ML060740088

From kanterella
Revision as of 07:55, 14 March 2020 by StriderTol (talk | contribs) (StriderTol Bot change)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Technical Specifications Bases Revisions 34, 35, and 36 Update
ML060740088
Person / Time
Site: Palo Verde  Arizona Public Service icon.png
Issue date: 03/03/2006
From: Bauer S
Arizona Public Service Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
102-05428-SAB/TNW/RKR
Download: ML060740088 (232)


Text

Technical Specification 5.5.14 LZFIMS A subsidiary of Pinnacle W est Capital Corporation Scott A. Bauer Department Leader, Regulatory Affairs Tel. 623-393-5978 Mail Station 7636 Palo Verde Nuclear Fax 623-393-5442 PO Box 52034 Generating Station e-mail: sbauer@apsc.com Phoenix, Arizona 85072-2034 102-05428-SAB/TNW/RKR March 03, 2006 ATTN: Document Control Desk U. S. Nuclear Regulatory Commission Washington, DC 20555-0001

Dear Sirs:

Subject:

Palo Verde Nuclear Generating Station (PVNGS)

Units 1, 2 and 3 Docket Nos. STN 50-52815291530 Technical Specifications Bases Revisions 34, 35, and 36 Update Pursuant to PVNGS Technical Specification (TS) 5.5.14, "Technical Specifications Bases Control Program," Arizona Public service Company (APS) is submitting changes to the TS Bases incorporated into Revision 34, implemented on August 31, 2005, Revision 35, implemented November 30, 2005, and Revision 36, implemented on February 9, 2006. The Revision 34 insertion instructions and replacement pages are provided in Enclosure 1. The Revision 35 insertion instructions and replacement pages are provided in Enclosure 2. The Revision 36 insertion instructions and replacement pages are provided in Enclosure 3.

No commitments are being made to the NRC by this letter. Should you have any questions, please contact Thomas N. Weber at (623) 393-5764.

Sincerely, SAB/TNW/RKR/ca Ao 1m A member of the STAiRS (Strategic: Teaming and Resource Sharing) Alliance Callaway

  • Comanche Peak
  • Diablo Canyon
  • Palo Verde
  • Wolf Creek

U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Technical Specif.cations Bases Revisions 34, 35, and 36 Update Page 2

Enclosures:

1. PVNGS' Technical Specification Bases Revision 34 Insertion Instructions and Replacement Pages
2. PVNG', Technical Specification Bases Revision 35 Insertion Instructions and Replacement Pages
3. PVNG'S Technical Specification Bases Revision 36 Insertion Instructions and Replacement Pages cc: B. S. Mallett NRC Region IV Regional Administrator M. B. Fields NRC NRR Project Manager G. G. Warnick NRC Senior Resident Inspector for PVNGS

ENCLOSURE I PIVNGS Technical Specification Bases Revision 34 Insertion Instructions and Replacement Pages

PVNGS Technical Specifications Bases Revision 34 Insertion Instructions Remove Page: Insert New Page:

Cover page Cover page List of Effective Pages, List of Effective Pages, Pages 1/2 :hrough Pages 1/2 through List of Effective Pages, List of Effective Pages, Page 7/8 Page 7/8 B 3.1.7-3/3.1.7-4 B 3.1.7-3/3.1.7-4 B 3.1.11-3/3.1.11-4 B 3.1.11-3/3.1.11-4 B 3.3.1-9/3.3.1-10 B 3.3.1-9/3.3.1-10 B 3.3.1-17/3.3.1-18 B 3.3.1-17/3.3.1-18 B 3.3.5-27/.3.3.5-28 B 3.3.5-27/3.3.5-28 B 3.4.5-1/3.4.5-2 B 3.4.5-1/3.4.5-2 B 3.4.9-3/3.4.9-4 B 3.4.9-3/3.4.9-4 B 3.4.12-1/3.4.12-2 B 3.4.12-1/3.4.12-2 B 3.4.14-1/3.4.14-2 B 3.4.14-1/3.4.14-2 B 3.4.14-3/3.4.14-4 B 3.4.14-3/3.4.14-4 B 3.4.14-7/:'lank B 3.4.14-7/blank B 3.7.1-1/3.7.1-2 B 3.7.1-1/3.7.1-2 through through B 3.7.1-5/3.7.1-6 B 3.7.1-5/3.7.1-6 B 3.8.1-3/3.8.1-4 B 3.8.1-3/3.8.1-4 B 3.8.1-7/3.8.1-8 B 3.8.1-7/3.8.1-8 B 3.8.3-3/3.8.3-4 B 3.8.3-3/3.8.3-4 B 3.8.3-5/3.8.3-6 B 3.8.3-5/3.8.3-6 B 3.8.9-1/3.8.9-2 B 3.8.9-1/3.8.9-2 B 3.9.1-1/3.9.1-2 B 3.9.1-1/3.9.1-2 I

P V'NGS Palo Verde Nuclear GeneratingStation Units 1, 2, and 3 Tec.hnical opecification Bases Revision 34 August 31, 2005 P-

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

2.1.1-1 0 3.1.4-5 0 2.1.1-2 0 3 .1.5-1 0 2.1.1-3 21 3.1.5-2 28 2.1.1-4 21 3 .1.5-3 28 2.1. 1-5 23 3.1.5-4 28 2.1.2-1 0 3.1.5-5 28 2.1.2-2 31 3.1.5-6 28 2.1.2-3 0 3 .1.5-7 1 2.1.2-4 23 3.1.5-8 28 2.1.2-5 0 3 .1.5-9 28 3.0-1 0 3 .1.5-10 28 3.0-2 0 3 .1.5-11 28 3 .0-3 0 3 .1.6-1 0 3.0-4 0 3.1.6-2 0 3.0-5 0 3.1.6-3 0 3 .0-6 1 3.1.6-4 0 3.0-7 0 3.1.7-1 0 3.0-8 0 3.1.7-2 0 3.0-9 0 3.1.7-3 28 3 . 0-10 14 3.1.7-4 34 3 .0-11 14 3.1.7-5 25

3. 0-12 14 3.1.7-6 0 3.0-13 0 3.1.7-7 0 3.0-14 0 3.1.7-8 0 3.0-15 0 3.1.7-9 0 3.0-16 17 3 .1.8-1 28 3.0-17 17 3 .1.8-2 28 3.0-18 17 3 .1.8-3 28 3.0-19 17 3 .1.8-4 28 3 .1.1-1 28 3 .1.8-5 28 3.1.1-2 0 3.1.9-1 0 3.1.1-3 28 3.1.9-2 0 3.1.1-4 12 3.1.9-3 0 3.1.1-5 27 3.1.9-4 0 3 .1.1-6 31 3.1.9-5 28 3.1.2-1 28 3.1.9-6 1 3.1.2-2 0 3.1.10-1 0 3.1.2-3 31 3 .1.10-2 28 3.1.2-4 28 3 .1.10-3 0 3.1.2-5 0 3 .1.10-4 0 3.1.2-6 0 3.1.10-5 0 3.1.2-7 12 3 .1.10-6 0 3.1.2-8 0 3.1.11-1 0 3.1.2-9 0 3 .1.11-2 28 3 .1.3-1 0 3 .1.11-3 0 3 . 1.3-2 0 3 .1.11-4 34 3.1.3-3 0 3 .1.11-5 0 3.1.3-4 0 3.2.1-1 28 3.1.3-5 0 3.2.1-2 10 3.1.3-6 0 3.2.1-3 28 3.1.4-1 0 3.2.1-4 0 3.1.4-2 31 3 .2 .1-5 0 3.1.4-3 0 3.2.1-6 0 3.1.4-4 0 3 .2 .1-7 0 PALO VERDE UN]:TS 1, 2, AND 3 1 Revision 34 August 31, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3.2.1-8 0 B 3.3.1-20 25 3.2.2-1 28 B 3.3.1-21 28 3.2.2-2 10 B 3.3.1-22 28 3.2.2-3 0 B 3.3.1-23 25 3.2.2-4 28 B 3.3.1-24 25 3.2.2-5 1 B 3.3.1-25 25 3.2.2-6 0 B 3.3.1-26 25 3.2.2-7 0 B 3.3.1-27 25 3.2.3-1 28 B 3.3.1-28 25 3.2.3-2 10 B 3.3.1-29 25 3.2.3-3 0 B 3.3.1-30 27 3.2.3-4 28 B 3.3.1-31 27 3.2.3-5 0 B 3.3.1-32 27 3.2.3-6 0 B 3.3.1-33 27 3.2.3-7 0 B 3.3.1-34 27 3.2.3-8 0 B 3.3.1-35 25 3.2.3-9 0 B 3.3.1-36 27 3.2.3-10 0 B 3.3.1-37 25 3.2.4-1 28 B 3.3.1-38 25 3.2.4-2 10 B 3.3.1-39 27 3.2.4-3 0 B 3.3.1-40 25 3.2.4-4 28 B 3.3.1-41 25 3.2.4-5 25 B 3.3.1-42 25 3.2.4-6 25 B 3.3.1-43 25 3.2.4-7 27 B.3.3.1-44 25 3.2.4-8 31 B.3 .3.1-45 25 3.2.4-9 31 B.3.3.1-46 25 33.2.4-10 31 B.3 .3.1-47 25 3.2.5-1 28 B.3 .3.1-48 25 3.2.5-2 10 B.3 .3.1-49 30 3.2.5-3 0 B.3 .3.1-50 30 3.2.5-4 28 B.3.3.1-51 30 3.2.5-5 0 B.3.3.1-52 30 3.2.5-6 28 B.3 .3.1-53 30 3.2.5-7 0 B.3.3.1-54 25 3.3.1-1 0 B.3 .3.1-55 25 3 .3. 1-2 25 B.3 .3.1-56 25 3.3.1-3 25 B.3.3.1-57 27 3.3.1-4 25 B 3.3.2-1 0 3 .3.1-5 25 B 3.3.2-2 0 3.3.1-6 27 B 3.3.2-3 1 3.3.1-7 25 B 3.3.2-4 1 3.3.1-8 25 B 3.3.2-5 0 3.3.1-9 34 B 3.3.2-6 15 3.3.1-10 27 B 3.3.2-7 15 3.3.1-11 26 B 3.3.2-8 15 3.3.1-12 27 B 3.3.2-9 15 3.3.1-13 27 B 3.3.2-10 15 3.3.1-14 25 B 3.3.2-11 15 3.3.1-15 25 B 3.3.2-12 15 3.3.1-16 25 B 3.3.2-13 15 3.3.1-17 34 B 3.3.2-14 15 3.3.1-18 25 B 3.3.2-15 15 3.3.1-19 25 B 3.3.2-16 15 PALO VERDE UNITS 1, 2, AND 3 2 Revision. 34 August 31, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.3.2-17 15 3.3.5-18 0 B 3.3.3-1 25 3.3.5-19 0 B 3.3.3-2 27 3.3.5-20 1 B 3.3.3-3 25 3.3.5-21 0 B 3.3.3-4 25 3.3 .5-22 0 B 3.3.3-5 25 3 .3 .5-23 0 B 3.3.3-6 25 3.3.5-24 0 B 3.3.3-7 27 3.3.5-25 0 B 3.3.3-8 27 3.3.5-26 0 B 3.3.3-9 27 3 .3.5-27 34 B 3.3.3-10 25 3.3.5-28 10 B 3.3.3-11 25 3.3.5-29 10 B.3.3.3-12 25 3.3.6-1 0 B.3 .3.3-13 25 3.3.6-2 0 B.3 .3.3-14 25 3 .3 .6-3 0 B.3 .3.3-15 27 3 .3 . 6-4 0 B.3 .3.3-16 25 3.3.6-5 31 B.3 .3.3-17 25 3 .3 . 6-6 0 B.3 .3.3-18 25 3.3.6-7 27 B.3 .3.3-19 27 3.3.6-8 27 B.3.3.3-20 27 3.3.6-9 0 B.3 .3.3-21 27 3 .3 .6-10 0 B 3.3.4-1 0 3 .3 .6-11 0 B 3.3.4-2 0 3.3.6-12 0 B 3.3.4-3 0 3.3.6-13 0 B 3.3.4-4 0 3.3.6-14 0 B 3.3.4-5 0 3 .3. 6-15 0 B 3.3.4-6 31 3.3.6-16 0 B 3.3.4-7 0 3.3.6-17 27 B 3.3.4-8 0 3.3.6-18 0 B 3.3.4-9 0 3 .3 .6-19 0 B 3.3.4-10 0 3.3.6-20 0 B 3.3.4-11 0 3 .3 .6-21 1 B 3.3.4-12 0 3.3.6-22 1 B 3.3.4-13 0 3.3.7-1 2 B 3.3.4-14 0 3.3.7-2 2 B 3.3.4-15 0 3.3.7-3 0 B 3.3.5-1 0 3.3.7-4 0 B 3.3.5-2 0 3.3.7-5 0 B 3.3.5-3 0 3.3.7-6 0 B 3.3.5-4 0 3.3.7-7 0 B 3.3.5-5 0 3.3.7-8 0 B 3.3.5-6 0 3.3.7-9 2 B 3.3.5-7 0 3.3.8-1 0 B 3.3.5-8 31 3 .3 .8-2 0 B 3.3.5-9 0 3 . 3 . 8-3 0 B 3.3.5-10 0 3 .3 .8-4 0 B 3.3.5-11 0 3 .3 .8-5 0 B 3.3.5-12 1 3.3.8-6 1 B 3.3.5-13 0 3.3.8-7 0 B 3.3.5-14 0 3.3.8-8 0 B 3.3.5-15 0 3.3.9-1 0 B 3.3.5-16 0 3.3.9-2 2 B 3.3.5-17 0 3.3.9-3 21 PALO VERDE UN]:TS 1, 2, AND 3 3 Revision 34 August 31, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3.3.9-4 10 3.4.4-1 0 3.3.9-5 1 3.4.4-2 7 3.3 .9-6 0 3.4.4-3 7 3.3.9-7 0 3.4.4-4 0 3 .3 .10-1 0 3.4.5-1 0 3 .3 . 10-2 0 3.4.5-2 34 3.3.10-3 0 3.4.5-3 30 3.3.10-4 0 3 .4.5-4 0 3.3.10-5 18 3.4.5-5 6 3.3.10-6 0 3.4.6-1 0 3 .3 .10-7 0 3.4.6-2 6 3.3.10-8 14 3.4.6-3 6 3 .3 . 10-9 14 3.4.6-4 6 3.3.10-10 14 3.4.6-5 6 3 .3 .10-11 14 3.4.7-1 0 3.3.10-12 14 3.4.7-2 6 3.3.10-13 14 3.4.7-3 6 3.3.10-14 32 3.4.7-4 2 3.3.10-15 32 3.4.7-5 0 3.3.10-16 32 3.4.7-6 0 3 .3 .10-17 32 3.4.7-7 27 3.3.10-18 32 3.4.8-1 0 3 .3 .10-19 32 3.4.8-2 6 3.3.10-20 32 3.4.8-3 6 3.3.10-21 33 3.4.9-1 0 3.3.10-22 32 3.4.9-2 31 3 .3 . 11-1 0 3.4.9-3 34 3.3.11-2 2 3.4.9-4 0 3.3.11-3 2 3.4.9-5 0 3 .3 .11-4 2 3.4.9-6 0 3 .3 .11-5 19 3 .4.10-1 0 3.3.11-6 2 3 .4. 10-2 7 3.3.11-7 2 3 .4. 10-3 0 3 .3 .12-1 15 3 .4.10-4 0 3.3.12-2 15 3.4.11-1 0 3.3.12-3 5 3.4.11-2 7 3 .3 .12-4 5 3.4.11-3 0 3.3.12-5 6 3.4.11-4 0 3.3.12-6 6 3.4. 11-5 0 3 .4. 1-1 10 3.4.11-6 0 3 . 4 . 1-2 28 3 .4.12-1 1 3.4.1-3 0 3.4. 12-2 34 3 .4.1-4 0 3 .4.12-3 0 3.4.1-5 0 3.4.12-4 0 3.4.2-1 7 3 .4.12-5 31 3.4.2-2 1 3 .4.13-1 0 3.4.3-1 0 3.4.13-2 0 3.4.3-2 0 3.4.13-3 1 3.4.3-3 0 3.4.13-4 0 3.4.3-4 2 3.4. 13-5 0 3.4.3-5 2 3.4.13-6 0 3.4.3-6 0 3.4.13-7 2 3.4.3-7 0 3 .4.13-8 2 3.4.3-8 2 3.4. 13-9 0 PALO VERDE UNITS 1, 2, AND 3 4 Revision 34 August 31, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3 .4.13 -10 2 B 3.5.3-8 1 3 .4.14-1 0 B 3.5.3-9 0 3 .4.14-2 34 B 3.5.3-10 2 3.4.14-3 34 B 3.5.4-1 15 3.4 .14-4 7 B 3.5.4-2 0 3 .4 .14 -5 2 B 3.5.4-3 0 3 .4.14-6 2 B 3.5.5-1 0 3 .4.14-7 34 B 3.5.5-2 7 3.4.15-1 0 B 3.5.5-3 4 3 .4 .15-2 0 B 3.5.5-4 4 3 .4. 15-3 0 B 3.5.5-5 0 3 .4 .15-4 0 B 3.5.5-6 0 3 .4.15-5 0 B 3.5.5-7 0 3.4.15-6 0 B 3.5.6-1 0 3 .4 .15-7 0 B 3.5.6-2 1 3 .4.16-1 2 B 3.5.6-3 0 3 .4. 16-2 10 B 3.5.6-4 24 3 .4 .16-3 0 B 3.5.6-5 27 3.4. 16-4 0 B 3.6.1-1 0 3 .4. 16-5 0 B 3.6.1-2 25 3 .4. 16-6 0 B 3.6.1-3 0 3 .4. 17-1 0 B 3.6.1-4 29 3 .4.17-2 27 B 3.6.1-5 29 3 .4. 17-3 0 B 3.6.2-1 0 3 .4.17-4 0 B 3.6.2-2 25 3 .4. 17-5 0 B 3.6.2-3 0 3 .4. 17-6 0 B 3.6.2-4 0 3.5.1-1 0 B 3.6.2-5 0 3.5.1-2 0 B 3.6.2-6 0 3 . 5.1-3 7 B 3.6.2-7 20

3. 5. 1-4 0 B 3.6.2-8 0 3 . 5. 1-5 0 B 3.6.3-1 27 3.5.1-6 0 B 3.6.3-2 27 3.5. 1-7 1 B 3.6.3-3 27 3.5. 1-8 1 B 3.6.3-4 27
3. 5. 1-9 0 B 3.6.3-5 27 3 .5.1-10 1 B 3.6.3-6 27 3.5.2-1 0 B 3.6.3-7 27 3 .5.2-2 0 B 3.6.3-8 27 3.5.2-3 0 B 3.6.3-9 27 3.5.2-4 0 B 3.6.3-10 27 3.5.2-5 0 B 3.6.3-11 27 3.5.2-6 0 B 3.6.3-12 27 3.5.2-7 1 B 3.6.3-13 27 3.5.2-8 22 B 3.6.3-14 27 3.5.2-9 1 B 3.6.3-15 27 3.5.2-10 1 B 3.6.3-16 27 3.5.3-1 0 B 3.6.3-17 27 3.5.3-2 0 B.3.6.3-18 27 3 .5.3 -3 0 B.3.6.3-19 27 3.5.3-4 0 B 3.6.4-1 25 3.5.3-5 0 B 3.6.4-2 1 3 .5.3 -6 2 B 3.6.4-3 1 3 .5.3 -7 2 B 3.6.5-1 0 PALO VERDE UNITS 1, 2, AND 3 5 Revision 34 August 31, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.6.5-2 1 B 3.7.7-2 1 B 3.6.5-3 0 B 3.7.7-3 1 B 3.6.5-4 0 B 3.7.7-4 1 B 3.6.6-1 0 B 3.7.7-5 1 B 3.6.6-2 0 B 3.7.8-1 1 B 3.6.6-3 25 B 3.7.8-2 1 B 3.6.6-4 7 B 3.7.8-3 1 B 3.6.6-5 1 B 3.7.8-4 1 B 3.6.6-6 0 B 3.7.9-1 0 B 3.6.6-7 1 B 3.7.9-2 1 B 3.6.6-8 1 B 3.7.9-3 0 B 3.6.6-9 0 B 3.7.10-1 10 B 3.6.7-1 0 B 3.7.10-2 1 B 3.6.7-2 0 B 3.7.10-3 1 B 3.6.7-3 0 B 3.7.10-4 1 B 3.6.7-4 0 B 3.7.11-1 0 B 3.6.7-5 0 B 3.7.11-2 0 B 3.7.1-1 28 B 3.7.11-3 21 B 3.7.1-2 34 B 3.7.11-4 10 B 3.7.1-3 34 B 3.7.11-5 10 B 3.7.1-4 34 B 3.7.11-6 10 B 3.7.1-5 34 B 3.7.12-1 1 B 3.7.1-6 34 B 3.7.12-2 21 B 3.7.2-1 0 B 3.7.12-3 21 B 3.7.2-2 0 B 3.7.12-4 10 B 3.7.2-3 31 B 3.7.13-1 0 B 3.7.2-4 0 B 3.7.13-2 0 B 3.7.2-5 0 B 3.7.13-3 0 B 3.7.2-6 0 B 3.7.13-4 0 B 3.7.3-1 1 B 3.7.13-5 0 B 3.7.3-2 1 B 3.7.14-1 0 B 3.7.3-3 1 B 3.7.14-2 21 B 3.7.3-4 0 B 3.7.14-3 21 B 3.7.3-5 0 B 3.7.15-1 3 B 3.7.4-1 0 B 3.7.15-2 3 B 3.7.4-2 31 B 3.7.16-1 7 B 3.7.4-3 31 B 3.7.16-2 0 B 3.7.4-4 0 B 3.7.16-3 0 B 3.7.5-1 0 B 3.7.16-4 0 B 3.7.5-2 0 B 3.7.17-1 23 B 3.7.5-3 0 B 3.7.17-2 3 B 3.7.5-4 27 B 3.7.17-3 3 B 3.7.5-5 9 B 3.7.17-4 3 B 3.7.5-6 9 B 3.7.17-5 3 B 3.7.5-7 9 B 3.7.17-6 3 B 3.7.5-8 9 B 3.8.1-1 22 B 3.7.5-9 9 B 3.8.1-2 2 B 3.7.5-10 9 B 3.8.1-3 34 B.3.7.5-11 9 B 3.8.1-4 34 B 3.7.6-1 0 B 3.8.1-5 20 B 3.7.6-2 28 B 3.8.1-6 27 B 3.7.6-3 28 B 3.8.1-7 34 B 3.7.6-4 0 B 3.8.1-8 2 B 3.7.7-1 0 B 3.8.1-9 27 PALO VERDE UNITS 1, 2, AND 3 6 Revision 34 August 31, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.8.1-10 2 B 3.8.4-9 2 B 3.8.1-11 2 B 3.8.4-10 2 B 3.8.1-12 2 B 3.8.4-11 2 B 3.8.1-13 2 B 3.8.5-1 1 B 3.8.1-14 2 B 3.8.5-2 1 B 3.8.1-15 2 B 3.8.5-3 21 B 3.8.1-16 20 B 3.8.5-4 21 B 3.8.1-17 20 B 3.8.5-5 2 B 3.8.1-18 20 B 3.8.5-6 2 B 3.8.1-19 20 B 3.8.6-1 0 B 3.8.1-20 20 B 3.8.6-2 0 B 3.8.1-21 20 B 3.8.6-3 0 B 3.8.1-22 20 B 3.8.6-4 6 B 3.8.1-23 20 B 3.8.6-5 6 B 3.8.1-24 20 B 3.8.6-6 6 B 3.8.1-25 20 B 3.8.6-7 0 B 3.8.1-26 20 B 3.8.7-1 0 B 3.8.1-27 20 B 3.8.7-2 0 B 3.8.1-28 20 B 3.8.7-3 0 B 3.8.1-29 20 B 3.8.7-4 0 B 3.8.1-30 20 B 3.8.8-1 1 B 3.8.1-31 20 B 3.8.8-2 1 B 3.8.1-32 20 B 3.8.8-3 21 B 3.8.1-33 20 B 3.8.8-4 21 B 3.8.1-34 20 B 3.8.8-5 1 B 3.8.1-35 20 B 3.8.9-1 34 B 3.8.1-36 20 B 3.8.9-2 0 B 3.8.1-37 23 B 3.8.9-3 0 B 3.8.1-38 27 B 3.8.9-4 0 B 3.8.1-39 20 B 3.8.9-5 0 B 3.8.1-40 20 B 3.8.9-6 0 B 3.8.2-1 0 B 3.8.9-7 0 B 3.8.2-2 0 B 3.8.9-8 0 B 3.8.2-3 0 B 3.8.9-9 0 B 3.8.2-4 21 B 3.8.9-10 0 B 3.8.2-5 21 B 3.8.9-11 0 B 3.8.2-6 0 B 3.8.10-1 0 B 3.8.3-1 0 B 3.8.10-2 21 B 3.8.3-2 0 B 3.8.10-3 0 B 3.8.3-3 34 B 3.8.10-4 0 B 3.8.3-4 0 B 3.9.1-1 34 B 3.8.3-5 34 B 3.9.1-2 0 B 3.8.3-6 0 B 3.9.1-3 0 B 3.8.3-7 0 B 3.9.1-4 0 B 3.8.3-8 0 B 3.9.2-1 15 B 3.8.3-9 0 B 3.9.2-2 15 B 3.8.4-1 0 B 3.9.2-3 15 B 3.8.4-2 0 B 3.9.2-4 15 B 3.8.4-3 0 B 3.9.3-1 18 B 3.8.4-4 2 B 3.9.3-2 19 B 3.8.4-5 2 .B 3.9.3-3 27 B 3.8.4-6 2 B 3.9.3-4 19 B 3.8.4-7 2 B 3.9.3-5 19 B 3.8.4-8 2 B.3.9.3-6 19 PALO VERDE UN:[TS 1, 2, AND 3 7 Revision 34 August 31, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.9.4-1 0 B 3.9.4-2 1 B 3 .9.4-3 0 B 3.9.4-4 0 B 3 .9.5-1 0 B 3.9.5-2 16 B 3.9.5-3 27 B 3.9.5-4 16 B. 3.9.5-5 16 B 3.9. 6-1 0 B 3.9.6-2 0 B 3 .9.6-3 0 B 3.9.7-1 0 B 3.9.7-2 0 B 3.9.7-3 0 PALO VERDE UNITS 1, 2, AND 3 8 Revision 34 August 31, 2005

Regulating CEA Insertion Limits B 3.1.7 BASES BACKGROUND event of a CEA ejection accident, and the shutdown and (continued) regulating bank insertion limits ensure the required SDM is maintained.

