Text

Technical Specification Bases Update Status, Revision 37 (Part 1 of 2)
	ML20160A079
Person / Time
Site:	Beaver Valley
Issue date:	05/20/2020
From:	; Energy Harbor Nuclear Corp
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML20160A057	List: L-20-051, Technical Specification Bases, Revision 37, Reactor Coolant System (RCS) (Part 2 of 2); ML20160A058; ML20160A059; ML20160A060; ML20160A062; ML20160A063; ML20160A064; ML20160A065; ML20160A066; ML20160A067; ML20160A068; ML20160A069; ML20160A070; ML20160A071; ML20160A072; ML20160A073; ML20160A074; ML20160A075; ML20160A076; ML20160A077; ML20160A078; ML20160A079;
References
	L-20-051
	Download: ML20160A079 (349)
	v • d • e

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 37 19-013 B 3.0-2 11/11/19 B 3.0-3

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 34 17-063 B 3.5.2-9 10/6/17 (continued) B 3.5.2-10 B 3.6.3-10 B 3.6.6-5 B 3.6.7-7 B 3.7.1-3 B 3.7.1-6 B 3.7.2-5 B 3.7.3-5 B 3.7.5-10 35 17-015 B 3.2.4-2 6/14/18 B 3.2.4-3 B 3.2.4-4 B 3.2.4-5 B 3.2.4-6 17-124 B 3.9.2-1 36 17-127 B 3.0-1 10/5/18 B 3.0-3 B 3.0-4 B 3.0-5 B 3.0-6 B 3.0-7 B 3.0-8 B 3.0-9 B 3.0-10 B 3.0-11 B 3.0-12 B 3.0-13 B 3.0-14 B 3.0-15 B 3.0-16 B 3.0-17 B 3.0-18 B 3.0-19 B 3.0-20 B 3.0-21 B 3.0-22 B 3.0-23

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 32 16-001 B 3.4.20-3 2/11/16 B 3.4.20-5 B 3.4.20-6 B 3.4.20-7 B 3.4.20-8 33 17-094 B 3.1.4-5 8/21/17 B 3.1.4-6 B 3.1.4-7 B 3.1.4-8 B 3.1.4-9 B 3.1.4-10 B 3.1.5-1 B 3.1.5-2 B 3.1.5-3 B 3.1.5-4 B 3.1.5-5 B 3.1.6-1 B 3.1.6-2 B 3.1.6-3 B 3.1.6-4 B 3.1.6-5 B 3.1.6-6 B 3.1.6-7 B 3.1.6-8 B 3.1.7.1-3 B 3.1.7.1-4 B 3.1.7.2-2 B 3.1.7.2-3 B 3.1.7.2-4 B 3.1.7.2-5 B 3.1.7.2-6 B 3.1.7.2-7 B 3.1.9-2 B 3.1.9-3 34 17-063 B 3.0-16 10/6/17 B 3.0-17 B 3.0-18 B 3.0-19 B 3.0-20 B 3.0-21 B 3.4.10-4 B 3.4.14-4

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 29 15-074 B 3.8.1-19 6/5/15 (continued) B 3.8.1-20 B 3.8.1-21 B 3.8.1-22 B 3.8.1-23 B 3.8.1-24 B 3.8.1-25 B 3.8.1-26 B 3.8.1-27 B 3.8.1-28 B 3.8.3-5 B 3.8.3-7 B 3.8.4-2 B 3.8.4-4 B 3.8.4-7 B 3.8.4-8 B 3.8.4-9 B 3.8.6-5 B 3.8.6-6 B 3.8.6-7 B 3.8.7-4 B 3.8.8-4 B 3.8.9-8 B 3.8.10-4 B 3.9.1-4 B 3.9.2-3 B 3.9.3-5 B 3.9.3-6 B 3.9.3-7 B 3.9.4-4 B 3.9.5-4 B 3.9.5-5 B 3.9.6-2 30 15-204 B 3.2.1-3 12/3/15 B 3.2.1-4 B 3.2.1-5 B 3.2.1-6 B 3.2.1-7 B 3.2.1-8 B 3.2.1-9 B 3.2.2-6 31 16-015 B 3.2.1-3 1/28/16 B 3.2.1-7 B 3.2.2-6

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 29 15-074 B 3.4.16-4 6/5/15 (continued) B 3.4.16-5 B 3.4.17-3 B 3.4.19-3 B 3.5.1-6 B 3.5.1-7 B 3.5.2-8 B 3.5.2-9 B 3.5.2-10 B 3.5.2-11 B 3.5.4-6 B 3.5.5-3 B 3.6.2-6 B 3.6.3-8 B 3.6.3-9 B 3.6.3-10 B 3.6.3-11 B 3.6.4-3 B 3.6.5-4 B 3.6.6-5 B 3.6.6-6 B 3.6.7-7 B 3.6.7-8 B 3.6.8-4 B 3.7.2-6 B 3.7.3-5 B 3.7.4-5 B 3.7.4-6 B 3.7.5-10 B 3.7.5-11 B 3.7.6-3 B 3.7.7-4 B 3.7.8-4 B 3.7.9-2 B 3.7.9-3 B 3.7.10-10 B 3.7.10-11 B 3.7.11-7 B 3.7.12-2 B 3.7.12-4 B 3.7.12-5 B 3.7.12-6 B 3.7.13-3 B 3.7.15-3 B 3.7.16-5 B 3.8.1-5 B 3.8.1-16 B 3.8.1-17 B 3.8.1-18

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 29 15-074 B 3.3.2-30 6/5/15 (continued) B 3.3.2-36 B 3.3.2-38 B 3.3.2-39 B 3.3.2-41 B 3.3.2-43 B 3.3.2-44 B 3.3.2-45 B 3.3.2-46 B 3.3.2-48 B 3.3.2-49 B 3.3.2-50 B 3.3.2-52 B 3.3.2-53 B 3.3.2-54 B 3.3.3-16 B 3.3.3-17 B 3.3.4-4 B 3.3.4-5 B 3.3.5-6 B 3.3.5-7 B 3.3.6-3 B 3.3.6-4 B 3.3.6-5 B 3.3.6-6 B 3.3.7-5 B 3.3.7-6 B 3.3.7-7 B 3.3.8-4 B 3.3.8-5 B 3.4.1-4 B 3.4.1-5 B 3.4.2-3 B 3.4.3-6 B 3.4.4-3 B 3.4.5-5 B 3.4.6-4 B 3.4.7-4 B 3.4.7-5 B 3.4.8-3 B 3.4.9-4 B 3.4.11-7 B 3.4.11-8 B 3.4.12-10 B 3.4.12-11 B 3.4.12-12 B 3.4.13-6 B 3.4.15-6

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 26 14-184 B 3.3.7-7 7/24/14 B 3.7.10-12 B 3.7.11-1 B 3.7.11-7 27 14-228 B 3.8.4-1 10/10/14 B 3.8.4-2 B 3.8.4-3 28 14-285 B 3.1.3-2 11/14/14 B 3.1.3-3 B 3.1.3-4 B 3.1.3-5 B 3.1.3-6 B 3.1.3-7 14-178 B 3.3.1-47 B 3.3.1-48 B 3.3.1-49 B 3.3.1-50 B 3.3.1-51 29 15-074 B 3.1.1-5 6/5/15 B 3.1.2-5 B 3.1.4-8 B 3.1.4-9 B 3.1.5-4 B 3.1.6-5 B 3.1.7.1-8 B 3.1.8-3 B 3.1.9-5 B 3.1.10-4 B 3.2.1-8 B 3.2.1-9 B 3.2.2-6 B 3.2.3-3 B 3.2.4-5 B 3.2.4-6 B 3.3.1-46 B 3.3.1-47 B 3.3.1-48 B 3.3.1-49 B 3.3.1-50 B 3.3.1-52 B 3.3.1-53 B 3.3.1-55 B 3.3.1-56 B 3.3.1-58 B 3.3.2-17

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 21 12-225 B 3.7.14-3 10/29/12 B 3.7.16-2 22 12-079 & 12-209 B 3.3.2-28 11/9/12 12-079 B 3.3.2-29 B 3.3.2-30 B 3.3.2-31 B 3.3.2-32 B 3.3.2-33 B 3.3.2-34 B 3.3.2-35 B 3.3.2-36 B 3.3.2-37 B 3.3.2-38 B 3.3.2-39 B 3.3.2-40 B 3.3.2-41 B 3.3.2-42 B 3.3.2-43 B 3.3.2-44 B 3.3.2-45 B 3.3.2-46 B 3.3.2-47 B 3.3.2-48 B 3.3.2-49 B 3.3.2-50 B 3.3.2-51 B 3.3.2-52 B 3.3.2-53 B 3.3.2-54 23 13-045 B 3.8.4-2 5/31/13 B 3.8.4-4 B 3.8.4-5 B 3.8.4-7 B 3.8.4-8 B 3.8.4-9 B 3.8.6-6 24 13-268 B 3.4.10-1 3/19/14 25 13-025 B 3.8.1-6 5/23/14 B 3.8.1-7 B 3.8.1-9 B 3.8.1-12

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 15 10-156 B 3.5.1-2 10/22/10 B 3.5.1-3 16 11-065 B 3.6.5-2 6/24/11 B 3.6.6-2 B 3.6.7-3 11-073 B 3.7.12-3 B 3.7.14-1 B 3.7.14-2 B 3.7.14-3 B 3.7.14-4 B 3.7.14-5 B 3.7.14-6 B 3.7.14-7 B 3.7.14-8 B 3.7.15-2 B 3.7.16-1 B 3.7.16-2 B 3.7.16-3 B 3.7.16-4 B 3.7.16-5 B 3.7.16-6 17 11-159 B 3.7.14-8 12/16/11 B 3.7.16-6 18 11-249 B 3.4.15-1 1/16/12 B 3.4.15-2 B 3.4.15-3 B 3.4.15-4 B 3.4.15-5 B 3.4.15-6 19 12-069 B 3.8.4-4 3/15/12 B 3.8.4-5 B 3.8.4-7 B 3.8.4-8 B 3.8.4-9 B 3.8.6-6 20 11-088 B 3.3.2-15 4/20/12 B 3.6.6-1 B 3.6.6-4 B 3.6.7-2 B 3.6.8-1 B 3.6.8-2 B 3.6.8-3 B 3.6.8-4

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 11 08-115 B 3.3.1-59 4/27/09 B 3.3.2-52 B 3.3.5-7 12 09-051 B-i 10/22/09 B-ii B-iii B 3.3.2-15 B 3.6.6-1 B 3.6.6-4 B 3.6.7-2 B 3.6.8-1 B 3.6.8-2 B 3.6.8-3 B 3.6.8-4 B 3.6.8-5 B 3.6.9-1 B 3.6.9-2 B 3.6.9-3 B 3.6.9-4 13 09-173 B 3.8.1-7 1/8/10 B 3.8.1-8 B 3.8.1-9 B 3.8.1-10 B 3.8.1-11 B 3.8.1-12 B 3.8.1-13 B 3.8.1-14 B 3.8.1-15 B 3.8.1-16 B 3.8.1-17 B 3.8.1-18 B 3.8.1-19 B 3.8.1-20 B 3.8.1-21 B 3.8.1-22 B 3.8.1-23 B 3.8.1-24 B 3.8.1-25 B 3.8.1-26 B 3.8.1-27 B 3.8.1-28 14 10-054 B 3.0-17 6/17/10 B 3.0-18 B 3.0-19

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 10 07-065 B 3.3.1-35 1/27/09 B 3.3.1-36 B 3.3.1-39 B 3.3.1-40 B 3.3.1-41 B 3.3.1-42 B 3.3.1-43 B 3.3.1-44 B 3.3.1-45 B 3.3.1-46 B 3.3.1-47 B 3.3.1-48 B 3.3.1-49 B 3.3.1-50 B 3.3.1-51 B 3.3.1-52 B 3.3.1-53 B 3.3.1-54 B 3.3.1-55 B 3.3.1-56 B 3.3.1-57 B 3.3.1-58 B 3.3.1-59 B 3.3.2-34 B 3.3.2-35 B 3.3.2-36 B 3.3.2-37 B 3.3.2-38 B 3.3.2-39 B 3.3.2-40 B 3.3.2-41 B 3.3.2-42 B 3.3.2-43 B 3.3.2-44 B 3.3.2-45 B 3.3.2-46 B 3.3.2-47 B 3.3.2-48 B 3.3.2-49 B 3.3.2-50 B 3.3.2-51 B 3.3.2-52 B 3.3.5-4 B 3.3.5-5 B 3.3.5-6 B 3.3.5-7

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 6 08-020 B 3.3.2-41 4/24/2008 (continued) B 3.3.2-42 B 3.3.2-43 B 3.3.2-44 B 3.3.2-45 B 3.3.2-46 B 3.3.2-47 B 3.3.2-48 B 3.3.2-49 B 3.5.2-10 B 3.5.2-11 B 3.6.1-2 B 3.6.2-2 B 3.6.4-1 B 3.6.5-2 B 3.6.5-3 B 3.6.6-2 B 3.6.7-2 B 3.6.7-3 B 3.6.7-4 B 3.6.7-8 7 08-075 B 3.7.7-3 6/12/2008 B 3.7.8-3 B 3.7.10-1 B 3.7.10-2 B 3.7.10-3 B 3.7.10-4 B 3.7.10-5 B 3.7.10-6 B 3.7.10-7 B 3.7.10-8 B 3.7.10-9 B 3.7.10-10 B 3.7.10-11 B 3.7.10-12 8 08-099 B 3.4.16-5 8/20/2008 9 08-046 B 3.1.7.1-1 9/4/2008 B 3.1.7.1-2 B 3.1.7.1-3 B 3.1.7.1-4 B 3.1.7.1-5 B 3.1.7.1-6 B 3.1.7.1-7 B 3.1.7.1-8 08-081 B 3.7.4-3 B 3.7.4-4 B 3.7.4-5 B 3.7.4-6

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date 3 07-147 B 3.6.7-3 10/15/2007 (continued) B 3.6.7-4 B 3.6.7-4a B 3.6.7-8 07-147 & 07-156 B 3.6.7-8a 07-147 B 3.6.7-9 4 07-103 B 3.5.1-3 3/20/2008 B 3.5.1-6 08-005 B 3.8.2-4 5 08-017 B 3.7.14-1 4/1/2008 B 3.7.14-2 B 3.7.14-3 B 3.7.14-4 B 3.7.14-5 B 3.7.14-6 B 3.7.16-1 B 3.7.16-2 B 3.7.16-3 B 3.7.16-5 6 08-020 B 3.3.2-15 4/24/2008 B 3.3.2-16 B 3.3.2-17 B 3.3.2-18 B 3.3.2-19 B 3.3.2-20 B 3.3.2-21 B 3.3.2-22 B 3.3.2-23 B 3.3.2-24 B 3.3.2-25 B 3.3.2-26 B 3.3.2-27 B 3.3.2-28 B 3.3.2-29 B 3.3.2-30 B 3.3.2-31 B 3.3.2-32 B 3.3.2-33 B 3.3.2-34 B 3.3.2-35 B 3.3.2-36 B 3.3.2-37 B 3.3.2-38 B 3.3.2-39 B 3.3.2-40

TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1&2 Revision Change Pages Implementation No. No. Issued Date N/A All previous Change All Technical Prior to 6/23/2007 Numbers Specification Bases pages 0 1-031/2-035 All Improved Technical 6/23/2007 Specification Bases pages 1 07-087 B 3.8.3-5 9/18/2007 B 3.8.3-6 B 3.8.3-7 B 3.8.3-8 B 3.8.9-9 2 07-151 B-i 10/12/2007 07-068 B 3.0-1 B 3.0-11 B 3.0-12 07-151 B 3.0-13 B 3.0-14 B 3.0-15 B 3.0-16 B 3.0-17 B 3.0-18 B 3.0-19 B 3.0-20 B 3.0-21 3 07-147 B 3.3.2-9 10/15/2007 B 3.3.2-14 B 3.3.2-14a B 3.3.2-14b B 3.3.2-14c B 3.3.2-15 B 3.3.2-16 B 3.3.2-19 B 3.3.2-20 B 3.3.2-28 B 3.3.2-34 B 3.3.2-38 B 3.5.2-11 B 3.6.1-2 B 3.6.2-2 B 3.6.4-1 B 3.6.5-2 B 3.6.6-2 B 3.6.7-1 07-147 & 07-156 B 3.6.7-2

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Revision No. Page Revision No.

B-i Revision 36 B 3.1.4-1 Revision 0 B-ii Revision 36 B 3.1.4-2 Revision 0 B-iii Revision 36 B 3.1.4-3 Revision 0 B 3.1.4-4 Revision 0 B 2.1.1-1 Revision 0 B 3.1.4-5 Revision 33 B 2.1.1-2 Revision 0 B 3.1.4-6 Revision 33 B 2.1.1-3 Revision 0 B 3.1.4-7 Revision 33 B 3.1.4-8 Revision 33 B 2.1.2-1 Revision 0 B 3.1.4-9 Revision 33 B 2.1.2-2 Revision 0 B 3.1.4-10 Revision 33 B 2.1.2-3 Revision 0 B 3.1.5-1 Revision 33 B 3.0-1 Revision 36 B 3.1.5-2 Revision 33 B 3.0-2 Revision 37 B 3.1.5-3 Revision 33 B 3.0-3 Revision 37 B 3.1.5-4 Revision 33 B 3.0-4 Revision 36 B 3.1.5-5 Revision 33 B 3.0-5 Revision 36 B 3.0-6 Revision 36 B 3.1.6-1 Revision 33 B 3.0-7 Revision 36 B 3.1.6-2 Revision 33 B 3.0-8 Revision 36 B 3.1.6-3 Revision 33 B 3.0-9 Revision 36 B 3.1.6-4 Revision 33 B 3.0-10 Revision 36 B 3.1.6-5 Revision 33 B 3.0-11 Revision 36 B 3.1.6-6 Revision 33 B 3.0-12 Revision 36 B 3.1.6-7 Revision 33 B 3.0-13 Revision 36 B 3.1.6-8 Revision 33 B 3.0-14 Revision 36 B 3.0-15 Revision 36 B 3.1.7.1-1 Revision 9 B 3.0-16 Revision 36 B 3.1.7.1-2 Revision 9 B 3.0-17 Revision 36 B 3.1.7.1-3 Revision 33 B 3.0-18 Revision 36 B 3.1.7.1-4 Revision 33 B 3.0-19 Revision 36 B 3.1.7.1-5 Revision 9 B 3.0-20 Revision 36 B 3.1.7.1-6 Revision 9 B 3.0-21 Revision 36 B 3.1.7.1-7 Revision 9 B 3.0-22 Revision 36 B 3.1.7.1-8 Revision 29 B 3.0-23 Revision 36 B 3.1.7.2-1 Revision 0 B 3.1.1-1 Revision 0 B 3.1.7.2-2 Revision 33 B 3.1.1-2 Revision 0 B 3.1.7.2-3 Revision 33 B 3.1.1-3 Revision 0 B 3.1.7.2-4 Revision 33 B 3.1.1-4 Revision 0 B 3.1.7.2-5 Revision 33 B 3.1.1-5 Revision 29 B 3.1.7.2-6 Revision 33 B 3.1.7.2-7 Revision 33 B 3.1.2-1 Revision 0 B 3.1.2-2 Revision 0 B 3.1.8-1 Revision 0 B 3.1.2-3 Revision 0 B 3.1.8-2 Revision 0 B 3.1.2-4 Revision 0 B 3.1.8-3 Revision 29 B 3.1.2-5 Revision 29 B 3.1.9-1 Revision 0 B 3.1.3-1 Revision 0 B 3.1.9-2 Revision 33 B 3.1.3-2 Revision 28 B 3.1.9-3 Revision 33 B 3.1.3-3 Revision 28 B 3.1.9-4 Revision 0 B 3.1.3-4 Revision 28 B 3.1.9-5 Revision 29 B 3.1.3-5 Revision 28 B 3.1.3-6 Revision 28 B 3.1.10-1 Revision 0 B 3.1.3-7 Revision 28 Beaver Valley Units 1 and 2 B EP-1 Revision 37

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Revision No. Page Revision No.

B 3.1.10-2 Revision 0 B 3.3.1-21 Revision 0 B 3.1.10-3 Revision 0 B 3.3.1-22 Revision 0 B 3.1.10-4 Revision 29 B 3.3.1-23 Revision 0 B 3.1.10-5 Revision 0 B 3.3.1-24 Revision 0 B 3.3.1-25 Revision 0 B 3.2.1-1 Revision 0 B 3.3.1-26 Revision 0 B 3.2.1-2 Revision 0 B 3.3.1-27 Revision 0 B 3.2.1-3 Revision 31 B 3.3.1-28 Revision 0 B 3.2.1-4 Revision 30 B 3.3.1-29 Revision 0 B 3.2.1-5 Revision 30 B 3.3.1-30 Revision 0 B 3.2.1-6 Revision 30 B 3.3.1-31 Revision 0 B 3.2.1-7 Revision 31 B 3.3.1-32 Revision 0 B 3.2.1-8 Revision 30 B 3.3.1-33 Revision 0 B 3.2.1-9 Revision 30 B 3.3.1-34 Revision 0 B 3.2.1-10 Revision 0 B 3.3.1-35 Revision 10 B 3.3.1-36 Revision 10 B 3.2.2-1 Revision 0 B 3.3.1-37 Revision 0 B 3.2.2-2 Revision 0 B 3.3.1-38 Revision 0 B 3.2.2-3 Revision 0 B 3.3.1-39 Revision 10 B 3.2.2-4 Revision 0 B 3.3.1-40 Revision 10 B 3.2.2-5 Revision 0 B 3.3.1-41 Revision 10 B 3.2.2-6 Revision 31 B 3.3.1-42 Revision 10 B 3.3.1-43 Revision 10 B 3.2.3-1 Revision 0 B 3.3.1-44 Revision 10 B 3.2.3-2 Revision 0 B 3.3.1-45 Revision 10 B 3.2.3-3 Revision 29 B 3.3.1-46 Revision 29 B 3.2.3-4 Revision 0 B 3.3.1-47 Revision 29 B 3.2.3-5 Revision 0 B 3.3.1-48 Revision 29 B 3.3.1-49 Revision 29 B 3.2.4-1 Revision 0 B 3.3.1-50 Revision 29 B 3.2.4-2 Revision 35 B 3.3.1-51 Revision 28 B 3.2.4-3 Revision 35 B 3.3.1-52 Revision 29 B 3.2.4-4 Revision 35 B 3.3.1-53 Revision 29 B 3.2.4-5 Revision 35 B 3.3.1-54 Revision 10 B 3.2.4-6 Revision 35 B 3.3.1-55 Revision 29 B 3.3.1-56 Revision 29 B 3.3.1-1 Revision 0 B 3.3.1-57 Revision 10 B 3.3.1-2 Revision 0 B 3.3.1-58 Revision 29 B 3.3.1-3 Revision 0 B 3.3.1-59 Revision 11 B 3.3.1-4 Revision 0 B 3.3.1-5 Revision 0 B 3.3.2-1 Revision 0 B 3.3.1-6 Revision 0 B 3.3.2-2 Revision 0 B 3.3.1-7 Revision 0 B 3.3.2-3 Revision 0 B 3.3.1-8 Revision 0 B 3.3.2-4 Revision 0 B 3.3.1-9 Revision 0 B 3.3.2-5 Revision 0 B 3.3.1-10 Revision 0 B 3.3.2-6 Revision 0 B 3.3.1-11 Revision 0 B 3.3.2-7 Revision 0 B 3.3.1-12 Revision 0 B 3.3.2-8 Revision 0 B 3.3.1-13 Revision 0 B 3.3.2-9 Revision 0 B 3.3.1-14 Revision 0 B 3.3.2-10 Revision 0 B 3.3.1-15 Revision 0 B 3.3.2-11 Revision 0 B 3.3.1-16 Revision 0 B 3.3.2-12 Revision 0 B 3.3.1-17 Revision 0 B 3.3.2-13 Revision 0 B 3.3.1-18 Revision 0 B 3.3.2-14 Revision 0 B 3.3.1-19 Revision 0 B 3.3.2-15 Revision 0 B 3.3.1-20 Revision 0 B 3.3.2-16 Revision 0 Beaver Valley Units 1 and 2 B EP-2 Revision 37

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Revision No. Page Revision No.

B 3.3.2-17 Revision 29 B 3.3.3-18 Revision 0 B 3.3.2-18 Revision 6 B 3.3.2-19 Revision 6 B 3.3.4-1 Revision 0 B 3.3.2-20 Revision 6 B 3.3.4-2 Revision 0 B 3.3.2-21 Revision 6 B 3.3.4-3 Revision 0 B 3.3.2-22 Revision 6 B 3.3.4-4 Revision 29 B 3.3.2-23 Revision 6 B 3.3.4-5 Revision 29 B 3.3.2-24 Revision 6 B 3.3.4-6 Revision 0 B 3.3.2-25 Revision 6 B 3.3.2-26 Revision 6 B 3.3.5-1 Revision 0 B 3.3.2-27 Revision 6 B 3.3.5-2 Revision 0 B 3.3.2-28 Revision 22 B 3.3.5-3 Revision 0 B 3.3.2-29 Revision 22 B 3.3.5-4 Revision 10 B 3.3.2-30 Revision 29 B 3.3.5-5 Revision 10 B 3.3.2-31 Revision 22 B 3.3.5-6 Revision 29 B 3.3.2-32 Revision 22 B 3.3.5-7 Revision 29 B 3.3.2-33 Revision 22 B 3.3.2-34 Revision 22 B 3.3.6-1 Revision 0 B 3.3.2-35 Revision 22 B 3.3.6-2 Revision 0 B 3.3.2-36 Revision 29 B 3.3.6-3 Revision 29 B 3.3.2-37 Revision 22 B 3.3.6-4 Revision 29 B 3.3.2-38 Revision 29 B 3.3.6-5 Revision 29 B 3.3.2-39 Revision 29 B 3.3.6-6 Revision 29 B 3.3.2-40 Revision 22 B 3.3.2-41 Revision 29 B 3.3.7-1 Revision 0 B 3.3.2-42 Revision 22 B 3.3.7-2 Revision 0 B 3.3.2-43 Revision 29 B 3.3.7-3 Revision 0 B 3.3.2-44 Revision 29 B 3.3.7-4 Revision 0 B 3.3.2-45 Revision 29 B 3.3.7-5 Revision 29 B 3.3.2-46 Revision 29 B 3.3.7-6 Revision 29 B 3.3.2-47 Revision 22 B 3.3.7-7 Revision 29 B 3.3.2-48 Revision 29 B 3.3.2-49 Revision 29 B 3.3.8-1 Revision 0 B 3.3.2-50 Revision 29 B 3.3.8-2 Revision 0 B 3.3.2-51 Revision 22 B 3.3.8-3 Revision 0 B 3.3.2-52 Revision 29 B 3.3.8-4 Revision 29 B 3.3.2-53 Revision 29 B 3.3.8-5 Revision 29 B 3.3.2-54 Revision 29 B 3.4.1-1 Revision 0 B 3.3.3-1 Revision 0 B 3.4.1-2 Revision 0 B 3.3.3-2 Revision 0 B 3.4.1-3 Revision 0 B 3.3.3-3 Revision 0 B 3.4.1-4 Revision 29 B 3.3.3-4 Revision 0 B 3.4.1-5 Revision 29 B 3.3.3-5 Revision 0 B 3.3.3-6 Revision 0 B 3.4.2-1 Revision 0 B 3.3.3-7 Revision 0 B 3.4.2-2 Revision 0 B 3.3.3-8 Revision 0 B 3.4.2-3 Revision 29 B 3.3.3-9 Revision 0 B 3.3.3-10 Revision 0 B 3.4.3-1 Revision 0 B 3.3.3-11 Revision 0 B 3.4.3-2 Revision 0 B 3.3.3-12 Revision 0 B 3.4.3-3 Revision 0 B 3.3.3-13 Revision 0 B 3.4.3-4 Revision 0 B 3.3.3-14 Revision 0 B 3.4.3-5 Revision 0 B 3.3.3-15 Revision 0 B 3.4.3-6 Revision 29 B 3.3.3-16 Revision 29 B 3.3.3-17 Revision 29 B 3.4.4-1 Revision 0 Beaver Valley Units 1 and 2 B EP-3 Revision 37

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Revision No. Page Revision No.

B 3.4.4-2 Revision 0 B 3.4.13-1 Revision 0 B 3.4.4-3 Revision 29 B 3.4.13-2 Revision 0 B 3.4.13-3 Revision 0 B 3.4.5-1 Revision 0 B 3.4.13-4 Revision 0 B 3.4.5-2 Revision 0 B 3.4.13-5 Revision 0 B 3.4.5-3 Revision 0 B 3.4.13-6 Revision 29 B 3.4.5-4 Revision 0 B 3.4.13-7 Revision 0 B 3.4.5-5 Revision 29 B 3.4.5-6 Revision 0 B 3.4.14-1 Revision 0 B 3.4.14-2 Revision 0 B 3.4.6-1 Revision 0 B 3.4.14-3 Revision 0 B 3.4.6-2 Revision 0 B 3.4.14-4 Revision 34 B 3.4.6-3 Revision 0 B 3.4.14-5 Revision 0 B 3.4.6-4 Revision 29 B 3.4.15-1 Revision 18 B 3.4.7-1 Revision 0 B 3.4.15-2 Revision 18 B 3.4.7-2 Revision 0 B 3.4.15-3 Revision 18 B 3.4.7-3 Revision 0 B 3.4.15-4 Revision 18 B 3.4.7-4 Revision 29 B 3.4.15-5 Revision 18 B 3.4.7-5 Revision 29 B 3.4.15-6 Revision 29 B 3.4.8-1 Revision 0 B 3.4.16-1 Revision 0 B 3.4.8-2 Revision 0 B 3.4.16-2 Revision 0 B 3.4.8-3 Revision 29 B 3.4.16-3 Revision 0 B 3.4.16-4 Revision 29 B 3.4.9-1 Revision 0 B 3.4.16-5 Revision 29 B 3.4.9-2 Revision 0 B 3.4.9-3 Revision 0 B 3.4.17-1 Revision 0 B 3.4.9-4 Revision 29 B 3.4.17-2 Revision 0 B 3.4.17-3 Revision 29 B 3.4.10-1 Revision 24 B 3.4.10-2 Revision 0 B 3.4.18-1 Revision 0 B 3.4.10-3 Revision 0 B 3.4.18-2 Revision 0 B 3.4.10-4 Revision 34 B 3.4.18-3 Revision 0 B 3.4.11-1 Revision 0 B 3.4.19-1 Revision 0 B 3.4.11-2 Revision 0 B 3.4.19-2 Revision 0 B 3.4.11-3 Revision 0 B 3.4.19-3 Revision 29 B 3.4.11-4 Revision 0 B 3.4.19-4 Revision 0 B 3.4.11-5 Revision 0 B 3.4.11-6 Revision 0 B 3.4.20-1 Revision 0 B 3.4.11-7 Revision 29 B 3.4.20-2 Revision 0 B 3.4.11-8 Revision 29 B 3.4.20-3 Revision 32 B 3.4.20-4 Revision 0 B 3.4.12-1 Revision 0 B 3.4.20-5 Revision 32 B 3.4.12-2 Revision 0 B 3.4.20-6 Revision 32 B 3.4.12-3 Revision 0 B 3.4.20-7 Revision 32 B 3.4.12-4 Revision 0 B 3.4.20-8 Revision 32 B 3.4.12-5 Revision 0 B 3.4.12-6 Revision 0 B 3.5.1-1 Revision 0 B 3.4.12-7 Revision 0 B 3.5.1-2 Revision 15 B 3.4.12-8 Revision 0 B 3.5.1-3 Revision 15 B 3.4.12-9 Revision 0 B 3.5.1-4 Revision 0 B 3.4.12-10 Revision 29 B 3.5.1-5 Revision 0 B 3.4.12-11 Revision 29 B 3.5.1-6 Revision 29 B 3.4.12-12 Revision 29 B 3.5.1-7 Revision 29 Beaver Valley Units 1 and 2 B EP-4 Revision 37

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Revision No. Page Revision No.

B 3.5.2-1 Revision 0 B 3.6.5-1 Revision 0 B 3.5.2-2 Revision 0 B 3.6.5-2 Revision 16 B 3.5.2-3 Revision 0 B 3.6.5-3 Revision 6 B 3.5.2-4 Revision 0 B 3.6.5-4 Revision 29 B 3.5.2-5 Revision 0 B 3.5.2-6 Revision 0 B 3.6.6-1 Revision 20 B 3.5.2-7 Revision 0 B 3.6.6-2 Revision 16 B 3.5.2-8 Revision 29 B 3.6.6-3 Revision 0 B 3.5.2-9 Revision 34 B 3.6.6-4 Revision 20 B 3.5.2-10 Revision 34 B 3.6.6-5 Revision 34 B 3.5.2-11 Revision 29 B 3.6.6-6 Revision 29 B 3.5.3-1 Revision 0 B 3.6.7-1 Revision 3 B 3.5.3-2 Revision 0 B 3.6.7-2 Revision 20 B 3.5.3-3 Revision 0 B 3.6.7-3 Revision 16 B 3.6.7-4 Revision 6 B 3.5.4-1 Revision 0 B 3.6.7-5 Revision 0 B 3.5.4-2 Revision 0 B 3.6.7-6 Revision 0 B 3.5.4-3 Revision 0 B 3.6.7-7 Revision 34 B 3.5.4-4 Revision 0 B 3.6.7-8 Revision 29 B 3.5.4-5 Revision 0 B 3.6.7-9 Revision 3 B 3.5.4-6 Revision 29 B 3.6.8-1 Revision 20 B 3.5.5-1 Revision 0 B 3.6.8-2 Revision 20 B 3.5.5-2 Revision 0 B 3.6.8-3 Revision 20 B 3.5.5-3 Revision 29 B 3.6.8-4 Revision 29 B 3.5.5-4 Revision 0 B 3.7.1-1 Revision 0 B 3.6.1-1 Revision 0 B 3.7.1-2 Revision 0 B 3.6.1-2 Revision 6 B 3.7.1-3 Revision 34 B 3.6.1-3 Revision 0 B 3.7.1-4 Revision 0 B 3.6.1-4 Revision 0 B 3.7.1-5 Revision 0 B 3.7.1-6 Revision 34 B 3.6.2-1 Revision 0 B 3.7.1-7 Revision 0 B 3.6.2-2 Revision 6 B 3.6.2-3 Revision 0 B 3.7.2-1 Revision 0 B 3.6.2-4 Revision 0 B 3.7.2-2 Revision 0 B 3.6.2-5 Revision 0 B 3.7.2-3 Revision 0 B 3.6.2-6 Revision 29 B 3.7.2-4 Revision 0 B 3.7.2-5 Revision 34 B 3.6.3-1 Revision 0 B 3.7.2-6 Revision 29 B 3.6.3-2 Revision 0 B 3.6.3-3 Revision 0 B 3.7.3-1 Revision 0 B 3.6.3-4 Revision 0 B 3.7.3-2 Revision 0 B 3.6.3-5 Revision 0 B 3.7.3-3 Revision 0 B 3.6.3-6 Revision 0 B 3.7.3-4 Revision 0 B 3.6.3-7 Revision 0 B 3.7.3-5 Revision 34 B 3.6.3-8 Revision 29 B 3.6.3-9 Revision 29 B 3.7.4-1 Revision 0 B 3.6.3-10 Revision 34 B 3.7.4-2 Revision 0 B 3.6.3-11 Revision 29 B 3.7.4-3 Revision 9 B 3.7.4-4 Revision 9 B 3.6.4-1 Revision 6 B 3.7.4-5 Revision 29 B 3.6.4-2 Revision 0 B 3.7.4-6 Revision 29 B 3.6.4-3 Revision 29 Beaver Valley Units 1 and 2 B EP-5 Revision 37

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Revision No. Page Revision No.

B 3.7.5-1 Revision 0 B 3.7.12-5 Revision 29 B 3.7.5-2 Revision 0 B 3.7.12-6 Revision 29 B 3.7.5-3 Revision 0 B 3.7.5-4 Revision 0 B 3.7.13-1 Revision 0 B 3.7.5-5 Revision 0 B 3.7.13-2 Revision 0 B 3.7.5-6 Revision 0 B 3.7.13-3 Revision 29 B 3.7.5-7 Revision 0 B 3.7.5-8 Revision 0 B 3.7.14-1 Revision 16 B 3.7.5-9 Revision 0 B 3.7.14-2 Revision 16 B 3.7.5-10 Revision 34 B 3.7.14-3 Revision 21 B 3.7.5-11 Revision 29 B 3.7.14-4 Revision 16 B 3.7.5-12 Revision 0 B 3.7.14-5 Revision 16 B 3.7.14-6 Revision 16 B 3.7.6-1 Revision 0 B 3.7.14-7 Revision 16 B 3.7.6-2 Revision 0 B 3.7.14-8 Revision 17 B 3.7.6-3 Revision 29 B 3.7.15-1 Revision 0 B 3.7.7-1 Revision 0 B 3.7.15-2 Revision 16 B 3.7.7-2 Revision 0 B 3.7.15-3 Revision 29 B 3.7.7-3 Revision 7 B 3.7.7-4 Revision 29 B 3.7.16-1 Revision 16 B 3.7.16-2 Revision 21 B 3.7.8-1 Revision 0 B 3.7.16-3 Revision 16 B 3.7.8-2 Revision 0 B 3.7.16-4 Revision 16 B 3.7.8-3 Revision 7 B 3.7.16-5 Revision 29 B 3.7.8-4 Revision 29 B 3.7.16-6 Revision 17 B 3.7.9-1 Revision 0 B 3.8.1-1 Revision 0 B 3.7.9-2 Revision 29 B 3.8.1-2 Revision 0 B 3.7.9-3 Revision 29 B 3.8.1-3 Revision 0 B 3.8.1-4 Revision 0 B 3.7.10-1 Revision 7 B 3.8.1-5 Revision 29 B 3.7.10-2 Revision 7 B 3.8.1-6 Revision 25 B 3.7.10-3 Revision 7 B 3.8.1-7 Revision 25 B 3.7.10-4 Revision 7 B 3.8.1-8 Revision 13 B 3.7.10-5 Revision 7 B 3.8.1-9 Revision 25 B 3.7.10-6 Revision 7 B 3.8.1-10 Revision 13 B 3.7.10-7 Revision 7 B 3.8.1-11 Revision 13 B 3.7.10-8 Revision 7 B 3.8.1-12 Revision 25 B 3.7.10-9 Revision 7 B 3.8.1-13 Revision 13 B 3.7.10-10 Revision 29 B 3.8.1-14 Revision 13 B 3.7.10-11 Revision 29 B 3.8.1-15 Revision 13 B 3.7.10-12 Revision 26 B 3.8.1-16 Revision 29 B 3.8.1-17 Revision 29 B 3.7.11-1 Revision 26 B 3.8.1-18 Revision 29 B 3.7.11-2 Revision 0 B 3.8.1-19 Revision 29 B 3.7.11-3 Revision 0 B 3.8.1-20 Revision 29 B 3.7.11-4 Revision 0 B 3.8.1-21 Revision 29 B 3.7.11-5 Revision 0 B 3.8.1-22 Revision 29 B 3.7.11-6 Revision 0 B 3.8.1-23 Revision 29 B 3.7.11-7 Revision 29 B 3.8.1-24 Revision 29 B 3.8.1-25 Revision 29 B 3.7.12-1 Revision 0 B 3.8.1-26 Revision 29 B 3.7.12-2 Revision 29 B 3.8.1-27 Revision 29 B 3.7.12-3 Revision 16 B 3.8.1-28 Revision 29 B 3.7.12-4 Revision 29 Beaver Valley Units 1 and 2 B EP-6 Revision 37

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Revision No. Page Revision No.

B 3.8.2-1 Revision 0 B 3.8.9-6 Revision 0 B 3.8.2-2 Revision 0 B 3.8.9-7 Revision 0 B 3.8.2-3 Revision 0 B 3.8.9-8 Revision 29 B 3.8.2-4 Revision 4 B 3.8.9-9 Revision 1 B 3.8.2-5 Revision 0 B 3.8.2-6 Revision 0 B 3.8.10-1 Revision 0 B 3.8.2-7 Revision 0 B 3.8.10-2 Revision 0 B 3.8.10-3 Revision 0 B 3.8.3-1 Revision 0 B 3.8.10-4 Revision 29 B 3.8.3-2 Revision 0 B 3.8.3-3 Revision 0 B 3.9.1-1 Revision 0 B 3.8.3-4 Revision 0 B 3.9.1-2 Revision 0 B 3.8.3-5 Revision 29 B 3.9.1-3 Revision 0 B 3.8.3-6 Revision 1 B 3.9.1-4 Revision 29 B 3.8.3-7 Revision 29 B 3.8.3-8 Revision 1 B 3.9.2-1 Revision 35 B 3.9.2-2 Revision 0 B 3.8.4-1 Revision 27 B 3.9.2-3 Revision 29 B 3.8.4-2 Revision 29 B 3.8.4-3 Revision 27 B 3.9.3-1 Revision 0 B 3.8.4-4 Revision 29 B 3.9.3-2 Revision 0 B 3.8.4-5 Revision 23 B 3.9.3-3 Revision 0 B 3.8.4-6 Revision 0 B 3.9.3-4 Revision 0 B 3.8.4-7 Revision 29 B 3.9.3-5 Revision 29 B 3.8.4-8 Revision 29 B 3.9.3-6 Revision 29 B 3.8.4-9 Revision 29 B 3.9.3-7 Revision 29 B 3.8.5-1 Revision 0 B 3.9.4-1 Revision 0 B 3.8.5-2 Revision 0 B 3.9.4-2 Revision 0 B 3.8.5-3 Revision 0 B 3.9.4-3 Revision 0 B 3.8.5-4 Revision 0 B 3.9.4-4 Revision 29 B 3.8.6-1 Revision 0 B 3.9.5-1 Revision 0 B 3.8.6-2 Revision 0 B 3.9.5-2 Revision 0 B 3.8.6-3 Revision 0 B 3.9.5-3 Revision 0 B 3.8.6-4 Revision 0 B 3.9.5-4 Revision 29 B 3.8.6-5 Revision 29 B 3.9.5-5 Revision 29 B 3.8.6-6 Revision 29 B 3.8.6-7 Revision 29 B 3.9.6-1 Revision 0 B 3.8.6-8 Revision 0 B 3.9.6-2 Revision 29 B 3.8.7-1 Revision 0 B 3.8.7-2 Revision 0 B 3.8.7-3 Revision 0 B 3.8.7-4 Revision 29 B 3.8.8-1 Revision 0 B 3.8.8-2 Revision 0 B 3.8.8-3 Revision 0 B 3.8.8-4 Revision 29 B 3.8.9-1 Revision 0 B 3.8.9-2 Revision 0 B 3.8.9-3 Revision 0 B 3.8.9-4 Revision 0 B 3.8.9-5 Revision 0 Beaver Valley Units 1 and 2 B EP-7 Revision 37

TECHNICAL SPECIFICATION BASES TABLE OF CONTENTS Page No.

B 2.0 SAFETY LIMITS (SLs)

B 2.1.1 Reactor Core SLs ................................................................................ B 2.1.1-1 B 2.1.2 Reactor Coolant System (RCS) Pressure SL ....................................... B 2.1.2-1 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY ........... B 3.0-1 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY ......................... B 3.0-17 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 Shutdown Margin (SDM) ...................................................................... B 3.1.1-1 B 3.1.2 Core Reactivity .................................................................................... B 3.1.2-1 B 3.1.3 Moderator Temperature Coefficient (MTC)........................................... B 3.1.3-1 B 3.1.4 Rod Group Alignment Limits ................................................................ B 3.1.4-1 B 3.1.5 Shutdown Bank Insertion Limits ........................................................... B 3.1.5-1 B 3.1.6 Control Bank Insertion Limits ............................................................... B 3.1.6-1 B 3.1.7 Rod Position Indication ........................................................................ B 3.1.7.1-1 B 3.1.7.1 Unit 1 Rod Position Indication ........................................................ B 3.1.7.1-1 B 3.1.7.2 Unit 2 Rod Position Indication ........................................................ B 3.1.7.2-1 B 3.1.8 Unborated Water Source Isolation Valves ............................................ B 3.1.8-1 B 3.1.9 PHYSICS TESTS Exceptions - MODE 2 .............................................. B 3.1.9-1 B 3.1.10 RCS Boron Limitations < 500°F ........................................................... B 3.1.10-1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 Heat Flux Hot Channel Factor (FQ(Z)) .................................................. B 3.2.1-1 B 3.2.2 Nuclear Enthalpy Rise Hot Channel Factor (FNH) ................................ B 3.2.2-1 B 3.2.3 AXIAL FLUX DIFFERENCE (AFD) ..................................................... B 3.2.3-1 B 3.2.4 QUADRANT POWER TILT RATIO (QPTR) ......................................... B 3.2.4-1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS) Instrumentation......................................... B 3.3.1-1 B 3.3.2 Engineered Safety Feature Actuation System (ESFAS)

Instrumentation .............................................................................. B 3.3.2-1 B 3.3.3 Post Accident Monitoring (PAM) Instrumentation ................................. B 3.3.3-1 B 3.3.4 Remote Shutdown System................................................................... B 3.3.4-1 B 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start and Bus Separation Instrumentation ............................................................ B 3.3.5-1 B 3.3.6 Unit 2 Containment Purge and Exhaust Isolation Instrumentation ........ B 3.3.6-1 B 3.3.7 Control Room Emergency Ventilation System (CREVS)

Actuation Instrumentation............................................................... B 3.3.7-1 B 3.3.8 Boron Dilution Detection Instrumentation ............................................. B 3.3.8-1 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits ........................................................ B 3.4.1-1 B 3.4.2 RCS Minimum Temperature for Criticality ............................................ B 3.4.2-1 B 3.4.3 RCS Pressure and Temperature (P/T) Limits ....................................... B 3.4.3-1 B 3.4.4 RCS Loops - MODES 1 and 2.............................................................. B 3.4.4-1 B 3.4.5 RCS Loops - MODE 3 .......................................................................... B 3.4.5-1 Beaver Valley Units 1 and 2 B-i Revision 36

TECHNICAL SPECIFICATION BASES TABLE OF CONTENTS Page No.

B 3.4 REACTOR COOLANT SYSTEM (RCS) (continued)

B 3.4.6 RCS Loops - MODE 4 .......................................................................... B 3.4.6-1 B 3.4.7 RCS Loops - MODE 5, Loops Filled ..................................................... B 3.4.7-1 B 3.4.8 RCS Loops - MODE 5, Loops Not Filled .............................................. B 3.4.8-1 B 3.4.9 Pressurizer........................................................................................... B 3.4.9-1 B 3.4.10 Pressurizer Safety Valves .................................................................... B 3.4.10-1 B 3.4.11 Pressurizer Power Operated Relief Valves (PORVs) ........................... B 3.4.11-1 B 3.4.12 Overpressure Protection System (OPPS) ............................................ B 3.4.12-1 B 3.4.13 RCS Operational LEAKAGE ................................................................ B 3.4.13-1 B 3.4.14 RCS Pressure Isolation Valve (PIV) Leakage ...................................... B 3.4.14-1 B 3.4.15 RCS Leakage Detection Instrumentation ............................................. B 3.4.15-1 B 3.4.16 RCS Specific Activity ........................................................................... B 3.4.16-1 B 3.4.17 RCS Loop Isolation Valves .................................................................. B 3.4.17-1 B 3.4.18 RCS Isolated Loop Startup .................................................................. B 3.4.18-1 B 3.4.19 RCS Loops - Test Exceptions .............................................................. B 3.4.19-1 B 3.4.20 Steam Generator (SG) Tube Integrity .................................................. B 3.4.20-1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.1 Accumulators ....................................................................................... B 3.5.1-1 B 3.5.2 ECCS - Operating ................................................................................ B 3.5.2-1 B 3.5.3 ECCS - Shutdown ................................................................................ B 3.5.3-1 B 3.5.4 Refueling Water Storage Tank (RWST) ............................................... B 3.5.4-1 B 3.5.5 Seal Injection Flow ............................................................................... B 3.5.5-1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1 Containment ........................................................................................ B 3.6.1-1 B 3.6.2 Containment Air Locks ......................................................................... B 3.6.2-1 B 3.6.3 Containment Isolation Valves ............................................................... B 3.6.3-1 B 3.6.4 Containment Pressure ......................................................................... B 3.6.4-1 B 3.6.5 Containment Air Temperature .............................................................. B 3.6.5-1 B 3.6.6 Quench Spray (QS) System ................................................................. B 3.6.6-1 B 3.6.7 Recirculation Spray (RS) System ......................................................... B 3.6.7-1 B 3.6.8 Containment Sump pH Control System................................................ B 3.6.8-1 B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Safety Valves (MSSVs) .................................................... B 3.7.1-1 B 3.7.2 Main Steam Isolation Valves (MSIVs) .................................................. B 3.7.2-1 B 3.7.3 Main Feedwater Isolation Valves (MFIVs) and Main Feedwater Regulation Valves (MFRVs) and MFRV Bypass Valves ................. B 3.7.3-1 B 3.7.4 Atmospheric Dump Valves (ADVs) ...................................................... B 3.7.4-1 B 3.7.5 Auxiliary Feedwater (AFW) System...................................................... B 3.7.5-1 B 3.7.6 Primary Plant Demineralized Water Storage Tank (PPDWST) ............. B 3.7.6-1 B 3.7.7 Component Cooling Water (CCW) System .......................................... B 3.7.7-1 B 3.7.8 Service Water System (SWS) .............................................................. B 3.7.8-1 B 3.7.9 Ultimate Heat Sink (UHS) .................................................................... B 3.7.9-1 B 3.7.10 Control Room Emergency Ventilation System (CREVS) ...................... B 3.7.10-1 B 3.7.11 Control Room Emergency Air Cooling System (CREACS) ................... B 3.7.11-1 B 3.7.12 Supplemental Leak Collection and Release System (SLCRS) ............. B 3.7.12-1 Beaver Valley Units 1 and 2 B-ii Revision 36

TECHNICAL SPECIFICATION BASES TABLE OF CONTENTS Page No.

3.7 PLANT SYSTEMS (continued)

B 3.7.13 Secondary Specific Activity .................................................................. B 3.7.13-1 B 3.7.14 Spent Fuel Pool Storage ...................................................................... B 3.7.14-1 B 3.7.15 Fuel Storage Pool Water Level ............................................................ B 3.7.15-1 B 3.7.16 Fuel Storage Pool Boron Concentration ............................................... B 3.7.16-1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating ....................................................................... B 3.8.1-1 B 3.8.2 AC Sources - Shutdown ....................................................................... B 3.8.2-1 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air ............................................ B 3.8.3-1 B 3.8.4 DC Sources - Operating ....................................................................... B 3.8.4-1 B 3.8.5 DC Sources - Shutdown....................................................................... B 3.8.5-1 B 3.8.6 Battery Parameters .............................................................................. B 3.8.6-1 B 3.8.7 Inverters - Operating ............................................................................ B 3.8.7-1 B 3.8.8 Inverters - Shutdown ............................................................................ B 3.8.8-1 B 3.8.9 Distribution Systems - Operating .......................................................... B 3.8.9-1 B 3.8.10 Distribution Systems - Shutdown ......................................................... B 3.8.10-1 B 3.9 REFUELING OPERATIONS B 3.9.1 Boron Concentration ............................................................................ B 3.9.1-1 B 3.9.2 Nuclear Instrumentation ....................................................................... B 3.9.2-1 B 3.9.3 Containment Penetrations.................................................................... B 3.9.3-1 B 3.9.4 Residual Heat Removal (RHR) and Coolant Circulation -

High Water Level............................................................................ B 3.9.4-1 B 3.9.5 Residual Heat Removal (RHR) and Coolant Circulation -

Low Water Level ............................................................................ B 3.9.5-1 B 3.9.6 Refueling Cavity Water Level ............................................................... B 3.9.6-1 Beaver Valley Units 1 and 2 B-iii Revision 36

Reactor Core SLs B 2.1.1 B 2.0 SAFETY LIMITS (SLs)

B 2.1.1 Reactor Core SLs BASES BACKGROUND GDC 10 (Ref. 1) requires that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (the 95/95 DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature.

The restrictions of this SL prevent overheating of the fuel and cladding, as well as possible cladding perforation, that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state peak linear heat rate (LHR) below the level at which fuel centerline melting occurs. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.

Fuel centerline melting occurs when the local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.

Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.

The proper functioning of the Reactor Protection System (RPS) and Main Steam Safety Valves (MSSVs) prevents violation of the reactor core SLs.

Beaver Valley Units 1 and 2 B 2.1.1 - 1 Revision 0

Reactor Core SLs B 2.1.1 BASES APPLICABLE The fuel cladding must not sustain damage as a result of normal SAFETY operation and AOOs. The reactor core SLs are established to preclude ANALYSES violation of the following fuel design criteria:

a. There must be at least 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB and

b. The hot fuel pellet in the core must not experience centerline fuel melting.

The Reactor Trip System (RTS) setpoints associated with the RTS functions described in Reference 2, in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, RCS Flow, I, and THERMAL POWER level that would result in a departure from nucleate boiling ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.

Automatic enforcement of these reactor core SLs is provided by the appropriate operation of the RPS and the MSSVs.

The SLs represent a design requirement for establishing the RTS trip setpoints associated with the RTS functions described in Reference 2.

LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits," or the assumed initial conditions of the safety analyses provide more restrictive limits to ensure that the SLs are not exceeded.

SAFETY LIMITS The figure provided in the COLR shows the loci of points of THERMAL POWER, RCS pressure, and average temperature for which the minimum DNBR is not less than the safety analyses limit, that fuel centerline temperature remains below melting, that the average enthalpy in the hot leg is less than or equal to the enthalpy of saturated liquid, and that the core hot channel exit quality is within the limits defined by the DNBR correlation.

The reactor core SLs are established to preclude violation of the following fuel design criteria:

a. There must be at least a 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB and

b. There must be at least a 95% probability at a 95% confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.

Beaver Valley Units 1 and 2 B 2.1.1 - 2 Revision 0

Reactor Core SLs B 2.1.1 BASES SAFETY LIMITS (continued)

The reactor core SLs are used to define the various RPS functions such that the above criteria are satisfied during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs).

To ensure that the RPS precludes the violation of the above criteria, additional criteria are applied to the Overtemperature and Overpower T reactor trip functions. That is, it must be demonstrated that the average enthalpy in the hot leg is less than or equal to the saturation enthalpy and the core hot channel exit quality is within the limits defined by the DNBR correlation. Appropriate functioning of the RPS ensures that for variations in the THERMAL POWER, RCS Pressure, RCS average temperature, RCS flow rate, and I that the reactor core SLs will be satisfied during steady state operation, normal operational transients, and AOOs.

APPLICABILITY SL 2.1.1 only applies in MODES 1 and 2 because these are the only MODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES 1 and 2 to ensure operation within the reactor core SLs. The MSSVs or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function, which forces the unit into MODE 3.

Setpoints for the reactor trip functions are specified in the Licensing Requirements Manual for each unit. In MODES 3, 4, 5, and 6, Applicability is not required since the reactor is not generating significant THERMAL POWER.

SAFETY LIMIT The following SL violation responses are applicable to the reactor core VIOLATIONS SLs. If SL 2.1.1 is violated, the requirement to go to MODE 3 places the unit in a MODE in which this SL is not applicable.

The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probability of fuel damage.

REFERENCES 1. Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria."

2. UFSAR, Section 7.2.

Beaver Valley Units 1 and 2 B 2.1.1 - 3 Revision 0

RCS Pressure SL B 2.1.2 B 2.0 SAFETY LIMITS (SLs)

B 2.1.2 Reactor Coolant System (RCS) Pressure SL BASES BACKGROUND The SL on RCS pressure protects the integrity of the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. By establishing an upper limit on RCS pressure, the continued integrity of the RCS is ensured. According to 10 CFR 50, Appendix A, GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref. 1), the reactor coolant pressure boundary (RCPB) design conditions are not to be exceeded during normal operation and anticipated operational occurrences (AOOs).

Also, in accordance with GDC 28, "Reactivity Limits" (Ref. 1), reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.

The design pressure of the RCS is 2500 psia. During normal operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, according to the ASME Code requirements prior to initial operation when there is no fuel in the core. Following inception of unit operation, RCS components shall be pressure tested, in accordance with the requirements of ASME Code,Section XI (Ref. 3).

Overpressurization of the RCS could result in a breach of the RCPB. If such a breach occurs in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere, raising concerns relative to limits on radioactive releases specified in 10 CFR 50.67, "Accident Source Term" (Ref. 4).

APPLICABLE The RCS pressurizer safety valves, the main steam safety valves SAFETY (MSSVs), and the reactor high pressure trip have settings established to ANALYSES ensure that the RCS pressure SL will not be exceeded.

The RCS pressurizer safety valves are sized to prevent system pressure from exceeding the design pressure by more than 10%, as specified in Section III of the ASME Code for Nuclear Power Plant Components (Ref. 2). The transient that establishes the required relief capacity, and hence valve size requirements and lift settings, is a complete loss of external load without a direct reactor trip. During the transient, no control Beaver Valley Units 1 and 2 B 2.1.2 - 1 Revision 0

RCS Pressure SL B 2.1.2 BASES APPLICABLE SAFETY ANALYSES (continued) actions are assumed, except that the MSSVs are assumed to open when the steam pressure reaches the safety valve settings, and nominal feedwater supply is maintained.

