concentration of 900 ppm and the most limiting single fuel mishandling accident.

The analysis of the reactivity effects of fuel storage in the spent fuel storage racks was performed by ABB-Combustion Engineering (CE) using the three-dimensional Monte Carlo code KENO-Va with the updated 44 group ENDF/B-5 neutron cross section library. The KENO code has been previously used by CE for the analysis of fuel rack reactivity and has been benchmarked against results from numerous critical experiments.
These experiments simulate the PVNGS fuel storage racks as realistically as possible with respect to parameters important to reactivity such as enrichment and assembly spacing.

The modeling of Regions 2, 3, and 4 included several conservative assumptions. These assumptions neglected the reactivity effects of poison shims in the assemblies and structural grids. These assumptions tend to increase the calculated effective multiplication factor (keff) of the racks. The stored fuel assemblies were modeled as CE 16x16 assemblies with a nominal pitch of 0.5065 inches between fuel rods, a fuel pellet diameter of 0.3255 inches, and a UO2 density of 10.31 g/cc.

KENO-Va calculations were used to construct curves of burnup versus initial enrichment for decay times in 5 year increments from 0 to 20 years for both Regions 3 and 4 (TS Figures 3.7.17-2 and 3.7.17-3) such that all points on the curves produce a keff value (including all biases and uncertainties) of < 1.0 for unborated water. Biases associated with methodology and water temperature were included, and uncertainties associated with methodology, KENO-Va calculation, fuel enrichment, fuel rack pitch, fuel rack and L-insert thickness, pellet stack density, and asymmetric fuel assembly loading were included.

KENO-Va calculations were also performed to determine the soluble boron concentration required to maintain the spent fuel pool keff (including all biases and uncertainties) ≤ 0.95 at a 95% probability/95% confidence level. A soluble boron concentration of 900 ppm is required to assure that the spent fuel pool keff remains ≤ 0.95 at all times.
This soluble boron concentration accounts for the positive reactivity effects of the most limiting single fuel mishandling event and uncertainties associated with fuel assembly reactivity and burnup. This method of reactivity equivalencing has been accepted by the NRC (Reference 3) and used for numerous other spent fuel storage pools that take credit for burnup, decay time, and soluble boron.

Most abnormal storage conditions will not result in an increase in the keff of the racks. However, it is possible to postulate events, with a burnup and enrichment combination outside of the acceptable area in TS Figure 3.7.17-1, or with a burnup, decay time, and enrichment combination outside of the acceptable area in TS Figures 3.7.17-2 or 3.7.17-3, which could lead to an increase in reactivity. These events would include an assembly drop on top of a rack or between a rack and the pool walls, or the misloading of an assembly. For such events, partial credit may be taken for the soluble boron in the spent fuel pool water to ensure protection against a criticality accident since the staff does not require the assumption of two unlikely, independent, concurrent events (double contingency principle). Although a soluble boron concentration of only 900 ppm is required to assure that keff remains ≤ 0.95 assuming the single most limiting fuel mishandling event, TS 3.7.15 conservatively requires the presence of 2150 ppm of soluble boron in the spent fuel pool water. As such, the reduction in keff caused by the required soluble boron concentration more than offsets the reactivity addition caused by credible accidents, and the staff criterion of keff ≤ 0.95 is met at all times.
The criticality aspects of the spent fuel pool meet the requirements of General Design Criterion 62 for the prevention of criticality in fuel storage and handling.

The spent fuel pool heat load calculations were based on a full pool with 1205 fuel assemblies. From the spent fuel pool criticality analysis, the number of fuel assemblies that can be stored in the four-region configuration is 1209 fuel assemblies. The design basis of the spent fuel cooling system, however, is to provide adequate cooling to the spent fuel during all operating conditions (including full core offload) for only 1205 fuel assemblies (UFSAR section 9.1.3). Therefore, an additional four spaces are mechanically blocked to limit the maximum number of fuel assemblies that may be stored in the spent fuel storage pool to 1205.

The original licensing basis for the spent fuel pool allowed for spent fuel to be loaded in either a 4x4 array or a checkerboard array, depending on the use of borated poison. A fuel handling accident was assumed to occur with maximum loading of the pool. The fuel pool rack construction precludes more than one assembly from being impacted in a fuel handling accident. The UFSAR analysis conclusion regarding the worst scenario for a dropped assembly (in which the horizontal impact of a fuel assembly on top of the spent fuel assembly damages fuel rods in the dropped assembly but does not impact fuel in the stored assemblies) continues to be limiting.

The spent fuel assembly storage satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).
LCO
The restrictions on the placement of fuel assemblies within the spent fuel pool, according to Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3 in the accompanying LCO, ensure that the keff of the spent fuel pool will always remain < 1.0 assuming the pool to be flooded with unborated water. The restrictions are consistent with the criticality safety analysis performed for the spent fuel pool according to Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3 in the accompanying LCO. Specification 4.3.1.1 provides additional details for fuel storage in each of the four Regions.

APPLICABILITY
This LCO applies whenever any fuel assembly is stored in the spent fuel pool.

ACTIONS

A.1
Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the configuration of fuel assemblies stored in the spent fuel pool is not in accordance with Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3, immediate action must be taken to make the necessary fuel assembly movement(s) to bring the configuration into compliance with Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3.

If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation. Therefore, in either case, inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.
SURVEILLANCE REQUIREMENTS

SR 3.7.17.1
This SR verifies by administrative means that the initial enrichment and burnup of the fuel assembly is in accordance with Figures 3.7.17-1, 3.7.17-2, and 3.7.17-3 in the accompanying LCO and Specification 4.3.1.1.

To manually determine the allowed SFP region for a fuel assembly, the actual burnup is compared to the burnup requirement for the given initial enrichment and appropriate decay time from Figure 3.7.17-1, 3.7.17-2, or 3.7.17-3. If the actual burnup is greater than or equal to the burnup requirement, then the fuel assembly is eligible to be stored in the corresponding region. If the actual burnup is less than the burnup requirement, then the comparison needs to be repeated using another curve for a lower numbered region. Note the following: that a fuel assembly that does not meet the burnup requirement for Region 2 must be stored in Region 1, that any fuel assembly may be stored in Region 1, that any fuel assembly may be stored in a lower numbered region than the region for which it qualifies because burnup requirements decrease as region numbers decrease (refer also to Tech Spec 4.3.1.1), and that comparing actual burnup to the burnup requirement for zero decay time will always be correct or conservative.

REFERENCES
1. UFSAR, Sections 9.1.2 and 9.1.3.
2. PVNGS Operating License Amendments 82, 69, and 54 for Units 1, 2, and 3 respectively, and associated NRC Safety Evaluation, dated September 30, 1994.
3. Letter to T. E. Collins, U.S. NRC to T. Greene, WOG, "Acceptance for Referencing of Licensing Topical Report WCAP-14416-P, Westinghouse Spent Fuel Rack Methodology (TAC NO. M93254)", October 25, 1996.
4. 13-N-001-1900-1221-1, "Palo Verde Spent Fuel Pool Criticality Analysis," ABB calculation A-PV-FE-0106, revision 03, dated January 15, 1999.
5. Westinghouse letter NF-APS-10-19, "Criticality Safety Evaluation of the Spent Fuel Pool Map with a Proposed Region 3 Increase," dated February 25, 2010.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.1 AC Sources - Operating

BASES

BACKGROUND
The unit Class 1E Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources: normal and alternate(s)), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Features (ESF) systems.

The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed. Each train has connections to two preferred offsite power sources (normal and alternate) and a single DG.

Offsite power is supplied to the unit switchyard from the transmission network by seven transmission lines. From the switchyard, two electrically and physically separated circuits provide AC power, through ESF service transformers, to the 4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the updated FSAR, Chapter 8 (Ref. 2).
An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus or buses.

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the transformer (NBN-X03 and NBN-X04) supplying offsite power to the onsite Class 1E Distribution System. Within 30 seconds after the initiating signal is received, all permanently connected and auto-connected emergency loads needed to recover the unit or maintain it in a safe condition are returned to service via the automatic load sequencer.

The onsite standby power source for each 4.16 kV ESF bus is a dedicated DG. DG-A and DG-B are dedicated to ESF buses PBA-S03 and PBB-S04, respectively. A DG starts automatically (in emergency mode) on a safety injection actuation signal (SIAS) (i.e., low pressurizer pressure or high containment pressure signals), auxiliary feedwater actuation signals (AFAS-1 and AFAS-2) (e.g., low steam generator level), or on a loss of power (an ESF bus degraded voltage or undervoltage signal). After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with a SIAS or AFAS signal. Following the loss of offsite power, the sequencer sheds nonpermanent loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer.
The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application. The DGs will also start and operate in the standby mode (running unloaded) without tying to the ESF bus on a SIAS or AFAS. In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA). Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Within 40 seconds after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service. Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each DG is 5500 kW with 10% overload permissible for up to 2 hours in any 24 hour period. The ESF loads that are powered from the 4.16 kV ESF buses are listed in the updated FSAR, Chapter 8 (Ref. 2). Offsite power sources must have the capability to effect a safe shutdown and to mitigate the effects of an accident as specified in Regulatory Guide 1.93 (Ref. 6). 
As a result of certain anticipated operational occurrences (AOOs) and design basis accidents (DBAs), the voltage to ESF buses PBA-S03 and PBB-S04 would change as a result of one or more of the following three automatic operations: (1) tripping of the generating unit, (2) fast bus transfer of the non-Class 1E distribution system to the startup transformers, and (3) powering of the ESF loads by the automatic load sequencer. Analyses have been performed to determine the magnitude of voltage change due to each of these operations. Under conditions where these voltage changes would result in either inadequate voltages to the ESF equipment or tripping of the degraded voltage relays, the guidance from Regulatory Guide 1.93 (Ref. 6) is not met and the affected offsite circuit(s) do not meet their required capability.

Tripping of a Palo Verde unit can result in either a decrease or increase in the switchyard voltage due to the change in the flow of volt-amperes reactive (VARs) into or out of the electrical grid. If two or more Palo Verde units are on line and available to regulate switchyard voltage, the voltage will not change significantly following tripping of one unit. If only one unit is on line and is not providing switchyard voltage support (generator gross MVAR output ≤ 0), the post-trip switchyard voltage will be equal to or greater than the pre-trip switchyard voltage. If it had been providing switchyard voltage support (generator gross MVAR output > 0), the post-trip switchyard voltage could be lower than the pre-trip switchyard voltage.
In this case, adequate voltage to the Class 1E buses is assured by blocking fast bus transfer and thus minimizing the loading and voltage drop on the startup transformer secondary circuit.

Voltage analyses also conclude that the maximum switchyard voltage should not exceed 535.5 kV. However, even if this limit is exceeded, the offsite circuits still have the capability to effect a safe shutdown, mitigate the effects of an accident, and continue to meet the operability requirements of Regulatory Guide 1.93 (Ref. 6). Sustained switchyard overvoltages during startup transformer light loading conditions can cause accelerated thermal aging of some plant electrical equipment. However, this would not cause catastrophic equipment failure or unavailability. A high voltage alarm at the APS Energy Control Center (ECC) alerts the transmission grid operators of the need for corrective actions, which could involve adjustment of the MVAR output of the Palo Verde generator(s), adjustment of the MVAR output of nearby cogeneration units, or switching of transmission system voltage control devices. Therefore, there is no LCO for high switchyard voltage.

Grid frequency can also affect the operation of safety equipment. For example, sustained high frequency can result in an excessive differential pressure across motor operated valves, and sustained low frequency can result in substandard pump flow. There are no LCOs for offsite circuit frequency, because the grid frequency is continuously monitored and maintained within a tight tolerance by non-Palo Verde organizations.
These organizations utilize various automatic and manual methods to control frequency, such as maintaining a spinning reserve, load shedding, and turbine-governor controls. Analyses, as discussed in UFSAR Section 8.2.2 (Ref. 2), and operating experience have demonstrated that the tripping of a Palo Verde unit has a minimal effect on grid frequency.

APPLICABLE SAFETY ANALYSES
The initial conditions of DBA and transient analyses in the updated FSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during accident conditions in the event of:
a. An assumed loss of all offsite power or all onsite AC power; and
b. A worst case single failure.

The AC sources satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO
Two circuits between the offsite transmission network and the onsite Class 1E Electrical Power Distribution System and separate and independent DGs for each train ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Offsite circuits are those that are described in the updated FSAR and are part of the licensing basis for the unit. In addition, one automatic load sequencer per train must be OPERABLE.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses.

The startup transformers (NAN-X01, NAN-X02, and NAN-X03) convert the 525 kV offsite power to the Non-Class 1E 13.8 kV power. Each secondary winding of a startup transformer normally provides power to one of two interconnected 13.8 kV intermediate buses (NAN-S05 & NAN-S06) per unit, in such a way that the two 13.8 kV intermediate buses of the same unit receive power from two different start-up transformers (preferred offsite sources: normal and alternate supply). For example, Unit 1 NAN-S05's normal supply is from a NAN-X03 secondary winding and NAN-S05's alternate supply is from a NAN-X01 secondary winding; Unit 1 NAN-S06's normal supply is from a NAN-X02 secondary winding and NAN-S05's alternate supply is from a NAN-X01 secondary winding. The secondary windings are sized to start and carry one-half of the non-Class 1E loads of one unit and two trains of ESF loads, one of which is from another unit, during unit trips or during startup/shutdown operation.
The 13.8 kV intermediate buses (NAN-S05 & NAN-S06), in turn, distribute power to the 4.16 kV Class 1E buses (PBA-S03 & PBB-S04) via a 13.8 kV bus (NAN-S03 or NAN-S04) and an ESF transformer (NBN-X03 or NBN-X04). Two fast bus transfer circuits are also provided to transfer the non-Class 1E house loads fed from NAN-S01 and NAN-S02 to 13.8 kV buses NAN-S03 and NAN-S04 respectively during a plant trip or during startup/shutdown operation. Prior to a plant trip, NAN-S01 and NAN-S02 are fed from the auxiliary transformer, and are fed from NAN-S03 and NAN-S04 respectively after the plant trip.

Each DG must be capable of starting, accelerating to at least the minimum acceptable speed (i.e., frequency) and voltage, and connecting to its respective ESF bus on detection of bus under-voltage. This will be accomplished within 10 seconds after receipt of the diesel generator start signal. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby condition with the engine hot and DG in standby condition with the engine at normal keep-warm conditions. Additional DG capabilities must be demonstrated to meet required Surveillances (e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode).

Proper sequencing of loads, including tripping of nonessential loads, is a required function.

The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train.
For the DGs, separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. An offsite circuit may be connected to both 4.16 kV Class 1E buses (PBA-S03 & PBB-S04) and not violate separation criteria. While in this alignment, the associated 13.8 kV startup transformer secondary circuit must not be connected to any non-Class 1E house load bus (NAN-S01 or NAN-S02) nor have fast bus transfer capability to any such bus enabled. This restriction assures adequacy of voltage to ESF equipment. The offsite circuit that is not connected to either 4.16 kV Class 1E bus is inoperable.

APPLICABILITY
The AC sources and sequencers are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:
a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are covered in LCO 3.8.2, "AC Sources - Shutdown."

ACTIONS
Condition A applies only when the offsite circuit is unavailable to commence automatic load sequencing in the event of a design basis accident (DBA). In cases where the offsite circuit is available for sequencing, but a DBA could cause actuation of the Degraded Voltage Relays, Condition G applies.

A note prohibits the application of LCO 3.0.4.b to an inoperable DG.
There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG, and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1
To ensure a highly reliable power source remains with the one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

A.2
Required Action A.2, which only applies if the train (i.e., ESF bus) cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features.
These features require Class 1E power from PBA-S03 or PBB-S04 ESF buses to be OPERABLE, and include: charging pumps; radiation monitors Train A RU-29 and Train B RU-30 (TS 3.3.9), Train A RU-31 and Train B RU-145; pressurizer heaters (TS 3.4.9); ECCS (TS 3.5.3 and TS 3.5.4); containment spray (TS 3.6.6); containment isolation valves NCA-UV-402, NCB-UV-403, WCA-UV-62, and WCB-UV-61 (TS 3.6.3); auxiliary feedwater system (TS 3.7.5); essential cooling water system (TS 3.7.7); essential spray pond system (TS 3.7.8); essential chilled water system (TS 3.7.10); control room essential filtration system (TS 3.7.11); control room emergency air temperature control system (TS 3.7.12); ESF pump room air exhaust cleanup system (TS 3.7.13); shutdown cooling subsystems (TS 3.4.6, 3.4.7, 3.4.8, and 3.4.15); and fuel building ventilation. Mode applicability is as specified in each appropriate TS section.

The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
a. The train has no offsite power supplying its loads; and
b. A required feature on the other train is inoperable.

If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.
Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

A.3
According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.
The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 10 days. This could lead to a total of 13 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 10 days (for a total of 23 days) allowed prior to complete restoration of the LCO. The 13 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour and 13 day Completion Time means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met. As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition A was entered. 
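The two-limit rule described for Required Action A.3 (72 hours AND 13 days), and the matching 10 day AND 13 day rule for B.4, can be traced with the following added example; it is not part of the Bases or any plant procedure. The source labels, function names and event times are assumptions, and the sketch models only these two restoration Completion Times for one offsite circuit and one DG, not Conditions C through I or Required Actions A.2 and B.2.

```python
from datetime import datetime, timedelta

# Restoration limits quoted in the Bases for Required Actions A.3 and B.4.
CONDITION_LIMIT = {
    "offsite": timedelta(hours=72),  # Condition A: one offsite circuit inoperable
    "dg": timedelta(days=10),        # Condition B: one DG inoperable
}
# Second Completion Time, counted from discovery of failure to meet the LCO.
LCO_LIMIT = timedelta(days=13)


def restoration_deadlines(events):
    """Return one record per Condition entry with its governing deadline.

    events: chronological list of (time, source, operable) tuples. The
    source labels "offsite" and "dg" are hypothetical names for this sketch.
    """
    inoperable = {}            # source -> time its Condition was entered
    lco_not_met_since = None   # "time zero" for the 13 day limit
    records = []
    for when, source, operable in events:
        if operable:
            inoperable.pop(source, None)
            if not inoperable:
                # LCO is met again, so the contiguous occurrence ends.
                lco_not_met_since = None
            continue
        if source in inoperable:
            continue  # already in this Condition; no separate entry
        if lco_not_met_since is None:
            lco_not_met_since = when
        inoperable[source] = when
        by_condition = when + CONDITION_LIMIT[source]
        by_lco = lco_not_met_since + LCO_LIMIT
        # "AND" connector: both limits apply, the more restrictive governs.
        records.append({
            "source": source,
            "entered": when,
            "deadline": min(by_condition, by_lco),
            "governed_by": "condition" if by_condition <= by_lco else "lco",
        })
    return records


def constructed_scenario(t0=datetime(2014, 12, 1)):
    """Constructed timeline following the sequence the Bases text describes."""
    day = timedelta(days=1)
    return [
        (t0, "dg", False),                                # Condition B entered
        (t0 + 10 * day, "offsite", False),                # Condition A entered
        (t0 + 10 * day, "dg", True),                      # DG restored
        (t0 + 13 * day - timedelta(hours=1), "dg", False),  # DG fails again
        (t0 + 13 * day, "offsite", True),
        (t0 + 13 * day, "dg", True),                      # LCO met again
        (t0 + 20 * day, "dg", False),                     # new occurrence
    ]


if __name__ == "__main__":
    for rec in restoration_deadlines(constructed_scenario()):
        print(rec["source"], rec["entered"], rec["deadline"], rec["governed_by"])
```

In the constructed timeline the second DG entry gets no fresh 10 days: its deadline is pinned to day 13 after the LCO was first not met, which is the 23 day chain the 13 day limit exists to prevent.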
B.1

To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if an offsite circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.2

Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of redundant required features. These features require Class 1E power from PBA-S03 or PBB-S04 ESF buses to be OPERABLE, and are identical to those specified in ACTION A.2. Mode applicability is as specified in each appropriate TS section. Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG.

The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and
b. A required feature on the other train is inoperable.

If at any time during the existence of this Condition (one DG inoperable) a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.
Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

If a DG has been declared inoperable and Condition B has been entered, and during that inoperability a new problem with the inoperable DG is discovered, a separate entry into Condition B is not required for the new DG problem. Therefore, the Required Actions of Condition B would not apply to the new DG problem. The new DG problem must be entered into the corrective action program and corrective actions specified in accordance with the corrective action program. Transportability must be addressed in a timely manner in accordance with the corrective action program.
B.3.1 and B.3.2

Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on the other DG, the other DG would be declared inoperable upon discovery and Condition E of LCO 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG.

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition B.

According to Generic Letter 84-15 (Ref. 7), 24 hours is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.

B.4

In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 10 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

When utilizing an extended DG Completion Time (a Completion Time greater than 72 hours and less than or equal to 10 days), the compensatory measures listed below shall be implemented.
For planned maintenance utilizing an extended Completion Time, the compensatory measures shall be implemented prior to entering Condition B. For an unplanned entry into an extended Completion Time, the compensatory measures shall be implemented without delay.

1. The redundant DG (along with all of its required systems, subsystems, trains, components, and devices) will be verified OPERABLE (as required by TS) and no discretionary maintenance activities will be scheduled on the redundant (OPERABLE) DG.
2. No discretionary maintenance activities will be scheduled on the station blackout generators (SBOGs).
3. No discretionary maintenance activities will be scheduled on the startup transformers.
4. No discretionary maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit utilizing the extended DG Completion Time.
5. All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Discretionary maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance.
6. The SBOGs will not be used for non-safety functions (i.e., power peaking to the grid).
7. Weather conditions will be assessed prior to removing a DG from service during planned maintenance activities. Additionally, DG outages will not be scheduled when severe weather conditions and/or unstable grid conditions are predicted or present.
8.
All maintenance activities associated with the unit that is utilizing the extended DG Completion Time will be assessed and managed per 10 CFR 50.65 (Maintenance Rule).
9. The functionality of the SBOGs will be verified by ensuring that the monthly start test has been successfully completed within the previous four weeks before entering the extended DG Completion Time.
10. The OPERABILITY of the steam driven auxiliary feedwater pump will be verified before entering the extended DG Completion Time.
11. The system dispatcher will be contacted once per day and informed of the DG status, along with the power needs of the facility.
12. Should a severe weather warning be issued for the local area that could affect the switchyard or the offsite power supply during the extended DG Completion Time, an operator will be available locally at the SBOG should local operation of the SBOG be required as a result of on-site weather related damage.
13. No discretionary maintenance will be allowed on the main and unit auxiliary transformers associated with the unit.

If one or more of the above compensatory measures is not met while in the extended completion time, the corrective action program shall be entered, the risk managed in accordance with the Maintenance Rule, and the compensatory measure(s) restored without delay.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hours (3 days). This could lead to a total of 13 days, since initial failure to meet the LCO, to restore the DG.
At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours (for a total of 16 days) allowed prior to complete restoration of the LCO. The 13 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 10 day and 13 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.

C.1 and C.2

Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate.
These features are powered from redundant AC safety trains. These features require Class 1E power from PBA-S03 or PBB-S04 ESF buses to be OPERABLE, and are identical to those specified in ACTION A.2. Mode applicability is as specified in each appropriate TS section.

The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. All required offsite circuits are inoperable; and
b. A required feature is inoperable.

If at any time during the existence of Condition C (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition C for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this level of degradation:

a.
The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources, two less than required by the LCO, operation may continue for 24 hours. If two offsite sources are restored within 24 hours, unrestricted operation may continue. If only one offsite source is restored within 24 hours, power operation continues in accordance with Condition A.

Condition C applies only when the offsite circuits are unavailable to commence automatic load sequencing in the event of a design basis accident (DBA). In cases where the offsite circuits are available for sequencing, but a DBA could cause actuation of the Degraded Voltage Relays, Condition G applies.
D.1 and D.2

Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to a train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems - Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of one offsite circuit and one DG without regard to whether a train is de-energized. LCO 3.8.9 provides the appropriate restrictions for a de-energized train.

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 12 hours. In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

E.1

With Train A and Train B DGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions.
Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Regulatory Guide 1.93 (Ref. 6), with both DGs inoperable, operation may continue for a period that should not exceed 2 hours.

F.1 and F.2

The sequencer(s) is an essential support system to both the offsite circuit and the DG associated with a given ESF bus. Furthermore, the sequencer is on the primary success path for most major AC electrically powered safety systems powered from the associated ESF bus. Therefore, loss of an ESF bus sequencer affects every major ESF system in the load group. The 24 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining sequencer OPERABILITY. This time period also ensures that the probability of an accident (requiring sequencer OPERABILITY) occurring during periods when the sequencer is inoperable is minimal.

Required Action F.2 is intended to provide assurance that a single failure of a DG Sequencer will not result in a complete loss of safety function of critical redundant required features.
G.1 and G.2

To ensure offsite circuits will not be lost as a consequence of a DBE, certain conditions must be maintained. Failure to maintain these conditions may result in double sequencing should an accident requiring sequencer operation occur. An offsite circuit meets its required capability by maintaining either of the following conditions:

1. Steady-state switchyard voltage at or above the minimum level needed to support the offsite circuit's functions. The minimum allowable voltage is the value calculated as follows or 528.5 kV, whichever is less:

Base minimum voltage (provides for emergency loads on PBA-S03 or PBB-S04 and house loads on NAN-S01 or NAN-S02): 518 kV
If the offsite circuit is connected to 1-E-NAN-S05 or 1-E-NAN-S06: add 6.5 kV
If the house load group associated with the offsite circuit is connected to both NBN-S01 and NBN-S02 (tie breaker NBN-S01C closed): add 4 kV
If the offsite circuit is connected to another unit's PBA-S03 or PBB-S04: add 1.5 kV

This option does not apply if the unit under review is the only Palo Verde unit synchronized to the 525 kV switchyard and its main generator gross MVAR output is > 0 or if the offsite circuit is connected to both PBA-S03 and PBB-S04 in the same unit.

The values used to calculate minimum allowable voltage are based on calculations 01, 02, 03-EC-MA-0221 that analyze many different bus alignment conditions. The values are conservative, with sufficient margin to account for analytical uncertainties and to provide assurance that the degraded voltage relays will not actuate as a result of an accident.
The highest minimum voltage of 528.5 kV is based on management of the loading of the startup transformer secondary windings to not exceed their rated 70 MVA capacity during a design basis event. When two units are sharing a secondary winding, the associated tie breaker NAN-S03B or NAN-S04B must always be open and fast bus transfer control switch NAN-HK-S03B or NAN-HK-S04B in "Manual" position in at least one of the units.

Meters A-E-MAN-EI-001 and A-E-MAN-EI-002 are used to monitor switchyard voltage. The allowable values take into account metering uncertainties. A voltage dip lasting 35 seconds or less is considered a transient, rather than steady-state condition based on the credited 35 second time delay of the degraded voltage relay. The time delay feature on the meters' alarms may be set up to 35 seconds to avoid nuisance alarms.

2. Associated tie breaker NAN-S03B or NAN-S04B to house load buses NAN-S01 or NAN-S02 open and fast bus transfer control switch NAN-HK-S03B or NAN-HK-S04B in "Manual" position. When two units are sharing a startup transformer secondary winding, this condition must be met in both units.

If the required capability in Condition G is not met, the effects of an AOO or DBA could cause further depression of the voltage at the ESF bus and actuation of the degraded voltage relays. These actuations would result in disconnection of the bus from the offsite circuits. Regulatory Guide 1.93 (Ref. 6) defines this condition as "The Available Offsite Power Sources Are One Less Than the LCO" or "The Available Offsite AC Power Sources Are Two Less Than the LCO," depending on the number of affected circuits.
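The minimum allowable switchyard voltage rule for Condition G (518 kV base, the three adders, the 528.5 kV ceiling, the two exclusions, and the 35 second transient allowance) is worked through in the following added example, which is not taken from the Bases or from plant calculations. The field names, function names and voltage samples are assumptions made for illustration, and metering uncertainty is not modelled.

```python
from dataclasses import dataclass

BASE_KV = 518.0          # base minimum voltage from the Bases text
CAP_KV = 528.5           # "whichever is less" ceiling
TRANSIENT_MAX_S = 35.0   # dips of 35 s or less are treated as transients


@dataclass(frozen=True)
class Alignment:
    """Bus alignment inputs. Field names are hypothetical."""
    on_nan_s05_or_s06: bool = False            # circuit on 1-E-NAN-S05/S06
    nbn_tie_closed: bool = False               # NBN-S01C closed
    feeds_other_unit_esf_bus: bool = False     # another unit's PBA-S03/PBB-S04
    feeds_both_esf_buses_same_unit: bool = False
    only_unit_synchronized: bool = False       # only unit on the 525 kV yard
    gross_mvar: float = 0.0                    # main generator gross MVAR


def voltage_option_applies(a):
    """The two exclusions stated for the voltage option."""
    if a.feeds_both_esf_buses_same_unit:
        return False
    if a.only_unit_synchronized and a.gross_mvar > 0:
        return False
    return True


def minimum_allowable_kv(a):
    """Base value plus applicable adders, limited to 528.5 kV."""
    if not voltage_option_applies(a):
        raise ValueError("voltage option does not apply to this alignment")
    kv = BASE_KV
    if a.on_nan_s05_or_s06:
        kv += 6.5
    if a.nbn_tie_closed:
        kv += 4.0
    if a.feeds_other_unit_esf_bus:
        kv += 1.5
    return min(kv, CAP_KV)


def steady_state_low_periods(samples, limit_kv):
    """Return (start, end) seconds for dips below limit_kv lasting over 35 s.

    samples: chronological (seconds, kV) readings. A dip is assumed to start
    at the first reading below the limit and end at the next reading at or
    above it (an approximation that depends on the sampling interval).
    """
    periods, start, last_t = [], None, None
    for t, kv in samples:
        last_t = t
        if kv < limit_kv:
            if start is None:
                start = t
        elif start is not None:
            if t - start > TRANSIENT_MAX_S:
                periods.append((start, t))
            start = None
    # A dip still in progress at the last reading counts if already too long.
    if start is not None and last_t - start > TRANSIENT_MAX_S:
        periods.append((start, last_t))
    return periods


def voltage_condition_met(samples, alignment):
    """True when no steady-state reading falls below the allowable minimum."""
    return not steady_state_low_periods(samples, minimum_allowable_kv(alignment))


# Constructed readings: one 35 s dip (transient) and one 50 s dip.
CONSTRUCTED_SAMPLES = [(0, 529.0), (10, 527.9), (45, 529.1),
                       (60, 527.5), (100, 527.8), (110, 529.0)]

if __name__ == "__main__":
    worst = Alignment(on_nan_s05_or_s06=True, nbn_tie_closed=True,
                      feeds_other_unit_esf_bus=True)
    print(minimum_allowable_kv(worst))                        # capped value
    print(steady_state_low_periods(CONSTRUCTED_SAMPLES, 528.5))
```

With all three adders the sum is 530 kV, so the 528.5 kV ceiling governs; the same readings that pass against the 518 kV base alignment fail against that ceiling because of the 50 second dip.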
However, degraded post-trip voltage could also cause ESF electrical equipment to be exposed to a degraded condition during the degraded voltage relay time-out period. There is a risk that equipment misoperation or damage could occur during this time. In this scenario, the ESF equipment may not perform as designed following an automatic disconnection of the offsite circuits and reconnection to the diesel generators (DGs), even though adequate power is available from the DG. For certain DBAs, an additional consideration is that the initial sequencing of the ESF equipment onto the offsite circuits, subsequent tripping of the degraded voltage relays, and interruption in equipment credited in the UFSAR Chapter 6 and 15 safety analyses could challenge the credited equipment response times. Therefore, it is appropriate to implement Required Actions that are more stringent than those specified in Condition A or C.

If the required capability in Condition G is not met, the following options are available to restore full or partial Operability. Options are listed in their order of preference.

1. Achieve Condition 1 as discussed above (switchyard voltage at or above the minimum allowable value). This is accomplished by either of the following:

Increase switchyard voltage. If more than one Palo Verde unit is operating, switchyard voltage is increased by increasing MVAR output of any Palo Verde unit, or by any number of methods implemented by the Energy Control Center.
If only one Palo Verde unit is operating, switchyard voltage is increased by any number of methods implemented by the Energy Control Center while maintaining the generator gross MVAR output of the Palo Verde unit to

Reduce minimum allowable voltage as calculated above. This is achieved by realignment of equipment power sources, if such an option is available.

2. Achieve Condition 2 as discussed above. This is accomplished by ensuring the affected tie breaker (NAN-S03B or NAN-S04B) is open and the fast bus transfer control switch (NAN-HK-S03B or NAN-HK-S04B) is in the "Manual" position. If two units are sharing a startup transformer secondary winding, this condition must be achieved in both units. Although Palo Verde has no formal restrictions on the amount of time that fast bus transfer can be out of service, this option should be used judiciously in order to maintain forced circulation capability.

3. Transfer the safety bus(es) to the diesel generator(s). This is less desirable than option 2, because it would perturb the plant. It would cause the plant to remain in an LCO 3.8.1 condition (A or C, depending on whether one or two buses are transferred).

Options 1 and 2 satisfy Required Action G.1, and Option 3 satisfies Required Action G.2. With more than one offsite circuit that does not meet the required capability, Condition G could be satisfied for each offsite circuit by the use of Required Action G.1 or G.2.

The Completion Time for both Required Action G.1 and G.2 is one hour. The one hour time limit is appropriate and consistent with the need to remove the unit from this condition, because the level of degradation exceeds that described in Regulatory Guide 1.93 (Ref.
6) for two offsite circuits inoperable. The regulatory guide assumes that an adequate onsite power source is still available to both safety trains, but in a scenario involving automatic load sequencing and low voltage to the ESF buses, adequate voltage is not assured from any of the power sources for the following systems immediately after the accident signal has been generated (i.e., while the degraded voltage relay is timing out): radiation monitors Train A RU-29 or Train B RU-30 (TS 3.3.9), Train B RU-145; ECCS (TS 3.5.3); containment spray (TS 3.6.6); containment isolation valves (TS 3.6.3); auxiliary feedwater system (TS 3.7.5); essential cooling water system (TS 3.7.7); essential spray pond system (TS 3.7.8); essential chilled water system (TS 3.7.10); control room essential filtration system (TS 3.7.11); ESF pump room air exhaust cleanup system (TS 3.7.13); and fuel building ventilation.

Required Action G.2 is modified by a Note. The reason for the Note is to ensure that the offsite circuit is not inoperable for a time greater than the Completion Time allowed by LCO 3.8.1 Condition A or C. Therefore, if Conditions A or C are entered, the Completion Time clock for Conditions A and C would start at the time Condition G was entered.

H.1 and H.2

If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

I.1

Condition I corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE REQUIREMENTS

The AC sources are designed to permit inspection and testing of all important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, Appendix A, GDC 18 (Ref. 8). Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating OPERABILITY of the DGs are based on the recommendations of Regulatory Guide 1.9 (Ref. 3), unless otherwise noted in the Updated FSAR Section 1.8.

The DG capabilities (starting and loading) are required to be met from a variety of initial conditions such as DG in standby condition with the engine hot (SR 3.8.1.15) and DG in standby condition with the engine at normal keep-warm conditions (SR 3.8.1.2, SR 3.8.1.7 and SR 3.8.1.19). Although it is expected that most DG starts will be performed from normal keep-warm conditions, DG starts should be performed with the jacket water cooling and lube oil temperatures within the lower to upper limits of DG OPERABILITY, except as noted above. Rapid cooling of the DG down to normal keep-warm conditions should be minimized.
The required steady state frequency range for the DG is 60 +0.7/-0.3 Hz to be consistent with the safety analysis to provide adequate safety injection flow. In accordance with the guidance provided in Regulatory Guide 1.9 (Ref. 3), where steady state conditions do not exist (i.e., transients), the frequency range should be restored to within +/- 2% of the 60 Hz nominal frequency (58.8 Hz to 61.2 Hz) and the voltage range should be restored to within +/- 10% of the 4160 volts nominal voltage (3740 volts to 4580 volts). The timed start is satisfied when the DG achieves at least 3740 volts and 58.8 Hz within 10 seconds. At these values, the DG output breaker permissives are satisfied. Then, with concurrent or subsequent detection of a loss of voltage on the ESF bus, the DG breaker would close, reenergizing the bus.

Steady state and transient voltage and frequency limits have not been adjusted for instrument accuracy. Error values for specific instruments are established by plant staff to derive the indicated values for the steady state and transient voltage and frequency limits.

Specific MODE restraints have been footnoted where applicable to each 18 month SR. The reason for "This Surveillance shall not be performed in MODE 1 or 2" is that during operation with the reactor critical, performance of this SR could cause perturbations to the EDS that could challenge continued steady state operation and, as a result, unit safety systems; or that performing the SR would remove a required DG from service.
The reason for "This Surveillance shall not be performed in MODE 1, 2, 3, or 4" is that performing this SR would remove a required offsite circuit from service, perturb the EDS, and challenge safety systems. SR 3.8.1.1 This SR assures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and indicated availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source, and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.2 and SR 3.8.1.7 These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe shutdown condition. To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs are modified by a Note to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup period prior to loading. For the purposes of SR 3.8.1.2 and SR 3.8.1.7 testing, the DGs are started from standby condition. Standby conditions for a DG mean that the engine lube oil and coolant temperatures are maintained consistent with manufacturer recommendations. Additionally, during standby conditions the diesel engine lube oil is circulated continuously and the engine coolant is circulated on and off via thermostatic control.
In order to reduce stress and wear on diesel engines, the DG manufacturer recommends a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. This is the intent of Note 3, which is only applicable when such modified start procedures are recommended by the manufacturer. SR 3.8.1.2 Note 4 and SR 3.8.1.7 Note 2 state that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are analyzed values for the steady-state diesel generator frequency limits are 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are (Ref. 12), and respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits. SR 3.8.1.7 requires that the DG starts from standby conditions with the engine at normal keep-warm conditions and achieves required voltage and frequency within 10 seconds, and subsequently achieves steady state required voltage and frequency ranges. The 10 second start requirement supports the assumptions of the design basis LOCA analysis in the FSAR, Chapter 15 (Ref. 5).
A minimum voltage and frequency is specified rather than an upper and a lower limit because a diesel engine acceleration at full fuel (such as during a fast start) is likely to "overshoot" the upper limit initially and then go through several oscillations prior to a voltage and frequency within the stated upper and lower bounds. The time to reach "steady state" could exceed 10 seconds, and be cause to fail the SR. However, on an actual emergency start, the EDG would reach minimum voltage and frequency in 10 seconds, at which time it would be loaded. Application of the load will dampen the oscillations. Therefore, only specifying the minimum voltage and frequency (at which the EDG can accept load) demonstrates the necessary capability of the EDG to satisfy safety requirements without including a potential for failing the Surveillance. Error values for specific instruments are established to derive indicated values in test procedures. While reaching minimum voltage and frequency (at which the DG can accept load) in 10 seconds is an immediate test of OPERABILITY, the ability of the governor and voltage regulator to achieve steady state operation, and the time to do so, are important indicators of continued OPERABILITY. Therefore, the time to achieve steady state voltage and frequency will be monitored as a function of continued OPERABILITY. The 10 second start requirement is not applicable to SR 3.8.1.2 (see Note 3) when a modified start procedure as described above is used. If a modified start is not used, the 10 second start requirement of SR 3.8.1.7 applies. The existing design for a CSAS actuation signal does not provide an emergency mode start to the DG. A CSAS actuation signal cannot occur until after a SIAS actuation signal has already been generated.
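The reasoning above for specifying only a minimum voltage and frequency in the timed start, worked through as an added Python example (not part of the Bases or of any plant procedure). The limits are the ones quoted in the text; the two traces, the 2 second hold window and all function names are constructed for illustration, and steady state is checked on frequency only because the steady state voltage limits are not legible on this page.

```python
"""Evaluate a DG start trace against the timed-start criterion.

Added illustration only; the sample traces are constructed, not plant data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values quoted in the Bases text.
MIN_VOLTS = 3740.0      # lower transient voltage bound (4160 V - 10%)
MIN_HZ = 58.8           # lower transient frequency bound (60 Hz - 2%)
START_LIMIT_S = 10.0    # timed-start requirement
SS_HZ = (59.7, 60.7)    # steady state frequency band, 60 +0.7/-0.3 Hz
# Assumption: steady state voltage limits are missing from the page, so the
# steady state check below uses frequency alone.

Sample = Tuple[float, float, float]  # (seconds after start signal, volts, hertz)


@dataclass
class StartResult:
    t_min_reached: Optional[float]  # first time both minimums are met
    t_steady: Optional[float]       # time after which frequency stays in band
    timed_start_ok: bool            # minimum-only criterion (as in the text)
    both_bounds_ok: bool            # hypothetical "settled in band by 10 s" test


def first_time_minimums_met(trace: List[Sample]) -> Optional[float]:
    """Earliest sample time at which voltage AND frequency meet the minimums."""
    for t, volts, hz in trace:
        if volts >= MIN_VOLTS and hz >= MIN_HZ:
            return t
    return None


def time_to_steady_state(trace: List[Sample], hold_s: float = 2.0) -> Optional[float]:
    """Time of the first sample after the last out-of-band frequency reading.

    Returns None if the trace never settles, or if fewer than hold_s seconds
    of in-band data follow the settle point (hold_s is a constructed value).
    """
    settle_idx = 0
    for i, (_, _, hz) in enumerate(trace):
        if not (SS_HZ[0] <= hz <= SS_HZ[1]):
            settle_idx = i + 1
    if settle_idx >= len(trace):
        return None
    t_settle = trace[settle_idx][0]
    if trace[-1][0] - t_settle < hold_s:
        return None
    return t_settle


def evaluate_start(trace: List[Sample]) -> StartResult:
    t_min = first_time_minimums_met(trace)
    t_ss = time_to_steady_state(trace)
    return StartResult(
        t_min_reached=t_min,
        t_steady=t_ss,
        timed_start_ok=t_min is not None and t_min <= START_LIMIT_S,
        both_bounds_ok=t_ss is not None and t_ss <= START_LIMIT_S,
    )


# Constructed fast start: minimums met at 7 s, frequency overshoots and
# oscillates, and only stays inside the steady state band from 12 s onward.
FAST_START_TRACE: List[Sample] = [
    (0, 0, 0.0), (2, 1500, 25.0), (4, 2900, 45.0), (6, 3600, 57.0),
    (7, 3900, 59.2), (8, 4400, 61.4), (9, 4300, 60.9), (10, 4100, 59.5),
    (11, 4180, 60.8), (12, 4160, 60.3), (13, 4160, 60.1), (14, 4160, 60.0),
    (15, 4160, 60.0),
]

# Constructed slow start: minimums are not met until 11 s.
SLOW_START_TRACE: List[Sample] = [
    (0, 0, 0.0), (3, 1500, 20.0), (6, 2800, 40.0), (9, 3500, 55.0),
    (11, 3800, 59.0), (12, 4100, 59.9), (13, 4160, 60.0), (15, 4160, 60.0),
]

if __name__ == "__main__":
    for name, trace in (("fast", FAST_START_TRACE), ("slow", SLOW_START_TRACE)):
        print(name, evaluate_start(trace))
```

The fast trace passes the minimum-only criterion while a two-sided test at 10 seconds would have failed it; `t_steady` is the value that would be trended as the indicator of continued OPERABILITY.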
Since SR 3.8.1.7 requires a 10 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This is the intent of Note 1 of SR 3.8.1.2. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads of 90 to 100 percent (4950 - 5500 kW) of the continuous rating of the DG. Consistent with the guidance provided in the Regulatory Guide 1.9 (Ref. 3) load-run test description, the 4950 - 5500 kW band will demonstrate 90 to 100 percent of the continuous rating of the DG. The load band (4950 - 5500 kW) is meant as guidance to avoid routine overloading of the engine. Loads in excess of this band for special testing may be performed within the guidance of the generator capability curve. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients because of changing bus loads do not invalidate this test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.
Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance. SR 3.8.1.4 This SR verifies that there is enough usable fuel oil in the DG Day Tank to run the diesel generator at full load for a minimum of 1 hour plus 10%. The surveillance is on fuel level since there is no direct indicator of volume. Level is read in feet on the Main Control Board indicators or in equivalent units on local DG instrumentation. The source for the run-time requirement is the UFSAR Sec. 1.8 and Question 9A.9 commitment to ANSI N195-1976. That standard refers to the level at which fuel is automatically added to the tank. For the DG Day Tanks the "pump start" level is above the SR and so is additionally conservative. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The presence of water does not necessarily represent failure of this SR provided the accumulated water is removed during the performance of this Surveillance. SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.7 See SR 3.8.1.2. SR 3.8.1.8 Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the auto-connected emergency loads. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.
This restriction from normally performing the surveillance in MODE 1 or 2 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment. SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load, or equivalent load, without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip.
Train A Normal Water Chiller (less than 925 kW) and Train B AFW pump (less than 1000 kW) are the bounding loads for DG A and DG B to reject, respectively. These values were established in references 14 through 17. This Surveillance may be accomplished by: a. Tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while solely supplying the bus; or b. Tripping its associated single largest post-accident load with the DG solely supplying the bus. As required by IEEE-308 (Ref. 11), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower. The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals. The 3 seconds specified is equal to 60% of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are the voltage and frequency values the system must meet, within three seconds, following load rejection. Error values for specific instruments are established to derive indicated values in test procedures. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note.
The reason for the Note is that performing this SR would remove a required offsite circuit from service, perturb the EDS, and challenge safety systems. This SR is performed in emergency mode (not paralleled to the grid) ensuring that the DG is tested under load conditions that are as close to design basis conditions as possible. This restriction from normally performing the surveillance in MODE 1, 2, 3, or 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines that plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment. The following compensatory measures shall be implemented prior to the performance of this SR in MODE 1 or 2: a. Weather conditions will be assessed, and the SR will not be scheduled when severe weather conditions and/or unstable grid conditions are predicted or present. b.
No discretionary maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit performing this SR. c. All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Discretionary maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance. SR 3.8.1.10 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG will not trip upon loss of the load. These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.

In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is performed using design basis kW loading and maximum kVAR loading permitted during testing. These loads represent the inductive loading that the DG would experience to the extent practicable and is consistent with the guidance of Regulatory Guide 1.9 (Ref. 3). Consistent with the guidance provided in the Regulatory Guide 1.9 full-load rejection test description, the 4950 - 5500 kW band will demonstrate the DG's capability to reject a load equal to 90 to 100 percent of its continuous rating. Error values for specific instruments are established to derive indicated values in test procedures. Administrative limits have been placed upon the Class 1E 4160 V buses due to high voltage concerns. As a result, power factors deviating much from unity are currently not possible when the DG runs parallel to the grid while the plant is shutdown. To the extent practicable, VARs will be provided by the DG during this SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. This Note ensures that the DG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a lagging power factor of 0.89. This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions.
This power factor should be able to be achieved when performing this SR at power and synchronized with offsite power by transferring house loads from the auxiliary transformer to the startup transformer in order to lower the Class 1E bus voltage. Under certain conditions, however, Note 2 allows the surveillance to be conducted at a power factor other than 0.89. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.89 results in voltages on the emergency busses that are too high. This would occur when performing this SR while shutdown and the loads on the startup transformer are too light to lower the voltage sufficiently to achieve a 0.89 power factor. Under these conditions, the power factor should be maintained as close as practicable to 0.89 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the DG excitation levels needed to obtain a power factor of 0.89 may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the DG. In such cases, the power factor shall be maintained as close as practicable to 0.89 without exceeding DG excitation limits. The following compensatory measures shall be implemented prior to the performance of this SR in MODE 1 or 2: a. Weather conditions will be assessed, and the SR will not be scheduled when severe weather conditions and/or unstable grid conditions are predicted or present. b.
No discretionary maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit performing this SR. c. All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Discretionary maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance. SR 3.8.1.11 As required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.4, this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time. The DG auto-start time of 10 seconds is derived from requirements of the accident analysis. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved. The requirement to verify the connection and power supply of permanent and auto-connected emergency loads is intended to satisfactorily show the relationship of these loads to the DG loading logic.
In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or shutdown cooling (SDC) systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified to the extent possible ensuring power is available to the component. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by four Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced.
This assessment shall, as a minimum, consider the potential outcomes and transients associated with the failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment. Note 3 states that momentary voltage and frequency transients induced by load changes do not invalidate this test. Note 4 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are and the steady-state diesel generator frequency limits are 59.7 and 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 60.5 hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits. SR 3.8.1.12 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis accident (LOCA) signal, and subsequently achieves steady state required voltage and frequency ranges, and operates for time to demonstrate stability. Error values for specific instruments for non-steady state (transients) are established to derive indicated values in test procedures. 
The existing design for CSAS actuation signal does not provide an emergency mode start to the DG. A CSAS actuation signal cannot occur until after a SIAS actuation signal has already been generated. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and auto-connected emergency loads (auto-connected through the automatic load sequencer) are energized from the offsite electrical power system on an ESF signal without loss of offsite power. The requirement to verify the connection of permanent and auto-connected emergency loads is intended to satisfactorily show the relationship of these loads to the offsite circuit loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or SDC systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the offsite circuit system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified to the extent possible ensuring power is available to the component. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing this SR would remove a required offsite circuit from service, perturb the EDS, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are -state diesel generator frequency limits are hertz.
The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error are hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits. SR 3.8.1.13 This Surveillance demonstrates that DG and its associated 4.16 kV output breaker noncritical protective functions (e.g., high jacket water temperature) are bypassed on a loss of voltage signal concurrent with an ESF actuation test signal, and critical protective functions (engine overspeed, generator differential current, engine low lube oil pressure, and manual emergency stop trip), trip the DG to avert substantial damage to the DG unit. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.14 Regulatory Guide 1.9 (Ref.
3), paragraph 2.2.9, requires demonstration that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours, 2 hours of which is at a load equivalent to 105 to 110% of the continuous rating of the DG (5775 - 6050 kW) and 22 hours at a load equivalent to 90 to 100% of the continuous duty rating of the DG (4950 - 5500 kW). The DG starts for this Surveillance can be performed either from normal keep-warm or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR (Note 3 and Note 4).

In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing is performed using design basis kW loading and maximum kVAR loading permitted during testing. These loads represent the inductive loading that the DG would experience to the extent practicable and is consistent with the intent of Regulatory Guide 1.9 (Ref. 3).

Administrative limits have been placed upon the Class 1E 4160 V buses due to high voltage concerns. As a result, power factors deviating much from unity are currently not possible when the DG runs parallel to the grid while the plant is shutdown. To the extent practicable, VARs will be provided by the DG during this SR.

The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.
The following compensatory measures shall be implemented prior to the performance of this SR in MODE 1 or 2 with the DG connected to an offsite circuit:

a. Weather conditions will be assessed, and the SR will not be scheduled when severe weather conditions and/or unstable grid conditions are predicted or present.
b. No discretionary maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit performing this SR.
c. All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Discretionary maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This Surveillance is modified by four Notes. Note 1 states that momentary variations due to changing bus loads do not invalidate the test. Note 2 ensures that the DG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a lagging power factor of 0.89. This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions.
This power factor should be able to be achieved when performing this SR at power and synchronized with offsite power by transferring house loads from the auxiliary transformer to the startup transformer in order to lower the Class 1E bus voltage. Under certain conditions, however, Note 2 allows the surveillance to be conducted at a power factor other than 0.89. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.89 results in voltages on the emergency busses that are too high. This would occur when performing this SR while shutdown, and the loads on the startup transformer are too light to lower the voltage sufficiently to achieve a 0.89 power factor. Under these conditions, the power factor should be maintained as close as practicable to 0.89 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the DG excitation levels needed to obtain a power factor of 0.89 may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the DG. In such cases, the power factor shall be maintained as close as practicable to 0.89 without exceeding DG excitation limits. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR (Note 3 and Note 4). 
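The SR 3.8.1.14 acceptance logic described above can be checked mechanically against a recorded run. The following is an added example, not part of the Bases or of any plant procedure: it credits time in the two load bands quoted in the text, treats short departures as momentary per Note 1, and reports the time-weighted power factor for comparison with the 0.89 target of Note 2. The log format, the 60 second "momentary" threshold, the handling of loading and unloading ramps, and all sample values are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Load bands and durations quoted in the SR 3.8.1.14 Bases text (kW, hours).
BANDS_KW = {
    "overload": (5775.0, 6050.0),    # 105 to 110% of the continuous rating
    "continuous": (4950.0, 5500.0),  # 90 to 100% of the continuous rating
}
REQUIRED_H = {"overload": 2.0, "continuous": 22.0}
TARGET_PF = 0.89  # lagging power factor named in Note 2

# ASSUMPTION: the Bases do not quantify "momentary" (Note 1); 60 s is a
# placeholder that a real test procedure would have to define.
MOMENTARY_LIMIT_S = 60.0


@dataclass
class RunResult:
    hours: dict        # credited hours per band
    mean_pf: float     # time-weighted power factor while in a band
    excursions: list   # (start_s, duration_s) of non-momentary departures

    @property
    def passed(self):
        enough = all(self.hours[b] >= REQUIRED_H[b] for b in REQUIRED_H)
        return enough and not self.excursions


def band_of(kw):
    """Return the name of the load band containing kw, or None."""
    for name, (lo, hi) in BANDS_KW.items():
        if lo <= kw <= hi:
            return name
    return None


def evaluate_run(samples, momentary_limit_s=MOMENTARY_LIMIT_S):
    """Credit time in each band from (t_seconds, kW, kVAR) samples.

    Each sample holds until the next one; the last sample only marks the end.
    """
    secs = {name: 0.0 for name in BANDS_KW}
    excursions = []
    pf_time = in_band_time = 0.0
    last_band, gap_start, gap_len = None, None, 0.0
    for (t0, kw, kvar), (t1, _, _) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("sample times must be strictly increasing")
        band = band_of(kw)
        if band is None:
            # Time before the first in-band sample is the gradual loading
            # ramp and is neither credited nor flagged.
            if last_band is not None:
                if gap_start is None:
                    gap_start = t0
                gap_len += dt
            continue
        if gap_start is not None:
            if gap_len <= momentary_limit_s:
                secs[last_band] += gap_len   # momentary: test not invalidated
            else:
                excursions.append((gap_start, gap_len))
            gap_start, gap_len = None, 0.0
        secs[band] += dt
        pf_time += dt * kw / math.hypot(kw, kvar)
        in_band_time += dt
        last_band = band
    # An out-of-band tail with no return to a band is unloading; ignored.
    hours = {name: s / 3600.0 for name, s in secs.items()}
    mean_pf = pf_time / in_band_time if in_band_time else float("nan")
    return RunResult(hours, mean_pf, excursions)


def constructed_log(dip_s=0):
    """Constructed sample data (not plant data): ramp, 2 h overload, 22 h run.

    dip_s inserts a drop to 4500 kW of that many seconds into the 22 h segment.
    """
    pts = [(0, 1000.0), (600, 5900.0), (3000, 5600.0), (3030, 5900.0),
           (7800, 5650.0), (7845, 5400.0)]
    if dip_s:
        pts += [(40000, 4500.0), (40000 + dip_s, 5400.0)]
    end = 7845 + 22 * 3600
    pts += [(end, 2000.0), (end + 300, 0.0)]
    tan_phi = math.tan(math.acos(TARGET_PF))   # kVAR per kW at 0.89 lagging
    return [(t, kw, kw * tan_phi) for t, kw in pts]


if __name__ == "__main__":
    for dip in (0, 30, 600):
        r = evaluate_run(constructed_log(dip))
        print(dip, r.passed, r.hours, round(r.mean_pf, 3), r.excursions)
```

A 30 second dip is absorbed as momentary, while a 600 second dip is reported as an excursion and the run no longer meets the 22 hour band.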
SR 3.8.1.15

This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 10 seconds, and subsequently achieves steady state required voltage and frequency ranges. Error values for specific instruments for non-steady state (transients) are established to derive indicated values in test procedures. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Per the guidance in Regulatory Guide 1.9, this SR would demonstrate the hot restart functional capability at full-load temperature conditions, after the DG has operated for 2 hours (or until operating temperatures have stabilized) at full load. Momentary transients due to changing bus loads do not invalidate the test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy.
The analyzed values for the steady-state diesel generator voltage limits are analyzed values for the steady-state diesel generator frequency limits are steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 4300 volts (Ref. 12), and respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

SR 3.8.1.16

As required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.11, this Surveillance ensures that the manual synchronization and load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, in standby operation (running unloaded), the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequence timers are reset.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.17

Demonstration of the test mode override ensures that the DG availability under accident conditions will not be compromised as the result of testing and the DG will automatically reset to ready-to-load operation if a LOCA actuation signal (e.g., simulated SIAS) is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage, in standby operation (running unloaded) with the DG output breaker open. These provisions for automatic switchover are required by IEEE-308 (Ref. 11), paragraph 6.2.6(2) and Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.13.
The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirement associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. 
This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.18

Under accident and loss of offsite power conditions loads are sequentially connected to the bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 1 second load sequence time tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. FSAR, Chapter 8 (Ref. 2) provides a summary of the automatic loading of ESF buses.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.19

In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates the DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with an ESF actuation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable.
This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes.
These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are the steady-state diesel generator frequency limits are 59.7 and 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are

Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

SR 3.8.1.20

This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously. Error values for specific instruments for non-steady state (transients) are established to derive indicated values in test procedures.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear on the DG during testing. Note 2 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are 4377.2 volts and the analyzed values for the steady-state diesel generator frequency limits are hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 4080 and hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 17
2. Updated FSAR, Chapter 8
3. Regulatory Guide 1.9, Revision 3, "Selection, Design, Qualification and Testing of Emergency Diesel Generator Units Used as Class 1E Onsite Electric Power Systems at Nuclear Power Plants," July 1993.
4. Updated FSAR, Chapter 6
5. Updated FSAR, Chapter 15
6. Regulatory Guide 1.93, "Availability of Electric Power Sources," Revision 0, December 1974.
7. GL 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July 2, 1984.
8. 10 CFR 50, Appendix A, GDC 18
9. Regulatory Guide 1.137, "Fuel Oil Systems for Standby Diesel Generators," Revision 1, October 1979.
10. ANSI C84.1-1982
11. IEEE Standard 308-1974, "IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations."
12. Calculation 13-EC-PE-123, "Diesel Generator voltage meter loop E-PEN-EI-G01/G02 uncertainty calculation."
13. Calculation 13-EC-PE-124, "Diesel Generator frequency meter loop E-PEN-SI-G01/G02 uncertainty calculation."
14. Calculation 13-MC-DG-401 "Emergency Diesel Generator 'As Built' Brake Horsepower Loads"
15. Calculation 01-EC-MA-221, "AC Distribution"
16. Calculation 02-EC-MA-221, "AC Distribution"
17. Calculation 03-EC-MA-221, "AC Distribution"

AC Sources - Shutdown B 3.8.2
PALO VERDE UNITS 1,2,3 B 3.8.2-1 REVISION 0

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.2 AC Sources - Shutdown

BASES

BACKGROUND

A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources - Operating."

APPLICABLE SAFETY ANALYSES

The OPERABILITY of the minimum AC sources during MODES 5 and 6, and during movement of irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and minimal in consequences.
These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is also required. In MODES 5 and 6, the activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions.
These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite diesel generator (DG) power.

The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO

One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems - Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with a distribution system train required to be OPERABLE by LCO 3.8.10, ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and DG ensures the availability of sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

The offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es).
Offsite circuits are those that are described in the updated FSAR and are part of the licensing basis for the unit. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of the offsite circuit.

The DG must be capable of starting, accelerating to rated speed and voltage, connecting to its respective ESF bus on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. The DG must be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby condition with the engine hot and DG in standby condition at normal keep-warm conditions.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

In addition, proper sequencer operation is an integral part of offsite circuit OPERABILITY since its inoperability impacts on the ability to start and maintain energized loads required OPERABLE by LCO 3.8.10.

It is acceptable for trains to be cross tied during shutdown conditions, allowing a single offsite power circuit to supply all required trains.

APPLICABILITY

The AC sources required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are
available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

The AC power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.1.

ACTIONS

The ACTIONS are modified by a Note that identifies required Actions A.2.3 and B.3 are not applicable to the movement of irradiated fuel assemblies in Modes 1 through 4.

A.1

An offsite circuit would be considered inoperable if it were not available to one required ESF train. Although two trains may be required by LCO 3.8.10, the remaining train with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By the allowance of the option to declare required features inoperable, with no offsite power available, appropriate restrictions will be implemented in accordance with the affected required features LCO's ACTIONS.

A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4

With the offsite circuit not available to all required trains, the option would still exist to declare all required features inoperable.
Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required DG inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions. The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory provided the required SDM is maintained.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. If moving irradiated fuel assemblies while in MODES 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Therefore, inability to immediately suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention.
The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

Pursuant to LCO 3.0.6, the Distribution System's ACTIONS are not entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A is entered with no AC power to any required ESF bus, the ACTIONS for LCO 3.8.10 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit, whether or not a train is de-energized. LCO 3.8.10 provides the appropriate restrictions for the situation involving a de-energized train.

SURVEILLANCE REQUIREMENTS

SR 3.8.2.1

SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, 3, and 4. The SRs that are applicable and required to be performed are SR 3.8.1.1, SR 3.8.1.2, SR 3.8.1.4, SR 3.8.1.5, and SR 3.8.1.7. The SRs listed in the Note are not required to be performed as a condition of OPERABILITY because their performance would unnecessarily challenge the only remaining OPERABLE DG or offsite circuit.
In addition, SR 3.8.1.6 is not required to be performed since the fuel oil transfer pump would not cycle without the one-hour load demand SR or the 24-hour run SR, neither of which is required to be performed.

The reasons for the exception to SR 3.8.2.1 applicability are as follows: SR 3.8.1.8 is not applicable since only one offsite circuit is required to be OPERABLE and an alternate offsite circuit may not be available; SR 3.8.1.12, SR 3.8.1.17, and SR 3.8.1.19 are not applicable because the ESF functions (i.e., AFAS and SIAS) are not required to be OPERABLE during shutdown; SR 3.8.1.17 is not applicable because the required OPERABLE DG(s) is not required to undergo periods of being load tested (parallel to the offsite circuit). SR 3.8.1.20 is not applicable because starting independence is not required with DG(s) that are not required to be OPERABLE.

This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during performance of SRs, and to preclude deenergizing a required 4160 V ESF bus or disconnecting a required offsite circuit during performance of SRs. With limited AC Sources available, a single event could compromise both the required circuit and the DG. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit are required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.

REFERENCES

None.
B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air

BASES

BACKGROUND

Each diesel generator (DG) is provided with a storage tank having a fuel oil capacity sufficient to operate that diesel for a period of 7 days, while the DG is supplying maximum post loss of coolant accident load demand as discussed in the FSAR, Section 9.5.4.2.1 (Ref. 1). The maximum load demand is calculated using the assumption that at least two DGs are available. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources.

Fuel oil is transferred from storage tank to day tank by a transfer pump associated with each storage tank. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank, from resulting in the loss of more than one DG. All outside tanks, pumps, and piping are located underground.

For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195-1976 (Ref. 3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.

The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. Each engine oil sump contains an inventory capable of supporting a minimum of 7 days of operation.
This supply is sufficient to allow the operator to replenish lube oil from outside sources.

Each DG has independent and redundant starting air subsystems. Each DG starting subsystem provides a stored compressed air supply sufficient for accomplishing a DG start in 10 seconds. Each air receiver has been sized to accomplish 5 consecutive DG starts from the receiver design working pressure without being refilled.

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the FSAR, Chapter 6 (Ref. 4), and in the FSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for LCO Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

Since diesel fuel oil, lube oil, and the air start subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality. Additionally, sufficient lubricating oil supply must be available to ensure the capability to operate at full load for 7 days.
This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown."

The starting air system is required to have a minimum capacity for five consecutive DG start attempts without recharging the air start receivers.

APPLICABILITY

The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Since stored diesel fuel oil, lube oil, and starting air subsystems support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil and starting air are required to be within limits when the associated DG is required to be OPERABLE.

ACTIONS

The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem.
Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystems are governed by separate Condition entry and application of associated Required Actions.

A.1

In this Condition (i.e., < 80% indicated fuel level), the 7 day fuel oil supply for a DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply. These circumstances may be caused by events such as full load operation required after an inadvertent start while at minimum required level; or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity ( 6 days or 71% indicated fuel level), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

B.1

With lube oil inventory < 2.5 inches visible in the sightglass, sufficient lubricating oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time to obtain the requisite replacement volume.
A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

The normal level of lube oil is maintained at mid-scale visible on the sightglass which ensures sufficient lube oil to support at least 13.5 days of engine operation during periods when the DG is supplying maximum post-LOCA load demand as discussed in the FSAR (Ref. 1). This is based on a conservative lube oil consumption rate of 1.5 gallons per hour and 486 gallons of available lube oil between the top of the lube oil suction pipe in the engine crankcase (minimum available level) and the mid-scale position on the sightglass. 252 gallons or 7 days of available lube oil is actually indicated at 1 inch visible in the sightglass. With 2.5 inches visible in the sightglass, a conservative supply of lube oil is ensured for 7 days of full load operation.

C.1

This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable.
The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.

D.1

With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function.

E.1

Each DG is OPERABLE with one air receiver capable of delivering an operating pressure of 230 psig indicated. Although there are two independent and redundant starting air receivers per DG, only one starting air receiver is required for DG OPERABILITY. Each receiver is sized to accomplish 5 DG starts from its normal operating pressure of 250 psig, and each will start the DG in 10 seconds with a minimum pressure of 185 psig indicated. If the required starting air receiver is < 230 psig and 185 psig indicated, the starting air system is degraded and a period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable.
This 48-hour period is acceptable based on the minimum starting air capacity ( 185 psig indicated), the fact that the DG start must be accomplished on the first attempt (there are no sequential starts in emergency mode), and the low probability of an event during this brief period. Calculation 13-JC-DG-203 (Ref. 8) supports the proposed values for receiver pressures.

F.1

With a Required Action and associated Completion Time not met, or one or more DGs with diesel fuel oil, lube oil, or starting air subsystem inoperable for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.

A Note modifies Condition F. Periodic starting of the Emergency Diesel Generator(s) requires isolation on one of the two normally aligned air start receivers. During the subsequent Diesel Generator start, the air pressure in the one remaining air receiver may momentarily drop below the minimum required pressure of 185 psig indicated. This would normally require declaring the now running Diesel Generator inoperable, due to low pressure in the air start system. This is not required, as the Diesel Generator would now be running following the successful start. Should the start not be successful, the DG would be declared inoperable per the requirements of LCO 3.8.1. As such, this Condition is modified by a Note stating that should the required starting air receiver pressure momentarily drop to < 185 psig indicated while starting the Diesel Generator on one air receiver only, then entry into Condition F is not required.
It is expected that this condition would be of fairly short duration (approximately 8 minutes), as the air start compressors should quickly restore the air receiver pressure after the diesel start.

SURVEILLANCE REQUIREMENTS

SR 3.8.3.1

This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support each DG's operation for 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.2

This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The 2.5 inches visible in the sightglass requirement is based on the DG manufacturer consumption values for the run time of the DG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, when the DG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer recommended minimum level.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.3

The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion.
If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:

a. Sample the fuel oil in accordance with ASTM-D4057 (Ref. 6);

b. Verify in accordance with the tests specified in ASTM D975 (Ref. 6) that the sample has an absolute specific gravity at 60/60°F of 0.83 and 0.89, or an API gravity at 60°F of 27° and 39°, a kinematic viscosity at 40°C of 1.9 centistokes and 4.1 centistokes, and a flash point 125°F; and

c. Verify in accordance with the tests specified in ASTM D1796 (Ref. 6) that the sample water and sediment is 0.05 percent volume.

Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.

Within 31 days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975 (Ref. 7) are met for new fuel oil when tested in accordance with ASTM D975 (Ref. 6), except that the analysis for cetane number may be performed in accordance with ASTM D976 (Ref. 6) or ASTM D4737 (Ref. 6). The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation.
This surveillance ensures the availability of high quality fuel oil for the DGs.

Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not mean the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.

Particulate concentrations should be determined in accordance with ASTM D2276, Method A (Ref. 6). This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. Each tank must be considered and tested separately.

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.

SR 3.8.3.4

This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of five engine start cycles without recharging. A start cycle is defined by the DG vendor, but usually is measured in terms of time (seconds or cranking) or engine cranking speed. The pressure specified in this SR is intended to reflect the lowest value at which the DG can be considered OPERABLE.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.5

Microbiological fouling is a major cause of fuel oil degradation.
There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil storage tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The presence of water does not necessarily represent failure of this SR provided the accumulated water is removed during the performance of this Surveillance.

REFERENCES

1. FSAR, Section 9.5.4.2.
2. Regulatory Guide 1.137.
3. ANSI N195-1976, Appendix B.
4. FSAR, Chapter 6.
5. FSAR, Chapter 15.
6. ASTM Standards: D4057-81; D975-07b; D976-91; D4737-90; D1796-83; D2276-89, Method A.
7. ASTM Standards, D975, Table 1.
8. "Emergency Diesel Generator and Diesel Fuel Oil Systems Instrumentation Uncertainty Calculation", 13-JC-DG-203, Parts 23 and 51.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.4 DC Sources - Operating

BASES

BACKGROUND

The station DC electrical power system provides the AC emergency power system with control power.
It also provides both motive and control power to selected safety related equipment and preferred AC vital instrument bus power (via inverters). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3). The 125 VDC electrical power system consists of two independent and redundant safety related Class 1E DC electrical power subsystems (Train A and Train B). Each subsystem consists of two 125 VDC batteries, the associated battery charger(s) for each battery, and all the associated control equipment and interconnecting cabling. Each subsystem contains two DC power channels. There are four channels designated as A and C for Train A, and B and D for Train B for each unit (See 3.8.4 LCO Bases section for detailed description). Additionally there is one backup battery charger per subsystem, which provides backup service in the event that the normal battery charger is out of service. If the backup battery charger is substituted for one of the normal battery chargers, then the requirements of independence and redundancy between subsystems are maintained. During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries. The Train A and Train B DC electrical power subsystems provide the control power for its associated Class 1E AC power load group, 4.16 kV switchgear, and 480 V load centers. The DC electrical power subsystems also provide DC electrical power to the inverters, which in turn power the AC vital instrument buses. 
The DC power distribution system is described in more detail in the Bases for LCO 3.8.9, "Distribution Systems - Operating," and for LCO 3.8.10, "Distribution Systems - Shutdown."

Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystem to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class 1E subsystems, such as batteries, battery chargers, or distribution panels.

Each battery has adequate storage capacity to meet the duty cycle(s) discussed in the UFSAR, Chapter 8 (Ref. 4). The battery is designed with additional capacity above that required by the design duty cycle to allow for temperature variations and other factors. In addition, each DC electrical power subsystem contains a backup battery charger which is manually transferable to either channel of a subsystem. The transfer mechanism is mechanically interlocked to prevent both DC channels of a subsystem from being simultaneously connected to the backup battery charger.

The batteries for Train A and Train B DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating. The minimum design voltage limit is determined for each train per Reference 13.

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215 +/- 0.010. This specific gravity corresponds to an open circuit battery voltage of approximately 123 V for a 60 cell battery (i.e., cell voltage of 2.07 volts per cell (Vpc) at the upper range of the specific gravity) (Refs.
14 and 15). The open circuit voltage is the voltage maintained where there is no charging or discharging. Optimal long term performance is obtained by maintaining a float voltage of 2.17 to 2.25 Vpc. This provides adequate over-potential, which limits the formation of lead sulfate and self discharge. The nominal float voltage of 2.25 Vpc corresponds to a total float voltage output of 135 V for a 60 cell battery as discussed in the UFSAR, Chapter 8 (Ref. 4).

Each Train A and Train B DC electrical power subsystem battery charger has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient excess capacity to restore the battery from the design minimum charge to its fully charged state within 12 hours while supplying normal steady state loads discussed in the UFSAR, Chapter 8 (Ref. 4).

The battery charger is normally in the float-charge mode. Float-charge is the condition in which the charger is supplying the connected loads and the battery cells are receiving adequate current to optimally charge the battery. This assures the internal losses of a battery are overcome and the battery is maintained in a fully charged state.

When desired, the charger can be placed in the equalize mode. The equalize mode is at a higher voltage than the float mode and charging current is correspondingly higher. The battery charger is operated in the equalize mode after a battery discharge or for routine maintenance.
Following a battery discharge, the battery recharge characteristic accepts current at the current limit of the battery charger (if the discharge was significant, e.g., following a battery service test) until the battery terminal voltage approaches the charger voltage setpoint. Charging current then reduces exponentially during the remainder of the recharge cycle. Lead-calcium batteries have recharge efficiencies of greater than 95%, so once at least 105% of the ampere-hours discharged have been returned, the battery capacity would be restored to the same condition as it was prior to the discharge. This can be monitored by direct observation of the exponentially decaying charging current or by evaluating the amp-hours discharged from the battery and amp-hours returned to the battery.

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 6) and Chapter 15 (Ref. 7), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the DC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power; and

b. A worst case single failure.

The DC sources satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
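The amp-hour accounting described in the BACKGROUND above (capacity restored once at least 105% of the ampere-hours discharged have been returned) can be carried out on a sampled current log as follows. This is an added example, not part of the Bases or of any plant procedure; the sign convention, the 0.1 hour sample interval and the constructed log (100 A discharge, 80 A current limit, 1 hour decay constant) are assumptions made for illustration.

```python
"""Amp-hour accounting for a battery discharge and recharge.

Added illustration, not part of the Bases or of any plant procedure.
Assumed sign convention: negative amps = discharge, positive = charge.
"""
import math

RETURN_FACTOR = 1.05  # Bases text: at least 105% of the discharged Ah returned


def _segment_ah(t0, i0, t1, i1):
    """Trapezoidal Ah for one interval, split at a zero crossing if present.

    Returns (discharged_ah, returned_ah), both non-negative.
    """
    if t1 <= t0:
        raise ValueError("timestamps must be strictly increasing")
    dt = t1 - t0
    if i0 * i1 < 0:
        # Current changes sign inside the interval: locate the linear zero
        # crossing so discharge and charge areas are not netted together.
        frac = i0 / (i0 - i1)
        areas = (0.5 * i0 * frac * dt, 0.5 * i1 * (1.0 - frac) * dt)
    else:
        areas = (0.5 * (i0 + i1) * dt,)
    discharged = sum(-a for a in areas if a < 0)
    returned = sum(a for a in areas if a > 0)
    return discharged, returned


def running_totals(samples):
    """Yield (time_h, discharged_ah, returned_ah) after each sample past the first."""
    discharged = returned = 0.0
    for (t0, i0), (t1, i1) in zip(samples, samples[1:]):
        d, r = _segment_ah(t0, i0, t1, i1)
        discharged += d
        returned += r
        yield t1, discharged, returned


def amp_hours(samples):
    """Total (discharged_ah, returned_ah) over the whole log."""
    totals = (0.0, 0.0)
    for _, d, r in running_totals(samples):
        totals = (d, r)
    return totals


def time_recharged(samples, factor=RETURN_FACTOR):
    """First sample time at which returned Ah >= factor * discharged Ah, else None."""
    for t, d, r in running_totals(samples):
        if d > 0 and r >= factor * d:
            return t
    return None


def build_sample_log():
    """Constructed log with 0.1 h samples; every value is made up for the example."""
    log = []
    for k in range(0, 101):
        t = k / 10
        if k <= 20:
            amps = -100.0                              # 2 h discharge
        elif k <= 40:
            amps = 80.0                                # charger at its current limit
        else:
            amps = 80.0 * math.exp(-(t - 4.0) / 1.0)   # exponential taper
        log.append((t, amps))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    d, r = amp_hours(log)
    print(f"discharged {d:.1f} Ah, returned {r:.1f} Ah, ratio {r / d:.3f}")
    print("105% return first met at t =", time_recharged(log), "h")
```

Splitting each interval at the zero crossing matters at the moment the charger is restored: netting the two areas together would understate both the amp-hours discharged and the amp-hours returned.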
LCO

The DC electrical power subsystems, each subsystem consisting of two batteries, battery charger for each battery (the backup battery charger, one per train, may be used to satisfy this requirement), and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the subsystem are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 4).

Each DC electrical power subsystem (Train A or Train B) is subdivided into channels. Train A consists of Channel A and Channel C. Train B consists of Channel B and Channel D.

Channel A includes 125 VDC bus PKA-M41, 125 VDC battery bank PKA-F11, and normal battery charger PKA-H11 or backup battery charger PKA-H15.

Channel C includes 125 VDC bus PKC-M43, 125 VDC battery bank PKC-F13, and normal battery charger PKC-H13 or backup battery charger PKA-H15.

Channel B includes 125 VDC bus PKB-M42, 125 VDC battery bank PKB-F12, and normal battery charger PKB-H12 or backup battery charger PKB-H16.

Channel D includes 125 VDC bus PKD-M44, 125 VDC battery bank PKD-F14, and normal battery charger PKD-H14 or backup battery charger PKB-H16.

An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers to be operating and connected to the associated DC bus(es).
APPLICABILITY

The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are addressed in the Bases for LCO 3.8.5, "DC Sources - Shutdown."

ACTIONS

A.1, A.2, and A.3

Condition A represents one subsystem with one battery charger inoperable (e.g., the voltage limit of SR 3.8.4.1 is not maintained). The ACTIONS provide a tiered response that focuses on returning the battery to the fully charged state and restoring a fully qualified charger to OPERABLE status in a reasonable time period. Required Action A.1 requires that the battery terminal voltage be restored to greater than or equal to the minimum established float voltage (2.17 volts per cell (Vpc) times the number of connected cells or 130.2 V for a 60 cell battery at the battery terminals) within 2 hours. This time provides for returning the inoperable charger to OPERABLE status or providing an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage.
Restoring the battery terminal voltage to greater than or equal to the minimum established float voltage provides good assurance that, within 12 hours, the battery will be restored to its fully charged condition (Required Action A.2) from any discharge that might have occurred due to the charger inoperability.

A discharged battery having terminal voltage of at least the minimum established float voltage indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus there is a good assurance of fully recharging the battery within 12 hours, avoiding a premature shutdown with its own attendant risk.

If established battery terminal float voltage cannot be restored to greater than or equal to the minimum established float voltage within 2 hours, and the charger is not operating in the current-limiting mode, a faulty charger is indicated. A faulty charger that is incapable of maintaining established battery terminal float voltage does not provide assurance that it can revert to and operate properly in the current limit mode that is necessary during the recovery period following a battery discharge event that the DC system is designed for.

If the charger is operating in the current limit mode after 2 hours, that is an indication that the battery is partially discharged and its capacity margins will be reduced.
The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours (Required Action A.2).

Required Action A.2 requires that the battery float current be verified as less than or equal to 2 amps. This indicates that, if the battery had been discharged as the result of the inoperable battery charger, it is now fully capable of supplying the maximum expected load requirement. The 2 amp value is based on returning the battery to 95% charge and assumes a 5% design margin for the battery. If, at the expiration of the initial 12 hour period, the battery float current is not less than or equal to 2 amps, this indicates there may be additional battery problems and the battery must be declared inoperable.

Required Action A.3 limits the restoration time for the inoperable battery charger to 72 hours. This action is applicable if an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage has been used. The backup class 1E charger is used to restore OPERABILITY as no balance of plant non-class 1E battery charger exists. The 72 hour Completion Time reflects a reasonable time to effect restoration of the qualified battery charger to OPERABLE status.

B.1

Condition B represents one subsystem with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation.
This condition is exclusive of the status of one battery charger. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected subsystem. The 2 hour limit is consistent with the allowed time for an inoperable DC distribution subsystem.

If one of the required DC electrical power subsystems is inoperable for reasons other than Condition A, the remaining DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure would, however, result in the complete loss of the remaining 125 VDC electrical power subsystem with attendant loss of ESF functions, continued power operation should not exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 8) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.

C.1 and C.2

If the inoperable DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
The Completion Time to bring the unit to MODE 5 is consistent with the time required in Regulatory Guide 1.93 (Ref. 8).

SURVEILLANCE REQUIREMENTS

SR 3.8.4.1

Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the battery chargers, which support the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state while supplying the continuous steady state loads of the associated DC subsystem. On float charge, battery cells will receive adequate current to optimally charge the battery. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the minimum float voltage established by the battery manufacturer (2.17 volts per cell (Vpc) times the number of connected cells or 130.2 V for a 60 cell battery at the battery terminals). This voltage maintains the battery plates in a condition that supports maintaining the grid life. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.2
Deleted

SR 3.8.4.3
Deleted

SR 3.8.4.4 and SR 3.8.4.5
Deleted

SR 3.8.4.6

This SR verifies the design capacity of the battery chargers. According to Regulatory Guide 1.32 (Ref.
10), the battery charger supply is recommended to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensure that these requirements can be satisfied.

This SR provides two options. One option requires that each battery charger be capable of supplying the required amps at the minimum established float voltage for 8 hours. The ampere requirements are based on the output rating of the chargers. The voltage requirements are based on the charger voltage level after a response to a loss of AC power. The time period is sufficient for the charger temperature to have stabilized and to have been maintained for at least 2 hours.

The other option requires that each battery charger be capable of recharging the battery after a service test coincident with supplying the largest coincident demands of the various continuous steady state loads (irrespective of the status of the plant during which these demands occur). This level of loading may not normally be available following the battery service test and will need to be supplemented with additional loads. The duration for this test may be longer than the charger sizing criteria since the battery recharge is affected by float voltage, temperature, and the exponential decay in charging current. The battery is recharged when the measured charging current is 2 amps.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.7

A battery service test is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements as specified in Reference 4.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in SR 3.8.6.9 in lieu of a service test since the modified performance discharge test parameters envelope the service test. The reason for Note 2 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems.

SR 3.8.4.8
Deleted

REFERENCES

1. 10 CFR 50, Appendix A, GDC 17.
2. Regulatory Guide 1.6, March 10, 1971.
3. IEEE-308-1974.
4. UFSAR, Chapter 8.3.2.
5. Deleted
6. UFSAR, Chapter 6.
7. UFSAR, Chapter 15.
8. Regulatory Guide 1.93, December 1974.
9. Deleted
10. Regulatory Guide 1.32, Revision 0, August 11, 1972.
11. Deleted
12. Deleted
13. Calculations 01/02/03-EC-PK-0207.
14. SDOC EN050B-A00024, Installation, Operation and Maintenance Manual for Class 1E Batteries and Racks.
15. EPRI TR-100248, Rev 2, Stationary Battery Guide: Design, Application, and Maintenance, December 6, 2006.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.5 DC Sources - Shutdown

BASES

BACKGROUND

A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources - Operating."
APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 5 and 6, and during movement of irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shut down, the Technical Specification requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6.
Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and minimal in consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The DC sources support the equipment and instrumentation required to mitigate the Loss of Shutdown Cooling and Loss of RCS Inventory accidents analyzed in response to NRC Generic Letter 88-17 "Loss of Decay Heat Removal." The Generic Letter does not require the assumption of a single failure and concurrent loss of all offsite or all onsite power.

The DC sources satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The DC electrical power subsystem as defined in this LCO consists of two batteries, one battery charger per battery and the corresponding control equipment and interconnecting cabling within the subsystem. The DC electrical power subsystem is required to ensure the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

In Modes 5 and 6 and during movement of irradiated fuel assemblies, one DC electrical power subsystem, consisting of two batteries, one battery charger per battery and the corresponding control equipment and interconnecting cabling within the train, is required to be OPERABLE to support the requirements of LCO 3.8.10 "Distribution Systems - Shutdown". This DC electrical power subsystem also supports the one required OPERABLE Diesel Generator specified in LCO 3.8.2 "AC Sources - Shutdown" on the corresponding train.
For situations where redundant trains of supported equipment are required to be OPERABLE by LCO 3.8.10, the necessary DC buses of that additional DC distribution subsystem shall be energized by a minimum of its associated battery charger or backup battery charger. Should the minimum battery charger requirements not be maintained for that additional DC distribution subsystem required by LCO 3.8.10, then LCO 3.8.10 (Condition 'A') would be applicable and not LCO 3.8.5. This is because the requirements of LCO 3.8.5 would still be met (i.e., one OPERABLE DC electrical power subsystem maintained).

APPLICABILITY

The DC electrical power sources required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies provide assurance that:

a. Required features needed to mitigate a fuel handling accident are available;
b. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
c. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

The DC electrical power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.4.
ACTIONS

The Actions are modified by a Note that identifies that Required Action A.2.3 is not applicable to the movement of irradiated fuel assemblies in Modes 1 through 4.

A.1, A.2.1, A.2.2, A.2.3, and A.2.4

If two 125 VDC subsystems buses are required to be energized per LCO 3.8.10, of the two required subsystems, the remaining buses with DC power available may be capable of supporting sufficient systems to allow continuation of CORE ALTERATIONS and fuel movement. By allowing the option to declare required features inoperable with the associated DC power source(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCO ACTIONS.

For example, assume that the 'A' subsystem 125 VDC sources are required to be OPERABLE per LCO 3.8.5. Also assume that two SDC subsystems are required to be OPERABLE and the corresponding 125 VDC subsystem buses energized (i.e., PK system buses 'A' and 'C' for subsystem 'A' and buses 'B' and 'D' for subsystem 'B') per LCO 3.8.10. Finally, assume that an electrical fault occurs on the PK system channel 'C' bus and the bus has been declared INOPERABLE. The action of LCO 3.8.5 would allow declaring the corresponding SDC suction valve J-SIC-UV-653 INOPERABLE. However, the SDC system itself would not necessarily need to be declared INOPERABLE and this would allow CORE ALTERATIONS to continue.

However, in many instances, this option may involve undesired administrative efforts.
Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions). The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. If moving irradiated fuel assemblies while in MODES 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Therefore, inability to immediately suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystem and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystem should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

SURVEILLANCE REQUIREMENTS

SR 3.8.5.1

SR 3.8.5.1 states that Surveillances required by SR 3.8.4.1, 3.8.4.6 and 3.8.4.7 are applicable in these MODES. See the corresponding Bases for LCO 3.8.4 for a discussion of each SR. This SR is modified by a Note.
The reason for the Note is to preclude requiring the OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.6 Battery Parameters

BASES

BACKGROUND

This LCO delineates the limits on battery float current as well as electrolyte temperature, level, and float voltage, for the DC power subsystem batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown." In addition to the limitations of this Specification, the Battery Monitoring and Maintenance Program also implements a program specified in Specification 5.5.19 for monitoring various battery parameters.

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215 +/- 0.010. This specific gravity corresponds to an open circuit battery voltage of approximately 123 V for a 60 cell battery (i.e., cell voltage of 2.07 volts per cell (Vpc) at the upper range of the specific gravity) (Refs. 6 and 7). The open circuit voltage is the voltage maintained when there is no charging or discharging. Optimal long term performance is obtained by maintaining a float voltage of 2.17 to 2.25 Vpc. This provides adequate over-potential which limits the formation of lead sulfate and self discharge.
The nominal float voltage of 2.25 Vpc corresponds to a total float voltage output of 135 V for a 60 cell battery as discussed in the UFSAR, Chapter 8 (Ref. 4).

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one subsystem of DC sources OPERABLE during accident conditions, in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power; and
b. A worst case single failure.

Battery parameters satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Battery parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Battery parameter limits are conservatively established, allowing continued DC electrical system function even with limits not met. Train A batteries are composed of Channel A and Channel C batteries. Train B batteries are composed of Channel B and Channel D batteries.
APPLICABILITY

The battery parameters are required solely for the support of the associated DC electrical power subsystems. Therefore, battery parameter limits are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussion in the Bases for LCO 3.8.4 and LCO 3.8.5.

ACTIONS

A.1, A.2, and A.3

With one or more cells in one battery in one subsystem less than or equal to 2.07 V, the battery cell is degraded. Within 2 hours verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage (SR 3.8.4.1) and of the overall battery state of charge by monitoring the battery float charge current (SR 3.8.6.4). This assures that there is still sufficient battery capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of one or more cells in one or more batteries less than or equal to 2.07 V, and continued operation is permitted for a limited period up to 24 hours.

Since the Required Actions only specify "perform," a failure of SR 3.8.4.1 or SR 3.8.6.4 acceptance criteria does not result in this Required Action not met. However, if one of the SRs is failed, the appropriate Condition(s), depending on the cause of the failures, is entered. If SR 3.8.6.4 is failed, then there is no assurance that there is still sufficient battery capacity to perform the intended function and the battery must be declared inoperable immediately.
B.1 and B.2

One battery in one subsystem with float current > 2 amps indicates that a partial discharge of the battery capacity has occurred. This may be due to a temporary loss of a battery charger or possibly due to one or more battery cells in a low voltage condition reflecting some loss of capacity. Within 2 hours verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage. If the terminal voltage is found to be less than the minimum established float voltage (2.17 volts per cell (Vpc) times the number of connected cells or 130.2 V for a 60 cell battery at the battery terminals), there are two possibilities: the battery charger is inoperable or is operating in the current limit mode. Condition A addresses charger inoperability. If the charger is operating in the current limit mode after 2 hours, that is an indication that the battery has been substantially discharged and likely cannot perform its required design functions. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours (Required Action B.2). The battery must therefore be declared inoperable.

If the float voltage is found to be satisfactory but there are one or more battery cells with float voltage less than or equal to 2.07 V, the associated "OR" statement in Condition F is applicable and the battery must be declared inoperable immediately.
If float voltage is satisfactory and there are no cells less than or equal to 2.07 V, there is a good assurance that, within 12 hours, the battery will be restored to its fully charged condition (Required Action B.2) from any discharge that might have occurred due to a temporary loss of the battery charger.

A discharged battery with float voltage (the charger setpoint) across its terminals indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus there is a good assurance of fully recharging the battery within 12 hours, avoiding a premature shutdown with its own attendant risk.

If the condition is due to one or more cells in a low voltage condition but still greater than 2.07 V and float voltage is found to be satisfactory, this is not an indication of a substantially discharged battery and 12 hours is a reasonable time prior to declaring the battery inoperable.

Since Required Action B.1 only specifies "perform," a failure of SR 3.8.4.1 acceptance criteria does not result in the Required Action not met. However, if SR 3.8.4.1 is failed, the appropriate Condition(s), depending on the cause of the failure, is entered.

C.1, C.2, and C.3

With one battery in one subsystem with one or more cells electrolyte level above the top of the plates, but below the minimum established design limits, the battery still retains sufficient capacity to perform the intended function.
Therefore, the affected battery is not required to be considered inoperable solely as a result of electrolyte level not met. Within 31 days the minimum established design limits for electrolyte level must be re-established.

Condition C is modified by a Note specifying that Required Action C.2 shall be completed if electrolyte level was below the top of the plates. With electrolyte level below the top of the plates there is a potential for dryout and plate degradation. Required Actions C.1 and C.2 address this potential (as well as provisions in Specification 5.5.19, Battery Monitoring and Maintenance Program). They are modified by a Note that indicates they are only applicable if electrolyte level is below the top of the plates. Within 8 hours level is required to be restored to above the top of the plates. The Required Action C.2 requirement to verify that there is no leakage by visual inspection and the Specification 5.5.19.b item to initiate action to equalize and test in accordance with manufacturer's recommendations are taken from IEEE Standard 450 (Ref. 3). They are performed following the restoration of the electrolyte level to above the top of the plates. Based on the results of the manufacturer's recommended testing, the battery may have to be declared inoperable and the affected cells replaced.

D.1

With one battery in one subsystem with pilot cell temperature less than the minimum established design limits, 12 hours is allowed to restore the temperature to within limits. A low electrolyte temperature limits the current and power available.
Since the battery is sized with margin, while battery capacity is degraded, sufficient capacity exists to perform the intended function and the affected battery is not required to be considered inoperable solely as a result of the pilot cell temperature not met.

E.1

With one or more batteries in redundant subsystems with battery parameters not within limits there is not sufficient assurance that battery capacity has not been affected to the degree that the batteries can still perform their required function, given that redundant batteries are involved. With redundant batteries involved this potential could result in a total loss of function on multiple systems that rely upon batteries. The longer Completion Times specified for battery parameters on non-redundant batteries not within limits are therefore not appropriate, and the parameters must be restored to within limits on at least one subsystem within 2 hours.

F.1

With one battery with any battery cell parameters outside the allowances of the Required Actions for Condition A, B, C, D, or E, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding battery must be declared inoperable. Additionally, discovering one or more batteries in one subsystem with one or more battery cells float voltage less than or equal to 2.07 V and float current greater than 2 amps indicates that the battery capacity may not be sufficient to perform the intended functions. The battery must therefore be declared inoperable immediately.

SURVEILLANCE REQUIREMENTS

SR 3.8.6.1 Deleted

SR 3.8.6.2 Deleted

SR 3.8.6.3 Deleted

SR 3.8.6.4

Verifying battery float current while on float charge is used to determine the state of charge of the battery.
Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a charged state. The equipment used to monitor float current must have the necessary accuracy and capability to measure electrical currents in the expected range. The minimum required procedural time to measure battery float current will be 30 seconds or as recommended by the float current measurement instrument manufacturer. This minimum float current measurement time is required to provide a more accurate battery float current reading. The float current requirements are based on the float current indicative of a charged battery. Use of float current to determine the state of charge of the battery is consistent with IEEE-450 (Ref. 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that states the float current requirement is not required to be met when battery terminal voltage is less than the minimum established float voltage of SR 3.8.4.1. When this float voltage is not maintained the Required Actions of LCO 3.8.4 Action A are being taken, which provide the necessary and appropriate verifications of the battery condition. Furthermore, the float current limit of 2 amps is established based on the nominal float voltage value and is not directly applicable when this voltage is not maintained. 
SR 3.8.6.5 and SR 3.8.6.8

Optimal long term battery performance is obtained by maintaining a float voltage greater than or equal to the minimum established design limits provided by the battery manufacturer, which corresponds to 130.2 V at the battery terminals, or 2.17 volts per cell (Vpc). This provides adequate over-potential, which limits the formation of lead sulfate and self discharge, which could eventually render the battery inoperable. Float voltages in this range or less, but greater than 2.07 Vpc, are addressed in Specification 5.5.19. SRs 3.8.6.5 and 3.8.6.8 require verification that the cell float voltages are greater than the short term absolute minimum voltage of 2.07 V. Plant procedures must require verification of the selection of the pilot cell or cells when performing SR 3.8.6.5. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.6

The limit specified for electrolyte level ensures that the plates suffer no physical damage and maintains adequate electron transfer capability. The minimum design electrolyte level is the minimum level indication mark on the battery cell jar. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.7

This Surveillance verifies that the pilot cell temperature is greater than or equal to the minimum established design limit (i.e., 60°F). Pilot cell electrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements. Temperatures lower than assumed in battery sizing calculations act to inhibit or reduce battery capacity.
Battery room temperature must be routinely monitored such that a room temperature excursion could reasonably be expected to be detected and corrected prior to the average battery electrolyte temperature dropping below the minimum electrolyte temperature. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.9

A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as-found condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.

Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.6.9; however, only the modified performance discharge test may be used to satisfy the battery service test requirements of SR 3.8.4.7.

A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.

It may consist of just two rates; for instance the one minute rate for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelop the duty cycle of the service test.
Since the ampere-hours removed by a one minute discharge represent a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 3) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements. Furthermore, the battery is sized to meet the assumed duty cycle loads when the battery design capacity reaches this 80% limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity ≥ 100% of the manufacturer's ratings. Degradation is indicated, according to IEEE-450 (Ref. 3), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is 10% below the manufacturer's rating.
These Frequencies are consistent with the recommendations in IEEE-450 (Ref. 3).

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR.

REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.
3. IEEE-450-2002.
4. UFSAR, Chapter 8.
5. IEEE-485-1983, June 1983.
6. SDOC EN050B-A00024, Installation, Operation and Maintenance Manual for Class 1E Batteries and Racks.
7. EPRI TR-100248, Rev. 2, Stationary Battery Guide: Design, Application, and Maintenance, December 6, 2006.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.7 Inverters - Operating

BASES

BACKGROUND

The inverters are the preferred source of power for the AC vital instrument buses because of the stability and reliability they achieve by being powered from the 125 VDC battery source. The function of the inverter is to provide AC electrical power to the AC vital instrument buses. The AC vital instrument bus can be powered from an AC source via a Class 1E constant voltage regulator or from the inverter connected to the station battery. This configuration provides an uninterruptible power source for the instrumentation and controls for the Reactor Protective System (RPS) and the Engineered Safety Feature Actuation System (ESFAS). There are two inverters per Train (A and B) which totals to four inverters per unit.

Specific details on inverters and their operating characteristics are found in the UFSAR, Chapter 8 (Ref. 1).
APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 2) and Chapter 15 (Ref. 3), assume Engineered Safety Feature systems are OPERABLE. The inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RPS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes maintaining required AC vital instrument buses OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC electrical power or all onsite AC electrical power; and
b. A worst case single failure.

Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The inverters ensure the availability of AC electrical power for the systems' instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.
Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The four inverters (two per train) ensure an uninterruptible supply of AC electrical power to the AC vital instrument buses even if the 4.16 kV safety buses are de-energized. OPERABLE inverters require the associated AC vital instrument bus to be powered by the inverter with output voltage and frequency within tolerances, and power input to the inverters from a 125 VDC station battery.

This LCO is modified by a Note that allows one inverter to be disconnected from its associated battery for 24 hours, if the AC vital instrument bus is powered from a Class 1E constant voltage regulator during the period and all other inverters are operable. This allows an equalizing charge to be placed on one battery. If the inverter was not disconnected, the resulting voltage condition might damage the inverter. These provisions minimize the loss of equipment that would occur in the event of a loss of offsite power. The 24 hour time period for the allowance minimizes the time during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital instrument bus while taking into consideration the time required to perform an equalizing charge on the battery bank.

The intent of this Note is to limit the number of inverters that may be disconnected. Only the inverter associated with the single battery undergoing an equalizing charge may be disconnected. All other inverters must be connected to their associated batteries and aligned to their associated AC vital instrument buses.
APPLICABILITY

The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Inverter requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are covered in the Bases for LCO 3.8.8, "Inverters Shutdown."

ACTIONS

A.1

With a required inverter inoperable, its associated AC vital instrument bus becomes inoperable until it is re-energized from its Class 1E constant voltage source regulator.

Required Action A.1 is modified by a Note, which states to enter the applicable conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating," when Condition A is entered with one AC vital instrument bus de-energized. This ensures the AC vital instrument bus is re-energized within 2 hours via the Class 1E constant voltage regulator.

Required Action A.1 allows 7 days to fix the inoperable inverter and return it to service. The 7 day limit is a risk informed Completion Time based on a plant specific risk analysis, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems such a shutdown might entail.
When the AC vital instrument bus is powered from its constant voltage source, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter source to the AC vital instrument buses is the preferred source for powering instrumentation trip setpoint devices.

Planned inverter maintenance or other activities that require entry into Required Action A.1 will not be undertaken concurrent with the following:

a. Planned maintenance on the associated train Diesel Generator (DG); or
b. Planned maintenance on another RPS or ESFAS channel that results in that channel being in a tripped condition.

These actions are taken because it is recognized that with an inverter inoperable and the instrument bus being powered by the regulating transformer, instrument power for that train is dependent on power from the associated DG following a loss of offsite power event.

B.1 and B.2

If the inoperable devices or components cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS

SR 3.8.7.1

This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital instrument buses energized from the inverter. The verification of proper voltage and frequency output ensures that the required power is readily available for the instrumentation of the RPS and ESFAS connected to the AC vital instrument buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 8.
2. UFSAR, Chapter 6.
3. UFSAR, Chapter 15.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.8 Inverters - Shutdown

BASES

BACKGROUND

A description of the inverters is provided in the Bases for LCO 3.8.7, "Inverters Operating."

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the Reactor Protective System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.
The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum inverters to each AC vital instrument bus during MODES 5 and 6, and during movement of irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shut down, the Technical Specification requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and minimal in consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.
The inverters support the equipment and instrumentation required to mitigate the Loss of Shutdown Cooling and Loss of RCS Inventory accidents analyzed in response to NRC Generic Letter 88-17 "Loss of Decay Heat Removal." The Generic Letter does not require the assumption of a single failure and concurrent loss of all offsite or all onsite power.

The inverters were previously identified as part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The required inverters ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. The battery powered inverters provide uninterruptible supply of AC electrical power to the AC vital instrument buses even if the 4.16 kV safety buses are de-energized. OPERABILITY of the inverters requires that the AC vital instrument bus be powered by the inverter. This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

In Modes 5 & 6 and during movement of irradiated fuel assemblies, one train of inverters, consisting of two channels with one inverter per channel, is required to be OPERABLE to support the requirements of LCO 3.8.10 "Distribution Systems Shutdown". This train of inverters also supports the one required OPERABLE Diesel Generator specified in LCO 3.8.2 "AC Sources Shutdown" on that same train.
For situations where redundant trains of supported equipment are required to be OPERABLE by LCO 3.8.10, the necessary AC vital instrument bus(es) associated with the additional train of inverters shall be energized by either the bus(es)' associated inverter or AC voltage regulator. For those situations where an AC vital instrument bus associated with the additional train of inverters is energized by its inverter, the corresponding DC bus must be energized by a minimum of its associated battery charger or backup battery charger per LCO 3.8.5.

APPLICABILITY

The inverters required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

Inverter requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.7.
ACTIONS

The Actions are modified by a Note that identifies that Required Action A.2.3 is not applicable to the movement of irradiated fuel assemblies in Modes 1 through 4.

A.1, A.2.1, A.2.2, A.2.3, and A.2.4

If two trains of AC vital instrument buses are required by LCO 3.8.10, "Distribution Systems Shutdown," of the two required trains, the remaining bus(es) with AC power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, operations with a potential for draining the reactor vessel, and operations with a potential for positive reactivity additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCOs' Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions). The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. If moving irradiated fuel assemblies while in MODES 1, 2, 3, or 4, the fuel movement is independent of reactor operations.
Therefore, inability to immediately suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quickly as possible in order to minimize the time the unit safety systems may be without sufficient power.

SURVEILLANCE REQUIREMENTS

SR 3.8.8.1

This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital instrument buses energized from the inverter. The verification of proper voltage and frequency output ensures that the required power is readily available for the instrumentation connected to the AC vital instrument buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.9 Distribution Systems - Operating

BASES

BACKGROUND

The onsite Class 1E AC, DC, and AC vital instrument bus electrical power distribution systems are divided into two trains.
Each train has redundant and independent AC, DC, and AC vital instrument bus electrical power distribution subsystems.

The AC primary electrical power distribution system consists of two 4.16 kV Engineered Safety Feature (ESF) buses. Each 4.16 kV ESF bus is normally connected to an offsite source. If the offsite source is de-energized or disconnected, the onsite emergency DG supplies power to the 4.16 kV ESF bus. Control power for the 4.16 kV breakers is supplied from the Class 1E batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources - Operating," and the Bases for LCO 3.8.4, "DC Sources - Operating."

The secondary AC electrical power distribution system for each train includes the safety related load centers, motor control centers and distribution panels shown in Table B 3.8.9-1.

The 120 VAC vital instrument buses are arranged in two channels per subsystem and are normally powered from the inverters. There are four channels designated as A, B, C and D for each unit. The alternate power supplies for the vital instrument buses are Class 1E constant voltage source regulators powered from train-related Class 1E motor control centers, and their use is governed by LCO 3.8.7, "Inverters Operating."

There are two independent 125 VDC electrical power distribution subsystems (Train A and Train B). Each subsystem contains two DC power channels. There are four channels designated as A, B, C, and D for each unit.

The list of all required distribution buses is presented in Table B 3.8.9-1.

The six electrical power distribution subsystems consist of those components identified by Table B 3.8.9-1. Load breakers not identified by this table do not impact this LCO but may impact supported system LCOs. Load breakers that are required to maintain energized those buses identified by Table B 3.8.9-1 (e.g., PG to PH) do impact this LCO.
APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, DC, and AC vital instrument bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC, DC, and AC vital instrument bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power; and
b. A worst case single failure.

The distribution systems satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

The six required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital instrument bus electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. The AC, DC, and AC vital instrument bus electrical power distribution subsystems are required to be OPERABLE.
Maintaining the Train A and Train B AC, DC, and AC vital instrument bus electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

OPERABLE AC electrical power distribution subsystems require the associated buses, load centers, motor control centers, and distribution panels to be energized to their proper voltages. OPERABLE DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. OPERABLE AC vital instrument bus electrical power distribution subsystems require the associated buses to be energized to their proper voltage from the associated inverter via inverted DC voltage, or Class 1E constant voltage regulator.

In addition, tie breakers between redundant safety related AC, DC, and AC vital instrument bus power distribution subsystems, if they exist, must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers are closed, the affected redundant electrical power distribution subsystems are considered inoperable. This applies to the onsite, safety related redundant electrical power distribution subsystems. It does not, however, preclude redundant Class 1E 4.16 kV buses from being powered from the same offsite circuit.
APPLICABILITY

The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Electrical power distribution subsystem requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are covered in the Bases for LCO 3.8.10, "Distribution Systems - Shutdown."

ACTIONS

A.1

With one or more required AC buses, load centers, or motor control centers (see Table B 3.8.9-1), except AC vital instrument buses, in one subsystem inoperable, the remaining AC electrical power distribution subsystem in the other train is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required AC buses, load centers and motor control centers must be restored to OPERABLE status within 8 hours.

Condition A worst scenario is one train (PBA or PBB) without AC power (i.e., no offsite power to the train and the associated DG inoperable). In this condition, the unit is more vulnerable to a complete loss of AC power.
It is, therefore, imperative that the unit operator's attention be focused on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8 hour time limit before requiring a unit shutdown in this condition is acceptable because of:

a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; and
b. The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the AC distribution system. At this time, a DC circuit could again become inoperable, and AC distribution restored OPERABLE. This could continue indefinitely.

The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition A was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
B.1

With AC vital instrument bus(es) (Channels A or C, or Channels B or D) (see Table B 3.8.9-1) in one train inoperable, the remaining OPERABLE AC vital bus electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required ESF functions not being supported. Therefore, the required AC vital instrument buses must be restored to OPERABLE status within 2 hours by powering the bus from the associated inverter via inverted DC voltage or the Class 1E constant voltage regulator.

Condition B represents one train without adequate AC vital instrument bus power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of OPERABILITY to the remaining vital instrument buses, and restoring power to the affected electrical power distribution subsystem.

This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate AC vital instrument power. Taking exception to LCO 3.0.2 for components without adequate AC vital instrument power, which would have the Required Action Completion Times shorter than 2 hours if declared inoperable, is acceptable because of:

a.
The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous Applicable Conditions and Required Actions for components without adequate AC vital instrument power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour Completion Time takes into account the importance to safety of restoring the AC vital instrument bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital instrument buses, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the vital instrument bus distribution system. At this time, an AC train could again become inoperable, and vital instrument bus distribution restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."
This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition B was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

C.1

With DC bus(es) in one train (see Table B 3.8.9-1) inoperable, the remaining DC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the required DC buses must be restored to OPERABLE status within 2 hours by powering the bus from the associated battery or battery charger.

Condition C represents one train without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining DC buses and restoring power to the affected DC electrical power distribution subsystem.

This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components which would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours, is acceptable because of:

a.
The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 3).

The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition C is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the DC distribution system. At this time, an AC train could again become inoperable, and DC distribution restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition C was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
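The "time zero" rule described for Required Actions A.1, B.1 and C.1 above, as an added worked example that is not part of the Bases: each Condition's own restoration limit (8 hours for A, 2 hours for B and C) is capped at 16 hours from the time the LCO was first not met. The event model, the function and class names, and the sample timeline are constructed for illustration; treating a restoration and a new Condition entry at the same instant as one contiguous occurrence is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Restoration Completion Times stated in the Bases for LCO 3.8.9.
RESTORE_LIMIT = {
    "A": timedelta(hours=8),  # AC buses, load centers, motor control centers
    "B": timedelta(hours=2),  # AC vital instrument buses
    "C": timedelta(hours=2),  # DC buses
}
# Second Completion Time: counted from when the LCO was initially not met.
LCO_CAP = timedelta(hours=16)

T0 = datetime(2020, 1, 1, 0, 0)  # constructed reference time, not plant data


@dataclass(frozen=True)
class Event:
    time: datetime
    condition: str  # "A", "B" or "C"
    action: str     # "enter" or "exit"


@dataclass(frozen=True)
class Deadline:
    condition: str
    entered: datetime
    lco_time_zero: datetime
    deadline: datetime
    binding: str    # "restoration" or "lco-cap"


def at(hours):
    """Constructed helper: a timestamp the given number of hours after T0."""
    return T0 + timedelta(hours=hours)


def completion_deadlines(events):
    """Return one Deadline per Condition entry, applying the 16 hour cap."""
    active = set()
    lco_time_zero = None
    results = []
    # Assumption: at equal timestamps an entry is processed before an exit,
    # so a same-instant hand-over stays one contiguous occurrence.
    for ev in sorted(events, key=lambda e: (e.time, e.action != "enter")):
        if ev.condition not in RESTORE_LIMIT:
            raise ValueError(f"unknown Condition {ev.condition!r}")
        if ev.action == "enter":
            if ev.condition in active:
                raise ValueError(f"Condition {ev.condition} entered twice")
            if not active:
                lco_time_zero = ev.time  # LCO initially not met here
            active.add(ev.condition)
            own = ev.time + RESTORE_LIMIT[ev.condition]
            cap = lco_time_zero + LCO_CAP
            if own <= cap:
                results.append(Deadline(ev.condition, ev.time, lco_time_zero,
                                        own, "restoration"))
            else:
                results.append(Deadline(ev.condition, ev.time, lco_time_zero,
                                        cap, "lco-cap"))
        elif ev.action == "exit":
            if ev.condition not in active:
                raise ValueError(f"Condition {ev.condition} exited but not active")
            active.remove(ev.condition)
            if not active:
                lco_time_zero = None  # LCO met again; the next entry restarts the clock
        else:
            raise ValueError(f"unknown action {ev.action!r}")
    return results


def constructed_timeline():
    """Constructed sequence following the A.1 narrative: a DC bus is lost,
    then AC and DC alternate without the LCO ever being met in between."""
    return [
        Event(at(0), "C", "enter"),
        Event(at(2), "A", "enter"), Event(at(2), "C", "exit"),
        Event(at(10), "C", "enter"), Event(at(10), "A", "exit"),
        Event(at(12), "A", "enter"), Event(at(12), "C", "exit"),
    ]


def as_hours(results):
    """(condition, entered, deadline, binding) with times in hours after T0."""
    h = lambda t: (t - T0).total_seconds() / 3600
    return [(r.condition, h(r.entered), h(r.deadline), r.binding) for r in results]


if __name__ == "__main__":
    for row in as_hours(completion_deadlines(constructed_timeline())):
        print(row)
```

The second entry reproduces the "total of 10 hours" case in the text; the last entry would run to hour 20 on its own 8 hour limit, and the 16 hour Completion Time is what stops the alternation from continuing indefinitely.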
D.1 and D.2

If the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1

Condition E corresponds to a level of degradation in the electrical distribution system that causes a required safety function to be lost. When more than one Condition is entered, and this results in the loss of a required safety function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

SURVEILLANCE REQUIREMENTS

SR 3.8.9.1

This Surveillance verifies that the AC, DC, and AC vital instrument bus electrical power distribution systems are functioning properly, with the required circuit breakers closed and the buses energized. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus.
The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 15.
3. Regulatory Guide 1.93, Revision 0, December 1974.

Table B 3.8.9-1 (Units 1, 2, and 3)

TYPE: AC safety buses
  4160 V
    TRAIN A: ESF Bus PBA-S03
    TRAIN B: ESF Bus PBB-S04
  480 V
    TRAIN A: Load Centers PGA-L31, PGA-L33, PGA-L35
    TRAIN B: Load Centers PGB-L32, PGB-L34, PGB-L36
  480 V
    TRAIN A: Motor Control Centers PHA-M31, PHA-M33, PHA-M35, PHA-M37
    TRAIN B: Motor Control Centers PHB-M32, PHB-M34, PHB-M36, PHB-M38

TYPE: DC buses
  125 V
    TRAIN A, CHANNEL A: Control Center PKA-M41, Distribution Panel PKA-D21
    TRAIN A, CHANNEL C: Control Center PKC-M43, Distribution Panel PKC-D23
    TRAIN B, CHANNEL B: Control Center PKB-M42, Distribution Panel PKB-D22
    TRAIN B, CHANNEL D: Control Center PKD-M44, Distribution Panel PKD-D24

TYPE: AC vital instrument buses
  120 V
    TRAIN A, CHANNEL A: Distribution Panel PNA-D25
    TRAIN A, CHANNEL C: Distribution Panel PNC-D27
    TRAIN B, CHANNEL B: Distribution Panel PNB-D26
    TRAIN B, CHANNEL D: Distribution Panel PND-D28

NOTE: Each train of the electrical power distribution system is comprised of the independent AC, DC, and AC vital instrument bus subsystems.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.10 Distribution Systems - Shutdown

BASES

BACKGROUND

A description of the AC, DC, and AC vital instrument bus electrical power distribution systems is provided in the Bases for LCO 3.8.9, "Distribution Systems - Operating."
APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital instrument bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC, DC, and AC vital instrument bus electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC, DC, and AC vital instrument bus electrical power distribution subsystems during MODES 5 and 6, and during movement of irradiated fuel assemblies, ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

The AC and DC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific unit condition. Implicit in those requirements is the required OPERABILITY of necessary support required features.
This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of required systems, equipment and components - all specifically addressed in each LCO and implicitly required via the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

APPLICABILITY

The AC, DC, and AC vital instrument bus electrical power distribution subsystems required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies, provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and refueling condition.

Movement of spent fuel casks containing irradiated fuel assemblies is not within the scope of the Applicability of this technical specification. The movement of dry casks containing irradiated fuel assemblies will be done with a single-failure-proof handling system and with transport equipment that would prevent any credible accident that could result in a release of radioactivity.

The AC, DC, and AC vital instrument bus electrical power distribution subsystem requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.9.
ACTIONS

The Actions are modified by a Note that identifies that Required Action A.2.3 is not applicable to the movement of irradiated fuel assemblies in Modes 1 through 4.

A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5

Although redundant required features may require redundant trains of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem train may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected required features LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions). The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory provided the required SDM is maintained.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. If moving irradiated fuel assemblies while in MODES 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Therefore, inability to immediately suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. These actions minimize the probability of the occurrence of postulated events.
It is further required to immediately initiate action to restore the required AC, DC, and AC vital instrument bus electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.

Notwithstanding performance of the above conservative Required Actions, a required shutdown cooling (SDC) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the SDC ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring SDC inoperable, which results in taking the appropriate SDC actions.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power.

SURVEILLANCE REQUIREMENTS

SR 3.8.10.1

This Surveillance verifies that the AC, DC, and AC vital instrument bus electrical power distribution system is functioning properly, with all the required buses energized. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Chapter 6.
2.
UFSAR, Chapter 15.

B 3.9 REFUELING OPERATIONS

B 3.9.1 Boron Concentration

BASES

BACKGROUND

The limit on the boron concentrations of the Reactor Coolant System (RCS) and the refueling canal, during refueling ensures that the reactor remains subcritical during MODE 6. Refueling boron concentration is the soluble boron concentration in the coolant in each of these volumes having direct access to the reactor core during refueling.

The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Unit procedures ensure the specified boron concentration in order to maintain an overall core reactivity of keff 0.95 during fuel handling, with control element assemblies (CEAs) and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowed by unit procedures.

GDC 26 of 10 CFR 50, Appendix A, requires that two independent reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holding the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable of maintaining the reactor subcritical in cold conditions by maintaining the boron concentration.

The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling. After the RCS is cooled and depressurized, the vessel head is unbolted and the head is slowly removed. The refueling canal is flooded with borated water from the refueling water tank into the open reactor vessel by gravity feeding or by the use of the Shutdown Cooling (SDC) System pumps.
The pumping action of the SDC System in the RCS and the natural circulation due to thermal driving heads in the reactor vessel and the refueling canal mix the water to obtain a uniform concentration. The SDC System is in operation during refueling (see LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level") to provide forced circulation in the RCS and assist in maintaining the boron concentrations in the RCS and the refueling canal above the COLR limit.

APPLICABLE SAFETY ANALYSES

During refueling operations, the reactivity condition of the core is consistent with the initial conditions assumed for the boron dilution accident in the accident analysis and is conservative for MODE 6. The boron concentration limit specified in the COLR is based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.

The required boron concentration and the unit refueling procedures that demonstrate the correct fuel loading plan (including full core mapping) ensure the keff of the core will remain 0.95 during the refueling operation. Hence, at least a 5% k/k margin of safety is established during refueling.

During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal and the reactor vessel form a single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.

The limiting boron dilution accident analyzed occurs in MODE 5 (Ref. 2).
A detailed discussion of this event is provided in B 3.1.2, "SHUTDOWN MARGIN - Reactor Trip Breakers Closed."

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

The LCO requires that a minimum boron concentration be maintained in the RCS and the refueling canal to ensure a uniform boron concentration is maintained for reactivity control in the volumes having direct access to the reactor vessel while in MODE 6. The boron concentration limit specified in the COLR ensures a core keff of 0.95 is maintained during fuel handling operations. Violation of the LCO could lead to an inadvertent criticality during MODE 6.

APPLICABILITY

This LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required boron concentration ensures a keff 0.95. Above MODE 6, LCO 3.1.1, "SHUTDOWN MARGIN (SDM) Reactor Trip Breakers Open," and LCO 3.1.2, "SHUTDOWN MARGIN Reactor Trip Breakers Closed," ensure that an adequate amount of negative reactivity is available to shut down the reactor and to maintain it subcritical.

ACTIONS

A.1 and A.2

Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron concentration of any coolant volume in the RCS or the refueling canal is less than its limit, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately.
Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position.

A.3

In addition to immediately suspending CORE ALTERATIONS or positive reactivity additions, boration to restore the concentration must be initiated immediately.

In determining the required combination of boration flow rate and concentration, there is no unique design basis event that must be satisfied. The only requirement is to restore the boron concentration to its required value as soon as possible at greater than or equal to 26 gpm of a solution containing greater than 4000 ppm boron. In order to raise the boron concentration as soon as possible, the operator should begin boration with the best source available for unit conditions.

Once boration is initiated, it must be continued until the boron concentration is restored. The restoration time depends on the amount of boron that must be injected to reach the required concentration.

SURVEILLANCE REQUIREMENTS

SR 3.9.1.1

This SR ensures the coolant boron concentration in the RCS and the refueling canal is within the COLR limits. The boron concentration of the coolant in each volume is determined periodically by chemical analysis.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26.
2. UFSAR, Section 9.1.2.
B 3.9 REFUELING OPERATIONS

B 3.9.2 Nuclear Instrumentation

BASES

BACKGROUND

The Startup Channel Neutron Flux Monitors or Startup Range Monitors (SRMs) are used during core alterations or movement of irradiated fuel assemblies in containment to monitor the core reactivity condition. The installed SRMs are part of the Excore Nuclear Instrumentation System. These detectors are located external to the reactor vessel and detect neutrons leaking from the core. The use of portable detectors is permitted, provided the LCO requirements are met.

The installed SRMs are BF3 detectors operating in the proportional region of the gas filled detector characteristic curve. The detectors monitor the neutron flux in counts per second. The instrument range covers five decades of neutron flux (1E+5 cps) with a 5% instrument accuracy. The detectors also provide continuous visual indication in the control room and an audible indication in the control room and containment. An audible BDAS alarm alerts operators to a possible dilution accident. The excore startup channels are designed in accordance with the criteria presented in Reference 1.

APPLICABLE SAFETY ANALYSES

Two OPERABLE SRMs and the associated BDAS are required to provide a signal to alert the operator to unexpected changes in core reactivity from a boron dilution accident. The safety analysis of the uncontrolled boron dilution accident is described in Reference 2. The analysis of the uncontrolled boron dilution accident shows that normally available reactor subcriticality would be reduced, but there is sufficient time for the operator to take corrective actions.

The SRMs satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
LCO

This LCO requires two SRMs OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity.

The SRMs include detectors, preamps, amplifiers, power supplies, indicators, recorders, speakers, alarms, switches and other components necessary to complete the SRM functions. Specifically, each SRM must provide continuous visual indication in the Control Room and each SRM must have the capability to provide audible indication in both the Control Room and Containment via use of the Control Room switch.

APPLICABILITY

In MODE 6, the SRMs must be OPERABLE to determine changes in core reactivity. There is no other direct means available to check core reactivity levels.

The requirements for the associated Boron Dilution Alarm System (BDAS) operability in MODE 6 are contained in LCO 3.3.12, "Boron Dilution Alarm System." LCO 3.3.12 also covers SRM and BDAS operability requirements for MODES 3, 4 and 5.

ACTIONS

A.1 and A.2

With only one SRM OPERABLE, redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and positive reactivity additions must be suspended immediately. Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.

With one required SRM channel inoperable due to loss of its neutron flux indication function, the associated BDAS is also inoperable.
If the SRM is inoperable strictly due to a loss of its audible indication function, and the SRM is able to provide neutron flux indication signal to the associated BDAS, the BDAS channel can be considered OPERABLE.

With one required BDAS channel inoperable, Action A.1 of LCO 3.3.12 requires the RCS boron concentration to be determined immediately and at the applicable monitoring frequency specified in the COLR Section 3.3.12 in order to satisfy the requirements of the inadvertent deboration safety analysis. The monitoring frequency specified in the COLR ensures that a decrease in the boron concentration during a boron dilution event will be detected with sufficient time for termination of the event before the reactor achieves criticality. The boron concentration measurement and the OPERABLE BDAS channel provide alternate methods of detection of boron dilution.

B.1

With no SRM OPERABLE, action to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until an SRM is restored to OPERABLE status.

With no SRM OPERABLE, there is no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and positive reactivity additions are not to be made, the core reactivity condition is stabilized until the SRMs are OPERABLE. This stabilized condition is verified by performing Action B.1 of LCO 3.3.12 which requires RCS boron concentration to be determined by redundant methods immediately and at the monitoring frequency specified in the COLR Section 3.3.12. This action satisfies the requirements of the inadvertent deboration safety analysis.
RCS boron concentration sampling by redundant methods ensures a boron dilution will be detected with sufficient time to terminate the event before the reactor achieves criticality.

SURVEILLANCE REQUIREMENTS

SR 3.9.2.1

SR 3.9.2.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.2.2

SR 3.9.2.2 is the performance of a CHANNEL CALIBRATION. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The detectors are of simple construction, and any failures in the detectors will be apparent as change in channel output. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational. This SR is an extension of SR 3.3.12 for the Boron Dilution Alarm System CHANNEL CALIBRATION listed here because of its Applicability in these MODES.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The CHANNEL CALIBRATION is normally performed during a plant outage, but can be performed with the reactor at power if detector curve determination is not performed. Detector curve determination can only be performed under conditions that apply during a plant outage since the flux level needs to be at shutdown levels for detector energization.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 13, GDC 26, GDC 28, and GDC 29.
2. UFSAR, Section 15.4.6.

B 3.9 REFUELING OPERATIONS

B 3.9.3 Containment Penetrations

BASES

BACKGROUND

During CORE ALTERATIONS or movement of fuel assemblies within containment with irradiated fuel in containment, a release of fission product radioactivity within the containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES 1, 2, 3, and 4, this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containment from the outside atmosphere can be less stringent. The LCO requirements are referred to as "containment closure" rather than "containment OPERABILITY." Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the Appendix J leakage criteria and tests are not required.

The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained well within the requirements of 10 CFR 100.
Additionally, the containment structure provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containment. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, the equipment hatch must be capable of being closed and held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced.

The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1, 2, 3, and 4 operation in accordance with LCO 3.6.2, "Containment Air Locks." Each air lock has doors at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of shutdown when containment closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, containment closure is required; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain capable of being closed.

The requirements on containment penetration closure ensure that a release of fission product radioactivity within containment will be restricted to within regulatory limits.

The Containment Purge and Exhaust System includes two subsystems.
The refueling purge subsystem includes a 42 inch supply penetration and a 42 inch exhaust penetration. The second subsystem, power access purge subsystem, includes an 8 inch supply penetration and an 8 inch exhaust penetration. During MODES 1, 2, 3, and 4, the two valves in each of the refueling purge supply and exhaust penetrations are secured in the closed position. The two valves in each of the two power access purge penetrations can be opened intermittently, but are closed automatically by the Engineered Safety Features Actuation System (ESFAS). Neither of the subsystems is subject to a Specification in MODE 5.

In MODE 6, large air exchanges are necessary to conduct refueling operations. The refueling purge system is used for this purpose and the valves are closed by the ESFAS in accordance with LCO 3.3.8, "Containment Purge Isolation Actuation Signal (CPIAS)."

The Power Access Purge System remains operational in MODE 6 and the valves are also closed by the ESFAS.

The other containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side. Isolation may be achieved by an OPERABLE automatic isolation valve, or by a manual isolation valve, blind flange, or equivalent. Equivalent isolation methods must be approved and may include use of devices designed to allow eddy current testing and sludge lancing of the steam generators. Devices which present a substantial restriction to the release of containment atmosphere may be considered equivalent.
APPLICABLE SAFETY ANALYSES

During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, the most severe radiological consequences result from a fuel handling accident. The fuel handling accident is a postulated event that involves damage to irradiated fuel (Ref. 2). Fuel handling accidents, analyzed in Reference 2, include dropping a single irradiated fuel assembly and handling tool or a heavy object onto other irradiated fuel assemblies. The requirements of LCO 3.9.6, "Refueling Water Level-Fuel Assemblies," LCO 3.9.7, "Refueling Water Level-CEAs," and the minimum decay time of 100 hours prior to CORE ALTERATIONS ensure that the release of fission product radioactivity, subsequent to a fuel handling accident, results in doses that are well within the guideline values specified in 10 CFR 100. The acceptance limits for offsite radiation exposure are contained in Standard Review Plan Section 15.7.4, Rev. 1 (Ref. 3), which defines "well within" 10 CFR 100 to be 25% or less of the 10 CFR 100 values.

Containment penetrations satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO

This LCO limits the consequences of a fuel handling accident in containment by limiting the potential escape paths for fission product radioactivity released within containment. The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge supply exhaust penetrations, containment personnel airlocks, and equipment hatch. For the OPERABLE containment purge supply and exhaust penetrations, this LCO ensures that these penetrations are isolable by a valve in the Containment Purge Isolation System.
The OPERABILITY requirements for this LCO ensure that the automatic purge valve closure times specified in the UFSAR can be achieved and therefore meet the assumptions used in the safety analysis to ensure releases through the valves are terminated, such that the radiological doses are within the acceptance limit. The equipment hatch is required to be kept free of obstructions that could impede its closure so it is capable of being closed with a minimum of four bolts should a fuel handling accident occur inside containment. The containment personnel airlock doors may be open during movement of irradiated fuel in the containment and during CORE ALTERATIONS provided that one door is capable of being closed in the event of a fuel handling accident. Should a fuel handling accident occur inside containment, one personnel airlock door will be closed following an evacuation of containment.

The LCO is modified by a Note allowing penetration flow paths with direct access from the containment atmosphere to the outside atmosphere to be unisolated under administrative controls. Administrative controls ensure that 1) appropriate personnel are aware of the open status of the penetration flow path during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, and 2) specified individuals are designated and readily available to isolate the flow path in the event of a fuel handling accident.

APPLICABILITY

The containment penetration requirements are applicable during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment because this is when there is a potential for a fuel handling accident.
In MODES 1, 2, 3, and 4, containment penetration requirements are addressed by LCO 3.6.1, "Containment." In MODES 5 and 6, when CORE ALTERATIONS or movement of irradiated fuel assemblies within containment are not being conducted, the potential for a fuel handling accident does not exist. Therefore, under these conditions no requirements are placed on containment penetration status.

ACTIONS

A.1 and A.2

With the containment equipment hatch, air locks, or any containment penetration that provides direct access from the containment atmosphere to the outside atmosphere not in the required status, including the Containment Purge Isolation System not capable of automatic actuation when the purge valves are open, the unit must be placed in a condition in which the isolation function is not needed. This is accomplished by immediately suspending CORE ALTERATIONS and movement of irradiated fuel assemblies within containment. Performance of these actions shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE REQUIREMENTS

SR 3.9.3.1

This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position. The Surveillance on the open purge and exhaust valves will demonstrate that the valves are not blocked from closing. Also, the Surveillance will demonstrate that each valve operator has motive power, which will ensure each valve is capable of being closed by an OPERABLE automatic containment purge isolation signal.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.3.2

This Surveillance demonstrates that each containment purge valve actuates to its isolation position on manual initiation or on an actual or simulated high radiation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. These surveillances performed during MODE 6 will ensure that the valves are capable of closing after a postulated fuel handling accident to limit a release of fission product radioactivity from the containment.

SR 3.9.3.3

This Surveillance demonstrates that the necessary hardware, tools, equipment and personnel are available to close the equipment hatch and that the equipment hatch is clear of obstructions that would impede its closure.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. GPU Nuclear Safety Evaluation SE-0002000-001, Rev. 0, May 20, 1988.
2. UFSAR, Section 15.7.4.
3. NUREG-0800, Section 15.7.4, Rev. 1, July 1981.

B 3.9 REFUELING OPERATIONS

B 3.9.4 Shutdown Cooling (SDC) and Coolant Circulation - High Water Level

BASES

BACKGROUND

The purposes of the SDC System in MODE 6 are to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, to provide sufficient coolant circulation to minimize the effects of a boron dilution accident, and to prevent boron stratification (Ref. 1).
Heat is removed from the RCS by circulating reactor coolant through the SDC heat exchanger(s), where the heat is transferred to the Essential Cooling Water System via the SDC heat exchanger(s). The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the SDC System for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the SDC heat exchanger(s) and bypassing the heat exchanger(s). Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the SDC System.

APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to a resulting loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the SDC System is required to be operational in MODE 6, with the water level 23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit de-energizing of the SDC pump for short durations under the condition that the boron concentration is not diluted. This conditional de-energizing of the SDC pump does not result in a challenge to the fission product barrier.
SDC and Coolant Circulation - High Water Level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

Only one SDC loop is required for decay heat removal in MODE 6, with water level 23 ft above the top of the reactor vessel flange. Only one SDC loop is required because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one SDC loop must be in operation to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of a criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE SDC train is composed of an OPERABLE SDC pump (LPSI or CS) capable of providing flow to the SDC heat exchanger for heat removal. SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required.

The LCO is modified by a Note that allows the required operating SDC loop to be removed from service for up to 1 hour in each 8 hour period, provided no operations are permitted that would cause a reduction of the RCS boron concentration. Boron concentration reduction is prohibited because uniform concentration distribution cannot be ensured without forced circulation. This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles, surveillance testing of ECCS pumps, and RCS to SDC isolation valve testing. During this 1 hour period, decay heat is removed by natural convection to the large mass of water in the refueling cavity.
APPLICABILITY

One SDC loop must be in operation in MODE 6, with the water level 23 ft above the top of the reactor vessel flange, to provide decay heat removal. The 23 ft level was selected because it corresponds to the 23 ft requirement established for fuel movement in LCO 3.9.6, "Refueling Water Level - Fuel Assemblies." Requirements for the SDC System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS), and Section 3.5, Emergency Core Cooling Systems (ECCS). SDC loop requirements in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, are located in LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level."

ACTIONS

SDC loop requirements are met by having one SDC loop OPERABLE and in operation, except as permitted in the Note to the LCO.

A.1

If SDC loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur through the addition of water with a lower boron concentration than that contained in the RCS. Therefore, actions that reduce boron concentration shall be suspended immediately.

A.2

If SDC loop requirements are not met, actions shall be taken immediately to suspend loading irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core.
A minimum refueling water level of 23 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase the decay heat load, such as loading an irradiated fuel assembly, is a prudent action under this condition.

A.3

If SDC loop requirements are not met, actions shall be initiated and continued in order to satisfy SDC loop requirements.

A.4

If SDC loop requirements are not met, all containment penetrations to the outside atmosphere must be closed to prevent fission products, if released by a loss of decay heat event, from escaping the containment building. The 4 hour Completion Time allows fixing most SDC problems without incurring the additional action of violating the containment atmosphere.

SURVEILLANCE REQUIREMENTS

SR 3.9.4.1

This Surveillance demonstrates that the SDC loop is in operation and circulating reactor coolant at a flowrate of greater than or equal to 3780 gpm. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. UFSAR, Section 5.4.7.
B 3.9 REFUELING OPERATIONS

B 3.9.5 Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level

BASES

BACKGROUND

The purposes of the SDC System in MODE 6 are to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, to provide sufficient coolant circulation to minimize the effects of a boron dilution accident, and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the SDC heat exchanger(s), where the heat is transferred to the Essential Cooling Water System via the SDC heat exchanger(s). The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the SDC System for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the SDC heat exchanger(s) and bypassing the heat exchanger(s). Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the SDC System.

APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to the resulting loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical.
The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two trains of the SDC System are required to be OPERABLE, and one train is required to be in operation in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, to prevent this challenge.

SDC and Coolant Circulation - Low Water Level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO

In MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, both SDC loops must be OPERABLE. Additionally, one loop of the SDC System must be in operation in order to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of a criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE SDC train is composed of an OPERABLE SDC pump (LPSI or CS) capable of providing flow to the SDC heat exchanger for heat removal. SDC pumps are OPERABLE if they are capable of being powered and are able to provide flow, if required. Note that the CS pumps shall not be used for normal operations if the water level is at or below the top of the hot-leg pipe (103' - 1") due to concerns of potential air entrainment and gas binding of the CS pump (Ref. 2).

Both SDC pumps may be aligned to the Refueling Water Tank (RWT) to support filling the refueling cavity or for performance of required testing.

The LCO is modified by a Note that allows a required operating SDC loop to be removed from service for up to 1 hour in each 8 hour period, provided no operations are permitted that would cause a reduction of the RCS boron concentration.
Boron concentration reduction is prohibited because uniform concentration distribution cannot be ensured without forced circulation. This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles, surveillance testing of ECCS pumps, and RCS to SDC isolation valve testing. During this 1 hour period, decay heat is removed by natural convection to the large mass of water in the refueling cavity.

This LCO is modified by a Note that allows one SDC loop to be inoperable for a period of 2 hours provided the other loop is OPERABLE and in operation. Prior to declaring the loop inoperable, consideration should be given to the existing plant configuration. This consideration should include that the core time to boil is not short, there is no draining operation to further reduce RCS water level and that the capacity exists to inject borated water into the reactor vessel. This permits surveillance tests to be performed on the non-operating loop during a time when these tests are safe and possible.

APPLICABILITY
Two SDC loops are required to be OPERABLE, and one SDC loop must be in operation in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the SDC System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System. MODE 6 requirements, with a water level 23 ft above the reactor vessel flange, are covered in LCO 3.9.4, "Shutdown Cooling and Coolant Circulation - High Water Level."

ACTIONS

A.1 and A.2
If one SDC loop is inoperable, action shall be immediately initiated and continued until the SDC loop is restored to OPERABLE status and to operation, or until 23 ft of water level is established above the reactor vessel flange. When the water level is established at 23 ft above the reactor vessel flange, the Applicability will change to that of LCO 3.9.4, "Shutdown Cooling and Coolant Circulation - High Water Level," and only one SDC loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

B.1
If no SDC loop is in operation or no SDC loops are OPERABLE, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur by the addition of water with lower boron concentration than that contained in the RCS. Therefore, actions that reduce boron concentration shall be suspended immediately.

B.2
If no SDC loop is in operation or no SDC loops are OPERABLE, action shall be initiated immediately and continued without interruption to restore one SDC loop to OPERABLE status and operation. Since the unit is in Conditions A and B concurrently, the restoration of two OPERABLE SDC loops and one operating SDC loop should be accomplished expeditiously.

B.3
If no SDC loop is in operation or no SDC loops are OPERABLE, all containment penetrations providing direct access from the containment atmosphere to the outside atmosphere must be closed within 4 hours. With the SDC loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmosphere.
Closing containment penetrations that are open to the outside atmosphere ensures that dose limits are not exceeded. The Completion Time of 4 hours is reasonable, based on the low probability of the coolant boiling in that time.

SURVEILLANCE REQUIREMENTS

SR 3.9.5.1
This Surveillance demonstrates that one SDC loop is operating and circulating reactor coolant at a flowrate of greater than or equal to 3780 gpm. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. In addition, this Surveillance demonstrates that the other SDC loop is OPERABLE. In addition, during operation of the SDC loop with the water level in the vicinity of the reactor vessel nozzles, the SDC loop flow rate determination must also consider the SDC pump suction requirements. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.5.2
Verification that the required pump that is not in operation is OPERABLE ensures that an additional SDC pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pump. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. UFSAR, Section 5.4.7.
2. PVNGS Calculation 13-MC-SI-0250, Appendix C.

Refueling Water Level-Fuel Assemblies B 3.9.6
PALO VERDE UNITS 1,2,3 B 3.9.6-1 REVISION 0

B 3.9 REFUELING OPERATIONS
B 3.9.6 Refueling Water Level-Fuel Assemblies

BASES

BACKGROUND
The movement of fuel assemblies within containment requires a minimum water level of 23 ft above the top of the reactor vessel flange when either the fuel assemblies being moved or the fuel assemblies seated within the reactor vessel are irradiated. During refueling this maintains sufficient water level in the refueling canal, the fuel transfer canal, the refueling cavity, and the spent fuel pool. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to < 33% of 10 CFR 100 limits, which meets the intent of the guidance of Reference 3.

APPLICABLE SAFETY ANALYSES
During movement of fuel assemblies, the water level in the refueling canal and refueling cavity is an initial condition design parameter in the analysis of the fuel handling accident in containment postulated by Regulatory Guide 1.25 (Ref. 1). A minimum water level of 23 ft (Regulatory Position C.1.c of Ref. 1) allows a decontamination factor of 100 (Regulatory Position C.1.g of Ref. 1) to be used in the accident analysis for iodine. This relates to the assumption that 99% of the total iodine released from the pellet to cladding gap of all the dropped fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain 10% of the total fuel rod iodine inventory (Ref. 1). The fuel handling accident analysis inside containment is described in Reference 2.
With a minimum water level of 23 ft and a minimum decay time of 100 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Ref. 4). Refueling water level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
A minimum refueling water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits as provided by the guidance of Reference 3.

APPLICABILITY
LCO 3.9.6 is applicable when moving fuel assemblies within containment when either the fuel assemblies being moved or the fuel assemblies seated in the reactor vessel are irradiated. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.14, "Fuel Storage Pool Water Level."

ACTIONS

A.1
With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving movement of fuel assemblies shall be suspended immediately to ensure that a fuel handling accident cannot occur.
The suspension of fuel movement shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE REQUIREMENTS

SR 3.9.6.1
Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. Regulatory Guide 1.25, March 23, 1972.
2. UFSAR, Section 15.7.4.
3. NUREG-0800, Section 15.7.4.
4. 10 CFR 100.10.

Refueling Water Level-CEAs B 3.9.7
PALO VERDE UNITS 1,2,3 B 3.9.7-1 REVISION 0

B 3.9 REFUELING OPERATIONS
B 3.9.7 Refueling Water Level - CEAs

BASES

BACKGROUND
The movement of CEAs within the reactor vessel, when irradiated fuel assemblies are seated in the reactor vessel, requires a minimum water level of 23 ft above the top of the irradiated fuel. During refueling this maintains sufficient water level in the refueling canal, the fuel transfer canal, the refueling cavity, and the spent fuel pool. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2).
Sufficient iodine activity would be retained to limit offsite doses from the accident to < 33% of 10 CFR 100 limits, which meets the intent of the guidance of Reference 3.

APPLICABLE SAFETY ANALYSES
During movement of CEAs, the water level in the refueling canal and refueling cavity is an initial condition design parameter in the analysis of the fuel handling accident in containment postulated by Regulatory Guide 1.25 (Ref. 1). A minimum water level of 23 ft (Regulatory Position C.1.c of Ref. 1) allows a decontamination factor of 100 (Regulatory Position C.1.g of Ref. 1) to be used in the accident analysis for iodine. This relates to the assumption that 99% of the total iodine released from the pellet to cladding gap of all the dropped fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain 10% of the total fuel rod iodine inventory (Ref. 1). The fuel handling accident analysis inside containment is described in Reference 2. With a minimum water level of 23 ft and a minimum decay time of 100 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Ref. 4). Refueling water level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO
A minimum refueling water level of 23 ft above irradiated assemblies seated within the reactor vessel is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits as provided by the guidance of Reference 3.

APPLICABILITY
LCO 3.9.7 is applicable during movement of CEAs within the reactor vessel when irradiated fuel assemblies are seated within the reactor vessel. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.14, "Fuel Storage Pool Water Level."

ACTIONS

A.1
With a water level of < 23 ft above the top of irradiated fuel assemblies seated within the reactor vessel, all operations involving movement of CEAs within the reactor vessel shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of movement of CEAs shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE REQUIREMENTS

SR 3.9.7.1
Verification of a minimum water level of 23 ft above the top of irradiated fuel assemblies seated within the reactor vessel ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level above the top of the irradiated fuel limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES
1. Regulatory Guide 1.25, March 23, 1972.
2. UFSAR, Section 15.7.4.
3. NUREG-0800, Section 15.7.4.
4. 10 CFR 100.10.
]]