Operation within the subject LCO limits will prevent fuel c adding failures that would breach the primary fission product barrier and release fission products to the reactor coolant in the event of a LOCA, loss of flow, ejected CEA, or other accident requiring termination by a Reactor Protection Systemi trip function.

APPLICABLE The fuel cladding must not sustain damage as a result of SAFETY ANALYSES normal operation (Condition I) and anticipated operational occurrences (Condition II). The acceptance criteria for the regulating CEA insertion, part length or part strength CEA I insertion, ASI, and Tq LCOs preclude core power distributions from occurring that would violate the following fuel design criteria:

a. During a large break LOCA, the peak cladding temperature must not exceed a limit of 2200 0 F, 10 CFR 50.46 (Ref. 2);
b. During CEA misoperation events, there must be at least a 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition;
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 3);

and

d. The CEAs must be capable of shutting down the reactor with a minimum required SDM, with the highest worth CEA stuck fully withdrawn, GDC 26 (Ref. 1).

Regulating CEA position, ASI. and Tq are process variables that together characterize and control the three dimensional power distribution of the reactor core.

Fuel cladding damage does not occur when the core is operated outside these LCOs during normal operation.

However, fuel cladding damage could result, should an (continued)

PALO VERDE UNITS 1.2.3 B 3.1.7-3 REVISION 28

Regulating CEA Insertion Limits B 3.1.7 BASES APPLICABLE accident occur with simultaneous violation of one or more of SAFETY ANALYSES these LCOs. Changes in the power distribution can cause (continued) increased power peaking and corresponding increased local LHRs.

The SDM requirement is ensured by limiting the regulating and shutdown CEA insertion limits, so that the allowable inserted worth of the CEAs is such that sufficient reactivity is available in the CEAs to shut down the reactor to hot zero power with a reactivity margin that assumes the maximum worth CEA remains fully withdrawn upon trip (Ref. 4).

The most limiting SDM requirements for MODE 1 and 2 conditions at BOC are determined by the requirements of several transients, e.g., Loss of Flow, Seized Rotor, etc.

However, the most limiting SDM requirements for MODES 1 and 2 at EOC come from just one transient, Steam Line Break (SLB). The requirements of the SLB event at EOC for both the full power and no load conditions are significantly larger than those of any other event at that time in cycle and, also, considerably larger than the most limiting requirements at BOC.

Although the most limiting SDM requirements at EOC are much larger that those at BOC, the available SDM obtained via the scramming of the CEAs are also substantially larger due to the much lower boron concentration at EOC. To verify that adequate SDM are available throughout the cycle to satisfy the changing requirements, calculations are performed at both BOC and EOC. It has been determined that calculations at these two times in cycle are sufficient since the differences between available SDM and the limiting SDM requirements are the smallest at these times in the cycle.

The measurement of CEA bank worth performed as part of the Startup Testing Program demonstrates that the core has expected shutdown capability. Consequently, adherence to LCOs 3.1.6 and 3.1.7 provides assurance that the available SDM at any time in cycle will exceed the limiting SDM requirements at that time in the cycle.

(continued)

PALO VERDE UNITS 1,2,3 B 3.1.7-4 REVISION 34

STE-Reactivity Coefficient Testing B 3.1.11 BASES APPLICABLE The safety analysis (Ref. 6) requires that the LHR and the SAFETY ANALYSES departure from nucleate boiling (DNB) parameter be (continued) maintained within limits. The associated trip setpoints are required to ensure these limits are maintained.

The individual LCOs governing CEA group height, insertion and alignment, ASI, total planar radial peaking factor, total integrated radial peaking factor, and T , preserve the LHR limits. Additionally, the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature (T,),

and pressurizer pressure contribute to maintaining DNB parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 7). The criteria for the loss of forced reactor coolant flow accident are specified in Reference 7.

Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria.

During PHYSICS TESTS, one or more of the LCOs that normally preserve the LHR and DNB parameter limits may be suspended.

The results of the accident analysis are not adversely impacted, however, if LHR and DNB parameters are verified to be within their limits while the LCOs are suspended.

Therefore, SRs are placed as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS. Performance of these Surveillances allows PHYSICS TESTS to be conducted without decreasing the margin of safety.

PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables. Among the process variables involved are total planar radial peaking factor, total integrated radial peaking factor, Tq. and ASI, which represent initial condition input (power peaking) to the accident analysis.

Also involved are the shutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR.

(continued)

PALO VERDE UNITS 1,2,3 B 3.1.11-3 REVISION 0

STE-Reactivity Coefficient Testing B 3.1.11 BASES APPLICABLE PHYSICS TESTS meet the criteria for inclusion in the SAFETY ANALYSIS Technical Specifications, since the component and process (continued) variable LCOs suspended during PHYSICS TESTS meet Criteria 1. 2, and 3 of 10 CFR 50.36 (c)(2)(ii).

LCO This LCO permits Part Length or Part Strength CEAs and Regulating CEAs to be positioned outside of their normal group heights and insertion limits, and RCS cold leg temperature to be outside its limits during the performance of PHYSICS TESTS. These PHYSICS TESTS are required to determine the isothermal temperature coefficient (ITC). MTC, and power coefficient.

The requirements of LCO 3.1.7, LCO 3.1.8. and LCO 3.4.1, (for RCS cold leg temperature only) may be suspended during the performance of PHYSICS TESTS provided COLSS is in service.

APPLICABILITY This LCO is applicable in MODE 1 with THERMAL POWER > 20%

RTP because the reactor must be critical at THERMAL POWER levels > 20% RTP to perform the PHYSICS TESTS described in the LCO section.

ACTIONS A.1 With the LHR or DNBR outside the limits specified in the COLR. adequate safety margin is not assured and power must be reduced to restore LHR and DNBR to within limits. The I required Completion Time of 15 minutes ensures prompt action is taken to restore LHR or DNBR to within limits.

(continued)

PALO VERDE UNITS 1,2.3 B 3.1.11-4 REVISION 34

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Measurement Channels (After CPC Upgrade) (continued)

The CPPs transmit CEA position to the appropriate CEAC in all four CPC channels over optically isolated datalinks, such that CEAC 1 in all channels receives the position of all CEAs based upon RSPT 1. and CEAC 2 receives the position of all CEAs based upon RSPT 2. Thus the position of all CEAs is independently monitored by both CEACs in each CPC channel.

The CPCs display the position of each CEA to the operator on a separate single CEA Position Flat Panel Display. Each CPC channel is connected to the display by means of an optically isolated data link. The operator may select the channel for display. Selecting channel A or B will display CEA position based upon RSPT 1 on each CEA. whereas selecting channel C or D will display CEA position based upon RSPT 2 on each CEA.

CEACS are addressed in LCO 3.3.3.

Bistable Trip Units (Before CPC Upgrade)

Bistable trip units, mounted in the Plant Protection System (PPS) cabinet. receive an analog input from the measurement channels. They compare the analog input to trip setpoints and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation.

There are four ciannels of bistables. designated A, B. C.

and D. for each RPS parameter, one for each measurement channel. Bistables de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, tie Matrix Logic will generate a reactor trip (two-out-of-four logic).

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-9 REVISION 34

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Bistable Trip Units (Before CPC Upgrade) (continued)

Some measurement channels provide contact outputs to the PPS. In these cases, there is no bistable card, and opening the contact input directly de-energizes the associated bistable relays. These include the CPC generated DNBR - Low and LPD - High trips. The CPC auxiliary trip functions (e.g., CPC VOPT algorithm) do not have any direct contact outputs to the PPS. The auxiliary trip functions act through the DNBR - Low and LPD - High trip contacts to de-energize the associated CPC initiation relays that provide a channel trip signal to the PPS parameters 3 and 4 bistable relays. Other CPC trip functions may also apply a penalty factor to cause a DNBR or LPD trip.

The trip setpoints used in the bistables are based on analytical limits derived from safety analyses (Ref. 5 and 8). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.1-1, in the accompanying LCO. are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in "Calculation of Trip Setpoint Values" (Ref. 7). The nominal trip setpoint entered into the bistable is normally still more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the interval between surveillances. A channel is inoperable if its actual setpoint is not within its Allowable Value.

To maintain the margins of safety assumed in the safety analyses, the calculations of the trip variables for the DNBR - Low and Local Power Density - High trips include the measurement, calculational, and processor uncertainties and dynamic allowances as defined in the latest applicable revision of CEN-305-P, "Functional Design Requirements for a Core Protection Calculator" (Ref. 10) and CEN-304-P," Functional Design Requirements for a Control Element Assembly Calculator," (Ref. 11). The safety (continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-10 REVISION 27

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE Design Basis Definition (continued)

SAFETY ANALYSES Each of the analyzed accidents and transients can be detected by one or more RPS Functions. The accident analysis takes credit for most of the RPS trip Functions.

Those functions *for which no credit is taken, termed equipment protective functions, are not needed from a safety perspective.

Each RPS setpoint is chosen to be consistent with the function of the respective trip. The basis for each trip setpoint falls into one of three general categories:

Category 1: To ensure that the SLs are not exceeded during AO0s:

Category 2: To assist the ESFAS during accidents: and Category 3: --

o prevent material damage to major plant components (equipment protective).

The RPS maintains the SLs during AOOs and mitigates the consequences of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis are part of the NRC staff approved licensing basis for the plant.

Noncredited Functions include the Steam Generator #1 Level - High, and the Steam Generator #2 Level - High. These trips minimize tie potential for equipment damage.

The specific safety analysis applicable to each protective function is identified below:

1. Variable Over Power-High (RPS)

The Variable Over Power - High Trip (RPS-VOPT) is provided to protect the reactor core during positive reactivity addition excursions. Under steady state conditions the trip setpoint will stay above the neutron powver level signal by a preset value, called the band function. When the power level increases the setpoint will increase to attempt to maintain the separation defined by the Band function, however the (continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-17 REVISION 34

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE Design Basis Definition (continued)

SAFETY ANALYSES

1. Variable Over Power-High (RPS) (continued) rate of the setpoint change is limited by the rate function. If the power level signal increases faster than the setpoint, a trip will occur when the power level eventually equals the trip setpoint. The maximum value the setpoint can have is determined by the ceiling function.

A positive reactivity excursion transient will be detected by one or more RPS Functions. The Variable Over Power-High trip (RPS-VOPT) can provide protection against core damage during the following events:

  • Uncontrolled CEA Withdrawal From Subcritical and Low Power (AOO): and
  • CEA Ejection (Accident).
2. Logarithmic Power Level - High The Logarithmic Power Level - High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

In MODES 2, 3, 4, and 5. with the RTCBs closed and the CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 1E-4% NRTP. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in LCO 3.3.2. "Reactor Protective System (RPS) Instrumentation - Shutdown."

In MODES 3, 4. or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level - High trip does not have to be OPERABLE. The indication and alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12.

"Boron Dilution Alarm System (BDAS)".

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-18 REVISION 25

ESFAS Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.2 (con inued)

REQUIREMENTS The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

SR 3.3.5.3 CHANNEL CALIBRAT[ON is a complete check of the instrument channel including the detector and the bypass removal functions. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

The 18 month frequency is based on operating experience which has shown these components usually pass the Surveillance when performed on the 18 month Frequency. With proper precautions the channel calibration can be performed with the reactor at power.

SR 3.3.5.4 This Surveillance ensures that the train actuation response times are within the maximum values assumed in the safety analyses.

Response time testing acceptance criteria are included in Reference 1.

Response time may be verified by any series of sequential.

overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time (continued)

PALO VERDE UNITS 1.2,3 B 3.3.5-27 REVISION 34

ESFAS Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.4 (continued)

REQUIREMENTS Testing Requirements," (Ref. 10) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and re-verified after maintenance that may adversely affect the sensor response time.

ESF RESPONSE TIME tests are conducted on a STAGGERED TEST BASIS of once every 18 months. The 18 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

SR 3.3.5.5 SR 3.3.5.5 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2. except SR 3.3.5.5 is performed within 92 days prior to startup and is only applicable to operating bypass functions. Since the Pressurizer Pressure - Low operating bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13.

The CHANNEL FUNCTIONAL TEST for proper operation of the operating bypass permissives is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function.

Consequently, just prior to startup is the appropriate time to verify operating bypass function OPERABILITY. Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by SR 3.3.5.2.

The allowance to conduct this test with 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9).

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.5-28 REVISION 10

RCS Loops - MODE 3 B 3.4.5 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.5 RCS Loops - MODE 3 BASES BACKGROUND The primary func-:ion of the reactor coolant in MODE 3 is removal of decay heat and transfer of this heat, via the Steam Generators (SGs), to the secondary plant fluid. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

In MODE 3. Reactor Coolant Pumps (RCPs) are used to provide forced circulation heat removal during heatup and cooldown.

The MODE 3 decay heat removal requirements are low enough that a single RCS loop with one RCP is sufficient to remove core decay heat. However, two RCS loops are required to be OPERABLE to provide redundant paths for decay heat removal.

Only one RCP needs to be OPERABLE to declare the associated RCS loop OPERABLE.

Reactor coolant natural circulation is not normally used but is sufficient for core cooling. However, natural circulation does not provide turbulent flow conditions.

Therefore, boron reduction in natural circulation is prohibited because mixing to obtain a homogeneous concentration in all portions of the RCS cannot be ensured.

APPLICABLE Analyses have shown that the rod withdrawal event from SAFETY ANALYSES MODE 3 with one RCS loop in operation is bounded by the rod withdrawal initiated from MODE 2.

Failure to provide heat removal may result in challenges to a fission product barrier. The RCS loops are part of the primary success oath that functions or actuates to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

RCS Loops - MODE 3 satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

(continued)

PALO VERDE UNITS 1.2.3 B 3.4.5-1 REVISION 0

RCS Loops - MODE 3 B 3.4.5 BASES LCO The purpose of this LCO is to require two RCS loops to be available for heat removal, thus providing redundancy. The LCO requires the two loops to be OPERABLE with the intent of requiring both SGs to be capable (2 25% wide range water level) of transferring heat from the reactor coolant at a controlled rate. Forced reactor coolant flow is the required way to transport heat, although natural circulation flow provides adequate removal. A minimum of one running RCP meets the LCO requirement for one loop in operation.

The Note permits a limited period of operation without RCPs.

All RCPs may be de-energized for < 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period.

This means that natural circulation has been established.

When in natural circulation, a reduction in boron concentration is prohibited because an even concentration distribution throughout the RCS cannot be ensured. The intent is to stop any known or direct positive reactivity additions to the RCS due to dilution. Core outlet temperature is to be maintained at least 100 F below the saturation temperature so that no vapor bubble may form and possibly cause a natural circulation flow obstruction. The 10 degrees F is considered the actual value of the necessary difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure to be maintained during the time the pumps would be de-energized.

The instrument error associated with determining this difference is 27 degrees F. (The only restriction for instrumentation use is with pressurizer pressure less than or equal to 350 psia. and in that situation the narrow range pressurizer Pressure instrumentation must be used.)

Therefore, the indicated value of the difference between RCS core outlet temperature and the saturation temperature associated with RCS pressure must be greater than or equal to 37 degrees F in order to use the provisions of the Note allowing the pumps to be de-energized.

In MODE 3 it is sometimes necessary to stop all RCPs (e.g..

to perform surveillance or startup testing, or to avoid operation below the RCP minimum net positive suction head limit). The time period is acceptable because natural circulation is adequate for heat removal, or the reactor coolant temperature can be maintained subcooled and boron stratification affecting reactivity control is not expected.

An OPERABLE RCS loop (loop 1 or loop 2) consists of at least one associated OPERABLE RCP and an associated SG that is OPERABLE in accordance with the Steam Generator Tube (continued)

PALO VERDE UNITS 1.2,3 B 3.4.5-2 REVISION 34

Pressurizer B 3.4.9 BASES APPLICABLE The Class 1E pressurizer backup heaters are needed SAFETY ANALYSES to maintain subcooling in the long term during loss of (continued) offsite power, as indicated in NUREG-0737 (Ref. 1). The requirement for emergency power supplies is based on NUREG-0737 (Ref. 1). The intent is to keep the reactor coolant in a subcooled condition with natural circulation at hot, high pressure conditions for an undefined, but extended, time period after a loss of offsite power. While loss of offsite power is a coincident occurrence assumed in the accident analyses, maintaining hot, high pressure conditions over an extended time period is not evaluated in the accident analyses. The pressurizer satisfies Criterion 2 and Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requirement for the pressurizer to be OPERABLE with water level 2 27% indicated level (425 cubic feet) and < 56%

indicated level (948 cubic feet) ensures that a steam bubble exists. Limiting the maximum operating water level preserves the steam space for pressure control. The LCO has been established to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity Ž 125 kW and capable of being powered from an emergency power supply. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wide subcooling margin to saturation can be obtained in the loops.

APPLICABILITY The need for pressure control is most pertinent when core heat can cause tie greatest effect on RCS temperature resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, Applicability has been designated for MJDES 1 and 2. The Applicability is also provided for MODE 3. It is assumed pressurizer level is under steady state conditions. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational (continued)

PALO VERDE UNITS 1,2,3 B 3.4.9-3 REVISION 34

Pressurizer B 3.4.9 BASES APPLICABILITY perturbation, such as reactor coolant pump startup. The (continued) LCO does not apply to MODE 5 (Loops Fl led) because LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP)

System." applies. The LCO does not apply to MODES 5 and 6 with partial loop operation. Also, a Note has been added to indicate the limit on pressurizer level may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP.

In MODES 1, 2, and 3, there is the need to maintain the availability of pressurizer heaters capable of being powered from an emergency power supply. In the event of a loss of offsite power, the initial conditions of these MODES gives the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODES 4, 5. or 6. it is not necessary to control pressure (by heaters) to ensure loop subcooling for heat transfer when the Shutdown Cooling System is in service and therefore the LCO is not applicable.

ACTIONS A.1 and A.2 With pressurizer water level not within the limit, action must be taken to restore the plant to operation within the bounds of the safety analyses. To achieve this status, the unit must be brought to MODE 3, with the reactor trip breakers open, within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

This takes the plant out of the applicable MODES and restores the plant to operation within the bounds of the safety analyses.

Six hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. Further pressure and temperature reduction to MODE 4 brings the plant to a MODE where the LCO is not applicable. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time to reach the nonapplicable MODE is reasonable based on operating experience for that evolution.

(continued)

PALO VERDE UNITS 1,2,3 B 3.4.9-4 REVISION 0

Pressurizer Vents B 3.4.12 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.12 Pressurizer Vents BASES BACKGROUND The pressurizer vent is part of the reactor coolant gas vent system (RCGVS) as described in UFSAR 18.II.B.1 (Ref. 1). The pressurizer can be vented remotely from the control room through the following four paths (see UFSAR Figure 18.II.B-1):

1. From the pressurizer vent through SOV HV-103, then through SOV HV-105 to the reactor drain tank (RDT).
2. From the pressurizer vent through SOV HV-103, then through SOV HV-106 directly to the containment atmosphere.
3. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-105 to the reactor drain tank (RDT). I
4. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-106 directly to the containment atmosphere.

The RCGVS also includes the reactor head vent, which can be used along with the pressurizer vent to remotely vent gases that could inhibit natural circulation core cooling during post accident situations. However, this function does not meet the criteria of 10 CFR 50.36(c)(2)(ii) to require a Technical Specification LCO, and therefore the reactor head vent is not included in these Technical Specifications.

(continued)

PALO VERDE UNITS 1,2,3 B 3.4.12-1 REVISION 1

Pressurizer Vents B 3.4.12 BASES I APPLICABLE The requirement for the pressurizer vent path to be SAFETY ANALYSES OPERABLE is based on the steam generator tube rupture (SGTR) with loss of offsite power (SGTRLOP) and SGTR with loss of offsite power and single failure (SGTRLOPSF) analysis, as described in UFSAR 15.6.3 (Ref. 4). It is assumed that the auxiliary pressurizer spray system (APSS) is not available for this event. Instead, RCS depressurization is performed by venting the RCS via a pressurizer vent path and throttling HPSI flow. The analysis assumes venting to the containment atmosphere via path 4 as described below.

The results of the CENTS based analysis for SGTRLOP and SGTRLOPSF forwarded to the NRC in Reference 2 states that the auxiliary spray was assumed to be unavailable and use of pressurizer head vents was credited for de-pressurization.

The staff has reviewed and accepted the results of the analysis. The staff's detailed evaluation has been reported in Amendment No. 149, which increases power to 3990 MWt for Unit 2 and incorporates replacement steam generator (Ref. 3).

The pressurizer vent paths satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The LCO requires four pressurizer vent paths be OPERABLE.

The four vent paths are:

1. From the pressurizer vent through SOV HV-103, then through SOV HV-105 to the reactor drain tank (RDT).
2. From the pressurizer vent through SOV HV-103, then through SOV HV-106 directly to the containment atmosphere.
3. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-105 to the reactor drain tank (RDT).
4. From the pressurizer vent through SOVs HV-108 and HV-109, then through SOV HV-106 directly to the containment atmosphere.

(continued)

PALO VERDE UNITS 1.2,3 B 3.4.12-2 REVISION 34

RCS Operational LEAKAGE B 3.4.14 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.14 RCS ODerational LEAKAGE BASES BACKGROUND Components that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.

During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration.

The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.

10 CFR 50, Appendix A, GDC 30 (Ref. 1). requires means for detecting and, to the extent practical. identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur detrimental to the safety of the facility and the public.

A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight.

Leakage from these systems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS LEAKAGE detection.

This LCO deals with protection of the Reactor Coolant Pressure Boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analysis radiation release assumptions from being exceeded.

The consequences of violating this LCO include the possibility of a Loss Of Coolant Accident (LOCA).

(continued)

PALO VERDE UNITS 1,2.3 B 3.4.14-1 REVISION 0

RCS Operational LEAKAGE B 3.4.14 BASES (continued)

APPLICABLE The PVNGS safety analyses do not address RCS operational SAFETY ANALYSES LEAKAGE other than primary to secondary LEAKAGE. Analyses for events that result in a steam discharge from the secondary system to the atmosphere assume 1 gallon per minute (gpm) total primary secondary LEAKAGE at the time of event initiation. These analyses include the Inadvertent Opening of a Steam Generator Atmospheric Dump Valve (IOSGADV): Main Steam Line Break (MSLB); Feedwater Line Break (FWLB): Reactor Coolant Pump Sheared Shaft and Seized Rotor (SS/SR); Control Element Assembly Ejection (CEAE):

Steam Generator Tube Rupture (SGTR): Small Break Loss of Coolant Accident (SBLOCA); and an Anticipated Operational Occurrence (AOO) in combination with a Single Failure (i.e.

a loss of forced RCS flow initiated from the DNBR SAFDL).

While some events assume the 1 gpm LEAKAGE is in one steam generator, others assume 0.5 gpm per steam generator (lgpm total) as an initial condition. Therefore, the individual UFSAR event section must be reviewed to determine the assumed primary to secondary LEAKAGE for a specific transient or accident.

Although the Large Break Loss of Coolant Accident (LBLOCA) also results in a discharge from the secondary system to the atmosphere, the analysis for that event addresses releases from containment building through a depressurized secondary system, rather than 1 gpm primary to secondary LEAKAGE.

Primary to secondary LEAKAGE contaminates the secondary system and is therefore a contributor to radiological dose consequences. For PVNGS, a postulated SGTR in combination with a Loss of Offsite Power (LOP), a stuck open Atmospheric Dump Valve (ADV), and a Pre-accident Iodine Spike (PIS) yields the most severe offsite dose consequences (Ref. 3). whereas a postulated CEAE yields the most severe control room dose consequences (Ref. 4). The consequences resulting from these and other analyzed events, however, remain within the offsite dose limits of 10 CFR Part 100 (Ref. 5): the control room dose limits of 10 CFR 50, Appendix A, GDC19 (Ref. 6): or other NRC-approved, event-specific licensing bases (e.g., a small fraction of 10 CFR 100 limits).