The Reactor Trip System setpoints (Ref. 5), together with the settings of the pressurizer safety valves and the MSSVs, provide pressure protection for normal operation and AOOs. The reactor high pressure trip setpoint is specifically set to provide protection against overpressurization (Ref. 5).

The safety analyses for both the high pressure trip and the RCS pressurizer safety valves are performed using conservative assumptions relative to pressure control devices.

More specifically, no credit is taken for operation of any of the following:

a. Pressurizer power operated relief valves (PORVs),

b. Steam line atmospheric relief valves,

c. Steam Dump System,

d. Reactor Control System,

e. Pressurizer Level Control System, or

f. Pressurizer spray valve.

SAFETY LIMITS The maximum transient pressure allowed in the Unit 1 and 2 RCS pressure vessels under the ASME Code,Section III, is 110% of design pressure. The Unit 1 RCS piping and fittings are designed to ANSI B31.1 (Ref. 6) and the valves are designed to ASA 16.5 (Ref. 7) which permit a maximum transient pressure of 120% of design. The Unit 2 RCS piping, valves, and fittings are designed to Section III of the ASME Code and have a maximum transient pressure of 110% of design. The most limiting of these two allowances is the 110% of design pressure; therefore, the Unit 1 and 2 SL on maximum allowable RCS pressure is 2735 psig.

APPLICABILITY SL 2.1.2 applies in MODES 1, 2, 3, 4, and 5 because this SL could be approached or exceeded in these MODES due to overpressurization events. The SL is not applicable in MODE 6 because the reactor vessel head closure bolts are not fully tightened, making it unlikely that the RCS can be pressurized.

Beaver Valley Units 1 and 2 B 2.1.2 - 2 Revision 0

RCS Pressure SL B 2.1.2 BASES SAFETY LIMIT If the RCS pressure SL is violated when the reactor is in MODE 1 or 2, VIOLATIONS the requirement is to restore compliance and be in MODE 3 within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Exceeding the RCS pressure SL may cause immediate RCS failure and create a potential for radioactive releases in excess of 10 CFR 50.67, "Accident Source Term," limits (Ref. 4).

The allowable Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months recognizes the importance of reducing power level to a MODE of operation where the potential for challenges to safety systems is minimized.

If the RCS pressure SL is exceeded in MODE 3, 4, or 5, RCS pressure must be restored to within the SL value within 5 minutes. Exceeding the RCS pressure SL in MODE 3, 4, or 5 is more severe than exceeding this SL in MODE 1 or 2, since the reactor vessel temperature may be lower and the vessel material, consequently, less ductile. As such, pressure must be reduced to less than the SL within 5 minutes. The action does not require reducing MODES, since this would require reducing temperature, which would compound the problem by adding thermal gradient stresses to the existing pressure stress.

REFERENCES 1. Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria."

2. ASME, Boiler and Pressure Vessel Code,Section III, Article NB-7000.

3. ASME, Boiler and Pressure Vessel Code,Section XI, Article IWX-5000.

4. 10 CFR 50.67.

5. UFSAR, Section 7.2.

6. ANSI Power Piping Code, B31.1, The American National Standards Institute, 1967.

7. ANSI Steel Pipe Flanges, Flanged Valves, and Fittings, B16.5, The American National Standards Institute.

Beaver Valley Units 1 and 2 B 2.1.2 - 3 Revision 0

LCO Applicability B 3.0 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY BASES LCOs LCO 3.0.1 through LCO 3.0.8 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

LCO 3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).

LCO 3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered, unless otherwise specified.

The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:

a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification and

b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.

Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications.

Beaver Valley Units 1 and 2 B 3.0 - 1 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.2 (continued)

The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits."

The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The ACTIONS for not meeting a single LCO adequately manage any increase in plant risk, provided any unusual external conditions (e.g., severe weather, offsite power instability) are considered. In addition, the increased risk associated with simultaneous removal of multiple structures, systems, trains or components from service is assessed and managed in accordance with 10 CFR 50.65(a)(4). Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.

When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.

LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and either:

a. An associated Required Action and Completion Time is not met and no other Condition applies or

b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is Beaver Valley Units 1 and 2 B 3.0 - 2 Revision 37

LCO Applicability B 3.0 BASES LCO 3.0.3 (continued) warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.

This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. Planned entry into LCO 3.0.3 should be avoided. If it is not practicable to avoid planned entry into LCO 3.0.3, plant risk should be assessed and managed in accordance with 10 CFR 50.65(a)(4), and the planned entry into LCO 3.0.3 should have less effect on plant safety than other practicable alternatives.

Upon entering LCO 3.0.3, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to enter lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.

A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:

a. The LCO is now met,

b. The LCO is no longer applicable.

c. A Condition exists for which the Required Actions have now been performed, or

d. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

The time limits of LCO 3.0.3 allow 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for entering the next lower MODE applies. If a lower MODE is entered in less time than allowed, however, the total allowable time to enter Beaver Valley Units 1 and 2 B 3.0 - 3 Revision 37

LCO Applicability B 3.0 BASES LCO 3.0.3 (continued)

MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is entered in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , then the time allowed for entering MODE 4 is the next 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months , because the total time for entering MODE 4 is not reduced from the allowable limit of 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months . Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to enter a lower MODE of operation in less than the total time allowed.

In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.15, "Fuel Storage Pool Water Level." LCO 3.7.15 has an Applicability of "During movement of irradiated fuel assemblies in the fuel storage pool and during movement of fuel assemblies over irradiated fuel assemblies in the fuel storage pool." Therefore, this LCO can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.15 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Actions of LCO 3.7.15 of "Suspend movement of irradiated fuel assemblies in the fuel storage pool and suspend movement of fuel assemblies over irradiated fuel assemblies in the fuel storage pool" are the appropriate Required Actions to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications.

LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with either LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c.

LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered following entry into the MODE or other specified condition in the Applicability will permit continued operation within the MODE or other specified condition for an unlimited period of time. Compliance Beaver Valley Units 1 and 2 B 3.0 - 4 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.4 (continued) with ACTIONS that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made and the Required Actions followed after entry into the Applicability.

For example, LCO 3.0.4.a may be used when the Required Action to be entered states that an inoperable instrument channel must be placed in the trip condition within the Completion Time. Transition into a MODE or other specified condition in the Applicability may be made in accordance with LCO 3.0.4 and the channel is subsequently placed in the tripped condition within the Completion Time, which begins when the Applicability is entered. If the instrument channel cannot be placed in the tripped condition and the subsequent default ACTION (Required Action and associated Completion Time not met) allows the OPERABLE train to be placed in operation, use of LCO 3.0.4.a is acceptable because the subsequent ACTIONS to be entered following entry into the MODE include ACTIONS (place the OPERABLE train in operation) that permit safe plant operation for an unlimited period of time in the MODE or other specified condition to be entered.

LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.

The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4(b), must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.182 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for Beaver Valley Units 1 and 2 B 3.0 - 5 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.4 (continued) establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.

LCO 3.0.4.b may be used with single, or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components.

The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. The LCO 3.0.4.b risk assessments do not have to be documented.

The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and since in general the risk impact in that particular MODE bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, the use of the LCO 3.0.4.b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more important to risk and use of the LCO 3.0.4.b allowance is prohibited. The LCOs governing these systems and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable.

LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., RCS Specific Activity), and may be applied to other Specifications based on NRC plant-specific approval.

Beaver Valley Units 1 and 2 B 3.0 - 6 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.4 (continued)

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5.

Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification.

Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.

LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate either:

a. The OPERABILITY of the equipment being returned to service or

b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY. If the OPERABILITY of the affected equipment can not be demonstrated, the administrative controls will also ensure the equipment/plant is restored to the required condition in a timely manner.

This Specification does not provide time to perform any other preventive Beaver Valley Units 1 and 2 B 3.0 - 7 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.5 (continued) or corrective maintenance. Minor corrections such as adjustments of limit switches to correct position indication anomalies are considered within the scope of this Specification. LCO 3.0.5 should not be used in lieu of other practicable alternatives that comply with Required Actions and that do not require changing the MODE or other specified conditions in the Applicability in order to demonstrate equipment is OPERABLE.

LCO 3.0.5 is not intended to be used repeatedly.

An example of demonstrating equipment is OPERABLE with the Required Actions not met is opening a manual valve that was closed to comply with Required Actions to isolate a flowpath with excessive Reactor Coolant System (RCS) Pressure Isolation Valve (PIV) leakage in order to perform testing to demonstrate that RCS PIV leakage is now within limit.

Examples of demonstrating equipment OPERABILITY include instances in which it is necessary to take an inoperable channel or trip system out of a tripped condition that was directed by a Required Action, if there is no Required Action Note for this purpose. An example of verifying OPERABILITY of equipment removed from service is taking a tripped channel out of the tripped condition to permit the logic to function and indicate the appropriate response during performance of required testing on the inoperable channel.

Examples of demonstrating the OPERABILITY of other equipment are taking an inoperable channel or trip system out of the tripped condition 1) to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system, or 2) to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.

The administrative controls in LCO 3.0.5 apply in all cases to systems or components in Chapter 3 of the Technical Specifications, as long as the testing could not be conducted while complying with the Required Actions. This includes the realignment or repositioning of redundant or alternate equipment or trains previously manipulated to comply with ACTIONS, as well as equipment removed from service or declared inoperable to comply with ACTIONS.

LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for supported systems that have a support system LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified Beaver Valley Units 1 and 2 B 3.0 - 8 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.6 (continued) in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions.

When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support system's Required Actions.

However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system.

This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.

Specification 5.5.11, "Safety Function Determination Program (SFDP),"

ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.

Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required.

The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. A loss of safety function may exist when a support system is inoperable, and:

a. A required system redundant to system(s) supported by the inoperable support system is also inoperable (EXAMPLE B 3.0.6-1),

Beaver Valley Units 1 and 2 B 3.0 - 9 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)

b. A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable (EXAMPLE B 3.0.6-2), or

c. A required system redundant to support system(s) for the supported systems (a) and (b) above is also inoperable (EXAMPLE B 3.0.6-3).

EXAMPLE B 3.0.6-1 If System 2 of Train A is inoperable and System 5 of Train B is inoperable, a loss of safety function exists in supported System 5.

EXAMPLE B 3.0.6-2 If System 2 of Train A is inoperable, and System 11 of Train B is inoperable, a loss of safety function exists in System 11 which is in turn supported by System 5.

EXAMPLE B 3.0.6-3 If System 2 of Train A is inoperable, and System 1 of Train B is inoperable, a loss of safety function exists in Systems 2, 4, 5, 8, 9, 10 and 11.

If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.

Beaver Valley Units 1 and 2 B 3.0 - 10 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)

Figure B 3.0-1 Configuration of Trains and Systems This loss of safety function does not require the assumption of additional single failures or loss of offsite power. Since operations are being restricted in accordance with the ACTIONS of the support system, any resulting temporary loss of redundancy or single failure protection is taken into account. Similarly, the ACTIONS for inoperable offsite circuit(s) and inoperable diesel generator(s) provide the necessary restriction for cross train inoperabilities. This explicit cross train verification for inoperable AC electrical power sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency electrical power source (refer to the definition of OPERABILITY).

When loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system (e.g., loss of automatic start due to inoperable instrumentation, or loss of pump suction source due to low tank level) the appropriate LCO is the LCO for the support system. The ACTIONS for a support system LCO adequately Beaver Valley Units 1 and 2 B 3.0 - 11 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.6 (continued) address the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.

LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions.

Test Exception LCOs 3.1.9 and 3.4.19 allow specified Technical Specification (TS) requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS.

Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.

The Applicability of a Test Exception LCO represents a condition not necessarily in compliance with the normal requirements of the TS.

Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.

LCO 3.0.8 LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications (TS) under licensee control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee.

Beaver Valley Units 1 and 2 B 3.0 - 12 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.8 (continued)

If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported systems LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.

LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train or subsystem of a multiple train or subsystem supported system or to a single train or subsystem supported system. LCO 3.0.8.a allows 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the snubber(s) before declaring the supported system inoperable. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function and due to the availability of the redundant train of the supported system.

LCO 3.0.8.b applies when one or more snubbers are not capable of providing their associated support function(s) to more than one train or subsystem of a multiple train or subsystem supported system.

LCO 3.0.8.b allows 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to restore the snubber(s) before declaring the supported system inoperable. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function.

LCO 3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of 10 CFR 50.65(a)(4) (the Maintenance Rule) does not address seismic risk. However, use of LCO 3.0.8 must be considered with respect to other plant maintenance activities, and integrated into the existing Maintenance Rule process to the extent possible so that maintenance on any unaffected train or subsystem is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and components when one or more snubbers are not able to perform their associated support function.

Beaver Valley Units 1 and 2 B 3.0 - 13 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.8 (continued)

Required Administrative Controls At least one Auxiliary Feedwater train (including a minimum set of supporting equipment required for its successful operation) not associated with the inoperable snubber(s) must be available when LCO 3.0.8a is used.

At least one Auxiliary Feedwater train (including a minimum set of supporting equipment required for its successful operation) not associated with the inoperable snubber(s), or some alternative means of core cooling (e.g., feed and bleed, fire water system or aggressive secondary cooldown using the steam generators), must be available when LCO 3.0.8b is used.

Every time the provisions of LCO 3.0.8 are used, it shall be confirmed that at least one train (or subsystem) of systems supported by the inoperable snubbers would remain capable of performing the systems required safety or support functions for postulated design loads other than seismic loads. LCO 3.0.8 does not apply to non-seismic snubbers. In addition, a record of the design function of the inoperable snubber (i.e., seismic versus non-seismic), the implementation of any Tier 2 restrictions, and the associated plant configuration shall all be available on a recoverable basis for NRC staff inspection.

Utilization of LCO 3.0.8 Sections A, B, C, D and E, extracted from the TSTF-372, Revision 4, Implementation Guidance document, dated October 2005, describe the steps to be followed when utilizing LCO 3.0.8.

A. Determine Whether a Technical Specification System is Rendered Inoperable by a Nonfunctional Snubber When a snubber is to be rendered incapable of performing its related support function (i.e., nonfunctional) for testing or maintenance or is discovered to not be functional, it must be determined whether any Technical Specification (TS) system(s) require the affected snubber(s) for system OPERABILITY, and whether the plant is in a MODE or specified condition in the Applicability that requires the supported TS system(s) to be OPERABLE.

1. If an analysis determines that the supported TS system(s) do not require the snubber(s) to be functional in order to support the OPERABILITY of the system(s), LCO 3.0.8 is not needed.

Beaver Valley Units 1 and 2 B 3.0 - 14 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.8 (continued)

2. If the LCO(s) associated with any supported TS system(s) are not currently applicable (i.e., the plant is not in a MODE or other specified condition in the Applicability of the LCO), LCO 3.0.8 is not needed.

3. If the supported TS system(s) are inoperable for reasons other than snubbers, LCO 3.0.8 cannot be used.

LCO 3.0.8 is an allowance, not a requirement. When a snubber is nonfunctional, any supported TS system(s) may be declared inoperable instead of using LCO 3.0.8.

B. Determine the Design Basis of the Nonfunctional Snubber The NRC Safety Evaluation associated with License Amendments 279 and 162 only considered the loss of the ability of a snubber to respond to a seismic event. However, some snubbers have design functions other than response to a seismic event. The inability to perform these non-seismic design functions were not considered or justified in NRC Safety Evaluation associated with License Amendments 279 and 162.

Therefore, when a snubber is to be rendered nonfunctional for testing or maintenance or is discovered to not be functional, the design function of the snubber must be determined in order to determine if LCO 3.0.8 may be used.

1. If the design function of the snubber is to react to only seismic loads, LCO 3.0.8 may be applied.

2 If the design function of the snubber includes both seismic loads and nonseismic loads (e.g., thrust loads, blowdown loads, waterhammer loads, steamhammer loads, LOCA loads, and pipe rupture loads), any TS systems supported by the nonfunctional snubber must be able to remain OPERABLE if subjected to the non-seismic loads with the snubber removed. If the supported TS system will remain OPERABLE when subjected to non-seismic loads, LCO 3.0.8 may be applied. Otherwise, LCO 3.0.8 may not be applied to TS systems supported by the nonfunctional snubber.

3. If the design function of the snubber includes only non-seismic loads (e.g., thrust loads, blowdown loads, waterhammer loads, steamhammer loads, LOCA loads, and pipe rupture loads),

LCO 3.0.8 cannot be applied to the TS systems supported by the nonfunctional snubber. However, if it can be confirmed that snubber is not needed for OPERABILITY of the TS system, LCO 3.0.8 is not needed.

Beaver Valley Units 1 and 2 B 3.0 - 15 Revision 36

LCO Applicability B 3.0 BASES LCO 3.0.8 (continued)

As stated in the Required Administrative Controls section, every time LCO 3.0.8 is used for TS systems supported by nonfunctional snubbers whose design loads include non-seismic loads, licensees must be able to produce a record of the design function of the nonfunctional snubber (i.e.,

seismic vs. non-seismic).

This record does not have to be created prior to or following use of LCO 3.0.8, but must be able to be created or produced if requested. For example, if a system engineer knows from previous experience that a particular snubber is only designed for seismic loads, it is not necessary to collect existing design documents or create design documents or calculations to demonstrate that fact prior to using LCO 3.0.8. However, if asked to demonstrate the design basis of the snubber, the licensee must be able to produce or create appropriate documentation to support that position.

C. Verify that the Required Safety Functions are Available The risk evaluation that justifies the use of LCO 3.0.8 assumed that the core could be cooled following a loss of offsite power resulting from a seismic event. The three conditions to ensure this capability are described in the Required Administrative Controls section.

D. Consider Effects on Plant Risk When LCO 3.0.8 is applied to TS systems supported by nonfunctional snubbers, the effect of the nonfunctional snubber on plant risk must be considered. There is no requirement to quantitatively assess the risk associated with a nonfunctional snubber when using LCO 3.0.8. It is not required, for example, to consider a train supported by nonfunctional snubbers unavailable in the 10 CFR 50.65(a)(4) risk assessments. All that is required is a qualitative consideration of the use of LCO 3.0.8, such as not removing the snubbers on one train while the opposite train is inoperable. The LCO 3.0.8 requirement to assess and manage risk is met by programs to comply with the requirements of paragraph (a)(4) of the Maintenance Rule, 10 CFR 50.65, to assess and manage risk resulting from maintenance activities.

E. Respond to Emergent Conditions Should plant conditions change while LCO 3.0.8 is being used, an evaluation must be performed to ensure the requirements of Sections A, C and D above, are still met. If these requirements are not met, LCO 3.0.8 cannot be used to consider the supported TS system OPERABLE.

Beaver Valley Units 1 and 2 B 3.0 - 16 Revision 36

SR Applicability B 3.0 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

SR 3.0.2 and SR 3.0.3 apply in Chapter 5 only when invoked by a Chapter 5 Specification.

SR 3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO. Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency. Additionally, the definitions related to instrument testing (e.g., CHANNEL CALIBRATION) specify that these tests are performed by means of any series of sequential, overlapping, or total steps.

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:

a. The systems or components are known to be inoperable, although still meeting the SRs; or

b. The requirements of the Surveillance(s) are known not to be met between required Surveillance performances.

Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the requirements of a Specification.

Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition.

Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have Beaver Valley Units 1 and 2 B 3.0 - 17 Revision 36

SR Applicability B 3.0 BASES SR 3.0.1 (continued) to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status.

Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

An example of this process is:

Auxiliary feedwater (AFW) pump turbine maintenance during refueling that requires testing at steam pressures > 600 psig. However, if other appropriate testing is satisfactorily completed, the AFW System can be considered OPERABLE. This allows startup and other necessary testing to proceed until the plant reaches the steam pressure required to perform the testing.

SR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per . . ." interval.

SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).

When a Section 5.5, Programs and Manuals, specification states that the provisions of SR 3.0.2 are applicable, a 25% extension of the testing interval, whether stated in the specification or incorporated by reference, is permitted.

The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Beaver Valley Units 1 and 2 B 3.0 - 18 Revision 36

SR Applicability B 3.0 BASES SR 3.0.2 (continued)

Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply.

These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS. Examples of where SR 3.0.2 does not apply are the Containment Leakage Rate Testing Program (Specification 5.5.12) required by 10 CFR 50, Appendix J, and the inservice testing of pumps and valves in accordance with applicable American Society of Mechanical Engineers Operation and Maintenance Code, as required by 10 CFR 50.55a. These programs establish testing requirements and Frequencies in accordance with the requirements of regulations. The TS cannot in and of themselves extend a test interval specified in the regulations directly or by reference.

As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per ..." basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.

The provisions of SR 3.0.2 are not intended to be used repeatedly to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.

SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been performed within the specified Frequency. A delay period of up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.

When a Section 5.5, Programs and Manuals, specification states that the provisions of SR 3.0.3 are applicable, it permits the flexibility to defer declaring the testing requirement not met in accordance with SR 3.0.3 when the testing has not been performed within the testing interval (including the allowance of SR 3.0.2 if invoked by the Section 5.5 specification).

Beaver Valley Units 1 and 2 B 3.0 - 19 Revision 36

SR Applicability B 3.0 BASES SR 3.0.3 (continued)

This delay period provides adequate time to perform Surveillances that have been missed. This delay period permits the performance of a Surveillance before complying with Required Actions or other remedial measures that might preclude performance of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements. When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance.

However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

SR 3.0.3 is only applicable if there is a reasonable expectation the associated equipment is OPERABLE or that variables are within limits, and it is expected that the Surveillance will be met when performed.

Many factors should be considered, such as the period of time since the Surveillance was last performed, or whether the Surveillance, or a portion thereof, has ever been performed, and any other indications, tests, or activities that might support the expectation that the Surveillance will be met when performed. An example of the use of SR 3.0.3 would be a relay contact that was not tested as required in accordance with a particular SR, but previous successful performances of the SR included the relay contact; the adjacent, physically connected relay contacts were tested during the SR performance; the subject relay contact has been tested by another SR; or historical operation of the subject relay contact has been successful. It is not sufficient to infer the behavior of the associated equipment from the performance of similar equipment. The rigor of determining whether there is a reasonable expectation a Surveillance will be met when performed should increase based on the length of time since the last performance of the Surveillance. If the Surveillance has been performed recently, a review of the Surveillance history and equipment performance may be sufficient to support a reasonable expectation that the Surveillance will be met when performed.

For Surveillances that have not been performed for a long period or that have never been performed, a rigorous evaluation based on objective Beaver Valley Units 1 and 2 B 3.0 - 20 Revision 36

SR Applicability B 3.0 BASES SR 3.0.3 (continued) evidence should provide a high degree of confidence that the equipment is OPERABLE. The evaluation should be documented in sufficient detail to allow a knowledgeable individual to understand the basis for the determination.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used repeatedly to extend Surveillance intervals. While up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

Beaver Valley Units 1 and 2 B 3.0 - 21 Revision 36

SR Applicability B 3.0 BASES SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not met due to a Surveillance not being met in accordance with LCO 3.0.4.

However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change.

When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that Surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3.

The provisions of SR 3.0.4 shall not prevent entry into MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances Beaver Valley Units 1 and 2 B 3.0 - 22 Revision 36

SR Applicability B 3.0 BASES SR 3.0.4 (continued) when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met.

Alternately, the Surveillance may be stated in the form of a Note, as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency.

Beaver Valley Units 1 and 2 B 3.0 - 23 Revision 36

SDM B 3.1.1 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 Shutdown Margin (SDM)

BASES BACKGROUND According to GDC 26, as discussed in Reference 1, the reactivity control systems must be redundant and capable of holding the reactor core subcritical when shut down under cold conditions. Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel.

SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs). As such, the SDM defines the degree of subcriticality that would be obtained immediately following the insertion or scram of all shutdown and control rods, assuming that the single rod cluster assembly of highest reactivity worth is fully withdrawn.

The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable control assemblies and soluble boric acid in the Reactor Coolant System (RCS). The Control Rod System can compensate for the reactivity effects of the fuel and water temperature changes accompanying power level changes over the range from full load to no load. In addition, the Control Rod System, together with the boration system, provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding acceptable fuel damage limits, assuming that the rod of highest reactivity worth remains fully withdrawn. The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes and maintain the reactor subcritical under cold conditions.

During power operation, SDM control is ensured by operating with the shutdown banks fully withdrawn and the control banks within the limits of LCO 3.1.6, "Control Bank Insertion Limits." When the unit is in the shutdown and refueling modes, the SDM requirements are met by means of adjustments to the RCS boron concentration.

Beaver Valley Units 1 and 2 B 3.1.1 - 1 Revision 0

SDM B 3.1.1 BASES APPLICABLE The minimum required SDM is assumed as an initial condition in safety SAFETY analyses. The safety analysis (Ref. 2) establishes an SDM that ensures ANALYSES specified acceptable fuel design limits are not exceeded for normal operation and AOOs, with the assumption of the highest worth rod stuck out on scram.

The acceptance criteria for the SDM requirements are that specified acceptable fuel design limits are maintained. This is done by ensuring that:

a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events,

b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from nucleate boiling ratio (DNBR), fuel centerline temperature limits for AOOs, and 280 cal/gm energy deposition for the rod ejection accident), and

c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

A limiting accident for the SDM requirements is the main steam line break (MSLB), as described in the accident analysis (Ref. 2). The increased steam flow resulting from a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG),

and consequently the RCS. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. The most limiting MSLB, with respect to potential fuel damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus terminating RCS heat removal and cooldown. Following the MSLB, a post trip return to power may occur; however, no fuel damage occurs as a result of the post trip return to power, and THERMAL POWER does not violate the Safety Limit (SL) requirement of SL 2.1.1.

The SDM required in MODES 3 and 4 below P-11, with safety injection (SI) blocked, is greater than the SDM required in MODES 3 and 4 below P-11, with SI unblocked. This SDM requirement ensures that the limiting steamline break (SLB) analyzed at the end of core life with RCS Tavg equal to 547°F would bound a SLB at lower RCS pressures and temperatures.

In addition to the limiting MSLB transient, the SDM requirement must also protect against:

Beaver Valley Units 1 and 2 B 3.1.1 - 2 Revision 0

SDM B 3.1.1 BASES APPLICABLE SAFETY ANALYSIS (continued)

a. Inadvertent boron dilution,

b. An uncontrolled rod withdrawal from subcritical or low power condition, and

c. Rod ejection.

Each of these events is discussed below.

In the boron dilution analysis, the required SDM defines the reactivity difference between an initial subcritical boron concentration and the corresponding critical boron concentration. These values, in conjunction with the configuration of the RCS and the assumed dilution flow rate, directly affect the results of the analysis. This event is most limiting at the beginning of core life, when critical boron concentrations are highest.

Depending on the system initial conditions and reactivity insertion rate, the uncontrolled rod withdrawal transient is terminated by either a high power level trip or a high pressurizer pressure trip. In all cases, power level, RCS pressure, linear heat rate, and the DNBR do not exceed allowable limits.

The ejection of a control rod rapidly adds reactivity to the reactor core, causing both the core power level and heat flux to increase with corresponding increases in reactor coolant temperatures and pressure.

The ejection of a rod also produces a time dependent redistribution of core power.

SDM satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Even though it is not directly observed from the control room, SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.

LCO SDM is a core design condition that can be ensured during operation through control rod positioning (control and shutdown banks) and through the soluble boron concentration.

The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the limiting accidents that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed 10 CFR 50.67, Accident Source Term, limits (Ref. 4).

For the boron dilution accident, if the LCO is violated, the minimum required time assumed for operator action to terminate dilution may no longer be applicable.

Beaver Valley Units 1 and 2 B 3.1.1 - 3 Revision 0

SDM B 3.1.1 BASES APPLICABILITY In MODE 2 with keff < 1.0 and in MODES 3, 4, and 5, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration." In MODES 1 and 2, SDM is ensured by complying with LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits."

ACTIONS A.1 If the SDM requirements are not met, boration must be initiated promptly.

A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. It is assumed that boration will be continued until the SDM requirements are met.

In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the boric acid storage tank, or the refueling water storage tank. The operator should borate with the best source available for the plant conditions.

In determining the boration flow rate, the time in core life must be considered. For example, assuming that a value of 1.77% k/k must be restored in MODE 4, the RCS boron concentration can be increased from 1526 ppm to 1747 ppm in approximately 100 minutes, utilizing a 30 gpm flow rate, with a source containing a boron concentration of 7,000 ppm. If a boron worth of 8 pcm/ppm is assumed, this combination of parameters will increase the SDM to 1.77%. These RCS boron concentrations represent typical values for MODE 4 at beginning of life (BOL), and are provided for the purpose of offering a specific example.

SURVEILLANCE SR 3.1.1.1 REQUIREMENTS In MODES 1 and 2 with Keff 1.0, SDM is verified by observing that the requirements of LCO 3.1.5 and LCO 3.1.6 are met. In the event that a rod is known to be untrippable, however, SDM verification must account for the worth of the untrippable rod as well as another rod of maximum worth.

In MODES 3, 4, and 5, the SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:

a. RCS boron concentration, Beaver Valley Units 1 and 2 B 3.1.1 - 4 Revision 0

SDM B 3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

b. Control bank position,

c. RCS average temperature,

d. Fuel burnup based on gross thermal energy generation,

e. Xenon concentration,

f. Samarium concentration, and

g. Isothermal temperature coefficient (ITC).

Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as the RCS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. UFSAR, Section 14.2.5.1 (Unit 1) and Section 15.1.5 (Unit 2).

3. UFSAR, Section 14.1.4 (Unit 1) and Section 15.4.6 (Unit 2).

4. 10 CFR 50.67.

Beaver Valley Units 1 and 2 B 3.1.1 - 5 Revision 29

Core Reactivity B 3.1.2 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Core Reactivity BASES BACKGROUND According to GDC 26, GDC 28, and GDC 29, as discussed in Reference 1, reactivity shall be controllable, such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control rod worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") in ensuring the reactor can be brought safely to cold, subcritical conditions.

When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers producing zero net reactivity.

Excess reactivity can be inferred from the boron letdown curve (or critical boron curve), which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup.

Periodic measurement of the RCS boron concentration for comparison with the predicted value with other variables fixed (such as rod height, temperature, pressure, and power), provides a convenient method of ensuring that core reactivity is within design expectations and that the calculational models used to generate the safety analysis are adequate.

In order to achieve the required fuel cycle energy output, the uranium enrichment, in the new fuel loading and in the fuel remaining from the previous cycle, provides excess positive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical at RTP and moderator temperature, the excess positive reactivity is compensated by burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concentration.

Beaver Valley Units 1 and 2 B 3.1.2 - 1 Revision 0

Core Reactivity B 3.1.2 BASES BACKGROUND (continued)

When the core is producing THERMAL POWER, the fuel is being depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER. The boron letdown curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated.

APPLICABLE The acceptance criteria for core reactivity are that the reactivity balance SAFETY limit ensures plant operation is maintained within the assumptions of the ANALYSES safety analyses.

Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations. Every accident evaluation (Ref. 2) is, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks. Monitoring reactivity balance additionally ensures that the nuclear methods provide an accurate representation of the core reactivity.

Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boron concentration requirements for reactivity control during fuel depletion.

The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculational models used to predict soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdown curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred.

Beaver Valley Units 1 and 2 B 3.1.2 - 2 Revision 0

Core Reactivity B 3.1.2 BASES APPLICABLE SAFETY ANALYSIS (continued)

The normalization of predicted RCS boron concentration to the measured value is typically performed after reaching RTP following startup from a refueling outage, with the control rods in their normal positions for power operation. The normalization is performed at BOC conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.

Core reactivity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO Long term core reactivity behavior is a result of the core physics design and cannot be easily controlled once the core design is fixed. During operation, therefore, the LCO can only be ensured through measurement and tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the Nuclear Design Methodology are larger than expected. A limit on the reactivity balance of +/- 1% k/k has been established based on engineering judgment. A 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.

When measured core reactivity is within 1% k/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between measured and predicted values would be approximately 100 ppm (depending on the boron worth) before the limit is reached. These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.

APPLICABILITY The limits on core reactivity must be maintained during MODES 1 and 2 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fuel depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in MODES 3, 4, and 5 because the reactor is shut down and the reactivity balance is not changing.

In MODE 6, fuel loading results in a continually changing core reactivity.

Boron concentration requirements (LCO 3.9.1, "Boron Concentration")

ensure that fuel movements are performed within the bounds of the safety analysis.

Beaver Valley Units 1 and 2 B 3.1.2 - 3 Revision 0

Core Reactivity B 3.1.2 BASES ACTIONS A.1 and A.2 Should an anomaly develop between measured and predicted core reactivity, an evaluation of the core design and safety analysis must be performed.

Core conditions are evaluated to determine their consistency with input to design calculations. Measured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 7 days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.

Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in the calculation technique, then the calculational models must be revised to provide more accurate predictions. If any of these results are demonstrated, and it is concluded that the reactor core is acceptable for continued operation, then the boron letdown curve may be renormalized and power operation may continue. If operational restriction or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined.

The required Completion Time of 7 days is adequate for preparing whatever operating restrictions or Surveillances that may be required to allow continued reactor operation.

B.1 If the core reactivity cannot be restored to within the 1% k/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . If the SDM for MODE 3 is not met, then the boration required by SR 3.1.1.1 would occur. The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.1.2 - 4 Revision 0

Core Reactivity B 3.1.2 BASES SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made, considering that other core conditions are fixed or stable, including control rod position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The Surveillance is performed once prior to entering MODE 1 as an initial check on core conditions and design calculations at BOC. The SR is modified by a Note. The Note indicates that the normalization of predicted core reactivity to the measured value, if required, must take place within the first 60 effective full power days (EFPD) after each fuel loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.1.2 - 5 Revision 29

MTC B 3.1.3 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Moderator Temperature Coefficient (MTC)

BASES BACKGROUND According to GDC 11, as discussed in Reference 1, the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.

The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature). The reactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self limiting, and stable power operation will result.

MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the beginning of cycle (BOC) MTC is less than zero when THERMAL POWER is at RTP. The actual value of the MTC is dependent on core characteristics, such as fuel loading and reactor coolant soluble boron concentration. The core design may require additional fixed distributed poisons to yield an MTC at BOC within the range analyzed in the plant accident analysis. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit.

The limitations on MTC are provided to ensure that the value of this coefficient remains within the limiting conditions assumed in the UFSAR accident and transient analyses.

If the LCO limits are not met, the unit response during transients may not be as predicted. The core could violate criteria that prohibit a return to criticality, or the departure from nucleate boiling ratio criteria of the approved correlation may be violated, which could lead to a loss of the fuel cladding integrity.

Beaver Valley Units 1 and 2 B 3.1.3 - 1 Revision 0

MTC B 3.1.3 BASES BACKGROUND (continued)

The SRs for measurement of the MTC at the beginning and near the end of the fuel cycle are adequate to confirm that the MTC remains within its limits, since this coefficient changes slowly, due principally to the reduction in RCS boron concentration associated with fuel burnup.

APPLICABLE The acceptance criteria for the specified MTC are:

SAFETY ANALYSES a. The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2) and

b. The MTC must be such that inherently stable power operations result during normal operation and accidents, such as overheating and overcooling events.

The UFSAR (Ref. 2), contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the most positive value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure that the accident results are bounding (Ref. 3).

The consequences of accidents that cause core overheating must be evaluated when MTC is positive. Such accidents include Rod Withdrawal from Subcritical (Ref. 4), Rod Withdrawal at Power (Ref. 5), Loss of Normal Feedwater Flow (Ref. 6), Loss of Offsite Power (Ref. 7), Loss of Electrical Load (Ref. 8), RCS Depressurization (Ref. 9), Loss of Flow (Ref. 10), Locked Rotor (Ref. 11) and Rod Ejection (Ref. 12). The consequences of accidents that cause core overcooling must be evaluated when MTC is negative. Such accidents include Feedwater Flow Increase (Ref. 13), Feedwater Temperature Decrease (Ref. 14) and Steamline Break (Ref. 15).

In order to ensure a bounding accident analysis, the MTC is assumed to be its most limiting value for the analysis conditions appropriate to each accident. The bounding value is determined by considering rodded and unrodded conditions, whether the reactor is at full or zero power, and whether it is the BOC or EOC life. The most conservative combination appropriate to the accident is then used for the analysis (Ref. 2).

MTC values are bounded in reload safety evaluations assuming steady state conditions at BOC and EOC. An EOC measurement or analytical check (Ref. 16) of the EOC MTC is conducted when the RCS boron concentration reaches approximately 300 ppm. The measured or calculated value may be extrapolated to project the EOC value, in order to confirm reload design predictions.

Beaver Valley Units 1 and 2 B 3.1.3 - 2 Revision 28

MTC B 3.1.3 BASES APPLICABLE SAFETY ANALYSES (continued)

MTC satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Even though it is not directly observed and controlled from the control room, MTC is considered an initial condition process variable because of its dependence on boron concentration.

LCO LCO 3.1.3 requires the MTC to be within specified limits of the COLR and Figure 3.1.3-1 to ensure that the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of the original accident analysis during operation.

Assumptions made in the safety analyses require that the MTC be less positive than a given upper bound and more positive than a given lower bound. The maximum upper (most positive) MTC limit occurs near BOC, all rods out (ARO), hot zero power (HZP), no xenon (NoXe) conditions.

Note that in cores containing substantial amounts of burnable absorber in the form of Integral Fuel Burnable Absorber (IFBA), the burnup of most positive MTC under the above conditions may not be at startup, but at some point up to 100 EFPD after startup. If the core never returns to HZP conditions over this period of operations, this most positive MTC may never be physically realized. At EOC the MTC takes on its most negative value, when the lower bound becomes important. This LCO exists to ensure that both the upper and lower bounds are not exceeded.

During operation, the upper MTC limit can only be ensured through measurement. The lower MTC limit can be ensured either through measurement or by ensuring the benchmark criteria in WCAP-13749-P-A and the COLR requirements for the calculated revised predicted MTC are satisfied. The Surveillance checks at BOC and EOC on MTC provide confirmation that the MTC is behaving as anticipated so that the acceptance criteria are met.

The LCO establishes a maximum positive value that cannot be exceeded.

The BOC positive limit is established in Figure 3.1.3-1 and the EOC negative limit is established in the COLR to allow specifying limits for each particular cycle. This permits the unit to take advantage of improved fuel management and changes in unit operating schedule.

APPLICABILITY Technical Specifications place both LCO and SR values on MTC, based on the safety analysis assumptions described above.

In MODE 1, the limits on MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate the design assumptions of the accident analysis. In MODE 2 with the reactor Beaver Valley Units 1 and 2 B 3.1.3 - 3 Revision 28

MTC B 3.1.3 BASES APPLICABILITY (continued) critical, the upper limit must also be maintained to ensure that startup and subcritical accidents (such as the uncontrolled CONTROL ROD assembly or group withdrawal) will not violate the assumptions of the accident analysis. The lower MTC limit must be maintained in MODES 2 and 3, in addition to MODE 1, to ensure that cooldown accidents will not violate the assumptions of the accident analysis. In MODES 4, 5, and 6, this LCO is not applicable, since no Design Basis Accidents using the MTC as an analysis assumption are initiated from these MODES.

ACTIONS A.1 If the BOC upper MTC limit is violated, administrative withdrawal limits for control banks must be established to maintain the MTC within its limits.

The MTC becomes more negative with control bank insertion and decreased boron concentration. A Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months provides enough time for evaluating the MTC measurement and computing the required bank withdrawal limits.

As cycle burnup is increased, the RCS boron concentration will, in general, be reduced. Note that in cores containing substantial amounts of burnable absorber in the form of IFBA, the core critical boron concentration may actually slowly increase over the first 100 EFPD after startup because the increase in reactivity due to the burnout of the IFBA may be greater than the decrease in reactivity due to the depletion of the fuel. Using physics calculations, the times in cycle life at which the calculated MTC will meet the LCO requirements can be determined.

Note that since the RCS boron concentration can increase over the first 100 EFPD, the calculated MTC may meet the LCO requirement at startup and still not meet the LCO requirement later in the cycle. At the points in core life when the calculated MTC meets the LCO requirement, Condition A no longer exists. The unit is no longer in the Required Action, so the administrative withdrawal limits are no longer in effect.

B.1 If the required administrative withdrawal limits at BOC are not established within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the unit must be brought to MODE 2 with keff < 1.0 to prevent operation with an MTC that is more positive than that assumed in safety analyses.

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.1.3 - 4 Revision 28

MTC B 3.1.3 BASES ACTIONS (continued)

C.1 Exceeding the EOC MTC limit means that the safety analysis assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the EOC MTC limit is exceeded, the plant must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.3.1 REQUIREMENTS This SR requires measurement of the MTC at BOC prior to entering MODE 1 in order to demonstrate compliance with the most positive MTC LCO. Meeting the limit prior to entering MODE 1 ensures that the limit will also be met at higher power levels.

The BOC MTC value for ARO will be inferred from isothermal temperature coefficient measurements obtained during the physics tests after refueling. The ARO value can be directly compared to the BOC MTC limit of the LCO. If required, measurement results and predicted design values can be used to establish administrative withdrawal limits for control banks.

SR 3.1.3.2 In similar fashion, the LCO demands that the MTC be less negative than the specified value for EOC full power conditions. This measurement may be performed at any THERMAL POWER, but its results must be extrapolated and/or compensated to the conditions of RTP and all banks withdrawn in order to make a proper comparison with the LCO value.

Because the RTP MTC value will gradually become more negative with further core depletion and boron concentration reduction, a 300 ppm SR value of MTC should necessarily be less negative than the EOC LCO limit. The 300 ppm SR value is sufficiently less negative than the EOC LCO limit value to ensure that the LCO limit will be met when the 300 ppm Surveillance criterion is met.

In order to assure an accurate result SR 3.1.3.2 must be performed after reaching the equivalent of an equilibrium RTP ARO boron concentration of 300 ppm. SR 3.1.3.2 is modified by four Notes that include the following requirements:

Beaver Valley Units 1 and 2 B 3.1.3 - 5 Revision 28

MTC B 3.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)

a. The SR is not required to be performed until 7 effective full power days (EFPDs) after reaching the equivalent of an equilibrium RTP ARO boron concentration of 300 ppm.

b. If the 300 ppm Surveillance limit is exceeded, it is possible that the EOC limit on MTC could be reached before the planned EOC.

Because the MTC changes slowly with core depletion, the Frequency of 14 effective full power days is sufficient to avoid exceeding the EOC limit.

c. The Surveillance limit for RTP boron concentration of 60 ppm is conservative. If the measured MTC at 60 ppm is more positive than the 60 ppm Surveillance limit, the EOC limit will not be exceeded because of the gradual manner in which MTC changes with core burnup.

d. SR 3.1.3.2 is not required to be performed provided that the benchmark criteria specified in WCAP-13749-P-A and the COLR requirements for the calculated revised predicted MTC are satisfied.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. UFSAR Chapter 14 (Unit 1) and Chapter 15 (Unit 2).

3. WCAP 9273-NP-A, "Westinghouse Reload Safety Evaluation Methodology," July 1985.

4. UFSAR Section 14.1.1 (Unit 1) and Section 15.4.1 (Unit 2).

5. UFSAR Section 14.1.2 (Unit 1) and Section 15.4.2 (Unit 2).

6. UFSAR Section 14.1.8 (Unit 1) and Section 15.2.7 (Unit 2).

7. UFSAR Section 14.1.11 (Unit 1) and Section 15.2.6 (Unit 2).

8. UFSAR Section 14.1.7 (Unit 1) and Sections 15.2.2 and 15.2.3 (Unit 2).

9. UFSAR Section 14.1.15 (Unit 1) and Section 15.6.1 (Unit 2).

10. UFSAR Sections 14.1.5 and 14.2.9 (Unit 1) and Sections 15.3.1 and 15.3.2 (Unit 2).

Beaver Valley Units 1 and 2 B 3.1.3 - 6 Revision 28

MTC B 3.1.3 BASES REFERENCES (continued)

11. UFSAR Section 14.2.7 (Unit 1) and Section 15.3.3 (Unit 2).

12. UFSAR Section 14.2.6 (Unit 1) and Section 15.4.8 (Unit 2).

13. UFSAR Section 14.1.9 (Unit 1) and Section 15.1.2 (Unit 2).

14. UFSAR Section 14.1.9 (Unit 1) and Section 15.1.1 (Unit 2).

15. UFSAR Section 14.2.5.1 (Unit 1) and Section 15.1.5 (Unit 2).

16. WCAP-13749-P-A, Safety Evaluation Supporting the Conditional Exemption of the Most Negative EOL Moderator Temperature Coefficient Measurement, March 1997 (Westinghouse Proprietary).

Beaver Valley Units 1 and 2 B 3.1.3 - 7 Revision 28

Rod Group Alignment Limits B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Rod Group Alignment Limits BASES BACKGROUND The OPERABILITY (i.e., trippability) of the shutdown and control rods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available SDM.

The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design,"

GDC 26, "Reactivity Control System Redundancy and Capability" as discussed in Reference 1, and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants" (Ref. 2).

Mechanical or electrical failures may cause a control or shutdown rod to become inoperable or to become misaligned from its group. Rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.

Limits on rod alignment have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

Rod cluster control assemblies (RCCAs), or rods, are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its RCCA one step (approximately 5/8 inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Rod Control System.

The RCCAs are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups, the groups are moved in a staggered fashion, but always within one step of each other. There are four control banks and two shutdown banks.

The shutdown banks are maintained either in the fully inserted or fully withdrawn position. The control banks are moved in an overlap pattern, Beaver Valley Units 1 and 2 B 3.1.4 - 1 Revision 0

Rod Group Alignment Limits B 3.1.4 BASES BACKGROUND (continued) using the following withdrawal sequence: When control bank A reaches a predetermined height in the core, control bank B begins to move out with control bank A. Control bank A stops at the position of maximum withdrawal, and control bank B continues to move out. When control bank B reaches a predetermined height, control bank C begins to move out with control bank B. This sequence continues until control banks A, B, and C are at the fully withdrawn position, and control bank D is approximately halfway withdrawn. The insertion sequence is the opposite of the withdrawal sequence. The control rods are arranged in a radially symmetric pattern, so that control bank motion does not introduce radial asymmetries in the core power distributions.

The axial position of shutdown rods and control rods is indicated by two separate and independent systems, which are the Bank Demand Position Indication System (commonly called group step counters) and the Rod Position Indication (RPI) System for Unit 1 and the Digital Rod Position Indication (DRPI) System for Unit 2.

The Bank Demand Position Indication System counts the pulses from the rod control system that moves the rods. There is one step counter for each group of rods. Individual rods in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication System is considered highly precise (+/- 1 step or +/- 5/8 inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the position of the rod.

The RPI and DRPI systems provide an accurate indication of actual rod position, but at a lower precision than the step counters. These systems are based on inductive analog signals from a series of coils spaced along a hollow tube. The RPI System is capable of monitoring rod position within +/- 12 steps. To increase the reliability of the DRPI System, the inductive coils are connected alternately to data system A or B. Thus, if one data system fails, the DRPI will go on half accuracy. The DRPI System is capable of monitoring rod position within +/- 4 steps, for full accuracy, and +4, -10 steps at half accuracy with data system A, and

+10, -4 steps at half accuracy with data system B.

APPLICABLE Control rod misalignment accidents are analyzed in the safety analysis SAFETY (Ref. 3). The acceptance criteria for addressing control rod inoperability ANALYSES or misalignment are that:

a. There be no violations of:

1. Specified acceptable fuel design limits or Beaver Valley Units 1 and 2 B 3.1.4 - 2 Revision 0

Rod Group Alignment Limits B 3.1.4 BASES APPLICABLE SAFETY ANALYSIS (continued)

2. Reactor Coolant System (RCS) pressure boundary integrity and

b. The core remains subcritical after accident transients.

Two types of misalignment are distinguished. During movement of a control rod group, one rod may stop moving, while the other rods in the group continue. This condition may cause excessive power peaking.

The second type of misalignment occurs if one rod fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition requires an evaluation to determine that sufficient reactivity worth is held in the control rods to meet the SDM requirement, with the maximum worth rod stuck fully withdrawn.

Two types of analysis are performed in regard to static rod misalignment (Ref. 4). With control banks at their insertion limits, one type of analysis considers the case when any one rod is completely inserted into the core.

The second type of analysis considers the case of a completely withdrawn single rod from a bank inserted to its insertion limit. Satisfying limits on departure from nucleate boiling ratio in both of these cases bounds the situation when a rod is misaligned from its group by 12 steps.

The Required Actions in this LCO ensure that either deviations from the alignment limits will be corrected or that THERMAL POWER will be adjusted so that excessive local linear heat rates (LHRs) will not occur, and that the requirements on SDM and ejected rod worth are preserved.

Continued operation of the reactor with a misaligned control rod is allowed if the heat flux hot channel factor ( FQ(Z)) and the nuclear enthalpy hot channel factor (FNH) are verified to be within their limits in the COLR and the safety analysis is verified to remain valid. When a control rod is misaligned, the assumptions that are used to determine the rod insertion limits, AFD limits, and quadrant power tilt limits are not preserved. Therefore, the limits may not preserve the design peaking factors, and FQ(Z) and FNH must be verified directly by incore mapping.

Bases Section 3.2 (Power Distribution Limits) contains more complete discussions of the relation of FQ(Z) and FNH to the operating limits.

Shutdown and control rod OPERABILITY and alignment are directly related to power distributions and SDM, which are initial conditions assumed in safety analyses. Therefore they satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.1.4 - 3 Revision 0

Rod Group Alignment Limits B 3.1.4 BASES LCO The limits on shutdown or control rod alignments ensure that the assumptions in the safety analysis will remain valid. The requirements on control rod OPERABILITY ensure that upon reactor trip, the assumed reactivity will be available and will be inserted. The control rod OPERABILITY requirements (i.e., trippability) are separate from the alignment requirements, which ensure that the RCCAs and banks maintain the correct power distribution and rod alignment. The rod OPERABILITY requirement is satisfied provided the rod will fully insert in the required rod drop time assumed in the safety analysis. Rod control malfunctions that result in the inability to move a rod (e.g., rod lift coil failures), but that do not impact trippability, do not result in rod inoperability.

The requirement to maintain the rod alignment to within plus or minus 12 steps is conservative. The minimum misalignment assumed in safety analysis is 24 steps (15 inches), and in some cases a total misalignment from fully withdrawn to fully inserted is assumed.

Failure to meet the requirements of this LCO may produce unacceptable power peaking factors and LHRs, or unacceptable SDMs, all of which may constitute initial conditions inconsistent with the safety analysis.

The rod alignment requirements of this LCO may be met by determining rod position in accordance with Rod Position Indication Specifications 3.1.7.1 (Unit 1) and 3.1.7.2 (Unit 2). The ACTIONS of the Rod Position Indication specifications provide alternate methods for determining rod position if a position indicator is inoperable. If the ACTIONS of a Rod Position Indication specification are applicable, the alternate method(s) for determining rod position specified in the applicable ACTIONS may be used to meet the alignment requirements of this LCO.

The LCO requirements are modified by a Note that is only applicable to Unit 1. The Note provides an exception to verifying the LCO requirements are met during rod motion and for the first hour following rod motion. The exception is necessary to accommodate the thermal stabilization required after rod movement for the Unit 1 RPI System. The RPI System requires time to achieve thermal equilibrium after rod movement in order to provide indication within the required accuracy.

During rod motion and the time allowed for thermal soak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movement information. Therefore, comparison between the two indications to verify the LCO requirements are met is not required during the time specified in this Note.

Beaver Valley Units 1 and 2 B 3.1.4 - 4 Revision 0

Rod Group Alignment Limits B 3.1.4 BASES APPLICABILITY The requirements on RCCA OPERABILITY and alignment are applicable in MODES 1 and 2 because these are the only MODES in which the reactor is critical and power is generated, and the OPERABILITY (i.e.,

trippability) and alignment of rods have the potential to affect the safety of the plant. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the control rods are typically bottomed and the reactor is shut down and not producing power. In the shutdown MODES, the OPERABILITY of the shutdown and control rods has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.1, "SHUTDOWN MARGIN," for SDM in MODES 3, 4, and 5 and LCO 3.9.1, "Boron Concentration," for boron concentration requirements during refueling.

ACTIONS A.1.1 and A.1.2 When one or more rods are inoperable (i.e., untrippable), there is a possibility that the required SDM may be adversely affected. Under these conditions, it is important to determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is adequate for determining SDM and, if necessary, for initiating emergency boration and restoring SDM.

In this situation, SDM verification must include the worth of the untrippable rod, as well as a rod of maximum worth.

A.2 If the inoperable rod(s) cannot be restored to OPERABLE status, the plant must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

B.1 (Unit 1)

When a rod becomes misaligned, it can usually be moved and is still trippable. If the rod can be realigned within the Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , local xenon redistribution during this short interval will not be significant, and operation may proceed without further restriction.

Beaver Valley Units 1 and 2 B 3.1.4 - 5 Revision 33

Rod Group Alignment Limits B 3.1.4 BASES ACTIONS (continued)

An alternative to realigning a single misaligned RCCA to the group average position is to align the remainder of the group to the position of the misaligned RCCA. However, this must be done without violating the bank sequence, overlap, and insertion limits specified in LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits." The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months gives the operator sufficient time to adjust the rod positions in an orderly manner.

B.2.1.1 and B.2.1.2 (Unit 1)

With a misaligned rod, SDM must be verified to be within limit or boration must be initiated to restore SDM to within limit.

In many cases, realigning the remainder of the group to the misaligned rod may not be desirable. For example, realigning control bank B to a rod that is misaligned 15 steps from the top of the core would require a significant power reduction, since control bank D must be moved fully in and control bank C must be moved in to approximately 100 to 115 steps.

Power operation may continue with one RCCA trippable but misaligned, provided that SDM is verified within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months represents the time necessary for determining the actual unit SDM and, if necessary, aligning and starting the necessary systems and components to initiate boration.

B.1.1 and B1.2 (Unit 2)

When a rod becomes misaligned, it can usually be moved and is still trippable.

An alternative to realigning a single misaligned RCCA to the group average position is to align the remainder of the group to the position of the misaligned RCCA. However, this must be done without violating the bank sequence, overlap, and insertion limits specified in LCO 3.1.5.2, "Unit 2 Shutdown Bank Insertion Limits," and LCO 3.1.6.2, "Unit 2 Control Bank Insertion Limits."

In many cases, realigning the remainder of the group to the misaligned rod may not be desirable. For example, realigning control bank B to a rod that is misaligned 15 steps from the top of the core would require a significant power reduction, since control bank D must be moved fully in and control bank C must be moved in to approximately 100 to 115 steps.

Power operation may continue with one RCCA trippable but misaligned, provided that SDM is verified within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months represents the time necessary for determining the actual unit SDM and, if necessary, aligning and starting the necessary systems and components to initiate boration.

Beaver Valley Units 1 and 2 B 3.1.4 - 6 Revision 33

Rod Group Alignment Limits B 3.1.4 BASES ACTIONS (continued)

B.2.2, B.2.3, B.2.4, B.2.5, and B.2.6 (Unit 1) and B.2, B.3, B.4, and B.5 (Unit 2)

For continued operation with a misaligned rod, THERMAL POWER must be reduced, SDM must periodically be verified within limits, hot channel factors (FQ(Z) and FNH) must be verified within limits, and the safety analyses must be re-evaluated to confirm continued operation is permissible.

Reduction of power to 75% RTP ensures that local LHR increases due to a misaligned RCCA will not cause the core design criteria to be exceeded. The Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months gives the operator sufficient time to accomplish an orderly power reduction without challenging the Reactor Protection System.

When a rod is known to be misaligned, there is a potential to impact the SDM. Since the core conditions can change with time, periodic verification of SDM is required. A Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient to ensure this requirement continues to be met.

Verifying that FQ(Z), as approximated by FCQ(Z) and FWQ(Z), and FNH are within the required limits ensures that current operation at 75% RTP with a rod misaligned is not resulting in power distributions that may invalidate safety analysis assumptions at full power. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allows sufficient time to obtain flux maps of the core power distribution using the incore flux mapping system and to calculate FQ(Z) and FNH.

Once current conditions have been verified acceptable, time is available to perform evaluations of accident analysis to determine that core limits will not be exceeded during a Design Basis Event for the duration of operation under these conditions. The accident analyses presented in UFSAR Chapter 14 (Unit 1) and Chapter 15 (Unit 2) (Ref. 3) that may be adversely affected will be evaluated to ensure that the analysis results remain valid for the duration of continued operation under these conditions. A Completion Time of 5 days is sufficient time to obtain the required input data and to perform the analysis.

Beaver Valley Units 1 and 2 B 3.1.4 - 7 Revision 33

Rod Group Alignment Limits B 3.1.4 BASES ACTIONS (continued)

C.1 When Required Actions cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , which obviates concerns about the development of undesirable xenon or power distributions. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging the plant systems.

D.1.1 and D.1.2 More than one rod becoming misaligned from its group average position is not expected, and has the potential to reduce SDM. Therefore, SDM must be evaluated. One hour allows the operator adequate time to determine SDM. Restoration of the required SDM, if necessary, requires increasing the RCS boron concentration to provide negative reactivity, as described in the Bases of LCO 3.1.1. The required Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months for initiating boration is reasonable, based on the time required for potential xenon redistribution, the low probability of an accident occurring, and the steps required to complete the action. This allows the operator sufficient time to align the required valves and start the boric acid pumps.