The Technical Specification limit of 150 gallons per day (gpd) primary to secondary LEAKAGE through any one steam generator is significantly less than the initial conditions assumed in the safety analyses. The 150 gpd limit is based (continued)

PALO VERDE UNITS 1,2,3 B 3.4.14-2 REVISION 34

RCS Operational LEAKAGE B 3.4.14 BASES APPLICABLE on operating experience as an indication of one or more SAFETY ANALYSES propagating tube leak mechanisms. This leakage rate limit (continued) provides additional assurance against tube rupture at normal and faulted conditions and provides additional assurance that cracks will not propagate to burst prior to detection by leakage monitoring methods and commencement of plant shutdown.

RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36 (C)(2)(ii).

LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE.

Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

b. Unidentified LEAKAGE One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.
c. Identified LEAKAGE Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS makeup system. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources. but does not include pressure boundary LEAKAGE or controlled Reactor Coolant Pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system.

(continued)

PALO VERDE UNITS 1.2,3 B 3.4.14-3 REVISION 34

RCS Operational LEAKAGE B 3.4.14 BASES LCO LCO 3.4.15, "RCS Pressure Isolation Valve (PIV)

(continued) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leaktight. If both valves leak and result in a loss of mass from the RCS. the loss must be included in the allowable identified LEAKAGE.

d. Primary to Secondary LEAKAGE through Any One SG The maximum allowable operational primary to secondary LEAKAGE through any one SG of 150 gpd is based on operating experience as an indication of one or more propagating tube leak mechanisms. This operational limit is significantly less than the initial conditions assumed in the safety analyses.

The Steam Generator Tube Surveillance Program described in TS Section 5.5.9 ensures that the structural integrity of the SG tubes is maintained.

The 150 gpd leakage rate limit provides additional assurance against tube rupture at normal and faulted conditions and provides additional assurance that cracks will not propagate to burst prior to detection by leakage monitoring methods and commencement of plant shutdown. Primary to secondary LEAKAGE must be included in the total allowable limit for identified LEAKAGE.

APPLICABILITY In MODES 1. 2. 3. and 4. the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

(continued)

PALO VERDE UNITS 1,2.3 B 3.4.14-4 REVISION 7

RCS Operational LEAKAGE B 3.4.14 BASES SURVEILLANCE SR 3.4.14.1 (continued)

REQUIREMENTS An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and the containment sump level. These leakage detection systems are specified in LCO 3.4.16, "RCS Leakage Detection Instrumentation."

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Frequency is a reasonable interval to trend LEAKAGE and recognizes the importance of early leakage detection in the prevention of accidents. A Note under the Frequency column states that this SR is required to be performed during steady state operation.

SR 3.4.14.2 This SR provides the means necessary to determine SG OPERABILITY in an operational MODE. The requirement to demonstrate SG tube integrity in accordance with the Steam Generator Tube Surveillance Program emphasizes the importance of SG tube integrity, even though this Surveillance cannot be performed at normal operating conditions.

REFERENCES 1. 10 CFR 50. Appendix A. GDC 30.

2. Regulatory Guide 1.45, May 1973.
3. UFSAR. Section 15.6.
4. UFSAR, Section 6.4.
5. 10 CFR Part 100.
6. 10 CFR 50, Appendix A, GDC19.

PALO VERDE UNITS 1.2,3 B 3.4.14-7 REVISION 34

" I z ,-

e .. .

i This page intentionally blank

MSSVs B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Safety Valves (MSSVs)

BASES BACKGROUND The primary purpose of the MSSVs is to provide overpressure protection for the secondary system. The MSSVs also provide protection against overpressurizing the Reactor Coolant Pressure Boundary (RCPB) by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not available.

Five MSSVs are located on each of the four main steam lines, outside containment, upstream of the main steam isolation valves, as described in the UFSAR, Section 5.2 (Ref. 1). The MSSV rated capacity passes the full steam flow at 102% RTP (100% + 2% for instrument error) with the valves full open. This meets the requirements of the ASME Code,Section III (Ref. 2). The MSSV design includes staggered setpoints, according to Table 3.7.1-2, in the accompanying LCO, so that only the number of valves needed will actuate. Staggered setpoints reduce the potential for valve chattering if there is insufficient steam pressure to fully open all valves.

APPLICABLE The design basis for the MSSVs comes from Reference 2: its SAFETY ANALYSES purpose is to limit secondary system pressure to < 110% of design pressure when passing 100% of design steam flow. This design basis is sufficient to cope with any Anticipated Operational Occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.

The events that challenge the MSSV relieving capacity, and thus RCS pressure, are those characterized as decreased heat removal events, and are presented in the FSAR, Section 15.2 (Ref. 3). Of these, the full power Loss Of Condenser Vacuum (LOCV) event is the limiting AOO. An LOCV isolates the turbine and condenser, and terminates normal feedwater flow to the steam generators. Peak Main Steam System and Reactor Coolant System (RCS) pressure occur before delivery of auxiliary feedwater to the steam generators. The peak pressures become high enough to actuate both the Main Steam Safety Valves (MSSVs) and Pressurizer Safety Valves, but remain less than 110% of the design (1397 and 2750 psia for main steam system and RCS, respectively). The LOCV Secondary Peak Pressure event is the limiting decrease in heat removal transient for determining the maximum allowed thermal power with inoperable MSSVs. (continued)

PALO VERDE UNITS 1.2,3 B 3.7.1-1 REVISION 28

MSSVs B 3.7.1 BASES APPLICABLE SAFETY ANALYSES The limiting accident for peak RCS pressure is the full (continued) power feedwater line break (FWLB), inside containment, with the failure of the backflow check valve in the feedwater line from the affected steam generator. Water from the affected steam generator is assumed to be lost through the break with minimal additional heat transfer from the RCS.

With heat removal limited to the unaffected steam generator, the reduced heat transfer causes an increase in RCS temperature, and the resulting RCS fluid expansion causes an increase in pressure. The increase in Main Steam and Reactor Coolant System pressure is mitigated by the relief capacity of the Main Steam Safety Valves (MSSVs) and pressurizer safety valves. The peak pressures do not exceed 120% of the design pressure (1524 psia and 3000 psia for main steam and RCS, respectively). These results were found acceptable by the NRC based on the low probability of the event.

In MODE 3. one MSSV per steam generator (two total) have sufficient relieving capacity to dissipate core decay heat and reactor coolant pump heat to limit secondary system pressure to less than or equal to 110% of design pressure, as required by ASME Code,Section III (Ref. 2). A minimum of two MSSVs per steam generator are required to be operable in Mode 3 in case of a single failure of one of the valves in either steam generator.

The MSSVs satisfy Criterion 3 of 10CFR 50.36 (c)(2)(ii).

LCO This LCO requires all MSSVs to be OPERABLE in compliance with Reference 2, even though this is not a requirement of the DBA analysis. This is because operation with less than the full number of MSSVs requires limitations on allowable THERMAL POWER (to meet Reference 2 requirements), and adjustment to the Reactor Protection System trip setpoints in Modes 1 and 2. These limitations are according to those shown in Table 3.7.1-1 and Required Action A.2 in the accompanying LCO. Since the VOPT is not required to be operable in MODE 3 according to TSs 3.3.1 and 3.3.2, a note has been added to Table 3.7.1-1 stating that the VOPT setpoint is not required to be reset in MODE 3. An MSSV is considered inoperable if it fails to open upon demand.

The OPERABILITY of the MSSVs is defined as the ability to open within the setpoint tolerances, relieve steam generator (continued)

PALO VERDE UNITS 1,2,3 B 3.7.1-2 REVISION 34

MSSVs B 3.7.1 BASES LCO overpressure, and reseat when pressure has been reduced.

(continued) The OPERABILITY of the MSSVs is determined by periodic surveillance testing in accordance with the Inservice Testing Program.

The lift settings. according to Table 3.7.1-2 in the accompanying LCO. correspond to ambient conditions of the valve at nominal operating temperature and pressure.

This LCO provides assurance that the MSSVs will perform their designed safety function to mitigate the consequences of accidents that could result in a challenge to the RCPB.

APPLICABILITY In MODES 1 and 2. a minimum of six MSSVs per steam generator are required to be OPERABLE (up to four allowed inoperable),

according to Table 3.7.1-1 in the accompanying LCO. which is I

limiting and bounds all lower MODES.

In MODE 3, a minimum of two MSSVs per steam generator are required to be operable (up to eight allowed inoperable) according to Table 3.7.1-1 in the accompanying LCO.

In MODES 4 and 5. there are no credible transients requiring the MSSVs.

The steam generators are not normally used for heat removal in MODES 5 and 6. and thus cannot be overpressurized; there is no requirement for the MSSVs to be OPERABLE in these MODES.

ACTIONS The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each MSSV.

A.1 and A.2 When 10 MSSVs are OPERABLE per steam generator (none inoperable), THERMAL POWER is limited to 100% RTP per the Operating Licenses, and the VOPT allowable trip setpoint is limited to 111.0% RTP per TS Table 3.3.1-1.

When one to four MSSVs per steam generator are inoperable in MODES 1 or 2. an alternative to restoring inoperable I (continued)

PALO VERDE UNITS 1.2.3 B 3.7.1-3 REVISION 34

MSSVs B 3.7.1 BASES ACTIONS A.1 and A.2 (continued)

(continued)

MSSV(s) to OPERABLE status is to reduce power in accordance with Table 3.7.1-1. These reduced power levels, derived from the transient analysis, compensate for degraded relieving capacity and ensure that the results of the transient analysis are acceptable.

The operator should limit the maximum steady state power level to the value determined from Table 3.7.1-1 to avoid an inadvertent overpower trip.

The Completion Time of 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> for Required Action A.2 is based on a reasonable time to correct the MSSV inoperability, the time required to perform power reduction, operating experience in resetting all channels of a protective function and on the low probability of the occurrence of a transient that could result in steam generator overpressure during this period.

B.1 When one to four required MSSVs per steam generator are inoperable in MODES 1 or 2 and reactor power and the VOPT setpoint are not reduced to within the required values within the required Completion Times, or when five to eight MSSVs per steam generator are inoperable in MODES 1 or 2 an alternative to restoring inoperable MSSV(s) to OPERABLE status is to place the plant in MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> so that the available MSSV relieving capacity meets Code requirements. The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1 If the plant is not placed in MODE 3 within the Completion Time for Required Action B.1., the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 4 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time, in conjunction with the Completion Time for Required Action B.1. is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

PALO VERDE UNITS 1.2,3 B 3.7.1-4 REVISION 34

MSSVs B 3.7.1 BASES ACTIONS D.1 (continued)

When more than eight required MSSVs per steam generator are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR verifies the OPERABILITY of the MSSVs by the verification of each MSSV lift setpoints in accordance with the Inservice Testing Program. The ASME Code,Section XI (Ref. 4). requires that safety and relief valve tests be performed in accordance with ANSI/ASME OM-1-1987 (Ref. 5).

According to Reference 5, the following tests are required for MSSVs:

a. Visual examination:
b. Seat tightness determination;
c. Setpoint pressure determination (lift setting):
d. Compliance with owner's seat tightness criteria; and
e. Verification of the balancing device integrity on balanced valves.

The ASME Standard requires that all valves be tested every 5 years, and a minimum of 20% of the valves tested every 24 months. The ASME Code specifies the activities and frequencies necessary to satisfy the requirements.

Table 3.7.1-2 allows a +/- 3% setpoint tolerance for OPERABILITY: however, the valves are reset to +/- 1% during the Surveillance to allow for drift.

PALO VERDE UNITS 1,2,3 B 3.7.1-5 REVISION 34

MSSVs B 3.7.1 BASES SURVEILLANCE SR 3.7.1.1 (continued)

REQUIREMENTS (continued) This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. This is to allow testing of the MSSVs at hot conditions. The MSSVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the MSSVs are not tested at hot conditions, the lift setting pressure shall be corrected to ambient conditions of the valve at operating temperature and pressure.

REFERENCES 1. UFSAR, Section 5.2.

2. ASME. Boiler and Pressure Vessel Code.Section III, Article NC-7000. Class 2 Components.
3. UFSAR, Section 15.2.
4. ASME, Boiler and Pressure Vessel Code.Section XI, Subsection IWV.
5. ANSI/ASME OM-1-1987.

PALO VERDE UNITS 1.2.3 B 3.7.1-6 REVISION 34

AC Sources - Operating B 3.8.1 BASES BACKGROUND certain anticipated operational occurrences (AOOs) and (continued) design basis accidents (DBAs). the voltage to ESF buses PBA-S03 and PBB-'304 would change as a result of one or more of the following three automatic operations: (1)tripping of the generating unit, (2)fast bus transfer of the non-Class lE distribution system to the startup transformers, and (3)powering of the ESF loads by the automatic load sequencer. Analyses have been performed to determine the magnitude of voltage change due to each of these operations. Under conditions where these voltage changes would result in either inadequate voltages to the ESF equipment or tripping of the degraded voltage relays.

the guidance from Regulatory Guide 1.93 (Ref. 6) is not met and the affected offsite circuit(s) do not meet their required capability.

Tripping of a Palo Verde unit can result in either a decrease or increase in the switchyard voltage due to the change in the flow of volt-amperes reactive (VARs) into or out of the electrical grid. If two or more of Palo Verde units are on line and available to regulate switchyard voltage, the voltage will not change significantly following tripping of one unit. If only one unit is on line, is not providing switchyard voltage support (generator gross MVAR output s 0). and it trips, the post-trip switchyard voltage will be equal to or greater than the pre-trip switchyard voltage. If it had been providing switchyard voltage support (generator gross MVAR output > 0) the post-trip switchyard voltage could be lower than the pre-trip switchyard voltage. In this case, adequate voltage to the Class 1E buses is assured by blocking fast bus transfer and thus minimizing the loading and voltage drop on the startup transformer secondary circuit.

Voltage analyses also conclude that the maximum switchyard voltage should not exceed 535.5 kV. However, even if this limit is exceeded, the offsite circuits still have the capability to effect a safe shutdown, mitigate the effects of an accident, and continue to meet the operability requirements of Regulatory Guide 1.93 (Ref. 6). Sustained switchyard overvoltages during startup transformer light loading conditions can cause accelerated thermal aging of some plant electrical equipment. However, this would not cause catastrophic equipment failure or unavailability. A high voltage alMam at the APS Energy Control Center (ECC) alerts the transmission grid operators of the need for corrective actions, which could involve adjustment of the MVAR output of the Palo Verde generator(s), adjustment of (continued)

PALO VERDE UNITS 1,2.3 B 3.8.1-3 REVISION 34

AC Sources - Operating B 3.8.1 BASES BACKGROUND the MVAR output of nearby cogeneration units, or switching (continued) of transmission system voltage control devices. Therefore.

there is no LCO for high switchyard voltage.

Grid frequency can also affect the operation of safety equipment. For example, sustained high frequency can result in an excessive differential pressure across motor operated valves, and sustained low frequency can result in substandard pump flow. There are no LCOs for offsite circuit frequency, because the grid frequency is continuously monitored and maintained within a tight tolerance by non-Palo Verde organizations. These organizations utilize various automatic and manual methods to control frequency, such as maintaining a spinning reserve, load shedding, and turbine-governor controls.

Analyses, as discussed in UFSAR Section 8.2.2 (Ref. 2), and operating experience have demonstrated that the tripping of a Palo Verde unit has a minimal effect on grid frequency.

APPLICABLE The initial conditions of DBA and transient analyses in the SAFETY ANALYSES updated FSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5),

assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits: Section 3.4, Reactor Coolant System (RCS): and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and
b. A worst case single failure.

The AC sources satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii)

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.1-4 REVISION 34

AC Sources - Operating B 3.8.1 BASES APPLICABILITY The AC power requirements for MODES 5 and 6, and during (continued) movement of irradiated fuel assemblies are covered in LCO 3.8.2, "AC Sources - Shutdown."

ACTIONS Condition A applies only when the offsite circuit is unavailable to commence automatic load sequencing in the event of a design basis accident (DBA). In cases where the offsite circuit *isavailable for sequencing, but a DBA could cause actuation of the Degraded Voltage Relays, Condition G applies.

A.1 To ensure a highly reliable power source remains with the one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.

However, if a second required circuit fails SR 3.8.1.1. the second offsite circuit is inoperable, and Condition C. for two offsite circuits inoperable, is entered.

A.2 Required Action A.2, which only applies if the train (i.e.,

ESF bus) cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features. These features require Class 1E power from PBA-S03 or DBB-SO4 ESF buses to be OPERABLE, and include: charging pumps: radiation monitors Train A RU-29 and Train B RU-33 (TS 3.3.9), Train A RU-31 and Train B RU-145: pressurizer heaters (TS 3.4.9): ECCS (TS 3.5.3 and TS 3.5.4): containment spray (TS 3.6.6): containment isolation valves NCA-UV-402, NCB-UV-403, WCA-UV-62, and WCB-UV-61 (TS 3.6.3): containment hydrogen monitors (TS 3.3.10): hydrogen recombiners (TS .3.6.7); auxiliary feedwater system (TS 3.7.5): essential cooling water system (TS 3.7.7): essential spray pond system (TS 3.7.8): essential chilled water system (TS 3.7.10): control room essential filtration system (TS 3.7.11) control room emergency air temperature control (continued)

PALO VERDE UNITS 1.2.3 B 3.8.1-7 REVISION 34

AC Sources - Operating B 3.8.1 BASES ACTIONS A.2 (continued) system (TS 3.7.12): ESF pump room air exhaust cleanup system (TS 3.7.13): shutdown cooling subsystems (TS 3.4.6, 3.4.7, 3.4.8, and 3.4.15): and fuel building ventilation. Mode applicability is as specified in each appropriate TS section.

The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. The train has no offsite power supplying its loads:

and

b. A required feature on the other train is inoperable.

If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class lE Distribution System. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature.

Additionally, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

(continued)

PALO VERDE UNITS 1,2.3 B 3.8.1-8 REVISION 2

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES APPLICABILITY air are required to be within limits when the associated DG (continued) is required to be OPERABLE.

ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem are governed by separate Condition entry and application of associated Required Actions.

A.1 In this Condition (i.e.. < 80% indicated fuel level), the 7 day fuel oil supply (68.900 gallon of fuel) for a DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply (59.800 gallons of fuel). These circumstances may be caused by events such as full load operation required after an inadvertent start while at minimum required level: or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (Ž 6 days or 2 71% indicated fuel level), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

B.1 With lube oil inventory < 2.5 inches visible in the sightglass, sufficient lubricating oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply.

(continued)

PALO VERDE UNITS 1.2.3 B 3.8.3-3 REVISION 34

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS B.1 (continued)

This restriction allows sufficient time to obtain the requisite replacement volume. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of the required volume prior to decl aring the DG inoperable. This period is acceptable based on the remaining capacity ( > 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

The normal level of lube oil is maintained at mid-scale visible on the sightglass which ensures sufficient lube oil to support at least 13.5 days of engine operation during periods when the DG is supplying maximum post-LOCA load demand as discussed in the FSAR (Ref. 1). This is based on a conservative lube oil consumption rate of 1.5 gallons per hour and 486 gallons of available lube oil between the top of the lube oil suction pipe in the engine crankcase (minimum available level) and the mid-scale position on the sightglass. 252 gallons or 7 days of available lube oil is actually indicated at 1 inch visible in the sightglass.

With Ž 2.5 inches visible in the sightglass, a conservative supply of lube oil is ensured for 7 days of full load operation.

C.1 This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling),

contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend.

Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.3-4 REVISION 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS D.1 (continued)

With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended functioi.

E.1 Each DG is OPERA3LE with one air receiver capable of delivering an operating pressure of Ž 230 psig indicated.

Although there are two independent and redundant starting air receivers per DG. only one starting air receiver is required for DG OPERABILITY. Each receiver is sized to accomplish 5 DG starts from its normal operating pressure of 250 psig. and eazh will start the DG in < 10 seconds with a minimum pressure of 185 psig. If the required starting air receiver is < 230 psig and 2 185 psig, the starting air system is degraded and a period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This 48-hour period is acceptable based on the minimum starting air capacity (>

185 psig), the fact that the DG start must be accomplished on the first attempt (there are no sequential starts in emergency mode). and the low probability of an event during this brief period. Calculation 13-JC-DG-203 (Ref. 9) supports the proposed values for receiver pressures.

F.1 With a Required Action and associated Completion Time not met, or one or more DGs with diesel fuel oil, lube oil, or starting air subsystem inoperable for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.

(continued)

PALO VERDE UNITS 1.2,3 B 3.8.3-5 REVISION 34

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support each DG's operation for 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.

SR 3.8.3.2 This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The 2.5 inches visible in the sightglass requirement is based on the DG manufacturer consumption values for the run time of the DG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, when the DG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer recommended minimum level.

The 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since DG starts and run time are closely monitored by the unit staff.

SR 3.8.3.3 The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the (continued)

PALO VERDE UNITS 1,2,3 B 3.8.3-6 REVISION 0

Distribution Systems - Operating B 3.8.9 B 3.8 ELECTRIC4L POWER SYSTEMS B 3.8.9 Distrijution Systems - Operating BASES BACKGROUND The onsite Class lE AC, DC, and AC vital instrument bus electrical power distribution systems are divided into two trains. Each train has redundant and independent AC, DC, and AC vital instrument bus electrical power distribution subsystems.

The AC primary electrical power distribution system consists of two 4.16 kV Engineered Safety Feature (ESF) buses.

Each 4.16 kV ESF bus is normally connected to an offsite source. If the offsite source is de-energized or disconnected, the onsite emergency DG supplies power to the 4.16 kV ESF bus. Control power for the 4.16 kV breakers is supplied from the Class 1E batteries. Additional description of this system may be found in the Bases for LCO 3.8.1. "AC Sources - Operating," and the Bases for LCO 3.8.4. "DC Sources - Operating."

The secondary AC electrical power distribution system for each train includes the safety related load centers, and motor control ceiters shown in Table B 3.8.9-1.

The 120 VAC vital instrument buses are arranged in two channels per subsystem and are normally powered from the inverters. There are four channels designated as A, B, C and D for each uiit. The alternate power supply for the vital instrument buses are Class lE constant voltage source regulators powered from train-related Class lE motor control centers and its ise is governed by LCO 3.8.7.

"Inverters - Operating."

There are two independent 125 VDC electrical power distribution subsystems (Train A and Train B). Each subsystem contaiis two DC power channels. There are four channels designated as A, B. C, and D for each unit.

The list of all required distribution buses is presented in Table B 3.8.9-1. The six electrical power distribution subsystems consist of those components identified by Table B 3.8.9-1. Load breakers not identified by this table do not impact this LCO but may impact supported system LCOs.

Load breakers that are required to maintain energized those buses identified by Table B 3.8.9.-i (e.g. PG to PH) do impact this LCO.

(continued)

PALO VERDE UNITS 1.2,3 B 3.8.9-1 REVISION 34

Distribution Systems - Operating B 3.8.9 BASES (continued)

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, DC, and AC vital instrument bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits: Section 3.4, Reactor Coolant System (RCS): and Section 3.6, Containment Systems.

The OPERABILITY of the AC, DC, and AC vital instrument bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power: and
b. A worst case single failure.

The distribution systems satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The six required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital instrument bus electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. The AC, DC, and AC vital instrument bus electrical power distribution subsystems are required to be OPERABLE.

Maintaining the Train A and Train B AC, DC, and AC vital instrument bus electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.9-2 REVISION 0

Boron Concentration B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Boron Concentration BASES BACKGROUND The limit on the boron concentrations of the Reactor Coolant System (RCS) and the refueling canal, during refueling ensures that the reactor remains subcritical during MODE 6.

Refueling boron concentration is the soluble boron concentration in the coolant in each of these volumes having direct access to the reactor core during refueling.

The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Unit procedures ensure the specified boron concentration in order to maintain an overall core reactivity of keff < 0.95 during fuel handling. with control element assemblies (CEAs) and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowed by unit procedures.

GDC 26 of 10 CFR 50. Appendix A. requires that two independent reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holding the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable of maintaining the reactor subcritical in cold conditions by maintaining the boron concentration.

The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling. After the RCS is cooled and depressurized. the vessel head is unbolted and the head is slowly removed. The refueling canal *isflooded with borated water from the refueling water -tank into the open reactor vessel by gravity feeding or by the use of the Shutdown Cooling (SDC) System pumps.

(continued)

PALO VERDE UNITS 1.2.3 B 3.9.1-1 REVISION 34

Boron Concentration B 3.9.1 BASES BACKGROUND The pumping action of the SDC System in the RCS and the (continued) natural circulation due to thermal driving heads in the reactor vessel and the refueling canal mix the water to obtain a uniform concentration. The SDC System is in operation during refueling (see LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5. "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level") to provide forced circulation in the RCS and assist in maintaining the boron concentrations in the RCS and the refueling canal above the COLR limit.

APPLICABLE During refueling operations, the reactivity condition of the SAFETY ANALYSES core is consistent with the initial conditions assumed for the boron dilution accident in the accident analysis and is conservative for MODE 6. The boron concentration limit specified in the COLR is based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.

The required boron concentration and the unit refueling procedures that demonstrate the correct fuel loading plan (including full core mapping) ensure the keff of the core will remain < 0.95 during the refueling operation. Hence.

at least a 5%Ak/k margin of safety is established during refueling.

During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal and the reactor vessel form a single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.

The limiting boron dilution accident analyzed occurs in MODE 5 (Ref. 2). A detailed discussion of this event is provided in B 3.1.2, "SHUTDOWN MARGIN - Reactor Trip Breakers Closed."

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

(continued)

PALO VERDE UNITS 1,2.3 B 3.9.1-2 REVISION 0

ENCLOSURE 2 PVNGS Technical Specification Bases Revision 35 Insertion Instructions and Replacement Pages

PVNGS Technical Specifications Bases Revision 35 InsertionL Instructions Remove Pae:- Insert New Page:

Cover page Cover page List of Effective Pages, List of Effective Pages, Pages 1/2 :hrough Pages 1/2 through List of Effective Pages, List of Effective Pages, Page 7/8 Page 7/8 B 3.3.1-1/3.3.1-2 B 3.3.1-1/3.3.1-2 B 3.3.1-9/3.3.1-10 B 3.3.1-9/3.3.1-10 through through B 3.3.1-57/blank B 3.3.1-59/3.3.1-60 B 3.3.2-1/3.3.2-2 B 3.3.2-1/3.3.2-2 through through B 3.3.2-17/blank B 3.3.2-17/3.3.2-18 B 3.3.5-3/3.3.5-4 B 3.3.5-3/3.3.5-4 B 3.3.5-15/3.3.5-16 B 3.3.5-15/3.3.5-16 through through B 3.3.5-29/blank B 3.3.5-29/3.3.5-30 B 3.4.9-3/3.4.9-4 B 3.4.9-3/3.4.9-4 B 3.4.15-5/3.4.15-6 B 3.4.15-5/3.4.15-6 B 3.4.15-7/blank B 3.4.15-7/blank B 3.5.1-1/3.5.1-2 B 3.5.1-1/3.5.1-2 B 3.5.1-9/3.5.1-10 B 3.5.1-9/3.5.1-10 B 3.5.2-1/3.5.2-2 B 3.5.2-1/3.5.2-2 B 3.5.2-9/3.5.2-10 B 3.5.2-9/3.5.2-10 B 3.6.1-1/3.6.1-2 B 3.6.1-1/3.6.1-2 B 3.6.2-1/3.6.2-2 B 3.6.2-1/3.6.2-2 B 3.6.4-1/3.6.4-2 B 3.6.4-1/3.6.4-2 B 3.6.6-3/3.6.6-4 B 3.6.6-3/3.6.6-4 B 3.7.1-5/3.7.1-6 B 3.7.1-5/3.7.1-6 B 3.8.1-1/3.8.1-2 B 3.8.1-1/3.8.1-2 I

PVNGS Technical Specifications Bases Revision 35 Insertion Instructions Remove Page (cont): Insert New Page (cont):

B 3.8.1-27/:3.8.1-28 B 3.8.1-27/3.8.1-28 through through B 3.8.1-39/:3.8.1-40 B 3.8.1-43/3.8.1-44 B 3.8.3-3/3.8.3-4 B 3.8.3-3/3.8.3-4 B 3.8.4-7/3.8.4-8 B 3.8.4-7/3.8.4-8 through through B 3.8.4-11/blank B 3.8.4-11/blank B 3.9.1-1/3.9.1-2 B 3.9.1-1/3.9.1-2 2

P V'NGS Palo Verde Nuclear GeneratingStation Units 1, 2, and 3 Technical Specification Bases Revision 35 November 30, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 2.1.1-1 0 B 3.1.4-5 0 B 2.1.1-2 0 B 3.1.5-1 0 B 2.1.1-3 21 B 3.1.5-2 28 B 2.1.1-4 21 B 3.1.5-3 28 B 2.1.1-5 23 B 3.1.5-4 28 B 2.1.2-1 0 B 3.1.5-5 28 B 2.1.2-2 31 B 3.1.5-6 28 B 2.1.2-3 0 B 3.1.5-7 1 B 2.1.2-4 23 B 3.1.5-8 28 B 2.1.2-5 0 B 3.1.5-9 28 B 3.0-1 0 B 3.1.5-10 28 B 3.0-2 0 B 3.1.5-11 28 B 3.0-3 0 B 3.1.6-1 0 B 3.0-4 0 B 3.1.6-2 0 B 3.0-5 0 B 3.1.6-3 0 B 3.0-6 1 B 3.1.6-4 0 B 3.0-7 0 B 3.1.7-1 0 B 3.0-8 0 B 3.1.7-2 0 B 3.0-9 0 B 3.1.7-3 28 B 3.0-10 14 B 3.1.7-4 34 B 3.0-11 14 B 3.1.7-5 25 B 3.0-12 14 B 3.1.7-6 0 B 3.0-13 0 B 3.1.7-7 0 B 3.0-14 0 B 3.1.7-8 0 B 3.0-15 0 B 3.1.7-9 0 B 3.0-16 17 B 3.1.8-1 28 B 3.0-17 17 B 3.1.8-2 28 B 3.0-18 17 B 3.1.8-3 28 B 3.0-19 17 B 3.1.8-4 28 B 3.1.1-1 28 B 3.1.8-5 28 B 3.1.1-2 0 B 3.1.9-1 0 B 3.1.1-3 28 B 3.1.9-2 0 B 3.1.1-4 12 B 3.1.9-3 0 B 3.1.1-5 27 B 3.1.9-4 0 B 3.1.1-6 31 B 3.1.9-5 28 B 3.1.2-1 28 B 3.1.9-6 1 B 3.1.2-2 0 B 3.1.10-1 0 B 3.1.2-3 31 B 3.1.10-2 28 B 3.1.2-4 28 B 3.1.10-3 0 B 3.1.2-5 0 B 3.1.10-4 0 B 3.1.2-6 0 B 3.1.10-5 0 B 3.1.2-7 12 B 3.1.10-6 0 B 3.1.2-8 0 B 3.1.11-1 0 B 3.1.2-9 0 B 3.1.11-2 28 B 3.1.3-1 0 B 3.1.11-3 0 B 3.1.3-2 0 B 3.1.11-4 34 B 3.1.3-3 0 B 3.1.11-5 0 B 3.1.3-4 0 B 3.2.1-1 28 B 3.1.3-5 0 B 3.2.1-2 10 B 3.1.3-6 0 B 3.2.1-3 28 B 3.1.4-1 0 B 3.2.1-4 0 B 3.1.4-2 31 B 3.2.1-5 0 B 3.1.4-3 0 B 3.2.1-6 0 B 3.1.4-4 0 B 3.2.1-7 0 PALO VERDE UNITS 1, 2, AND 3 1 Revision 35 November 30, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.2.1-8 0 B 3.3.1-20 35 B 3.2.2-1 28 B 3.3.1-21 35 B 3.2.2-2 10 B 3.3.1-22 35 B 3.2.2-3 0 B 3.3.1-23 35 B 3.2.2-4 28 B 3.3.1-24 35 B 3.2.2-5 1 B 3.3.1-25 35 B 3.2.2-6 0 B 3.3.1-26 35 B 3.2.2-7 0 B 3.3.1-27 35 B 3.2.3-1 28 B 3.3.1-28 35 B 3.2.3-2 10 B 3.3.1-29 35 B 3.2.3-3 0 B 3.3.1-30 35 B 3.2.3-4 28 B 3.3.1-31 35 B 3.2.3-5 0 B 3.3.1-32 35 B 3.2.3-6 0 B 3.3.1-33 35 B 3.2.3-7 0 B 3.3.1-34 35 B 3.2.3-8 0 B 3.3.1-35 35 B 3.2.3-9 0 B 3.3.1-36 35 B 3.2.3-10 0 B 3.3.1-37 35 B 3.2.4-1 28 B 3.3.1-38 35 B 3.2.4-2 10 B 3.3.1-39 35 B 3.2.4-3 0 B 3.3.1-40 35 B 3.2.4-4 28 B 3.3.1-41 35 B 3.2.4-5 25 B 3.3.1-42 35 B 3.2.4-6 25 B 3.3.1-43 35 B 3.2.4-7 27 B.3.3.1-44 35 B 3.2.4-8 31 B.3.3.1-45 35 B 3.2.4-9 31 B.3.3.1-46 35 B.3.2.4-10 31 B.3.3.1-47 35 B 3.2.5-1 28 B.3.3.1-48 35 B 3.2.5-2 10 B.3.3.1-49 35 B 3.2.5-3 0 B.3.3.1-50 35 B 3.2.5-4 28 B.3.3.1-51 35 B 3.2.5-5 0 B.3.3.1-52 35 B 3.2.5-6 28 B.3.3.1-53 35 B 3.2.5-7 0 B.3.3.1-54 35 B 3.3.1-1 35 B.3.3.1-55 35 B 3.3.1-2 25 B.3.3.1-56 35 B 3.3.1-3 25 B.3.3.1-57 35 B 3.3.1-4 25 B 3.3.1-58 35 B 3.3.1-5 25 B 3.3.1-59 35 B 3.3.1-6 27 B 3.3.1-60 35 B 3.3.1-7 25 B 3.3.2-1 35 B 3.3.1-8 25 B 3.3.2-2 0 B 3.3.1-9 34 B 3.3.2-3 1 B 3.3.1-10 35 B 3.3.2-4 35 B 3.3.1-11 35 B 3.3.2-5 35 B 3.3.1-12 35 B 3.3.2-6 35 B 3.3.1-13 35 B 3.3.2-7 35 B 3.3.1-14 35 B 3.3.2-8 35 B 3.3.1-15 35 B 3.3.2-9 35 B 3.3.1-16 25 B 3.3.2-10 35 B 3.3.1-17 35 B 3.3.2-11 35 B 3.3.1-18 35 B 3.3.2-12 35 B 3.3.1-19 35 B 3.3.2-13 35 PALO VERDE UNITS 1, 2, AND 3 2 Revision 35 November 30, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.3.2-14 35 3 .3.5-14 0 B 3.3.2-15 35 3.3.5-15 35 B 3.3.2-16 35 3 .3 .5-16 35 B 3.3.2-17 35 3 .3 .5-17 35 B 3.3.2-18 35 3 .3 .5-18 35 B 3.3.3-1 25 3 .3 .5-19 35 B 3.3.3-2 27 3.3.5-20 35 B 3.3.3-3 25 3.3.5 -21 35 B 3.3.3-4 25 3 .3.5-22 35 B 3.3.3-5 25 3.3.5-23 35 B 3.3.3-6 25 3 .3 .5-24 35 B 3.3.3-7 27 3 .3 .5-25 35 B 3.3.3-8 27 3 .3 .5-26 35 B 3.3.3-9 27 3 .3.5-27 35 B 3.3.3-10 25 3 .3 .5-28 35 B 3.3.3-11 25 3 .3 .5-29 35 B.3.3.3-12 25 3 .3 .5-30 35 B .3.3. 3-13 25 3.3.6-1 0 B.3 .3.3-14 25 3.3.6-2 0 B.3 .3.3-15 27 3.3.6-3 0 B .3.3. 3-16 25 3.3.6-4 0 B .3.3.3 -17 25 3.3.6-5 31 B.3.3.3-18 25 3.3.6-6 0 B.3 .3.3-19 27 3.3.6-7 27 B .3.3.3-20 27 3.3.6 -8 27 B.3.3.3-21 27 3.3.6 -9 0 B 3.3.4-1 0 3.3.6-10 0 B 3.3.4-2 0 3.3.6 -11 0 B 3.3.4-3 0 3.3.6-12 0 B 3.3.4-4 0 3.3.6-13 0 B 3.3.4-5 0 3.3.6 -14 0 B 3.3.4-6 31 3.3.6-15 0 B 3.3.4-7 0 3.3.6-16 0 B 3.3.4-8 0 3.3.6 -17 27 B 3.3.4-9 0 3.3.6-18 0 B 3.3.4-10 0 3 .3.6-19 0 B 3.3.4-11 0 3 .3. 6-20 0 B 3.3.4-12 0 3.3 .6-21 1 B 3.3.4-13 0 3.3.6-22 1 B 3.3.4-14 0 3.3.7-1 2 B 3.3.4-15 0 3.3.7-2 2 B 3.3.5-1 0 3.3.7-3 0 B 3.3.5-2 0 3.3.7-4 0 B 3.3.5-3 0 3.3.7-5 0 B 3.3.5-4 35 3.3.7-6 0 B 3.3.5-5 0 3.3.7-7 0 B 3.3.5-6 0 3.3.7-8 0 B 3.3.5-7 0 3.3.7-9 2 B 3.3.5-8 31 3 .3 .8-1 0 B 3.3.5-9 0 3.3.8-2 0 B 3.3.5-10 0 3 .3 .8-3 0 B 3.3.5-11 0 3.3.8-4 0 B 3.3.5-12 1 3.3.8-5 0 B 3.3.5-13 0 3.3.8-6 1 PALO VERDE UNI:TS 1, 2, AND 3 3 Revision 35 November 30, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.3.8-7 0 3.4.3-4 2 B 3.3.8-8 0 3.4.3-5 2 B 3.3.9-1 0 3.4.3-6 0 B 3.3.9-2 2 3.4.3-7 0 B 3.3.9-3 21 3.4.3-8 2 B 3.3.9-4 10 3.4.4-1 0 B 3.3.9-5 1 3.4.4-2 7 B 3.3.9-6 0 3.4.4-3 7 B 3.3.9-7 0 3.4.4-4 0 B 3.3.10-1 0 3.4.5-1 0 B 3.3.10-2 0 3.4.5-2 34 B 3.3.10-3 0 3.4.5-3 30 B 3.3.10-4 0 3.4.5-4 0 B 3.3.10-5 18 3.4.5-5 6 B 3.3.10-6 0 3.4.6-1 0 B 3.3.10-7 0 3.4.6-2 6 B 3.3.10-8 14 3 .4. 6-3 6 B 3.3.10-9 14 3.4.6-4 6 B 3.3.10-10 14 3 .4.6-5 6 B 3.3.10-11 14 3.4.7-1 0 B 3.3.10-12 14 3.4.7-2 6 B 3.3.10-13 14 3.4.7-3 6 B 3.3.10-14 32 3.4.7-4 2 B 3.3.10-15 32 3.4.7-5 0 B 3.3.10-16 32 3.4.7-6 0 B 3.3.10-17 32 3.4.7-7 27 B 3.3.10-18 32 3.4.8-1 0 B 3.3.10-19 32 3.4.8-2 6 B 3.3.10-20 32 3.4.8-3 6 B 3.3.10-21 33 3.4.9-1 0 B.3.3.10-22 32 3.4.9-2 31 B 3.3.11-1 0 3.4.9-3 34 Corrected B 3.3.11-2 2 3.4.9-4 0 B 3.3.11-3 2 3.4.9-5 0 B 3.3.11-4 2 3.4.9-6 0 B 3.3.11-5 19 3.4.10-1 0 B 3.3.11-6 2 3.4.10-2 7 B 3.3.11-7 2 3 .4.10-3 0 B 3.3.12-1 15 3 .4.10-4 0 B 3.3.12-2 15 3.4.11-1 0 B 3.3.12-3 5 3.4.11-2 7 B 3.3.12-4 5 3.4.11-3 0 B 3.3.12-5 6 3.4. 11-4 0 B 3.3.12-6 6 3 .4.11-5 0 B 3.4.1-1 10 3.4.11-6 0 B 3.4.1-2 28 3.4.12-1 1 B 3.4.1-3 0 3 .4.12-2 34 B 3.4.1-4 0 3.4.12-3 0 B 3.4.1-5 0 3.4. 12-4 0 B 3.4.2-1 7 3.4.12-5 31 B 3.4.2-2 1 3 .4. 13-1 0 B 3.4.3-1 0 3.4.13-2 0 B 3.4.3-2 0 3 .4.13-3 1 B 3.4.3-3 0 3 .4.13-4 0 PALO VERDE UNITS 1, 2, AND 3 4 Revision 35 November 30, 2005

TECHNICKU SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3 .4. 13-5 0 B 3.5.3-3 0 3.4.13-6 0 B 3.5.3-4 0 3 .4. 13-7 2 B 3.5.3-5 0 3 .4. 13-8 2 B 3.5.3-6 2 3.4.13-9 0 B 3.5.3-7 2 3 .4.13-10 2 B 3.5.3-8 1 3.4.14-1 0 B 3.5.3-9 0 3 .4.14-2 34 B 3.5.3-10 2 3 .4.14-3 34 B 3.5.4-1 15 3 .4.14-4 7 B 3.5.4-2 0 3.4. 14-5 2 B 3.5.4-3 0 3 .4.14-6 2 B 3.5.5-1 0 3.4.14-7 34 B 3.5.5-2 7 3 .4.15-1 0 B 3.5.5-3 4 3 .4.15-2 0 B 3.5.5-4 4 3 .4.15-3 0 B 3.5.5-5 0 3 .4.15-4 0 B 3.5.5-6 0 3 .4. 15-5 0 B 3.5.5-7 0 3 .4. 15-6 35 B 3.5.6-1 0 3 .4. 15-7 35 B 3.5.6-2 1 3.4.16-1 2 B 3.5.6-3 0 3.4.16-2 10 B 3.5.6-4 24 3 .4.16-3 0 B 3.5.6-5 27 3.4.16-4 0 B 3.6.1-1 0 3 .4. 16-5 0 B 3.6.1-2 35 3 .4. 16-6 0 B 3.6.1-3 0 3.4.17-1 0 B 3.6.1-4 29 3 .4.17-2 27 B 3.6.1-5 29 3 .4.17-3 0 B 3.6.2-1 0 3 .4 . 17-4 0 B 3.6.2-2 35 3.4.17-5 0 B 3.6.2-3 0 3 .4. 17-6 0 B 3.6.2-4 0 3 .5.1-1 0 B 3.6.2-5 0 3.5.1-2 35 B 3.6.2-6 0

3. 5. 1-3 7 B 3.6.2-7 0 3 .5.1-4 0 B 3.6.2-8 0 3 . 5.1-5 0 B 3.6.3-1 27 3 .5.1-6 0 B 3.6.3-2 27 3.5. 1-7 1 B 3.6.3-3 27 3.5.1-8 1 B 3.6.3-4 27 3.5. 1-9 0 B 3.6.3-5 27 3.5.1-10 35 B 3.6.3-6 27 3.5.2-1 0 B 3.6.3-7 27 3.5.2-2 35 B 3.6.3-8 27 3 .5.2-3 0 B 3.6.3-9 27 3 .5.2-4 0 B 3.6.3-10 27 3.5.2-5 0 B 3.6.3-11 27 3.5.2-6 0 B 3.6.3-12 27 3.5.2-7 1 B 3.6.3-13 27 3.5.2-8 22 B 3.6.3-14 27 3.5.2-9 1 B 3.6.3-15 27 3.5.2-10 35 B 3.6.3-16 27 3.5.3-1 0 B 3.6.3-17 27 3 . 5.3-2 0 B.3.6.3-18 27 PALO VERDE UN::TS 1, 2, AND 3 5 Revision 35 November 30, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B.3.6.3-19 27 B 3.7.6-1 0 B 3.6.4-1 35 B 3.7.6-2 28 B 3.6.4-2 1 B 3.7.6-3 28 B 3.6.4-3 1 B 3.7.6-4 0 B 3.6.5-1 0 B 3.7.7-1 0 B 3.6.5-2 1 B 3.7.7-2 1 B 3.6.5-3 0 B 3.7.7-3 1 B 3.6.5-4 0 B 3.7.7-4 1 B 3.6.6-1 0 B 3.7.7-5 1 B 3.6.6-2 0 B 3.7.8-1 1 B 3.6.6-3 35 B 3.7.8-2 1 B 3.6.6-4 7 B 3.7.8-3 1 B 3.6.6-5 1 B 3.7.8-4 1 B 3.6.6-6 0 B 3.7.9-1 0 B 3.6.6-7 1 B 3.7.9-2 1 B 3.6.6-8 1 B 3.7.9-3 0 B 3.6.6-9 0 B 3.7.10-1 10 B 3.6.7-1 0 B 3.7.10-2 1 B 3.6.7-2 0 B 3.7.10-3 1 B 3.6.7-3 0 B 3.7. 10-4 1 B 3.6.7-4 0 B 3.7.11-1 0 B 3.6.7-5 0 B 3 .7.11-2 0 B 3.7.1-1 28 B 3.7.11-3 21 B 3.7.1-2 34 B 3.7.11-4 10 B 3.7.1-3 34 B 3.7.11-5 10 B 3.7.1-4 34 B 3.7.11-6 10 B 3.7.1-5 34 B 3 .7.12-1 1 B 3.7.1-6 28 Corrected B 3.7.12-2 21 B 3.7.2-1 0 B 3.7.12-3 21 B 3.7.2-2 0 B 3.7.12-4 10 B 3.7.2-3 31 B 3.7.13-1 0 B 3.7.2-4 0 B 3.7.13-2 0 B 3.7.2-5 0 B 3.7.13-3 0 B 3.7.2-6 0 B 3.7.13-4 0 B 3.7.3-1 1 B 3.7. 13-5 0 B 3.7.3-2 1 B 3.7.14-1 0 B 3.7.3-3 1 B 3.7.14-2 21 B 3.7.3-4 0 B 3.7.14-3 21 B 3.7.3-5 0 B 3.7.15-1 3 B 3.7.4-1 0 B 3.7.15-2 3 B 3.7.4-2 31 B 3.7.16-1 7 B 3.7.4-3 31 B 3.7. 16-2 0 B 3.7.4-4 0 B 3 .7. 16-3 0 B 3.7.5-1 0 B 3 .7.16-4 0 B 3.7.5-2 0 B 3 .7. 17-1 23 B 3.7.5-3 0 B 3 .7.17-2 3 B 3.7.5-4 27 B 3.7.17-3 3 B 3.7.5-5 9 B 3 .7. 17-4 3 B 3.7.5-6 9 B 3 .7.17-5 3 B 3.7.5-7 9 B 3.7.17-6 3 B 3.7.5-8 9 B 3.8.1-1 35 B 3.7.5-9 9 B 3.8.1-2 2 B 3.7.5-10 9 B 3 .8 . 1-3 34 B.3.7.5-11 9 B 3 .8.1-4 34 PALO VERDE UNITS 1, 2, AND 3 6 Revision 35 November 30, 2005

TECHNICA'h SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3. 8.1-5 20 B 3.8.3-9 0 3.8.1-6 27 B 3.8.4-1 0 3.8.1-7 34 B 3.8.4-2 0 3 .8.1-8 2 B 3.8.4-3 0 3 .8.1-9 27 B 3.8.4-4 2 3 .8. 1-10 2 B 3.8.4-5 2 3.8. 1-11 2 B 3.8.4-6 2 3.8. 1-12 2 B 3.8.4-7 35 3 .8.1-13 2 B 3.8.4-8 35
3. 8. 1-14 2 B 3.8.4-9 35 3.8.1-15 2 B 3.8.4-10 35 3.8.1-16 20 B 3.8.4-11 35 3 .8.1-17 20 B 3 .8.5-1 1 3.8.1-18 20 B 3.8.5-2 1 3.8.1-19 20 B 3.8.5-3 21 3 .8.1-20 20 B 3.8.5-4 21 3 .8. 1-21 20 B 3.8.5-5 2 3 .8.1-22 20 B 3 .8.5-6 2 3 .8.1-23 20 B 3 .8.6-1 0 3.8.1-24 20 B 3 .8.6-2 0 3.8.1-25 20 B 3.8.6-3 0 3.8.1-26 20 B 3.8.6-4 6 3 .8.1-27 35 B 3.8.6-5 6 3 .8. 1-28 35 B 3.8.6-6 6 3 .8 .1-29 35 B 3 . 8. 6-7 0 3 .8.1-30 35 B 3.8.7-1 0 3 .8.1-31 35 B 3.8.7-2 0 3 .8. 1-32 35 B 3.8.7-3 0 3.8.1-33 35 B 3.8.7-4 0
3. 8. 1-34 35 B 3.8.8-1 1 3 .8. 1-35 35 B 3 .8.8-2 1 3.8.1-36 35 B 3 .8.8-3 21 3 .8. 1-37 35 B 3.8.8-4 21 3.8.1-38 35 B 3.8.8-5 1 3.8.1-39 35 B 3.8.9-1 34 3.8.1-40 35 B 3 .8.9-2 0 3 .8. 1-41 35 B 3.8.9-3 0 3 .8. 1-42 35 B 3.8.9-4 0 3 .8. 1-43 35 B 3.8.9-5 0
3. 8. 1-44 35 B 3.8.9-6 0 3.8.2-1 0 B 3.8.9-7 0 3.8.2-2 0 B 3.8.9-8 0 3 .8.2-3 0 B 3.8.9-9 0 3.8.2-4 21 B 3 .8.9-10 0 3.8.2-5 21 B 3.8.9-11 0 3.8.2-6 0 B 3 .8.10-1 0 3 .8.3-1 0 B 3.8.10-2 21 3 . 8.3-2 0 B 3 .8.10-3 0 3 . 8.3-3 34 Corrected B 3 . 8.10-4 0 3 . 8 .3-4 0 B 3 .9 .1-1 34 Corrected 3 . 8.3-5 34 B 3 .9.1-2 0 3 .8.3-6 0 B 3 .9. 1-3 0 3.8.3-7 0 B 3.9.1-4 0 3 .8.3-8 0 B 3.9.2-1 15 PALO VERDE UN:ITS 1, 2, AND 3 7 Revision 35 November 30, 2005

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.9.2-2 15 B 3.9.2-3 15 B 3.9.2-4 15 B 3.9.3-1 18 B 3 .9.3-2 19 B 3.9.3-3 27 B 3.9.3-4 19 B 3.9.3-5 19 B. 3 .9.3-6 19 B 3.9.4-1 0 B 3.9.4-2 1 B 3.9.4-3 0 B 3.9.4-4 0 B 3 .9.5-1 0 B 3.9.5-2 16 B 3.9.5-3 27 B 3 .9 .5-4 16 B. 3 .9.5-5 16 B 3 .9.6-1 0 B 3.9.6-2 0 B 3 .9. 6-3 0 B 3.9.7-1 0 B 3.9.7-2 0 B 3.9.7-3 0 PALO VERDE UNITS 1, 2, AND 3 8 Revision 35 November 30, 2005

RPS Instrumentation - Operating B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation - Operating BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features 'ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Except for the T-ip Function 6 and 7. the LSSS defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs). For Trip Functions 6 and 7. the UFSAR Trip Setpoint is the LSSS.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

  • The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);
  • Fuel centerline melting shall not occur; and

Maintaining the 3arameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of (continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-1 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND occurrence. Meeting the acceptable dose limit for an (continued) accident category is considered having acceptable consequences for that event.