Boration will continue until the required SDM is restored.

D.2 If more than one rod is found to be misaligned or becomes misaligned because of bank movement, the unit conditions fall outside of the accident analysis assumptions. Since automatic bank sequencing would continue to cause misalignment, the unit must be brought to a MODE in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.4.1.1 (Unit 1)

REQUIREMENTS Verification that individual rod positions are within alignment limits provides a history that allows the operator to detect a rod that is beginning to deviate from its expected position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.1.4 - 8 Revision 33

Rod Group Alignment Limits B 3.1.4 BASES SURVEILLANCE REQUIREMENTS (continued)

The SR is modified by a Note that is only applicable to Unit 1. The Note provides an exception to performing the SR during rod motion and for the first hour following rod motion. The exception is consistent with the Unit 1 LCO exception Note and is necessary to allow for thermal stabilization and accurate rod position indication. During rod motion and the time allowed for thermal soak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movement information. Therefore, comparison between the two indications to verify the LCO requirements are met is not required during the time specified in this Note. If the SR comes due during the time allowed by the Note, and the RPI has not stabilized within the required accuracy, the SR should be performed as soon as possible after the time provided by the Note expires. In order to facilitate the thermal stabilization of the RPI during the one-hour thermal soak, absolute rod motion should be limited to six steps.

SR 3.1.4.2.1 (Unit 2)

Verification that the position of individual rods is within alignment limits provides a history that allows the operator to detect a rod that is beginning to deviate from its expected position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that permits it to not be performed for rods associated with an inoperable demand position indicator or an inoperable rod position indicator. The alignment limit is based on the demand position indicator which is not available if the indicator is inoperable.

LCO 3.1.7.2, Unit 2 Rod Position Indication, provides Actions to verify the rods are in alignment when one or more rod position indicators are inoperable.

SR 3.1.4.1.2 (Unit 1) and SR 3.1.4.2.2 (Unit 2)

Verifying each rod is OPERABLE would require that each rod be tripped.

However, in MODES 1 and 2 with Keff 1.0, tripping each rod would result in radial or axial power tilts, or oscillations. Exercising each individual rod provides increased confidence that all rods continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each rod by 10 steps will not cause radial or axial power tilts, or oscillations, to occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Between required performances of SRs 3.1.4.1.2 and 3.1.4.2.2 (determination of rod OPERABILITY by movement), if a rod(s) is discovered to be immovable, Beaver Valley Units 1 and 2 B 3.1.4 - 9 Revision 33

Rod Group Alignment Limits B 3.1.4 BASES SURVEILLANCE REQUIREMENTS (continued) but remains trippable the rod(s) is considered to be OPERABLE. At any time, if a rod(s) is immovable, a determination of the trippability (OPERABILITY) of the rod(s) must be made, and appropriate action taken.

For Unit 1 only. The RPI System requires time to achieve thermal equilibrium after rod movement in order to provide accurate rod position indication. During rod motion and the time allowed for thermal soak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movement information. Considering the time it takes to stabilize the RPI and the relatively short time it takes to perform this SR, it is not required that the RPI show a full 10 step movement in order to confirm freedom of movement. The 10-step requirement of this SR is the minimum required change in demand counter indication that should result in a sufficient change in the RPI to determine freedom of movement.

SR 3.1.4.1.3 (Unit 1) and SR 3.1.4.2.3 (Unit 2)

Verification of rod drop times allows the operator to determine that the maximum rod drop time permitted is consistent with the assumed rod drop time used in the safety analysis. Measuring rod drop times prior to reactor criticality, after reactor vessel head removal, ensures that the reactor internals and rod drive mechanism will not interfere with rod motion or rod drop time, and that no degradation in these systems has occurred that would adversely affect rod motion or drop time. This testing is performed with all RCPs operating and the average moderator temperature 500F to simulate a reactor trip under actual conditions.

This Surveillance is performed during a plant outage, due to the plant conditions needed to perform the SR and the potential for an unplanned plant transient if the Surveillance were performed with the reactor at power.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. 10 CFR 50.46.

3. UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2).

4. UFSAR, Section 14.1.3 (Unit 1) and Section 15.4.3 (Unit 2).

Beaver Valley Units 1 and 2 B 3.1.4 - 10 Revision 33

Shutdown Bank Insertion Limits B 3.1.5 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.5 Shutdown Bank Insertion Limits BASES BACKGROUND The insertion limits of the shutdown and control rods are initial assumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions and assumptions of available ejected rod worth, SDM and initial reactivity insertion rate.

The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design,"

GDC 26, "Reactivity Control System Redundancy and Protection,"

GDC 28, "Reactivity Limits" as discussed in Reference 1, and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on control rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled to step simultaneously.

A bank of RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four control banks and two shutdown banks. See LCOs 3.1.4.1 (Unit 1) and 3.1.4.2 (Unit 2), "Rod Group Alignment Limits," for control and shutdown rod OPERABILITY and alignment requirements, and LCOs 3.1.7.1 (Unit

1) and 3.1.7.2 (Unit 2), "Rod Position Indication," for position indication requirements.

The control banks are used for precise reactivity control of the reactor.

The positions of the control banks are normally automatically controlled by the Rod Control System, but they can also be manually controlled.

They are capable of adding negative reactivity very quickly (compared to borating). The control banks must be maintained above designed insertion limits and are typically near the fully withdrawn position during normal full power operations.

Hence, they are not capable of adding a large amount of positive reactivity. Boration or dilution of the Reactor Coolant System (RCS) compensates for the reactivity changes associated with large changes in RCS temperature. The design calculations are performed with the assumption that the shutdown banks are withdrawn first. The shutdown banks can be fully withdrawn without the core going critical. This Beaver Valley Units 1 and 2 B 3.1.5 - 1 Revision 33

Shutdown Bank Insertion Limits B 3.1.5 BASES BACKGROUND (continued) provides available negative reactivity in the event of boration errors. The shutdown banks are controlled manually by the control room operator.

During normal unit operation, the shutdown banks are either fully withdrawn or fully inserted. The shutdown banks must be completely withdrawn from the core, prior to withdrawing any control banks during an approach to criticality. The shutdown banks are then left in this position until the reactor is shut down. They affect core power and burnup distribution, and add negative reactivity to shut down the reactor upon receipt of a reactor trip signal.

APPLICABLE On a reactor trip, all RCCAs (shutdown banks and control banks), except SAFETY the most reactive RCCA, are assumed to insert into the core. The ANALYSES shutdown banks shall be at or above their insertion limits and available to insert the maximum amount of negative reactivity on a reactor trip signal.

The control banks may be partially inserted in the core, as allowed by LCOs 3.1.6.1 (Unit 1) and 3.1.6.2 (Unit 2), "Control Bank Insertion Limits."

The shutdown bank and control bank insertion limits are established to ensure that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") following a reactor trip from full power.

The combination of control banks and shutdown banks (less the most reactive RCCA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref. 3). The shutdown bank insertion limit also limits the reactivity worth of an ejected shutdown rod.

The acceptance criteria for addressing shutdown and control rod bank insertion limits and inoperability or misalignment is that:

a. There be no violations of:

1. Specified acceptable fuel design limits or

2. RCS pressure boundary integrity and

b. The core remains subcritical after accident transients.

As such, the shutdown bank insertion limits affect safety analysis involving core reactivity and SDM (Ref. 3).

The shutdown bank insertion limits preserve an initial condition assumed in the safety analyses and, as such, satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.1.5 - 2 Revision 33

Shutdown Bank Insertion Limits B 3.1.5 BASES LCO The shutdown banks must be within their insertion limits any time the reactor is critical or approaching criticality. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip.

The shutdown bank insertion limits are defined in the COLR.

For Unit 2, the LCO is modified by a Note indicating the LCO requirement is not applicable to shutdown banks being inserted while performing SR 3.1.4.2.2. This SR verifies the freedom of the rods to move, and may require the shutdown bank to move below the LCO limits, which would normally violate the LCO. This Note applies to each shutdown bank as it is moved below the insertion limit to perform the SR. This Note is not applicable should a malfunction stop performance of the SR.

APPLICABILITY The shutdown banks must be within their insertion limits, with the reactor in MODES 1 and 2. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. The shutdown banks do not have to be within their insertion limits in MODE 3, unless an approach to criticality is being made. In MODE 3, 4, 5, or 6, the shutdown banks are typically fully inserted in the core and contribute to the SDM. Refer to LCO 3.1.1 for SDM requirements in MODES 3, 4, and 5. LCO 3.9.1, "Boron Concentration," ensures adequate SDM in MODE 6.

For Unit 1, the Applicability requirements have been modified by a Note indicating the LCO requirement is suspended during SR 3.1.4.1.2. This SR verifies the freedom of the rods to move, and requires the shutdown banks to move below the LCO limits, which would normally violate the LCO.

ACTIONS A.1.1, A.1.2, and A.2 (Unit 1)

When one or more shutdown banks is not within insertion limits, 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is allowed to restore the shutdown banks to within the insertion limits.

This is necessary because the available SDM may be significantly reduced, with one or more of the shutdown banks not within their insertion limits. Also, verification of SDM or initiation of boration within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is required, since the SDM in MODES 1 and 2 is ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1). If shutdown banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.

The allowed Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.

Beaver Valley Units 1 and 2 B 3.1.5 - 3 Revision 33

Shutdown Bank Insertion Limits B 3.1.5 BASES ACTIONS (continued)

A.1, A.2.1, A.2.2, and A.3 (Unit 2)

If one shutdown bank is inserted less than or equal to 12 steps below the insertion limit, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed to restore the shutdown bank to within the limit. This is necessary because the available SDM may be reduced with a shutdown bank not within its insertion limit. Also, verification of SDM or initiation of boration within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is required, since the SDM in MODES 1 and 2 is ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1). If a shutdown bank is not within its insertion limit, SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.

While the shutdown bank is outside the insertion limit, all control banks must be within their insertion limits to ensure sufficient shutdown margin is available. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is sufficient to repair most rod control failures that would prevent movement of a shutdown bank.

B.1 (Unit 1)

If the shutdown banks cannot be restored to within their insertion limits within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

B.1.1, B.1.2, and B.2 (Unit 2)

When one or more shutdown banks is not within insertion limits for reasons other than Condition A, 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is allowed to restore the shutdown banks to within the insertion limits. This is necessary because the available SDM may be significantly reduced, with one or more of the shutdown banks not within their insertion limits. Also, verification of SDM or initiation of boration within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is required, since the SDM in MODES 1 and 2 is ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1). If shutdown banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.

The allowed Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.

Beaver Valley Units 1 and 2 B 3.1.5 - 4 Revision 33

Shutdown Bank Insertion Limits B 3.1.5 BASES ACTIONS (continued)

C.1 (Unit 2)

If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE where the LCO is not applicable.

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.5.1.1 (Unit 1) and SR 3.1.5.2.1 (Unit 2)

REQUIREMENTS Verification that the shutdown banks are within their insertion limits prior to an approach to criticality ensures that when the reactor is critical, or being taken critical, the shutdown banks will be available to shut down the reactor, and the required SDM will be maintained following a reactor trip.

This SR and Frequency ensure that the shutdown banks are withdrawn before the control banks are withdrawn during a unit startup.

The primary means for verifying that the insertion limits are met is the associated group demand position indicators. Variations in individual rod position indication from the demand position indication are acceptable.

Specifications 3.1.4, "Rod Group Alignment Limits," 3.1.7.1 (Unit 1) and 3.1.7.2 (Unit 2), "Rod Position Indication" provide the appropriate limits and Actions for individual rod position indication.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. 10 CFR 50.46.

3. UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.1.5 - 5 Revision 33

Control Bank Insertion Limits B 3.1.6 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Control Bank Insertion Limits BASES BACKGROUND The insertion limits of the shutdown and control rods are initial assumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions and assumptions of available SDM, and initial reactivity insertion rate.

The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design,"

GDC 26, "Reactivity Control System Redundancy and Protection,"

GDC 28, "Reactivity Limits" as discussed in Reference 1, and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on control rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled to step simultaneously.

A bank of RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four control banks and two shutdown banks. See LCOs 3.1.4.1 (Unit 1) and 3.1.4.2 (Unit 2), "Rod Group Alignment Limits," for control and shutdown rod OPERABILITY and alignment requirements, and LCOs 3.1.7.1 (Unit

1) and 3.1.7.2 (Unit 2), "Rod Position Indication," for position indication requirements.

The control bank insertion limits are specified in the COLR. An example is provided for information only in Figure B 3.1.6-1. The control banks are required to be at or above the insertion limit lines.

Figure B 3.1.6-1 also indicates how the control banks are moved in an overlap pattern. Overlap is the distance traveled together by two control banks. Overlap is a function of the fully withdrawn position defined in the COLR, and the tip-to-tip relationship shown on the figure. On the figure, the tip-to-tip relationship is shown as the difference between control bank C and D positions at 8% power, or 130 steps.

Beaver Valley Units 1 and 2 B 3.1.6 - 1 Revision 33

Control Bank Insertion Limits B 3.1.6 BASES BACKGROUND (continued)

The control banks are used for precise reactivity control of the reactor.

The positions of the control banks are normally controlled automatically by the Rod Control System, but can also be manually controlled. They are capable of adding reactivity very quickly (compared to borating or diluting).

The power density at any point in the core must be limited, so that the fuel design criteria are maintained. Together, LCOs 3.1.4.1 and 3.1.4.2, LCOs 3.1.5.1 and 3.1.5.2, "Shutdown Bank Insertion Limits,"

LCOs 3.1.6.1 and 3.1.6.2, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR),"

provide limits on control component operation and on monitored process variables, which ensure that the core operates within the fuel design criteria.

The shutdown and control bank insertion and alignment limits, AFD, and QPTR are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the control bank insertion limits control the reactivity that could be added in the event of a rod ejection accident, and the shutdown and control bank insertion limits ensure the required SDM is maintained.

Operation within the subject LCO limits will prevent fuel cladding failures that would breach the primary fission product barrier and release fission products to the reactor coolant in the event of a loss of coolant accident (LOCA), loss of flow, ejected rod, or other accident requiring termination by a Reactor Trip System (RTS) trip function.

APPLICABLE The shutdown and control bank insertion limits, AFD, and QPTR LCOs SAFETY are required to prevent power distributions that could result in fuel ANALYSES cladding failures in the event of a LOCA, loss of flow, ejected rod, or other accident requiring termination by an RTS trip function.

The acceptance criteria for addressing shutdown and control bank insertion limits and inoperability or misalignment are that:

a. There be no violations of:

1. Specified acceptable fuel design limits or

2. Reactor Coolant System pressure boundary integrity and

b. The core remains subcritical after accident transients.

As such, the shutdown and control bank insertion limits affect safety analysis involving core reactivity and power distributions (Ref. 3).

Beaver Valley Units 1 and 2 B 3.1.6 - 2 Revision 33

Control Bank Insertion Limits B 3.1.6 BASES APPLICABLE SAFETY ANALYSES (continued)

The SDM requirement is ensured by limiting the control and shutdown bank insertion limits so that the allowable inserted worth of the RCCAs is such that sufficient reactivity is available in the rods to shut down the reactor to hot zero power with a reactivity margin that assumes the maximum worth RCCA remains fully withdrawn upon trip (Ref. 4).

Operation at the insertion limits or AFD limits may approach the maximum allowable linear heat generation rate or peaking factor with the allowed QPTR present. Operation at the insertion limit may also indicate the maximum ejected RCCA worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected RCCA worths.

The control and shutdown bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and power distribution peaking factors are preserved (Ref. 5).

The insertion limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii), in that they are initial conditions assumed in the safety analysis.

LCO The limits on control banks sequence, overlap, and physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected rod worth is maintained, and ensuring adequate negative reactivity insertion is available on trip. The overlap between control banks provides more uniform rates of reactivity insertion and withdrawal and is imposed to maintain acceptable power peaking during control bank motion.

For Unit 2, the LCO is modified by a Note indicating the LCO requirement is not applicable to control banks being inserted while performing SR 3.1.4.2.2. This SR verifies the freedom of the rods to move, and may require the control bank to move below the LCO limits, which would normally violate the LCO. This Note applies to each control bank as it is moved below the insertion limit to perform the SR. This Note is not applicable should a malfunction stop performance of the SR.

APPLICABILITY The control bank sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES 1 and 2 with keff 1.0. These limits must be maintained, since they preserve the assumed power distribution, ejected rod worth, SDM, and reactivity rate insertion assumptions. Applicability in MODES 3, 4, and 5 is not required, since neither the power distribution nor ejected rod worth assumptions would be exceeded in these MODES.

Beaver Valley Units 1 and 2 B 3.1.6 - 3 Revision 33

Control Bank Insertion Limits B 3.1.6 BASES APPLICABILITY (continued)

For Unit 1, the applicability requirements have been modified by a Note indicating the LCO requirements are suspended during the performance of SR 3.1.4.1.2. This SR verifies the freedom of the rods to move, and requires the control bank to move below the LCO limits, which would violate the LCO.

ACTIONS A.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2 (Unit 1)

When the control banks are outside the acceptable insertion limits, they must be restored to within those limits. This restoration can occur in two ways:

a. Reducing power to be consistent with rod position or

b. Moving rods to be consistent with power.

Also, verification of SDM or initiation of boration to regain SDM is required within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , since the SDM in MODES 1 and 2 normally ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") has been upset. If control banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.

Similarly, if the control banks are found to be out of sequence or in the wrong overlap configuration, they must be restored to meet the limits.

Operation beyond the LCO limits is allowed for a short time period in order to take conservative action because the simultaneous occurrence of either a LOCA, loss of flow accident, ejected rod accident, or other accident during this short time period, together with an inadequate power distribution or reactivity capability, has an acceptably low probability.

The allowed Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for restoring the banks to within the insertion, sequence, and overlaps limits provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.

A.1, A.2.1, A.2.2, and A.3 (Unit 2)

If Control Bank A, B, or C is inserted less than or equal to 12 steps below the insertion, sequence, or overlap limits, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed to restore the control bank to within the limits. Verification of SDM or initiation of boration within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is required, since the SDM in MODES 1 and 2 is ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1). If a control bank is not within its insertion limit, SDM will Beaver Valley Units 1 and 2 B 3.1.6 - 4 Revision 33

Control Bank Insertion Limits B 3.1.6 BASES ACTIONS (continued) be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.

While the control bank is outside the insertion, sequence, or overlap limits, all shutdown banks must be within their insertion limits to ensure sufficient shutdown margin is available and that power distribution is controlled. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is sufficient to repair most rod control failures that would prevent movement of a shutdown bank.

Condition A is limited to Control banks A, B, or C. The allowance is not required for Control Bank D because the full power bank insertion limit can be met during performance of the SR 3.1.4.2.2 control rod freedom of movement (trippability) testing.

B.1.1, B.1.2, B.2, C.1.1, C.1.2, and C.2 (Unit 2)

When the control banks are outside the acceptable insertion limits for reasons other than Condition A, they must be restored to within those limits. This restoration can occur in two ways:

a. Reducing power to be consistent with rod position or

b. Moving rods to be consistent with power.

Also, verification of SDM or initiation of boration to regain SDM is required within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , since the SDM in MODES 1 and 2 normally ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") has been upset. If control banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.

Similarly, if the control banks are found to be out of sequence or in the wrong overlap configuration for reasons other than Condition A, they must be restored to meet the limits.

Operation beyond the LCO limits is allowed for a short time period in order to take conservative action because the simultaneous occurrence of either a LOCA, loss of flow accident, ejected rod accident, or other accident during this short time period, together with an inadequate power distribution or reactivity capability, has an acceptably low probability.

The allowed Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for restoring the banks to within the insertion, sequence, and overlaps limits provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.

Beaver Valley Units 1 and 2 B 3.1.6 - 5 Revision 33

Control Bank Insertion Limits B 3.1.6 BASES ACTIONS (continued)

C.1 (Unit 1)

If Required Actions A.1 and A.2, or B.1 and B.2 cannot be completed within the associated Completion Times, the plant must be brought to MODE 2 with keff < 1.0, where the LCO is not applicable. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

D.1 (Unit 2)

If the Required Actions cannot be completed within the associated Completion Times, the plant must be brought to MODE 2 with keff < 1.0, where the LCO is not applicable. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.6.1.1 (Unit 1) and SR 3.1.6.2.1 (Unit 2)

REQUIREMENTS This Surveillance is required to ensure that the reactor does not achieve criticality with the control banks below their insertion limits. The required insertion limits are specified in the COLR.

The primary means for verifying the required control bank position is the associated group demand position indicators. Variations in individual rod position indication from the demand position indication are acceptable.

Specifications 3.1.4, "Rod Group Alignment Limits," 3.1.7.1 (Unit 1) and 3.1.7.2 (Unit 2), "Rod Position Indication" provide the appropriate limits and Actions for individual rod position indication.

The estimated critical position (ECP) depends upon a number of factors, one of which is xenon concentration. If the ECP was calculated long before criticality, xenon concentration could change to make the ECP substantially in error. Conversely, determining the ECP immediately before criticality could be an unnecessary burden. There are a number of unit parameters requiring operator attention at that point. Performing the ECP calculation within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months prior to criticality avoids a large error from changes in xenon concentration, but allows the operator some flexibility to schedule the ECP calculation with other startup activities.

Beaver Valley Units 1 and 2 B 3.1.6 - 6 Revision 33

Control Bank Insertion Limits B 3.1.6 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.1.6.1.2 (Unit 1) and SR 3.1.6.2.2 (Unit 2)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The primary means for verifying that the insertion limits are met is the associated group demand position indicators. Variations in individual rod position indication from the demand position indication are acceptable.

Specifications 3.1.4.1 (Unit 1) and 3.1.4.2 (Unit 2), "Rod Group Alignment Limits," 3.1.7.1 (Unit 1) and 3.1.7.2 (Unit 2), "Rod Position Indication" provide the appropriate limits and Actions for individual rod position indication.

SR 3.1.6.1.3 (Unit 1) and SR 3.1.6.2.3 (Unit 2)

When control banks are maintained within their insertion limits as checked by SRs 3.1.6.1.2 and 3.1.6.2.2 above, it is unlikely that their sequence and overlap will not be in accordance with requirements provided in the COLR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The primary means for verifying that the sequence and overlap limits are met is the associated group demand position indicators. Variations in individual rod position indication from the demand position indication are acceptable. Specifications 3.1.4.1 and 3.1.4.2, "Rod Group Alignment Limits," 3.1.7.1 (Unit 1) and 3.1.7.2 (Unit 2), "Rod Position Indication" provide the appropriate limits and Actions for individual rod position indication.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. 10 CFR 50.46.

3. UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2).

4. UFSAR, Section 3.3.2.6 (Unit 1) and Section 4.3.2.5 (Unit 2).

5. UFSAR, Section 3.3.2.5 (Unit 1) and Section 4.3.2.4 (Unit 2).

Beaver Valley Units 1 and 2 B 3.1.6 - 7 Revision 33

Control Bank Insertion Limits B 3.1.6 54.53, 225 200 100, 187 BANK C Rod Bank Position (Steps Withdrawn) 150 0, 114 100 BANK D 50 THIS FIGURE IS FOR ILLUSTRATION ONLY.

DO NOT USE FOR OPERATION.

8, 0 0

0 20 40 60 80 100 Relative Power (Percent)

Figure B 3.1.6-1 (page 1 of 1)

Control Bank Insertion vs. Percent RTP Beaver Valley Units 1 and 2 B 3.1.6 - 8 Revision 33

Unit 1 Rod Position Indication B 3.1.7.1 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.7 Rod Position Indication B.3.1.7.1 Unit 1 Rod Position Indication BASES BACKGROUND According to GDC 13, as discussed in Reference 1, instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE. LCO 3.1.7.1 is required to ensure OPERABILITY of the control rod position indication system to determine control rod positions and thereby ensure compliance with the control rod alignment and insertion limits.

The OPERABILITY, including rod position, of the shutdown and control rods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available SDM. Rod position indication is required to assess OPERABILITY and misalignment.

Mechanical or electrical failures may cause a control rod to become inoperable or to become misaligned from its group. Control rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, control rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.

Limits on control rod alignment and OPERABILITY have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

Rod cluster control assemblies (RCCAs), or rods, are moved out of the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms. The RCCAs are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for precise reactivity control.

The axial position of shutdown rods and control rods are determined by two separate and independent systems: the Bank Demand Position Indication System (commonly called group step counters) and the Rod Position Indication (RPI) System.

Beaver Valley Units 1 and 2 B 3.1.7.1 - 1 Revision 9

Unit 1 Rod Position Indication B 3.1.7.1 BASES BACKGROUND (continued)

The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods. There is one step counter for each group of rods. Individual rods in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication System is considered highly precise (+/- 1 step or +/- 5/8 inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the position of the rod.

The RPI System provides an accurate indication of actual control rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from coils spaced along a hollow tube.

The maximum uncertainty is +/- 12 steps (+/- 7.5 inches). With an indicated deviation of 12 steps between the group step counter and RPI, the maximum deviation between actual rod position and the demand position could be 24 steps, or 15 inches.

One method for determining each rod position is the indicators on the vertical board. A secondary method of determining rod position is the in-plant computer. Either the vertical board indicators or in-plant computer is sufficient to comply with this specification. The in-plant computer receives the same inputs from ARPI as the vertical board indicators and provides resolution equivalent to or better than the vertical board indicators. The in-plant computer also provides a digital readout of each rod position which eliminates interpolation and parallax errors inherent to analog scales. When an IPC computer point(s) is used as the primary means of rod position indication, administrative controls require the control room staff to continuously display the IPC computer point(s) in the control room.

Due to the need for the control rod drive shaft to reach thermal equilibrium for accurate individual rod position indication, the group demand counter is considered the primary indicator of precise rod position information during rod movement and for the first hour following rod motion. The RPI channels may only display general rod movement information during this time. A one-hour thermal soak is allowed before the RPI channels must perform within the required accuracy. In order to facilitate the thermal stabilization of the RPI during the one-hour thermal soak, absolute rod motion should be limited to six steps.

Beaver Valley Units 1 and 2 B 3.1.7.1 - 2 Revision 9

Unit 1 Rod Position Indication B 3.1.7.1 BASES APPLICABLE Control and shutdown rod position accuracy is essential during power SAFETY operation. Power peaking, ejected rod worth, or SDM limits may be ANALYSES violated in the event of a Design Basis Accident (Ref. 2), with control or shutdown rods operating outside their limits undetected. Therefore, the acceptance criteria for rod position indication is that rod positions must be known with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5.1, "Shutdown Bank Insertion Limits," and LCO 3.1.6.1, "Control Bank Insertion Limits"). The rod positions must also be known in order to verify the alignment limits are preserved (LCO 3.1.4.1, "Rod Group Alignment Limits"). Control rod positions are continuously monitored to provide operators with information that ensures the plant is operating within the bounds of the accident analysis assumptions.

The control rod position indication system channels satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii). The control rod position indication system monitors control rod position, which is an initial condition of the accident analyses.

LCO LCO 3.1.7.1 specifies that the RPI System and the Bank Demand Position Indication System be OPERABLE. For the control rod position indication system to be OPERABLE requires meeting the SR of the LCO and the following:

a. The RPI System indicates within 12 steps of the group step counter demand position as required by LCO 3.1.4.1, "Rod Group Alignment Limits,"

b. For the RPI System there are no failed coils, and

c. The Bank Demand Indication System has been calibrated either in the fully inserted position or to the RPI System.

The 12 step agreement limit between the Bank Demand Position Indication System and the RPI System indicates that the Bank Demand Position Indication System is adequately calibrated, and can be used for indication of the measurement of control rod bank position.

A deviation of less than the allowable limit, given in LCO 3.1.4.1, in position indication for a single control rod, ensures high confidence that the position uncertainty of the corresponding control rod group is within the assumed values used in the safety analysis (that specified control rod group insertion limits).

Beaver Valley Units 1 and 2 B 3.1.7.1 - 3 Revision 33

Unit 1 Rod Position Indication B 3.1.7.1 BASES LCO (continued)

These requirements ensure that rod position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged.

OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositioned control rods can be detected. Therefore, power peaking, ejected rod worth, and SDM can be controlled within acceptable limits.

APPLICABILITY The requirements on the RPI and step counters are only applicable in MODES 1 and 2 (consistent with LCO 3.1.4.1, LCO 3.1.5.1, and LCO 3.1.6.1), because these are the only MODES in which power is generated, and the OPERABILITY and alignment of rods have the potential to affect the safety of the plant. In the shutdown MODES, the OPERABILITY of the shutdown and control banks has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the Reactor Coolant System.

ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each inoperable rod position indicator and each demand position indicator. This is acceptable because the Required Actions for each Condition provide appropriate compensatory actions for each inoperable position indicator.

A.1, A.2.1, and A.2.2 When the RPI System indicates one or more potentially misaligned rods, prompt action must be taken to determine if the rod is actually misaligned or if there is a problem with the RPI System. In order to make the prompt determination, Required Action A.1 specifies that the affected rod position must be verified by measuring the associated RPI channel primary voltage within 15 minutes. If the results of the RPI channel primary voltage measurement indicate that the affected rod is misaligned, Required Action A.2.1 specifies that the applicable Conditions and Required Actions of LCO 3.1.4.1, "Rod Group Alignment Limits" be entered within 15 minutes. If the results of the RPI channel primary voltage measurement do not indicate a misaligned rod, Required Action A.2.2 specifies that the affected RPI is declared inoperable and the applicable Conditions and Required Actions of LCO 3.1.7.1, "Unit 1 Rod Position Indication" be entered within 15 minutes.

Beaver Valley Units 1 and 2 B 3.1.7.1 - 4 Revision 33

Unit 1 Rod Position Indication B 3.1.7.1 BASES ACTIONS (continued)

Condition A is modified by a Note that provides an exception to applying Condition A to misalignment indications that occur during rod motion and for up to one hour following rod motion. The exception is necessary to accommodate the thermal stabilization required after rod movement for the RPI. The RPI System requires time to achieve thermal equilibrium after rod movement in order to provide indication within the required accuracy. During rod motion and the time allowed for thermal soak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movement information. Reliance on the demand counter indication for up to one hour following rod motion is acceptable for determining rod position and therefore, Condition A is not applicable until after the one hour thermal soak provided by the Note.

B.1 When one RPI channel per group fails, the position of the rod may still be determined indirectly by use of the movable incore detectors or by measuring the rod position channel primary voltage. The Required Action may also be satisfied by using the movable incore detectors to ensure at least once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months that FQ(Z) satisfies LCO 3.2.1, FNH satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the nonindicating rods have not been moved. Based on experience, normal power operation does not require excessive movement of banks. If a bank has been significantly moved, the Required Actions of Condition D below are applicable. Therefore, verification of RCCA position within the Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is adequate for allowing continued full power operation, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small.

B.2 Reduction of THERMAL POWER to 50% RTP puts the core into a condition where rod position is not significantly affecting core peaking factors.

The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is reasonable, based on operating experience, for reducing power to 50% RTP from full power conditions without challenging plant systems and allowing for rod position determination by Required Action B.1 above.

Beaver Valley Units 1 and 2 B 3.1.7.1 - 5 Revision 9

Unit 1 Rod Position Indication B 3.1.7.1 BASES ACTIONS (continued)

C.1, C.2, C.3, and C.4 When more than one RPI per group fail, additional actions are necessary to ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potential effects of rod misalignment on associated accident analyses are limited. Placing the Rod Control System in manual assures unplanned rod motion will not occur. Placing the Rod Control System in manual together with the indirect position determination available via movable incore detectors or by measuring the rod position channel primary voltage will minimize the potential for rod misalignment. The immediate Completion Time for placing the Rod Control System in manual reflects the urgency with which unplanned rod motion must be prevented while in this Condition.

Monitoring and recording Reactor Coolant System Tavg help assure that significant changes in power distribution and SDM are avoided. The once per hour Completion Time is acceptable because only minor fluctuations in RCS temperature are expected at steady state plant operating conditions.

The position of the rods may be determined indirectly by use of the movable incore detectors or by measuring the rod position channel primary voltage. The Required Action may also be satisfied by using the movable incore detectors to ensure at least once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months that FQ(Z) satisfies LCO 3.2.1, FNH satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the non-indicating rods have not been moved. Verification of control rod position once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is adequate for allowing continued full power operation for a limited, 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides sufficient time to troubleshoot and restore the RPI system to operation while avoiding the plant challenges associated with the shutdown without full rod position indication.

Based on operating experience, normal power operation does not require excessive rod movement. If one or more rods has been significantly moved, the Required Actions of Condition D below is required.

D.1.1, D.1.2, and D.2 These Required Actions clarify that when one or more rods with inoperable position indicators have been moved in excess of 24 steps in one direction, since the position was last determined, the Required Actions of B.1 or C.3, as applicable are still appropriate but must be initiated immediately under Required Action D.1.1 to begin verifying that these rods are still properly positioned, relative to their group positions.

Beaver Valley Units 1 and 2 B 3.1.7.1 - 6 Revision 9

Unit 1 Rod Position Indication B 3.1.7.1 BASES ACTIONS (continued)

If, within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , the rod positions have not been determined, THERMAL POWER must be reduced to 50% RTP to avoid undesirable power distributions that could result from continued operation at > 50% RTP, if one or more rods are misaligned by more than 24 steps. The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months provides an acceptable period of time to verify the rod positions or reduce power to 50% RTP.

E.1.1 and E.1.2 With one demand position indicator per bank inoperable, the rod positions can be determined by the RPI System. Since normal power operation does not require excessive movement of rods, verification by administrative means that the rod position indication system for each control and shutdown rod is OPERABLE and the most withdrawn rod and the least withdrawn rod are 12 steps apart within the allowed Completion Time of once every 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is adequate.

E.2 Reduction of THERMAL POWER to 50% RTP puts the core into a condition where rod position is not significantly affecting core peaking factor limits. The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months provides an acceptable period of time to verify the rod positions per Condition D or reduce power to 50% RTP.

F.1 If the Required Actions cannot be completed within the associated Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.7.1.1 REQUIREMENTS Verification that each control bank benchboard group step demand counter agrees within +/-2 steps with the solid state indicators in the logic cabinet helps to assure that the benchboard demand counters are indicating correctly and that the demand counters may be relied on during rod movement and for the first hour following rod movement for the primary indication of precise rod position.

Beaver Valley Units 1 and 2 B 3.1.7.1 - 7 Revision 9

Unit 1 Rod Position Indication B 3.1.7.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.7.1.2 Verification that the RPI agrees with the demand position within +/-12 steps ensures that the RPI is operating correctly. The verification of RPI and demand position indication within the required 12 steps over the full range of indicated rod travel is accomplished by comparisons of the indications at specific rod positions (identified in the applicable surveillance procedure) and calibrations as necessary to ensure the required accuracy is achieved.

This Surveillance is performed prior to reactor criticality after each removal of the reactor head, as there is the potential for unnecessary plant transients if the SR were performed with the reactor at power.

The SR is modified by a Note. The Note provides an exception to the SR during rod motion and for the first hour following rod motion. The exception is necessary to allow for thermal stabilization and accurate rod position indication. During rod motion and the time allowed for thermal soak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movement information. Therefore, comparison between the two indications to verify the LCO requirements are met is not required during the time specified in this Note. If the SR comes due during the time allowed by the Note, and the RPI has not stabilized within the required accuracy, the SR should be performed as soon as possible after the time provided by the Note expires. In order to facilitate the thermal stabilization of the RPI during the one-hour thermal soak, absolute rod motion should be limited to six steps.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance."

2. UFSAR, Chapter 14 (Unit 1).

Beaver Valley Units 1 and 2 B 3.1.7.1 - 8 Revision 29

Unit 2 Rod Position Indication B 3.1.7.2 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.7 Rod Position Indication B.3.1.7.2 Unit 2 Rod Position Indication BASES BACKGROUND According to GDC 13, as discussed in Reference 1, instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE. LCO 3.1.7.2 is required to ensure OPERABILITY of the control rod position indicators to determine control rod positions and thereby ensure compliance with the control rod alignment and insertion limits.

The OPERABILITY, including rod position, of the shutdown and control rods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available SDM. Rod position indication is required to assess OPERABILITY and misalignment.

Mechanical or electrical failures may cause a control rod to become inoperable or to become misaligned from its group. Control rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, control rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.

Limits on control rod alignment and OPERABILITY have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

Rod cluster control assemblies (RCCAs), or rods, are moved out of the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms. The RCCAs are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for precise reactivity control.

The axial position of shutdown rods and control rods are determined by two separate and independent systems: the Bank Demand Position Indication System (commonly called group step counters) and the Digital Rod Position Indication (DRPI) System.

Beaver Valley Units 1 and 2 B 3.1.7.2 - 1 Revision 0

Unit 2 Rod Position Indication B 3.1.7.2 BASES BACKGROUND (continued)

The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods. There is one step counter for each group of rods. Individual rods in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication System is considered highly precise ( 1 step or 5/8 inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the position of the rod.

The DRPI System provides a highly accurate indication of actual control rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a hollow tube with a center to center distance of 3.75 inches, which is 6 steps. To increase the reliability of the system, the inductive coils are connected alternately to data system A or B. Thus, if one system fails, the DRPI will go on half accuracy with an effective coil spacing of 7.5 inches, which is 12 steps. Therefore, the normal indication accuracy of the DRPI System is 4 steps, for full accuracy, and +4, -10 steps at half accuracy with data system A, and +10, -4 steps at half accuracy with data system B. As such, only one data system (A or B) is required for an OPERABLE DRPI System indicating within 12 steps of the group step counter demand position indicator. With an indicated deviation of 12 steps between the group step counter and DRPI, the maximum deviation between actual rod position and the demand position could be 22 steps, or 13.75 inches.

APPLICABLE Control and shutdown rod position accuracy is essential during power SAFETY operation. Power peaking, ejected rod worth, or SDM limits may be ANALYSES violated in the event of a Design Basis Accident (Ref. 2), with control or shutdown rods operating outside their limits undetected. Therefore, the acceptance criteria for rod position indication is that rod positions must be known with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5.2, "Unit 2 Shutdown Bank Insertion Limits," and LCO 3.1.6.2, "Unit 2 Control Bank Insertion Limits").

The rod positions must also be known in order to verify the alignment limits are preserved (LCO 3.1.4.2, "Unit 2 Rod Group Alignment Limits").

Control rod positions are continuously monitored to provide operators with information that ensures the plant is operating within the bounds of the accident analysis assumptions.

The control rod position indicator channels satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii). The control rod position indicators monitor control rod position, which is an initial condition of the accident analyses.

Beaver Valley Units 1 and 2 B 3.1.7.2 - 2 Revision 33

Unit 2 Rod Position Indication B 3.1.7.2 BASES LCO LCO 3.1.7.2 specifies that the DRPI System (data system A or B) and the Bank Demand Position Indication System be OPERABLE. For the control rod position indicators to be OPERABLE requires meeting the SR of the LCO and the following:

a. The required DRPI System indicates within 12 steps of the group step counter demand position as required by LCO 3.1.4.2, "Unit 2 Rod Group Alignment Limits,"

b. For the required DRPI System there are no failed coils, and

c. The Bank Demand Indication System has been calibrated either in the fully inserted position or to the DRPI System.

The 12 step agreement limit between the Bank Demand Position Indication System and the DRPI System indicates that the Bank Demand Position Indication System is adequately calibrated, and can be used for indication of the measurement of control rod bank position.

A deviation of less than the allowable limit, given in LCO 3.1.4.2, in position indication for a single control rod, ensures high confidence that the position uncertainty of the corresponding control rod group is within the assumed values used in the safety analysis (that specified control rod group insertion limits).

These requirements ensure that control rod position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged.

OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositioned control rods can be detected. Therefore, power peaking, ejected rod worth, and SDM can be controlled within acceptable limits.

APPLICABILITY The requirements on the DRPI and step counters are only applicable in MODES 1 and 2 (consistent with LCO 3.1.4.2, LCO 3.1.5.2, and LCO 3.1.6.2), because these are the only MODES in which power is generated, and the OPERABILITY and alignment of rods have the potential to affect the safety of the plant. In the shutdown MODES, the OPERABILITY of the shutdown and control banks has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the Reactor Coolant System.

Beaver Valley Units 1 and 2 B 3.1.7.2 - 3 Revision 33

Unit 2 Rod Position Indication B 3.1.7.2 BASES ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each inoperable rod position indicator and each demand position indicator. This is acceptable because the Required Actions for each Condition provide appropriate compensatory actions for each inoperable position indicator.

A.1, A.2.1, and A.2.2 When one DRPI channel per group in one or more groups fails, the position of the rod may still be determined indirectly by use of the movable incore detectors. The Required Action may also be satisfied by using the movable incore detectors to ensure at least once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months that FQ(Z) satisfies LCO 3.2.1, FNH satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the nonindicating rods have not been moved. Based on experience, normal power operation does not require excessive movement of banks. If a bank has been significantly moved, the Required Action of C.1 or C.2 below is required. Therefore, verification of RCCA position within the Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is adequate for allowing continued full power operation, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small.

Required Action A.1 requires verification of the position of a rod with an inoperable DRPI once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months which may put excessive wear and tear on the moveable incore detector system, Required Action A.2.1 provides an alternative. Required Action A.2.1 requires verification of rod position using the moveable incore detectors every 31 EFPD, which coincides with the normal use of the system to verify core power distribution.

Required Action A.2.1 includes six distinct requirements for verification of the position of rods associated with an inoperable DRPI using the movable incore detectors:

a. Initial verification within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months of the inoperability of the DRPI;

b. Re-verification once every 31 Effective Full Power Days (EFPD) thereafter;

c. Verification within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months if rod control system parameters indicate unintended rod movement. An unintended rod movement is defined as the release of the rods stationary gripper when no action was demanded either manually or automatically from the rod control system, or a rod motion in a direction other than the direction demanded by the rod control system. Verifying that no unintended rod movement has occurred is performed by monitoring the rod control system stationary gripper coil current for indications of rod movement; Beaver Valley Units 1 and 2 B 3.1.7.2 - 4 Revision 33

Unit 2 Rod Position Indication B 3.1.7.2 BASES ACTIONS (continued)

d. Verification within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months if the rod with an inoperable DRPI is intentionally moved greater than 12 steps;

e. Verification prior to exceeding 50% RTP if power is reduced below 50% RTP; and

f. Verification within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months of reaching 100% RTP if power is reduced to less than 100% RTP.

Should the rod with the inoperable DRPI be moved more than 12 steps, or if reactor power is changed, the position of the rod with the inoperable DRPI must be verified.

Required Action A.2.2 states that the inoperable DRPI must be restored to OPERABLE status prior to entering MODE 2 from MODE 3. The repair of the inoperable RPI must be performed prior to returning to power operation following a shutdown.

A.3 Reduction of THERMAL POWER to 50% RTP puts the core into a condition where rod position is not significantly affecting core peaking factors.

The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is reasonable, based on operating experience, for reducing power to 50% RTP from full power conditions without challenging plant systems and allowing for rod position determination by Required Action A.1 above.

B.1 and B.2 When more than one DRPI per group in one or more groups fail, additional actions are necessary. Placing the Rod Control System in manual assures unplanned rod motion will not occur. The immediate Completion Time for placing the Rod Control System in manual reflects the urgency with which unplanned rod motion must be prevented while in this Condition.

The inoperable DRPIs must be restored, such that a maximum of one DRPI per group is inoperable, within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides sufficient time to troubleshoot and restore the DRPI system to operation while avoiding the plant challenges associated with the shutdown without full rod position indication.

Based on operating experience, normal power operation does not require excessive rod movement. If one or more rods has been significantly moved, the Required Action of C.1 or C.2 below is required.

Beaver Valley Units 1 and 2 B 3.1.7.2 - 5 Revision 33

Unit 2 Rod Position Indication B 3.1.7.2 BASES ACTIONS (continued)

C.1 and C.2 With one DRPI inoperable in one or more groups and the affected groups have moved greater than 24 steps in one direction since the last determination of rod position, additional actions are needed to verify the position of rods within inoperable DRPI. Within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , the position of the rods with inoperable position indication must be determined using the moveable incore detectors to verify these rods are still properly positioned, relative to their group positions.

If, within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , the rod positions have not been determined, THERMAL POWER must be reduced to 50% RTP to avoid undesirable power distributions that could result from continued operation at > 50% RTP, if one or more rods are misaligned by more than 24 steps. The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months provides an acceptable period of time to verify the rod positions or reduce power to 50% RTP.

D.1.1 and D.1.2 With one or more demand position indicator per bank inoperable in one or more banks, the rod positions can be determined by the DRPI System.

Since normal power operation does not require excessive movement of rods, verification by administrative means that the rod position indicators are OPERABLE and the most withdrawn rod and the least withdrawn rod are 12 steps apart within the allowed Completion Time of once every 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is adequate.

D.2 Reduction of THERMAL POWER to 50% RTP puts the core into a condition where rod position is not significantly affecting core peaking factor limits. The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months provides an acceptable period of time to verify the rod positions per Required Action A.1 or reduce power to 50% RTP.

E.1 If the Required Actions cannot be completed within the associated Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.1.7.2 - 6 Revision 33

Unit 2 Rod Position Indication B 3.1.7.2 BASES SURVEILLANCE SR 3.1.7.2.1 REQUIREMENTS Verification that the DRPI agrees with the demand position within 12 steps ensures that the DRPI is operating correctly. Since the DRPI does not display the actual shutdown rod positions between 18 and 210 steps, only points within the indicated ranges are required in comparison.

This Surveillance is performed prior to reactor criticality after each removal of the reactor head, as there is the potential for unnecessary plant transients if the SR were performed with the reactor at power.

The Surveillance is modified by a Note which states it is not required to be met for DRPIs associated with rods that do not meet LCO 3.1.4.2. If a rod is known to not to be within 12 steps of the group demand position, the ACTIONS of LCO 3.1.4.2 provide the appropriate Actions.

REFERENCES 1. Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. UFSAR, Chapter 15.

Beaver Valley Units 1 and 2 B 3.1.7.2 - 7 Revision 33

Unborated Water Source Isolation Valves B 3.1.8 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Unborated Water Source Isolation Valves BASES BACKGROUND During MODES 4, 5, and 6 isolation valves for flow paths from the Primary Grade Water System to the charging system must be closed to prevent unplanned boron dilution of the reactor coolant. The isolation valves must be secured in the closed position.

The Chemical and Volume Control System is capable of supplying borated and unborated water to the Reactor Coolant System (RCS) through various flow paths. Since an unplanned positive reactivity addition made by reducing the boron concentration is inappropriate during MODES 4, 5, and 6, isolation of the required unborated water sources prevents an unplanned boron dilution.

APPLICABLE The possibility of an inadvertent boron dilution event (Ref. 1) occurring SAFETY in MODES 4, 5, and 6 is precluded by adherence to this LCO, which ANALYSES requires that potential dilution sources be isolated. Closing the required valves prevents the flow of unborated water to the RCS. The valves are used to isolate unborated water sources. These valves have the potential to indirectly allow dilution of the RCS boron concentration. By isolating unborated water sources, a safety analysis for an uncontrolled boron dilution accident in accordance with the Standard Review Plan (Ref. 2) is not required for MODES 4, 5, and 6.

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires that flow paths from the Primary Grade Water System to the RCS (via the charging system) be isolated to prevent unplanned boron dilution during MODES 4, 5, and 6 and thus avoid a reduction in SDM.

In order to meet the requirements of the LCO, the following valves must be isolated:

For Unit 1 either a) 1CH-90 or b) 1CH-91 and 1CH-93.

For Unit 2 either a) 2CHS-37 and 2CHS-828 or b) 2CHS-91, 2CHS-96 and 2CHS-138.

Beaver Valley Units 1 and 2 B 3.1.8 - 1 Revision 0

Unborated Water Source Isolation Valves B 3.1.8 BASES LCO (continued)

The LCO requirement to secure closed each valve used to isolate unborated water sources is modified by a Note. The Note provides an exception to the LCO requirement that allows unborated water source isolation valves to be opened under administrative control for planned boron dilution or makeup activities.

APPLICABILITY In MODES 4, 5, and 6, this LCO is applicable to prevent an inadvertent boron dilution event by ensuring isolation of the required sources of unborated water to the RCS.

For all other MODES, the boron dilution accident was analyzed and was found to be capable of being mitigated.

ACTIONS The ACTIONS Table has been modified by a Note that allows separate Condition entry for each unborated water source isolation valve.

A.1 Continuation of CORE ALTERATIONS and positive reactivity changes is contingent upon maintaining the unit in compliance with this LCO. With any valve used to isolate unborated water sources not secured in the closed position, all operations involving CORE ALTERATIONS and positive reactivity changes must be suspended immediately. The Completion Time of "immediately" for performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.

Condition A has been modified by a Note to require that Required Action A.3 be completed whenever Condition A is entered.

A.2 Preventing inadvertent dilution of the reactor coolant boron concentration is dependent on maintaining the required unborated water isolation valves secured closed. Securing the valves in the closed position ensures that the valves cannot be inadvertently opened. The Completion Time of "immediately" requires an operator to initiate actions to close an open valve and secure the isolation valve in the closed position immediately.

Once actions are initiated, they must be continued until the valves are secured in the closed position.

Beaver Valley Units 1 and 2 B 3.1.8 - 2 Revision 0

Unborated Water Source Isolation Valves B 3.1.8 BASES ACTIONS (continued)

A.3 Due to the potential of having diluted the boron concentration of the reactor coolant, SR 3.1.1.1 (verification of SDM), or SR 3.9.1.1 (verification of boron concentration) must be performed whenever Condition A is entered to demonstrate that the required boron concentration or SDM exists. The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is sufficient to obtain and analyze a reactor coolant sample for boron concentration or to determine the SDM.

SURVEILLANCE SR 3.1.8.1 REQUIREMENTS These valves are to be secured closed to isolate the Primary Grade Water System dilution paths. The likelihood of a significant reduction in the boron concentration is remote due to the volume of borated water and the fact that the required unborated water sources are isolated, precluding a dilution. In MODES 4 and 5, the SDM is verified under SR 3.1.1.1 and in MODE 6 the boron concentration is checked under SR 3.9.1.1. This Surveillance demonstrates that the valves are secured closed by direct field observation. The surveillance must be performed within 15 minutes after a planned boron dilution or makeup activity. The requirement to perform this surveillance promptly after completing dilution or makeup activities provides positive control over such activities and assures the affected valves are restored to the secured closed condition after use. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

In order to meet the requirements of the SR, the condition of the following valves must be verified:

For Unit 1 either a) 1CH-90 or b) 1CH-91 and 1CH-93.

For Unit 2 either a) 2CHS-37 and 2CHS-828 or b) 2CHS-91, 2CHS-96 and 2CHS-138.

REFERENCES 1. UFSAR, Section 14.1.4 (Unit 1) and Section 15.4.6 (Unit 2).

2. NUREG-0800, Section 15.4.6.

Beaver Valley Units 1 and 2 B 3.1.8 - 3 Revision 29

PHYSICS TESTS Exceptions - MODE 2 B 3.1.9 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.9 PHYSICS TESTS Exceptions - MODE 2 BASES BACKGROUND The primary purpose of the MODE 2 PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain PHYSICS TESTS to be performed.

Section XI of 10 CFR 50, Appendix B (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the plant. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59 (Ref. 2).

The requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1997 (Ref. 3). The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 3).

PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of the testing required to ensure that the design intent is met. PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation.

The MODE 2 PHYSICS TESTS required for reload fuel cycles (Ref. 3) are performed in accordance with the requirements described in Reference 3. The required MODE 2 tests are listed below:

a. Critical Boron Concentration - Control Rods Withdrawn,

b. Critical Boron Concentration - Reference Bank Inserted,

c. Control Rod Worth, and

d. Isothermal Temperature Coefficient (ITC).

Beaver Valley Units 1 and 2 B 3.1.9 - 1 Revision 0

PHYSICS TESTS Exceptions - MODE 2 B 3.1.9 BASES APPLICABLE The fuel is protected by LCOs that preserve the initial conditions of the SAFETY core assumed during the safety analyses. The methods for development ANALYSES of the LCOs that are excepted by this LCO are described in the Westinghouse Reload Safety Evaluation Methodology Report (Ref. 4).

The above mentioned PHYSICS TESTS, and other tests that may be required to calibrate nuclear instrumentation or to diagnose operational problems, may require the operating control or process variables to deviate from their LCO limitations.

Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1997 (Ref. 3). Although these PHYSICS TESTS are generally accomplished within the limits for all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. When one or more of the requirements specified in LCO 3.1.3, "Moderator Temperature Coefficient (MTC),"

LCO 3.1.4.1, "Unit 1 Rod Group Alignment Limits," LCO 3.1.4.2, Unit 2 Rod Group Alignment Limits, LCO 3.1.5.1, "Unit 1 Shutdown Bank Insertion Limit," LCO 3.1.4.2, Unit 2 Shutdown Bank Insertion Limit, LCO 3.1.6.1, "Unit 1 Control Bank Insertion Limits," LCO 3.1.6.2, Unit 2 Control Bank Insertion Limits, and LCO 3.4.2, "RCS Minimum Temperature for Criticality" are suspended for PHYSICS TESTS, the fuel design criteria are preserved as long as the power level is limited to 5% RTP, the reactor coolant temperature is kept 531F, and SDM is within the limits provided in the COLR.

The PHYSICS TESTS include measurement of core nuclear parameters or the exercise of control components that affect process variables.

Among the process variables involved are AFD and QPTR, which represent initial conditions of the unit safety analyses. Also involved are the movable control components (control and shutdown rods), which are required to shut down the reactor. The limits for these variables are specified for each fuel cycle in the COLR.

As described in LCO 3.0.7, compliance with Test Exception LCOs is optional, and therefore no criteria of 10 CFR 50.36(c)(2)(ii) apply. Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO This LCO allows the reactor parameters of MTC and minimum temperature for criticality to be outside their specified limits. In addition, it allows selected control and shutdown rods to be positioned outside of their specified alignment and insertion limits. One power range neutron flux channel may be bypassed, reducing the number of required channels from 4 to 3. Operation beyond specified limits is permitted for the purpose of performing PHYSICS TESTS and poses no threat to fuel integrity, provided the SRs are met.

Beaver Valley Units 1 and 2 B 3.1.9 - 2 Revision 33

PHYSICS TESTS Exceptions - MODE 2 B 3.1.9 BASES LCO (continued)

The requirements of LCO 3.1.3, LCO 3.1.4.1, LCO 3.1.4.2, LCO 3.1.5.1, LCO 3.1.5.2, LCO 3.1.6.1, LCO 3.1.6.2, and LCO 3.4.2 may be suspended and the number of required channels for LCO 3.3.1, "RTS Instrumentation," Functions 2, 3, and 17.e may be reduced to 3 required channels during the performance of PHYSICS TESTS provided:

a. RCS lowest loop average temperature is 531F,

b. SDM is within the limits provided in the COLR, and

c. THERMAL POWER is 5% RTP.

In addition to the LCOs listed above the Test Exception provides the following Unit 1 specific exception that may also be used during PHYSICS TESTING:

For Unit 1 only, primary detector voltage measurements may be used to determine the position of rods in shutdown banks A and B and control banks A and B in lieu of the benchboard indicators required by LCO 3.1.7.1.

APPLICABILITY This LCO is applicable when performing low power PHYSICS TESTS.

The Applicability is stated as "during PHYSICS TESTS initiated in MODE 2" to ensure that the 5% RTP maximum power level is not exceeded. Should the THERMAL POWER exceed 5% RTP, and consequently the unit enter MODE 1, this Applicability statement prevents exiting this Specification and its Required Actions.

ACTIONS A.1 and A.2 If the SDM requirement is not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. The operator should begin boration with the best source available for the plant conditions. Boration will be continued until SDM is within limit.

Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

Beaver Valley Units 1 and 2 B 3.1.9 - 3 Revision 33

PHYSICS TESTS Exceptions - MODE 2 B 3.1.9 BASES ACTIONS (continued)

B.1 When THERMAL POWER is > 5% RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent operation of the reactor beyond its design limits. Immediately opening the RTBs will shut down the reactor and prevent operation of the reactor outside of its design limits.

C.1 When the RCS lowest Tavg is < 531°F, the appropriate action is to restore Tavg to within its specified limit. The allowed Completion Time of 15 minutes provides time for restoring Tavg to within limits without allowing the plant to remain in an unacceptable condition for an extended period of time. Operation with the reactor critical and with temperature below 531°F could violate the assumptions for accidents analyzed in the safety analyses.

D.1 If the Required Actions cannot be completed within the associated Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within an additional 15 minutes. The Completion Time of 15 additional minutes is reasonable, based on operating experience, for reaching MODE 3 in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.9.1 REQUIREMENTS The power range and intermediate range neutron detectors are required to be OPERABLE in MODE 2 in accordance with LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." A CHANNEL OPERATIONAL TEST is performed on each power range and intermediate range channel in accordance with the frequency requirement of the referenced RTS surveillances which ensures each channel is tested prior to the initiation of PHYSICS TESTS. The performance of the RTS CHANNEL OPERATIONAL TEST requirements referenced in this SR will ensure that the RTS is properly aligned to provide the required degree of core protection during the performance of the PHYSICS TESTS.