The RPS is segmented into four interconnected modules.

These modules are:

  • Measurement channels;
  • Bistable trip units:

This LCO addresses measurement channels and bistable trip units. It also addresses the automatic bypass removal feature for those trips with operating bypasses. The RPS Logic and RTCBs are addressed in LCO 3.3.4. "Reactor Protective System (RPS) Logic and Trip Initiation." The CEACs are addressed in LCO 3.3.3, "Control Element Assembly Calculators (CEACs)."

Measurement Channels (Before CPC Upgrade)

Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

The excore nuclear instrumentation, the core protection calculators (CPCs), and the CEACs, though complex. are considered components in the measurement channels of the Variable Over Power - High, Logarithmic Power Level - High, DNBR - Low, and Local Power Density (LPD) - High trips.

Four identical measurement channels, designated channels A through D, with electrical and physical separation, are provided for each parameter used in the generation of trip signals, with the exception of the control element assembly (CEA) position indication used in the CPCs. Each measurement channel provides input to one or more RPS bistables within the same RPS channel. In addition, some measurement channels may also be used as inputs to Engineered Safety Features Actuation System (ESFAS)

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-2 REVISION 25

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Measurement Channels (After CPC Upgrade) (continued)

The CPPs transmi: CEA position to the appropriate CEAC in all four CPC channels over optically isolated datalinks, such that CEAC 1 in all channels receives the position of all CEAs based upon RSPT 1, and CEAC 2 receives the position of all CEAs based upon RSPT 2. Thus the position of all CEAs is independently monitored by both CEACs in each CPC channel.

The CPCs display the position of each CEA to the operator on a separate single CEA Position Flat Panel Display. Each CPC channel is connected to the display by means of an optically isolated data link. The operator may select the channel for display. Selecting channel A or B will display CEA position based upon RSPT 1 on each CEA, whereas selecting channel C or D will display CEA position based upon RSPT 2 on each CEA.

CEACS are addressed in LCO 3.3.3.

Bistable Trip Units (Before CPC Upgrade)

Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels. They compare the analog input to trip setpoints and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation.

There are four channels of bistables. designated A. B. C, and D, for each RPS parameter, one for each measurement channel. Bistables de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate a reactor trip (two-out-of-four logic).

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-9 REVISION 34

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Bistable Trip Units (Before CPC Upgrade) (continued)

Some measurement channels provide contact outputs to the PPS. In these cases, there is no bistable card, and opening the contact input directly de-energizes the associated bistable relays. These include the CPC generated DNBR - Low and LPD - High trips. The CPC auxiliary trip functions (e.g., CPC VOPT algorithm) do not have any direct contact outputs to the PPS. The auxiliary trip functions act through the DNBR - Low and LPD - High trip contacts to de-energize the associated CPC initiation relays that provide a channel trip signal to the PPS parameters 3 and 4 bistable relays. Other CPC trip functions may also apply a penalty factor to cause a DNBR or LPD trip.

The trip setpoints used in the bistables are based on analytical limits derived from safety analyses (Ref. 5 and 8). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6). Allowable Values specified in Table 3.3.1-1, in the accompanying LCO. are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in "Calculation of Trip Setpoint Values" (Ref. 7). The UFSAR Trip Setpoints are based on the calculated total loop uncertainty consistent with the methodology as documented in the UFSAR (RG 1.105, Revision 1, November 1976) (Ref. 14). The general relationship among the PVNGS trip setpoint terms is as follows: The calculated Limiting Setpoint (LS p) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety limit is maintained.

A channel is inoperable if its actual setpoint is non-conservative with respect to its Allowable Value.

To maintain the margins of safety assumed in the safety analyses, the calculations of the trip variables for the (continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-10 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Bistable Trip Unmts (Before CPC Upgrade) (continued)

DNBR - Low and Local Power Density - High trips include the measurement, calculational. and processor uncertainties and dynamic allowances as defined in the latest applicable revision of CEN-305-P. "Functional Design Requirements for a Core Protection Calculator" (Ref. 10) and CEN-304-P," Functional Design Requirements for a Control Element Assembly Calculator." (Ref. 11).

The safety analyses also credit the CPC auxiliary trip functions (VOPT. T-hot Saturation, ASGT, and Low RCS Pressure), which act through the DNBR - Low and LPD -

High trip contacts. to provide core protection during Anticipated Operational Occurrences and Design Basis Accidents (Ref. 5'and 8).

Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0. "SAFETY LIMITS (SLs),"

are not violated during AOOs. and the consequences of DBAs will be acceptable. providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Note that in LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS. except for Trip Functions 6 and 7. For Trip Functions 6 and 7. the UFSAR Trip Setpoint is the LSSS.

Functional testing of the entire RPS, from bistable input through the opening of individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested. UFSAR. Section 7.2 (Ref. 8). provides more detail on RPS testing.

Processing transnitter calibration is normally performed on a refueling basis.

Bistable Trip Units (After CPC Upgrade)

Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels. They compare the analog input to trip setpoints and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-11 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Bistable Trip Units (After CPC Upgrade) (continued)

There are four channels of bistables, designated A, B, C, and D, for each RPS parameter, one for each measurement channel. Bistables de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising and Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate a reactor trip (two-out-of-four logic).

Some measurement channels provide contact outputs to the PPS. In these cases, there is no bistable card, and opening the contact input directly de-energizes the associated bistable relays. These include the CPC generated DNBR - Low and LPD - High trips. The CPC auxiliary trip functions (e.g., CPC VOPT algorithm) do not have any direct contact outputs to the PPS. The auxiliary trip functions act through the DNBR - Low and LPD - High trip contacts to de-energize the associated CPC initiation relays that provide a channel trip signal to the PPS parameters 3 and 4 bistable relays. Other CPC trip functions may also apply a penalty factor to cause a DNBR or LPD trip.

The trip setpoints used in the bistables are based on the analytical limits derived from the accident analysis (Ref. 5). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6). Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in "Calculation of Trip Setpoint Values" (Ref. 7). The UFSAR Trip Setpoints are based on the calculated total loop uncertainty consistent with the methodology as documented in the UFSAR (RG 1.105, Revision 1, November 1976) (Ref. 14). The general relationship among the PVNGS trip setpoint terms is as follows: The calculated (continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-12 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Bistable Trip Units (After CPC Upgrade) (continued)

Limiting Setpoin: (LSp) is determined within the plant specific setpoin: analysis and is based on the Analytical Limit and the To:al Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in :he UFSAR. The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety limit is maintained.

A channel is inoperable if its actual setpoint is non-conservative with respect to its Allowable Value.

To maintain the margins of safety assumed in the safety analyses, the calculations of the trip variables for the DNBR - Low and Local Power Density - High trips include the measurement, calculational, and processor uncertainties and dynamic allowances as defined in the latest applicable revision of CEN-305-P, "Functional Design Requirements for a Core Protection Calculator" (Ref. 10) and CEN-304-P, "Functional Design Requirements for a Control Element Assembly Calcula.or," (Ref. 11). The safety analyses also credit the CPC auxiliary trip functions (VOPT, T-hot Saturation, ASGT, and Low RCS Pressure), which act through the DNBR - Low and LPD - High trip contacts, to provide core protection during Anticipated Operational Occurrences and Design Basis Accidents (Ref. 5 and 8).

Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0. "SAFETY LIMITS (SLs)," are not violated during AOOs, and the consequences of DBAs will be acceptable. providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Note that in LCO 3.3.1. the Allowable Values of Table 3.3.1-1 are the LSSS, except for Trip Functions 6 and 7.

For Trip Functions 6 and 7, the UFSAR Trip Setpoint is the LSSS.

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-13 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Bistable Trip Units (After CPC Upgrade) (continued)

Functional testing of the entire RPS, from bistable input through the opening of individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested. CPC and CEAC functional testing is performed quarterly and during refueling.

UFSAR. Section 7.2 (Ref. 8). provides more detail on RPS testing. Processing transmitter calibration is normally performed on refueling basis.

RPS Logic The RPS Logic, addressed in LCO 3.3.4. consists of both Matrix and Initiation Logic and employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD. BC. BD. and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-14 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND RPS Logic (continued)

The matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths. Each trip path provides power to one of the four normally energized RTCB initiation relays. The trip paths thus each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six T-gic matrices indicate a coincidence condition.

Each trip path is responsible for opening one of the four RTCBs. The RTCB initiation relays, when de-energized.

interrupt power to the breaker undervoltage trip attachments and simultaneously apply power to the shunt trip attachments on each of the breakers. Actuation of either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs).

When a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four initiation relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all four RTCBs, tripping them open.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel.

The Initiation Logic consists of the trip path power source, matrix relays and their associated contacts. all interconnecting wiring, initiation relays, and the initiation relay contacts in the RTCB control circuitry.

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-15 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND RPS Logic (continued)

It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition.

Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel.

Trip channel bypassing is normally employed during maintenance or testing.

Two-out-of-three logic also prevents inadvertent trips caused by any single channel failure in a trip condition.

In addition to the trip channel bypasses, there are also operating bypasses on select RPS trips. These bypasses are enabled manually in all four RPS channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied. Operating bypasses are normally implemented in the bistable, so that normal trip indication is also disabled. Trips with operating bypasses include Pressurizer Pressure - Low, Logarithmic Power Level - High, and CPC (DNBR - Low and LPD - High). Refer also to B 3.3.5 for ESFAS operating bypasses.

Reactor Trip Circuit Breakers (RTCBs)

The reactor trip switchgear, addressed in LCO 3.3.4, consists of four RTCBs. Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel, such that the loss of either MG set does not de-energize the CEDMs. Power is supplied from the MG sets to the CEDM's via two redundant paths (trip legs). Trip legs 1 and 3 are in parallel with Trip legs 2 and 4. This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-16 REVISION 16

RPS Instrumentation - Operating B 3.3.1 BASES BACKGROUND Reactor Trip Circuit Breakers (RTCBs) (continued)

Each of the two -rip legs consists of two RTCBs in series.

The two RTCBs within a trip leg are actuated by separate initiation circuits.

Each RTCB is operated by either a manual reactor trip push button, a Supplementary Protection System (SPS) trip relay or an RPS actuated Initiation relay. There are four Manual Trip push buttons each push button operates one of the four RTCBs. Depressing either of the push buttons in both trip legs will result in a reactor trip.

When a Manual Trip is initiated using the control room push buttons, the RPS trip paths and Initiation relays are not utilized, and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS.

Manual Trip circuitry includes the push button and interconnecting wiring to the RTCBs necessary to actuate both the undervoltage and shunt trip attachments but excludes the Initiation relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic.

Functional testing of the entire RPS, from bistable input through the opening of individual RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. UFSAR, Section 7.2 (Ref. 8). explains RPS testing in more detail.

APPLICABLE Design Basis Definition SAFETY ANALYSES The RPS is designed to ensure that the following operational criteria are met:

  • The associated actuation will occur when the parameter monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied;
  • Separation and redundancy are maintained to permit a channel to be out of service for testing or maintenance while still maintaining redundancy within the RPS instrumentation network.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-17 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE Design Basis Definition (continued)

SAFETY ANALYSES Each of the analyzed accidents and transients can be detected by one or more RPS Functions. The accident analysis takes credit for most of the RPS trip Functions.

Those functions for which no credit is taken, termed equipment protective functions, are not needed from a safety perspective.

Each RPS setpoint is chosen to be consistent with the function of the respective trip. The basis for each trip setpoint falls into one of three general categories:

Category 1: To ensure that the SLs are not exceeded during AOOs:

Category 2: To assist the ESFAS during accidents: and Category 3: To prevent material damage to major plant components (equipment protective).

The RPS maintains the SLs during AOOs and mitigates the consequences of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis are part of the NRC staff approved licensing basis for the plant.

Noncredited Functions include the Steam Generator #1 Level - High, and the Steam Generator #2 Level - High. These trips minimize the potential for equipment damage.

The specific safety analysis applicable to each protective function is identified below:

1. Variable Over Power-High (RPS)

The Variable Over Power - High Trip (RPS-VOPT) is provided to protect the reactor core during positive reactivity addition excursions. Under steady state conditions the trip setpoint will stay above the neutron power level signal by a preset value, called the band function. When the power level increases the setpoint will increase to attempt to maintain the separation defined by the Band function, however the (continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-18 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE Design Basis Definition (continued)

SAFETY ANALYSES

1. Variable Over Power-High (RPS) (continued) rate of the setpoint change is limited by the rate function. If the power level signal increases faster than the setpoint, a trip will occur when the power level eventually equals the trip setpoint. The maximum value the setpoint can have is determined by the ceiling function.

A positive reactivity excursion transient will be detected by one or more RPS Functions. The Variable Over Power-High trip (RPS-VOPT) can provide protection against core damage during the following events:

  • Uncontrolled CEA Withdrawal From Subcritical and Low Power (AOO); and
  • CEA Ejection (Accident).
2. Logarithmic Power Level - High The Logarithmic Power Level - High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

In MODES 2. 3. 4. and 5. with the RTCBs closed and the CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 1E-4% NRTP. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4. and 5. with the RTCBs closed, are addressed in LCO 3.3.2. "Reactor Protective System (RPS) Instrumentation - Shutdown."

In MODES 3. 4. or 5. with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level - High trip does not have to be OPERABLE. The indication and alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12, "Boron Dilution Alarm System (BDAS)".

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-19 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE Design Basis Definition (continued)

SAFETY ANALYSES

3. Pressurizer Pressure - High The Pressurizer Pressure - High trip provides protection for the high RCS pressure SL. In conjunction with the pressurizer safety valves and the main steam safety valves (MSSVs), it provides protection against overpressurization of the RCPB during the following events:
  • CEA Withdrawal From Low Power Conditions (AOO);
  • Chemical and Volume Control System Malfunction (AOO); and
4. Pressurizer Pressure - Low The Pressurizer Pressure - Low trip is provided to trip the reactor to assist the ESF System in the event of loss of coolant accidents (LOCAs). During a LOCA, the SLs may be exceeded; however, the consequences of the accident will be acceptable. A Safety Injection Actuation Signal (SIAS) and a Containment Isolation Actuation Signal (CIAS) are initiated simultaneously.
5. Containment Pressure - High The Containment Pressure - High trip prevents exceeding the containment design pressure psig during a design basis LOCA or main steam line break (MSLB) accident.

During a LOCA or MSLB the SLs may be exceeded:

however. the consequences of the accident will be acceptable. An SIAS, CIAS. and MSIS are initiated simultaneously.

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-20 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE Design Basis Definition (continued)

SAFETY ANALYSES

i. 7. Steam Generator Pressure - Low The Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low trips provide protection against an excessive rate of heat extraction from the steam generators and resulting rapid, uncontrolled cooldown of the RCS. This trip is needed to shut down the reactor and assist the ESF System in the event of an MSLB or main feedwater line break accident. A main steam isolation signal (MSIS) is initiated simultaneously.

3, 9. Steam Generator Level - Low The Steam Generator #1 Level - Low and Steam Generator #2 Level - Low trips ensure that a reactor trip signal is generated for the following events to help prevent exceeding the design pressure of the RCS due to the loss of the heat sink:

  • Loss ol' Condenser Vacuum (AOO):
  • Feedwal;er System Pipe Break (Accident): and
  • Single RCP Rotor Seizure (AOO) 10 11. Steam Generztor Level - High The Steam Generator #1 Level - High and Steam Generator #2 Level - High trips are provided to protect the turbine from excessive moisture carryover in case of a steam cienerator overfill event. A Main Steam Isolation Signal (MSIS) is initiated simultaneously.

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-21 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE Design Basis Definition (continued)

SAFETY ANALYSES 12, 13. Reactor Coolant Flow - Low The Reactor Coolant Flow Steam Generator #1-Low and Reactor Coolant Flow Steam Generator #2-Low trips provide protection against an RCP Sheared Shaft Event.

A trip is initiated when the pressure differential across the primary side of either steam generator decreases below a variable setpoint. This variable setpoint stays below the pressure differential by a reset value called the step function, unless limited by a preset maximum decreasing rate determined by the Ramp Function, or a set minimum value determined by the Floor Function. The setpoints ensure that a reactor trip occurs to limit fuel failure and ensure offsite doses are within 10 CFR 100 guidelines.

14. Local Power Density - High The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following AOOs and assist the ESF systems in the mitigation of the following accidents.

The LPD - High trip provides protection against fuel centerline melting due to the occurrence of excessive local power density peaks during the following AOOs:

  • Increased Main Steam Flow (not due to the steam line rupture) Without Turbine Trip:
  • Uncontrolled CEA Withdrawal From Low Power:
  • Uncontrolled CEA Withdrawal at Power: and
  • CEA Misoperation: Single Part Length CEA Drop (for Units that have Part Length CEAs).

For the events listed above (except CEA Misoperation; Single Part Length CEA Drop), DNBR - Low will trip the reactor first, since DNB would occur before fuel centerline melting would occur.

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-22 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE Design Basis Definition (continued)

SAFETY ANALYSES

15. Departure from Nucleate Boiling Ratio (DNBR) - Low The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following A00s and assist the ESF systems in the mitigation of the following accidents.

The DNBR - Low trip provides protection against core damage due to the occurrence of locally saturated conditions in the limiting (hot) channel during the following events and is the primary reactor trip (trips the reactor first) for these events:

  • Increased Main Steam Flow (not due to steam line rupture) With a Concurrent Single Failure of an Active Component:
  • Steam L.ine Break With Concurrent Loss of Offsite AC Power:
  • Loss of Normal AC Power:
  • Uncontrolled CEA Withdrawal From Low Power:
  • Uncontrolled CEA Withdrawal at Power;
  • CEA Misoperation: Part Length or Part Strength CEA Subgroup Drop:
  • Primary Sample or Instrument Line Break: and

In the above list. only the steam generator tube rupture, the RCP shaft seizure, and the sample or instrument line break are accidents. The rest are A00s.

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-23 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE 15. Departure from Nucleate Boiling Ratio (DNBR)-Low SAFETY ANALYSES (continued)

In the safety analyses for transients involving reactivity and power distribution anomalies, credit may be taken for the CPC VOPT auxiliary trip algorithm in lieu of the RPS VOPT trip function. The exact trip credited (CPC or RPS) is documented in chapter 15 of the UFSAR under the individual event sections. The CPC VOPT auxiliary trip acts through the CPC DNBR-Low and LPD-High trip contacts to provide over power protection. When credit is taken for the CPC VOPT algorithm, the CPC VOPT setpoints installed in the plant are based on the safety analyses and may differ from the RPS VOPT allowable values and nominal setpoints. The setpoints associated with the CPC VOPT are controlled via Addressable Constants (TS Section 5.4.1) and Reload Data Block Constants (Ref. 8 and 13). The CPC VOPT auxiliary trip algorithm may provide protection against core damage during the following events:

  • Uncontrolled CEA Withdrawal From Low Power (AOO):
  • Uncontrolled CEA Withdrawal at Power (AOO):
  • Single CEA Withdrawal within Deadband (AOO);
  • CEA Ejection (Accident); and

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-24 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABLE 15. Departure from Nucleate Boiling Ratio (DNBR)-Low SAFETY ANALYSES (continued)

The DNBR algorithm used in the CPC is valid only within the limits indicated below and operation outside of these limits will result in a CPC initiated trip.

PARAMETER LIMITING VALUE RCS Cold Leg Temperature - Low 2 5050F RCS Cold Leg Tempereture - High

  • 5900F Axial Shape Index - Positive Not more positive than +0.5 Axial Shape Index - Negative Not more negative than -0.5 Pressurizer Pressure - Low 2 1860 psia Pressurizer Pressure - High < 2388 psia Integrated Radial Peaking Factor - Low 2 1.28 Integrated Radial Peaking Factor - High < 7.00 Quality Margin - Low > 0 Interlocks/Bypasses The operating bypasses and their Allowable Values are addressed in foo:notes to Table 3.3.1-1. They are not otherwise addressed as specific Table entries.

The automatic operating bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are no: bypassed. The basis for each of the operating bypasses is discussed under individual trips in the LCO section:

a. Logarithmic Power Level - High;
b. DNBR - Low and LPD - High.

The RPS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

(continued)

PALO VERDE UNITS 1.2,3 133.3.1-25 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR (Ref. 8). The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship will ensure that sufficient margin to the safety and/or analytical limit is maintained.

Only the Allowable Values (AVs) are specified for each RPS trip Function in the LCO. The AV is considered an operability limit for the channel. Nominal trip setpoints are specified in the plant specific setpoint calculations.

The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistable is performing as required.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. If the as-found instrument setting is found to be non-conservative with respect to the AV, or the as-left instrument setting cannot be returned to a setting within As-Left Tolerance (ALT), or the instrument is not functioning as required: then the instrument channel shall be declared inoperable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are (continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-26 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO defined in the "Plant Protection System Selection of Trip (continued) Setpoint Values" (Ref. 7).

The Bases for the individual Function requirements are as follows:

1. Variable Over Power-High (RPS)

This LCO requires all four channels of Variable Over Power High (RPS) to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to provide an operating eivelope that prevents unnecessary Variable Over Power High (RPS) reactor trips during normal plant operations. When the RPS VOPT trip function is credited in the safety analyses, the Allowable Value is based on the analyses and is low enough for the system to maintain a margin to unacceptable fuel or fuel cladding damage should a positive reactivity excursion event occur.

2. Logarithmic Power Level - High This LCO requires all four channels of Logarithmic Power Level - High to be OPERABLE in MODE 2.

In MODES 3, 4, or 5 when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal conditions are addressed in LCO 3.3.2.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-27 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO The Allowable Value is high enough to provide an (continued) operating envelope that prevents unnecessary Logarithmic Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur.

The Logarithmic Power Level - High trip may be bypassed when logarithmic power is above 1E-4% NRTP to allow the reactor to be brought to power during a reactor startup. This operating bypass is automatically removed when logarithmic power decreases below 1E-4% NRTP. Above 1E-4% NRTP, the Variable Over Power - High and Pressurizer Pressure - High trips provide protection for reactivity transients.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function.

Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function.

Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4%

NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-28 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 2. Logarithmic Power Level - High (continued)

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPJ automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending oi plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 require the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required. These CR switches are administratively controlled via station procedure therefore, the requirements of C.1 are continuously met.

3. Pressurizer Pressure - High This LCO requires four channels of Pressurizer Pressure - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its operation avoids the undesirable operation of these valves during normal plant operation. In the event of a loss of condenser vacuum at 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety valves may lift to prevent overpressurization of the RCS.

4. Pressurizer Pressure - Low This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1 and 2.

The Allowable Value is set low enough to prevent a reactor trip during normal plant operation and pressurizer pressure transients. However, the setpoint is high enough that with a LOCA, the reactor trip will occur soon enough to allow the ESF systems to perform as expected in the analyses and mitigate the consequences of the accident.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-29 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 5. Containment Pressure - High (continued)

The LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. It is set low enough to initiate a reactor trip when an abnormal condition is indicated.

6, 7. Steam Generator Pressure - Low This LCO requires four channels of Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low to be OPERABLE in MODES 1 and 2.

This UFSAR Trip Setpoint is sufficiently below the full load operating value for steam pressure so as not to interfere with normal plant operation, but still high enough to provide the required protection in the event of excessive steam demand. Since excessive steam demand causes the RCS to cool down, resulting in positive reactivity addition to the core. If the moderator temperature coefficient is negative a reactor trip is required to offset that effect.

The trip setpoint may be manually decreased as steam generator pressure is reduced during controlled plant cooldown, provided the margin between steam generator pressure and the setpoint is maintained < 200 psia.

This allows for controlled depressurization of the secondary system while still maintaining an active reactor trip setpoint and MSIS setpoint, until the time is reached when the setpoints are no longer needed to protect the plant. The setpoint increases automatically as steam generator pressure increases until the specified trip setpoint is reached.

Footnote (aa), which is divided into two parts. Will ensure compliance with 10 CFR 50.36 in the event that the instrument set points are found not to be conservative with respect to the as-found acceptance criteria. Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments in outside its As-Found Tolerance (AFT) but conservative with respect to the (continued)

PALO VERDE UNITS 1.2,3 B 3.3. 1-30 REVISION 35

RPS Instrumentation - Operating B 3.3.1 Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions.

The purpose of the assessment isto ensure confidence in the instrument performance prior to returning the instrument to service. Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability.

Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends.

Part 2 requires that the as-left setting for the instrument De returned to within the ALT of the specified trip setpoint. The specified field installed trip setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to tie safety and/or analytical limit is maintained. If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting witnin the ALT, or the instrument is not functioning as required: then the instrument channel shall be declared inoperable.

3. 9. Steam Generator Level - Low This LCO requires four channels of Steam Generator #1 Level - Low and Steam Generator #2 Level - Low for each steam generator to be OPERABLE in MODES 1 and 2. The (continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-31 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 8. 9. Steam Generator Level - Low (continued)

Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations.