Beaver Valley Units 1 and 2 B 3.1.9 - 4 Revision 0

PHYSICS TESTS Exceptions - MODE 2 B 3.1.9 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.1.9.2 Verification that the RCS lowest loop Tavg is 531°F will ensure that the unit is not operating in a condition that could invalidate the safety analyses. Verification of the RCS temperature during the performance of the PHYSICS TESTS will ensure that the initial conditions of the safety analyses are not violated. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.9.3 Verification that the THERMAL POWER is 5% RTP will ensure that the plant is not operating in a condition that could invalidate the safety analyses. Verification of the THERMAL POWER during the performance of the PHYSICS TESTS will ensure that the initial conditions of the safety analyses are not violated. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.9.4 The SDM is verified by performing a reactivity balance calculation, considering the following reactivity effects:

a. RCS boron concentration,

b. Control bank position, and

c. RCS average temperature.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix B, Section XI.

2. 10 CFR 50.59.

3. ANSI/ANS-19.6.1 - 1997, August 23, 1997.

4. WCAP-9272-P-A, "Westinghouse Reload Safety Evaluation Methodology Report," July 1985.

Beaver Valley Units 1 and 2 B 3.1.9 - 5 Revision 29

RCS Boron Limitations < 500°F B 3.1.10 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.10 RCS Boron Limitations < 500°F BASES BACKGROUND The control rod drive mechanisms (CRDMs) are wired into pre-selected RCCA banks, such that the RCCA banks during normal operation (i.e.,

not in bank select mode) can only be withdrawn in their proper withdrawal sequence. The control of the power supplied to the RCCA banks is such that no more than two RCCA banks can be withdrawn at any time.

When the RCCA banks are capable of being withdrawn from the core, i.e., power supplied to the CRDMs during an approach to criticality for reactor startup, or during maintenance and surveillance testing, there is the potential for an inadvertent RCCA bank withdrawal due to a malfunction of the control rod drive system.

Westinghouse NSAL-00-016 (Ref. 1) discussed the reactor trip functions associated with the Uncontrolled RCCA Bank Withdrawal from a Low Power or Subcritical Condition event (RWFS) (Ref. 2). The primary protection for a RWFS is provided by the Power Range Neutron Flux -

Low trip Function. The Source Range Neutron Flux trip Function is implicitly credited as the primary reactor trip function for a RWFS event in MODES 3, 4, or 5, since the Power Range Neutron Flux - Low trip Function is not required to be OPERABLE in these MODES. However, the Source Range Neutron Flux trip Function is not response time tested per SR 3.3.1.14, and therefore can not be considered to be fully OPERABLE to provide protection for a RWFS event in MODES 3, 4, and 5.

NSAL-00-016 also identified that the Power Range Neutron Flux - Low trip Function may not be OPERABLE at RCS temperatures significantly below the hot zero power Tavg due to calibration issues associated with shielding caused by the cold water in the downcomer region of the reactor vessel. The low RCS temperature limit for Power Range Neutron Flux Trip Function OPERABILITY is 500°F. Therefore, the Power Range Neutron Flux - Low trip Function may not provide the required protection in and below MODE 3 when RCS temperatures are < 500°F due to the calibration issues described above.

Borating the RCS to greater than an all rods out (ARO) critical boron concentration when the RCCA banks are capable of rod withdrawal provides sufficient SHUTDOWN MARGIN in the event of an RWFS when RCS temperatures are < 500°F.

Beaver Valley Units 1 and 2 B 3.1.10 - 1 Revision 0

RCS Boron Limitations < 500°F B 3.1.10 BASES APPLICABLE The RCCA bank withdrawal event addressed by this LCO is the RWFS SAFETY event. An RCCA bank withdrawal event at power is also analyzed, and is ANALYSES addressed by the requirements of other Specifications that are applicable in MODE 1.

The RWFS event assumes a positive reactivity insertion rate that is greater than the worth obtained from the simultaneous withdrawal of the combination of two sequential control banks with the highest combined worth at the maximum withdrawal speed.

The event is assumed to be terminated by the Power Range Neutron Flux

- Low trip Function. The Source Range Neutron Flux and Intermediate Range Neutron Flux trip Functions are also available to terminate an RWFS event, but are not explicitly credited in the safety analyses to terminate the event.

The Power Range Neutron Flux - Low trip Function is considered OPERABLE to provide the required protection for an RWFS event when the RCS temperature is 500°F. This temperature limitation is due to calibration issues associated with shielding caused by cold water in the downcomer region of the reactor vessel. Additionally, although not explicitly analyzed, in MODES 3, 4, and 5, the Source Range Neutron Flux trip Function is implicitly credited to provide protection for an RWFS event.

Since there is no explicit RCCA bank withdrawal analysis performed for MODE 3 when the RCS temperature is < 500°F and in MODES 4 and 5, and the Power Range Neutron Flux - Low trip Function can not be credited to mitigate an RWFS event at RCS temperatures below 500°F, LCO 3.1.10 requires that the RCS boron concentration be greater than the ARO critical boron concentration when the Rod Control System is capable of rod withdrawal in these MODES. This requirement provides sufficient SHUTDOWN MARGIN to prevent the undesirable consequences (i.e., criticality) that could result from an RWFS event.

RCS Boron Limitations < 500°F satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires that the boron concentration of the RCS be greater than the ARO critical boron concentration to provide adequate SHUTDOWN MARGIN in the event of an RWFS event.

Beaver Valley Units 1 and 2 B 3.1.10 - 2 Revision 0

RCS Boron Limitations < 500°F B 3.1.10 BASES APPLICABILITY In the event of an RWFS, the LCO must be applicable to provide adequate SHUTDOWN MARGIN in the following MODES and specified conditions:

In MODE 2 with keff < 1.0 with any RCS cold leg temperature < 500°F and with the Rod Control System capable of rod withdrawal.

In MODE 3 with any RCS cold leg temperature < 500°F and with the Rod Control System capable of rod withdrawal; and

In MODES 4 and 5 with the Rod Control System capable of rod withdrawal.

In MODE 6, the requirements of LCO 3.1.10 are not necessary because the rod control system is not capable of rod withdrawal.

In MODE 2 with keff 1.0, in MODE 2 with keff < 1.0 and all RCS cold leg temperatures 500°F and the Rod Control System capable of rod withdrawal, and in MODE 3 with all RCS cold leg temperatures 500°F and the Rod Control System capable of rod withdrawal, LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation," ensures that the Power Range Neutron Flux-Low trip Function is OPERABLE to mitigate a potential RWFS event.

In MODE 1, the requirements of LCO 3.1.10 are not applicable since an uncontrolled RCCA bank withdrawal event at power would be mitigated by the Power Range Neutron Flux-High trip Function. This Function is required to be OPERABLE by LCO 3.3.1.

ACTIONS A.1 If the RCS boron concentration is not within limit, action must be taken immediately to restore the boron concentration to within limit. Borating the RCS to a concentration greater than the ARO critical boron concentration provides sufficient SHUTDOWN MARGIN, if an RWFS event should occur. Initiating action immediately to restore the boron concentration to within the limit provides assurance that the LCO requirement will be restored in a timely manner. The Completion Time is reasonable considering the low probability of an RWFS event occurring while restoring the boron concentration to within the limit. Additionally, although not explicitly credited as a primary trip, the Source Range Neutron Flux trip Function would provide protection from an RWFS event during this period of time.

Beaver Valley Units 1 and 2 B 3.1.10 - 3 Revision 0

RCS Boron Limitations < 500°F B 3.1.10 BASES ACTIONS (continued)

A.2 If the RCS boron concentration is not within limit, an alternate action is to make the Rod Control System incapable of rod withdrawal. This action precludes a RWFS event from occurring with an inadequate SHUTDOWN MARGIN. Initiating action immediately to make the rod control system incapable of rod withdrawal provides adequate assurance that the unit is promptly placed in a condition in which the boron concentration requirements of the LCO are no longer required to mitigate the consequences of a RWFS event.

A.3 If the RCS boron concentration is not within limit, another alternate action is to restore all RCS cold leg temperatures to 500°F. At this RCS temperature the Power Range Neutron Flux - Low trip Function would be OPERABLE and provide the necessary protection should a RWFS event occur. Initiating action immediately to restore all RCS cold leg temperatures to 500°F provides adequate assurance that the unit is promptly placed in a condition in which the boron concentration requirements of the LCO are no longer necessary. Additionally, although not credited as a primary trip, the Source Range Neutron Flux trip Function would provide protection for a RWFS event while RCS Temperature is being increased.

Required Action A.3 is modified by a Note that states it is not applicable in MODES 4 and 5. The Note provides assurance that this Required Action would only be taken in MODES 2 or 3 (i.e., during a unit startup) when the RCS temperature can readily be increased to 500°F. After the RCS cold leg temperatures are increased to 500°F, the requirements of LCO 3.1.10 are no longer applicable and protection during a RWFS event is provided by the Power Range Neutron Flux - Low trip Function, which is required to be OPERABLE by LCO 3.3.1.

SURVEILLANCE SR 3.1.10.1 REQUIREMENTS This SR ensures that the RCS boron concentration is within limit. The boron concentration is determined periodically by chemical analysis.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.1.10 - 4 Revision 29

RCS Boron Limitations < 500°F B 3.1.10 BASES REFERENCES 1. Westinghouse Nuclear Safety Advisory Letter NSAL-00-016, "Rod Withdrawal from Subcritical Protection in Lower Modes,"

December 4, 2000.

2. Unit 1 UFSAR, Chapter 14 and Unit 2 UFSAR Chapter 15.

Beaver Valley Units 1 and 2 B 3.1.10 - 5 Revision 0

FQ(Z)

B 3.2.1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 Heat Flux Hot Channel Factor (FQ(Z))

BASES BACKGROUND The purpose of the limits on the values of FQ(Z) is to limit the local (i.e., pellet) peak power density. The value of FQ(Z) varies along the axial height (Z) of the core.

FQ(Z) is defined as the maximum local fuel rod linear power density divided by the average fuel rod linear power density, assuming nominal fuel pellet and fuel rod dimensions. Therefore, FQ(Z) is a measure of the peak fuel pellet power within the reactor core.

During power operation, the global power distribution is limited by LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which are directly and continuously measured process variables. These LCOs, along with LCO 3.1.6, "Control Bank Insertion Limits," maintain the core limits on power distributions on a continuous basis.

FQ(Z) varies with fuel loading patterns, control bank insertion, fuel burnup, and changes in axial power distribution.

FQ(Z) is measured periodically using the incore detector system. These measurements are generally taken with the core at or near equilibrium conditions.

Using the measured three dimensional power distributions, it is possible to derive a measured value for FQ(Z). However, because this value represents an equilibrium condition, it does not include the variations in the value of FQ(Z) which are present during nonequilibrium situations such as load following or power ascension.

To account for these possible variations, the equilibrium value of FQ(Z) is adjusted as FWQ(Z) by an elevation dependent factor that accounts for the calculated worst case transient conditions.

Core monitoring and control under non-equilibrium conditions are accomplished by operating the core within the limits of the appropriate LCOs, including the limits on AFD, QPTR, and control rod insertion.

Beaver Valley Units 1 and 2 B 3.2.1 - 1 Revision 0

FQ(Z)

B 3.2.1 BASES APPLICABLE This LCO precludes core power distributions that violate the following fuel SAFETY design criteria:

ANALYSES

a. During a large or small break loss of coolant accident (LOCA), the peak cladding temperature must not exceed 2200°F (Ref. 1),

b. During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a departure from nucleate boiling (DNB) condition,

c. During an ejected rod accident, the energy deposition to the fuel must not exceed 280 cal/gm (Ref. 2), and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 3).

Limits on FQ(Z) ensure that the value of the initial total peaking factor assumed in the accident analyses remains valid. Other criteria must also be met (e.g., maximum cladding oxidation, maximum hydrogen generation, coolable geometry, and long term cooling). However, the peak cladding temperature is typically most limiting.

FQ(Z) satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The Heat Flux Hot Channel Factor, FQ(Z) shall be limited by the following relationships:

FQ(Z) [CFQ / P] K(Z) for P > 0.5 FQ(Z) [CFQ / 0.5] K(Z) for P 0.5 where: CFQ is the FQ(Z) limit at RTP provided in the COLR, K(Z) is the normalized FQ(Z) as a function of core height provided in the COLR, and P = THERMAL POWER / RTP The actual values of CFQ and K(Z) are given in the COLR; however, CFQ is normally a number on the order of 2.40, and K(Z) is a function that looks like the one provided in Figure B 3.2.1-1. Figure B 3.2.1-1 is for illustration purposes only. The actual unit specific K(Z) as a function of core height figures are contained in the COLR.

Beaver Valley Units 1 and 2 B 3.2.1 - 2 Revision 0

FQ(Z)

B 3.2.1 BASES LCO (continued)

For Relaxed Axial Offset Control operation, FQ(Z) is approximated by FCQ(Z) and FWQ(Z). Thus, both FQC(Z) and FWQ(Z) must meet the preceding limits on FQ(Z).

An FCQ(Z) evaluation requires obtaining an incore flux map in MODE 1.

From the incore flux map results we obtain the measured value (FMQ(Z)) of FQ(Z). Then,

- NOTE -

An additional measurement uncertainty is to be applied if the number of measured thimbles for the moveable incore detector system is less than or equal to 37 but greater than or equal to 25. The additional uncertainty of (0.01)*[3-(T/12.5)] is added to the measurement uncertainty, 1.05, where T is the total number of measured thimbles. The total uncertainty applied is then 1.03 times the adjusted measurement uncertainty. At least three measured thimbles per core quadrant are also required.

FCQ(Z) = FMQ(Z) 1.0815 where 1.0815 is a factor that accounts for fuel manufacturing tolerances and flux map measurement uncertainty (Ref. 4).

FCQ(Z) is an excellent approximation for FQ(Z) when the reactor is at the steady state power at which the incore flux map was taken.

The expression for FWQ(Z) is:

FWQ(Z) = FQC(Z) W(Z) where W(Z) is a cycle dependent function that accounts for power distribution transients encountered during normal operation. W(Z) is included in the COLR. The FQC(Z) is calculated at equilibrium conditions.

The FQ(Z) limits define limiting values for core power peaking that precludes peak cladding temperatures above 2200°F during either a large or small break LOCA.

This LCO requires operation within the bounds assumed in the safety analyses. Calculations are performed in the core design process to confirm that the core can be controlled in such a manner during operation that it can stay within the LOCA FQ(Z) limits. If FCQ(Z) cannot be maintained within the LCO limits, reduction of the core power is required and if FWQ(Z) cannot be maintained within the LCO limits, reduction of the AFD limits is required. Note that sufficient reduction of the AFD limits will also result in a reduction of the core power.

Beaver Valley Units 1 and 2 B 3.2.1 - 3 Revision 31

FQ(Z)

B 3.2.1 BASES LCO (continued)

Violating the LCO limits for FQ(Z) produces unacceptable consequences if a design basis event occurs while FQ(Z) is outside its specified limits.

APPLICABILITY The FQ(Z) limits must be maintained in MODE 1 to prevent core power distributions from exceeding the limits assumed in the safety analyses.

Applicability in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require a limit on the distribution of core power.

ACTIONS A.1 Reducing THERMAL POWER by 1% RTP for each 1% by which FCQ(Z) exceeds its limit, maintains an acceptable absolute power density. FCQ(Z) is FMQ(Z) multiplied by a factor accounting for manufacturing tolerances and measurement uncertainties. FMQ(Z) is the measured value of FQ(Z).

The Completion Time of 15 minutes provides an acceptable time to reduce power in an orderly manner and without allowing the plant to remain in an unacceptable condition for an extended period of time. The maximum allowable power level initially determined by Required Action A.1 may be affected by subsequent determinations of FCQ(Z) and would require power reductions within 15 minutes of the FCQ(Z) determination, if necessary to comply with the decreased maximum allowable power level.

Decreases in FCQ(Z) would allow increasing the maximum allowable power level and increasing power up to this revised limit.

A.2 A reduction of the Power Range Neutron Flux - High trip setpoints by 1% for each 1% by which FCQ(Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is sufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER in accordance with Required Action A.1. The maximum allowable Power Range Neutron Flux - High trip setpoints initially determined by Required Action A.2 may be affected by subsequent determinations of FCQ(Z) and would require Power Range Neutron Flux - High trip setpoint reductions within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of the FCQ(Z) determination, if necessary to comply with the decreased maximum allowable Power Range Neutron Flux - High trip setpoints. Decreases in FCQ(Z) would allow increasing the maximum allowable Power Range Neutron Flux - High trip setpoints.

Beaver Valley Units 1 and 2 B 3.2.1 - 4 Revision 30

FQ(Z)

B 3.2.1 BASES ACTIONS (continued)

A.3 Reduction in the Overpower T trip setpoints (value of K4) by 1% for each 1% by which FCQ(Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is sufficient considering the small likelihood of a severe transient in this time period, and the preceding prompt reduction in THERMAL POWER in accordance with Required Action A.1. The maximum allowable Overpower T trip setpoints initially determined by Required Action A.3 may be affected by subsequent determinations of FCQ(Z) and would require Overpower T trip setpoint reductions within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of the FCQ(Z) determination, if necessary to comply with the decreased maximum allowable Overpower T trip setpoints. Decreases in FCQ(Z) would allow increasing the maximum allowable Overpower T trip setpoints.

A.4 Verification that FCQ(Z) has been restored to within its limit, by performing SR 3.2.1.1 and SR 3.2.1.2 prior to increasing THERMAL POWER above the limit imposed by Required Action A.1, ensures that core conditions during operation at higher power levels and future operation are consistent with safety analyses assumptions.

Condition A is modified by a Note that requires Required Action A.4 to be performed whenever the Condition is entered. This ensures that SR 3.2.1.1 and SR 3.2.1.2 will be performed prior to increasing THERMAL POWER above the limit of Required Action A.1, even when Condition A is exited prior to performing Required Action A.4.

Performance of SR 3.2.1.1 and SR 3.2.1.2 are necessary to assure FQ(Z) is properly evaluated prior to increasing THERMAL POWER.

B.1 If it is found that the maximum calculated value of FQ(Z) that can occur during normal maneuvers, FWQ(Z), exceeds its specified limits, there exists a potential for FCQ(Z) to become excessively high if a normal operational transient occurs. Reducing the AFD limits by 1% for each 1% by which FWQ(Z) exceeds its limit within the allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , restricts the axial flux distribution such that even if a transient occurred, core peaking factors are not exceeded.

The implicit assumption is that if W(Z) values were recalculated (consistent with the reduced AFD limits), then FCQ(Z) times the recalculated W(Z) values would meet the FQ(Z) limit. Note that complying with this action (of reducing AFD limits) may also result in a power reduction. Hence the need for Required Actions B.2, B.3 and B.4.

Beaver Valley Units 1 and 2 B 3.2.1 - 5 Revision 30

FQ(Z)

B 3.2.1 BASES ACTIONS (continued)

B.2 A reduction of the Power Range Neutron Flux-High trip setpoints by 1%

for each 1% by which the maximum allowable power is reduced, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is sufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER as a result of reducing AFD limits in accordance with Required Action B.1.

B.3 Reduction in the Overpower T trip setpoints value of K4 by 1% for each 1% by which the maximum allowable power is reduced, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is sufficient considering the small likelihood of a severe transient in this time period, and the preceding prompt reduction in THERMAL POWER as a result of reducing AFD limits in accordance with Required Action B.1.

B.4 Verification that FWQ(Z) has been restored to within its limit, by performing SR 3.2.1.1 and SR 3.2.1.2 prior to increasing THERMAL POWER above the maximum allowable power limit imposed by Required Action B.1 ensures that core conditions during operation at higher power levels and future operation are consistent with safety analyses assumptions.

Condition B is modified by a Note that requires Required Action B.4 to be performed whenever the Condition is entered. This ensures that SR 3.2.1.1 and SR 3.2.1.2 will be performed prior to increasing THERMAL POWER above the limit of Required Action B.1, even when Condition A is exited prior to performing Required Action B.4.

Performance of SR 3.2.1.1 and SR 3.2.1.2 are necessary to assure FQ(Z) is properly evaluated prior to increasing THERMAL POWER.

C.1 If Required Actions A.1 through A.4 or B.1 through B.4 are not met within their associated Completion Times, the plant must be placed in a MODE or condition in which the LCO requirements are not applicable. This is done by placing the plant in at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

This allowed Completion Time is reasonable based on operating experience regarding the amount of time it takes to reach MODE 2 from full power operation in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.2.1 - 6 Revision 30

FQ(Z)

B 3.2.1 BASES SURVEILLANCE SR 3.2.1.1 and SR 3.2.1.2 are modified by a Note. The Note applies REQUIREMENTS during the first power ascension after a refueling. It states that THERMAL POWER may be increased until an equilibrium power level has been achieved at which a power distribution map can be obtained. This allowance is modified, however, by one of the Frequency conditions that requires verification that FQC(Z) and FWQ(Z) are within their specified limits after a power rise of more than 10% RTP over the THERMAL POWER at which they were last verified to be within specified limits. Because FCQ(Z) and FWQ(Z) could not have previously been measured in this reload core, there is a second Frequency condition, applicable only for reload cores, that requires determination of these parameters before exceeding 75% RTP.

This ensures that some determination of FQC(Z) and FWQ(Z) are made at a lower power level at which adequate margin is available before going to 100% RTP. Also, this Frequency condition, together with the Frequency condition requiring verification of FQC(Z) and FWQ(Z) following a power increase of more than 10%, ensures that they are verified as soon as RTP (or any other level for extended operation) is achieved. In the absence of these Frequency conditions, it is possible to increase power to RTP and operate for 31 days without verification of FQC(Z) and FWQ(Z). The Frequency condition is not intended to require verification of these parameters after every 10% increase in power level above the last verification. It only requires verification after a power level is achieved for extended operation that is 10% higher than that power at which FQ(Z) was last measured.

SR 3.2.1.1

- NOTE -

An additional measurement uncertainty is to be applied if the number of measured thimbles for the moveable incore detector system is less than or equal to 37 but greater than or equal to 25. The additional uncertainty of (0.01)*[3-(T/12.5)] is added to the measurement uncertainty, 1.05, where T is the total number of measured thimbles. The total uncertainty applied is then 1.03 times the adjusted measurement uncertainty. At least three measured thimbles per core quadrant are also required.

Verification that FQC(Z) is within its specified limits involves increasing FMQ(Z) to allow for manufacturing tolerance and measurement uncertainties in order to obtain FQC(Z). Specifically, FMQ(Z) is the measured value of FQ(Z) obtained from incore flux map results and FQC(Z) = FMQ(Z) 1.0815 (Ref. 4). FQC(Z) is then compared to its specified limits.

The limit with which FCQ(Z) is compared varies inversely with power above 50% RTP and directly with a function called K(Z) provided in the COLR.

Beaver Valley Units 1 and 2 B 3.2.1 - 7 Revision 31

FQ(Z)

B 3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Performing this Surveillance in MODE 1 prior to exceeding 75% RTP ensures that the FCQ(Z) limit is met when RTP is achieved, because peaking factors generally decrease as power level is increased.

If THERMAL POWER has been increased by 10% RTP since the last determination of FCQ(Z), another evaluation of this factor is required 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after achieving equilibrium conditions at this higher power level (to ensure that FCQ(Z) values are being reduced sufficiently with power increase to stay within the LCO limits).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.2.1.2 The nuclear design process includes calculations performed to determine that the core can be operated within the FQ(Z) limits. Because flux maps are taken in steady state conditions, the variations in power distribution resulting from normal operational maneuvers are not present in the flux map data. These variations are, however, conservatively calculated by considering a wide range of unit maneuvers in normal operation. The maximum peaking factor increase over steady state values, calculated as a function of core elevation, Z, is called W(Z). Multiplying the measured total peaking factor, FCQ(Z), by W(Z) gives the maximum FQ(Z) calculated to occur in normal operation, FWQ(Z).

The SR Note specifies in part "If measurements indicate that the maximum over z of [FCQ(Z)/ K(Z)] has increased ...". This statement in the Note refers to the fact that both FCQ and K are functions of the axial height.

At each applicable core elevation the ratio of FCQ(Z) / K(Z) is calculated to determine the maximum ratio (maximum over z). If this maximum ratio has increased since the last set of evaluations, then the Note modifying this SR specifies additional verifications that must be performed.

The limit with which FWQ(Z) is compared varies inversely with power above 50% RTP and directly with the function K(Z) provided in the COLR.

The W(Z) Table is provided in the COLR for discrete core elevations.

Flux map data are typically taken for 30 to 75 core elevations. FWQ(Z) evaluations are not applicable for the following axial core regions, measured in percent of core height:

a. Lower core region, from 0 to 10% inclusive and

b. Upper core region, from 90 to 100% inclusive.

Beaver Valley Units 1 and 2 B 3.2.1 - 8 Revision 30

FQ(Z)

B 3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The top and bottom 10% of the core are excluded from the evaluation because of the low probability that these regions would be more limiting in the safety analyses and because of the difficulty of making a precise measurement in these regions.

This Surveillance has been modified by a Note that may require more frequent surveillances be performed. If FWQ(Z) is evaluated, an evaluation of the expression below is required to account for any increase to FMQ(Z) that may occur and cause the FQ(Z) limit to be exceeded before the next required FQ(Z) evaluation.

If the two most recent FQ(Z) evaluations show an increase in the expression maximum over z of [ FCQ(Z) / K(Z) ], it is required to meet the FQ(Z) limit with the last FWQ(Z) increased by the greater of a factor of 1.02 or by an appropriate factor specified in the COLR (Ref. 5) or to evaluate FQ(Z) more frequently, each 7 EFPD. These alternative requirements prevent FQ(Z) from exceeding its limit for any significant period of time without detection.

Performing the Surveillance in MODE 1 prior to exceeding 75% RTP ensures that the FQ(Z) limit is met when RTP is achieved, because peaking factors are generally decreased as power level is increased.

FQ(Z) is verified at power levels 10% RTP above the THERMAL POWER of its last verification, 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after achieving equilibrium conditions to ensure that FQ(Z) is within its limit at higher power levels.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50.46, 1974.

2. Regulatory Guide 1.77, Rev. 0, May 1974.

3. 10 CFR 50, Appendix A, GDC 26.

4. WCAP-7308-L-P-A, "Evaluation of Nuclear Hot Channel Factor Uncertainties," June 1988.

5. WCAP-10216-P-A, Rev. 1A, "Relaxation of Constant Axial Offset Control (and) FQ Surveillance Technical Specification," February 1994.

Beaver Valley Units 1 and 2 B 3.2.1 - 9 Revision 30

FQ(Z)

B 3.2.1 THIS FIGURE FOR ILLUSTRATION ONLY.

DO NOT USE FOR OPERATION.

ACTUAL UNIT SPECIFIC FIGURES ARE CONTAINED IN THE COLR.

Figure B 3.2.1-1 (page 1 of 1)

K(Z) - Normalized FQ(Z) as a Function of Core Height Beaver Valley Units 1 and 2 B 3.2.1 - 10 Revision 0

FNH B 3.2.2 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 Nuclear Enthalpy Rise Hot Channel Factor (FNH)

BASES BACKGROUND The purpose of this LCO is to establish limits on the power density at any point in the core so that the fuel design criteria are not exceeded and the accident analysis assumptions remain valid. The design limits on local (pellet) and integrated fuel rod peak power density are expressed in terms of hot channel factors. Control of the core power distribution with respect to these factors ensures that local conditions in the fuel rods and coolant channels do not challenge core integrity at any location during either normal operation or a postulated accident analyzed in the safety analyses.

FNH is defined as the ratio of the integral of the linear power along the fuel rod with the highest integrated power to the average integrated fuel rod power. Therefore, FNH is a measure of the maximum total power produced in a fuel rod.

FNH is sensitive to fuel loading patterns, bank insertion, and fuel burnup.

FNH typically increases with control bank insertion and typically decreases with fuel burnup.

FNH is not directly measurable but is inferred from a power distribution map obtained with the movable incore detector system. Specifically, the results of the three dimensional power distribution map are analyzed by a computer to determine FNH. This factor is calculated at least every 31 EFPD. However, during power operation, the global power distribution is monitored by LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which address directly and continuously measured process variables.

The COLR provides peaking factor limits that ensure that the design basis value of the departure from nucleate boiling (DNB) is met for normal operation, operational transients, and any transient condition arising from events of moderate frequency. The DNB design basis ensures the probability that DNB will not occur on the most limiting fuel rod is at least 95% at a 95% confidence level. This is met by limiting the minimum DNBR to the 95/95 DNB criterion of 1.22 for typical and thimble cells using the WRB-2M Critical Heat Flux (CHF) correlation, and 1.23 for the typical cell and 1.22 for the thimble cell using the WRB-1 CHF correlation.

All DNB limited transient events are assumed to begin with an FNH value that satisfies the LCO requirements.

Operation outside the LCO limits may produce unacceptable consequences if a DNB limiting event occurs. The DNB design basis ensures that there is no overheating of the fuel that results in possible Beaver Valley Units 1 and 2 B 3.2.2 - 1 Revision 0

FNH B 3.2.2 BASES BACKGROUND (continued) cladding perforation with the release of fission products to the reactor coolant.

APPLICABLE Limits on FNH preclude core power distributions that exceed the following SAFETY fuel design limits:

ANALYSES

a. There must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hottest fuel rod in the core does not experience a DNB condition,

b. During a large or small break loss of coolant accident (LOCA), peak cladding temperature (PCT) must not exceed 2200°F (Ref. 3),

c. During an ejected rod accident, the energy deposition to the fuel must not exceed 280 cal/gm (Ref. 1), and

d. Fuel design limits required by GDC 26 (Ref. 2) for the condition when control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn.

For transients that may be DNB limited, the Reactor Coolant System flow and FNH are the core parameters of most importance. The limits on FNH ensure that the DNB design basis is met for normal operation, operational transients, and any transients arising from events of moderate frequency.

The DNB design basis ensures the probability that DNB will not occur on the most limiting fuel rod is at least 95% at a 95% confidence level. This is met by limiting the minimum DNBR to the 95/95 DNB criterion of 1.22 for typical and thimble cells using the WRB-2M CHF correlation, and 1.23 for the typical cell and 1.22 for the thimble cell using the WRB-1 CHF correlation. These values provide a high degree of assurance that the hottest fuel rod in the core does not experience a DNB.

The allowable FNH limit increases with decreasing power level. This functionality in FNH is included in the analyses that provide the Reactor Core Safety Limits (SLs) of SL 2.1.1. Therefore, DNB events in which the core limits are modeled implicitly use this variable value of FNH in the analyses. Likewise, all transients that may be DNB limited are assumed to begin with an initial FNH as a function of power level defined by the COLR limit equation.

The LOCA safety analysis indirectly models FNH as an input parameter.

The Nuclear Heat Flux Hot Channel Factor (FQ(Z)) and the axial peaking factors are also indirectly modeled in the LOCA safety analyses that verify the acceptability of the resulting peak cladding temperature (Ref. 3).

Beaver Valley Units 1 and 2 B 3.2.2 - 2 Revision 0

FNH B 3.2.2 BASES APPLICABLE SAFETY ANALYSES (continued)

The fuel is protected in part by Technical Specifications, which ensure that the initial conditions assumed in the safety and accident analyses remain valid. The following LCOs ensure this: LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," LCO 3.1.6, "Control Bank Insertion Limits," LCO 3.2.2, "Nuclear Enthalpy Rise Hot Channel Factor (FNH)," and LCO 3.2.1, "Heat Flux Hot Channel Factor (FQ(Z))."

FNH and FQ(Z) are measured periodically using the movable incore detector system. Measurements are generally taken with the core at, or near, steady state conditions. Core monitoring and control under transient conditions (Condition 1 events) are accomplished by operating the core within the limits of the LCOs on AFD, QPTR, and Bank Insertion Limits.

FNH satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO FNH shall be maintained within the limits of the relationship provided in the COLR.

The FNH limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has the highest probability for a DNB.

The limiting value of FNH, described by the equation contained in the COLR, is a design radial peaking factor (nuclear enthalpy rise hot channel factor) used in the unit safety analyses.

A power multiplication factor in this equation includes an additional margin for higher radial peaking from reduced thermal feedback and greater control rod insertion at low power levels. The limiting value of FNH is allowed to increase by the value for PFH specified in the COLR for every 1% RTP reduction in THERMAL POWER.

APPLICABILITY The FNH limits must be maintained in MODE 1 to preclude core power distributions from exceeding the fuel design limits for DNBR and PCT.

Applicability in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power. Specifically, the design bases events that are sensitive to FNH in other MODES (MODES 2 through 5) have significant margin to the DNBR limit, and therefore, there is no need to restrict FNH in these MODES.

Beaver Valley Units 1 and 2 B 3.2.2 - 3 Revision 0

FNH B 3.2.2 BASES ACTIONS A.1.1 With FNH exceeding its limit, the unit is allowed 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to restore FNH to within its limits. This restoration may, for example, involve realigning any misaligned rods or reducing power enough to bring FNH within its power dependent limit. When the FNH limit is exceeded, the DNBR limits are not likely violated in steady state operation, because events that could significantly perturb the FNH value (e.g., static control rod misalignment) are considered in the safety analyses. However, the DNBR limits may be violated if a DNB limiting event occurs. Thus, the allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months provides an acceptable time to restore FNH to within its limits without allowing the plant to remain in an unacceptable condition for an extended period of time.

Condition A is modified by a Note that requires that Required Actions A.2 and A.3 must be completed whenever Condition A is entered. Thus, if power is not reduced because this Required Action is completed within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months time period, Required Action A.2 nevertheless requires another measurement and calculation of FNH within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months in accordance with SR 3.2.2.1.

However, if power is reduced below 50% RTP, Required Action A.3 requires that another determination of FNH must be performed prior to exceeding 50% RTP, prior to exceeding 75% RTP, and within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after reaching or exceeding 95% RTP. In addition, Required Action A.2 is performed if power ascension is delayed past 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

A.1.2.1 and A.1.2.2 If the value of FNH is not restored to within its specified limit either by adjusting a misaligned rod or by reducing THERMAL POWER, the alternative option is to reduce THERMAL POWER to < 50% RTP in accordance with Required Action A.1.2.1 and reduce the Power Range Neutron Flux - High to 55% RTP in accordance with Required Action A.1.2.2. Reducing RTP to < 50% RTP increases the DNB margin and does not likely cause the DNBR limit to be violated in steady state operation. The reduction in trip setpoints ensures that continuing operation remains at an acceptable low power level with adequate DNBR margin. The allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for Required Action A.1.2.1 is consistent with those allowed for in Required Action A.1.1 and provides an acceptable time to reach the required power level from full power operation without allowing the plant to remain in an unacceptable condition for an extended period of time. The Completion Times of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for Required Actions A.1.1 and A.1.2.1 are not additive.

Beaver Valley Units 1 and 2 B 3.2.2 - 4 Revision 0

FNH B 3.2.2 BASES ACTIONS (continued)

The allowed Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to reset the trip setpoints per Required Action A.1.2.2 recognizes that, once power is reduced, the safety analysis assumptions are bounding and there is no urgent need to reduce the trip setpoints. This is a sensitive operation that may inadvertently trip the Reactor Protection System.

A.2 Once the power level has been reduced to < 50% RTP per Required Action A.1.2.1, an incore flux map (SR 3.2.2.1) must be obtained and the measured value of FNH verified not to exceed the allowed limit at the lower power level. The unit is provided 20 additional hours to perform this task over and above the 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months allowed by either Action A.1.1 or Action A.1.2.1. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is acceptable because of the increase in the DNB margin, which is obtained at lower power levels, and the low probability of having a DNB limiting event within this 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period. Additionally, operating experience has indicated that this Completion Time is sufficient to obtain the incore flux map, perform the required calculations, and evaluate FNH.

A.3 Verification that FNH is within its specified limits after an out of limit occurrence ensures that the cause that led to the FNH exceeding its limit is corrected, and that subsequent operation proceeds within the LCO limit.

This Action demonstrates that the FNH limit is within the LCO limits prior to exceeding 50% RTP, again prior to exceeding 75% RTP, and within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after THERMAL POWER is 95% RTP.

This Required Action is modified by a Note that states that THERMAL POWER does not have to be reduced prior to performing this Action.

B.1 When Required Actions A.1.1 through A.3 cannot be completed within their required Completion Times, the plant must be placed in a MODE in which the LCO requirements are not applicable. This is done by placing the plant in at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience regarding the time required to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.2.2 - 5 Revision 0

FNH B 3.2.2 BASES SURVEILLANCE SR 3.2.2.1 REQUIREMENTS

- NOTE -

An additional measurement uncertainty is to be applied if the number of measured thimbles for the moveable incore detector system is less than or equal to 37 but greater than or equal to 25. The additional uncertainty of (0.01)*[3-(T/12.5)] is added to 1.04, where T is the total number of measured thimbles. At least three measured thimbles per core quadrant are also required.

The value of FH N is determined by using the movable incore detector system to obtain a flux distribution map. A data reduction computer program then calculates the maximum value of FH N from the measured flux distributions. The measured value of FH must be multiplied by 1.04 N

to account for measurement uncertainty before making comparisons to the FHN limit.

After each refueling, FH N must be determined in MODE 1 prior to exceeding 75% RTP. This requirement ensures that FH N limits are met at the beginning of each fuel cycle.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Regulatory Guide 1.77, Rev. 0, May 1974.

2. 10 CFR 50, Appendix A, GDC 26.

3. 10 CFR 50.46.

Beaver Valley Units 1 and 2 B 3.2.2 - 6 Revision 31

AFD B 3.2.3 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.3 AXIAL FLUX DIFFERENCE (AFD)

BASES BACKGROUND The purpose of this LCO is to establish limits on the values of the AFD in order to limit the amount of axial power distribution skewing to either the top or bottom of the core. By limiting the amount of power distribution skewing, core peaking factors are consistent with the assumptions used in the safety analyses. Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution control.

Relaxed Axial Offset Control (RAOC) is a calculational procedure that defines the allowed operational space of the AFD versus THERMAL POWER. The AFD limits are selected by considering a range of axial xenon distributions that may occur as a result of large variations of the AFD. Subsequently, power peaking factors and power distributions are examined to ensure that the loss of coolant accident (LOCA), loss of flow accident, and anticipated transient limits are met. Violation of the AFD limits invalidate the conclusions of the accident and transient analyses with regard to fuel cladding integrity.

The AFD is monitored on an automatic basis using the unit process computer, which has an AFD monitor alarm. The computer determines the 1 minute average of each of the OPERABLE excore detector outputs and provides an alarm message immediately if the AFD for two or more OPERABLE excore channels is outside its specified limits. If the AFD monitor is out of service, indicated AFD for each OPERABLE excore channel is manually monitored in accordance with the requirements specified in the Licensing Requirements Manual (Ref. 1).

Although the RAOC defines limits that must be met to satisfy safety analyses, typically an operating scheme, Constant Axial Offset Control (CAOC) is used to control axial power distribution in day to day operation (Ref. 2). CAOC requires that the AFD be controlled within a narrow tolerance band around a burnup dependent target to minimize the variation of axial peaking factors and axial xenon distribution during unit maneuvers.

The CAOC operating space is typically smaller and lies within the RAOC operating space. Control within the CAOC operating space constrains the variation of axial xenon distributions and axial power distributions.

RAOC calculations assume a wide range of xenon distributions and then confirm that the resulting power distributions satisfy the requirements of the accident analyses.

Beaver Valley Units 1 and 2 B 3.2.3 - 1 Revision 0

AFD B 3.2.3 BASES APPLICABLE The AFD is a measure of the axial power distribution skewing to either SAFETY the top or bottom half of the core. The AFD is sensitive to many core ANALYSES related parameters such as control bank positions, core power level, axial burnup, axial xenon distribution, and, to a lesser extent, reactor coolant temperature and boron concentration.

The allowed range of the AFD is used in the nuclear design process to confirm that operation within these limits produces core peaking factors and axial power distributions that meet safety analysis requirements.

The RAOC methodology (Ref. 3) establishes a xenon distribution library with tentatively wide AFD limits. One dimensional axial power distribution calculations are then performed to demonstrate that normal operation power shapes are acceptable for the LOCA and loss of flow accident, and for initial conditions of anticipated transients. The tentative limits are adjusted as necessary to meet the safety analysis requirements.

The limits on the AFD ensure that the Heat Flux Hot Channel Factor (FQ(Z)) is not exceeded during either normal operation or in the event of xenon redistribution following power changes. The limits on the AFD also restrict the range of power distributions that are used as initial conditions in the analyses of Condition 2, 3, or 4 events. This ensures that the fuel cladding integrity is maintained for these postulated accidents. The most limiting Condition 4 event with respect to the AFD limits is the LOCA. The most limiting Condition 3 event with respect to the AFD limits is the loss of flow accident. The most limiting Condition 2 events with respect to the AFD limits include the uncontrolled RCCA bank withdrawal at power, dropped RCCA, and boron dilution accidents. Condition 2 accidents simulated to begin from within the AFD limits are used to confirm the adequacy of the Overpower T and Overtemperature T trip setpoints.

The limits on the AFD satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The shape of the power profile in the axial (i.e., the vertical) direction is largely under the control of the operator through the manual operation of the control banks or automatic motion of control banks. The automatic motion of the control banks is in response to temperature deviations resulting from manual operation of the Chemical and Volume Control System to change boron concentration or from power level changes.

Signals are available to the operator from the Nuclear Instrumentation System (NIS) excore neutron detectors (Ref. 4). Separate signals are taken from the top and bottom detectors. The AFD is defined as the difference in normalized flux signals between the top and bottom excore detectors in each detector well. For convenience, this flux difference is converted to provide flux difference units expressed as a percentage and labeled as % flux or %I.

Beaver Valley Units 1 and 2 B 3.2.3 - 2 Revision 0

AFD B 3.2.3 BASES LCO (continued)

The AFD limits are provided in the COLR. Figure B 3.2.3-1 shows typical RAOC AFD limits. The AFD limits for RAOC do not depend on the target flux difference. However, the target flux difference may be used to minimize changes in the axial power distribution.

Violating this LCO on the AFD could produce unacceptable consequences if a Condition 2, 3, or 4 event occurs while the AFD is outside its specified limits.

The LCO is modified by a Note which states that AFD shall be considered outside its limit when two or more OPERABLE excore channels indicate AFD to be outside its limit.

APPLICABILITY The AFD requirements are applicable in MODE 1 greater than or equal to 50% RTP when the combination of THERMAL POWER and core peaking factors are of primary importance in safety analysis.

For AFD limits developed using RAOC methodology, the value of the AFD does not affect the limiting accident consequences with THERMAL POWER < 50% RTP and for lower operating power MODES.

ACTIONS A.1 As an alternative to restoring the AFD to within its specified limits, Required Action A.1 requires a THERMAL POWER reduction to

< 50% RTP. This places the core in a condition for which the value of the AFD is not important in the applicable safety analyses. A Completion Time of 30 minutes is reasonable, based on operating experience, to reach 50% RTP without challenging plant systems.

SURVEILLANCE SR 3.2.3.1 REQUIREMENTS This Surveillance verifies that the AFD, as indicated by the NIS excore channel, is within its specified limits. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.2.3 - 3 Revision 29

AFD B 3.2.3 BASES REFERENCES 1. Licensing Requirements Manual (LRM).

2. WCAP-8403 (nonproprietary), "Power Distribution Control and Load Following Procedures," Westinghouse Electric Corporation, September 1974.

3. WCAP-10216-P-A, Rev. 1A, "Relaxation of Constant Axial Offset Control: FQ Surveillance Technical Specification," February 1994.

4. UFSAR, Chapter 7 (Unit 1) and UFSAR Chapter 4 (Unit 2).

Beaver Valley Units 1 and 2 B 3.2.3 - 4 Revision 0

AFD B 3.2.3 Figure B 3.2.3-1 (page 1 of 1)

AXIAL FLUX DIFFERENCE Acceptable Operation Limits as a Function of RATED THERMAL POWER Beaver Valley Units 1 and 2 B 3.2.3 - 5 Revision 0

QPTR B 3.2.4 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.4 QUADRANT POWER TILT RATIO (QPTR)

BASES BACKGROUND The QPTR limit ensures that the gross radial power distribution remains consistent with the design values used in the safety analyses. Precise radial power distribution measurements are made during startup testing, after refueling, and periodically during power operation.

The power density at any point in the core must be limited so that the fuel design criteria are maintained. Together, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO 3.2.4, and LCO 3.1.6, "Control Rod Insertion Limits," provide limits on process variables that characterize and control the three dimensional power distribution of the reactor core. Control of these variables ensures that the core operates within the fuel design criteria and that the power distribution remains within the bounds used in the safety analyses.

APPLICABLE This LCO precludes core power distributions that violate the following fuel SAFETY design criteria:

ANALYSES

a. During a large or small break loss of coolant accident, the peak cladding temperature must not exceed 2200°F (Ref. 1),

b. During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 departure from nucleate boiling (DNB) criterion) that the hot fuel rod in the core does not experience a DNB condition,

c. During an ejected rod accident, the energy deposition to the fuel must not exceed 280 cal/gm (Ref. 2), and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 3).

The LCO limits on the AFD, the QPTR, the Heat Flux Hot Channel Factor (FQ(Z)), the Nuclear Enthalpy Rise Hot Channel Factor (FNH), and control bank insertion are established to preclude core power distributions that exceed the safety analyses limits.

The QPTR limits ensure that FNH and FQ(Z) remain below their limiting values by preventing an undetected change in the gross radial power distribution.

Beaver Valley Units 1 and 2 B 3.2.4 - 1 Revision 0

QPTR B 3.2.4 BASES APPLICABLE SAFETY ANALYSES (continued)

In MODE 1, the FH N and FQ(Z) limits must be maintained to preclude core power distributions from exceeding design limits assumed in the safety analyses.

The QPTR satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The QPTR limit of 1.02, at which corrective action is required, provides a margin of protection for both the DNB ratio and linear heat generation rate contributing to excessive power peaks resulting from X-Y plane power tilts. A limiting QPTR of 1.02 can be tolerated before the margin for uncertainty in FQ(Z) and (FNH) is possibly challenged.

APPLICABILITY The QPTR limit must be maintained in MODE 1 with THERMAL POWER

> 50% RTP to prevent core power distributions from exceeding the design limits.

Applicability in MODE 1 50% RTP and in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require the implementation of a QPTR limit on the distribution of core power. The QPTR limit in these conditions is, therefore, not important. Note that the FNH and FQ(Z) LCOs still apply, but allow progressively higher peaking factors at 50% RTP or lower.

ACTIONS Unless Required Action A.1 limits THERMAL POWER to 50% RTP, Required Actions A.1 through A.6 permit continued operation in the MODE or other specified conditions in the Applicability for an unlimited period of time, as used in LCO 3.0.4.a.

A.1 With the QPTR exceeding its limit, the maximum allowable THERMAL POWER level is established by the following equation and THERMAL POWER is reduced or maintained below that maximum allowable level:

Maximum allowable THERMAL POWER = 100% RTP - (3% RTP x

((QPTR - 1.00) x 100))

If THERMAL POWER is below the maximum allowable THERMAL POWER level at the time of Condition A entry, no power reduction is required. Power ascension is allowed while in Condition A provided the maximum allowable THERMAL POWER is not exceeded.

Beaver Valley Units 1 and 2 B 3.2.4 - 2 Revision 35

QPTR B 3.2.4 BASES ACTIONS (continued)

The use of a QPTR of 1.00 in this equation rather than the LCO limit is required by Required Action A.1 and reflects the desire for a normalized radial power distribution. Establishing the maximum allowable THERMAL POWER level and reducing THERMAL POWER, if necessary, is a conservative tradeoff of total core power with peak linear power. The Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months allows sufficient time to identify the cause and correct the out of limit QPTR, or to reduce THERMAL POWER if necessary. Note that power changes may cause changes in the QPTR measured value.

The maximum allowable power level initially determined by Required Action A.1 may be affected by subsequent determinations of QPTR.

Increases in QPTR would require power reduction within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months of QPTR determination, if necessary to comply with the decreased maximum allowable power level.

A.2 After completion of Required Action A.1, the QPTR alarm may still be in its alarmed state. As such, any additional changes in the QPTR are detected by requiring a check of the QPTR once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter.

A 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is sufficient because any additional change in QPTR would be relatively slow.

A.3 The peaking factors FQ(Z), as approximated by FQC(Z) and FWQ(Z), and FH N are of primary importance in ensuring that the power distribution remains consistent with the initial conditions used in the safety analyses.

Performing SRs on FH N and FQ(Z) within the Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after achieving equilibrium conditions from a Thermal Power reduction per Required Action A.1 ensures that these primary indicators of power distribution are within their respective limits. Equilibrium conditions are achieved when the core is sufficiently stable at intended operating conditions to support flux mapping. A Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after achieving equilibrium conditions from Thermal Power reduction per Required Action A.1 takes into consideration the rate at which peaking factors are likely to change, and the time required to stabilize the plant and perform a flux map. If these peaking factors are not within their limits, the applicable Required Actions provide an appropriate response for the abnormal condition. If the QPTR remains above its specified limit, the peaking factor surveillances are required each 7 days thereafter to evaluate FNH and FQ(Z) with changes in power distribution. Relatively small changes are expected due to either burnup and xenon redistribution or correction of the cause for exceeding the QPTR limit.

Beaver Valley Units 1 and 2 B 3.2.4 - 3 Revision 35

QPTR B 3.2.4 BASES ACTIONS (continued)

A.4 Although FNH and FQ(Z) are of primary importance as initial conditions in the safety analyses, other changes in the power distribution may occur as the QPTR limit is exceeded and may have an impact on the validity of the safety analysis. A change in the power distribution can affect such reactor parameters as bank worths and peaking factors for rod malfunction accidents. When the QPTR exceeds its limit, it does not necessarily mean a safety concern exists. It does mean that there is an indication of a change in the gross radial power distribution that requires an investigation and evaluation that is accomplished by examining the incore power distribution. Specifically, the core peaking factors and the quadrant tilt must be evaluated because they are the factors that best characterize the core power distribution. This re-evaluation is required to ensure that, before increasing THERMAL POWER to above the limit of Required Action A.1, the reactor core conditions are consistent with the assumptions in the safety analyses.

A.5 If the QPTR has exceeded the 1.02 limit and a re-evaluation of the safety analysis is completed and shows that safety requirements are met, the excore detectors are normalized to restore QPTR to within limits prior to increasing THERMAL POWER to above the limit of Required Action A.1.

Normalization is accomplished in such a manner that the indicated QPTR following normalization is near 1.00. This is done to detect any subsequent significant changes in QPTR.

Required Action A.5 is modified by two Notes. Note 1 states that the QPTR is not restored to within limits until after the re-evaluation of the safety analysis has determined that core conditions at RTP are within the safety analysis assumptions (i.e., Required Action A.4). Note 2 states that if Required Action A.5 is performed, then Required Action A.6 shall be performed. Required Action A.5 normalizes the excore detectors to restore QPTR to within limits, which restores compliance with LCO 3.2.4.

Thus, Note 2 prevents exiting the Actions prior to completing flux mapping to verify peaking factors, per Required Action A.6. These Notes are intended to prevent any ambiguity about the required sequence of actions.

A.6 Once the flux tilt is restored to within limits (i.e., Required Action A.5 is performed), it is acceptable to return to full power operation. However, as an added check that the core power distribution is consistent with the safety analysis assumptions, Required Action A.6 requires verification Beaver Valley Units 1 and 2 B 3.2.4 - 4 Revision 35

QPTR B 3.2.4 BASES ACTIONS (continued) that FQ(Z), as approximated by FQC(Z) and FWQ(Z), and FH N are within their specified limits within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of achieving equilibrium conditions at RTP.

As an added precaution, if the core power does not reach equilibrium conditions at RTP within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , but is increased slowly, then the peaking factor surveillances must be performed within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months after increasing THERMAL POWER above the limit of Required Action A.1.

These Completion Times are intended to allow adequate time to increase THERMAL POWER to above the limit of Required Action A.1, while not permitting the core to remain with unconfirmed power distributions for extended periods of time.

Required Action A.6 is modified by a Note that states that the peaking factor surveillances may only be done after the excore detectors have been normalized to restore QPTR to within limits (i.e., Required Action A.5). The intent of this Note is to have the peaking factor surveillances performed at operating power levels, which can only be accomplished after the excore detectors are normalized to restore QPTR to within limits and the core returned to power.

B.1 If Required Actions A.1 through A.6 are not completed within their associated Completion Times, the unit must be brought to a MODE or condition in which the requirements do not apply. To achieve this status, THERMAL POWER must be reduced to 50% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is reasonable, based on operating experience regarding the amount of time required to reach the reduced power level without challenging plant systems.

SURVEILLANCE SR 3.2.4.1 REQUIREMENTS SR 3.2.4.1 is modified by two Notes. Note 1 allows QPTR to be calculated with three power range channels if THERMAL POWER is 75% RTP and the input from one Power Range Neutron Flux channel is inoperable. Note 2 allows performance of SR 3.2.4.2 in lieu of SR 3.2.4.1.

This Surveillance verifies that the QPTR, as indicated by the Nuclear Instrumentation System (NIS) excore channels, is within its limits. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

For those causes of power tilt that occur quickly (e.g., a dropped rod),

there typically are other indications of abnormality that prompt a verification of core power tilt.

Beaver Valley Units 1 and 2 B 3.2.4 - 5 Revision 35

QPTR B 3.2.4 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.2.4.2 This Surveillance is modified by a Note, which states that it is not required until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the input from one or more Power Range Neutron Flux channels are inoperable and the THERMAL POWER is > 75% RTP.

With an NIS power range channel inoperable, tilt monitoring for a portion of the reactor core becomes degraded. Large tilts are likely detected with the remaining channels, but the capability for detection of small power tilts in some quadrants is decreased. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

For purposes of monitoring the QPTR when one power range channel is inoperable, the moveable incore detectors are used to confirm that the normalized symmetric power distribution is consistent with the indicated QPTR and any previous data indicating a tilt. The incore detector monitoring is performed with a full incore flux map or two sets of four thimble locations with quarter core symmetry. The two sets of four symmetric thimbles is a set of eight unique detector locations. These locations are C-8, E-5, E-11, H-3, H-13, L-5, L-11, and N-8.

The symmetric thimble flux map can be used to generate symmetric thimble "tilt." This can be compared to a reference symmetric thimble tilt, from the most recent full core flux map, to generate an incore QPTR.

Therefore, incore monitoring of QPTR can be used to confirm that QPTR is within limits.

With one NIS channel inoperable, the indicated tilt may be changed from the value indicated with all four channels OPERABLE. To confirm that no change in tilt has actually occurred, which might cause the QPTR limit to be exceeded, the incore result may be compared against previous flux maps either using the symmetric thimbles as described above or a complete flux map. Nominally, quadrant tilt from the Surveillance should be within 2% of the tilt shown by the most recent flux map data.

REFERENCES 1. 10 CFR 50.46.

2. Regulatory Guide 1.77, Rev 0, May 1974.

3. 10 CFR 50, Appendix A, GDC 26.

Beaver Valley Units 1 and 2 B 3.2.4 - 6 Revision 35

RTS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS) Instrumentation BASES BACKGROUND The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs when reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action may actually occur.

The nominal trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)."

For each automatic protective device there is a setting beyond which the device would not be able to perform its function due, for example, to greater than expected drift. The value of this setting is specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value.

Beaver Valley Units 1 and 2 B 3.3.1 - 1 Revision 0

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

The Allowable Value specified in Table 3.3.1-1 serves as the OPERABILITY limit such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with the assumptions stated in the BVPS Unit 1 and Unit 2 setpoint methodology for protection systems (Ref. 1). If the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

In addition to the channel OPERABILITY guidance discussed above, the CHANNEL OPERATIONAL TEST (COT) and CHANNEL CALIBRATION Surveillance Requirements (SRs) specified on Table 3.3.1-1 for certain RTS Functions are modified by Notes (k) and (l) that specify additional Technical Specification requirements. The applicable Notes are specified directly on Table 3.3.1-1 next to the numerical SR designations for the affected RTS Functions. The additional Technical Specification requirements for these RTS Functions include OPERABILITY evaluations for setpoints found outside the as-found acceptance criteria band and the requirement to reset the setpoint to within the as-left tolerance of the nominal trip setpoint or a value that is more conservative than the nominal trip setpoint or declare the affected channel inoperable. These additional Technical Specification requirements are only applicable to the RTS Functions with the Notes modifying their COT and CHANNEL CALIBRATION SR numbers on Table 3.3.1-1.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value,

2. Fuel centerline melt shall not occur, and

3. The RCS pressure of 2748.5 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50.67 limits during AOOs.

Beaver Valley Units 1 and 2 B 3.3.1 - 2 Revision 0

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within the 10 CFR 50.67 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RTS instrumentation is segmented into four distinct but interconnected modules as described in UFSAR, Chapter 7 (Ref. 2), and as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured,

2. Signal Process Control and Protection System, including Analog Protection System, Nuclear Instrumentation System (NIS), field contacts, and protection channel sets: provides signal conditioning, trip device setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications,

3. Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the trip device outputs from the signal process control and protection system, and

4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and in some cases as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the nominal trip setpoint and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor as related to the channel behavior observed during performance of the CHANNEL CHECK.

Beaver Valley Units 1 and 2 B 3.3.1 - 3 Revision 0

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Signal Process Control and Protection System Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. The safety analyses and associated RTS Functions are discussed in UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2) (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a trip device is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). However, exceptions to the requirement for four channels are part of the design and licensing basis of the RTS (e.g., steam generator level instrumentation).