The input signal providing the reactor trip input also provides an input to a bistable that initiates auxiliary feedwater to the affected generator via the Auxiliary Feedwater Actuation Signal (AFAS). The trip setpoint ensures that there will be sufficient water inventory in the steam generator at the time of the trip to provide a margin of at least 10 minutes before auxiliary feedwater is required to prevent degraded core cooling. The reactor trip will remove the heat source (except decay heat), thereby conserving the reactor heat sink.

10, 11. Steam Generator Level - High This LCO requires four channels of Steam Generator #1 Level - High and Steam Generator #2 Level - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to allow for normal plant operation and transients without causing a reactor trip. It is set low enough to ensure a reactor trip occurs before the level reaches the steam dryers. Having steam generator water level at the trip value is indicative of the plant not being operated in a controlled manner.

12, 13. Reactor Coolant Flow - Low This LCO requires four channels of Reactor Coolant Flow Steam Generator #1-Low and Reactor Coolant Flow Steam Generator # 2-Low to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during normal plant operations while providing the required protection. Tripping the reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure conditions for this event.

LCO 3.4.5. "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4." and LCO 3.4.7, "RCS Loops - MODE 5.

Loops Filled," ensure adequate RCS flow rate is maintained.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-32 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 14. Local Power Density - High (Before CPC Upgrade)

(continued)

This LCO requires four channels of LPD - High to be OPERABLE.

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents age acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety function.

The CPC channels may be manually bypassed below 1E-4% NRTP. as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%). the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature in that channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable be ow 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-33 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 14. Local Power Density - High (Before CPC Upgrade)

(continued)

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 require the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required.

These CR switches are administratively controlled via station procedure therefore, the requirements of C.1 are continuously met.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.

14. LOCAL Power Density - High (After CPC Upgrade)

This LCO requires four channels of LPD - High to be OPERABLE.

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety function.

The CPC channel has many redundant features designed to improve channel reliability. A minimum subset of features must be functional in order for the CPC to be capable of performing its safety related trip function. Therefore, the channel may remain OPERABLE in the presence of a subset of channel failures, while maintaining the ability to provide the LPD-High trip function.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-34 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 14. Local Power Density - High (After CPC Upgrade)

(continued)

On line CPC channel diagnostics make use of redundant features to maintain channel operability to the extent possible aid provide alarm and annunciation of detectable failures.

Those detectable CPC channel failures resulting in a loss of protective function and channel inoperability will result in a CPC Fail indication and associated Low DNBR and High LPD channel trips. Input failures resulting in a sensor out of range affecting one or more CPC process inputs will result in a CPC Sensor Failure indication. In addition, since the CPC software limits the sensor value to the lower or upper range limit value, a CPC channel trip would be generated in most cases due to these extreme values.

Detectable failures, whether they result in a channel inoperability or not, are logged in a system event list.

Redundancy is demonstrated as follows:

a. Each CPC channel redundantly processes analog process and nuclear instrumentation inputs. Only one of the two redundant analog processing modules is required to maintain operability.
b. CEA position is redundantly processed by two CEA Position Processors (CPPs) in each CPC channel, and transmitted to the appropriate CEACs in all four CPC channels over one way fiber-optically isolated data links. Only one source of CEA position is required to maintain channel operability.
c. Each CPC channel has two redundant operator interface panels, a maintenance test panel (MTP) in the Core Protection Calculator System (CPCS) cabinet, and an Operator's Module (OM) in the control room. Neither is required for the CPC to perform its safety related function. However, one must be functional to assist personnel in performing certain surveillances. Upon failure of the OM, MTP. or both, the CPC channel will remain operable.

Each CPCS channel contains six processor modules.

Failures of these modules are treated as follows:

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-35 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 14. Local Power Density - High (After CPC Upgrade)

(continued)

  • CPC Processor Module failure - this failure results in a CPC channel inoperability. as addressed by this LCO.
  • Aux CPC Processor Module failure - this failure does not result in a CPC channel inoperability since this module does not perform any safety related functions.
  • CEAC 1 Processor Module failure - this failure is addressed in LCO 3.3.3.
  • CEAC 2 Processor Module failure - this failure is addressed in LCO 3.3.3.
  • CPP 1 Processor Module failure - this failure is addressed in LCO 3.3.3.
  • CPP 2 Processor Module failure - this failure is addressed in LCO 3.3.3.

The CPC channels may be manually bypassed below 1E-4% NRTP. as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%). the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, (continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-36 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 14. Local Power Density - High (After CPC Upgrade)

(continued) when the indicated Log power channel is failed low (below 1E-40) the automatic DNBR-LPD trip bypass removal feature in that channel cannot function.

Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

When a Log channel is INOPERABLE. both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE.

Required Action C.1 for both LCOs 3.3.1 and 3.3.2 require the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required.

These CR switches are administratively controlled via station procedure therefore, the requirements of C.1 are continuously met.

This operating bypass is required to perform a plant startup. since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. Italso allows system tests at low power with Pressurizer Pressure - ow or RCPs off.

15. Departure from Nucleate Boiling Ratio (DNBR) - Low (Before CPUpgrade)

This LCO requires four channels of DNBR - Low to be OPERABLE.

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable ifCEAC inputs to the CPC are inoperable. The Required Actions required inthe event of CEAC channel failures ensure the CPCs are capable of performing their safety function.

The CPC channels may be manually bypassed below 1E-4% NRTP, as sensed by the logarithmic nuclear (continued)

PALO VERDE UNITS; 1.2.3 B 3.3.1-37 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 15. Departure from Nucleate Boiling Ratio (DNBR) - Low (Before CPC Upgrade) (continued) instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%). the automatic Hi-Log power trip bypass removal feature in that channel cannot function.

Similarly, when the indicated Log power channel is failed low (below 1E-4%). the automatic DNBR-LPD trip bypass removal feature in that channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE.

requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE.

Required Action C.1 for both LCOs 3.3.1 and 3.3.2 require the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required.

These CR switches are administratively controlled via (continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-38 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 15. Departure from Nucleate Boiling Ratio (DNBR) - Low (Before C C Upgrade) (continued) station procedure therefore, the requirements of C.1 are continuously met.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.

15. Departure from Nucleate Boiling Ratio (DNBR) - Low

{After CFC Jpgrade)

This LCO requires four channels of DNBR - Low to be OPERABLE.

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety function.

The CPC channel has many redundant features designed to improve channel reliability. A minimum subset of features must be functional in order for the CPC to be capable of oerforming its safety related trip function. Therefore, the channel may remain OPERABLE in the presence of a subset of channel failures. while maintaining the ability to provide the DNBR-Low trip function. On line CPC channel diagnostics make use of redundant features to maintain channel operability to the extent oossible. and provide alarm and annunciation of detectable failures.

Those detectable CPC channel failures resulting in a loss of protective function and channel inoperability will result in a CPC Fail indication and associated Low DNBR and High LPD channel trips. Input failures resulting in a sensor out of range affecting one or more CPC process inputs will result in a CPC Sensor Failure indication. In addition, since the CPC (continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-39 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 15. Departure from Nucleate Boiling Ratio (DNBR) - Low (After CPC Upgrade) (continued) software limits the sensor value to the lower or upper range limit value, a CPC channel trip would be generated in most cases due to these extreme values.

Detectable failures, whether they result in a channel inoperability or not, are logged in a system event list.

Redundancy is demonstrated as follows:

a. Each CPC channel redundantly processes analog process and nuclear instrumentation inputs. Only one of the two redundant analog processing modules is required to maintain operability.
b. CEA position is redundantly processed by two CEA Position Processors (CPPs) in each CPC channel, and transmitted to the appropriate CEACs in all four CPC channels over one way fiber-optically isolated data links. Only one source of CEA position is required to maintain channel operability.
c. Each CPC channel has two redundant operator interface panels, a maintenance test panel (MTP) in the Core Protection Calculator System (CPCS) cabinet, and an Operator's Module (OM) in the control room. Neither is required for the CPC to perform its safety related function. However, one must be functional to assist personnel in performing certain surveillances. Upon failure of the OM, MTP, or both, the CPC channel will remain operable.

Each CPCS channel contains six processor modules.

Failures of these modules are treated as follows:

  • CPC Processor Module failure - this failure results in a CPC channel inoperability, as addressed by this LCO.
  • Aux CPC Processor Module failure - this failure does not result in a CPC channel inoperability since this module does not perform any safety related functions.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-40 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 15. Departure from Nucleate Boiling Ratio (DNBR) - Low (ATter CPU Upgrade) (continued)

. CEAC 1 Processor Module failure - this failure is addressed in LCO 3.3.3.

  • CEAC 2 Processor Module failure - this failure is addressed in LCO 3.3.3.

. CPP 1 Processor Module failure - this failure is addressed in LCO 3.3.3.

  • CPP 2 Processor Module failure - this failure is addressed in LCO 3.3.3.

The CPC channels may be manually bypassed below 1E-4%

NRTP. as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%). the automatic DNBR-LPD trip bypass removal feature in that channel cannot function.

Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-41 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 15. Departure from Nucleate Boiling Ratio (DNBR) - Low (After CPC Upgrade) (continued)

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE.

Required Action C.1 for both LCOs 3.3.1 and 3.3.2 require the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal periodic verification. etc.) is required. These CR switches are administratively controlled via station procedure therefore, the requirements of C.1 are continuously met.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.

Interlocks/Bypasses The LCO on operating bypass permissive removal channels requires that the automatic operating bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODEs addressed in the specific LCO for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed.

Refer also to B 3.3.5 for ESFAS operating bypasses.

This LCO applies to the operating bypass removal feature only. If the bypass enable function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level -

High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint.

The interlock function Allowable Values are based upon analysis of functional requirements for the bypassed function. These are discussed above as part of the LCO discussion for the affected functions.

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-42 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES APPLICABILITY This LCO is applicable to the RPS Instrumentation in MODES 1 and 2. LCO 3.3.2 is applicable to the RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal. The requirements for the CEACs in MODES 1 and 2 are addressed *inLCO 3.3.3. The RPS Matrix Logic, Initiation Logic, RTCBs, and Manual Trips in MODES 1. 2. 3.

4, and 5 are addressed in LCO 3.3.4.

Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical.

which maintains the SLs during AOOs and assists the ESFAS in providing acceptable consequences during accidents.

Most trips are not required to be OPERABLE in MODES 3, 4.

and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:

The Logarithmic Power Level - High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4.

and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events.

  • Steam Generator Pressure-Low trip, is required in MODE 3. witi the RTCBs closed to provide protection for steam line break events in MODE 3.

The Logarithmic Power Level - High trip, and the Steam Generator Pressure-Low trip in these lower MODES are addressed in LCO 3.3.2. The Logarithmic Power Level - High trip is bypassed prior to MODE 1 entry and is not required in MODE 1.

The upgraded CPC system consists of eight total CEACs instead of the two found in the CPC System prior to upgrade. To facilitate the difference in the number of CEACs as will as to support the enhanced features found in the upgraded CPC system, a second 3.3.1 Technical Specification has been developed. The determination on which Specification applies is based on whether or not the unit has received the upgraded CPCs. Each unit shall only use the Specification that reflects the status of their unit's CPC system (i.e., before or after CPC upgrade).

(continued)

PALO VERDE UNITS 1,2,3 EB3.3.1-43 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint is less conservative than the Allowable Value in Table 3.3.1-1, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected functions provided by that channel must be declared inoperable. and the unit must enter the Condition for the particular protection Function affected.

When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation.

One Note has been added to the ACTIONS. Note 1 has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-44 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES ACTIONS With a channel process measurement circuit that affects (continued) multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below:

Process Measurement Circuit Functional Unit (Bypassed or Tripped)

1. Linear Powe, Variable Overpower (RPS)

(Subchannel or Linear) Local Power Density-High (RPS)

DNBR-Low (RPS)

2. Pressurizer Pressure-High Pressurizer Pressure-High (RPS)

(Narrow Range) Local Power Density-High (RPS)

DNBR-Low (RPS)

3. Steam Generator Pressure-Low Steam Generator Pressure-Low (RPS)

Steam Generator #1 Level-Low (ESF)

Steam Generator #2 Level-Low (ESF)

4. Steam Generator Level-Low Steam Generator Level-Low (RPS)

(Wide Range: Steam Generator #1 Level-Low (ESF)

Steam Generator #2 Level-Low (ESF)

5. Core Protection Calculator Local Power Density-High (RPS)

DNBR-Low (RPS)

A.1 and A.2 Condition A applies to the failure of a single trip channel or associated instrument channel inoperable in any RPS (continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-45 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES ACTIONS A.1 and A.2 (continued) automatic trip Function. RPS coincidence logic is two-out-of-four.

If one RPS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to bypass or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel in bypass. the coincidence logic is now in a two-out-of-three configuration.

The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a reactor trip.

B.1 Condition B applies to the failure of two channels in any RPS automatic trip Function.

The Required Action is modified by a Note stating that LCO 3.0.4 is not applicable. The Note was added to allow the changing of MODES, even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.

Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic: but with another channel failed, the RPS may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-46 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES ACTIONS B.1 (continued)

This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.

One of the two inoperable channels will need to be restored to operable status prior to the next required CHANNEL FUNCTIONAL TEST, because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reactor trip. Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.

C.1, C.2.1. and C(2.2 Condition C applies to one automatic bypass removal channel inoperable. If the inoperable operating bypass removal channel for any operating bypass channel cannot be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the affected automatic trip channel placed in maintenance (trip channel) bypass or trip. The operating bypass removal channel and the automatic trip channel must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and D.2 Condition D applies to two inoperable automatic operating bypass removal channels. If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the operating bypass either removed or one automatic trip channel placed in maintenance (trip channel) bypass and the other in trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-47 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES ACTIONS D.1 and D.2 (continued)

The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST, or the plant must shut down per LCO 3.0.3 as explained in Condition B.

The Required Action is modified by a Note stating that LCO 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.

E.1 (Before CPC Upgrade)

Condition E applies if any CPC cabinet receives a high temperature alarm. There are redundant temperature sensors in each of the four CPC bays. Since CPC bays B and C also house CEAC calculators 1 and 2, respectively, a high temperature in either of these bays requires entry into LCO 3.3.3, Condition C.

If a CPC cabinet high temperature alarm is received, it is possible for an OPERABLE CPC to be affected and not be completely reliable. Therefore, a CHANNEL FUNCTIONAL TEST must be performed on OPERABLE CPCs within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is adequate considering the low probability of undetected failure, the consequences of a single channel failure, and the time required to perform a CHANNEL FUNCTIONAL TEST.

E.1 (After CPC Upgrade)

Condition E is entered when the Required Action and associated Completion Time of Condition A, B. C, or D are not met.

If the Required Actions associated with these Conditions cannot be completed within the required Completion Time, the reactor must be brought to a MODE where the Required Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-48 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES ACTIONS F.1 (Before CPC Upgrade)

Condition F applies if an OPERABLE CPC has three or more autorestarts in a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> period.

CPCs and CEACs will attempt to autorestart if they detect a fault condition, such as a calculator malfunction or loss of power. A successful autorestart restores the calculator to operation; however, excessive autorestarts might be indicative of a calculator problem. The autorestart periodic test restart (Code 30), and normal system load (Code 33) are no: included in the total.

If a nonbypassed CPC has three or more autorestarts, it may not be completely reliable. Therefore, a CHANNEL FUNCTIONAL TEST must be performed on the CPC to ensure it is functioning properly. Based on plant operating experience, the Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is adequate and reasonable to perform the test while still keeping the risk of operating in :his condition at an acceptable level, since overt channel failure will most likely be indicated and annunciated inthe control room by CPC online diagnostics.

G.1 (Before CPC Upgrade)

Condition G is entered when the Required Action and associated Completion Time of Condition A, B, C, D, E, or F are not met.

If the Required Actions associated with these Conditions cannot be completed within the required Completion Time.

the reactor must be brought to a MODE where the Required Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The SRs for any particular RPS Function are found in the SR REQUIREMENTS column of Table :3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-49 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

In the case of RPS trips with multiple inputs, such as the DNBR and LPD inputs to the CPCs. a CHANNEL CHECK must be performed on all inputs.

SR 3.3.1.2 The RCS flow rate indicated by each CPC is verified, as required by a Note, to be less than or equal to the actual RCS total flow rate, determined by either using the reactor coolant pump differential pressure instrumentation or by calorimetric calculations, every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> when THERMAL POWER is 2 70% RTP. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reaching 70% RTP is (continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-50 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 (continued)

REQUIREMENTS for plant stabilization, data taking, and flow verification. This check (and if necessary, the adjustment of the CPC addressable constant flow coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications, as determined by the Core Operating Limits Supervisory System (COLSS).

The flow measurement uncertainty may be included in the BERRK term in the CPC and is equal to or greater than 4%.

SR 3.3.1.3 (Be-ore CPC Upgrade)

The CPC autorestart count is checked every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to monitor the CPC and CEAC for normal operation. If three or more autorestarts of a nonbypassed CPC occur within a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> period, the CPC may not be completely reliable.

Therefore, the Required Action of Condition F must be performed. The auto restart periodic tests restart (Code 30) and normal system load (Code 33) are not included in this total. The Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> interval.

SR 3.3.1.3 (Af.er CPC Upgrade)

The CPC System Event Log is checked every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to monitor the CPC channel performance, including redundant features not required for the CPC to perform its safety related trip function. The system event log provides a historical record of the last thirty detected CPC channel error conditions. A detected error condition may not render a channel inoperable, unless it is accompanied by a CPC Fail indication.

The Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is based upon the nature of the surveillance in detecting many non-critical error conditions, and considers that detectable failures resulting in a channel inoperability will result in a CPC Fail condition.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-51 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 REQUIREMENTS A daily calibration (heat balance) is performed when THERMAL POWER is > 20%. The Linear Power Level signal and the CPC addressable constant multipliers are adjusted to make the CPC AT power and nuclear power calculations agree with the calorimetric calculation if the absolute difference is > 2%

when THERMAL POWER is 2 80% RTP, and -0.5% to 10% when THERMAL POWER is between 20% and 80%. The value of 2% when THERMAL POWER is > 80% RTP, and -0.5% to 10% when THERMAL POWER is between 20% and 80% is adequate because this value is assumed in the safety analysis. These checks (and, if necessary, the adjustment of the Linear Power Level signal and the CPC addressable constant coefficients) are adequate to ensure that the accuracy of these CPC calculations is maintained within the analyzed error margins. The power level must be > 20% RTP to obtain accurate data. At lower power levels, the accuracy of calorimetric data is questionable.

The tolerance between 20% and 80% RTP is +10% to reduce the number of adjustments required as the power level increases.

The -0.5% tolerance between 20% and 80% RTP is based on the reduced accuracy of the calorimetric data inputs at low power levels. Performing a calorimetric calibration with a -0.5%

tolerance at low power levels ensures the difference will remain within -2.0% when power is increased above 80% RTP.

If a calorimetric calculation is performed above 80% RTP, it will use accurate inputs to the calorimetric calculation available at higher power levels. When the power level is decreased below 80% RTP an additional performance of the SR to the -0.5% to 10% tolerance is not required if the SR has been performed above 80% RTP. During any power ascension from below 80% to above 80% RTP, the calibration requirements of ITS SR 3.3.1.4 must be met (except during PHYSICS TESTS, as allowed by the Note in SR 3.3.1.4). This is accomplished by performing SR 3.3.1.4 between 75% and 80% RTP during power ascension with an acceptance criteria of -0.5% to <2% to bound the requirements for both below and above 80% RTP.

The Frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on plant operating experience and takes into account indications and alarms located in the control room to detect deviations in channel outputs. The Frequency is modified by a Note indicating this Surveillance need only be performed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reaching 20% RTP.

The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reaching 20% RTP is required for plant stabilization, data taking. and flow verification. The secondary calorimetric is inaccurate at lower power levels.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-52 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 (continued)

REQUIREMENTS A second Note in the SR indicates the SR may be suspended during PHYSICS TESTS. The conditional suspension of the daily calibrations under strict administrative control is necessary to allow special testing to occur.

SR 3.3.1.5 The RCS flow rate indicated by each CPC is verified to be less than or equal to the RCS total flow rate every 31 days.

The Note indicates the Surveillance is performed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after THERMAL POWER is 2 70% RTP. This check (and, if necessary, the adjustment of the CPC addressable flow constant coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications as determined either using the reactor coolant pump differential pressure instrumentation and the ultrasonic flow meter adjusted pump curves or by a calorimetric calculation. Operating experience has shown the specified Frequency is adequate, as instrument drift is minimal and changes in actual flow rate are minimal over core life.

SR 3.3.1.6 The three vertically mounted excore nuclear instrumentation detectors in each channel are used to determine APD for use in the DNBR and LPD calculations. Because the detectors are mounted outside the reactor vessel, a portion of the signal from each detector is from core sections not adjacent to the detector. This is termed shape annealing and is compensated for after every refueling by performing SR 3.3.1.11, which adjusts the gains of the three detector amplifiers for shape annealing. SR 3.3.1.6 ensures that the preassigned gains are still proper. When power is < 15% the CPCs do not use the excore generated signals for axial flux shape information. The Note allowing 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reaching 15%

RTP is required for plant stabilization and testing. The 31 day Frequency is adequate because the demonstrated long term drift of the instrument channels is minimal.

SR 3.3.1.7 A CHANNEL FUNCTIONAL TEST on each channel is performed every 92 days to ensure the entire channel will perform its (continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-53 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 (continued)

REQUIREMENTS intended function when needed. The SR is modified by two Notes. Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. Note 2 allows the CHANNEL FUNCTIONAL TEST for the Logarithmic Power Level - High channels to be performed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after logarithmic power drops below 1E-4% NRTP.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 8. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the interval between surveillance interval extension analysis.

The requirements for this review are outlined in Reference 9.

Matrix Logic Tests Matrix Logic tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Tests Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic (continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-54 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE Trip Path Tests 'continued)

REQUIREMENTS tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize. thereby opening the affected RTCB. The RTCB must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of 92 days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9).

The CPC and CEAC channels and excore nuclear instrumentation channels are tested separately.

The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.

The power range excore test signal is inserted at the drawer input, since there is no preamplifier.

The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using software. This software includes preassigned addressable constant values that may differ from the current values.

Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants.

SR 3.3.1.8 A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. A CHANNEL CALIBRATION of the power range neutron flux channels every 92 days ensures that the channels are reading accurately and within tolerance (Ref. 9). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests.

CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the interval (continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-55 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.8 (continued)

REQUIREMENTS between surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

Operating experience has shown this Frequency to be satisfactory. The detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the monthly linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators.

SR 3.3.1.9 SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION every 18 months.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

The Frequency is based upon the assumption of an 18 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the typical 18 month fuel cycle.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the monthly linear subchannel gain check (SR 3.3.1.6).

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-56 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.10 REQUIREMENTS (continued) Every 18 months, a CHANNEL FUNCTIONAL TEST is performed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions.

The basis for the 18 month Frequency is that the CPCs perform a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS.

This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function. Operating experience has shown that undetected CPC or CEAC failures do not occur in any given 18 month interval.

SR 3.3.1.11 The three excore detectors used by each CPC channel for axial flux distribution information are far enough from the core to be exposed to flux from all heights in the core.

although it is desired that they only read their particular level. The CPCs adjust for this flux overlap by using the predetermined shape annealing matrix elements in the CPC software.

After refueling, it is necessary to re-establish or verify the shape annealing matrix elements for the excore detectors based on more accurate incore detector readings.

This is necessary because refueling could possibly produce a significant change in the shape annealing matrix coefficients.

Incore detectors are inaccurate at low power levels.

THERMAL POWER should be significant but < 70% to perform an accurate axial shape calculation used to derive the shape annealing matrix elements.

By restricting power to < 70% until shape annealing matrix elements are verified, excessive local power peaks within the fuel are avoided. Operating experience has shown this Frequency to be acceptable.

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-57 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.12 REQUIREMENTS (continued) SR 3.3.1.12 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.7, except SR 3.3.1.12 is applicable only to operating bypass functions and is performed once within 92 days prior to each startup. Proper operation of operating bypass permissives is critical during plant startup because the operating bypasses must be in place to allow startup operation and must be automatically removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify operating bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9).

Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST. SR 3.3.1.7.

Therefore, further testing of the operating bypass function after startup is unnecessary.

SR 3.3.1.13 This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on an 18 month STAGGERED TEST BASIS. This results in the interval between successive surveillances of a given channel of n x 18 months, where n is the number of channels in the function. The Frequency of 18 months is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Response time testing may be performed at power on a single channel or during plant outages when the equipment is not required to be operable.

Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-58 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.13 (continued)

REQUIREMENTS Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from the records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, 'Elimination of Pressure Sensor Response Time Testing Requirements." (Ref. 12) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report.

Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4)

REFERENCES 1. 10 CFR 50, Appendix A. GDC 21

2. 10 CFR 100.
3. NRC Safety Evaluation Report. July 15, 1994.
4. UFSAR. Chapter 7
5. UFSAR. Chapters 6 and 15.
6. 10 CFR 50.49.
7. "Calculation of Trip Setpoint Values, Plant Protection System". CEN-286(v), or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip function.
8. UFSAR. Section 7.2, Tables 7.2-1 and 7.3-11A.

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-59 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES REFERENCES 9. CEN-327, June 2. 1986, including Supplement 1, (continued) March 3, 1989, and Calculation 13-JC-SB-200.