The actual number of channels required for each unit parameter is specified in Technical Specification Table 3.3.1-1.

Two logic trains are required to ensure no single random failure of a logic train will disable the RTS. The logic trains are designed such that testing required while the reactor is at power may be accomplished without causing trip. Provisions to allow removing logic trains from service during maintenance are unnecessary because of the logic system's designed reliability.

Beaver Valley Units 1 and 2 B 3.3.1 - 4 Revision 0

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Allowable Values, RTS Setpoints, and LSSS The nominal trip setpoints used in trip devices are based on the analytical limits stated in Reference 1. The selection of these nominal trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. The nominal trip setpoints account for calibration tolerances, instrument uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5).

The nominal trip setpoints are specified in the Licensing Requirements Manual (LRM). The Allowable Values specified in the Technical Specifications are determined by adding (or subtracting) the calibration accuracy of the trip device to the nominal trip setpoint in the non-conservative direction (i.e., toward or closer to the safety analysis limit) for the application. The Allowable Values remain conservative with respect to the analytical limits. For those channels that provide trip actuation via a bistable in the process racks, the calibration accuracy is defined by the rack calibration accuracy term. For a limited number of channels that provide trip actuation without being processed via the process racks (e.g., undervoltage relay or turbine trip channels) the Allowable Value is defined by device drift or repeatability (Ref. 1). The application of the calibration accuracy term (or device drift as applicable) to each RTS setpoint results in a "calibration tolerance band." Thus, the trip setpoint value is considered a "nominal" value (i.e., expressed as a value with a calibration tolerance) for the purposes of the COT and CHANNEL CALIBRATION. The calibration tolerance band for each RTS setpoint is specified in plant procedures. A detailed description of the methodology used to calculate the Allowable Values and nominal trip setpoints, including their explicit uncertainties, is provided in Reference 1 which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each nominal trip setpoint and corresponding Allowable Value. The nominal trip setpoint entered into the trip device is more conservative than that specified by the Allowable Value to account for measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the channel is considered OPERABLE. As discussed earlier, for certain RTS Functions, the COT and CHANNEL CALIBRATION SR numbers specified on Table 3.3.1-1 are modified by Notes that impose additional Technical Specification requirements for channel OPERABILITY.

Beaver Valley Units 1 and 2 B 3.3.1 - 5 Revision 0

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

The nominal trip setpoint is the value at which the trip device is set and is the expected value to be achieved during calibration. The nominal trip setpoint value ensures the LSSS and the safety analysis limits are met for surveillance interval selected when a channel is adjusted to be within the calibration tolerance. Any trip device with a nominal trip setpoint is considered to be properly adjusted when the "as left" setpoint value is within the calibration tolerance.

The nominal trip setpoint is based on the calculated total loop uncertainty per the plant specific methodology documented in the Licensing Requirements Manual. The setpoint methodology, used to derive the nominal trip setpoints, is based upon combining all of the uncertainties in the channels. Inherent in the determination of the nominal trip setpoints are the magnitudes of these channel uncertainties. Sensors and other instrumentation utilized in these channels should be capable of operating within the allowances of these uncertainty magnitudes. Occasional drift in excess of the allowance may be determined to be acceptable based on the other device performance characteristics. Device drift in excess of the allowance that is more than occasional, may be indicative of more serious problems and would warrant further investigation.

Operable RTS Functions with setpoints maintained within the Allowable Values specified in the Technical Specifications ensure that SLs are not violated during AOOs (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed).

For most RTS Functions the Allowable Value specified on Table 3.3.1-1 is the LSSS required by 10 CFR 50.36. However, for certain RTS Functions, the COT and CHANNEL CALIBRATION SR numbers specified on Table 3.3.1-1 are modified by Notes (k) and (l) that impose additional Technical Specification Requirements for channel OPERABILITY and change the LSSS for the affected Functions. For each RTS Function in Table 3.3.1-1 with Notes modifying the required COT and CHANNEL CALIBRATION SR numbers, the nominal trip setpoint specified in the Licensing Requirements Manual is the LSSS.

This definition of the LSSS is consistent with the guidance issued to the industry through correspondence with Nuclear Energy Institute (NEI)

(Reference NRC-NEI Letter dated September 7, 2005). The definition of LSSS values continues to be discussed between the industry and the NRC, and further modifications to these Bases will be implemented as guidance is provided.

Beaver Valley Units 1 and 2 B 3.3.1 - 6 Revision 0

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Table 3.3.1-1 Notes (k) and (l) are applicable to the COT and CHANNEL CALIBRATION SRs for specific instrument functions since changes to Allowable Values associated with these instrument functions were already under review by the NRC at the time the revised NRC setpoint criteria were documented and made available to the industry in an NRC letter to NEI. Changes to the remaining instrument functions may be pursued after guidance endorsed by both the NRC and NEI is issued.

Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the nominal trip setpoint calibration tolerance specified in plant procedures. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of inputs from field contacts, control board switches and the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements. The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.

The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The input signals from field contacts, control board switches and bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Beaver Valley Units 1 and 2 B 3.3.1 - 7 Revision 0

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Reactor Trip Switchgear Two RTBs are connected in series in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs.

Opening either of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.

During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open.

This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each RTB is also equipped with a shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism. The RTB bypass breakers are also equipped with a shunt trip device; however, manual actuation (local or remote) is required to energize this trip mechanism on the bypass breakers.

The decision logic matrix Functions are contained in the functional diagrams included in Reference 2. In addition to the reactor trip or ESF, these diagrams also illustrate the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can automatically test the selected decision logic matrix Functions while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

APPLICABLE The RTS functions to maintain the SLs during all AOOs and mitigates the SAFETY consequences of DBAs in all MODES in which the Rod Control System is ANALYSES, LCO, capable of rod withdrawal or one or more rods are not fully inserted.

and APPLICABILITY Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 3 takes credit for most RTS trip Functions. RTS trip Functions not explicitly credited in the accident analysis may be implicitly credited in the safety Beaver Valley Units 1 and 2 B 3.3.1 - 8 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide protection for conditions not explicitly analyzed and may be anticipatory in nature or serve as backups to RTS trip Functions that are explicitly credited in the accident analysis to provide defense in depth.

The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. A channel is OPERABLE provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the nominal trip setpoint. A trip setpoint may be set more conservative than the nominal trip setpoint as necessary in response to plant conditions provided that the +/- calibration tolerance band remains the same and the Allowable Value is administratively controlled accordingly in the conservative direction to meet the assumptions of the setpoint methodology. The conservative direction is established by the direction of the inequality applied to the Allowable Value. Failure of any instrument may render the affected channel(s) inoperable and reduce the reliability of the affected Functions.

In addition to the channel OPERABILITY guidance discussed above, the COT and CHANNEL CALIBRATION SRs specified on Table 3.3.3-1 for certain RTS Functions are modified by Notes (k) and (l) that specify additional Technical Specification requirements. The applicable Notes are specified directly on Table 3.3.1-1 next to the numerical SR designations for the affected RTS Functions. The additional Technical Specification requirements for these RTS Functions include OPERABILITY evaluations for setpoints found outside the as-found acceptance criteria band and the requirement to reset the setpoint to within the as-left tolerance of the nominal trip setpoint or a value that is more conservative than the nominal trip setpoint or declare the affected channel inoperable. These additional Technical Specification requirements are only applicable to the RTS Functions with the Notes modifying their COT and CHANNEL CALIBRATION SR numbers on Table 3.3.1-1.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function.

Four OPERABLE instrumentation channels in a two-out-of-four configuration may be required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, Beaver Valley Units 1 and 2 B 3.3.1 - 9 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) even with random failure of one of the other three protection channels.

Three OPERABLE instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. However, exceptions to these requirements are part of the current licensing and design basis (e.g., in the steam generator level instrumentation a median selector switch is utilized to provide functional separation between the protection and control systems instead of a fourth level instrument channel). The specific exceptions to the above general philosophy are discussed below.

Reactor Trip System Functions The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1. Manual Reactor Trip The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. The Manual Reactor Trip feature is not credited by any safety analyses.

It is used by the reactor operator to manually shut down the reactor.

The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip breaker in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE.

These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if one or more shutdown rods or control rods are withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core, or all of the rods are inserted, there is no need Beaver Valley Units 1 and 2 B 3.3.1 - 10 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) to be able to trip the reactor. In MODE 6, neither the shutdown rods nor the control rods are permitted to be withdrawn, except for specific activities such as drag testing performed under administrative controls, and the CRDMs are typically disconnected from the control rods and shutdown rods. Therefore, the manual initiation Function is not required.

2. Power Range Neutron Flux The NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. One NIS power range detector provides input to the Rod Control System and (for Unit 2 only) the Steam Generator (SG) Water Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. As such, the power range instrument channels are combined in a two-out-of-four trip logic. Note that this Function also provides a signal to prevent automatic (for Unit 2) and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

a. Power Range Neutron Flux - High The Power Range Neutron Flux - High trip Function ensures that protection is provided, from all power levels, against a fast positive reactivity excursion that could potentially lead to a violation of the safety analysis limit DNBR during power operation. These can be caused by rod withdrawal or reductions in RCS temperature.

The LCO requires all four of the Power Range Neutron Flux -

High channels to be OPERABLE.

In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux - High trip must be OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3, 4, 5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux - High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.

Beaver Valley Units 1 and 2 B 3.3.1 - 11 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

b. Power Range Neutron Flux - Low The LCO requirement for the Power Range Neutron Flux - Low trip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions.

The LCO requires all four of the Power Range Neutron Flux -

Low channels to be OPERABLE.

In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2 with keff 1.0, MODE 2 with keff < 1.0, and all RCS cold leg temperatures 500°F, and RCS boron concentration the ARO critical boron concentration when the Rod Control System is capable of rod withdrawal, or one or more rods not fully inserted, and in MODE 3 with all RCS cold leg temperatures 500°F, and the RCS boron concentration is the ARO critical boron concentration when the Rod Control System is capable of rod withdrawal, or one or more rods are not fully inserted, the Power Range Neutron Flux - Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than the P-10 setpoint specified in the LRM. This Function is automatically unblocked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux - High trip Function.

In MODE 3, with an RCS cold leg temperature < 500°F, 4, 5, or 6, the Power Range Neutron Flux - Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, with an RCS cold leg temperature

< 500°F, 4, 5, or 6.

3. Power Range Neutron Flux - High Positive Rate The Power Range Neutron Flux Rate trip uses the same channels as discussed for Function 2 above.

The Power Range Neutron Flux - High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA. Although this Beaver Valley Units 1 and 2 B 3.3.1 - 12 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Function is not explicitly credited in the safety analyses as a primary reactor trip, this Function compliments the Power Range Neutron Flux - High and Low Setpoint trip Functions to ensure that the applicable acceptance criteria are met for a rod ejection from the power range.

The LCO requires all four of the Power Range Neutron Flux - High Positive Rate channels to be OPERABLE.

In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA), the Power Range Neutron Flux - High Positive Rate trip must be OPERABLE.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity additions. Also, since only the shutdown banks are fully withdrawn in MODE 3 for reactor startup, the remaining complement of control bank worth ensures a sufficient degree of SDM in the event of an REA. In MODE 6, no rods are withdrawn, except for specific activities such as drag testing performed under administrative controls, and the SDM is increased during refueling operations. For the majority of the time the plant is in MODE 6 the reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup.

In addition, the NIS power range detectors cannot detect neutron levels present in this MODE.

4. Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux - Low Setpoint trip Function. The Intermediate Range Neutron Flux trip is not credited in the safety analyses as a primary reactor trip. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS intermediate range detectors do not provide any input to control systems. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

Beaver Valley Units 1 and 2 B 3.3.1 - 13 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. The trip Function is accomplished by a one-out-of-two trip logic.

Because this trip Function is important only during startup, there is generally no need to disable channels for testing while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.

In MODE 1 below the P-10 setpoint, and in MODE 2 above the P-6 setpoint, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux - High Setpoint trip and the Power Range Neutron Flux - High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE 2 below the P-6 setpoint, the Source Range Neutron Flux Trip provides the primary core protection for reactivity accidents. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE. In MODE 3 with the RCS temperature 500°F, the Power Range Neutron Flux - Low trip Function provides the protection for an uncontrolled RCCA bank withdrawal event from low power or subcritical conditions. In MODE 3 with any RCS cold leg temperature < 500°F, and in MODES 4 and 5, LCO 3.1.10, "RCS Boron Limitations < 500°F," requires that the RCS boron concentration be greater than the all-rods-out (ARO) critical boron concentration to ensure that sufficient SHUTDOWN MARGIN is available if an uncontrolled RCCA bank withdrawal event were to occur. In MODE 6, all rods are fully inserted, except for specific activities such as drag testing performed under administrative controls, and the core has an increased SDM. Also, the NIS intermediate range detectors cannot detect neutron levels present in this MODE.

5. Source Range Neutron Flux The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux - Low trip Function. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located Beaver Valley Units 1 and 2 B 3.3.1 - 14 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3 (with any RCS cold leg temperature < 500°F), 4, and 5 when rods are capable of withdrawal or one or more rods are not fully inserted.

In MODE 3 with the RCS temperature 500°F, the Power Range Neutron Flux - Low trip Function provides protection for an uncontrolled RCCA bank withdrawal or control rod ejection event from low power or subcritical conditions.

In MODE 3 with any RCS cold leg temperature < 500°F, and in MODES 4 and 5, LCO 3.1.10 requires that the RCS be borated to greater than the ARO critical boron concentration to ensure that sufficient SHUTDOWN MARGIN is available to mitigate an uncontrolled RCCA bank withdrawal event or control rod ejection event. Therefore, the safety analyses do not take explicit credit for the Source Range Neutron Flux trip Function as a primary trip to mitigate an uncontrolled RCCA bank withdrawal or control rod ejection event. LCO 3.1.10 ensures that sufficient SHUTDOWN MARGIN is available if an uncontrolled RCCA bank withdrawal or control rod ejection event were to occur.

The reliance on the boron limitation of LCO 3.1.10 when the RCS temperature is below 500°F in MODES 3, 4, and 5 and the Power Range Neutron Flux - Low trip Function when the RCS temperature is 500°F in MODE 3, to address an uncontrolled RCCA bank withdrawal accident, is consistent with the guidance of Westinghouse Nuclear Safety Advisory Letter 00-016 (Ref. 6).

The Source Range Neutron Flux Function provides protection for control rod withdrawal from subcritical, boron dilution (during startup) and control rod ejection events. The trip Function is accomplished by a one-out-of-two trip logic.

Alternate source range neutron flux detectors may be used in place of the primary NIS source range neutron flux detectors as long as the required source range indication and trip functions are provided by the alternate detectors.

Beaver Valley Units 1 and 2 B 3.3.1 - 15 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 2 below the P-6 setpoint and in MODES 3, 4, and 5 when there is a potential for an uncontrolled RCCA bank rod withdrawal accident, the Source Range Neutron Flux trip must be OPERABLE.

Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux - Low trip will provide core protection for reactivity accidents.

Above the P-6 setpoint, the NIS source range detectors are de-energized.

In MODES 3, 4, and 5 with all rods fully inserted and the Rod Control System not capable of rod withdrawal, and in MODE 6, the outputs of the Function to the RTS logic are not required OPERABLE. The requirements for the NIS source range detectors to monitor core neutron levels and provide indication of reactivity changes that may occur as a result of events like a boron dilution are addressed in LCO 3.3.8 "Boron Dilution Detection Instrumentation," for MODE 3, 4, or 5 and LCO 3.9.2, "Nuclear Instrumentation," for MODE 6.

6. Overtemperature T The Overtemperature T trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower T trip Function must provide protection.

The inputs to the Overtemperature T trip include pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop T assuming full reactor coolant flow. Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function monitors both variation in power and flow since a decrease in flow has the same effect on T as a power increase. The Overtemperature T trip Function uses each loop's T as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:

reactor coolant average temperature - the nominal trip setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature,

pressurizer pressure - the nominal trip setpoint is varied to correct for changes in system pressure, and Beaver Valley Units 1 and 2 B 3.3.1 - 16 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

axial power distribution - f(I), the nominal trip setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors. If axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the trip setpoint is reduced in accordance with Note 1 (Unit 1) and Note 3 (Unit 2) of Table 3.3.1-1.

Dynamic compensation is included for system piping delays from the core to the temperature measurement system.

The Overtemperature T trip Function is calculated for each loop as described in Note 1 (Unit 1) and Note 3 (Unit 2) in Table 3.3.1-1.

Trip occurs if Overtemperature T is indicated in two loops. The pressure and temperature signals are used for other control functions. The actuation logic can withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. In order to meet this requirement with three channels of Tavg and T, functional separation between the protection and control systems is accomplished by the use of a median signal selector switch. Note that this Function also provides a signal to generate a turbine runback prior to reaching the trip setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overtemperature T condition and may prevent a reactor trip.

The LCO requires three channels of the Overtemperature T trip Function to be OPERABLE. An OPERABLE hot leg channel consists of: 1) three RTDs per hot leg, or 2) two RTDs per hot leg with the failed RTD disconnected and the required bias applied. The trip Function is accomplished by a two-out-of-three trip logic. Note that the Overtemperature T Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overtemperature T trip must be OPERABLE to prevent a violation of the safety limit DNBR. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.

Beaver Valley Units 1 and 2 B 3.3.1 - 17 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

7. Overpower T The Overpower T trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all possible overpower conditions.

This trip Function also limits the required range of the Overtemperature T trip Function and provides a backup to the Power Range Neutron Flux - High Setpoint trip. The Overpower T trip Function ensures that the allowable heat generation rate (kW/ft) of the fuel is not exceeded. It uses the T of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:

reactor coolant average temperature - the nominal Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature, and

rate of change of reactor coolant average temperature -

including dynamic compensation for the delays between the core and the temperature measurement system.

The Overpower T trip Function is calculated for each loop as per Note 2 (Unit 1) and Note 4 (Unit 2) in Table 3.3.1-1. Trip occurs if Overpower T is indicated in two loops. The temperature signals are used for other control functions. The actuation logic can withstand an input failure to the control system, which may then require the protection function actuation and a single failure in the remaining channels providing the protection function actuation. In order to meet this requirement with three channels of Tavg and T, functional separation between the protection and control systems is accomplished by the use of a median signal selector switch. Note that this Function also provides a signal to generate a turbine runback prior to reaching the nominal Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overpower T condition and may prevent a reactor trip.

The LCO requires three channels of the Overpower T trip Function to be OPERABLE. An OPERABLE hot leg channel consists of:

1) three RTDs per hot leg, or 2) two RTDs per hot leg with the failed RTD disconnected and the required bias applied. Note that the Overpower T trip Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

The trip Function is accomplished by a two-out-of-three trip logic.

Beaver Valley Units 1 and 2 B 3.3.1 - 18 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1 or 2, the Overpower T trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.

8. Pressurizer Pressure The same sensors provide input to the Pressurizer Pressure - High and - Low trips and the Overtemperature T trip. A separate control channel provides input to the Pressurizer Pressure Control System. Therefore, the actuation logic can withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.

a. Pressurizer Pressure - Low The Pressurizer Pressure - Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.

The LCO requires three channels of Pressurizer Pressure - Low to be OPERABLE. The trip Function is accomplished by a two-out-of-three trip logic.

In MODE 1, when DNB is a major concern, the Pressurizer Pressure - Low trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock (NIS power range P-10 or turbine First Stage pressure greater than P-13). On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, no conceivable power distributions can occur that would cause DNB concerns.

b. Pressurizer Pressure - High The Pressurizer Pressure - High trip Function ensures that protection is provided against overpressurizing the RCS. This trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.

Beaver Valley Units 1 and 2 B 3.3.1 - 19 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires three channels of the Pressurizer Pressure -

High to be OPERABLE. The trip Function is accomplished by a two-out-of-three trip logic.

The Pressurizer Pressure - High LSSS is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting minimizes challenges to safety valves while avoiding an unnecessary reactor trip for those pressure increases that can be controlled by the PORVs.

In MODE 1 or 2, the Pressurizer Pressure - High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the relief and safety valves. In MODE 3, 4, 5, or 6, the Pressurizer Pressure - High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions. Additionally, the Overpressure Protection System (OPPS) provides overpressure protection in MODE 4 and below when any RCS cold leg temperature is the OPPS enable temperature specified in the PTLR.

9. Pressurizer Water Level - High The Pressurizer Water Level - High trip Allowable Value in Table 3.3.1-1 is specified in % of instrument span. The Pressurizer Water Level - High trip Function provides a backup signal for the Pressurizer Pressure - High trip and also provides protection against water relief through the pressurizer safety valves. These valves are designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The Pressurizer Water Level - High trip Function is not credited in any safety analyses as the primary reactor trip. The LCO requires three channels of Pressurizer Water Level - High to be OPERABLE. The trip Function is accomplished by a two-out-of-three trip logic. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection interaction concerns. The level channels do not actuate the safety valves, and the high pressure reactor trip is set below the safety valve setting.

Therefore, with the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before a reactor high pressure trip.

Beaver Valley Units 1 and 2 B 3.3.1 - 20 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1, when there is a potential for overfilling the pressurizer, the Pressurizer Water Level - High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.

10. Reactor Coolant Flow - Low The Reactor Coolant Flow - Low trip Allowable Value in Table 3.3.1-1 is specified in % of indicated loop flow. The Reactor Coolant Flow - Low trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled. Above the P-8 setpoint, specified in the LRM, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

The LCO requires three Reactor Coolant Flow - Low channels per loop to be OPERABLE in MODE 1 above P-7. The trip Function is accomplished by a two-out-of-three trip logic in each loop.

In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core because of the higher power level. In MODE 1 below the P-8 setpoint and above the P-7 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat production to generate DNB conditions.

11. Reactor Coolant Pump (RCP) Breaker Position The RCP Breaker Position trip Function consists of one set of auxiliary contacts on each RCP breaker. The Function anticipates the Reactor Coolant Flow - Low trips to avoid RCS heatup that would occur before the low flow trip actuates. The RCP Breaker Position trip Function is not credited in any safety analyses as the primary reactor trip.

Beaver Valley Units 1 and 2 B 3.3.1 - 21 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The RCP Breaker Position trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The position of each RCP breaker is monitored. Above the P-7 setpoint, a loss of flow in two or more loops will initiate a reactor trip. As such, the trip Function is accomplished by a two-out-of-three trip logic. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached.

The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this Function because the RCS Flow - Low trip alone provides sufficient protection of the DNBR limit for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of two RCPs.

This Function measures only the discrete position (open or closed) of the RCP breaker, using a position switch. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.

In MODE 1 above the P-7 setpoint, the RCP Breaker Position trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two RCS loops is automatically enabled.

12. Undervoltage Reactor Coolant Pumps The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored. Above the P-7 setpoint, a loss of voltage detected on two or more RCP buses will initiate a reactor trip. As such, the trip Function is accomplished by a two-out-of-three trip logic. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached. Time delays are incorporated into the Undervoltage RCP channels to prevent reactor trips due to momentary electrical power transients. The Undervoltage RCP Bus trip Function is not credited in any safety analyses as the primary reactor trip.

The LCO requires three Undervoltage RCP channels one per bus to be OPERABLE.

Beaver Valley Units 1 and 2 B 3.3.1 - 22 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled. This Function uses the same relays as the ESFAS Function, "Undervoltage Reactor Coolant Pump (RCP)" start of the auxiliary feedwater (AFW) pumps.

13. Underfrequency Reactor Coolant Pumps The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip.

The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. As such, the trip Function is accomplished by a two-out-of-three trip logic. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached.

Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients. The Underfrequency RCP Bus trip Function is not credited in any safety analyses as the primary reactor trip.

The LCO requires three Underfrequency RCPs channels, one per bus, to be OPERABLE.

In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.

Beaver Valley Units 1 and 2 B 3.3.1 - 23 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

14. Steam Generator Water Level - Low Low The SG Water level - Low Low trip Function Allowable Value in Table 3.3.1-1 is specified in % of narrow range instrument span for each SG. The SG Water Level - Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low level in any SG is indicative of a loss of heat sink for the reactor.

The level transmitters provide input to the SG Level Control System.

Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Functional separation between the protection and control systems is accomplished by the use of a median selector switch. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level.

The LCO requires three channels of SG Water Level - Low Low per SG to be OPERABLE. The trip Function is accomplished by a two-out-of-three trip logic on any SG.

In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level - Low Low trip must be OPERABLE. In MODE 3, 4, 5, or 6, the SG Water Level - Low Low Function does not have to be OPERABLE because the reactor is not operating or even critical.

15. Turbine Trip

a. Turbine Trip - Low Fluid Oil Pressure The Turbine Trip - Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-9 setpoint, specified in the LRM, will not actuate a reactor trip. Three pressure switches monitor the Unit 1 Auto Stop oil pressure and three pressure switches monitor the Unit 2 Emergency Trip Header pressure. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not Beaver Valley Units 1 and 2 B 3.3.1 - 24 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) sustain core damage or challenge the RCS pressure limitations.

Core protection is provided by the Pressurizer Pressure - High trip Function and RCS integrity is ensured by the pressurizer safety valves. The Turbine Trip Function is not credited in any safety analyses as the primary reactor trip.

The LCO requires three channels of Turbine Trip - Low Fluid Oil Pressure to be OPERABLE in MODE 1 above P-9.

Below the P-9 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the Turbine Trip - Low Fluid Oil Pressure trip Function does not need to be OPERABLE.

b. Turbine Trip - Turbine Stop Valve Closure The Turbine Trip - Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip from a power level above the P-9 setpoint specified in the LRM. Below the P-9 setpoint, the Turbine Trip Function will not actuate a reactor trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reactor in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor.

This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip - Low Fluid Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated. The Turbine Trip Function is not credited in any safety analyses as the primary reactor trip.

The LSSS for this Function is set to assure channel trip occurs when the associated stop valve is completely closed. The setpoint for the Turbine Trip - Turbine Stop Valve Closure channels is the only RTS setpoint that is not a nominal trip setpoint with a calibration tolerance. The setpoint for this Function contains an inequality similar to the Allowable Value in Beaver Valley Units 1 and 2 B 3.3.1 - 25 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) the Technical Specification. The trip setpoint is adjusted to be consistent with the trip setpoint value specified in the LRM in lieu of adjusting the setpoint to be within an established calibration tolerance band.

The LCO requires four Turbine Trip - Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE 1 above P-9. All four channels must trip to cause reactor trip.

Below the P-9 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2, 3, 4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip - Stop Valve Closure trip Function does not need to be OPERABLE.

16. Safety Injection Input from Engineered Safety Feature Actuation System The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signal that initiates SI. Typically, transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. The large break LOCA analysis does not rely upon rod insertion and credits the voiding of the core to shutdown the reactor.

Therefore, a reactor trip is initiated every time an SI signal is present.

As the requirements for the ESFAS instrument channels, including actuation logic and Allowable Values are specified separately in LCO 3.3.2, there are no trip setpoint and Allowable Values applicable to this RTS Function. The SI Input is provided by the ESFAS logic. Therefore, there is no measurement signal with which to associate an LSSS.

The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.

A reactor trip is initiated every time an SI signal is present.

Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical, and must be shut down in the event of an accident. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.

Beaver Valley Units 1 and 2 B 3.3.1 - 26 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

17. Reactor Trip System Interlocks Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:

a. Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:

on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip.

This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range. When the source range trip is blocked, the high voltage to the detectors is also removed, and

on decreasing power, the P-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor trip.

The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint.

Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and this Function will no longer be necessary.

In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.

Beaver Valley Units 1 and 2 B 3.3.1 - 27 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

b. Low Power Reactor Trips Block, P-7 The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine First Stage Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:

(1) on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:

Pressurizer Pressure - Low,

Pressurizer Water Level - High,

Reactor Coolant Flow - Low (low flow in two or more RCS loops),

RCPs Breaker Open (two or more RCPs),

Undervoltage RCPs (two or more RCP buses), and

Underfrequency RCPs (two or more RCP buses).

These reactor trips are only required when operating above the P-7 setpoint (as specified in the LRM for the P-10 and P-13 inputs to P-7). The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.

(2) on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:

Pressurizer Pressure - Low,

Pressurizer Water Level - High,

Reactor Coolant Flow - Low (low flow in two or more RCS loops),

RCP Breaker Position (two or more RCPs),

Undervoltage RCPs (two or more RCP buses), and

Underfrequency RCPs (two or more RCP buses).

Beaver Valley Units 1 and 2 B 3.3.1 - 28 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Trip Setpoint and Allowable Value are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.

The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.

The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below the P-7 setpoint, which is in MODE 1.

c. Power Range Neutron Flux, P-8 The Power Range Neutron Flux, P-8 interlock setpoint is specified in the LRM and is actuated by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow - Low (Single Loop) reactor trip on low flow in one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than the P-8 setpoint. On decreasing power, the reactor trip on low flow in any loop is automatically blocked.

The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.

In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.

d. Power Range Neutron Flux, P-9 The Power Range Neutron Flux, P-9 interlock setpoint is specified in the LRM and is actuated by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip - Low Fluid Oil Pressure (Auto Stop (Unit 1) and Emergency Trip Header (Unit 2)) and Turbine Beaver Valley Units 1 and 2 B 3.3.1 - 29 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Trip - Turbine Stop Valve Closure reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor.

The LCO requires four channels of Power Range Neutron Flux, P-9 interlock to be OPERABLE in MODE 1.

In MODE 1, a turbine trip could cause a load rejection beyond the capacity of the Steam Dump System, so the Power Range Neutron Flux interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at a power level sufficient to have a load rejection beyond the capacity of the Steam Dump System.

e. Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock setpoint is specified in the LRM and is actuated by two-out-of-four NIS power range detectors. If power level falls below the P-10 setpoint on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:

on increasing power, the P-10 interlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic (for Unit 2) and manual rod withdrawal,

on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux - Low reactor trip,

on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip, and also to de-energize the NIS source range detectors,

the P-10 interlock provides one of the two inputs to the P-7 interlock, and

on decreasing power, the P-10 interlock automatically enables the Power Range Neutron Flux - Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).

Beaver Valley Units 1 and 2 B 3.3.1 - 30 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.

OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux - Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.

f. Turbine First Stage Pressure, P-13 The turbine power (P-13) Allowable Value in Table 3.3.1-1 is specified in % RTP turbine first stage pressure equivalent. The Turbine First Stage Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than the P-13 setpoint specified in the LRM. This is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

The LCO requires two channels of Turbine First Stage Pressure, P-13 interlock to be OPERABLE in MODE 1.

The Turbine First Stage Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required OPERABLE in MODE 2, 3, 4, 5, or 6 because the turbine generator is not operating.

18. Reactor Trip Breakers This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of an OPERABLE RTB.

When an RTB bypass breaker is racked in and closed to bypass an RTB, the RTB is no longer capable of performing its safety function and the bypassed RTB is inoperable. The Action Condition for an inoperable RTB contains Notes that provide additional time for bypassing the RTB for surveillance testing and maintenance. A racked in and closed bypass breaker and the remaining operable RTB are actuated from the same train of RTS actuation logic.

Beaver Valley Units 1 and 2 B 3.3.1 - 31 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Therefore, when bypassing an RTB, the RTB trip Function is no longer single failure proof and the time an RTB can be bypassed is limited in accordance with the applicable RTB Action Condition Note. In addition, the bypass breaker is required to be OPERABLE prior to being placed in service in accordance with SR 3.3.1.4. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

19. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function 18 above.

OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

20. Automatic Trip Logic The LCO requirement for the RTBs (Functions 18 and 19) and Automatic Trip Logic (Function 20) ensures that means are provided to automatically interrupt the power to allow the rods to fall into the reactor core. Each RTB is equipped with an undervoltage coil and a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE trains ensures that random failure of a single logic train will not prevent reactor trip.

Beaver Valley Units 1 and 2 B 3.3.1 - 32 Revision 0

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1. When the required channels in Table 3.3.1-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or trip device is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.

When the number of inoperable channels in a trip Function exceed those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies to all RTS protection Functions. Condition A addresses the situation where one or more required channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1 and B.2 Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.

Beaver Valley Units 1 and 2 B 3.3.1 - 33 Revision 0

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

The Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.

If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months total time). The 6 additional hours to reach MODE 3 is reasonable, based on operating experience, to reach MODE 3 from full power operation in an orderly manner and without challenging unit systems. With the unit in MODE 3, ACTION C would apply to any inoperable Manual Reactor Trip Function if the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

C.1, C.2.1, and C.2.2 Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted:

Manual Reactor Trip, RTBs, RTB Undervoltage and Shunt Trip Mechanisms, and Automatic Trip Logic.

This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Completion Time, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, action must be initiated within the same 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months to ensure that all rods are fully inserted, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner.

With rods fully inserted and the Rod Control System incapable of rod withdrawal, these Functions are no longer required.

The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

Beaver Valley Units 1 and 2 B 3.3.1 - 34 Revision 0

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

D.1.1, D.1.2, D.2.1, D.2.2, and D.3 Condition D applies to the Power Range Neutron Flux - High Function.

One NIS power range detector provides input to the Rod Control System and (for Unit 2 only) the SG Water Level Control System and, therefore, a two-out-of-four trip logic is used. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition is justified in WCAP-14333-P-A, Rev. 1 (Reference 7).

In addition to placing the inoperable channel in the tripped condition, THERMAL POWER must be reduced to 75% RTP within 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months .

Reducing the power level prevents operation of the core with radial power distributions beyond the design limits. With one of the NIS power range detectors inoperable, 1/4 of the radial power distribution monitoring capability is lost.

As an alternative to the above actions, the inoperable channel can be placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and the QPTR monitored once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months as per SR 3.2.4.2, QPTR verification. Calculating QPTR every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued unit operation at power levels 75% RTP. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is consistent with LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."

As an alternative to the above Actions, the plant must be placed in a MODE where this Function is no longer required OPERABLE. Seventy-eight hours are allowed to place the plant in MODE 3. The 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months Completion Time includes 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for channel corrective maintenance, and an additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for the MODE reduction required by Required Action D.3. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. If Required Actions cannot be completed within their allowed Completion Times, LCO 3.0.3 must be entered.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypass condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of other channels. The Note also allows placing the inoperable channel in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 7.

Beaver Valley Units 1 and 2 B 3.3.1 - 35 Revision 10

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

Required Action D.2.2 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capability to monitor QPTR. As such, determining QPTR using the movable incore detectors once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months may not be necessary.

E.1 and E.2 Condition E applies to the following reactor trip Functions:

Power Range Neutron Flux - Low,

Overtemperature T,

Overpower T,

Power Range Neutron Flux - High Positive Rate,

Pressurizer Pressure - High, and

SG Water Level - Low Low.

A known inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition is justified in Reference 7.

If the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 7.

Beaver Valley Units 1 and 2 B 3.3.1 - 36 Revision 10

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

F.1 and F.2 Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. If THERMAL POWER is greater than the P-6 setpoint but less than the P-10 setpoint, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.

G.1 and G.2 Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. With no intermediate range channels OPERABLE, the Required Actions are to suspend operations involving positive reactivity additions immediately. This will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Flux channels. The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours. Below P-6, the Source Range Neutron Flux channels will be able to monitor the core power level.

The Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.

Beaver Valley Units 1 and 2 B 3.3.1 - 37 Revision 0

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

Required Action G.1 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g.,

temperature or boron fluctuations associated with RCS inventory management, temperature control or plant cooldown to exit the MODE of Applicability and place the plant in a safer condition) are not precluded by this Action, provided they are accounted for in the calculated SDM.

H.1 Condition H applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.

This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately.

Required Action H.1 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g.,

temperature or boron fluctuations associated with RCS inventory management, temperature control or plant cooldown to exit the MODE of Applicability and place the plant in a safer condition) are not precluded by this Action, provided they are accounted for in the calculated SDM.

I.1 Condition I applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions.

With both source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition.

J.1, J.2.1, and J.2.2 Condition J applies to one inoperable source range channel in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions.

With one of the source range channels inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is allowed to restore it to an OPERABLE status. If the channel cannot be returned to Beaver Valley Units 1 and 2 B 3.3.1 - 38 Revision 0

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued) an OPERABLE status, action must be initiated within the same 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months to ensure that all rods are fully inserted, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour.

K.1 and K.2 Condition K applies to the following reactor trip Functions:

Pressurizer Pressure - Low,

Pressurizer Water Level - High,

Reactor Coolant Flow - Low,

RCP Breaker Position,

Undervoltage RCPs, and

Underfrequency RCPs.

With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . For the Pressurizer Pressure - Low, Pressurizer Water Level - High, Undervoltage RCPs, Underfrequency RCPs, and RCP Breaker Position trip Functions, placing the channel in the tripped condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a reactor trip.

For the Reactor Coolant Flow - Low (Two Loop) trip Function, placing the channel in the tripped condition when above the P-8 setpoint results in a partial trip condition in one loop requiring only one additional channel in the same loop to initiate a low flow signal for that loop. For the latter trip Function, two tripped channels in two RCS loops are required to initiate a reactor trip when below the P-8 setpoint and above the P-7 setpoint. The pressurizer pressure low Function and RCS flow related Functions do not have to be OPERABLE below the P-7 setpoint because there is insufficient heat production to generate DNB conditions below the P-7 setpoint. The pressurizer water level Function is not required OPERABLE below the P-7 setpoint, because transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the channel in the tripped condition is justified in Reference 7. An additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Beaver Valley Units 1 and 2 B 3.3.1 - 39 Revision 10

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition K.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 7.

L.1 and L.2 Condition L applies to Turbine Trip on Low Fluid Oil Pressure or on Turbine Stop Valve Closure. With one channel inoperable, the inoperable channel must be placed in the trip condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . If placed in the tripped condition, this results in a partial trip condition. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition and the 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months allowed for reducing power are justified in Reference 7 for Turbine Trip on Low Fluid Oil Pressure. Reference 8 justifies the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time allowed to place an inoperable channel in the tripped condition for Turbine Trip on Turbine Stop Valve Closure.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 7 for Turbine Trip on Low Fluid Oil Pressure, and Reference 8 for Turbine Trip on Turbine Stop Valve Closure.

M.1 and M.2 Condition M applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the train to OPERABLE status (Required Action M.1) or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Required Action M.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed to restore the inoperable RTS Automatic Trip Logic Train to OPERABLE status is justified in Reference 7.

Beaver Valley Units 1 and 2 B 3.3.1 - 40 Revision 10

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (Required Action M.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows bypassing one train up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing, provided the other train is OPERABLE.

Planned Maintenance and Tier 2 Restrictions Consistent with the NRC Safety Evaluation (SE) requirements for WCAP-14333-P-A, Rev. 1 (Reference 7), Tier 2 insights must be included in the decision making process before removing an RTS logic train from service and implementing the extended (risk-informed) Completion Time for an RTS logic train approved in Reference 10. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time an RTS logic train is inoperable.

Entry into Condition M for an inoperable RTS logic train is not a typical, pre-planned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Condition M may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Condition M entry. In addition, it is possible that equipment failure may occur after the RTS logic train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with appropriate actions taken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable logic train and exit the Condition, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering Condition M when an RTS logic train is inoperable:

To preserve ATWS mitigation capability, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is inoperable.

Beaver Valley Units 1 and 2 B 3.3.1 - 41 Revision 10

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained. Note that Technical Specification 3.5.2, ECCS Operating, ensures that this restriction is met. Therefore, this restriction does not have to be implemented by a separate procedure or program.

To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable.

Activities on electrical systems (AC and DC power) and cooling systems (service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable. That is, one complete train of a function that supports a complete train of a function noted above must be available.

N.1 and N.2 Condition N applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is justified in Reference 9. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. Placing the unit in MODE 3 results in ACTION C entry while RTB(s) are inoperable.

The Required Actions have been modified by a Note. The Note allows one train to be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing, provided the other train is OPERABLE. The 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months allowed to bypass a train is justified in Reference 9.

Planned Maintenance and Tier 2 Restrictions Consistent with the NRC Safety Evaluation (SE) requirements in WCAP-15376-P-A, Rev. 1 (Reference 9), Tier 2 insights must be included in the decision making process before removing an RTB train from service and implementing the extended (risk-informed) Completion Time for an RTB train approved in Reference 10. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time an RTB train is inoperable.

Beaver Valley Units 1 and 2 B 3.3.1 - 42 Revision 10

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

Entry into Condition N for an inoperable RTB train is not a typical, pre-planned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Condition N may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Condition N entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with appropriate actions taken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable RTB train and exit the Condition, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering Condition N when an RTB train is inoperable:

The probability of failing to trip the reactor on demand will increase when a RTB is removed from service; therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves), auxiliary feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.

Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable, should not be scheduled when a logic train is inoperable.

Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.

Beaver Valley Units 1 and 2 B 3.3.1 - 43 Revision 10

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

O.1 and O.2 Condition O applies to the P-6 and P-10 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Verifying the interlock status manually accomplishes the interlock's Function. The interlock status may be verified by observation of the associated permissive annunciator/status window(s). The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

P.1 and P.2 Condition P applies to the P-7, P-8, P-9, and P-13 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or the unit must be placed in MODE 2 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . These actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Function. The interlock status may be verified by observation of the associated permissive annunciator/status window(s). The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.

Q.1 and Q.2 Condition Q applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months total time). The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. With the unit in MODE 3, ACTION C would apply to any inoperable RTB trip mechanism. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the Beaver Valley Units 1 and 2 B 3.3.1 - 44 Revision 10

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued) time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for the reasons stated under Condition N.

The Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months for Required Action Q.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

R.1 Condition R applies to one inoperable Power Range Neutron Flux - Low channel in MODE 2 with keff < 1.0, and all RCS cold leg temperatures 500°F, and RCS boron concentration the ARO critical boron concentration when the Rod Control System is capable of rod withdrawal, or one or more rods not fully inserted, and in MODE 3 with all RCS cold leg temperatures 500°F, and the RCS boron concentration is the ARO critical boron concentration when the Rod Control System is capable of rod withdrawal, or one or more rods are not fully inserted. The inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Placing the channel in the tripped condition results in a partial trip condition requiring only a one-out-of-three logic for actuation of this reactor trip function. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to place the inoperable channel in the tripped condition is justified in Reference 7.

The Required Action is modified by a Note. The Note allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 7.

S.1.1, S.1.2, and S.2 If the inoperable channel can not be placed in the tripped condition within the specified Completion Time, or if two or more channels are inoperable, action must be initiated immediately to fully insert all rods, and to make the rods incapable of rod withdrawal. This action will preclude an uncontrolled RCCA bank withdrawal accident from occurring.

Required Action S.2 provides an alternative to Required Actions S.1.1 and S.1.2. If the inoperable channel can not be placed in the tripped condition within the specified Completion Time, or if two or more channels are inoperable, action must be initiated to borate the RCS to > the ARO critical boron concentration. Borating the RCS to > the ARO critical boron concentration would provide sufficient SHUTDOWN MARGIN, if an uncontrolled RCCA bank withdrawal accident were to occur.

Beaver Valley Units 1 and 2 B 3.3.1 - 45 Revision 10

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE The SRs for each RTS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function.

A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

Note that each channel of process protection supplies both trains of the RTS. When testing Channel I, Train A and Train B must be examined.

Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

SR 3.3.1.1 Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.2 SR 3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output. If the calorimetric heat balance calculation results exceed the power range channel output by more than + 2% RTP, the power range is not declared inoperable, but must be adjusted. The power range channel output shall be adjusted consistent with the calorimetric heat balance calculation results if the calorimetric calculation exceed the power range channel output by more than + 2% RTP. If the power range channel output cannot be properly adjusted, the channel is declared inoperable.

Beaver Valley Units 1 and 2 B 3.3.1 - 46 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

If the calorimetric is performed at part power (< 70% RTP when utilizing the venturis and < 30% RTP when utilizing the LEFM), adjusting the power range channel indication in the increasing power direction will assure a reactor trip below the safety analysis limit. Making no adjustment to the power range channel in the decreasing power direction due to a part power calorimetric assures a reactor trip consistent with the safety analyses. This allowance does not preclude making indicated power adjustments, if desired, when the calorimetric heat balance calculation is less than the power range channel output. To provide close agreement between indicated power and to preserve operating margin, the power range channels are normally adjusted when operating at or near full power during steady-state conditions. However, discretion must be exercised if the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric (< 70% RTP when utilizing the venturis and < 30% RTP when utilizing the LEFM).

This action may introduce a non-conservative bias at higher power levels that may result in a Power Range Neutron Flux - High reactor trip above the safety analysis limit. The cause of the potential non-conservative bias is the decreased accuracy of the calorimetric at reduced power conditions. The primary error contributor to the instrument uncertainty for a secondary side power calorimetric measurement is the feedwater flow measurement, which is typically a P measurement across a feedwater venturi. While the measurement uncertainty remains constant in P as power decreases, when translated into flow, the uncertainty increases as a square term. Thus a 1% flow error at 100% power can approach a 10%

flow error at 30% RTP even though the P error has not changed. This bias error is not present when using the leading edge flow meter (LEFM) to determine feedwater flow for performing the secondary side power calorimetric. However, when using the LEFM for performing the secondary side power calorimetric, the requirements of this SR assure a power range channel output and reactor trip function that are conservative with respect to the assumptions of the safety analyses described above. When using the LEFM for the performance of the secondary side power calorimetric, the Power Range Neutron Flux - High bistables may be reset to a nominal value specified in the LRM when confirmed based on a calorimetric performed 30% RTP.

An evaluation of extended operation at part power conditions would conclude that it is prudent to administratively adjust the setpoint of the Power Range Neutron Flux - High bistables to 85% RTP when: 1) the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric below 70% RTP when utilizing the venturis and < 30% RTP when utilizing the LEFM; or 2) for a post refueling startup. The evaluation of extended operation at part power Beaver Valley Units 1 and 2 B 3.3.1 - 47 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued) conditions would also conclude that the potential need to adjust the indication of the Power Range Neutron Flux in the decreasing power direction is quite small, primarily to address operation in the intermediate range about P-10 (nominally 10% RTP) to allow enabling of the Power Range Neutron Flux - Low setpoint and the Intermediate Range Neutron Flux reactor trips. If the high flux setpoints were adjusted to 85% AND the Power Range gain was adjusted in the decreasing direction, then before the Power Range Neutron Flux - High bistables are reset to a nominal value specified in the LRM, the power range channel adjustment must be confirmed based on a calorimetric performed at 70% RTP when utilizing the venturis and 30% RTP when utilizing the LEFM. The Note clarifies that this Surveillance is required only if reactor power is 15% RTP and that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed for performing the first Surveillance after reaching 15% RTP. A power level of 15% RTP is chosen based on plant stability, i.e., automatic rod control capability and turbine generator synchronized to the grid.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 SR 3.3.1.3 compares the incore system to the NIS channel output. If the absolute difference is 3%, the NIS channel is still OPERABLE, but must be readjusted (normalized) based on the incore surveillance data. The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is 3%.

If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to periodically verify the f(I) input to the overtemperature T Function. The Surveillance is assigned to both the Power Range Neutron Flux High and OTT RTS Functions to assure all 4 NIS channels are verified and adjusted, if necessary.

A Note clarifies that the Surveillance is required when reactor power is 50% RTP and that 7 days are allowed to perform the Surveillance and channel adjustment, if necessary, after reaching 50% RTP. A power level of 50% RTP is consistent with the requirements of SR 3.3.1.9. The performance of SR 3.3.1.9 may be used to satisfy the requirements of SR 3.3.1.3. SR 3.3.1.9 may be performed in lieu of SR 3.3.1.3 since SR 3.3.1.9 calibrates (i.e., requires adjustment of) the excore channels based on incore surveillance data and therefore envelopes the performance of SR 3.3.1.3.

Beaver Valley Units 1 and 2 B 3.3.1 - 48 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

For each operating cycle, the initial channel normalization is performed in accordance with SR 3.3.1.9. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.4 SR 3.3.1.4 is the performance of a TADOT. This test shall verify OPERABILITY by actuation of the end devices. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements.

The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR 3.3.1.12. The bypass breaker test shall include a local manual shunt trip. A Note has been added to indicate that this test must be performed on the bypass breaker prior to placing it in service.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.5 SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation.

Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function, including operation of the P-7 permissive which is a logic function only. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.1 - 49 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.6 SR 3.3.1.6 is the performance of a COT.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements.

Setpoints must be within the Allowable Values specified in Table 3.3.1-1 (excluding time constants which are verified during CHANNEL CALIBRATIONS).

The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

For certain RTS Functions the required COT (SR 3.3.1.6 specified in Table 3.3.1-1) is modified by Notes (k) and (l). These Notes specify additional requirements for the affected instrument channels.

Note (k) specifies the following:

If the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptance criteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service, and

If the as-found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

The evaluation of channel performance required by Note (k) involves an assessment to verify the channel will continue to behave in accordance with design basis assumptions, and to ensure confidence in the channel performance prior to returning the channel to service. In addition, if the "as found" trip setpoint value is non-conservative with respect to the Beaver Valley Units 1 and 2 B 3.3.1 - 50 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Allowable Value, or is found to be outside of the two sided predefined acceptance criteria band on either side of the nominal trip setpoint, the affected channel will be evaluated under the corrective action program.

Note (l) specifies the following:

The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the nominal trip setpoint, or a value that is more conservative than the nominal trip setpoint; otherwise, the channel shall be declared inoperable, and

The nominal trip setpoint and the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band are specified in a document incorporated by reference into the Updated Final Safety Analysis Report.

For BVPS, the document containing the nominal trip setpoint, the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band is the LRM.

For the RTS Functions with a COT modified by Note (l), the Note requires that the instrument channel setpoint be reset to a value within the "as left" setpoint tolerance band on either side of the nominal trip setpoint or to a value that is more conservative than the nominal trip setpoint. The conservative direction is established by the direction of the inequality sign applied to the associated Allowable Value. Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology are satisfied in order to protect the safety analysis limits. If the channel can not be reset to a value within the required "as left" setpoint tolerance band on either side of the nominal trip setpoint, or to a value that is more conservative than the nominal trip setpoint (if required based on plant conditions) the channel is declared inoperable and the applicable ACTION is entered.

For the RTS Functions with a COT modified by Notes (k) and (l), the "as found" and "as left" setpoint data obtained during COTs or CHANNEL CALIBRATIONS are programmatically trended to demonstrate that the rack drift assumptions used in the plant setpoint methodology are valid. If the trending evaluation determines that a channel is performing inconsistent with the uncertainty allowances applicable to the periodic surveillance test being performed, the channel is evaluated under the corrective action program. If the channel is not capable of performing its specified safety function, it is declared inoperable.

Beaver Valley Units 1 and 2 B 3.3.1 - 51 Revision 28

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.6 is modified by a Note that provides a 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months delay in the requirement to perform this Surveillance for source range instrumentation after decreasing power below the P-6 interlock setpoint. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.6 is no longer required to be performed. If the unit is to be in MODE 2 below the P-6 setpoint or in MODE 3 with the RTBs closed for > 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months this Surveillance must be performed prior to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after decreasing power below the P-6 setpoint.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7 SR 3.3.1.7 is the performance of a COT as described in SR 3.3.1.6, except it is modified by a Note that this test shall include verification that the P-6 and P-10 interlocks are in their required state for the existing unit condition. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within the Frequency specified in the Surveillance Frequency Control Program prior to reactor startup and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reducing power below P-10. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the intermediate and power range low instrument channels. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reducing power below P-10 (applicable to intermediate and power range low channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reducing power below P-10. The MODE of Applicability for this surveillance is

< P-10 for the power range low and intermediate range channels. Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , then the testing required by this surveillance must be performed prior to the expiration of the time limit. Twelve hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required.

This test ensures that the NIS intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10) for periods > 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.1 - 52 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.8 SR 3.3.1.8 is the performance of a TADOT and the Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.

SR 3.3.1.9 SR 3.3.1.9 is a calibration of the excore channels to the incore channels.

If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore detector measurements. If the excore channels cannot be adjusted (normalized),

the channels are declared inoperable. This Surveillance is performed at BOL to normalize the excore channel f(I) input to the overtemperature T Function for each new operating cycle. The Surveillance is assigned to both the Power Range Neutron Flux High and OTT RTS Functions to assure all 4 NIS channels are initially normalized to the new core.

A Note modifies SR 3.3.1.9. The Note states that this Surveillance is required only if reactor power is 50% RTP and that 7 days are allowed for performing the Surveillance after reaching 50% RTP.

The Frequency of once per fuel cycle is adequate to establish the initial cycle-specific calibration of the excore channels. It is based on industry operating experience, considering instrument reliability and the performance of SR 3.3.1.3 every 31 EFPD which verifies the excore channels remain within the required calibration tolerance.

SR 3.3.1.10 The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

Beaver Valley Units 1 and 2 B 3.3.1 - 53 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.

Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

For certain RTS Functions the required CHANNEL CALIBRATION (SR 3.3.1.10 specified in Table 3.3.1-1) is modified by Notes (k) and (l).

These Notes specify additional requirements for the affected instrument channels.

Note (k) specifies the following:

If the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptance criteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service, and

If the as-found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

The evaluation of channel performance required by Note (k) involves an assessment to verify the channel will continue to behave in accordance with design basis assumptions, and to ensure confidence in the channel performance prior to returning the channel to service. In addition, if the "as found" trip setpoint value is non-conservative with respect to the Allowable Value, or is found to be outside of the two sided predefined acceptance criteria band on either side of the nominal trip setpoint, the affected channel will be evaluated under the corrective action program.

Note (l) specifies the following:

The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the nominal trip setpoint, or a value that is more conservative than the nominal trip setpoint; otherwise, the channel shall be declared inoperable, and Beaver Valley Units 1 and 2 B 3.3.1 - 54 Revision 10

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The nominal trip setpoint and the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band are specified in a document incorporated by reference into the Updated Final Safety Analysis Report.

For BVPS, the document containing the nominal trip setpoint, the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band is the LRM.

For the RTS Functions with a CHANNEL CALIBRATION modified by Note (l), the Note requires that the instrument channel setpoint be reset to a value within the "as left" setpoint tolerance band on either side of the nominal trip setpoint or to a value that is more conservative than the nominal trip setpoint. The conservative direction is established by the direction of the inequality sign applied to the associated Allowable Value.

Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology are satisfied in order to protect the safety analysis limits. If the channel can not be reset to a value within the required "as left" setpoint tolerance band on either side of the nominal trip setpoint, or to a value that is more conservative than the nominal trip setpoint (if required based on plant conditions) the channel is declared inoperable and the applicable ACTION is entered.

For the RTS Functions with a CHANNEL CALIBRATION modified by Notes (k) and (l), the "as found" and "as left" setpoint data obtained during COTs or CHANNEL CALIBRATIONS are programmatically trended to demonstrate that the rack drift assumptions used in the plant setpoint methodology are valid. If the trending evaluation determines that a channel is performing inconsistent with the uncertainty allowances applicable to the periodic surveillance test being performed, the channel is evaluated under the corrective action program. If the channel is not capable of performing its specified safety function, it is declared inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.10 is modified by Note 1 stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. In addition, this SR is modified by Note 2 stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors consists Beaver Valley Units 1 and 2 B 3.3.1 - 55 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued) of a normalization of the detectors based on a power calorimetric and flux map performed above 15% RTP. The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists of obtaining the detector calibration data and establishing detector operating conditions in accordance with approved plant procedures. This Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors.

SR 3.3.1.11 SR 3.3.1.11 is the performance of a COT of RTS interlocks. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.12 SR 3.3.1.12 is the performance of a TADOT of the Manual Reactor Trip, RCP Breaker Position, and the SI Input from ESFAS. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. The test shall independently verify the OPERABILITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip Breakers and Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall include testing of the automatic undervoltage trip. For the SI input from ESFAS, this test verifies the SI logic output to the reactor trip system.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.1 - 56 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The SR is modified by a Note that excludes verification of setpoints from the TADOT. As the requirements for the ESFAS instrument channels, including actuation logic and Allowable Values are specified separately in LCO 3.3.2, the Functions affected by this SR have no setpoints associated with them.

SR 3.3.1.13 SR 3.3.1.13 is the performance of a TADOT of Turbine Trip Functions.

This TADOT is as described in SR 3.3.1.4, except that this test is performed prior to exceeding the P-9 interlock whenever the unit has been in MODE 3. This Surveillance is not required if it has been performed within the previous 31 days. Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-9 interlock.

SR 3.3.1.14 SR 3.3.1.14 verifies that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria are included in the LRM. Individual component response times are not modeled in the analyses. This Surveillance is only required for instrument channels with response times that are assumed in the safety analyses.

The LRM identifies instrument channels for which no response time is assumed in the safety analyses by indicating that the response time is not applicable.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e.,

control and shutdown rods fully inserted in the reactor core).

For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, or by such means as utilizing a step change input signal, with the resulting measured response time compared to the response time specified in the LRM. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Beaver Valley Units 1 and 2 B 3.3.1 - 57 Revision 10

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

- NOTE -

The following alternate means for verifying response times (i.e.,

summation of allocated times) is only applicable to Unit 2.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g.,

vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," and WCAP-15413, "Westinghouse 7300A ASIC-Based Replacement Module Licensing Summary Report" provide the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter. WCAP-15413 provides bounding response times where 7300 cards have been replaced with ASICs cards.

As appropriate, each channel's response must be verified at the Frequency specified in the Surveillance Frequency Control Program.

Each verification shall include at least one logic train such that both logic trains are verified at least once per the stated Frequency specified in the Surveillance Frequency Control Program. Response times cannot be determined during unit operation because equipment operation is required to measure response times. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.1 - 58 Revision 29

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.14 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

REFERENCES 1. Westinghouse Setpoint Methodology for Protection Systems, WCAP-11419, Rev. 6 (Unit 1) and WCAP-11366, Rev. 7 (Unit 2).

2. UFSAR, Chapter 7 (Unit 1 and Unit 2).

3. UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2).

4. IEEE-279-1971.

5. 10 CFR 50.49.

6. Westinghouse Nuclear Safety Advisory Letter NSAL-00-016, Rod Withdrawal from Subcritical Protection in Lower Modes, December 4, 2000.

7. WCAP-14333-P-A, Rev. 1, Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times, October 1998.

8. WOG-06-17, WCAP-10271-P-A Justification for Bypass Test Time and Completion Time Technical Specification Changes for Reactor Trip on Turbine Trip, June 20, 2006.

9. WCAP-15376-P-A, Rev. 1, Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times, March 2003.

10. Amendment No. 282 (Unit 1) and Amendment No. 166 (Unit 2),

December 29, 2008.

Beaver Valley Units 1 and 2 B 3.3.1 - 59 Revision 11

ESFAS Instrumentation B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS as well as specifying LCOs on other system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs when reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action may actually occur.

The nominal trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For each automatic protective device there is a setting beyond which the device would not be able to perform its function due, for example, to greater than expected drift. The value of this setting is specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value.

The Allowable Value specified in Table 3.3.2-1 serves as the OPERABILITY limit such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with the assumptions stated in Beaver Valley Units 1 and 2 B 3.3.2 - 1 Revision 0

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND (continued) the BVPS Unit 1 and Unit 2 setpoint methodology for protection systems (Ref. 3). If the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

In addition to the channel OPERABILITY guidance discussed above, the CHANNEL OPERATIONAL TEST (COT) and CHANNEL CALIBRATION Surveillance Requirements (SRs) specified on Table 3.3.2-1 for certain ESFAS Functions are modified by Notes (e) and (f) that specify additional Technical Specification requirements. The applicable Notes are specified directly on Table 3.3.2-1 next to the numerical SR designations for the affected ESFAS Functions. The additional Technical Specification requirements for these ESFAS Functions include OPERABILITY evaluations for setpoints found outside the as-found acceptance criteria band and the requirement to reset the setpoint to within the as-left tolerance of the nominal trip setpoint or a value that is more conservative than the nominal trip setpoint or declare the affected channel inoperable.

These additional Technical Specification requirements are only applicable to the ESFAS Functions with the Notes modifying their COT and CHANNEL CALIBRATION SR numbers on Table 3.3.2-1.

The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured,

Signal processing equipment including analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications, and

Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.

Beaver Valley Units 1 and 2 B 3.3.2 - 2 Revision 0

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND (continued)

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and in some cases as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the nominal trip setpoint. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

Signal Processing Equipment Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. The safety analyses and associated ESFAS Functions are discussed in UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2) (Ref. 1). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable or other trip device is forwarded to the SSPS for decision evaluation.

Channel separation is maintained up to and through the input bays.

However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then Beaver Valley Units 1 and 2 B 3.3.2 - 3 Revision 0

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND (continued) require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 2). However, exceptions to the requirement for four channels are part of the design and licensing basis of the ESFAS (e.g., steam generator level instrumentation). The number of channels required for each unit parameter is specified in Technical Specification Table 3.3.2-1.

Allowable Values, ESFAS Setpoints, and LSSS The nominal trip setpoints used in the bistables and other trip devices are based on the analytical limits stated in the BVPS Unit 1 and Unit 2 setpoint methodology for protection systems (Ref. 3). The selection of these nominal trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. The nominal trip setpoints account for calibration tolerances, instrument uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 4). The nominal trip setpoints are specified in the Licensing Requirements Manual (LRM). The Allowable Values specified in the Technical Specifications are determined by adding (or subtracting) the calibration accuracy of the trip device to the nominal trip setpoint in the non-conservative direction (i.e., toward or closer to the safety analysis limit) for the application. The Allowable Values remain conservative with respect to the analytical limits. For those channels that provide trip actuation via a bistable in the process racks, the calibration accuracy is defined by the rack calibration accuracy term. For a limited number of channels that provide trip actuation without being processed via the process racks (e.g., undervoltage relay channels) the Allowable Value is defined by device drift or repeatability (Ref. 3). The application of the calibration accuracy term (or device drift as applicable) to each ESFAS setpoint results in a "calibration tolerance band" for each setpoint. Thus, the trip setpoint value is considered a "nominal" value (i.e., expressed as a value with a calibration tolerance) for the purposes of the COT and CHANNEL CALIBRATION. The calibration tolerance band for each ESFAS setpoint is specified in plant procedures. A detailed description of the methodology used to calculate the Allowable Values and nominal trip setpoints including their explicit uncertainties, is provided in Reference 3 which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each nominal trip setpoint and corresponding Allowable Value. The nominal trip setpoint entered into the trip device is more conservative than that specified by the Allowable Value to account for Beaver Valley Units 1 and 2 B 3.3.2 - 4 Revision 0

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND (continued) measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the channel is considered OPERABLE. As discussed earlier, for certain ESFAS Functions, the COT and CHANNEL CALIBRATION SR numbers specified on Table 3.3.2-1 are modified by Notes that impose additional Technical Specification requirements for channel OPERABILITY.

The nominal trip setpoints are the values at which the trip devices are set and are the expected values to be achieved during calibration. The nominal trip setpoint value ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted to be within the calibration tolerance. Any trip device with a nominal trip setpoint is considered to be properly adjusted when the "as-left" setpoint value is within the calibration tolerance.

The nominal trip setpoint is based on the calculated total loop uncertainty per the plant specific methodology documented in the LRM. The setpoint methodology, used to derive the nominal trip setpoints, is based upon combining all of the uncertainties in the channels. Inherent in the determination of the nominal trip setpoints are the magnitudes of these channel uncertainties. Sensors and other instrumentation utilized in these channels should be capable of operating within the allowances of these uncertainty magnitudes. Occasional drift in excess of the allowance may be determined to be acceptable based on the other device performance characteristics. Device drift in excess of the allowance that is more than occasional, may be indicative of more serious problems and would warrant further investigation.

OPERABLE ESFAS Functions with setpoints maintained within the Allowable Values specified in the Technical Specifications ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.

Each channel can be tested on line except for manual initiation channels and the trip of all main feedwater pump channels, to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Reference 3. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

Beaver Valley Units 1 and 2 B 3.3.2 - 5 Revision 0

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND (continued)

For most ESFAS Functions the Allowable Value specified on Table 3.3.2-1 is the LSSS required by 10 CFR 50.36. However, for certain ESFAS Functions, the COT and CHANNEL CALIBRATION SR numbers specified on Table 3.3.2-1 are modified by Notes (e) and (f) that impose additional Technical Specification Requirements for channel OPERABILITY and change the LSSS for the affected Functions. For each ESFAS Function in Table 3.3.2-1 with Notes modifying the required COT and CHANNEL CALIBRATION SR numbers, the nominal trip setpoint specified in the LRM is the LSSS.

This definition of the LSSS is consistent with the guidance issued to the industry through correspondence with Nuclear Energy Institute (NEI)

(Reference NRC-NEI Letter dated September 7, 2005). The definition of LSSS values continues to be discussed between the industry and the NRC, and further modifications to these Technical Specification Bases will be implemented as guidance is provided.

Table 3.3.2-1 Notes (e) and (f) are applicable to the COT and CHANNEL CALIBRATION SRs for specific instrument functions since changes to Allowable Values associated with these instrument functions were already under review by the NRC at the time the revised NRC setpoint criteria were documented and made available to the industry in an NRC letter to the NEI. Changes to the remaining instrument functions may be pursued after guidance endorsed by both the NRC and NEI is issued.

Solid State Protection System The SSPS equipment is used for the decision logic processing of inputs from field contacts, control board switches, and the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The input signals from field contacts, control board switches, and bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations Beaver Valley Units 1 and 2 B 3.3.2 - 6 Revision 0

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND (continued) indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Each SSPS train has a built in testing device that can automatically test the selected decision logic matrix functions and partially test the actuation relays while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays that provide actuation signals to ESF components are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity.

The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. Functions not explicitly credited in the safety analysis, may be implicitly credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions not explicitly analyzed and may be anticipatory in nature or serve as backups to Functions that are explicitly credited in the accident analysis to provide defense in depth (Ref. 1).

Beaver Valley Units 1 and 2 B 3.3.2 - 7 Revision 0

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. A channel is OPERABLE provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the calibration tolerance band of the nominal trip setpoint. A trip setpoint may be set more conservative than the nominal trip setpoint as necessary in response to plant conditions provided that the +/- calibration tolerance band remains the same and the Allowable Value is administratively controlled accordingly in the conservative direction to meet the assumptions of the setpoint methodology. The conservative direction is established by the direction of the inequality applied to the Allowable Value. Failure of any instrument may render the affected channel(s) inoperable and reduces the reliability of the affected Functions.

In addition to the channel OPERABILITY guidance discussed above, the COT and CHANNEL CALIBRATION SRs specified on Table 3.3.2-1 for certain ESFAS Functions are modified by Notes (e) and (f) that specify additional Technical Specification requirements. The applicable Notes are specified directly on Table 3.3.2-1 next to the numerical SR designations for the affected RTS Functions. The additional Technical Specification requirements for these ESFAS Functions include OPERABILITY evaluations for setpoints found outside the as-found acceptance criteria band and the requirement to reset the setpoint to within the as-left tolerance of the nominal trip setpoint or a value that is more conservative than the nominal trip setpoint or declare the affected channel inoperable. These additional Technical Specification requirements are only applicable to the ESFAS Functions with the Notes modifying their COT and CHANNEL CALIBRATION SR numbers on Table 3.3.2-1.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:

Beaver Valley Units 1 and 2 B 3.3.2 - 8 Revision 0

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

1. Safety Injection Safety Injection (SI) provides two primary functions:

1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to 2200°F), and

2. Boration to ensure recovery and maintenance of SDM (keff < 1.0).

These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initiate other Functions such as:

Phase A Isolation,

Reactor Trip,

Turbine Trip,

Feedwater Isolation,

Start of auxiliary feedwater (AFW) pumps, and

Enabling automatic switchover of Emergency Core Cooling Systems (ECCS) suction to containment sump.

These other functions ensure:

Isolation of nonessential systems through containment penetrations,

Trip of the turbine and reactor to limit power generation,

Isolation of main feedwater (MFW) to limit secondary side mass losses,

Start of AFW to ensure secondary side cooling capability, and

Enabling ECCS suction switchover from the refueling water storage tank (RWST) to the containment sump on RWST Level Extreme Low to ensure continued cooling via use of the containment sump.

Beaver Valley Units 1 and 2 B 3.3.2 - 9 Revision 3

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Safety Injection - Manual Initiation The LCO requires one channel per train to be OPERABLE. The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals except for the Unit 1 automatic high head safety injection (HHSI) flow path isolation valves when LCO 3.4.12, "Overpressure Protection System," is applicable.

Consistent with the requirements of LCO 3.4.12, in MODE 4 when any RCS cold leg temperature is the enable temperature specified in the PTLR, the Unit 1 automatic HHSI flow path must be isolated with power removed from the isolation valves.

Therefore, when operating in the MODE 4 Applicability of LCO 3.4.12, the manual initiation of Unit 1 SI will require additional manual valve operation to establish an SI injection flow path.

The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.

Each channel consists of one switch and the interconnecting wiring to the actuation logic cabinet. Each switch actuates both trains. This configuration does not allow testing at power.

b. Safety Injection - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

In the event an inadvertent SI is initiated, the block of the automatic actuation logic introduced by a reset of safety injection must be removed by resetting (closure) of the reactor trip breakers after the inadvertent initiation providing that all trip input signals have reset due to stable plant conditions. When the Automatic Actuation Logic is required OPERABLE and is blocked after an inadvertent SI, the affected train(s) of Automatic Actuation Logic are considered inoperable and the Technical Specification ACTIONS are applicable until the Automatic Actuation Logic is restored to OPERABLE status.

Beaver Valley Units 1 and 2 B 3.3.2 - 10 Revision 0

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation switches.

Automatic actuation logic and actuation relays must be OPERABLE in MODE 4; however, only the actuation relays are required to support system level manual initiation.

These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.

Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

c. Safety Injection - Containment Pressure - High This signal provides protection against the following accidents:

SLB inside containment, and

Feed line break inside containment.

Containment Pressure - High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.

The high pressure Function will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.

Containment Pressure - High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.

Beaver Valley Units 1 and 2 B 3.3.2 - 11 Revision 0

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

d. Safety Injection - Pressurizer Pressure - Low This signal provides protection against the following accidents:

Inadvertent opening of a steam generator (SG) relief or safety valve,

SLB,

A spectrum of rod cluster control assembly ejection accidents (rod ejection),

Inadvertent opening of a pressurizer relief or safety valve,

LOCAs, and

SG Tube Rupture.

The Pressurizer Pressure - Low protection Function provides no input to any control functions. Pressurizer pressure control is accomplished by two separate channels independent of the pressurizer pressure protection channels used for ESFAS.

Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.

The transmitters could experience adverse environmental conditions (LOCA, SLB inside containment, rod ejection).

Therefore, the Trip Setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure - High signal.

This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE.

In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

Beaver Valley Units 1 and 2 B 3.3.2 - 12 Revision 0

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

e. Safety Injection - Steam Line Pressure - Low Steam Line Pressure - Low provides protection against the following accidents:

SLB,

Feed line break, and

Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - Low also provides input to steam generator level control; however, only three OPERABLE channels per steam line are provided. If a steam pressure sensor fails high or low, the steam generator level control system would eventually recover based upon the level input alone, assuming that a high level or low level trip setpoint is not reached. If the steam generator level setpoint is reached and protective action is required, a reactor trip (on low steam generator level) or turbine trip (on high steam generator level) occurs automatically. In this case, steam generator level is used to mitigate the event and not steam pressure. A single failure in a steam generator level channel could be assumed; however, the reactor trip would still occur on steam generator level. A second failure in another steam pressure transmitter would not preclude a trip from occurring on steam generator level. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on any steam line.

The Unit 1 transmitters will not experience adverse environmental conditions during a secondary side break. The Unit 2 transmitters are located where they may experience adverse environmental conditions during a secondary side break outside containment. However, for Unit 2, the safety analysis limit for the steam line break inside containment is more limiting than the safety analysis limit for the steam line break outside containment. As such, the Unit 2 Trip Setpoint is based on the more limiting result of the safety analysis for a steam line break inside containment which does not require an adverse environmental uncertainty. The magnitude of the difference between the inside and outside safety analysis limits is greater than or equal to the potential error that could result from an adverse environment. Therefore, the trip setpoints for both units only reflect steady state instrument uncertainties.

Beaver Valley Units 1 and 2 B 3.3.2 - 13 Revision 0

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function is anticipatory in nature and has a lead/lag ratio of 50/5.

Steam Line Pressure - Low must be OPERABLE in MODES 1, 2, and 3 (above P-11) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines.

This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, feed line break is not a concern.

Inside containment SLB will be terminated by automatic steam line isolation via Containment Pressure-Intermediate High High, and outside containment SLB will be terminated by the Steam Line Pressure - Negative Rate - High signal for steam line isolation. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

2. Containment Spray Systems Containment Spray provides five primary functions:

1. Lowers containment pressure and temperature after an HELB in containment,

2. Reduces the amount of radioactive iodine in the containment atmosphere,

3. Adjusts the pH of the water in the containment recirculation sump after a large break LOCA,

4. Mixes the containment atmosphere and minimizes the amount of hydrogen accumulation, and

5. Removes containment heat.

These functions are necessary to:

Ensure the pressure boundary integrity of the containment structure,

Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure,

Minimize corrosion of the components and systems inside containment following a LOCA,

Control subcompartment and general area hydrogen concentrations to less than 4% by volume, and Beaver Valley Units 1 and 2 B 3.3.2 - 14 Revision 3

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Remove decay heat to ensure that the containment gas and sump water temperatures are within the containment liner and piping thermal stress limits.

The containment spray actuation signal starts the Quench Spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is drawn from the RWST by the Quench Spray pumps. The Quench Spray pumps are manually stopped following receipt of a low RWST level alarm. The Recirculation Spray pumps are started automatically and take suction from the containment sump to continue containment spray. Sodium tetraborate is added to the recirculation spray solution as the sodium tetraborate storage baskets are submerged by water accumulating in the containment sump. Recirculation spray is actuated manually or by Containment Pressure - High High coincident with RWST Level Low.

a.(1) Quench Spray - Manual Initiation The operator can initiate quench spray at any time from the control room by simultaneously actuating two containment spray actuation switches in the same train. Because an inadvertent actuation of quench spray could have undesirable consequences, two switches must be actuated simultaneously to initiate quench spray. There are two sets of two switches each in the control room. Simultaneously actuating the two switches in either set will actuate quench spray in both trains in Unit 2 and one train in Unit 1. Two Manual Initiation switches in each train are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Manual Initiation of quench spray also actuates Phase B containment isolation.

Note that manual initiation of containment spray will initiate a recirculation spray pump start if an RWST Level Low signal is present. Alternatively, an operator can individually start each recirculation spray pump using the control board pump switches.

a.(2) Quench Spray - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment. Manual and automatic initiation of quench spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual initiation is Beaver Valley Units 1 and 2 B 3.3.2 - 15 Revision 20

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) also required in MODE 4, even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA.

However, because of the large number of components actuated on a quench spray, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4; however, only the actuation relays are required to support manual initiation of quench spray. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.

a.(3) Quench Spray - Containment Pressure - High High This signal provides protection against a LOCA or an SLB inside containment. The transmitters will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.

This is one of two Functions that require the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate the containment spray systems.

Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

This Function uses four channels in a two-out-of-four logic configuration. Additional redundancy is warranted because this Function is energized to trip. Containment Pressure - High High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure - High High setpoints.

b.(1) Recirculation Spray - Automatic Actuation Logic This LCO requires two trains to be OPERABLE. The trains consist of the actuation logic and associated master relays for this Function. The actuation logic consists of all circuitry housed within the actuation subsystems. The LCO for this Function Beaver Valley Units 1 and 2 B 3.3.2 - 16 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) does not include requirements for slave relay OPERABILITY.

The SRs for this Function do not include a SLAVE RELAY TEST due to equipment safety concerns (inadvertent pump start) if such a test was performed at power. The verification of required slave relay OPERABILITY for this Function is included in LCO 3.6.7 Recirculation Spray System (SR 3.6.7.3.b). The Recirculation Spray System SR is a periodic Surveillance that allows the required SLAVE RELAY TEST to be performed safely. Therefore, LCO 3.6.7 addresses the OPERABILITY of the slave relays for this Function.

b.(2) Recirculation Spray - RWST Level Low coincident with Containment Pressure-High High This LCO requires three RWST Level Low channels and four Containment Pressure High High channels to be OPERABLE.

A Level Low in the RWST coincident with a Containment Pressure-High High signal automatically initiates recirculation spray. Recirculation spray is the primary method of heat removal from the containment environment following a LOCA.

The RWST Level Low Allowable Value has both upper and lower limits. The lower limit is selected to ensure that containment temperatures remain within safety analysis limits and that adequate NPSH is available to the LHSI pumps. The upper limit ensures adequate NPSH to the recirculation spray pumps.

The RWST Level Low Function uses three RWST level transmitters in a two out of three coincident logic. These transmitters provide no control functions. The transmitters will not experience any adverse environmental conditions and, therefore, the trip setpoint reflects only steady state instrument uncertainties. The RWST level logic is configured in a de-energize to trip configuration.

The Containment Pressure-High High signal is described in Quench Spray, Containment Pressure-High High (item 2.a(3)).

The RWST Level Low and Containment Pressure High High Functions must be OPERABLE in MODES 1, 2 and 3 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the recirculation spray pumps. These Functions are not required to be OPERABLE in MODES 4, 5 and 6 because there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure - High High setpoints.

Beaver Valley Units 1 and 2 B 3.3.2 - 17 Revision 29

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

3. Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.

There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CCW) and cooling water to the containment air recirculation fan cooling coils, and the Unit 1 containment instrument air, at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW is required to support RCP operation, not isolating CCW on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.

Phase A containment isolation is actuated automatically by SI, or manually via the automatic actuation relays. CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and motors. The cooling water to the containment air recirculation fan cooling coils is not isolated by a Phase A signal to allow continued containment cooling. The Unit 1 containment instrument air is not isolated by a Phase A signal to allow instrument air to be available to support valve operation inside containment (e.g., CCW valves). All process lines required to be isolated under accident conditions and not equipped with automatic isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4 (except when open under administrative controls).

Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains.

The Phase B signal isolates CCW and cooling water to the containment air recirculation fan cooling coils and containment instrument air (for Unit 1 only). This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an Beaver Valley Units 1 and 2 B 3.3.2 - 18 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating these additional systems at the higher pressure does not pose a challenge to the containment boundary because the systems are closed loops inside containment. The systems are continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment. Therefore, the combination of system design and Phase B isolation ensures the systems are not a potential path for radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure

- High High, or manually, via the automatic actuation relays, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High High, a LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs is, therefore, no longer necessary.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are actuated simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains in Unit 2 and one train in Unit 1.

a. Containment Isolation - Phase A Isolation (1) Phase A Isolation - Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains.

(2) Phase A Isolation - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE.

Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Beaver Valley Units 1 and 2 B 3.3.2 - 19 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4; however, only the actuation relays are required to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase A Isolation - Safety Injection Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

b. Containment Isolation - Phase B Isolation Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels (the same channels that actuate Containment Spray, Function 2.a(3). The Containment Pressure actuation of Phase B Containment Isolation is energized to actuate in order to minimize the potential of spurious actuations that may damage the RCPs.

(1) Phase B Isolation - Manual Initiation The manual Phase B Containment Isolation is accomplished by the manual Containment Spray switches described in Function 2.a(1).

Beaver Valley Units 1 and 2 B 3.3.2 - 20 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(2) Phase B Isolation - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE.

Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur.

Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B containment isolation, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4; however, only the actuation relays are required to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation.

There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase B Isolation - Containment Pressure - High High The basis for containment pressure MODE applicability is as discussed for ESFAS Function 2.a(3) above.

4. Steam Line Isolation Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG.

For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize.

For Unit 2 which does not have steam line check valves, Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.

Beaver Valley Units 1 and 2 B 3.3.2 - 21 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Steam Line Isolation - Manual Initiation (Unit 2 only)

Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two switches per train in the control room and simultaneous actuation of both switches in a train can initiate a system level action to immediately close all MSIVs. The LCO requires two channels per train to be OPERABLE. The Unit 1 design does not include a system level manual steam line isolation capability. Unit 1 manual isolation of the MSIVs can be accomplished via the individual manual control switches for each MSIV. The capability to manually actuate each MSIV is an OPERABILITY requirement of Technical Specification 3.7.2, "MSIVs."

b. Steam Line Isolation - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have an SLB or other accident. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.

c. Steam Line Isolation - Containment Pressure - Intermediate High High This Function actuates closure of the MSIVs in the event of a LOCA or an SLB inside containment to maintain at least two unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment. Containment Pressure - Intermediate High High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic. The transmitters and electronics will not experience any adverse environmental conditions, and the Trip Setpoint reflects only steady state instrument uncertainties.

Beaver Valley Units 1 and 2 B 3.3.2 - 22 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Containment Pressure - Intermediate High High must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function must be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure -

Intermediate High High setpoint.

d. Steam Line Isolation - Steam Line Pressure (1) Steam Line Pressure - Low Steam Line Pressure - Low provides closure of the MSIVs in the event of an SLB to maintain two unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump. Steam Line Pressure - Low was discussed previously under SI Function 1.e.

The Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - Intermediate High High. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate -

High signal for Steam Line Isolation below P-11 when SI has been manually blocked. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

Beaver Valley Units 1 and 2 B 3.3.2 - 23 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(2) Steam Line Pressure - Negative Rate - High Steam Line Pressure - Negative Rate - High provides closure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain two unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure - Negative Rate - High signal is automatically enabled. Steam Line Pressure - Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy requirements with a two-out-of-three logic on any steam line.

Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure - Low signal is automatically enabled. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would result in a release of significant quantities of energy to cause a cooldown of the RCS.

While the transmitters may experience elevated ambient temperatures due to an SLB, the Function is based on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the Trip Setpoint reflects only steady state instrument uncertainties.

5. Turbine Trip and Feedwater Isolation The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines, and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system.

The SG high water level is due to excessive feedwater flows.

Beaver Valley Units 1 and 2 B 3.3.2 - 24 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Function is actuated by an SI signal or when the level in any SG exceeds the high high setpoint, and performs the following functions:

Trips the main turbine,

Trips the MFW pumps, and

Initiates feedwater isolation.

a. Turbine Trip and Feedwater Isolation - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

b. Turbine Trip and Feedwater Isolation - Steam Generator Water Level - High High (P-14)

The Allowable Value for this Function is specified in percent of narrow range instrument span. This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Three OPERABLE channels on each SG satisfy the requirements with a two-out-of-three logic on any SG. Three channels are acceptable in this application because functional separation between the protection and control systems is accomplished by the use of a median signal selector switch.

The transmitters do not experience a severe environment and therefore, the trip setpoint reflects only steady state instrument uncertainties.

c. Turbine Trip and Feedwater Isolation - Safety Injection Turbine Trip and Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

Beaver Valley Units 1 and 2 B 3.3.2 - 25 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Turbine Trip and Feedwater Isolation Functions must be OPERABLE in MODES 1, 2, and 3 except when all Main Feedwater Lines are isolated by either closed and deactivated MFIVs, or MFRVs and associated bypass valves, or closed manual valves. In these MODES the MFW System and turbine generator may be in service.

In MODES 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.

6. Auxiliary Feedwater The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available.

The system has two motor driven pumps and a turbine driven pump, making it available during normal unit operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break.

The normal source of water for the AFW System is the Primary Plant Demineralized Water Storage Tank. The River Water (Unit 1) and Service Water (Unit 2) systems provide a backup source of water for the AFW System. The AFW System is aligned so that upon a pump start, flow is initiated to the SGs immediately.

a. Auxiliary Feedwater - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

b. Auxiliary Feedwater - Steam Generator Water Level - Low Low The Allowable Value for this Function is specified in percent of narrow range instrument span. SG Water Level - Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. The actuation of two-out-of-three channels of SG Low-Low Level on any one SG will start the turbine-driven AFW pump. The actuation of two-out-of-three channels of SG Low-Low Level on any two SGs will start the motor-driven AFW pumps. SG Water Level - Low Low provides input to the SG Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system which may then require a protection function actuation and a single failure in the other channels providing the Beaver Valley Units 1 and 2 B 3.3.2 - 26 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) protection function actuation. Three OPERABLE channels per SG are required to satisfy the requirements with two-out-of-three logic. Three channels are acceptable in this application because functional separation between the protection and control systems is accomplished by the use of a median signal selector switch.

With the transmitters possibly experiencing adverse environmental conditions (feed line break), the Trip Setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

c. Auxiliary Feedwater - Safety Injection An SI signal starts the motor driven and turbine driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

Functions 6.a through 6.c must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor.

AFW pump start is described on previous page. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.

d. Auxiliary Feedwater - Undervoltage Reactor Coolant Pump A loss of power on the buses that provide power to the RCPs provides indication of a pending loss of RCP forced flow in the RCS. A loss of power on two or more RCPs, will start the turbine driven AFW pump to ensure that two SGs contain enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip.

e. Auxiliary Feedwater - Trip of All Main Feedwater Pumps A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. The MFW pumps are equipped with Beaver Valley Units 1 and 2 B 3.3.2 - 27 Revision 6

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) a breaker position sensing device. An open supply breaker indicates that the pump is not running. A trip of all running MFW pumps (two-out-of-two MFW pump breakers open with either pump control switch in the after-start position) starts the motor driven AFW pumps to ensure that two SGs are available with water to act as the heat sink for the reactor.

For Unit 1 only, the A and B MFW pumps each have tandem electric motors. The circuits that accomplish starting of both motor driven AFW pumps upon the tripping of both MFW pumps include a cell switch contact on each of the four tandem motor pump breakers. Actuation of the MFW pump motor breakers cell switches results in the closure of two series contacts in the start circuit for each motor driven AFW pump. The motor driven AFW pump start signals are then generated provided that either MFW pump control switch is in the after-start position. Although there are two actuation channels per MFW pump, Table 3.3.2-1 Function 6.e requires one channel per MFW pump to be OPERABLE. The combination of these cell switches and associated circuitry that comprise the required channels of one per pump must be capable of initiating a start signal to at least one of the two motor driven AFW pumps upon the tripping of both MFW pumps. Therefore, a Table 3.3.2-1 Function 6.e required channel consists of a motor breaker cell switch on one of the tandem motors breakers and the required circuitry (including MFW pump control switches contacts) up to and including the series contact in the motor driven AFW pump actuation circuit. If one or both MFW pump trip channels associated with the start of the same train of motor driven AFW pump are inoperable, the required channels of one per pump continues to be met provided that the remaining trip channels are OPERABLE and capable of generating a start signal for the other motor driven AFW pump train.

For Unit 2 only, the A and B MFW pumps each have tandem electric motors. The circuits that accomplish starting of both motor driven AFW pumps upon the tripping of both MFW pumps consist of a pump motor breaker cell switch contact on the designated A MFW pump motor and a breaker cell switch contact on the designated B MFW pump motor. The other A and B MFW pump motor cell switches are not utilized to directly start the motor driven AFW pumps. Actuation of the A and B MFW pump motor breakers cell switches results in the closure of two series contacts and the generation of a start signal for the A and B motor driven AFW pumps provided that either MFW pump control switch is in the after-start position.

Beaver Valley Units 1 and 2 B 3.3.2 - 28 Revision 22

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

There is a one per pump actuation channel associated with the designated A MFW pump motor breaker cell switch and a one per pump actuation channel associated with the designated B MFW pump motor breaker cell switch. Therefore, in order to meet the one per pump requirement specified in Table 3.3.2-1, a channel consisting of a motor breaker cell switch for A MFW pump motor and a motor breaker cell switch for the B MFW pump motor and the required circuitry (including MFW pump control switches contacts) up to and including the series contacts in the motor driven AFW pumps actuation circuits must be OPERABLE.

Functions 6.d and 6.e must be OPERABLE in MODES 1 and 2. This ensures that two SGs are provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES 3, 4, and 5, the RCPs and MFW pumps may be normally shut down, and thus neither pump trip is indicative of a condition requiring automatic AFW initiation.

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. In Unit 1, the low head SI (LHSI) pumps and containment recirculation spray (RS) pumps draw water from the containment sump. The RS pumps pump the water through the RS heat exchanger to the recirculation spray headers. The LHSI pumps circulate the water back to the reactor and provide suction to the High Head SI (HHSI) pumps. In Unit 2, during the recirculation phase, one RS pump per train provides the low head injection function and suction to the HHSI pump and one RS pump per train provides the recirculation spray function. Both the Unit 2 RS pumps on each train draw water from the containment sump and pump water through an RS heat exchanger. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode.

Beaver Valley Units 1 and 2 B 3.3.2 - 29 Revision 22

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Automatic Switchover to Containment Sump - Automatic Actuation Logic This LCO requires two trains to be OPERABLE. The trains consist of the actuation logic and associated master relays for this Function. The actuation logic consists of all circuitry housed within the actuation subsystems. The LCO for this Function does not include requirements for slave relay OPERABILITY.

The SRs for this Function do not include a SLAVE RELAY TEST due to equipment safety concerns if such a test was performed at power. The verification of required slave relay OPERABILITY for this Function is included in LCO 3.5.2, ECCS - Operating (SRs 3.5.2.5 and 3.5.2.6). These ECCS SRs are Surveillances that allow the required SLAVE RELAY TEST to be performed safely. Therefore, LCO 3.5.2 addresses the OPERABILITY of the slave relays for this Function.

b. Automatic Switchover to Containment Sump - Refueling Water Storage Tank (RWST) Level Extreme Low Coincident With Safety Injection During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A Level Extreme Low in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The SI interlock is maintained by latching relays until reset manually. The RWST is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability due to the energize to trip design of these channels.

The RWST Level Extreme Low Allowable Value has both upper and lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The upper limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction.

The transmitters will not experience any adverse environmental conditions and, therefore, the trip setpoint reflects only steady state instrument uncertainties.

Beaver Valley Units 1 and 2 B 3.3.2 - 30 Revision 29

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Automatic switchover occurs only if the RWST Level Extreme Low signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

8. Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

a. Engineered Safety Feature Actuation System Interlocks -

Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker is open. Although SI actuation may be manually reset after a 75 second delay, if P-4 is enabled, subsequent automatic SI initiation is blocked until P-4 is reset (RTBs closed). This Function allows operators to take manual control of SI systems after the initial phase of injection is complete without further automatic SI actuations taking place. The functions of the P-4 interlock are:

Beaver Valley Units 1 and 2 B 3.3.2 - 31 Revision 22

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Trip the main turbine, Isolate MFW Regulating Valves with coincident low Tavg, Prevent automatic reactuation of SI after a manual reset of SI, and Prevent opening of the MFW isolation valves if they were closed on SI or SG Water Level - High High with low Tavg.

Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power or could result in an SI actuation.

To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.

None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip and isolation of the MFW Regulating Valves coincident with low Tavg Functions are explicitly assumed since they are an immediate consequence of the reactor trip Function. However, none of the P-4 Functions listed above associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are not exceeded.

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a trip setpoint and Allowable Value.

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an excessive cooldown transient.

b. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels Beaver Valley Units 1 and 2 B 3.3.2 - 32 Revision 22

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -

Low steam line isolation signal (previously discussed). When the Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset switches. When the Steam Line Pressure - Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure - Negative Rate - High is disabled. The Trip Setpoint reflects only steady state instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

c. Engineered Safety Feature Actuation System Interlocks -

Tavg - Low Low, P-12 On increasing reactor coolant temperature, the P-12 interlock provides an arming signal to the Steam Dump System. On a decreasing temperature, the P-12 interlock removes the arming signal to the Steam Dump System to prevent an excessive cooldown of the RCS due to a malfunctioning Steam Dump System. Although the P-12 interlock Function provides protection that helps prevent an excessive cooldown event, it is not credited in any safety analysis as the primary actuation instrumentation necessary to mitigate a design basis accident.

Since Tavg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop. These channels are used in two-out-of-three logic. Although Tavg is used for control system input, three channels are acceptable in this application because functional separation between the protection and control systems is accomplished by the use of a median signal selector.

Beaver Valley Units 1 and 2 B 3.3.2 - 33 Revision 22

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function must be OPERABLE in MODES 1, 2, and 3 when a malfunction of the Steam Dump System could result in an excessive cooldown of the RCS. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an excessive RCS cooldown event.

The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:

SI, Containment Spray, Beaver Valley Units 1 and 2 B 3.3.2 - 34 Revision 22

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)

Phase A Isolation, and Phase B Isolation.

In addition, Condition B applies to the Automatic Actuation Logic for the Automatic Switchover to the Containment Sump Function. This action addresses the train orientation of the SSPS for the functions listed above.

If a channel or train is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is allowed to return it to an OPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the train inoperable. Condition B, therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each manual Function, and the low probability of an event occurring during this interval. In the case of the Automatic Actuation Logic for the Containment sump switchover, the Completion Time is reasonable considering that the other automatic actuation logic train is OPERABLE and that manual actions may be taken to align the required equipment to the containment sump. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months total time) and in MODE 5 within an additional 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months (84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months total time). The allowable Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1, C.2.1, and C.2.2 Condition C applies to the automatic actuation logic and actuation relays for the following functions:

SI, Containment Spray, Phase A Isolation, and Phase B Isolation.

This Action Condition is intended to address an inoperability of the actuation logic or relays associated with an ESFAS train that affects the integrated ESFAS response to an actuation signal. The Completion Time of this ACTION (24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) is based on the assumption that multiple ESF Beaver Valley Units 1 and 2 B 3.3.2 - 35 Revision 22

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued) components within a train are affected by the failure of the actuation logic or relays. Therefore, the Completion Time of this Action is appropriate and applicable whenever more than one ESF System is affected by the inoperable train of logic or relays.

However, if one or more inoperable actuation relays in an ESFAS train only affect a single ESF component or system, the applicable Actions Condition for the affected ESF component or system should be entered and the Completion Time of this Action Condition is not appropriate or applicable.

This action addresses the train orientation of the SSPS and the master and slave relays. If one train is inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed for restoring the inoperable train to OPERABLE status is justified in Reference 6. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months total time) and in MODE 5 within an additional 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months (60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of WCAP-10271-P-A (Reference 5) that 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is the average time required to perform train surveillance.

Planned Maintenance and Tier 2 Restrictions Consistent with the NRC Safety Evaluation (SE) requirements for WCAP-14333-P-A, Rev. 1 (Reference 6), Tier 2 insights must be included in the decision making process before removing a logic train from service and implementing the extended (risk-informed) Completion Time for a logic train approved in Reference 7. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time a logic train is inoperable.

Beaver Valley Units 1 and 2 B 3.3.2 - 36 Revision 29

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)

Entry into Condition C for an inoperable logic train is not a typical, pre-planned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Condition C may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Condition C entry. In addition, it is possible that equipment failure may occur after the logic train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with appropriate actions taken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable logic train and exit the Condition, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering Condition C when a logic train is inoperable:

To preserve ATWS mitigation capability, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is inoperable.

To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained. Note that Technical Specification 3.5.2, ECCS Operating, ensures that this restriction is met. Therefore, this restriction does not have to be implemented by a separate procedure or program.

To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable.

Activities on electrical systems (AC and DC power) and cooling systems (service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable. That is, one complete train of a function that supports a complete train of a function noted above must be available.

Beaver Valley Units 1 and 2 B 3.3.2 - 37 Revision 22

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)

D.1, D.2.1, and D.2.2 Condition D applies to:

Containment Pressure - High,

Pressurizer Pressure - Low,

Steam Line Pressure - Low,

Containment Pressure - Intermediate - High High,

Steam Line Pressure - Negative Rate - High,

SG Water level - Low Low,

SG Water level - High High (P-14), and

RWST Level Low.

If one channel is inoperable, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic.

Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements. For the Functions listed above, other than RWST Level Low, the 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 6. For RWST Level Low, the 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 7.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels. The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for testing, are justified in References 6 and 7.

Beaver Valley Units 1 and 2 B 3.3.2 - 38 Revision 29

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)

E.1, E.2.1, and E.2.2 Condition E applies to:

Containment Spray Containment Pressure - High High, and

Containment Phase B Isolation Containment Pressure - High High.

None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate containment spray.

To avoid the inadvertent actuation of containment spray and Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to restore the channel to OPERABLE status or to place it in the bypassed condition is justified in Reference 6. The Completion Time is further justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows one channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing. Placing a second channel in the bypass condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for testing purposes is acceptable based on the results of Reference 6.

Beaver Valley Units 1 and 2 B 3.3.2 - 39 Revision 29

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)

F.1, F.2.1, and F.2.2 Condition F applies to:

The Unit 2 Manual Initiation of Steam Line Isolation, and P-4 Interlock.

For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. If a train or channel is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

G.1, G.2.1, and G.2.2 Condition G applies to the automatic actuation logic and actuation relays for the Steam Line Isolation, Turbine Trip and Feedwater Isolation, and AFW actuation Functions.

This Action Condition is intended to address an inoperability of the actuation logic or relays associated with an ESFAS train that affects the integrated ESFAS response to an actuation signal. The Completion Time of this ACTION (24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) is based on the assumption that multiple ESF components within a train are affected by the failure of the actuation logic or relays. Therefore, the Completion Time of this Action is appropriate and applicable whenever more than one ESF System is affected by the inoperable train of logic or relays.

However, if one or more inoperable actuation relays in an ESFAS train only affect a single ESF component or system, the applicable Actions Condition for the affected ESF component or system should be entered and the Completion Time of this Action Condition is not appropriate or applicable.

Beaver Valley Units 1 and 2 B 3.3.2 - 40 Revision 22

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)

The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed for restoring the inoperable train to OPERABLE status is justified in Reference 6. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Reference 5) assumption that 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is the average time required to perform train surveillance.

Planned Maintenance and Tier 2 Restrictions Consistent with the NRC Safety Evaluation (SE) requirements for WCAP-14333-P-A, Rev. 1 (Reference 6), Tier 2 insights must be included in the decision making process before removing a logic train from service and implementing the extended (risk-informed) Completion Time for a logic train approved in Reference 7. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time a logic train is inoperable.

Entry into Condition G for an inoperable logic train is not a typical, pre-planned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Condition G may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Condition G entry. In addition, it is possible that equipment failure may occur after the logic train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of unplanned equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with Beaver Valley Units 1 and 2 B 3.3.2 - 41 Revision 29

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued) appropriate actions taken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable logic train and exit the Condition, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering Condition G when a logic train is inoperable:

To preserve ATWS mitigation capability, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is inoperable.

To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained. Note that Technical Specification 3.5.2, ECCS Operating, ensures that this restriction is met. Therefore, this restriction does not have to be implemented by a separate procedure or program.

To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable.

Activities on electrical systems (AC and DC power) and cooling systems (service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable. That is, one complete train of a function that supports a complete train of a function noted above must be available.

H.1 and H.2 Condition H applies to:

Undervoltage Reactor Coolant Pump.

If one channel is inoperable, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two logic will result in actuation. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months requires the unit to be placed in MODE 3 within Beaver Valley Units 1 and 2 B 3.3.2 - 42 Revision 22

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued) the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 6.

I.1 and I.2 Condition I applies to the motor driven AFW pump start on trip of all MFW pumps. The OPERABILITY of the AFW System must be assured by allowing automatic start of the motor driven AFW System pumps.

For Unit 1 only, the Required Action for Condition I to restore the channel to OPERABLE status is applicable when (three out of the four MFW pumps trip channels are inoperable) or (two out of four channels not associated with the same motor driven AFW pump are inoperable). In these two cases, a start of either motor driven AFW pump can no longer be initiated due to a trip of all MFW pumps. A detailed description of the actuation circuit(s) is provided in the Bases for Function 6.e of this Specification.

For Unit 2 only, the Required Action for Condition I to restore the channel to OPERABLE status is applicable when one MFW pumps trip channel is inoperable. In this case, a start of either motor driven AFW pump can no longer be initiated due to a trip of all MFW pumps. A detailed description of the actuation circuit is provided in the Bases for Function 6.e of this Specification.

If a channel is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months are allowed to return it to an OPERABLE status. If the function cannot be returned to an OPERABLE status, 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above. The allowance of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months to return the train to an OPERABLE status is justified in Reference 5.

Beaver Valley Units 1 and 2 B 3.3.2 - 43 Revision 29

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)

J.1, J.2.1, and J.2.2 Condition J applies to:

RWST Level Extreme Low Coincident with Safety Injection.

RWST Level Extreme Low Coincident with SI provides actuation of switchover to the containment sump. Note that this Function requires the bistables to energize to perform their required action. The failure of up to two channels will not prevent the operation of this Function. However, placing a failed channel in the tripped condition could result in a premature switchover to the sump, prior to the injection of the minimum volume from the RWST. Placing the inoperable channel in bypass results in a two-out-of-three logic configuration, which satisfies the requirement to allow another failure without disabling actuation of the switchover when required. Restoring the channel to OPERABLE status or placing the inoperable channel in the bypass condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is sufficient to ensure that the Function remains OPERABLE, and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed low). If the channel cannot be returned to OPERABLE status or placed in the bypass condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , the unit must be brought to MODE 3 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within the next 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 5, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above.

The Required Actions are modified by a Note that allows placing a channel in the bypass condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to place a channel in bypass and the total of 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months to reach MODE 3 and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for a second channel to be bypassed are justified in Reference 7.

K.1, K.2.1, and K.2.2 Condition K applies to the P-11 and P-12 interlocks.

With one or more channels inoperable, the operator must verify that the interlock is in the required state for the existing unit condition. This action manually accomplishes the function of the interlock.

Beaver Valley Units 1 and 2 B 3.3.2 - 44 Revision 29

ESFAS Instrumentation B 3.3.2 BASES ACTIONS (continued)

Determination must be made within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and may be made by observation of the associated permissive annunciator window(s)

(bistable status lights or computer checks). The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of these interlocks.

SURVEILLANCE The SRs for each ESFAS Function are identified by the SRs column of REQUIREMENTS Table 3.3.2-1.

A Note has been added to the SR Table stating that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.

Note that each channel of process protection supplies both trains of the ESFAS. When testing Channel I, Train A and Train B must be examined.

Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

SR 3.3.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is performed only on those channels that have channel parameter displays available.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Beaver Valley Units 1 and 2 B 3.3.2 - 45 Revision 29

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.2 SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.3 SR 3.3.2.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. The time allowed for the testing (4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ) is justified in Reference 5. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.2 - 46 Revision 29

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.4 SR 3.3.2.4 is the performance of a COT.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table 3.3.2-1 (excluding time constants which are verified during CHANNEL CALIBRATIONS). A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements.

The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

For certain ESFAS Functions the required COT (SR 3.3.2.4 specified in Table 3.3.2-1) is modified by Notes (e) and (f). These Notes specify additional requirements for the affected instrument channels.

Note (e) specifies the following:

If the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptance criteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service, and If the "as-found" instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

The evaluation of channel performance required by Note (e) involves an assessment to verify the channel will continue to behave in accordance with design basis assumptions, and to ensure confidence in the channel performance prior to returning the channel to service. In addition, if the "as found" trip setpoint value is non-conservative with respect to the Allowable Value, or is found to be outside of the two sided predefined acceptance criteria band on either side of the nominal trip setpoint, the affected channel will be evaluated under the corrective action program.

Beaver Valley Units 1 and 2 B 3.3.2 - 47 Revision 22

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

Note (f) specifies the following:

The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the nominal trip setpoint, or a value that is more conservative than the nominal trip setpoint; otherwise, the channel shall be declared inoperable, and

The nominal trip setpoint and the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band are specified in a document incorporated by reference into the Updated Final Safety Analysis Report.

For BVPS, the document containing the nominal trip setpoint, the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band is the LRM.

For the ESFAS Functions with a COT modified by Note (f), the Note requires that the instrument channel setpoint be reset to a value within the "as left" setpoint tolerance band on either side of the nominal trip setpoint or to a value that is more conservative than the nominal trip setpoint. The conservative direction is established by the direction of the inequality sign applied to the associated Allowable Value. Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology are satisfied in order to protect the safety analysis limits. If the channel can not be reset to a value within the required "as left" setpoint tolerance band on either side of the nominal trip setpoint, or to a value that is more conservative than the nominal trip setpoint (if required based on plant conditions) the channel is declared inoperable and the applicable ACTION is entered.

For the ESFAS Functions with a COT modified by Notes (e) and (f), the "as found" and "as left" setpoint data obtained during COTs or CHANNEL CALIBRATIONS are programmatically trended to demonstrate that the rack drift assumptions used in the plant setpoint methodology are valid. If the trending evaluation determines that a channel is performing inconsistent with the uncertainty allowances applicable to the periodic surveillance test being performed, the channel is evaluated under the corrective action program. If the channel is not capable of performing its specified safety function, it is declared inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.2 - 48 Revision 29

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.5 SR 3.3.2.5 is the performance of a TADOT. This test is a check of the Undervoltage RCP Function. The Function is tested up to the SSPS logic circuit. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements.

The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.6 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

The Surveillance Frequency contained in the Surveillance Frequency Control Program specifies the separate Unit 1 and Unit 2 test Frequencies.

SR 3.3.2.7 SR 3.3.2.7 is the performance of a TADOT. This test is a check of the P-4 interlock, Manual Actuation Functions and AFW pump start on trip of all MFW pumps. Each Manual Actuation Function is tested up to, and including, the master relay coils. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Beaver Valley Units 1 and 2 B 3.3.2 - 49 Revision 29

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

Specifications Surveillance Requirements. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT, since these Functions have no associated setpoints.

SR 3.3.2.8 SR 3.3.2.8 is the performance of a CHANNEL CALIBRATION.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.

For certain ESFAS Functions the required CHANNEL CALIBRATION (SR 3.3.2.8 specified in Table 3.3.2-1) is modified by Notes (e) and (f).

These Notes specify additional requirements for the affected instrument channels.

Note (e) specifies the following:

If the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptance criteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service, and

If the "as-found" instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

The evaluation of channel performance required by Note (e) involves an assessment to verify the channel will continue to behave in accordance with design basis assumptions, and to ensure confidence in the channel performance prior to returning the channel to service. In addition, if the "as found" trip setpoint value is non-conservative with respect to the Beaver Valley Units 1 and 2 B 3.3.2 - 50 Revision 29

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

Allowable Value, or is found to be outside of the two sided predefined acceptance criteria band on either side of the nominal trip setpoint, the affected channel will be evaluated under the corrective action program.

Note (f) specifies the following:

The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the nominal trip setpoint, or a value that is more conservative than the nominal trip setpoint; otherwise, the channel shall be declared inoperable, and The nominal trip setpoint and the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band are specified in a document incorporated by reference into the Updated Final Safety Analysis Report.

For BVPS, the document containing the nominal trip setpoint, the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band is the LRM.

For the ESFAS Functions with a CHANNEL CALIBRATION modified by Note (f), the Note requires that the instrument channel setpoint be reset to a value within the "as left" setpoint tolerance band on either side of the nominal trip setpoint or to a value that is more conservative than the nominal trip setpoint. The conservative direction is established by the direction of the inequality sign applied to the associated Allowable Value.

Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology are satisfied in order to protect the safety analysis limits. If the channel can not be reset to a value within the required "as left" setpoint tolerance band on either side of the nominal trip setpoint, or to a value that is more conservative than the nominal trip setpoint (if required based on plant conditions) the channel is declared inoperable and the applicable ACTION is entered.

For the ESFAS Functions with a CHANNEL CALIBRATION modified by Notes (e) and (f), the "as found" and "as left" setpoint data obtained during COTs or CHANNEL CALIBRATIONS are programmatically trended to demonstrate that the rack drift assumptions used in the plant setpoint methodology are valid. If the trending evaluation determines that a channel is performing inconsistent with the uncertainty allowances applicable to the periodic surveillance test being performed, the channel is evaluated under the corrective action program. If the channel is not capable of performing its specified safety function, it is declared inoperable.

Beaver Valley Units 1 and 2 B 3.3.2 - 51 Revision 22

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.2.9 This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.

Response Time testing acceptance criteria are included in the Licensing Requirements Manual. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position). Each verification shall include at least one logic train such that both logic trains are verified at least once per the stated Frequency specified in the Surveillance Frequency Control Program.

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one or by such means as utilizing a step change input with the resulting measured response time compared to the response time specified in the LRM. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

- NOTE -

The following alternate means for verifying response times (i.e.,

summation of allocated times) is only applicable to Unit 2.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

Beaver Valley Units 1 and 2 B 3.3.2 - 52 Revision 29

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g.,

vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," dated January 1996, provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," and WCAP-15413, "Westinghouse 7300A ASIC-Based Replacement Module Licensing Summary Report" provide the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter. WCAP-15413 provides bounding response times where 7300 cards have been replaced with ASICs cards.

Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after reaching 600 psig in the secondary side of the SGs.

Beaver Valley Units 1 and 2 B 3.3.2 - 53 Revision 29

ESFAS Instrumentation B 3.3.2 BASES REFERENCES 1. UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2).

2. IEEE-279-1971.

3. Westinghouse Setpoint Methodology for Protection Systems, WCAP-11419, Rev. 6 (Unit 1) and WCAP-11366, Rev. 7 (Unit 2).

4. 10 CFR 50.49.

5. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.

6. WCAP-14333-P-A, Rev. 1, Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times, October 1998.

7. Amendment No. 282 (Unit 1) and Amendment No. 166 (Unit 2),

December 29, 2008.

Beaver Valley Units 1 and 2 B 3.3.2 - 54 Revision 29

PAM Instrumentation B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display unit variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Accidents (DBAs).

The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected unit parameters to monitor and to assess unit status and behavior following an accident.

The availability of accident monitoring instrumentation is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by unit specific documents (Ref. 1) addressing the recommendations of Regulatory Guide 1.97 (Ref. 2) as required by Supplement 1 to NUREG-0737 (Ref. 3).

The instrument channels required to be OPERABLE by this LCO include Regulatory Guide 1.97 Type A and Category I variables as well as other Regulatory Guide 1.97 variables that provide important information for post accident monitoring. Certain Regulatory Guide 1.97 Type A and Category 1 variables, as determined by the Unit specific Regulatory Guide 1.97 analyses (Ref. 1), are not included in LCO 3.3.3 because other instrumentation required by this LCO provide the necessary information to the control room operators.

Type A variables are included in this LCO because they provide the primary information required for the control room operator to take specific manually controlled actions for which no automatic control is provided, and that are required for safety systems to accomplish their safety functions for DBAs.

Category I variables are the key variables deemed risk significant because they are needed to:

Determine whether other systems important to safety are performing their intended functions, Provide information to the operators that will enable them to determine the likelihood of a gross breach of the barriers to radioactivity release, and Beaver Valley Units 1 and 2 B 3.3.3 - 1 Revision 0

PAM Instrumentation B 3.3.3 BASES BACKGROUND (continued)

Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public, and to estimate the magnitude of any impending threat.

These key variables are identified by the unit specific Regulatory Guide 1.97 analyses (Ref. 1).

The specific instrument Functions listed in Table 3.3.3-1 are discussed in the LCO section.

APPLICABLE The PAM instrumentation ensures OPERABILITY of the required SAFETY Regulatory Guide 1.97 variables so that the control room operating staff ANALYSES can:

Perform the diagnosis specified in the emergency operating procedures (these variables are restricted to preplanned actions for the primary success path of DBAs), e.g., loss of coolant accident (LOCA),

Take the specified, pre-planned, manually controlled actions, for which no automatic control is provided, and that are required for safety systems to accomplish their safety function, Determine whether systems important to safety are performing their intended functions, Determine the likelihood of a gross breach of the barriers to radioactivity release, Determine if a gross breach of a barrier has occurred, and Initiate action necessary to protect the public and to estimate the magnitude of any impending threat.

PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii). Category I, non-Type A, instrumentation must be retained in TS because it is intended to assist operators in minimizing the consequences of accidents.

Therefore, Category I, non-Type A, variables are important for reducing public risk.

Beaver Valley Units 1 and 2 B 3.3.3 - 2 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO The PAM instrumentation LCO provides OPERABILITY requirements for Regulatory Guide 1.97 Type A monitors, which provide information required by the control room operators to perform certain manual actions specified in the unit Emergency Operating Procedures. These manual actions ensure that a system can accomplish its safety function, and are credited in the safety analyses. Additionally, this LCO addresses Regulatory Guide 1.97 instruments that have been designated Category I, non-Type A and other Regulatory Guide 1.97 instruments that provide important information for post accident monitoring.

The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assess unit status following an accident. This capability is consistent with the recommendations of Reference 1.

LCO 3.3.3 requires two OPERABLE channels for most Functions. Two OPERABLE channels ensure no single failure prevents operators from getting the information necessary for them to determine the safety status of the unit, and to bring the unit to and maintain it in a safe condition following an accident. Therefore, where plant design permits, the two channels required OPERABLE by the LCO should be supplied from different trains of electrical power.

Furthermore, OPERABILITY of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information. For some PAM Functions, Table 3.3.3-1 specifies one or three required channels. The following are exceptions to the two-channel requirement:

Three channels of steam generator (SG) wide range level instrumentation are required to be OPERABLE. Each SG has one installed wide range channel that assures the ability to monitor SG level during operating conditions when the level may not be in the normal range. In many accident analyses, two SGs are assumed to be available to provide the necessary heat removal capacity. The requirement for three OPERABLE channels of wide range level indication (one per SG) helps to assure adequate wide range SG level indication remains available (assuming one indication channel fails or a SG is faulted) to monitor SG level and support maintaining the necessary heat removal capacity.

Only one channel of high head safety injection (HHSI) total automatic injection header flow is required to be OPERABLE. The normal SI injection flow path (automatically initiated on an SI signal) has a single installed Regulatory Guide 1.97 flow instrument that indicates total SI flow in the control room. This indicator is used to confirm automatic SI flow initiation. The single HHSI total flow indication is adequate considering the alternate control room indications available to confirm the operation of the Beaver Valley Units 1 and 2 B 3.3.3 - 3 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued)

SI System. An alternate method of verifying SI initiation can be provided by the High Head SI pump amperage indication, the High Head SI header pressure indication, and the SI automatic valve position indication.

Another exception to the two channel requirement is the Penetration Flow Path Containment Isolation Valve (CIV) Position. In this case, the important information is the status of the containment penetrations. The LCO requires one position indicator for each active CIV. Active CIVs are those valves associated with an unisolated penetration and designed with control room indication per the Table 3.3.3-1 footnotes modifying the required channels of CIV position indication. The active CIVs addressed by this LCO only include valves designed to close on a Phase A or Phase B containment isolation signal. Valves that open on a Phase A or Phase B containment isolation signal are not required to have their position verified to confirm adequate containment isolation. This is sufficient to redundantly verify the isolation status of each required isolable penetration (required to be isolated during accident conditions) either via indicated status of the active valve or the reliability of CIVs without control room indication (i.e., automatic check valves and relief valves that are not dependent on an external power source or closure signal) or prior knowledge of a passive valve, or via closed system boundary status. If a normally active CIV is known to be closed and deactivated or open under administrative controls in accordance with the provisions of the CIV Technical Specification, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

Type A and Category I variables are generally required to meet Regulatory Guide 1.97 Category I (Ref. 2) design and qualification requirements for seismic and environmental qualification, single failure criterion, utilization of emergency standby power, immediately accessible display, continuous readout, and recording of display.