10. CEN-305-P, "Functional Design Requirements for a Core Protection Calculator."
11. CEN-304-P. "Functional Design Requirements for a Control Element Assembly Calculator."
12. CEOG Topical Report CE NPSD-1167-A. "Elimination of Pressure Sensor Response Time Testing Requirements."
13. CEN-323-P-A, "Reload Data Block Constant Installation Guidelines", Combustion Engineering, Inc.. September, 1986.
14. UFSAR Section 1.8, "Regulatory Guide 1.105:

Instrument Setpoints (Revision 1, November 1976)

PALO VERDE UNITS 1,2,3 B 3.3. 1-60 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 B 3.3 INSTRUMEfTATION B 3.3.2 Reacto' Protective System (RPS) Instrumentation - Shutdown BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and reactor coolant pressure boundary (RCPB) integrity during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS. as well as LCOs on other reactor system parameters and equipment performance.

Except for trip Functions 2 and 3. the LSSS defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents MDBAs). For Trip Functions 2 and 3. the UFSAR Trip Setpoint is the LSSS.

During AOOs, which are those events expected to occur one or more times during the plant life. the acceptable limits are:

The departure from nucleate boiling ratio shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling; Fuel centerline melting shall not occur; and The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an (continued) accident category is considered having acceptable consequences for that event.

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.2-1 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES BACKGROUND (continued) The RPS is segmented into four interconnected modules.

These modules are:

  • Measurement channels:
  • Bistable trip units:

This LCO applies to the Logarithmic Power Level - High trip in MODES 3. 4, and 5 with the RTCBs closed and the CEAs capable of withdrawal. In MODES 1 and 2. this trip function is addressed in LCO 3.3.1, "Reactor Protective System (RPS)

Instrumentation - Operating." LCO 3.3.12, "Boron Dilution Alarm System (BDAS)," applies when the RTCBs are open.

This LCO applies to the Steam Generator #1 and the Steam Generator #2 Pressure-Low trip in MODE 3, with the RTCBs closed and the CEAs capable of withdrawal. In MODES 1 and 2.

this trip function is addressed in LCO 3.3.1. "Reactor Protective System (RPS) Instrumentation-Operating."

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.2-2 REVISION 0

RPS Instrumentation - Shutdown B 3.3.2 BASES BACKGROUND Measurement Chaniels and Bistable Trip Units (continued)

The measurement channels providing input to the Logarithmic Power Level - High trip consist of the four logarithmic nuclear instrumentation channels detecting neutron flux leakage from the reactor vessel. Other aspects of the Logarithmic Power Level - High trip are similar to the other measurement chaniels and bistables. These are addressed in the Background section of LCO 3.3.1.

Functional testing of the entire RPS. from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation can be similarly tested. UFSAR. Section 7.2 (Ref. 3), provides more detail on RPS testing.

APPLICABLE The RPS functions to maintain the SLs during AOOs and SAFETY ANALYSES mitigates the consequence of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. Noncredited Functions include the Steam Generator Water Level - High Trip. The Steam Generator Water Level - High Trip is purely equipment protective, and its use minimizes the potential for equipment damage.

The Logarithmic Power Level - High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

The Steam Generator Pressure-Low trip function provides shutdown margin to prevent or minimize the return to power, following a large Main Steam Line Break (MSLB) in MODE 3.

With less than 4 RCPs running the trip setpoint for the Logarithmic Power Level-High trip is reduced to < 104%

NRTP. The lower setpoint is required for a bank CEA withdrawal with less than 4 RCPs running.

(continued)

PALO VERDE UNIIS 1,2,3 B 3.3.2-3 REVISION 1

RPS Instrumentation - Shutdown B 3.3.2 BASES APPLICABLE In MODES 2, 3, 4. and 5. with the RTCBs closed, and the SAFETY ANALYSES Control Element Assembly (CEA) Drive System capable of CEA (continued) withdrawal, protection is required for CEA withdrawal events, and excessive cooldown due to a MSLB originating when logarithmic power is < 1E-4% NRTP. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in this LCO. MODE 2 is addressed in LCO 3.3.1.

In MODES 3, 4, or 5. with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level - High trip does not have to be OPERABLE. The indication and alarm functions required to indicate a boron dilution event are addressed in LCO 3.3.12 "Boron Dilution Alarm System (BDAS)".

Interlock/Bypasses The operating bypasses and their Allowable Values are addressed in footnotes to Table 3.3.2-1. They are not otherwise addressed as specific Table entries.

The automatic operating bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The basis for the Logarithmic Power Level -High operating bypass is discussed under individual trips in the LCO section.

The RPS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

The LCO requires the Logarithmic Power Level - High, the Steam Generator #1 Pressure-Low, and the Steam Generator #2 Pressure-Low, RPS Functions to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Function.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.2-4 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES LCO Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values (AVs) are specified for this RPS trip Function in the LCO. The AV is considered an operability limit for the channel. If the as-found instrument setting is found to be non-conservative with respect to the AlV, or the as-left instrument setting cannot be returned to a setting within As-Left Tolerance (ALT), or the instrument is not functioning as required: then the instrument channel shall be declared inoperable. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoint is selected to ensure the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Opera,:ion with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with -he assumptions of the plant specific setpoint calcula'ions. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function.

These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 4). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

This LCO requires all four channels of the Logarithmic Power Level - High to be OPERABLE MODES in 3, 4, or 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal.

A CEA is considered capable of withdrawal when power is applied to the Control Element Drive Mechanisms (CEDMs).

There are severa methods used to remove power from the CEDMs, such as de-energizing the CEDM MGs, opening the CEDM MG output breakers, opening the Control Element Assembly Control System (CEDMCS) CEA breakers, opening the RTCBs, or disconnecting the power cables from the CEDMs. Any method (continued)

PALO VERDE UNITS 1,2,3 B 3.3.2-5 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES LCO that removes power from the CEDMs may be used. The CEAs are (continued) still capable of withdrawal if the CEDMCS withdrawal circuits are disabled with power applied to the CEDMs because failures in the CEDMCS could result in CEA withdrawal.

This LCO requires all four channels of Steam Generator #1 Pressure-Low, and Steam Generator #2 Pressure-Low, to be OPERABLE in MODE 3. when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal. These RPS functions are not required in MODES 4 and 5 because the Steam Generator temperature is low, therefore the energy release and resulting cooldown following a large MSLB in MODES 4 and 5 is not significant.

Footnote (e). which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument set points are found not to be conservative with respect to the as-found acceptance criteria. Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

Initial evaluation will be performed by the technician performing the surveillance with will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures. entry into the corrective action program will require review and documentation of the condition for operability. Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends.

Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint.

The specified field installed trop setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calcul ated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is (continued)

PALO VERDE UNITS 1,2,3 B 3.3.2-6 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES LCO equal to or more conservative than the LSp and is specified (continued) in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint.

This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained. If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within the ALT, or the instrument is not functioning as required; then the instrument channel shall be declared inoperable.

The Allowable Values are high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level - High reactor trips during normal plant operations.

The Allowable Values are low enough for the system to maintain a safety margin for unacceptable fuel cladding damage should a ("EA withdrawal or MSLB event occur.

The Logarithmic Power Level - High trip may be bypassed when logarithmic power is above 1E-4% NRTP to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when logarithmic power decreases below 1E-4% NRTP. Above 1E-4% NRTP, the Variable Over Power - High and Pressurizer Pressure - High trips provide protection for reactivity transients.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable.

Footnotes (a) and (b) in Table 3.3.1-1 and (d) in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%), the automatic Hi-Log power trip bypass removal feature in that channel cannot function. Similarly, when the indicated Log power channel is failed low (below 1E-4%), the automatic DNBR-LPD trip bypass removal feature *inthat channel cannot function. Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4% NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.2-7 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES LCO When a Log channel is INOPERABLE, both the Hi-Log power and (continued) DNBR/LPD automatic trip bypass removal features in that channel are also INOPERABLE. requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending on plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 require the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification, etc.) is required. These CR switches are administratively controlled via station procedure therefore, the requirements of C.1 are continuously met.

APPLICABILITY This LCO is applicable to the RPS Instrumentation in MODES 3, 4, and 5 with any RTCB closed and any CEA capable of withdrawal. LCO 3.3.1 is applicable to the RPS Instrumentation in MODES 1 and 2. The requirements for the CEACs in MODES 1 and 2 are addressed in LCO 3.3.3. The RPS Matrix Logic, Initiation Logic, RTCBs, and Manual Trips in MODES 1, 2, 3, 4, and 5 are addressed in LCO 3.3.4.

Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The trips are designed to take the reactor subcritical, which maintains the SLs during ADOs and assists the Engineered Safety Features Actuation System (ESFAS) in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5.

In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:

The Logarithmic Power Level - High trip. RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events. The Logarithmic Power Level - High trip in these lower MODES is addressed in this LCO. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.4, "Reactor Protective System (RPS) Logic and Trip Initiation."

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.2-8 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES APPLICABILITY (continued)

and 5 is addressed in LCO 3.3.4, Reactor Protection System (RPS) Logic and Trip Initiation.

The applicability for the Logarithmic Power Level-High function is modified by a Note that allows the trip to be bypassed when logarithmic power is > 1E-4% NRTP, and the bypass is automatically removed when logarithmic power is

< 1E-4% NRTP.

ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. '[f the trip setpoint is less conservative than the Allowable Value stated in the LCO, the channel is declared inoperable immediately, and the appropriate Condition(s) mus: be entered immediately.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value. or the excore logarithmic power channel or RPS bistable trip unit is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the unit must enter the Condition for the particular protection Function affected.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.2-9 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES ACTIONS With a channel process measurement circuit that affects (continued) multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below:

PROCESS MEASUREMENT CIRCUIT FUNCTIONAL UNIT (Bypassed or Tripped)

Steam Generator Pressure-Low Steam Generator Pressure - Low (RPS)

Steam Generator #1 Level - Low (ESF)

Steam Generator #2 Level - Low (ESF)

When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered, if applicable in the current MODE of operation.

A.1, and A.2 Condition A applies to the failure of a single trip channel or associated instrument channel inoperable in any RPS function.

The RPS coincidence logic is two-out-of-four. If one channel is inoperable, operation in MODES 3, 4, and 5 is allowed to continue, providing the inoperable channel is placed in bypass or trip in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to bypass or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel while ensuring that the risk involved in operating with the failed channel is acceptable.

The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel bypassed, the coincidence logic is now in a two-out-of-three configuration. The Completion Time is based on adequate channel to channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a reactor trip.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.2-10 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES ACTIONS B.1 (continued)

Condition B applies to the failure of two trip channels or associated instrument channels, in any RPS automatic trip function. Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This Completion Time is sufficient to allow the operator to take all appropriate actions for the wailed channels and still ensures the risk involved in operating with the failed channels is acceptable.

With one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic: but with another channel failed, the RPS may be operating in a two-out-of-two logic.

This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.

One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reacdor trip. Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.

The Required Action is modified by a Note stating that LCO 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.

C.1, C.2.1, and (.2.2 Condition C applies to one automatic operating bypass removal channel inoperable. If the operating bypass removal channel for the high logarithmic power level operating bypass cannot be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, (continued)

PALO VERDE UNITS 1,2,3 B 3.3.2-11 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES ACTIONS C.1, C.2.1 and C.2.2 (continued) the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise. the affected RPS channel must be declared inoperable, as in Condition A, and the operating bypass either removed or the affected automatic channel placed in trip or maintenance (trip channel) bypass. Both the operating bypass removal channel and the associated automatic trip channel must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and D.2 Condition D applies to two inoperable automatic operating bypass removal channels. If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, the associated RPS channel may be considered OPERABLE only if the operating bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B. and the operating bypass either removed or one automatic trip channel placed in maintenance (trip channel) bypass and the other in trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST or the plant must shut down per LCO 3.0.3, as explained in Condition B. Completion Times are consistent with Condition B.

The Required Action is modified by a Note stating that LCO 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.

E.1 Condition E is entered when the Required Actions and associated Completion Times of Condition A, B. C, or D are not met.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.2-12 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES ACTIONS E.1 (continued)

If Required Actions associated with these Conditions cannot be completed within the required Completion Time, all RTCBs must be opened. placing the plant in a condition where the RPS trip channels are not required to be OPERABLE. A Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is a reasonable time to perform the Required Action. which maintains the risk at an acceptable level while having one or two channels inoperable.

SURVEILLANCE The SR's for any particular RPS function are found in the SR REQUIREMENTS column of Table 3.3.2-1 for that function. The SRs are an extension of those listed in LCO 3.3.1. listed here because of their Applicability in these MODES.

SR 3.3.2.1 SR 3.3.2.1 is the performance of a CHANNEL CHECK of each RPS channel. This SR is identical to SR 3.3.1.1. Only the Applicability differs.

Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure: thus. it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limits.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.2-13 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES SURVEILLANCE SR 3.3.2.1 (continued)

REQUIREMENTS The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure.

Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

SR 3.3.2.2 A CHANNEL FUNCTIONAL TEST on each channel, except power range neutron flux, is performed every 92 days to ensure the entire channel will perform its intended function when needed. This SR is identical to SR 3.3.1.7. Only the Applicability differs.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in the UFSAR, Section 7.2 (Ref. 3). These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs.

They include:

Bistable Tests A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 6.

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.2-14 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES SURVEILLANCE Matrix Logic Tests REQUIREMENTS (continued) Matrix Logic Tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state.

This test will detect any short circuits around the bistable contacts in the (coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Test Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize. opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of 92 days is based on the reliability analysis presented in topical report CEN-327. "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 6). The excore channels use preassigned test signals to verify proper channel alignment.

The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.

SR 3.3.2.3 SR 3.3.2.3 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.2.2. except SR 3.3.2.3 is applicable only to operating bypass functions and is performed once within 92 days prior to each startup. This SR is identical to SR 3.3.1.12. Only the Applicability differs.

Proper operation of operating bypass permissives is critical during plant startup cause the operating by passes must be in place to allow startup operation and must be automatically removed at the appropriate points during power ascent to enable certain reactor trips. Consequently. the appropriate time to verify operating bypass removal function (continued)

PALO VERDE UNITS 1,2.3 B 3.3.2-15 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES SURVEILLANCE SR 3.3.2.3 (continued)

REQUIREMENTS OPERABILITY is just Prior to startup. The allowance to conduct this Surveillance within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 6). Once the operating bypasses are removed, the operating bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.2.2. Therefore, further testing of the operating bypass function after startup is unnecessary.

SR 3.3.2.4 SR 3.3.2.4 is the performance of a CHANNEL CALIBRATION every 18 months. This SR is identical to SR 3.3.1.9. Only the Applicability differs.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor (the sensor is excluded for the Logarithmic Power Level Function). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 6.

The Frequency is based upon the assumption of an 18 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 18 month fuel cycle.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and (continued)

PALO VERDE UNITS 1,2.3 B 3.3.2-16 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES SURVEILLANCE SR 3.3.2.4 (continued)

REQUIREMENTS because of the difficulty of simulating a meaningful signal.

Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

SR 3.3.2.5 This SR ensures -that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on an 18 month STAGGERE-D TEST BASIS. This results in the interval between successive tests of a given channel of n x 18 months, where n is the number of channels in the Function. The 18 month Frequency is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Response time testing may be performed at power on a single channel or during plant outages when the equipment is not required to be operable.

Testing may be performed in one measurement or in overlapping segments. with verification that all components are tested.

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 7) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.2-17 REVISION 35

RPS Instrumentation - Shutdown B 3.3.2 BASES A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

REFERENCES 1. 10 CFR 50.

2. 10 CFR 100.
3. UFSAR, Section 7.2 Tables 7.2-1 and 7.3-11A.
4. "Calculation of Trip Setpoint Values Plant Protection System, CEN-286(v)", or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip Function.
5. NRC Safety Evaluation Report, July 15, 1994.
6. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989, and Calculation 13-JC-SB-200.
7. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."

PALO VERDE UNITS 1,2,3 B 3.3.2-18 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES BACKGROUND Measurement Channels (continued)

Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 4).

Bistable Trip Units Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the Matrix Logic for each ESFAS Function. They also provide local trip indication and remote annunciation.

There are four channels of bistables, designated A through D, for each ESFAS Function, one for each measurement channel. In cases where two ESF Functions share the same input and trip setpoint (e.g., containment pressure input to CIAS and SIAS), the same bistable may be used to satisfy both Functions. Similarly, bistables may be shared between the RPS and ESFAS (e.g., Pressurizer Pressure - Low input to the RPS and SIAS'. Bistable output relays de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate an ESF actuation (two-out-of-four logic).

(continued)

PALO VERDE UNITS 1,2.3 133.3.5-3 REVISION 0

ESFAS Instrumentation B 3.3.5 BASES BACKGROUND Bistable Trip Units (continued)

The trip setpoints and Allowable Values used in the bistables are based on the analytical limits stated in Reference 5. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances. instrumentation uncertainties, instrument drift, and severe environment effects, for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.5-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. The UFSAR Trip Setpoints are based on the calculated total loop uncertainty consistent with the methodology as documented in the UFSAR (RG 1.05, Revision 1.

November 1976) (Ref. 11). The general relationship among the PVNGS trip setpoint terms is as follows: The calculated Limiting Setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and the Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The Design Setpoint (DSp) is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety limit is maintained. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7). A channel is inoperable if its actual trip setpoint is non-conservative with respect to its required Allowable Value.

Setpoints in accordance with the Allowable Value will ensure that Safety Limits of LCO Section 2.0. "Safety Limits," are not violated during AOOs and the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Functional testing of the ESFAS, from the bistable input through the opening of initiation relay contacts in the ESFAS Actuation Logic, can be performed either at power or at shutdown and is normally performed on a quarterly basis.

UFSAR, Section 7.2 (Ref. 8). provides more detail on ESFAS testing. Process transmitter calibration is normally performed on a refueling basis. SRs for the channels are specified in the Surveillance Requirements section.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.5-4 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES LCO Bypass Removal (continued)

This LCO applies to the operating bypass removal feature only. If the operating bypass enable function is failed so as to prevent entering a operating bypass condition, operation may continue. Because the trip setpoint has a floor value of 100 psia, a channel trip will result if ressure is decreased below this setpoint without DPassing1.

The operating bypass removal Allowable Value was chosen because MSLB events originating from below this setpoint add less positive reactivity than that which can be compensated for by required SDM.

4. Main Steam Isolation Signal The LCO is applicable to the MSIS in MODES 1. 2 and 3 except when al associated valves are closed.
a. Steam Generator Pressure - Low This LCO requires four channels of Steam Generator Pressure - Low to be OPERABLE in MODES 1, 2 and 3.

The UFSAR Trip Setpoint for this trip is set below the full load operating value for steam pressure so as not to interfere with normal plant operation. However, the setting is high enough to provide an MSIS (Function 4) during an excessive steam demand event. An excessive steam demand event causes the RCS to cool down, resulting in a positive reactivity addition to the core.

MSIS limits this cooldown by isolating both steam generators if the pressure in either drops below the trip setpoint. An RPS trip on Steam Generator Pressure - Low is initiated simultaneously, using the same bistable.

(continued)

PALO VERDE UNITS 1,2.3 3 3.3.5-15 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES LCO a. Steam Generator Pressure - Low (continued)

The Steam Generator Pressure - Low trip setpoint may be manually decreased as steam generator pressure is reduced. This prevents an RPS trip or MSIS actuation during controlled plant cooldown. The margin between actual steam generator pressure and the trip setpoint must be maintained less than or equal to the specified value of 200 psia to ensure a reactor trip and MSIS will occur when required.

Footnote (d), which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument set points are found not to be conservative with respect to the as-found acceptance criteria. Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Initial evaluation will be performed by the technician performing the surveillance with will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability.

Additional evaluation and potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends.

Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint. The specified field installed trop setpoint is termed as the Design Setpoint (DSp) and is equal to or more (continued)

PALO VERDE UNITS 1.2,3 B 3.3.5-16 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES LCO conservative than the UFSAR Trip Setpoint. The (continued) general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint.

This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained.

If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within -the ALT, or the instrument is not functioning as required: then the instrument channel shall be declared inoperable.

b. Containment Pressure - High This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1, 2 and
3. The Containment Pressure - High signal is shared among the SIAS (Function 1). CIAS (Function 3), and MSIS (Function 4).

The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

c. Steam Generator Level-High This LCO requires four channels of Steam Generator Level-High to be OPERABLE in MODES 1, 2 and 3.

The allowable value for this trip is set high enough -to ensure it does not interfere with (continued)

PALO VERDE UNITS 1,2,3 133.3. 5-17 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES LCO c. Steam Generator Level-High (continued) normal plant operation. The setting is low enough to prevent moisture damage to secondary plant components in the case of a steam generator overfill event.

5. Recirculation Actuation Signal
a. Refueling Water Tank Level - Low This LCO requires four channels of RWT Level - Low to be OPERABLE in MODES 1, 2, and 3.

The upper limit on the Allowable Value for this trip is set low enough to ensure RAS does not initiate before sufficient water is transferred to the containment sump.

Premature recirculation could impair the reactivity control function of safety injection by limiting the amount of boron injection.

Premature recirculation could also damage or disable the recirculation system if recirculation begins before the sump has enough water to prevent air entrainment in the suction.

The lower limit on the RWT Level - Low trip Allowable Value is high enough to transfer suction to the containment sump prior to emptying the RWT.

6, 7. Auxiliary Feedwater Actuation Signal SG #1 and SG #2 (AFAS-1 and AFAS-2)

AFAS-1 is initiated to SG #1 by either a low steam generator level coincident with no differential pressure trip present or by a low steam generator level coincident with a differential pressure between the two generators with the higher pressure in SG #1.

AFAS-2 is similarly configured to feed SG #2.

The steam generator secondary differential pressure is used, as an input of the AFAS logic where it is used to determine if a generator is intact. The AFAS logic inhibits feeding a steam generator if the pressure in that steam generator is less than the pressure in the other steam generator by the Steam Generator Pressure Difference (SGPD) - High setpoint.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.5-18 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES LCO 6, 7. Auxiliary Feedwater Actuation Signal SG #1 and SG #2 (AFAS-i and FAS-2) (continued)

The SGPD setpoint is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation.

The following LCO description applies to both AFAS signals.

a. Steam Generator Level - Low This LCO requires four channels of Steam Generator Level - Low to be OPERABLE for each AFAS in MODES 1, 2, and 3.

The Steam Generator Level - Low AFAS input is shared with the Steam Generator Level-Low RPS function. The Steam Generator Level-Low AFAS and RPS use separate bistables. This allows the AFAS setpoin: to be set lower than the RPS setpoint.

The allowable value is high enough to ensure the steam generator is available as a heat sink. The setting is low enough to prevent inadvertent AFAS actuations during plant transients. This setpoin: provides allowance that there will be sufficient inventory in the steam generator at the time of the RPS trip to provide a margin of at leas: 10 minutes before auxiliary feedwater is required to prevent degraded core cooling.

b. SG Pressure Difference - High (SG #1 > SG #2) or TSG #2 :hSG #1)

This LCO requires four channels of SG Pressure Difference - High to be OPERABLE for each AFAS in MODES 1. 2. and 3.

The Allowable Value for this trip is high enough to allow for small pressure differences and normal -instrumentation errors between the steam generator channels during normal operation without an actuation. The setting is low enough (continued)

PALO VERDE UNITS 1.2.3 E33.3.5-19 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES LCO b. SG Pressure Difference-HiQh (SG #1 > SG #2) or (SG #2 > SG #1) (continued) to detect and inhibit feeding of a faulted (MSLB or FWLB) steam generator in the event of an MSLB or FWLB, while permitting the feeding of the intact steam generator.

APPLICABILITY In MODES 1, 2 and 3 there is sufficient energy in the primary and secondary systems to warrant automatic ESF System responses to:

  • Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB: and
  • Actuate ESF systems to ensure sufficient borated water inventory to permit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.

In MODES 4. 5 and 6 automatic actuation of these Functions is not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required, as addressed by LCO 3.3.6.

Several trips have operating bypasses, discussed in the preceding LCO section. The interlocks that allow these ypasses shall be OPERABLE whenever the RPS Function they support is OPERABLE.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.5-20 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. Determination of setpoint drift is generally mad? during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification.

In the event a ciannel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics.

or ESFAS bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and tie LCO Condition entered for the particular protection Function affected.

With a channel process measurement circuit that affects multiple functional units inoperable or in test, bypass or trip all associated functional units as listed below.

Process MeasureTent Circuit

1. Steam Generator Pressure-Low Steam Generator Pressure-Low Steam Generator Level 1-Low (ESF)

Steam Generator Level 2-Low (ESF)

2. Steam Generator Level Steam Generator Level-Low (RPS)

(Wide Range) Steam Generator Level 1-Low (ESF)

Steam Generator Level 2-Low (ESF)

With a Steam Generator Pressure Difference-High channel inoperable or in test, bypass or trip the associated Steam Generator Level-Low (ESF) function.

When the number of inoperable channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be entered immediately, if applicable in the current MODE of operation.