The following are discussions of the specified instrument Functions listed in Table 3.3.3-1.

1, 2, 3. Power, Intermediate, and Source Range Neutron Flux Neutron Flux indication is provided to verify reactor shutdown.

The three ranges are necessary to cover the full range of flux that may occur post accident.

The required channels of Source Range indication on Table 3.3.3-1 are modified by footnote (f) which provides an Beaver Valley Units 1 and 2 B 3.3.3 - 4 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued) exception that allows the source range neutron detectors to be de-energized above the P-6 Intermediate Range Neutron Flux Interlock. Source Range channel OPERABILITY, when the associated detector is de-energized, consists of being capable of performing its intended function once power is restored to the associated neutron detector. When the source range detectors are de-energized, the source range channels are also considered de-energized and SR 3.3.3.1 is not applicable. Similarly, the required channels for Intermediate and Power Range indication on Table 3.3.3-1 are modified by footnote (g) which provides an exception to the MODE 3 OPERABILITY requirement for this indication. In MODE 3, the Source Range channels are adequate to provide the required reactivity monitoring function. The Intermediate and Power Range indication channels serve to confirm reactor shutdown in a post reactor trip condition from power operation.

Neutron flux is used for accident diagnosis, verification of subcriticality, and diagnosis of positive reactivity insertion.

Neutron flux is classified as a Category 1 variable.

4, 5. Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (Wide Range)

RCS Hot and Cold Leg Temperatures are Type A and Category I variables provided for verification of core cooling and long term surveillance.

RCS hot and cold leg temperatures are used to determine RCS subcooling margin. RCS subcooling margin will allow termination of safety injection (SI), if still in progress, or reinitiation of SI if it has been stopped. RCS subcooling margin is also used for unit stabilization and cooldown control.

In addition, RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions necessary to establish natural circulation in the RCS.

6. Reactor Coolant System Pressure (Wide Range)

RCS wide range pressure is a Type A and Category I variable provided for verification of core cooling and RCS integrity long term surveillance.

The LCO requirement for two OPERABLE indication channels can be met by using any combination of the RCS Pressure (Wide Range) indication channels or the RCS Pressure indication Beaver Valley Units 1 and 2 B 3.3.3 - 5 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued) channels associated with the Reactor Vessel Water Level Indicating System which also provide a qualified wide range RCS pressure indication.

RCS pressure can be used to verify delivery of SI flow to RCS from at least one train when the RCS pressure is below the pump shutoff head. RCS pressure may also be used to verify closure of manually closed spray line valves and pressurizer power operated relief valves (PORVs).

In addition to these verifications, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin will allow termination of SI, if still in progress, or reinitiation of SI if it has been stopped. RCS pressure can also be used:

to determine whether to terminate actuated SI or to reinitiate stopped SI,

to determine when to reset SI and shut off low head SI,

to manually restart low head SI,

as reactor coolant pump (RCP) trip criteria, and

to make a determination on the nature of the accident in progress and where to go next in the procedure.

RCS subcooling margin is also used for unit stabilization and cooldown control.

RCS pressure is also related to three decisions about depressurization. They are:

to determine whether to proceed with primary system depressurization,

to verify termination of depressurization, and

to determine whether to close accumulator isolation valves during a controlled cooldown/depressurization.

A final use of RCS pressure is to determine whether to operate the pressurizer heaters.

Beaver Valley Units 1 and 2 B 3.3.3 - 6 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued)

RCS pressure is a Type A variable because the operator uses this indication to monitor the cooldown of the RCS following a steam generator tube rupture (SGTR) or small break LOCA. Operator actions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would use this indication.

Furthermore, RCS pressure is one factor that may be used in decisions to terminate RCP operation.

7. Reactor Vessel Water Level Reactor vessel water level is classified as a Category 1 variable for Unit 1 and Category 2 variable for Unit 2.

Reactor Vessel Water Level is provided for verification and long term surveillance of core cooling. It is also used for accident diagnosis and to determine reactor coolant inventory adequacy.

The Reactor Vessel Water Level Monitoring System provides a direct measurement of the collapsed liquid level above the fuel alignment plate. The collapsed level represents the amount of liquid mass that is in the reactor vessel above the core.

Measurement of the collapsed water level is selected because it is a direct indication of the water inventory.

8. Containment Sump Water Level (Wide Range)

Containment Sump Water Level is provided for verification and long term surveillance of RCS integrity.

Containment Sump Water Level is used to determine:

containment sump level accident diagnosis,

when to begin the recirculation procedure (to confirm automatic initiation or if manual operation is necessary), and

whether to terminate SI, if still in progress.

9. Containment Pressure (Wide Range)

Containment Pressure (Wide Range) is classified as a Category 1 variable.

Containment Pressure (Wide Range) is provided for verification of RCS cooling and containment OPERABILITY (i.e., integrity).

Beaver Valley Units 1 and 2 B 3.3.3 - 7 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued)

The significant post accident use of containment pressure indication is to indicate the potential loss of a fission product boundary for the Emergency Action Levels in the E-Plan.

Containment pressure is a key indicator in the declaration of a General Emergency level and the potential need for offsite protective action recommendations. The wide range containment pressure instrumentation provides an adequate range and sensitivity for this purpose.

10. Containment Area Radiation (High Range)

Containment Area Radiation (High Range) is classified as a Type A and Category 1 variable.

Containment Area Radiation is provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Containment radiation level is used to identify a loss of one or more fission product barriers.

11. Pressurizer Level Pressurizer Level is classified as a Type A and Category 1 variable.

Pressurizer Level is used to determine whether to terminate SI, if still in progress, or to reinitiate SI if it has been stopped.

Knowledge of pressurizer water level is also used to verify the unit conditions necessary to establish natural circulation in the RCS and to verify that the unit is maintained in a safe shutdown condition.

12. Steam Generator Water Level (Wide Range)

SG Water Level (Wide Range) is classified as a Category 1 variable for Unit 1 and as a Type A and Category 1 variable for Unit 2.

SG Water Level (Wide Range) indication is provided to monitor operation of decay heat removal via the SGs. SG Water Level (Wide Range) indication is used to:

identify the faulted SG following a steam generator tube rupture, Beaver Valley Units 1 and 2 B 3.3.3 - 8 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued)

verify that the intact SGs are an adequate heat sink for the reactor,

determine the nature of the accident in progress (e.g., verify a steam generator tube rupture),

verify unit conditions for the termination of SI during secondary side HELBs outside containment, and

verify SG tubes are covered before terminating AFW to the faulted SG to assure iodine scrubbing and design basis iodine partitioning in the event of a steam generator tube rupture.

Controlling SG level to maintain a heat sink and the diagnosis of a steam generator tube rupture based on SG level are operator actions assumed in the design basis accident analysis for which no automatic actuation is provided. In addition, the PRA shows that SG Wide Range Level indication can be important to safety by providing information for the initiation of operator actions to establish bleed and feed for a loss of heat sink event.

13 a), b), c). Steam Generator (SG) Pressure SG Pressure is classified as a Type A and Category 1 variable.

SG Pressure provides a target indication for RCS depressurization for the steam generator tube rupture accident to terminate the RCS inventory loss. In the event of a steam generator tube rupture accident, the EOPs instruct the operators to depressurize the RCS to a pressure below the secondary side pressure in the ruptured steam generator. RCS depressurization to a pressure less than the steam generator pressure terminates the RCS inventory loss and terminates the steam generator inventory gain, preventing overfill of the steam generator. The termination of the break flow is an operator action assumed in the design basis steam generator tube rupture analysis for which no automatic action is provided.

14. Primary Plant Demineralized Water Storage Tank (PPDWST)

Level The PPDWST level is classified as a Category 1 variable for Unit 1 and a Type A and Category 1 variable for Unit 2.

Beaver Valley Units 1 and 2 B 3.3.3 - 9 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued)

The PPDWST Level is provided to ensure water supply for auxiliary feedwater (AFW). The PPDWST provides the ensured safety grade water supply for the AFW System. The PPDWST Level indication is used for the diagnosis of the need to refill the tank to provide a long term steam generator heat sink for decay heat removal.

PPDWST Level is considered a Type A variable (for Unit 2) because the control room meter and annunciator are considered the primary indication used by the operator.

The PPDWST is the initial source of water for the AFW System.

However, as the PPDWST is depleted, manual operator action is necessary to replenish the PPDWST or align suction to the alternate AFW pump suction supply.

15. Refueling Water Storage Tank (RWST) Level (Wide Range)

The RWST Level is classified as a Type A and Category 1 variable for Unit 1 and a Category 2 variable for Unit 2.

RWST Level provides an indication of the water inventory remaining for use by containment spray and safety injection for core cooling and containment cooling. No operator actions in the design basis accident analysis are based on the RWST Level indication. The switchover from the RWST to the containment sump is performed automatically.

In the event of an accident in which the RCS inventory losses are outside of containment (e.g., steam generator tube rupture or interfacing system LOCA), the remaining RWST level is an important indication for choosing the appropriate operator actions to maintain core cooling in the EOPs. The RWST Level is important in diagnosing the need for implementing RWST refill to maintain a sufficient inventory for long term core cooling following these events.

16. Penetration Flow Path Containment Isolation Valve (CIV) Position Penetration Flow Path CIV Position indication is classified as a Category 1 variable for Unit 1 and a Category 2 variable for Unit 2.

This indication is provided for verification of Containment Phase A and Phase B isolation. The E-Plan identifies that an elevated emergency action level should be declared following an accident in the event of a failure of automatic containment isolation.

Beaver Valley Units 1 and 2 B 3.3.3 - 10 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued)

This requirement only applies to containment isolation valves which receive a Phase A and Phase B containment isolation closure signal. This requirement is not applicable to valves that open on receipt of a Containment Phase A or B signal. When used to verify Phase A and Phase B isolation, the important information is the isolation status of the containment penetrations.

The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active CIV in a containment penetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves that have control room position indication. For containment penetrations with only one active CIV having control room indication, footnote (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve with control room indication and the reliability of containment isolation valves without control room indication (i.e., automatic check valves and relief valves that are not dependent on an external power source or closure signal),

or prior knowledge of a passive valve, or via closed system boundary status. If a normally active CIV is known to be closed and deactivated or open under administrative controls in accordance with the provisions of the CIV Technical Specification, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE. Footnote (a) to the Required Channels states that the Function is not required for isolation valves whose associated penetration is isolated by at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured. Each penetration is treated separately and each penetration flow path is considered a separate function. Therefore, separate Condition entry is allowed for each inoperable penetration flow path.

17 a), b), c), d) Core Exit Temperature Core Exit Temperature is classified as a Category 1 variable for Unit 1 and a Type A and Category 1 variable for Unit 2.

Core Exit Temperature indication is provided for verification and long term surveillance of core cooling. The Core Exit Temperature indication provides information for the operators to initiate RCS depressurization following a steam generator tube rupture. Core Exit Temperature indication is important to safety because it provides information necessary to maintain subcooling Beaver Valley Units 1 and 2 B 3.3.3 - 11 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued) for RCS cooldown and depressurization following steam generator tube rupture and other small break LOCA events. It is also used as an indication for the transfer from the EOPs to the Severe Accident Management Guidance, where a greater focus is maintained on preserving the remaining fission product barriers.

Table 3.3.3-1 requires two OPERABLE channels of Core Exit Temperature per core quadrant. Footnote (c) to Table 3.3.3-1 requires a Core Exit Temperature channel to consist of two core exit thermocouples. Two sets of two thermocouples ensure that a single failure will not affect the ability to determine whether an inadequate core cooling condition exists.

18. Secondary Heat Sink Indication Secondary Heat Sink Indication is comprised of two different types of indications (instruments). Footnote (d) to this Function explains that the two required channels per SG can be satisfied by using any combination of SG Water Level (Narrow Range) channels and Auxiliary Feedwater (AFW) Flow Channels such that two channels are OPERABLE for each SG.

SG Water Level (Narrow Range) is classified as a Type A and Category 1 variable. AFW Flow is classified as a Category 2 variable for Unit 1 and a Type A and Category 1 variable for Unit 2.

This indication provides confirmation of adequate SG inventory to ensure the required heat sink(s) are available. The availability of SG(s) for heat removal is important to safety to ensure adequate core cooling. This indication can also be used by the operator to confirm that the AFW System is in operation and delivering sufficient flow to each SG. AFW System initiation is important to safety because it provides information necessary for operator action to initiate alternate feedwater sources in the event of a failure of the AFW System.

19. High Head Safety Injection (SI) Flow High Head Safety Injection (SI) Flow is classified as a Category 2 variable.

High Head SI Flow indication is used to confirm automatic safety injection initiation following a design basis accident. Therefore, the required flow indicator for this PAM Function is the total flow indicator installed in the automatic High Head SI flow path.

Beaver Valley Units 1 and 2 B 3.3.3 - 12 Revision 0

PAM Instrumentation B 3.3.3 BASES LCO (continued)

Failure to manually initiate SI flow when the automatic initiation fails can lead to a significant increase in core damage frequency.

Operator action is based on the ECCS flow indication in the control room. Only high head safety injection is important for all accident sequences except the unlikely double-ended guillotine rupture of the largest reactor coolant pipe. Therefore, only the High Head SI Flow indication is required.

This instrumentation was not designed to meet Regulatory Guide 1.97 Category 1 or Type A requirements. Only a single channel is available and required OPERABLE for each unit. The requirement for a single OPERABLE channel of this indication is acceptable due to design requirements for this instrument (i.e., not Category 1) and the additional information available in the control room to confirm high head SI initiation. For example, if the total High Head SI Flow indication is not available, alternate methods of verifying SI initiation can be provided by the High Head SI pump amperage indication, the High Head SI header pressure indication, and the SI automatic valve position indication.

As only one channel of High Head SI Flow indication is required OPERABLE, the information associated with this Function on Table 3.3.3-1 is modified by footnote (e). Footnote (e) clarifies that Action Condition B is the only applicable Action Condition for Functions with only one required channel that can not be restored to OPERABLE status within the Completion Time specified in Action Condition A. As Footnote (e) and Condition B are in the Table column for Conditions referenced from Required Action D.1, this Table notation also clarifies that Action Conditions C, D, E, and F are not applicable to Functions that only require a single OPERABLE channel.

APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1, 2, and 3.

These variables are related to the diagnosis and pre-planned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1, 2, and 3. In MODES 4, 5, and 6, unit conditions are such that the likelihood of an event that would require PAM instrumentation is low; therefore, the PAM instrumentation is not required to be OPERABLE in these MODES.

Beaver Valley Units 1 and 2 B 3.3.3 - 13 Revision 0

PAM Instrumentation B 3.3.3 BASES ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies when one or more Functions have one required channel that is inoperable. Required Action A.1 requires restoring the inoperable channel to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1 Condition B applies when the Required Action and associated Completion Time for Condition A are not met. This Required Action specifies the immediate initiation of actions in Specification 5.6.5, which requires a written report to be submitted to the NRC within the following 14 days.

This report discusses the results of the evaluation into the cause of the inoperability and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement since alternative actions are identified before loss of functional capability, and given the likelihood of unit conditions that would require information provided by this instrumentation.

C.1 Condition C applies when one or more Functions have two inoperable required channels (i.e., two channels inoperable in the same Function).

Required Action C.1 requires restoring one channel in the Function(s) to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

Beaver Valley Units 1 and 2 B 3.3.3 - 14 Revision 0

PAM Instrumentation B 3.3.3 BASES ACTIONS (continued)

D.1 Condition D applies when the Required Action and associated Completion Time of Condition C are not met. Required Action D.1 requires entering the appropriate Condition referenced in Table 3.3.3-1 for the channel immediately. The applicable Condition referenced in the Table is Function dependent. Each time an inoperable channel has not met the Required Action of Condition C and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 and E.2 If the Required Action and associated Completion Time of Condition C are not met and Table 3.3.3-1 directs entry into Condition E, the unit must be brought to a MODE where the requirements of this LCO do not apply.

To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

F.1 Alternate means of monitoring Reactor Vessel Water Level and Containment Area Radiation have been developed and tested. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the unit but rather to follow the directions of Specification 5.6.5, in the Administrative Controls section of the TS. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

The following are examples of acceptable alternate indication methods for Reactor Vessel Water Level and Containment Area Radiation:

Reactor Vessel Water provides information to indicate whether the core cooling safety function is being accomplished. As such, the core exit temperature and subcooling (RCS Pressure and Temperature) indications may be used in lieu of Reactor Vessel Water indication.

Beaver Valley Units 1 and 2 B 3.3.3 - 15 Revision 0

PAM Instrumentation B 3.3.3 BASES ACTIONS (continued)

Radiation monitor RM-1RM-201 (Unit 1) and 2RMR-RQ202B (Unit 2) or a portable radiation monitor (with appropriate multiplier if necessary) can be used as an alternate method of indication for Containment Area Radiation High Range.

SURVEILLANCE A Note has been added to the SR Table to clarify that SR 3.3.3.1 and REQUIREMENTS SR 3.3.3.2 apply to each PAM instrumentation Function in Table 3.3.3-1 except as noted in SR 3.3.3.2.

SR 3.3.3.1 Performance of the CHANNEL CHECK ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

In addition, it is not necessary to place a system or component in service that is not normally in service (e.g., initiate AFW flow to the SGs) in order to perform the required CHANNEL CHECK. In cases where the required instrumentation may be energized but only a single channel is available (e.g., HHSI Flow) or where there may be no flow (e.g., AFW Flow), the CHANNEL CHECK may be accomplished by comparing the indicated value to the known plant condition (e.g., zero flow). In the case of CIVs, the CHANNEL CHECK may be accomplished by comparing the indicated valve position to the known or expected valve position based on current plant conditions.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability as applicable. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized.

Beaver Valley Units 1 and 2 B 3.3.3 - 16 Revision 29

PAM Instrumentation B 3.3.3 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.2 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter with the necessary range and accuracy. This SR is modified by Note 1 that excludes neutron detectors. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." In addition, this SR is modified by Note 2 that states the CHANNEL CALIBRATION surveillance is not applicable to the Penetration Flow Path Containment Isolation Valve Position Indication Function. The required valve position indication channels are verified by a Trip Actuating Operational Test (TADOT) in lieu of a CHANNEL CALIBRATION. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the Core Exit thermocouple sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.3 This Surveillance requires the performance of a TADOT. The TADOT is only required for the Penetration Flow Path Containment Isolation Valve Position Function on Table 3.3.3-1. The TADOT is adequate to verify the OPERABILITY of the required containment isolation valve position indication channels.

A Note modifies the SRs to specify that SR 3.3.3.3 is only applicable to the Penetration Flow Path Containment Isolation Valve Position Function.

Due to the design of the instrument circuits involved, the TADOT, rather than the CHANNEL CALIBRATION, provides the more appropriate defined test to verify the OPERABILITY of these indication channels.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.3 - 17 Revision 29

PAM Instrumentation B 3.3.3 BASES REFERENCES 1. Unit 1 Regulatory Guide 1.97 Submittals: (1) Duquesne Light Letter dated 10/13/86,

Subject:

Regulatory Guide 1.97, Revision 2, Supplemental Report (Complete RG 1.97 report attached),

(2) Duquesne Light Letter dated 4/22/87,

Subject:

RG 1.97, Revision 2, Response to Interim Review Results, (Item 10, Type A classification of the Primary Plant Demineralized Water Storage Tank Level removed), (3) Duquesne Light Letter dated 12/18/89,

Subject:

Response to NRC RG 1.97 Concerns, (Page 4, A1 classification of AFW Flow removed).

Unit 1 NRC Regulatory Guide 1.97 Safety Evaluation Reports (SERs): (1) NRC Letter dated 11/20/89,

Subject:

Completion of Review of Regulatory Guide 1.97 Conformance (TAC No. 51071),

(2) NRC Letter dated 12/30/91,

Subject:

Emergency Response Capability - Conformance to Regulatory Guide 1.97 (TAC No.

M75944), (3) NRC Letter dated 6/15/92,

Subject:

Emergency Response Capability - Conformance To Regulatory Guide 1.97 (TAC No. M75944), (4) NRC Letter dated 11/17/95,

Subject:

Conformance to Regulatory Guide 1.97, Revision 2, Post-Accident Neutron Flux Monitoring Instrumentation for BVPS Unit 1 (TAC No.

M81201).

Unit 2 Regulatory Guide 1.97 Submittal: UFSAR Table 7.5-1.

Unit 2 NRC Regulatory Guide 1.97 SER: NUREG-1057, Supplement No. 1, Section 7.5, May 1986 (original Unit 2 SER).

2. Regulatory Guide 1.97, Rev. 2, December 1980.

3. NUREG-0737, Supplement 1, "TMI Action Items."

Beaver Valley Units 1 and 2 B 3.3.3 - 18 Revision 0

Remote Shutdown System B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient indications and controls to maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator (SG) atmospheric dump valves (ADVs) can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allows extended operation in MODE 3.

If the control room becomes inaccessible, the operators can establish control utilizing the Remote Shutdown System. The Remote Shutdown System indications and controls necessary to maintain the unit in a safe shutdown condition (MODE 3) are specified in Table B 3.3.4-1 and are physically located on the Emergency Shutdown Panels (PNL-SHUTDN for Unit 1 and PNL-2SHUTDN for Unit 2). The unit automatically reaches MODE 3 following a unit trip and can be maintained safely in MODE 3 for an extended period of time. Plant procedures assure the reactor is manually tripped and safely shutdown prior to transferring control to the Emergency Shutdown Panel.

The OPERABILITY of the remote shutdown control and indication functions ensures there is sufficient information available on selected unit parameters to maintain the unit in MODE 3 should the control room become inaccessible.

APPLICABLE The Remote Shutdown System is required to provide equipment at SAFETY appropriate locations outside the control room with a capability to ANALYSES maintain the unit in a safe condition in MODE 3.

There are no specific design basis accident safety analysis assumptions (i.e., single active failures) that would require redundant Remote Shutdown System indications or controls be maintained OPERABLE by the Technical Specifications. Therefore, Table B 3.3.4-1 only specifies that a single channel of each indication and control function be OPERABLE in order to meet the requirements of the LCO.

Beaver Valley Units 1 and 2 B 3.3.4 - 1 Revision 0

Remote Shutdown System B 3.3.4 BASES APPLICABLE SAFETY ANALYSES (continued)

The criteria governing the design and specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1).

The Remote Shutdown System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO The Remote Shutdown System LCO provides the OPERABILITY requirements for the indications and controls necessary to maintain the unit in MODE 3 from the Emergency Shutdown Panels (PNL-SHUTDN for Unit 1 and PNL-2SHUTDN for Unit 2). The indications and controls required are listed in Table B 3.3.4-1. Each control channel specified in Table B 3.3.4-1 consists of both the control switch and associated transfer switch if applicable.

The controls, indications, and transfer switches are required for:

Core reactivity control,

RCS pressure control,

Decay heat removal via the AFW System and the SG ADVs,

RCS inventory control via charging flow, and

Safety support systems for the above Functions, including Component Cooling Water, Unit 1 River Water, and Unit 2 Service Water.

A Function of a Remote Shutdown System is OPERABLE if all indication and control channels needed to support the Remote Shutdown System Function are OPERABLE. However, not all indication and control circuits associated with the systems identified in Table B 3.3.4-1 are required OPERABLE in order to support the required Remote Shutdown System Function. Table B 3.3.4-1 only specifies 1 required channel for each indication and control instrument associated with each Remote Shutdown System Function. For example, the capability to remotely operate a single AFW pump and control its flow and the control of one associated SG ADV provide the necessary control channels to accomplish the decay heat removal Function specified in Table B 3.3.4-1. All the AFW pump and flow controls do not have to be OPERABLE to accomplish the decay heat removal Function required OPERABLE by the LCO. Similarly, the control for a single letdown orifice isolation valve is sufficient to meet the requirement of the RCS Inventory Function for 1 channel of letdown flow control.

Beaver Valley Units 1 and 2 B 3.3.4 - 2 Revision 0

Remote Shutdown System B 3.3.4 BASES LCO (continued)

The remote shutdown indication and control channels covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the indication and control channels will be OPERABLE if unit conditions require that the Remote Shutdown System be placed in operation.

APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3.

This is required so that the unit can be maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy.

Under these conditions, considerable time is available to restore necessary instrument control functions if control room instruments or controls become unavailable.

ACTIONS A Remote Shutdown System Function is inoperable when 1 or more required channel(s) of indication or control are inoperable. The required channels of indication and control for each Remote Shutdown System Function are specified on Table B 3.3.4-1.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for each Function. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System are inoperable. This includes the control and transfer switches for any required Function.

The Required Action is to restore the required Function to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

Beaver Valley Units 1 and 2 B 3.3.4 - 3 Revision 0

Remote Shutdown System B 3.3.4 BASES ACTIONS (continued)

B.1 and B.2 If the Required Action and associated Completion Time of Condition A is not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that a gross failure of indication instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

As specified in the Surveillance, a CHANNEL CHECK is only required for those indication channels which are normally energized. In addition, it is not necessary to place a system or component in service that is not normally in service (e.g., initiate AFW flow to the SGs) in order to perform the required CHANNEL CHECK of a Remote Shutdown System indication channel. In cases where the required instrumentation may be energized but only a single channel is available or where there may be no flow (e.g., AFW Flow), the CHANNEL CHECK may be accomplished by comparing the indicated value to the known plant condition (e.g., zero flow).

Beaver Valley Units 1 and 2 B 3.3.4 - 4 Revision 29

Remote Shutdown System B 3.3.4 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.2 CHANNEL CALIBRATION is a complete check of an indication instrument loop and the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

This SR is modified by a Note that excludes neutron detectors. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation."

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.3 SR 3.3.4.3 verifies each required Remote Shutdown System control circuit and transfer switch performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the unit can be maintained in MODE 3 from the Emergency Shutdown Panels (PNL-SHUTDN for Unit 1 and PNL-2SHUTDN for Unit 2).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 19.

Beaver Valley Units 1 and 2 B 3.3.4 - 5 Revision 29

Remote Shutdown System B 3.3.4 Table B 3.3.4-1 (page 1 of 1)

Remote Shutdown System Indications and Controls Emergency Shutdown Panels PNL-SHUTDN (Unit 1) and PNL-2SHUTDN (Unit 2)

REMOTE SHUTDOWN SYSTEM FUNCTION REQUIRED INDICATIONS AND CONTROLS NUMBER OF CHANNELS

1. Reactivity Control Function

a. Source Range Neutron Flux (indication) 1(a)

b. Boric Acid Transfer Pump (control) 1

2. Reactor Coolant System (RCS) Pressure Control Function

a. Pressurizer Pressure (indication) 1 or RCS Wide Range Pressure (indication) (Unit 2 only)

b. Pressurizer heater (control) 1

3. Decay Heat Removal via Steam Generators (SGs) Function

a. RCS Hot Leg Temperature (indication) 1

b. RCS Cold Leg Temperature (indication) 1

c. SG Pressure (indication) 1/SG

d. SG Level (indication) 1/SG

e. AFW Flow (indication) 1/SG

f. SG Atmospheric Dump Valve (control) 1 or Residual Heat Release Valve (control) (Unit 2 only)

g. AFW pump (control) 1

h. AFW Flow (control) 1

4. RCS Inventory Control Function

a. Pressurizer Level (indication) 1

b. Charging Pump (control) 1

c. Charging Flow (control) 1

d. Letdown Flow (control) 1

5. Support Systems

a. Component Cooling Water pump (control) 1

b. River Water pump (control) (Unit 1 only) 1

c. Service Water pump (control) (Unit 2 only) 1 (a) Source Range neutron detectors are not required to be energized above the P-6 Intermediate Range Neutron Flux Interlock.

Beaver Valley Units 1 and 2 B 3.3.4 - 6 Revision 0

LOP DG Start and Bus Separation Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start and Bus Separation Instrumentation BASES BACKGROUND The DGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation.

The LOP instrumentation ensures a reliable source of emergency power by providing the following Functions: 1) An automatic DG start on emergency bus undervoltage, and 2) Separation of the emergency buses on undervoltage and degraded voltage conditions.

Loss of Voltage Protection Unit 1 The Unit 1 loss of voltage protection consists of two relays for each of the 4160 V emergency buses. One relay actuates to open the normal supply breakers for the associated emergency buses (bus separation). The other loss of voltage relay provides a start signal for the DG associated with the bus. Both loss of voltage relays have the same nominal trip setpoint and Allowable Value (with different time delays).

Unit 2 The Unit 2 loss of voltage protection consists of three relays for each 4160 V emergency bus. Two relays on each bus actuate to open the normal supply breakers for the associated emergency buses (with a two-out-of-two logic per bus) to provide the bus separation function. The other loss of voltage relay provides a start signal for the associated DG.

All three loss of voltage relays have the same nominal trip setpoint and Allowable Value (with different time delays).

Degraded Voltage Protection In addition to the loss of voltage protection, degraded voltage protection for both Units is provided by two relays on each 4160 V emergency bus and two relays on each 480 V emergency bus. The two relays on each bus actuate upon a reduced voltage condition that exists for an extended time. The relays actuate (in a two-out-of-two logic per bus) to open the normal supply breakers and separate the affected emergency bus from the degraded voltage supply. The two-out-of-two logic helps prevent a spurious relay actuation from causing bus separation.

The Unit 1 and Unit 2 LOP instrumentation is described in UFSAR Chapter 8 (Ref. 1).

Beaver Valley Units 1 and 2 B 3.3.5 - 1 Revision 0

LOP DG Start and Bus Separation Instrumentation B 3.3.5 BASES BACKGROUND (continued)

The Allowable Value in conjunction with the nominal trip setpoint and LCO establishes the threshold for the LOP instrumentation capability to provide the required loss of voltage and degraded voltage protection that assures a reliable source of emergency power. The nominal trip setpoints are specified in the Licensing Requirements Manual (LRM).

The Allowable Value is considered a limiting value such that a channel is OPERABLE if the setpoint is found to satisfy the applicable Allowable Value requirements specified in Table 3.3.5-1 during the CHANNEL CALIBRATION. Note that although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to within the established calibration tolerance band of the setpoint in accordance with uncertainty assumptions stated in the referenced setpoint methodology, (as-left-criteria) and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

Allowable Values and LOP DG Start Instrumentation Setpoints The allowances used to develop the nominal trip setpoints for the loss of voltage and degraded voltage relays are described in the unit specific setpoint methodology (Ref. 2). The selection of the nominal trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account.

Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the operation of the LOP Instrumentation will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and that the equipment functions as designed.

Allowable Values are specified for each Function in Table 3.3.5-1.

Nominal trip setpoints are specified in the LRM. The nominal trip setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable provided that operation and testing is consistent with the assumptions of the unit specific setpoint methodology (Ref. 2).

APPLICABLE The LOP instrumentation is required for the Engineered Safety Features SAFETY (ESF) Systems to function in any accident with a loss of offsite power.

ANALYSES Its design basis is that of the ESF Actuation System (ESFAS).

Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident (LOCA). The actual DG start has Beaver Valley Units 1 and 2 B 3.3.5 - 2 Revision 0

LOP DG Start and Bus Separation Instrumentation B 3.3.5 BASES APPLICABLE SAFETY ANALYSIS (continued) historically been associated with the ESFAS actuation. The DG loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.

The analyses assume a non-mechanistic DG loading, which does not explicitly account for each individual component of loss of power detection and subsequent actions.

The required channels of LOP instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents discussed in Reference 3, in which a loss of offsite power is assumed.

The delay times assumed in the safety analysis for the ESF equipment include the 10 second DG start delay, and the appropriate sequencing delay. The response times for ESFAS actuated equipment in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation,"

include the appropriate DG loading and sequencing delay where applicable.

The LOP instrumentation channels satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO for LOP instrumentation requires that the loss of voltage and degraded voltage instrument channels specified in Table 3.3.5-1 be OPERABLE in MODES 1, 2, 3, and 4 when the LOP instrumentation supports safety systems associated with the ESFAS. In MODES 5, 6, and during fuel movement, the LOP instrumentation must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure a reliable source of emergency power is available when needed. A channel is OPERABLE provided the trip setpoint "as-found" value satisfies the applicable Allowable Value requirements specified in Table 3.3.5-1 and provided the trip setpoint "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the nominal trip setpoint. A trip setpoint may be set more conservative than the nominal trip setpoint as necessary in response to plant conditions provided that the +/- calibration tolerance band remains the same and the Allowable Value is administratively controlled accordingly in the conservative direction to meet the assumptions of the setpoint methodology. The conservative direction is established by the direction of the inequality applied to the Allowable Value. Loss of the LOP Instrumentation Function could result in the delay of safety systems initiation when required. This could lead to unacceptable consequences during accidents. For example, during the loss of offsite power the DG powers the motor driven auxiliary feedwater pumps. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased potential for a loss of decay heat removal through the secondary system.

Beaver Valley Units 1 and 2 B 3.3.5 - 3 Revision 0

LOP DG Start and Bus Separation Instrumentation B 3.3.5 BASES APPLICABILITY The LOP Instrumentation Functions are required in MODES 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODE 5, 6, and during fuel movement is required whenever the required DG must be OPERABLE so that it can perform its function for a loss of voltage or degraded voltage condition on an emergency bus.

ACTIONS In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the channel is found inoperable, then the function that channel provides must be declared inoperable and the LCO Condition entered for the particular protection function affected.

Because the required channels are specified on a per bus basis, the Condition may be entered separately for each bus as appropriate.

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function specified in Table 3.3.5-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies to all LOP instrument functions specified in Table 3.3.5-1. Condition A addresses the situation where one or more channels for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.5-1 and to take the applicable Required Actions for the LOP functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1 Condition B applies to the LOP Functions with one loss of voltage or one degraded voltage channel per bus inoperable. The Condition is applicable to a single inoperable channel on one bus or a single inoperable channel on each bus.

If one channel is inoperable, Required Action B.1 requires that channel to be placed in trip within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With a channel in trip, the LOP instrumentation channels are configured to provide a one-out-of-one logic to initiate the LOP protection function.

A Note is added to allow bypassing an inoperable channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels provided the corresponding instrument channels, electrical bus, and DG in the other Beaver Valley Units 1 and 2 B 3.3.5 - 4 Revision 10

LOP DG Start and Bus Separation Instrumentation B 3.3.5 BASES ACTIONS (continued) train are OPERABLE. This allowance is made where bypassing the channel does not cause an actuation and where the other electrical train remains OPERABLE to supply emergency power if required.

The specified Completion Time and time allowed for bypassing one channel are justified in Reference 4.

C.1 Condition C applies when more than one loss of voltage or more than one degraded voltage channel per bus are inoperable. The Condition is applicable to two inoperable channels on one bus or two inoperable channels on each bus.

Required Action C.1 requires restoring one channel per bus to OPERABLE status. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP instrument actuation during this interval.

D.1 Condition D applies when one loss of voltage channel per bus is inoperable and is applicable only to those LOP Functions on Table 3.3.5-1 with a single loss of voltage channel per bus. The Condition is applicable to a single inoperable channel on one bus or a single inoperable channel on each bus.

Required Action D.1 requires restoring the inoperable channel to OPERABLE status. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring a LOP instrument actuation during this interval.

E.1 Condition E applies to each of the LOP instrument Functions when the Required Action and associated Completion Time for Condition A, B, C, or D are not met.

In these circumstances the Conditions specified in LCO 3.8.1, "AC Sources - Operating," or LCO 3.8.2, "AC Sources - Shutdown," for the DG made inoperable by failure of the LOP instrumentation are required to be entered immediately. The actions of those LCOs provide for adequate compensatory actions to assure unit safety.

Beaver Valley Units 1 and 2 B 3.3.5 - 5 Revision 10

LOP DG Start and Bus Separation Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.1 REQUIREMENTS SR 3.3.5.1 is the performance of a TADOT. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. The test checks trip devices that provide actuation signals directly, bypassing the analog process control equipment. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that excludes verification of setpoint from the TADOT. The SR applies to the loss of voltage and degraded voltage relays for the 4160 V and 480 V emergency buses and setpoint verification requires removal of the relay and a bench calibration.

Therefore, relay calibration and setpoint verification are accomplished during the CHANNEL CALIBRATION.

SR 3.3.5.2 SR 3.3.5.2 is the performance of a CHANNEL CALIBRATION.

The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay, as specified in the LRM.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. For Unit 1 only, the time delay specified for the 4160 V emergency bus loss of voltage DG start relay, includes auxiliary relay times.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.5 - 6 Revision 29

LOP DG Start and Bus Separation Instrumentation B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.3 This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.

The response time acceptance criteria for instrument channels with a required response time are specified in the LRM. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment reaches the required functional state. Response time may be verified by any series of sequential, overlapping or total channel measurement such that the entire response time is measured.

The Bases for Surveillance Requirement 3.3.2.9 in LCO 3.3.2, "ESFAS Instrumentation" contains a more detailed description of how the required response time verification may be accomplished. The SR 3.3.2.9 Bases is applicable to SR 3.3.5.3 including the Unit 2 option to use the summation of allocated response times.

The final actuation device response time, which makes up the bulk of the total response time, is included in the verification of each channel. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 and Unit 2 UFSAR, Chapter 8.

2. Westinghouse Setpoint Methodology for Protection Systems, WCAP-11419, Rev. 6 (Unit 1) and WCAP-11366, Rev. 7 (Unit 2).

3. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

4. Amendment No. 282 (Unit 1) and Amendment No. 166 (Unit 2),

December 29, 2008.

Beaver Valley Units 1 and 2 B 3.3.5 - 7 Revision 29

Unit 2 Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Unit 2 Containment Purge and Exhaust Isolation Instrumentation BASES BACKGROUND The Unit 2 containment purge and exhaust isolation instrumentation closes the 42 inch containment isolation valves in the Purge and Exhaust System. This action isolates the containment atmosphere from the environment to minimize releases of radioactivity in the event of a fuel handling accident involving recently irradiated fuel.

Two gaseous (Xe-133) radiation monitoring channels (2HVR-RQ104A&B) are provided as input to the containment purge and exhaust isolation.

The radiation monitors have a measurement range of 10-6 to 10-1 Ci/cc.

The Purge and Exhaust System has inner and outer containment isolation valves in its supply and exhaust ducts. A high radiation signal from the 2HVR-RQ104A gaseous radiation monitor closes the outer isolation valves in each penetration and a high radiation signal from the 2HVR-RQ104B gaseous monitor closes the inner isolation valves in each penetration.

In addition to the automatic closure provided by the high radiation signal each containment purge and exhaust isolation valve may be closed manually by its individual control switch.

APPLICABLE During refueling operations, the postulated event that results in the most SAFETY severe radiological consequences is a fuel handling accident (Ref. 1).

ANALYSES The limiting fuel handling accident analyzed in Reference 1, includes dropping a single irradiated fuel assembly and handling tool (conservatively estimated at 2500 pounds) directly onto another irradiated fuel assembly resulting in both assemblies being damaged. The analysis assumes a 100-hour decay time prior to moving irradiated fuel.

The applicable limits for offsite and control room dose from a fuel handling accident are specified in 10 CFR 50.67. Standard Review Plan, Section 15.0.1, Rev 0 (Ref. 2) provides an additional offsite dose criteria of 6.3 rem total effective dose equivalent (TEDE) for fuel handling accidents.

The water level requirements of LCO 3.9.6, "Refueling Cavity Water Level," in conjunction with a minimum decay time of 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months prior to irradiated fuel movement, ensure that the resulting offsite and control room dose from the limiting fuel handling accident is within the limits required by 10 CFR 50.67 and within the acceptance criteria of Beaver Valley Units 1 and 2 B 3.3.6 - 1 Revision 0

Unit 2 Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 BASES APPLICABLE SAFETY ANALYSES (continued)

Reference 2 without the need for containment purge and exhaust isolation.

Therefore, the instrumentation requirements of LCO 3.3.6 "Containment Purge and Exhaust Isolation Instrumentation" are only applicable during refueling operations involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ).

Current requirements based on the decay time of the fuel prevent the movement of recently irradiated fuel. However, the requirements for containment purge and exhaust isolation instrumentation are retained in the Technical Specifications in case these requirements are necessary to support fuel movement involving recently irradiated fuel.

The containment purge and exhaust isolation instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requirements ensure that the instrumentation necessary to initiate Containment Purge and Exhaust Isolation, listed in Table 3.3.6-1, is OPERABLE for Unit 2.

The LCO is modified by a Note that states "This specification is only applicable to Unit 2." Unit 1 relies on filtration of the Containment Purge and Exhaust System effluent by an OPERABLE train of Supplemental Leak Collection and Release System (SLCRS) instead of isolation. Unit 1 must rely on filtration due to the design of the Unit 1 Containment Purge and Exhaust System ductwork where the radiation monitors are located.

The Unit 1 ductwork is not designed to withstand a seismic event (Ref. 3).

1. Manual Initiation The LCO requires one manual initiation channel per Purge and Exhaust System isolation valve to be OPERABLE. Containment Purge and Exhaust Isolation may be initiated at any time by using the individual valve control switches in the control room. Each channel consists of a manual switch and interconnecting circuits to the valve actuator.

2. Containment Radiation The LCO specifies two required channels of gaseous radiation monitors to ensure that the radiation monitoring instrumentation necessary to initiate Containment Purge and Exhaust Isolation remains OPERABLE.

Beaver Valley Units 1 and 2 B 3.3.6 - 2 Revision 0

Unit 2 Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 BASES LCO (continued)

The required gaseous monitors are an in-line type and are mounted directly in the exhaust ductwork. An OPERABLE radiation monitor channel consists of the monitor and includes any associated circuitry necessary to provide the required isolation function.

APPLICABILITY The containment purge and exhaust isolation instrument requirements are applicable during movement of recently irradiated fuel assemblies or the movement of fuel assemblies over recently irradiated fuel assemblies within containment because this is when there is a potential for the limiting fuel handling accident. In MODES 1, 2, 3, and 4, containment penetration requirements (including the purge and exhaust isolation valves) are addressed by LCO 3.6.3, "Containment Isolation Valves" and LCO 3.6.1, "Containment OPERABILITY." In MODES 5 and 6, when movement of irradiated fuel assemblies within containment is not being conducted, the potential for a fuel handling accident does not exist.

Additionally, due to radioactive decay, a fuel handling accident that does not involve recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) will result in doses that are well within the guideline values specified in 10 CFR 50.67 even without containment closure capability. Therefore, under these conditions no requirements are placed on the Containment Purge and Exhaust Isolation Instrumentation.

Although movement of recently irradiated fuel is not currently permitted, the requirements for containment purge and exhaust isolation instrumentation are retained in the Technical Specifications in case these requirements are necessary to support the assumptions of a safety analysis for fuel movement involving recently irradiated fuel consistent with the guidance of Ref. 4.

ACTIONS If the Trip Setpoint is less conservative than specified in Table 3.3.6-1, the channel must be declared inoperable immediately and the appropriate Condition entered.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.6-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

Beaver Valley Units 1 and 2 B 3.3.6 - 3 Revision 29

Unit 2 Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 BASES ACTIONS (continued)

A.1 Condition A applies to the failure of one containment purge isolation radiation monitor channel. The 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months allowed to restore the affected channel is justified by the low likelihood of events occurring during this interval, and recognition that the remaining channel will isolate the purge and exhaust lines on high radiation.

B.1 and B.2 Condition B applies to all Containment Purge and Exhaust Isolation Functions. It addresses the failure of multiple radiation monitoring channels, or the inability to restore a single failed channel to OPERABLE status in the time allowed for Required Action A.1. If one or more manual initiation channels are inoperable, or two radiation monitor channels are inoperable, or the Required Action and associated Completion Time of Condition A are not met, operation may continue as long as the Required Action to place and maintain containment purge and exhaust isolation valves in their closed position is met or the applicable Conditions of LCO 3.9.3, "Containment Penetrations," are met for each valve made inoperable by failure of isolation instrumentation. The Completion Time for these Required Actions is Immediately.

SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.6-1 REQUIREMENTS determines which SRs apply to which Containment Purge and Exhaust Isolation Functions.

SR 3.3.6.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

Beaver Valley Units 1 and 2 B 3.3.6 - 4 Revision 29

Unit 2 Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.6.2 A COT is performed on each required channel to ensure the entire channel will perform the intended Function. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications Surveillance Requirements. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This test verifies the capability of the instrumentation to provide the containment purge and exhaust system isolation. The setpoint shall be left consistent with the current unit specific calibration procedure tolerance.

SR 3.3.6.3 SR 3.3.6.3 is the performance of a TADOT. This test is a check of the Manual Actuation Functions. Each Manual Actuation Function is tested for each valve. The test includes actuation of the end device (i.e., valve cycles).

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.4 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.3.6 - 5 Revision 29

Unit 2 Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 BASES REFERENCES 1. Unit 2 UFSAR 15.7.4.

2. NUREG-0800, Section 15.0.1, Rev. 0, July 2000.

3. NRC Safety Evaluation Report for Unit 1 Amendment 23, 12/12/79.

4. NUREG-1431, "Standard Technical Specifications for Westinghouse Plants," Rev. 2, April 2001.

Beaver Valley Units 1 and 2 B 3.3.6 - 6 Revision 29

CREVS Actuation Instrumentation B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Control Room Emergency Ventilation System (CREVS) Actuation Instrumentation BASES BACKGROUND The CREVS provides an enclosed common control room environment from which both units can be operated following an uncontrolled release of radioactivity. During normal operation, the Control Room Ventilation System recirculates the control room air and provides unfiltered makeup air and cooling. Upon receipt of a CREVS actuation signal from either unit, the Unit 1 and 2 control room ventilation intake and exhaust ducts are isolated to prevent unfiltered makeup air from entering the control room. In addition, the CREVS actuation signal from either unit will also automatically start one Unit 2 CREVS fan to provide filtered makeup air to pressurize the control room. If the preferred Unit 2 CREVS fan does not start, the backup Unit 2 fan will automatically start. Unit 1 may take credit for the operation of one or both of the Unit 2 CREVS fans and filters. One of the two Unit 1 CREVS fans and single filter must be manually aligned and placed in service if required. Once the control room ventilation intake and exhaust ducts are isolated, and the CREVS fan is providing filtered makeup, control room ventilation is in the emergency pressurization mode of operation. The CREVS is described in the Bases for LCO 3.7.10, "Control Room Emergency Ventilation System."

The CREVS actuation instrumentation consists of redundant control room area radiation monitors for each unit, Containment Isolation - Phase B (CIB) signal from each unit, and two train related manual switches (pushbuttons) in each unit's control room. A high radiation signal from the radiation monitors in either unit, a CIB from either unit, or manual switch actuation from either unit such that both trains of CREVS receive an actuation signal, will initiate the CREVS actuation sequence described above. The CIB Function is discussed in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation."

APPLICABLE The control room must be kept habitable for the operators stationed there SAFETY during accident recovery and post accident operations. The CREVS acts ANALYSES to terminate the supply of unfiltered outside air to the control room, initiate intake air filtration, and pressurize the control room. These actions are necessary to ensure the control room is kept habitable for the operators stationed there during accident recovery and post accident operations by minimizing the radiation exposure of control room personnel.

The applicable safety analyses for all design basis accidents considered in MODES 1, 2, 3, and 4 (except LOCA) assume manual initiation of the emergency pressurization mode of operation of control room ventilation (i.e., control room ventilation isolation, filtered makeup, and Beaver Valley Units 1 and 2 B 3.3.7 - 1 Revision 0

CREVS Actuation Instrumentation B 3.3.7 BASES APPLICABLE SAFETY ANALYSES (continued) pressurization). The LOCA accident analysis assumes an automatic Control Room Ventilation System isolation on a CIB signal and subsequent manual initiation of a CREVS fan for filtered makeup and pressurization of the control room. Although the CIB signal will automatically start a CREVS fan and filtered flow path, a 30-minute delay to allow for manual initiation of a CREVS fan and filtered flow path is specifically assumed in all analyses to permit the use of a Unit 1 CREVS fan and filtration flow path which require manual operator action to place in service (Ref. 1).

The current safety analyses do not assume the control room area radiation monitors provide a CREVS actuation signal for any design basis accident. However, requirements for the radiation monitors to be OPERABLE are retained in case the monitors are required to support the assumptions of a fuel handling accident analysis for the movement of recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) or the movement of fuel over recently irradiated fuel consistent with the guidance of Ref. 2.

The CREVS actuation instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requirements ensure that instrumentation necessary to initiate the CREVS is OPERABLE.

1. Manual Initiation The LCO requires two trains OPERABLE. The operator can initiate the CREVS at any time by using either of two switches (pushbuttons) in the control room. This action will cause actuation of all components in the same manner as a single train of the automatic actuation signals (i.e., isolate control room ventilation and start one Unit 2 CREVS fan aligned for filtration and pressurization).

However, when Unit 1 is relying on the Unit 1 CREVS train, as one of the two required trains, only one of the Unit 1 manual pushbuttons is required to start a Unit 2 Fan, but both Unit 1 pushbuttons must be capable of isolating the control room. In this case, the Unit 1 requirement (on Table 3.3.7-1) for two trains of manual initiation is met by one train of manual initiation that is capable of isolating the control room and starting a Unit 2 fan and one train of manual initiation that is capable of isolating the control room. The capability to manually place the Unit 1 CREVS fan and filtered flow path in service is addressed by the OPERABILITY requirements for the Unit 1 CREVS equipment contained in LCO 3.7.10, "Control Room Emergency Ventilation System."

Beaver Valley Units 1 and 2 B 3.3.7 - 2 Revision 0

CREVS Actuation Instrumentation B 3.3.7 BASES LCO (continued)

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure the operator has manual initiation capability.

Each manual initiation train consists of a switch (pushbutton) in the control room, and the interconnecting wiring to the actuating relays.

2. Control Room Radiation The LCO specifies two required Control Room Area Radiation Monitors to ensure that the radiation monitoring instrumentation necessary to initiate the CREVS remains OPERABLE.

The required Unit 1 radiation monitors are designated RM-1RM-218 A & B with a measurement range of 10-2 to 103 mR/hr. The required Unit 2 radiation monitors are designated 2RMC-RQ201 & 202 with a measurement range of 10-2 to 103 mR/hr.

3. Containment Isolation Phase B (CIB)

Refer to LCO 3.3.2, Function 3.b, for all initiating Functions and requirements.

If one or more of the CIB functions becomes inoperable in such a manner that only the CREVS function is affected, the Conditions applicable to their CIB function need not be entered. The less restrictive Actions specified for inoperability of the CREVS Functions specify sufficient compensatory measures for this case.

APPLICABILITY The CREVS manual actuation instrumentation must be OPERABLE in MODES 1, 2, 3, and 4 to provide the required CREVS initiation assumed in the applicable safety analyses. In MODES 5 and 6, when no fuel movement involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) is taking place, there are no requirements for CREVS instrumentation OPERABILITY consistent with the safety analyses assumptions applicable in these MODES. In addition, both manual and radiation monitor instrument channels are required OPERABLE when moving recently irradiated fuel or moving fuel over recently irradiated fuel.

Although the movement of recently irradiated fuel is not currently permitted, these requirements are retained in the Technical Specifications in case the CREVS instrumentation is necessary to support the assumptions of a safety analysis for fuel movement involving recently irradiated fuel, consistent with the guidance of Reference 2.

Beaver Valley Units 1 and 2 B 3.3.7 - 3 Revision 0

CREVS Actuation Instrumentation B 3.3.7 BASES APPLICABILITY (continued)

The Applicability for the CREVS actuation on the ESFAS CIB Functions are specified in LCO 3.3.2. Refer to the Bases for LCO 3.3.2 for discussion of the CIB Function Applicability.

ACTIONS If the Trip Setpoint is less conservative than required in Table 3.3.7-1, the channel must be declared inoperable immediately and the appropriate Condition entered.

A Note has been added to the ACTIONS indicating that separate Condition entry is allowed for each Function. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.7-1 in the accompanying LCO. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies to the radiation monitor channel Functions, and the manual initiation train Functions.

If one train is inoperable, or one radiation monitor channel is inoperable in one or more Functions, 7 days are permitted to restore it to OPERABLE status. The 7 day Completion Time is the same as is allowed if one train of the mechanical portion of the system is inoperable. The basis for this Completion Time is the same as provided in LCO 3.7.10. If the channel/train cannot be restored to OPERABLE status, one CREVS train must be placed in the emergency pressurization mode of operation as described in LCO 3.7.10 bases. This accomplishes the actuation instrumentation Function and places the unit in a conservative mode of operation.

B.1 and B.2 Condition B applies to the failure of two radiation monitor channels, or two manual trains. The first Required Action is to place one CREVS train in the emergency pressurization mode of operation immediately. This accomplishes the actuation instrumentation Function that may have been lost and places the unit in a conservative mode of operation. The applicable Conditions and Required Actions of LCO 3.7.10 must also be entered for the remaining CREVS train made inoperable by the inoperable actuation instrumentation. This ensures appropriate limits are placed upon train inoperability as discussed in the Bases for LCO 3.7.10.

Beaver Valley Units 1 and 2 B 3.3.7 - 4 Revision 0

CREVS Actuation Instrumentation B 3.3.7 BASES ACTIONS (continued)

C.1 and C.2 Condition C applies when the Required Action and associated Completion Time for Condition A or B have not been met and the unit is in MODE 1, 2, 3, or 4. The unit must be brought to a MODE in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1 and D.2 Condition D applies when the Required Action and associated Completion Time for Condition A or B have not been met when moving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) or fuel assemblies over recently irradiated fuel. Fuel movement involving recently irradiated fuel assemblies must be suspended immediately to reduce the risk of accidents that would require CREVS actuation.

SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.7-1 REQUIREMENTS determines which SRs apply to which CREVS Actuation Functions.

SR 3.3.7.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

Beaver Valley Units 1 and 2 B 3.3.7 - 5 Revision 29

CREVS Actuation Instrumentation B 3.3.7 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.7.2 A COT is performed on each required channel to ensure the entire channel will perform the intended function. This test verifies the capability of the instrumentation to provide the CREVS actuation. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications Surveillance Requirements. The setpoints shall be left consistent with the unit specific calibration procedure tolerance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.3 SR 3.3.7.3 is the performance of a TADOT. This test is a check of the Manual Actuation Functions. Each Manual Actuation Function is tested.

A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications Surveillance Requirements.

The test may either include actuation of the end device (i.e., dampers close, and fan starts, etc.), or test up to the point of overlap with other tests that demonstrate actuation of the end devices.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.

Beaver Valley Units 1 and 2 B 3.3.7 - 6 Revision 29

CREVS Actuation Instrumentation B 3.3.7 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.7.4 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 UFSAR Table 14.1-1A and Unit 2 UFSAR Table 15.0-13.

2. NUREG-1431, "Standard Technical Specifications for Westinghouse Plants," Rev. 2, April 2001.

Beaver Valley Units 1 and 2 B 3.3.7 - 7 Revision 29

Boron Dilution Detection Instrumentation B 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 Boron Dilution Detection Instrumentation BASES BACKGROUND The purpose of the Boron Dilution Detection Instrumentation is to monitor core reactivity and provide indication of a boron dilution event in the Reactor Coolant System (RCS) when the reactor is in a shutdown condition (i.e., MODES 3, 4, and 5) with all rods fully inserted and the Rod Control System incapable of rod withdrawal.

The required Boron Dilution Detection Instrumentation consists of one of the two channels of OPERABLE source range instrumentation. The requirement for an OPERABLE source range channel ensures the capability to monitor core reactivity and detect a boron dilution event. In order to promptly detect a boron dilution event in MODE 3, the required source range instrumentation must provide both visual and audible (count rate) indication. The audible count rate helps to assure the prompt detection of an ongoing dilution event. In MODES 4 and 5, a boron dilution event is prevented by the requirements of LCO 3.1.8, "Unborated Water Source Isolation Valves." LCO 3.1.8 requires that unborated water source isolation valves be verified closed which precludes a dilution event (Ref. 1). Therefore, in MODES 4 and 5 the single channel of source range instrumentation required OPERABLE by this LCO is only used to monitor core reactivity and is required to provide visual indication only.

As the requirements of LCO 3.1.8 preclude a boron dilution event in MODES 4 and 5, the audible count rate is not required for prompt detection of an inadvertent boron dilution in these MODES.

For Unit 1, two spare source range detectors are installed (N-33 and N-34). These alternate detectors may be substituted for detectors (N-31 and N-32). For Unit 2, alternate detectors (i.e., Gamma-Metrics NE-52A and NE-52B) may also be used to meet the requirements of the LCO.

The alternate detectors must be capable of providing the required indication (described above) in order to be considered OPERABLE.

APPLICABLE The Boron Dilution Detection Instrumentation specifies the OPERABILITY SAFETY of instrumentation necessary to detect an inadvertent boron dilution event ANALYSES and monitor core reactivity.

The primary means of preventing an inadvertent boron dilution event during MODES 4 and 5 is the requirements of LCO 3.1.8. LCO 3.1.8 provides assurance the unborated water sources are maintained isolated to prevent dilution of the RCS (Ref. 1). In MODES 4 and 5, the requirement for an OPERABLE source range channel only serves to Beaver Valley Units 1 and 2 B 3.3.8 - 1 Revision 0

Boron Dilution Detection Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES (continued) ensure the capability to monitor changes in core reactivity is maintained available. In MODES 4 and 5, no specific safety analysis assumptions are associated with the capability to monitor core reactivity. However, the capability to directly monitor core reactivity with the source range instrumentation provides valuable assurance that the core continues to be maintained in a safe condition.

In MODE 3, the requirements of LCO 3.1.8 to maintain unborated water source valves isolated is not applicable. In addition, with all rods fully inserted and the Rod Control System is incapable of rod withdrawal, the trip functions of LCO 3.3.1, "Reactor Trip System" are not required OPERABLE. Therefore, in this plant condition, an OPERABLE source range channel that includes both visual and audible (count rate) indication is required to ensure prompt indication of an inadvertent boron dilution.

The prompt notification of a boron dilution event in progress (via an increasing audible count rate) allows time for operator action to stop the dilution prior to criticality.

The Boron Dilution Detection Instrumentation satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO LCO 3.3.8 specifies the OPERABILITY requirements for the instrumentation necessary to detect a boron dilution event and monitor core reactivity. In the applicable plant condition (all rods fully inserted and the Rod Control System incapable of rod withdrawal) the specified instrumentation only provides a core reactivity monitoring function and is not required to provide a reactor trip function. Therefore, in MODE 3, a single OPERABLE source range channel with both visual and audible (count rate) indication is required to provide prompt indication of an inadvertent boron dilution. In MODES 4 and 5, a single OPERABLE source range channel with visual indication is required to provide the necessary core reactivity monitoring function. In MODE 3 operation, with the Rod Control System capable of rod withdrawal, the requirements of LCO 3.3.1, "Reactor Trip System Instrumentation," are applicable and the requirements of LCO 3.3.8, including the audible count rate, are not applicable and no longer required to provide protection from an inadvertent boron dilution.

An alternate source range detector may be used to meet the requirements of the LCO as long as it is capable of providing the required indication(s) described above.

Beaver Valley Units 1 and 2 B 3.3.8 - 2 Revision 0

Boron Dilution Detection Instrumentation B 3.3.8 BASES APPLICABILITY The Boron Dilution Detection Instrumentation must be OPERABLE in MODES 3, 4, and 5 with all rods fully inserted and the Rod Control System not capable of rod withdrawal. The requirements of this LCO ensure the capability to detect an inadvertent boron dilution of the RCS in MODE 3 and provide a means for monitoring core reactivity in MODES 4 and 5.

In MODES 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted the nuclear instrumentation requirements of LCO 3.3.1, "Reactor Trip System Instrumentation," are applicable and specify that two source range channels must be OPERABLE with reactor trip capability. In addition, in MODE 3, operation with the Rod Control System capable of rod withdrawal is transitory in preparation for startup operations and manually controlled involving the close monitoring of core reactivity and dilution operations by the operating staff. Therefore, in MODE 3, with the Rod Control System capable of rod withdrawal, the requirements of LCO 3.3.8, including the audible count rate, are no longer applicable and not required to provide protection from an inadvertent boron dilution.

In MODES 4, 5, or 6 a dilution event is precluded by the requirements of LCO 3.1.8, " Unborated Water Source Isolation Valves" (Ref. 1).

Therefore, in MODES 4, 5, and 6, the required source range instrumentation provides an indication of core reactivity. LCO 3.9.2, "Nuclear Instrumentation" addresses the source range instrument requirements in MODE 6.

During MODE 1 operation, the source range instrumentation is normally de-energized. In MODE 1, the Overtemperature T Trip Function required OPERABLE in LCO 3.3.1, "Reactor Trip System," and the requirements of LCO 3.1.6, "Control Bank Insertion Limits" provide for the necessary protection from, and detection of, an inadvertent boron dilution event at power (Ref. 1).

In MODE 2, the RCS is intentionally diluted and the rods withdrawn in order to achieve criticality and power operation. Operation in MODE 2 is transitory and manually controlled involving the close monitoring of core reactivity and dilution operation by the operating staff. As such, an inadvertent dilution of the RCS in this mode of operation is unlikely.

However, in order to increase power during startup, the source range Trip Function required OPERABLE by LCO 3.3.1, must be manually blocked to prevent a reactor trip upon power escalation. If power escalation proceeds in an uncontrolled manner (due to inadvertent dilution) the Source Range Trip would not be blocked and would cause a reactor shutdown and provide protection and detection of an inadvertent dilution (Ref. 1).

Beaver Valley Units 1 and 2 B 3.3.8 - 3 Revision 0

Boron Dilution Detection Instrumentation B 3.3.8 BASES ACTIONS A.1 and A.2 With the required channel inoperable, the initial action is to suspend all operations involving positive reactivity additions immediately. This includes withdrawal of control or shutdown rods and intentional boron dilution. A Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is provided to restore the required channel to OPERABLE status.

As an alternate to restoring the required channel to OPERABLE status Required Action A.2.2.1 requires valves addressed in LCO 3.1.8, "Unborated Water Source Isolation Valves" to be closed to prevent the flow of unborated water into the RCS. Once it is recognized that the required channel is inoperable, the operators will be aware of the possibility of a boron dilution, and the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is adequate to complete the requirements of LCO 3.1.8.

Required Action A.2.2.2 accompanies Required Action A.2.2.1 to verify the SDM according to SR 3.1.1.1 within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter. This backup action is intended to confirm that no unintended boron dilution has occurred while the required channel was inoperable, and that the required SDM has been maintained. The specified Completion Time takes into consideration sufficient time for the initial determination of SDM and other information available in the control room related to SDM.

Required Action A.1 is modified by a Note which permits plant temperature changes provided the temperature change is accounted for in the calculated SDM. Introduction of temperature changes, including temperature increases when a positive MTC exists, must be evaluated to ensure they do not result in a loss of required SDM.

SURVEILLANCE The required channel is subject to a CHANNEL CHECK and a CHANNEL REQUIREMENTS CALIBRATION. The Surveillance Requirements of this LCO need not be performed on alternate detectors until connected and required OPERABLE in order to meet this LCO.

SR 3.3.8.1 Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two Beaver Valley Units 1 and 2 B 3.3.8 - 4 Revision 29

Boron Dilution Detection Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued) instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.2 SR 3.3.8.2 is the performance of a CHANNEL CALIBRATION.

CHANNEL CALIBRATION is a complete check of the instrument loop, except for the source range neutron detectors which are excluded from the CHANNEL CALIBRATION as stated in the Note that modifies the Surveillance. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation."

The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 UFSAR Section 14.1.4 and Unit 2 UFSAR Section 15.4.6.

Beaver Valley Units 1 and 2 B 3.3.8 - 5 Revision 29

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)

Limits BASES BACKGROUND These Bases address requirements for maintaining RCS pressure, temperature, and flow rate within limits assumed in the safety analyses.

The safety analyses (Ref. 1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the normal steady state envelope. The limits placed on RCS pressure, temperature, and flow rate ensure that the minimum departure from nucleate boiling ratio (DNBR) will be met for each of the transients analyzed.

The design method utilized to meet the DNB design criterion for the Robust Fuel Assemblies is the Revised Thermal Design Procedure (RTDP) with the WRB-2M DNB correlation. The design method utilized to meet the DNB design criterion for the VANTAGE 5H fuel assemblies is the RTDP with the WRB-1 DNB correlation. Uncertainties in plant operating parameters, nuclear and thermal parameters, fuel fabrication parameters, computer codes, and DNB correlation predictions are considered statistically to obtain DNB uncertainty factors in the RTDP methodology. RTDP design limit DNBR values are determined in order to meet the DNB design criterion based on the DNB uncertainty factors.

The RTDP design limit DNBR values are 1.22 for the typical and thimble cells for the Robust Fuel Assemblies, and 1.23 and 1.22 for the typical and thimble cells, respectively, for the VANTAGE 5H fuel assemblies.

Additional DNBR margin is maintained by performing the safety analyses to DNBR limits that are higher than the design limit DNBR values. This margin between the design and safety analysis limit DNBR values is used to offset known DNBR penalties (e.g., rod bow, instrumentation biases, etc.), and to provide DNBR margin for design and operating flexibility.

The Standard Thermal Design Procedure (STDP) is used for those analyses where RTDP is not applicable. The parameters used in these analyses are treated in a conservative way from a DNBR standpoint in the STDP methodology. The parameter uncertainties are applied directly to the safety analyses input values to give the lowest minimum DNBR.

The design DNBR limit for STDP is the 95/95 limit for the appropriate DNB correlation. Additional DNBR margin is maintained in the safety analyses to offset the applicable DNBR penalties.

Beaver Valley Units 1 and 2 B 3.4.1 - 1 Revision 0

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES BACKGROUND (continued)

The 95/95 DNBR correlation limit is 1.14 for the WRB-2M DNB correlation, and 1.17 for the WRB-1 and WRB-2 DNB correlations. The WRB -1, WRB-2, or W-3 DNB correlations are used where the WRB-2M DNB correlation is not applicable. The W-3 DNB correlation is used where the WRB-1 and WRB-2 DNB correlations are not applicable. The WRB-2M, WRB-1, and WRB-2 DNB correlations were developed based on mixing vane data, and therefore are only applicable in the heated rod spans above the first mixing vane grid. The W-3 DNB correlation, which does not take credit for mixing vane grids, is used to calculate the DNBR values in the heated region below the first mixing vane grid. The W-3 DNB correlation is applied in the analysis of accident conditions where the system pressure is below the range of the primary correlation. The W-3 DNBR correlation limit is 1.45 for system pressures in the range of 500 to 1,000 psia. The W-3 DNBR correlation limit is 1.30 for system pressures greater than 1,000 psia.

The WRB-1 and WRB-2M DNB correlations are associated with transients that could impact the reactor core safety limits. These correlations, along with the WRB-2 and W-3 DNB correlations, are used in support of the licensing basis transient analyses.

APPLICABLE The requirements of this LCO represent the initial conditions for DNB SAFETY limited transients analyzed in the plant safety analyses (Ref. 1). The ANALYSES safety analyses have shown that transients initiated from the limits of this LCO will result in meeting the applicable DNBR criteria. The applicable DNBR criteria provide the acceptance limits for the RCS DNB parameters. Changes to the unit that could impact these parameters must be assessed for their impact on the applicable DNBR criteria. Key transients analyzed for DNB concerns include loss of coolant flow events and dropped or stuck rod events. A key assumption in the analyses of these events is that the core power distribution is within the limits of LCO 3.1.6, "Control Bank Insertion Limits," LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."

The pressurizer pressure limit and RCS average temperature limit specified in the COLR correspond to the analytical limits used in the safety analyses, with allowance for measurement uncertainty. The analytical values include measurement uncertainties for the non-RTDP events. The measurement uncertainties are included in the DNBR limit for the RTDP events.

The RCS DNB parameters satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.4.1 - 2 Revision 0

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES LCO This LCO specifies limits on the monitored process variables - pressurizer pressure, RCS average temperature, and RCS total flow rate - to ensure the core operates within the limits assumed in the safety analyses. These variables are contained in the COLR to provide operating and analysis flexibility from cycle to cycle. However, the minimum RCS flow, based on maximum analyzed steam generator tube plugging, is retained in the TS LCO. The RCS flow value retained in the LCO is an analytical limit used in the safety analysis. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.

In order to verify the analytical RCS flow value specified in the LCO, the measured RCS total flow rate is adjusted for measurement error based on performing a precision heat balance and using the result to calibrate the RCS flow rate indicators.

The numerical values for pressure, temperature, and flow rate specified in the COLR are given for the measurement location and have been adjusted for instrument error.

APPLICABILITY In MODE 1, the limits on pressurizer pressure, RCS coolant average temperature, and RCS flow rate must be maintained during steady state operation in order to ensure DNBR criteria will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. In all other MODES, the power level is low enough that DNB is not a concern.

A Note has been added to indicate the limit on pressurizer pressure is not applicable during short term operational transients such as a THERMAL POWER ramp increase > 5% RTP per minute or a THERMAL POWER step increase > 10% RTP. These conditions represent short term perturbations where actions to control pressure variations might be counterproductive. Also, since they represent transients initiated from power levels < 100% RTP, an increased DNBR margin exists to offset the temporary pressure variations.

The DNBR limit is provided in SL 2.1.1, "Reactor Core SLs." The conditions which define the DNBR limit are less restrictive than the limits of this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator must check whether or not an SL may have been exceeded.

Beaver Valley Units 1 and 2 B 3.4.1 - 3 Revision 0

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES ACTIONS A.1 RCS pressure and RCS average temperature are controllable and measurable parameters. With one or both of these parameters not within LCO limits, action must be taken to restore parameter(s).

RCS total flow rate is not a controllable parameter and is not expected to vary during steady state operation. If the indicated RCS total flow rate is below the LCO limit, power must be reduced, as required by Required Action B.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time for restoration of the parameters provides sufficient time to adjust plant parameters, to determine the cause for the off normal condition, and to restore the readings within limits, and is based on plant operating experience.

B.1 If Required Action A.1 is not met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply.

To achieve this status, the plant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . In MODE 2, the reduced power condition eliminates the potential for violation of the accident analysis bounds. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable to reach the required plant conditions in an orderly manner.

SURVEILLANCE SR 3.4.1.1 REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.2 The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.3 The Surveillance for RCS total flow rate is performed using the installed flow instrumentation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.4.1 - 4 Revision 29

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.4.1.4 Measurement of RCS total flow rate by performance of a precision calorimetric heat balance allows the installed RCS flow instrumentation to be calibrated and verifies the actual RCS flow rate is greater than or equal to the minimum required RCS flow rate.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that allows entry into MODE 1, without having performed the SR, and placement of the unit in the best condition for performing the SR. The Note states that the SR is not required to be performed until 7 days after 95% RTP. This exception is appropriate since the heat balance requires the plant to be close to 100% RTP to obtain the required RCS flow accuracies. The Surveillance shall be performed within 7 days after reaching 95% RTP.

REFERENCES 1. UFSAR, Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.4.1 - 5 Revision 29

RCS Minimum Temperature for Criticality B 3.4.2 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.2 RCS Minimum Temperature for Criticality BASES BACKGROUND This LCO is based upon meeting several major considerations before the reactor can be made critical and while the reactor is critical.

The first consideration is moderator temperature coefficient (MTC),

LCO 3.1.3, "Moderator Temperature Coefficient (MTC)." In the transient and accident analyses, the MTC is assumed to be in a range from slightly positive to negative and the operating temperature is assumed to be within the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the plant is operated consistent with these assumptions.

The second consideration is the protective instrumentation. Because certain protective instrumentation (e.g., excore neutron detectors) can be affected by moderator temperature, a temperature value within the nominal operating envelope is chosen to ensure proper indication and response while the reactor is critical.

The third consideration is the pressurizer operating characteristics. The transient and accident analyses assume that the pressurizer is within its normal startup and operating range (i.e., saturated conditions and steam bubble present). It is also assumed that the RCS temperature is within its normal expected range for startup and power operation. Since the density of the water, and hence the response of the pressurizer to transients, depends upon the initial temperature of the moderator, a minimum value for moderator temperature within the nominal operating envelope is chosen.

The fourth consideration is that the reactor vessel is above its minimum nil ductility reference temperature when the reactor is critical.

APPLICABLE The RCS minimum temperature for criticality is not itself an initial SAFETY condition assumed in Design Basis Accidents (DBAs). However, the ANALYSES closely aligned temperature for hot zero power (HZP) is a process variable that is an initial condition of DBAs. DBAs that assume the HZP temperature as an initial condition include the rod cluster control assembly (RCCA) withdrawal from subcritical, RCCA ejection, and main steam line break. Each of these events assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

Beaver Valley Units 1 and 2 B 3.4.2 - 1 Revision 0

RCS Minimum Temperature for Criticality B 3.4.2 BASES APPLICABLE SAFETY ANALYSES (continued)

All low power safety analyses assume initial RCS loop temperatures the HZP temperature of 547°F (Ref. 1). The minimum temperature for criticality limitation provides a small band, 6°F, for critical operation below HZP. This band allows critical operation below HZP during plant startup and does not adversely affect any safety analyses since the MTC is not significantly affected by the small temperature difference between HZP and the minimum temperature for criticality.

The RCS minimum temperature for criticality satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO Compliance with the LCO ensures that the reactor will not be made or maintained critical (keff 1.0) at a temperature less than a small band below the HZP temperature, which is assumed in the safety analysis. Failure to meet the requirements of this LCO may produce initial conditions inconsistent with the initial conditions assumed in the safety analysis.

APPLICABILITY In MODE 1 and MODE 2 with keff 1.0, LCO 3.4.2 is applicable since the reactor can only be critical (keff 1.0) in these MODES.

The special test exception of LCO 3.1.9, "PHYSICS TESTS Exceptions -

MODE 2," permits PHYSICS TESTS to be performed at 5% RTP with RCS loop average temperatures slightly lower than normally allowed so that fundamental nuclear characteristics of the core can be verified. In order for nuclear characteristics to be accurately measured, it may be necessary to operate outside the normal restrictions of this LCO. For example, to measure the MTC at beginning of cycle, it is necessary to allow RCS loop average temperatures to fall below Tno load, which may cause RCS loop average temperatures to fall below the temperature limit of this LCO.

ACTIONS A.1 If the parameters that are outside the limit cannot be restored, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 2 with Keff < 1.0 within 30 minutes. Rapid reactor shutdown can be readily and practically achieved within a 30 minute period. The allowed time is reasonable, based on operating experience, to reach MODE 2 with Keff < 1.0 in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.4.2 - 2 Revision 0

RCS Minimum Temperature for Criticality B 3.4.2 BASES SURVEILLANCE SR 3.4.2.1 REQUIREMENTS RCS loop average temperature is required to be verified at or above 541°F. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, operators are trained to be sensitive to RCS temperature during approach to criticality and will ensure that the minimum temperature for criticality is met as criticality is approached.

REFERENCES 1. UFSAR Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.4.2 - 3 Revision 29

RCS P/T Limits B 3.4.3 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.3 RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.

The PTLR contains P/T limit curves for heatup, cooldown, inservice leak and hydrostatic (ISLH) testing, and data for the maximum rate of change of reactor coolant temperature (Ref. 1).

Each P/T limit curve defines an acceptable region for normal operation.

The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to the pressurizer, which has different design characteristics and operating functions.

10 CFR 50, Appendix G (Ref. 2), requires the establishment of P/T limits for specific material fracture toughness requirements of the RCPB materials. Reference 2 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME) Code,Section XI, Appendix G (Ref. 3).

The neutron embrittlement effect on the material toughness is reflected by increasing the nil ductility reference temperature (RTNDT) as exposure to neutron fluence increases.

The actual shift in the RTNDT of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 4) and Appendix H of 10 CFR 50 (Ref. 5). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Regulatory Guide 1.99 (Ref. 6).

Beaver Valley Units 1 and 2 B 3.4.3 - 1 Revision 0

RCS P/T Limits B 3.4.3 BASES BACKGROUND (continued)

The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.

The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls.

The criticality limit curve includes the Reference 2 requirement that it be 40°F above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for ISLH testing. However, the criticality curve is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for Criticality."

The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.

The ASME Code,Section XI, Appendix E (Ref. 7), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.

APPLICABLE The P/T limits are not derived from Design Basis Accident (DBA)

SAFETY analyses. They are prescribed during normal operation to avoid ANALYSES encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. The methodology for determining the P/T limits is identified in Reference 1.

Although the P/T limits are not derived from any DBA, the P/T limits are acceptance limits since they preclude operation in an unanalyzed condition.

RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.4.3 - 2 Revision 0

RCS P/T Limits B 3.4.3 BASES LCO The two elements of this LCO are:

a. The limit curves for heatup, cooldown, and ISLH testing and

b. Limits on the rate of change of temperature.

The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.

The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and ISLH testing P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.

Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follow:

a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature,

b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced), and

c. The existences, sizes, and orientations of flaws in the vessel material.

APPLICABILITY The RCS P/T limits LCO provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 2). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or ISLH testing, their Applicability is at all times in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.

During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits," LCO 3.4.2, "RCS Minimum Temperature for Criticality," and Safety Limit 2.1, "Safety Limits," also provide operational restrictions for pressure and temperature and maximum pressure. Furthermore, MODES 1 and 2 are above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.

Beaver Valley Units 1 and 2 B 3.4.3 - 3 Revision 0

RCS P/T Limits B 3.4.3 BASES ACTIONS A.1 and A.2 Operation outside the P/T limits during MODE 1, 2, 3, or 4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.

The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.

ASME Code,Section XI, Appendix E (Ref. 7), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable to accomplish the evaluation.

The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate.

Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the plant must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. In reduced pressure and temperature conditions, the possibility of propagation with undetected flaws is decreased.

Beaver Valley Units 1 and 2 B 3.4.3 - 4 Revision 0

RCS P/T Limits B 3.4.3 BASES ACTIONS (continued)

If the required restoration activity cannot be accomplished within 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.

If the required evaluation for continued operation cannot be accomplished within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Action B.1 and Required Action B.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions.

Pressure and temperature are reduced by bringing the plant to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 with RCS pressure < 500 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than when in MODE 1, 2, 3, or 4, so that the RCPB is returned to a condition that has been verified by stress analysis.

The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 4. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, or inspection of the components.

ASME Code,Section XI, Appendix E (Ref. 7), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

Beaver Valley Units 1 and 2 B 3.4.3 - 5 Revision 0

RCS P/T Limits B 3.4.3 BASES SURVEILLANCE SR 3.4.3.1 REQUIREMENTS Verification that operation is within the PTLR limits is required when RCS pressure and temperature conditions are undergoing planned changes.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.

This SR is modified by a Note that only requires this SR to be performed during system heatup, cooldown, and ISLH testing. No SR is given for criticality operations because LCO 3.4.2 contains a more restrictive requirement.

REFERENCES 1. Pressure and Temperature Limits Report (PTLR).

2. 10 CFR 50, Appendix G.

3. ASME, Boiler and Pressure Vessel Code,Section XI, Appendix G.

4. ASTM E 185-82, July 1982.

5. 10 CFR 50, Appendix H.

6. Regulatory Guide 1.99, Revision 2, May 1988.

7. ASME, Boiler and Pressure Vessel Code,Section XI, Appendix E.

Beaver Valley Units 1 and 2 B 3.4.3 - 6 Revision 29

RCS Loops - MODES 1 and 2 B 3.4.4 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.4 RCS Loops - MODES 1 and 2 BASES BACKGROUND The primary function of the RCS is removal of the heat generated in the fuel due to the fission process, and transfer of this heat, via the steam generators (SGs), to the secondary plant.

The secondary functions of the RCS include:

a. Moderating the neutron energy level to the thermal state, to increase the probability of fission,

b. Improving the neutron economy by acting as a reflector,

c. Carrying the soluble neutron poison, boric acid,

d. Providing a second barrier against fission product release to the environment, and

e. Removing the heat generated in the fuel due to fission product decay following a unit shutdown.

The reactor coolant is circulated through three loops connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow and temperature instrumentation for both control and protection. The reactor vessel contains the clad fuel. The SGs provide the heat sink to the isolated secondary coolant. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage. This forced circulation of the reactor coolant ensures mixing of the coolant for proper boration and chemistry control.

APPLICABLE Safety analyses contain various assumptions for the design bases SAFETY accident initial conditions including RCS pressure, RCS temperature, ANALYSES reactor power level, core parameters, and safety system setpoints. The important aspect for this LCO is the reactor coolant forced flow rate, which is represented by the number of RCS loops in service.

All of the safety analyses performed at full rated thermal power assume that all three RCS loops are in operation as an initial condition (Ref. 1).

Some safety analyses have been performed at zero power conditions assuming only two RCS loops are in operation to conservatively bound lower MODES of operation. The events which assume that two RCPs are in operation are the uncontrolled RCCA (Bank) withdrawal from Beaver Valley Units 1 and 2 B 3.4.4 - 1 Revision 0

RCS Loops - MODES 1 and 2 B 3.4.4 BASES APPLICABLE SAFETY ANALYSES (continued) subcritical, and the zero power rod ejection events. While all safety analyses performed at full rated thermal power assume that all RCS loops are in operation, certain events examine the effects resulting from the loss of an RCS loop. These events include the partial loss of forced RCS flow and the RCP rotor seizure/shaft break. It is demonstrated that all applicable acceptance criteria are met for each of these events. The remaining safety analyses assume operation of all three RCS loops during the event, up to the time of reactor trip, to ensure that all applicable acceptance criteria are met. The events analyzed beyond the time of reactor trip were examined assuming that a loss of offsite power occurs, which results in the coastdown of the RCPs.

Plant operation with all RCS loops in operation in MODES 1 and 2 ensures adequate heat transfer between the reactor coolant and the fuel cladding.

RCS Loops - MODES 1 and 2 satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The purpose of this LCO is to require an adequate forced flow rate for core heat removal. Flow is represented by the number of RCPs in operation for removal of heat by the SGs. To meet safety analysis acceptance criteria for DNB, three pumps are required at rated power.

An OPERABLE RCS loop consists of an OPERABLE RCP in operation providing forced flow for heat transport and an OPERABLE SG.

APPLICABILITY In MODES 1 and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in operation in these MODES to prevent DNB and core damage.

In MODES 3, 4, and 5, the decay heat production rate is much lower than the full power heat rate. As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical MODES as indicated by the LCOs for MODES 3, 4, and 5.

Operation in other MODES is covered by:

LCO 3.4.5, "RCS Loops - MODE 3,"

LCO 3.4.6, "RCS Loops - MODE 4,"

LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled,"

LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled,"

Beaver Valley Units 1 and 2 B 3.4.4 - 2 Revision 0

RCS Loops - MODES 1 and 2 B 3.4.4 BASES APPLICABILITY (continued)

LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation -

High Water Level" (MODE 6), and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation -

Low Water Level" (MODE 6).

ACTIONS A.1 If the requirements of the LCO are not met, the Required Action is to reduce power and bring the plant to MODE 3. The reactor shutdown reduces the core heat removal needs and minimizes the possibility of violating DNB limits.

The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging safety systems.

SURVEILLANCE SR 3.4.4.1 REQUIREMENTS This SR requires verification that each RCS loop is in operation.

Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal while maintaining the margin to DNB. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.4.4 - 3 Revision 29

RCS Loops - MODE 3 B 3.4.5 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.5 RCS Loops - MODE 3 BASES BACKGROUND In MODE 3, the primary function of the reactor coolant is removal of decay heat and transfer of this heat, via the steam generator (SG), to the secondary plant fluid. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through three RCS loops, connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protection, and indication. The reactor vessel contains the clad fuel. The SGs provide the heat sink. The RCPs circulate the water through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage.

In MODE 3, RCPs are used to provide forced circulation for heat removal during heatup and cooldown. The MODE 3 decay heat removal requirements are low enough that a single RCS loop with one RCP running is sufficient to remove core decay heat. However, one additional RCS loop is required to be OPERABLE to ensure redundant capability for decay heat removal.

APPLICABLE Whenever the reactor trip breakers (RTBs) are in the closed position and SAFETY the control rod drive mechanisms (CRDMs) are energized and the Rod ANALYSES Control System is capable of withdrawing rods, an inadvertent rod withdrawal from subcritical, resulting in a power excursion, is possible.

Such a transient could be caused by a malfunction of the rod control system. In addition, the possibility of a power excursion due to the ejection of an inserted control rod is possible with the breakers closed or open. Such a transient could be caused by the mechanical failure of a CRDM.

Therefore, in MODE 3 with the Rod Control System capable of rod withdrawal, accidental control rod withdrawal from subcritical is postulated and requires at least two RCS loops to be OPERABLE and in operation to ensure that the accident analyses limits are met. For those conditions when the Rod Control System is not capable of rod withdrawal, two RCS loops are required to be OPERABLE, but only one RCS loop is required to be in operation to be consistent with MODE 3 accident analyses.

Beaver Valley Units 1 and 2 B 3.4.5 - 1 Revision 0

RCS Loops - MODE 3 B 3.4.5 BASES APPLICABLE SAFETY ANALYSES (continued)

Failure to provide decay heat removal may result in challenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

RCS Loops - MODE 3 satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The purpose of this LCO is to require that at least two RCS loops be OPERABLE. In MODE 3 with the Rod Control System capable of rod withdrawal, two RCS loops must be in operation. Two RCS loops are required to be in operation in MODE 3 with the Rod Control System capable of rod withdrawal due to the postulation of a power excursion because of an inadvertent control rod withdrawal. The required number of RCS loops in operation ensures that the Safety Limit criteria will be met for all of the postulated accidents.

When the Rod Control System is not capable of rod withdrawal, only one RCS loop in operation is necessary to ensure removal of decay heat from the core and homogenous boron concentration throughout the RCS. An additional RCS loop is required to be OPERABLE to ensure that a redundant RCS loop is available for decay heat removal.

The Note permits all RCPs to be removed from operation for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. The purpose of the Note is to perform tests that are designed to validate various accident analyses values. One of these tests is validation of the pump coastdown curve. Pump coastdown is modeled in a number of accident analyses, including a loss of flow accident. This test is generally performed in MODE 3 during the initial startup testing program, and as such should only be performed once. If, however, changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values of the coastdown curve must be revalidated by conducting the test again. Another test performed during the startup testing program is the validation of rod drop times during cold conditions, both with and without flow.

The no flow test may be performed in MODE 3, 4, or 5 and requires that the pumps be stopped for a short period of time. The Note permits the stopping of the pumps in order to perform this test and validate the assumed analysis values. As with the validation of the pump coastdown curve, this test should be performed only once unless the flow characteristics of the RCS are changed. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months time period specified is adequate to perform the desired tests, and operating experience has shown that boron stratification is not a problem during this short period with no forced flow.

Beaver Valley Units 1 and 2 B 3.4.5 - 2 Revision 0

RCS Loops - MODE 3 B 3.4.5 BASES LCO (continued)

Utilization of the Note is permitted provided the following conditions are met, along with any other conditions imposed by initial startup test procedures:

a. No operations are permitted that would dilute the RCS boron concentration with coolant at boron concentrations less than required to assure the SDM of LCO 3.1.1, thereby maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation and

b. Core outlet temperature is maintained at least 10°F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

An OPERABLE RCS loop consists of one OPERABLE RCP and one OPERABLE SG, which has the minimum water level specified in SR 3.4.5.2. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.

APPLICABILITY In MODE 3, this LCO ensures forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing.

The most stringent condition of the LCO, that is, two RCS loops OPERABLE and two RCS loops in operation, applies to MODE 3 with the Rod Control System capable of rod withdrawal. The least stringent condition, that is, two RCS loops OPERABLE and one RCS loop in operation, applies to MODE 3 with the Rod Control System not capable of rod withdrawal.

Operation in other MODES is covered by:

LCO 3.1.10, "RCS Boron Limitations < 500°F,"

LCO 3.4.4, "RCS Loops - MODES 1 and 2,"

LCO 3.4.6, "RCS Loops - MODE 4,"

LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled,"

LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled,"

LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation -

High Water Level" (MODE 6), and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation -

Low Water Level" (MODE 6).

Beaver Valley Units 1 and 2 B 3.4.5 - 3 Revision 0

RCS Loops - MODE 3 B 3.4.5 BASES ACTIONS A.1 If one required RCS loop is inoperable, redundancy for heat removal is lost. The Required Action is restoration of the required RCS loop to OPERABLE status within the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This time allowance is a justified period to be without the redundant, nonoperating loop because a single loop in operation has a heat transfer capability greater than that needed to remove the decay heat produced in the reactor core and because of the low probability of a failure in the remaining loop occurring during this period.

B.1 If restoration for Required Action A.1 is not possible within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , the unit must be brought to MODE 4. In MODE 4, the unit may be placed on the Residual Heat Removal System. The additional Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is compatible with required operations to achieve cooldown and depressurization from the existing plant conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 If one required RCS loop is not in operation, and the Rod Control System is capable of rod withdrawal, the Required Action is either to restore the required RCS loop to operation or to place the Rod Control System in a condition incapable of rod withdrawal (e.g., de-energize all CRDMs by opening the RTBs or de-energizing the motor generator (MG) sets or by opening all of the individual rod lift coil disconnect switches). When the Rod Control System is capable of rod withdrawal, it is postulated that a power excursion could occur in the event of an inadvertent control rod withdrawal. This mandates having the heat transfer capacity of two RCS loops in operation. If only one loop is in operation, the Rod Control System must be rendered incapable of rod withdrawal. The Completion Times of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , to restore the required RCS loop to operation or defeat the Rod Control System is adequate to perform these operations in an orderly manner without exposing the unit to risk for an undue time period.

D.1, D.2, and D.3 If two required RCS loops are inoperable or no RCS loop is in operation, except during conditions permitted by the Note in the LCO section, the Rod Control System must be placed in a condition incapable of rod withdrawal (e.g., all CRDMs must be de-energized by opening the RTBs or de-energizing the MG sets or by opening all of the individual rod lift coil disconnect switches). All operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM Beaver Valley Units 1 and 2 B 3.4.5 - 4 Revision 0

RCS Loops - MODE 3 B 3.4.5 BASES ACTIONS (continued) of LCO 3.1.1 must be suspended, and action to restore one of the RCS loops to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing, and opening the RTBs or de-energizing the MG sets or by opening all of the individual rod lift coil disconnect switches removes the possibility of an inadvertent rod withdrawal.

Suspending the introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.

SURVEILLANCE SR 3.4.5.1 REQUIREMENTS This SR requires verification that the required loops are in operation.

Verification includes flow rate, temperature, and pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.5.2 SR 3.4.5.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side narrow range water level is 28% (Unit 1) or 15.5% (Unit 2) for required RCS loops. If the SG secondary side narrow range water level is not within the required limit, the tubes may become uncovered and the associated loop may not be capable of providing the heat sink for removal of the decay heat. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.5.3 Verification that each required RCP is OPERABLE ensures that safety analyses limits are met. The requirement also ensures that an additional RCP can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to each required RCP not in operation. Alternatively, verification that a pump is in operation also verifies proper breaker alignment and power availability.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.4.5 - 5 Revision 29

RCS Loops - MODE 3 B 3.4.5 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

REFERENCES None.

Beaver Valley Units 1 and 2 B 3.4.5 - 6 Revision 0

RCS Loops - MODE 4 B 3.4.6 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.6 RCS Loops - MODE 4 BASES BACKGROUND In MODE 4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam generator (SG) secondary side coolant or the component cooling water via the residual heat removal (RHR) heat exchangers. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through three RCS loops connected in parallel to the reactor vessel, each loop containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protection, and indication. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and to prevent boric acid stratification.

In MODE 4, either RCPs or RHR loops can be used to provide forced circulation. The intent of this LCO is to provide forced flow from at least one RCP or one RHR loop for decay heat removal and transport. The flow provided by one RCP loop or RHR loop is adequate for decay heat removal. The other intent of this LCO is to require that two paths be available to provide redundancy for decay heat removal.

APPLICABLE In MODE 4, RCS circulation is required for decay heat removal. The SAFETY RCS and RHR loops provide this circulation.

ANALYSES RCS Loops - MODE 4 satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO The purpose of this LCO is to require that at least two loops be OPERABLE in MODE 4 and that one of these loops be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS loops and RHR loops. Any one loop in operation provides enough flow to remove the decay heat from the core with forced circulation. An additional loop is required to be OPERABLE to provide redundancy for heat removal.

Note 1 permits all RCPs or RHR pumps to be removed from operation for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. The purpose of the Note is to permit pump swapping or tests such as those designed to validate various accident analyses values or confirm equipment operability. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months time period is adequate to perform pump swaps and most tests that may be necessary in MODE 4, and operating experience has shown that boron stratification is not a problem during this short period with no forced flow.

Beaver Valley Units 1 and 2 B 3.4.6 - 1 Revision 0

RCS Loops - MODE 4 B 3.4.6 BASES LCO (continued)

Utilization of Note 1 is permitted provided the following conditions are met along with any other conditions imposed by the test procedures:

a. No operations are permitted that would dilute the RCS boron concentration with coolant with boron concentrations less than required to meet SDM of LCO 3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation and

b. Core outlet temperature is maintained at least 10°F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

Note 2 requires that the secondary side water temperature of each non-isolated SG be < 50°F above each of the non-isolated RCS cold leg temperatures before the start of the first RCP with any non-isolated RCS cold leg temperature the enable temperature specified in the PTLR.

This restraint is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started.

An OPERABLE RCS loop comprises an OPERABLE RCP and an OPERABLE SG, which has the minimum water level specified in SR 3.4.6.2.

Similarly for the RHR System, an OPERABLE RHR loop comprises an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger. RCPs and RHR pumps are OPERABLE if they are capable of being powered and are able to provide forced flow if required.

APPLICABILITY In MODE 4, this LCO ensures forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing.

One loop of either RCS or RHR provides sufficient circulation for these purposes. However, two loops consisting of any combination of RCS and RHR loops are required to be OPERABLE to meet single failure considerations.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops - MODES 1 and 2,"

LCO 3.4.5, "RCS Loops - MODE 3,"

LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled,"

Beaver Valley Units 1 and 2 B 3.4.6 - 2 Revision 0

RCS Loops - MODE 4 B 3.4.6 BASES APPLICABILITY (continued)

LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled,"

LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation -

High Water Level" (MODE 6), and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation -

Low Water Level" (MODE 6).

ACTIONS A.1 If one required loop is inoperable, redundancy for heat removal is lost.

Action must be initiated to restore a second RCS or RHR loop to OPERABLE status. The immediate Completion Time reflects the importance of maintaining the availability of two loops for heat removal.

A.2 If restoration is not accomplished and an RHR loop is OPERABLE, the unit must be brought to MODE 5 within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Bringing the unit to MODE 5 is a conservative action with regard to decay heat removal. With only one RHR loop OPERABLE, redundancy for decay heat removal is lost and, in the event of a loss of the remaining RHR loop, it would be safer to initiate that loss from MODE 5 rather than MODE 4. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is a reasonable time, based on operating experience, to reach MODE 5 from MODE 4 in an orderly manner and without challenging plant systems.

This Required Action is modified by a Note which indicates that the unit must be placed in MODE 5 only if a RHR loop is OPERABLE. With no RHR loop OPERABLE, the unit is in a condition with only limited cooldown capabilities. Therefore, the actions are to be concentrated on the restoration of a RHR loop, rather than a cooldown of extended duration.

B.1 and B.2 If two required loops are inoperable or a required loop is not in operation, except during conditions permitted by Note 1 in the LCO section, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action to restore one RCS or RHR loop to OPERABLE status and operation must be initiated. The required margin to criticality must not be reduced in this type of operation. Suspending the introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable Beaver Valley Units 1 and 2 B 3.4.6 - 3 Revision 0

RCS Loops - MODE 4 B 3.4.6 BASES ACTIONS (continued) margin to subcritical operations. The immediate Completion Times reflect the importance of maintaining operation for decay heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.

SURVEILLANCE SR 3.4.6.1 REQUIREMENTS This SR requires verification that the required RCS or RHR loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.6.2 SR 3.4.6.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side narrow range water level is 28% (Unit 1) or 15.5% (Unit 2). If the SG secondary side narrow range water level is less than the required limit, the tubes may become uncovered and the associated loop may not be capable of providing the heat sink necessary for removal of decay heat. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.6.3 Verification that each required pump is OPERABLE ensures that an additional RCS or RHR pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to each required pump not in operation. Alternatively, verification that a pump is in operation also verifies proper breaker alignment and power availability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

REFERENCES None.

Beaver Valley Units 1 and 2 B 3.4.6 - 4 Revision 29

RCS Loops - MODE 5, Loops Filled B 3.4.7 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.7 RCS Loops - MODE 5, Loops Filled BASES BACKGROUND In MODE 5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer this heat either to the steam generator (SG) secondary side coolant via natural circulation (Ref. 1) or the component cooling water via the residual heat removal (RHR) heat exchangers. While the principal means for decay heat removal is via the RHR System, the SGs via natural circulation (Ref. 1) are specified as a backup means for redundancy. Even though the SGs cannot produce steam in this MODE, they are capable of being a heat sink due to their large contained volume of secondary water. As long as the SG secondary side water is at a lower temperature than the reactor coolant, heat transfer will occur. The rate of heat transfer is directly proportional to the temperature difference. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

In MODE 5 with RCS loops filled, the reactor coolant is circulated by means of two RHR loops connected to the RCS, each loop containing an RHR heat exchanger, an RHR pump, and appropriate flow and temperature instrumentation for control and indication. One RHR pump circulates the water through the RCS at a sufficient rate to prevent boric acid stratification.

The number of loops in operation can vary to suit the operational needs.

The intent of this LCO is to provide forced flow from at least one RHR loop for decay heat removal and transport. The flow provided by one RHR loop is adequate for decay heat removal. The other intent of this LCO is to require that a second path be available to provide redundancy for heat removal.

The LCO provides for redundant paths of decay heat removal capability.

The first path can be an RHR loop that must be OPERABLE and in operation. The second path can be another OPERABLE RHR loop or maintaining at least one unisolated SG with a secondary side water level of 28% for Unit 1 or 15.5% for Unit 2 to provide an alternate method for decay heat removal via natural circulation (Ref.1).

APPLICABLE In MODE 5, RCS circulation is required for decay heat removal. The SAFETY RHR loops provide this circulation.

ANALYSES RCS Loops - MODE 5 (Loops Filled) satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.4.7 - 1 Revision 0

RCS Loops - MODE 5, Loops Filled B 3.4.7 BASES LCO The purpose of this LCO is to require that at least one of the RHR loops be OPERABLE and in operation with an additional RHR loop OPERABLE or one unisolated SG with a narrow range secondary side water level 28% for Unit 1 or 15.5% for Unit 2. One RHR loop provides sufficient forced circulation to perform the safety functions of the reactor coolant under these conditions. An additional RHR loop is required to be OPERABLE to meet single failure considerations. However, if the standby RHR loop is not OPERABLE, an acceptable alternate method is one unisolated SG with a narrow range secondary side water level 28%

for Unit 1 or 15.5% for Unit 2. Should the operating RHR loop fail, the SG could be used to remove the decay heat via natural circulation.

Implicit in the provision of this LCO that allows the reliance on a SG for natural circulation are the requirements for an adequate secondary side makeup water supply to maintain the SG level, an adequate steam relief capability to remove decay heat, and for the capability to control RCS pressure to assure the RCS remains pressurized and subcooled during natural circulation. These additional requirements for natural circulation are consistent with the generic recommendations of Reference 1 and the more detailed BVPS Unit 1 and Unit 2 specific recommendations of Reference 2.

Note 1 permits all RHR pumps to be removed from operation 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. The purpose of the Note is to permit pump swapping or tests such as those designed to validate various accident analyses values or confirm equipment operability. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months time period is adequate to perform pump swaps and most tests that may be necessary in MODE 5, and operating experience has shown that boron stratification is not likely during this short period with no forced flow.

Utilization of Note 1 is permitted provided the following conditions are met, along with any other conditions imposed by the test procedures:

a. No operations are permitted that would dilute the RCS boron concentration with coolant with boron concentrations less than required to meet SDM of LCO 3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation, and

b. Core outlet temperature is maintained at least 10°F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

Note 2 allows one RHR loop to be inoperable for a period of up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , provided that the other RHR loop is OPERABLE and in operation. This permits periodic surveillance tests to be performed when Beaver Valley Units 1 and 2 B 3.4.7 - 2 Revision 0

RCS Loops - MODE 5, Loops Filled B 3.4.7 BASES LCO (continued) the testing results in the required RHR loop being rendered inoperable.

The remaining OPERABLE RHR loop is adequate to provide the required cooling during the time allowed by Note 2.

Note 3 requires that the secondary side water temperature of each non-isolated SG be < 50°F above each of the non-isolated RCS cold leg temperatures before the start of the first reactor coolant pump (RCP) with a non-isolated RCS cold leg temperature the enable temperature specified in the PTLR. This restriction is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started.

Note 4 provides for an orderly transition from MODE 5 to MODE 4 during a planned heatup by permitting removal of RHR loops from operation when at least one RCS loop is in operation. This Note provides for the transition to MODE 4 where an RCS loop is permitted to be in operation and replaces the RCS circulation function provided by the RHR loops. By permitting the removal of the RHR loops from operation this Note also eliminates the LCO requirement for an RCS loop to provide cooling via natural circulation.

RHR pumps are OPERABLE if they are capable of being powered and are able to provide flow if required. A SG can perform as a heat sink via natural circulation when it has an adequate water level and is OPERABLE.

APPLICABILITY In MODE 5 with at least one RCS loop unisolated and filled, this LCO requires forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing. One loop of RHR provides sufficient circulation for these purposes. However, one additional RHR loop is required to be OPERABLE, or the secondary side water level of at least one unisolated SG is required to be 28% for Unit 1 or 15.5% for Unit 2.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops - MODES 1 and 2;"

LCO 3.4.5, "RCS Loops - MODE 3;"

LCO 3.4.6, "RCS Loops - MODE 4;"

LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled;"

LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation -

High Water Level" (MODE 6), and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation -

Low Water Level" (MODE 6).

Beaver Valley Units 1 and 2 B 3.4.7 - 3 Revision 0

RCS Loops - MODE 5, Loops Filled B 3.4.7 BASES ACTIONS A.1, A.2, B.1 and B.2 If one RHR loop is OPERABLE and either the required SG has a secondary side water level that is not within the required limit, or one required RHR loop is inoperable, redundancy for heat removal is lost.

Action must be initiated immediately to restore a second RHR loop to OPERABLE status or to restore the required SG secondary side water level. Either Required Action will restore redundant heat removal loops.

The immediate Completion Time reflects the importance of maintaining the availability of two paths for heat removal.

C.1 and C.2 If a required RHR loop is not in operation, except during conditions permitted by Notes 1 and 4, or if no required loop is OPERABLE, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action to restore one RHR loop to OPERABLE status and operation must be initiated. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Times reflect the importance of maintaining operation for heat removal.

SURVEILLANCE SR 3.4.7.1 REQUIREMENTS This SR requires verification that the required loop is in operation.

Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.7.2 Verifying that at least one unisolated SG is OPERABLE by ensuring the secondary side narrow range water level is 28% for Unit 1 or 15.5%

for Unit 2 ensures an alternate decay heat removal method via natural circulation in the event that the second RHR loop is not OPERABLE. If both RHR loops are OPERABLE, this Surveillance is not needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.4.7 - 4 Revision 29

RCS Loops - MODE 5, Loops Filled B 3.4.7 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.4.7.3 Verification that each required RHR pump is OPERABLE ensures that an additional pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to each required RHR pump not in operation. Alternatively, verification that a pump is in operation also verifies proper breaker alignment and power availability. If secondary side water level is 28% for Unit 1 or 15.5% for Unit 2 in at least one unisolated SG, this Surveillance is not needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

REFERENCES 1. NRC Information Notice 95-35, "Degraded Ability of Steam Generators to Remove Decay Heat by Natural Circulation."

2. Westinghouse Letter # FENOC-04-228, "Beaver Valley Units 1 and 2 Mode 5, Loops Filled Natural Circulation Cooling Assessment,"

dated January 31, 2005.

Beaver Valley Units 1 and 2 B 3.4.7 - 5 Revision 29

RCS Loops - MODE 5, Loops Not Filled B 3.4.8 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 RCS Loops - MODE 5, Loops Not Filled BASES BACKGROUND In MODE 5 with the RCS loops not filled or isolated, the primary function of the reactor coolant is the removal of decay heat generated in the fuel, and the transfer of this heat to the component cooling water via the residual heat removal (RHR) heat exchangers. The steam generators (SGs) are not available as a heat sink when the loops are not filled or isolated. The secondary function of the reactor coolant is to act as a carrier for the soluble neutron poison, boric acid.

In MODE 5 with loops not filled or isolated, only RHR pumps can be used for coolant circulation. The number of pumps in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least one RHR pump for decay heat removal and transport and to require that two loops be available to provide redundancy for heat removal.

APPLICABLE In MODE 5, RCS circulation is required for decay heat removal. The SAFETY RHR loops provide this circulation. The flow provided by one RHR loop ANALYSES is adequate for heat removal and for boron mixing.

RCS loops in MODE 5 (loops not filled) satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO The purpose of this LCO is to require that at least two RHR loops be OPERABLE and one of these loops be in operation. An OPERABLE loop is one that has the capability of transferring heat from the reactor coolant at a controlled rate. Heat cannot be removed via the RHR System unless forced flow is used. A minimum of one running RHR pump meets the LCO requirement for one loop in operation. An additional RHR loop is required to be OPERABLE to meet single failure considerations.

Note 1 permits all RHR pumps to be removed from operation for 15 minutes when switching from one loop to another. The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and core outlet temperature is maintained > 10°F below saturation temperature. The Note prohibits boron dilution with coolant at boron concentrations less than required to assure SDM of LCO 3.1.1 is maintained or draining operations when RHR forced flow is stopped.

Beaver Valley Units 1 and 2 B 3.4.8 - 1 Revision 0

RCS Loops - MODE 5, Loops Not Filled B 3.4.8 BASES LCO (continued)

Note 2 allows one RHR loop to be inoperable for a period of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , provided that the other loop is OPERABLE and in operation. This permits periodic surveillance tests to be performed when the testing results in the required RHR loop being rendered inoperable. The remaining OPERABLE RHR loop is adequate to provide the required cooling during the time allowed by Note 2.

An OPERABLE RHR loop is comprised of an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger.

RHR pumps are OPERABLE if they are capable of being powered and are able to provide flow if required.

APPLICABILITY In MODE 5 with loops not filled or isolated, this LCO requires core heat removal and coolant circulation by the RHR System.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops - MODES 1 and 2,"

LCO 3.4.5, "RCS Loops - MODE 3,"

LCO 3.4.6, "RCS Loops - MODE 4,"

LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled,"

LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation -

High Water Level" (MODE 6), and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation -

Low Water Level" (MODE 6).

ACTIONS A.1 If one required RHR loop is inoperable, redundancy for RHR is lost.

Action must be initiated to restore a second loop to OPERABLE status.

The immediate Completion Time reflects the importance of maintaining the availability of two loops for heat removal.

B.1 and B.2 If no required loop is OPERABLE or the required loop is not in operation, except during conditions permitted by Note 1, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action must be initiated immediately to restore an RHR loop to OPERABLE status and operation. The required margin to criticality must not be reduced in this type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required to assure Beaver Valley Units 1 and 2 B 3.4.8 - 2 Revision 0

RCS Loops - MODE 5, Loops Not Filled B 3.4.8 BASES ACTIONS (continued) continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal.

The action to restore must continue until one loop is restored to OPERABLE status and operation.

SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This SR requires verification that the required loop is in operation.

Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.8.2 Verification that each required pump is OPERABLE ensures that an additional pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to each required pump not in operation. Alternatively, verification that a pump is in operation also verifies proper breaker alignment and power availability.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

REFERENCES None.

Beaver Valley Units 1 and 2 B 3.4.8 - 3 Revision 29

Pressurizer B 3.4.9 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.9 Pressurizer BASES BACKGROUND The pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under saturated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Key functions include maintaining required primary system pressure during steady state operation, and limiting the pressure changes caused by reactor coolant thermal expansion and contraction during normal load transients.

The pressure control components addressed by this LCO include the pressurizer water level, the required heaters, and their controls and emergency power supplies. Pressurizer safety valves and pressurizer power operated relief valves are addressed by LCO 3.4.10, "Pressurizer Safety Valves," and LCO 3.4.11, "Pressurizer Power Operated Relief Valves (PORVs)," respectively.

The intent of the LCO is to ensure that a steam bubble exists in the pressurizer prior to power operation to minimize the consequences of potential overpressure transients. The presence of a steam bubble is consistent with analytical assumptions. Relatively small amounts of noncondensible gases can inhibit the condensation heat transfer between the pressurizer spray and the steam, and diminish the spray effectiveness for pressure control.

Electrical immersion heaters, located in the lower section of the pressurizer vessel, keep the water in the pressurizer at saturation temperature and maintain a constant operating pressure. A minimum required available capacity of pressurizer heaters ensures that the RCS pressure can be maintained. The capability to maintain and control system pressure is important for maintaining subcooled conditions in the RCS and ensuring the capability to remove core decay heat by either forced or natural circulation of reactor coolant. Unless adequate heater capacity is available, the hot, high pressure condition cannot be maintained indefinitely and still provide the required subcooling margin in the primary system. Inability to control the system pressure and maintain subcooling under conditions of natural circulation flow in the primary system could lead to a loss of single phase natural circulation and decreased capability to remove core decay heat.

Beaver Valley Units 1 and 2 B 3.4.9 - 1 Revision 0

Pressurizer B 3.4.9 BASES APPLICABLE In MODES 1, 2, and 3, the LCO requirement for a steam bubble is SAFETY reflected implicitly in the accident analyses. Safety analyses performed ANALYSES for lower MODES are not limiting. All analyses performed from a critical reactor condition assume the existence of a steam bubble and saturated conditions in the pressurizer. In making this assumption, the analyses neglect the small fraction of noncondensible gases normally present.

Safety analyses presented in the UFSAR (Ref. 1) do not take credit for pressurizer heater operation; however, an implicit initial condition assumption of the safety analyses is that the RCS is operating at normal pressure. Although the safety analyses do not take credit for pressurizer heater operation, the pressurizer heaters are modeled in any transient where pressurizer heater operation could lead to more limiting results (e.g., pressurizer filling events).

The maximum pressurizer water level limit, which ensures that a steam bubble exists in the pressurizer, satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Although the heaters are not specifically used in accident analysis, the need to maintain subcooling in the long term during loss of offsite power, as indicated in NUREG-0737 (Ref. 2), is the reason for providing an LCO.

LCO The LCO requirement for the pressurizer to be OPERABLE with a water volume 1235 cubic feet, which is equivalent to 92%, ensures that a steam bubble exists. Limiting the LCO maximum operating water level preserves the steam space for pressure control. The LCO has been established to ensure the capability to establish and maintain pressure control for steady state operation and to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two sets of OPERABLE pressurizer heaters, each with a capacity 150 kW, capable of being powered from the emergency power supply. There are four groups of backup pressurizer heaters powered from emergency busses. Two groups of backup heaters are supplied from each train of emergency power. The LCO requirement for a set of heaters per emergency bus may be met by using any combination of heaters in the two groups powered from the same emergency bus that total 150 kW of heater capacity. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wide margin to subcooling can be obtained in the loops.

The amount needed to maintain pressure is dependent on the heat losses.

Beaver Valley Units 1 and 2 B 3.4.9 - 2 Revision 0

Pressurizer B 3.4.9 BASES APPLICABILITY The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature, resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, applicability has been designated for MODES 1 and 2. The applicability is also provided for MODE 3. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational perturbation, such as reactor coolant pump startup.

In MODES 1, 2, and 3, there is need to maintain the availability of pressurizer heaters, capable of being powered from an emergency power supply. In the event of a loss of offsite power, the initial conditions of these MODES give the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODE 4, 5, or 6, it is not necessary to control pressure (by heaters) to ensure loop subcooling for heat transfer when the Residual Heat Removal (RHR) System is available or in service, and therefore, the LCO is not applicable.

ACTIONS A.1, A.2, A.3, and A.4 Pressurizer water level control malfunctions or other plant evolutions may result in a pressurizer water level above the nominal upper limit, even with the plant at steady state conditions. Normally the plant will trip in this event since the upper limit of this LCO is the same as the Pressurizer Water Level - High Trip.

If the pressurizer water level is not within the limit, action must be taken to bring the plant to a MODE in which the LCO does not apply. To achieve this status, within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months the unit must be brought to MODE 3 with all rods fully inserted and incapable of withdrawal. Additionally, the unit must be brought to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This takes the unit out of the applicable MODES.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

B.1 If one required set of pressurizer heaters is inoperable, restoration is required within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the anticipation that a demand caused by loss of offsite power would be unlikely in this period. Pressure control will continue to be maintained during this time using the remaining OPERABLE heaters.

Beaver Valley Units 1 and 2 B 3.4.9 - 3 Revision 0

Pressurizer B 3.4.9 BASES ACTIONS (continued)

C.1 and C.2 If one set of pressurizer heaters are inoperable and cannot be restored in the allowed Completion Time of Required Action B.1, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.9.1 REQUIREMENTS This SR requires that during steady state operation, pressurizer level is maintained below the nominal upper limit to provide a minimum space for a steam bubble. The Surveillance is performed by observing the indicated level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.9.2 The SR is satisfied when the power supplies are demonstrated to be capable of producing the minimum power and the associated pressurizer heaters are verified to be at the required kW capacity. The Surveillance verifies that a total heater capacity of at least 150 kW is available from each emergency bus. Each required set of heaters may be comprised of any combination of heaters in the two groups powered from the same emergency bus. This may be done by testing the power supply output and by performing an electrical check on heater element continuity and resistance or by energizing the heaters and measuring current. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).

2. NUREG-0737, November 1980.

Beaver Valley Units 1 and 2 B 3.4.9 - 4 Revision 29

ML20160A079

Contents

Text

Subject:

Subject:

Subject:

Subject:

Subject:

Subject:

Subject:

Navigation menu

ML20160A079

Text

Subject:

Subject:

Subject:

Subject:

Subject:

Subject:

Subject:

Navigation menu

Search