A Note has been added to the ACTIONS. The Note has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.5-21 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES ACTIONS A.1 and A.2 (continued)

Condition A applies to the failure of a single channel of one or more input parameters in the following ESFAS Functions:

1. Safety Injection Actuation Signal Containment Pressure - High Pressurizer Pressure - Low
2. Containment Spray Actuation Signal Containment Pressure - High High
3. Containment Isolation Actuation Signal Containment Pressure - High Pressurizer Pressure - Low
4. Main Steam Isolation Signal Steam Generator #1 Pressure - Low Steam Generator #2 Pressure - Low Steam Generator #1 Level-High Steam Generator #2 Level-High Containment Pressure - High
5. Recirculation Actuation Signal Refueling Water Storage Tank Level - Low
6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1)

Steam Generator #1 Level - Low SG Pressure Difference (SG #2 > SG #1) - High

7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2)

Steam Generator #2 Level - Low SG Pressure Difference (SG #1 > SG #2) - High ESFAS coincidence logic is normally two-out-of-four.

If one ESFAS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.5-22 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES ACTIONS A.1 and A.2 (continued)

The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to restore, bypass.

or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable.

The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel bypassed, the coincidence logic is now in a two-out-of-three configuration. The Completion Time of nrior to entering MODE 2 following the next MODE 5 entry is Eased on adequate channel to channel independence, which allows a two-out-of-three channel operation, since no single failure will cause or prevent an ESF actuation.

B.1 The Required Action is modified by a Note stating that LCO 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.

Condition B applies to the failure of two channels of one or more input parameters in the following ESFAS automatic trip Functions:

1. Safety Injection Actuation Signal Containment Pressure - High Pressurizer Pressure - Low
2. Containment Spray Actuation Signal Containment Pressure - High High
3. Containment Isolation Actuation Signal Containment Pressure - High Pressurizer Pressure - Low (continued)

PALO VERDE UNITS 1,2.3 133.3.5-23 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES ACTIONS B.1 (continued)

4. Main Steam Isolation Signal Steam Generator #1 Pressure - Low Steam Generator #2 Pressure - Low Steam Generator #1 Level-High Steam Generator #2 Level-High Containment Pressure-High
5. Recirculation Actuation Signal Refueling Water Storage Tank Level - Low
6. Auxiliary Feedwater Actuation Signal SG #1 (AFAS-1)

Steam Generator #1 Level - Low SG Pressure Difference (SG #2 > SG #1) - High

7. Auxiliary Feedwater Actuation Signal SG #2 (AFAS-2)

Steam Generator #2 Level - Low SG Pressure Difference (SG #1 > SG #2) - High With two inoperable channels, power operation may continue, provided one inoperable channel is placed in bypass and the other channel is placed in trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. With one channel of protective instrumentation bypassed, the ESFAS Function is in two-out-of-three logic in the bypassed input parameter, but with another channel failed, the ESFAS may be operating with a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected.

To correct the problem, the second channel is placed in trip. This places the ESFAS Function in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, ESFAS actuation will occur.

One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one ESFAS channel, and placing a second channel in trip will result in an ESFAS actuation. Therefore, if one ESFAS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.5-24 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES ACTIONS C.1. C.2.1, and C.2.2 (continued)

Condition C applies to one automatic operating bypass removal channel inoperable. The only automatic operating bypass removal on an ESFAS is on the Pressurizer Pressure - Low signal. This operating bypass removal is shared with the RPS Pressurizer Pressure - Low bypass removal.

If the bypass removal channel for any operating bypass cannot be restored to OPERABLE status, the associated ESFAS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected ESFAS channel must be declared inoperable, as in Condition A, and the operating bypass either removed or the bypass removal channel repaired. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and 0.2 The Required Action is modified by a Note stating that LCO 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.

Condition D applies to two inoperable automatic operating bypass removal channels. If the operating bypass removal channels for two operating bypasses cannot be restored to OPERABLE status, the associated ESFAS channel may be considered OPERA13LE only if the operating bypass is not in effect. Otherwise, the affected ESFAS channels must be declared inoperable, as in Condition B. and either the operating bypass removed or the bypass removal channel repaired. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST or the plant must shut down per LCO 3.0.3. as explained in Condition B. Completion Times are consistent with Condition B.

(continued)

PALO VERDE UNITS 1,2.3 3 3.3.5-25 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES ACTIONS (continued) E.1 and E.2 If the Required Actions and associated Completion Times of Condition A, B. C, or D cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status. the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.3.5.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure: thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.5-26 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.1 (continued)

REQUIREMENTS The Frequency, about once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> period is low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of displays associated with the LCO required channels.

SR 3.3.5.2 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire channel will perform its intended function when needed.

The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays.

These overlapping tests are described in Reference 1.

SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing. SR 3.3.6.2 verifies that the subgrou) relays are capable of actuating their respective ESF components when de-energized.

These tests verify that the ESFAS is capable of performing its intended fun tion, from bistable input through the actuated components. SRs 3.3.6.1 and 3.3.6.2 are addressed in LCO 3.3.6. SR 3.3.5.2 includes bistable tests.

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.5-27 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.2 (continued)

REQUIREMENTS The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

SR 3.3.5.3 CHANNEL CALIBRATION is a complete check of the instrument channel including the detector and the bypass removal functions. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference 9.

The 18 month frequency is based on operating experience which has shown these components usually pass the Surveillance when performed on the 18 month Frequency. With proper precautions the channel calibration can be performed with the reactor at power.

SR 3.3.5.4 This Surveillance ensures that the train actuation response times are within the maximum values assumed in the safety analyses.

Response time testing acceptance criteria are included in Reference 1.

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time (continued)

PALO VERDE UNITS 1,2,3 B 3.3.5-28 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.4 (continued)

REQUIREMENTS Testing Requirements." (Ref. 10) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by zest. The allocation of sensor response times must be verified prior to placing a new component in operation and re-verified after maintenance that may adversely affect the sensor response time.

ESF RESPONSE TIME tests are conducted on a STAGGERED TEST BASIS of once every 18 months. The 18 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

SR 3.3.5.5 SR 3.3.5.5 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2. except SR 3.3.5.5 is performed within 92 days prior to startup and is only applicable to operating bypass functions. Since the Pressurizer Pressure - Low operating bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13.

The CHANNEL FUNCTIONAL TEST for proper operation of the operating bypass permissives is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function.

Consequently. just prior to startup is the appropriate time to verify operating bypass function OPERABILITY. Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by SR 3.3.5.2.

The allowance to conduct this test with 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9).

(continued)

PALO VERDE UNITS 1.2.3 B 3.3.5-29 REVISION 35

ESFAS Instrumentation B 3.3.5 BASES REFERENCES 1. UFSAR, Section 7.3.

2. 10 CFR 50. Appendix A.
3. NRC Safety Evaluation Report, July 15, 1994
4. IEEE Standard 279-1971.
5. UFSAR, Chapter 15.
6. 10 CFR 50.49.
7. "Calculation of Trip Setpoint Valves Plant Protection System". CEN-286(v), or Calculation 13-JC-SG-203 for the Low Steam Generator Pressure Trip Function.
8. UFSAR, Section 7.2, Tables 7.2-1 and 7.3-H1A I
9. CEN-327, May 1986, including Supplement 1. March 1989, and Calculation 13-JC-SB-200.
10. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."
11. UFSAR Section 1.8, "Regulatory Guide 1.105: Instrument Setpoints (Revision 1, November 1976)"

PALO VERDE UNITS 1,2,3 B 3.3.5-30 REVISION 35

Pressurizer B 3.4.9 BASES APPLICABLE The Class 1E pressurizer backup heaters are needed SAFETY ANALYSES to maintain subcooling in the long term during loss of (continued) offsite power, as indicated in NUREG-0737 (Ref. 1). The requirement for emergency power supplies is based on NUREG-0737 (Ref. 1). The intent is to keep the reactor coolant in a subcooled condition with natural circulation at hot, high pressure conditions for an undefined, but extended, time period after a loss of offsite power. While loss of offsite power is a coincident occurrence assumed in the accident analyses, maintaining hot, high pressure conditions over an extended time period is not evaluated in the accident analyses. The pressurizer satisfies Criterion 2 and Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requirement for the pressurizer to be OPERABLE with water level Ž 27% indicated level (425 cubic feet) and < 56%

indicated level (948 cubic feet) ensures that a steam bubble exists. Limiting the maximum operating water level reserves the steam space for pressure control. The LCO has been established to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity 2 125 kW and capable of being powered from an emergency power supply. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure I near the operating conditions, a wide subcooling margin to saturation can be obtained in the loops.

APPLICABILITY The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, Applicability has been designated for MDDES 1 and 2. The Applicability is also provided for MODE 3. It is assumed pressurizer level is under steady state conditions. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational (continued)

PALO VERDE UNITS 1,2,3 B 3.4.9-3 REVISION 34 CORRECTED PAGE

Pressurizer B 3.4.9 BASES APPLICABILITY perturbation, such as reactor coolant pump startup. The (continued) LCO does not apply to MODE 5 (Loops Filled) because LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP)

System," applies. The LCO does not apply to MODES 5 and 6 with partial loop operation. Also, a Note has been added to indicate the limit on pressurizer level may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP.

In MODES 1, 2. and 3, there is the need to maintain the availability of pressurizer heaters capable of being powered from an emergency power supply. In the event of a loss of offsite power, the initial conditions of these MODES gives the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODES 4, 5, or 6, it is not necessary to control pressure (by heaters) to ensure loop subcooling for heat transfer when the Shutdown Cooling System is in service and therefore the LCO is not applicable.

ACTIONS A.1 and A.2 With pressurizer water level not within the limit, action must be taken to restore the plant to operation within the bounds of the safety analyses. To achieve this status, the unit must be brought to MODE 3,with the reactor trip breakers open, within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

This takes the plant out of the applicable MODES and restores the plant to operation within the bounds of the safety analyses.

Six hours is reasonable, based on operating experience, to reach MODE 3 from full power inan orderly manner and without challenging plant systems. Further pressure and temperature reduction to MODE 4 brings the plant to a MODE where the LCO isnot applicable. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time to reach the nonapplicable MODE is reasonable based on operating experience for that evolution.

(continued)

PALO VERDE UNITS 1,2,3 B 3.4.9-4 REVISION 0

RCS PIV Leakage B 3.4.15 BASES SURVEILLANCE SR 3.4.15.1 (continued)

REQUIREMENTS For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage tested, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost.

Testing is to be performed every 9 months, but may be extended up to 13 months, a typical refueling cycle, if the plant does not go into MODE 5 for at least 7 days. The 18 month Frequency is consistent with 10 CFR 50.55a(g)

(Ref. 8). is within frequency allowed by the American Society of Mechanical Engineers (ASME) Code,Section XI (Ref. 7). and is based on the need to perform the Surveillance under conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

In addition, testing must be performed once after the valve has been opened by flow or exercised to ensure tight reseating. PIVs disturbed in the performance of this Surveillance shoild also be tested unless documentation shows that an infinite testing loop cannot practically be avoided. Testing must be performed within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after the valve has been reseated. Within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is a reasonable and practical time limit for performing this test after opening or reseating a valve.

The SDC PIVs excepted in two of the three FREQUENCIES are UV-651, UV-652, JV-653. and UV-654, due to position indication of the valves in the control room.

Although not explicitly required by SR 3.4.15.1, performance of leakage testing to verify leakage is below the specified limit must be performed prior to returning a valve to service following maintenance, repair or replacement work on the valve in order to demonstrate operability.

The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2. This permits leakage testing at high differential pressures with stable conditions not possible in the MODES with lower pressures.

(continued)

PALO VERDE UNITS 1.2,3 B 3.4.15-5 REVISION 0

RCS PIV Leakage B 3.4.15 BASES SURVEILLANCE SR 3.4.15.1 (continued)

REQUIREMENTS Entry into MODES 3 and 4 is allowed to establish the necessary differential pressures and stable conditions to allow for performance of this Surveillance. The Note that allows this provision is complimentary to the Frequency of prior to entry into MODE 2 whenever the unit has been in MODE 5 for 7 days or more, if leakage testing has not been performed in the previous 9 months. In addition, this Surveillance is not required to be performed on the SDC System when the SDC System is aligned to the RCS in the shutdown cooling mode of operation. PIVs contained in the SDC shutdown cooling flow path must be leakage rate tested after SDC is secured and stable unit conditions and the necessary differential pressures are established.

SR 3.4.15.2 Verifying that the SDC open permissive interlocks are OPERABLE, when tested as described in Reference 10, ensures that RCS pressure will not pressurize the SDC system beyond 125% of its design pressure of 485 psig. The interlock setpoint that prevents the valves from being opened is set so the actual RCS pressure must be <410 psia to open the valves. This setpoint ensures the SDC design pressure will not be exceeded and the SDC relief valves (Reference 9) will not lift. The 18 month Frequency is based on the need to perform this Surveillance under conditions that apply during a plant outage. The 18 month Frequency is also acceptable based on consideration of the design reliability (and confirming operating experience) of the equipment.

(continued)

PALO VERDE UNITS 1.2,3 B 3.4.15-6 REVISION 35

RCS PIV Leakage B 3.4.15 BASES (continued)

REFERENCES 1. 10 CFR 50.2.

2. 10 CFR 50.55a(c).
3. 10 CFR 50, Appendix A.Section V, GDC 55.
4. WASH-1400 (NUREG-75/014). Appendix V. October 1975.
5. NUREG-0677. May 1980.
6. UFSAR. Section 3.9.6.2
71. ASME, Boiler and Pressure Vessel Code,Section XI.
8. 10 CFR 50.55a(g).
9. T.S. LCO 3.4.13 (LTOP)
10. UFSAR Section 7.6.2.2.1. (4.10).

PALO VERDE UNIIS 1.2.3 B 3.4.15-7 REVISION 35

w d . .

?S3

  • n  ;-

. 7.,

7 . . .

. , A\ .

e....

-' ^! . . .

S.. .

This page intentionally blank

SITs-Operating B 3.5.1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.1 Safety Injection Tanks (SITs) - Operating BASES BACKGROUND The functions of the four SITs are to supply water to the reactor vessel during the blowdown phase of a Loss of Coolant Accident (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a small break LOCA.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refill phase of a LOCA follows immediately where reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of the SITs' inventory is then available to help fill voids in the lower Plenum and reactor vessel downcomer to establish a recovery evel at the bottom of the core and ongoing reflood of the core with the addition of Safety Injection (SI) water.

The SITs are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The SITs are passive components, since no operator or control action is required for them to perform their function. Internal tank pressure is sufficient to discharge the contents to the RCS, if RCS pressure decreases below the SIT pressure.

Each SIT is piped into one RCS cold leg via the injection lines utilized by the High Pressure Safety Injection and Low Pressure Safety Injection (HPSI and LPSI) Systems. Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. The motor operated isolation valves are normally open. with power removed from the valve motor to prevent inadvertent closure prior to or during an accident.

(continued)

PALO VERDE UNIIS 1.2,3 B 3.5.1-1 REVISION 0

SITs-Operating B 3.5.1 BASES BACKGROUND Additionally, the isolation valves are interlocked with the (continued) pressurizer pressure instrumentation channels to ensure that the valves will automatically open as RCS pressure increases above SIT pressure and to prevent inadvertent closure prior to an accident. The valves also receive a Safety Injection Actuation Signal (SIAS) to open. These features ensure that the valves meet the requirements of the Institute of Electrical and Electronic Engineers (IEEE) Standard 279-1971 (Ref. 1) for "operating bypasses" and that the SITs will be available for injection without reliance on operator action.

During operations at RCS pressure greater than 430 psia the SIT isolation valves are procedurally locked open and motive power is removed with the breakers locked open.

The open and closure interlocks are tested as described in UFSAR 7.6.2.2.2 (Reference 7). The open interlock is functionally tested per Reverence 8 (TRM. T3.5 (ECCS): TSR 3.5.200.4). The SIAS function to open these valves is tested per Reference 8 using the method described in Reference 7.

The SIT gas and water volumes, gas pressure, and outlet pipe size are selected to allow three of the four SITs to partially recover the core before significant clad melting or zirconium water reaction can occur following a LOCA. The need to ensure that three SITs are adequate for this function is consistent with the LOCA assumption that the entire contents of one SIT will be lost via the break during the blowdown phase of a LOCA.

APPLICABLE The SITs are taken credit for in both the large and small SAFETY ANALYSES break LOCA analyses at full power (Ref. 2). These are the Design Basis Accidents (DBAs) that establish the acceptance limits for the SITs. Reference to the analyses for these DBAs is used to assess changes to the SITs as they relate to the acceptance limits.

In performing the LOCA calculations, conservative assumptions are made concerning the availability of SI flow. These assumptions include signal generation time, equipment starting times, and delivery time due to system piping. In the early stages of a LOCA with a loss of offsite power, the SITs provide the sole source of makeup water to the RCS. (The assumption of a loss of offsite power is required by regulations.) This is because the LPSI pumps and HPSI pumps cannot deliver flow until the Diesel Generators (DGs) start, come to rated speed, and go through their timed loading sequence. In cold leg breaks, the entire contents of one SIT are assumed to be lost through the break during the blowdown and reflood phases.

The limiting large break LOCA is a double ended guillotine cold leg break at the discharge of the reactor coolant pump.

(continued)

PALO VERDE UNITS 1,2,3 B 3.5.1-2 REVISION 35

SITs-Operating B 3.5.1 BASES (continued)

SURVEILLANCE SR 3.5.1.1 REQUIREMENTS Verification every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> that each SIT isolation valve is fully open, as indicated in the control room, ensures that SITs are available for injection and ensures timely discovery if a valve should be partially closed. If an isolation valve -isnot fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. A :L2 hour Frequency is considered reasonable in view of other administrative controls that ensure the unlikelihood of a mispositioned isolation valve.

SR 3.5.1.2 and SR 3.5.1.3 SIT borated water volume and nitrogen cover pressure should be verified to be within specified limits every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> in order to ensure adequate injection during a LOCA. Due to the static design of the SITs, a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency usually allows the operator sufficient time to identify changes before the limits are reached. Operating experience has shown this Frequency to be appropriate for early detection and correction of off normal trends.

SR 3.5.1.4 Thirty-one days is reasonable for verification to determine that each SIT's boron concentration is within the required limits, because the static design of the SITs limits the ways in which the concentration can be changed. The 31 day Frequency is adequate to identify changes that could occur from mechanisms such as stratification or inleakage.

Verification of boron concentration by performing a calculation based on level increase, RCS boron concentration, and last sample results; or by sampling the affected SIT within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, whenever a SIT is drained to maintain contained borated water level will identify whether inleakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water is from the RWT, because the water contained in the RWT is within the SIT boron concentration requirements. This is consistent with the recommendations of NUREG-1366 (Ref. 5).

(continued)

PALO VERDE UNITS 1,2.3 B 3.5.1-9 REVISION 0

SITs-Operating B 3.5.1 BASES (continued)

SURVEILLANCE SR 3.5.1.5 REQUIREMENTS (continued) Verification every 31 days that power is removed from each SIT isolation valve operator ensures that an active failure could not result in the undetected closure of a SIT motor operated isolation valve. If this were to occur, only two SITs would be available for injection, given a single failure coincident with a LOCA. Since installation and removal of power to the SIT isolation valve operators is conducted under administrative control, the 31 day Frequency was chosen to provide additional assurance that power is removed.

SR 3.5.2.5 allows power to be supplied to the motor operated isolation valves when RCS pressure is < 1500 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA.

REFERENCES 1. IEEE Standard 279-1971.

2. UFSAR, Section 6.
3. 10 CFR 50.46.
4. UFSAR, Chapter 15.
5. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements." December 1992.
6. CE NPSD-994. "CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," May 1995.
7. UFSAR Section 7.6.2.2.2.
8. TRM T3.5 (ECCS); TSR 3.5.200.4 PALO VERDE UNITS 1,2,3 B 3.5.1-10 REVISION 35

SITs - Shutdown B 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.2 SITs - Shutdown BASES The functions of the four SITs are to supply water to the reactor vessel during the blowdown phase of a Loss of Coolant Accident (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a small break LOCA.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refill phase of a LOCA follows immediately where reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of the SITs' inventory is then available to help fill voids in the lower lenum and reactor vessel downcomer to establish a recovery evel at the bottom of the core and ongoing reflood of the core with the addition of Safety Injection (SI) water.

The SITs are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The SITs are passive components, since no operator or control action is required for them to perform their function. Internal tank pressure is sufficient to discharge the contents to the RCS, if RCS pressure decreases below the SIT pressure.

(continued)

PALO VERDE UNITS 1,2,3 B 3.5.2-1 REVISION 0

SITs - Shutdown B 3.5.2 BASES BACKGROUND Each SIT is piped into one RCS cold leg via the injection (continued) lines utilized by the High Pressure Safety Injection and Low Pressure Safety Injection (HPSI and LPSI) Systems. Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. The motor operated isolation valves are normally open, with power removed from the valve motor to prevent inadvertent closure prior to or during an accident.

Additionally, the SIT motor operated isolation valves are interlocked with the pressurizer pressure instrumentation channels to ensure that the valves will automatically open as RCS pressure increases above SIT pressure and to prevent inadvertent closure prior to an accident. The valves also receive a Safety Injection Actuation Signal (SIAS) to open.

These features ensure that the valves meet the requirements of the Institute of Electrical and Electronic Engineers (IEEE) Standard 279-1971 (Ref. 1) for "operating bypasses" and that the SITs will be available for injection without reliance on operator action.

During operations at RCS Pressure greater than 430 psia the SIT isolation valves are procedurally locked open and motive power is removed with the breakers locked open.

The open and closure interlocks are tested as described in UFSAR 7.6.2.2.2 (Reference 6). The open interlock is tested per TRM T3.5 (ECCS); TSR 3.5.200.4 (Reference 7).

The SIAS function to open these valves is tested by Reference 7 using the method described in Reference 6.

The SIT gas and water volumes, gas pressure. and outlet pipe size are selected to allow one less than the required SITs to partially recover the core before significant clad melting or zirconium water reaction can occur following a LOCA. The need to ensure that one less than the required SITs are adequate for this function is consistent with the LOCA assumption that the entire contents of one SIT will be lost via the break during the blowdown phase of a LOCA.

APPLICABLE Due to the reduced decay heat removal requirements in MODES SAFETY 3 and 4, and the reduced probability of a Design Basis ANALYSES Accident (DBA). the SITS operational requirements are reduced. The operational requirement allows either three or four SITs to be OPERABLE with a reduced borated water volume.

(continued)

PALO VERDE UNITS 1.2.3 B 3.5.2-2 REVISION 35

SITs - Shutdown B 3.5.2 BASES SURVEILLANCE SR 3.5.2.1 REQUIREMENTS Verification every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> that each required SIT isolation valve is fully open when pressurizer pressure is 2 430 psia as indicated in she control room, ensures that the required SITs are available for injection and ensures timely discovery if a valve should be partially closed. If a required isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. A 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is considered reasonable in view of other administrative controls that ensure the unlikelihood of a mispositioned isolation valve.

SR 3.5.2.2 and SR 3.5.2.3 Borated water volume and nitrogen cover pressure for the required SITs should be verified to be within specified limits every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> in order to ensure adequate injection during a LOCA. Due to the static design of the SITs, a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency usually allows the operator sufficient time to identify changes before the limits are reached.

Operating experience has shown this Frequency to be appropriate for early detection and correction of off normal trends.

SR 3.5.2.4 Thirty-one days is reasonable for verification to determine that each required SIT's boron concentration is within the required limits, because the static design of the SITs limits the ways in which the concentration can be changed.

The 31 day Frequency is adequate to identify changes that could occur from mechanisms such as stratification or inleakage. Verification of boron concentration by performing a calculation based on level increase, RCS boron concentration, and last sample results; or sampling the affected SIT within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> whenever a SIT is drained to maintain contained borated water level will identify whether inleakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water is from the RWT, (continued)

PALO VERDE UNIIS 1.2.3 B 3.5.2-9 REVISION 1

SITs - Shutdown B 3.5.2 BASES SURVEILLANCE SR 3.5.2.4 (continued)

REQUIREMENTS because the water contained in the RWT is within the SIT boron concentration requirements. This is consistent with the recommendations of NUREG-1366 (Ref. 4).

SR 3.5.2.5 Verification every 31 days that power is removed from each required SIT isolation valve operator when the pressurizer pressure is 2 1500 psia ensures that an active failure could not result in the undetected closure of a SIT motor operated isolation valve. If this were to occur, two less than the required SITs would be available for injection, given a single failure coincident with a LOCA.

Since installation and removal of power to the SIT isolation valve operators is conducted under administrative control, the 31 day Frequency was chosen to provide additional assurance that power is removed.

This SR allows power to be supplied to the motor operated isolation valves when pressurizer pressure is < 1500 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA.

REFERENCES 1. IEEE Standard 279-1971.

2. 10 CFR 50.46.
3. UFSAR, Chapter 15.
4. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements," December 1992.
5. CE NPSD-994, "CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," May 1995.
6. UFSAR Section 7.6.2.2.2
7. TRM T3.5 (ECCS); TSR 3.5.200.4 PALO VERDE UNITS 1,2,3 B 3.5.2-10 REVISION 35

Containment B 3.6.1 B 3.6 CONTAINMI:NT SYSTEMS B 3.6.1 Containment BASES BACKGROUND The containment consists of the concrete Containment Building (CB), its steel liner, and the penetrations through this structure. The structure is designed to contain radioactive material that may be released from the reactor core following a design basis Loss of Coolant Accident.

Additionally, this structure provides shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a shallow dome roof. The cylinder wall is prestressed with a post tensioning system in the vertical and horizontal directions, and the dome roof is prestressed utilizing a two way pattern of tendons. whici are an extension of the continuous vertical tendons. The inside surface of the containment is lined with a carbon steel liner to ensure a high degree of leak tightness during operating and accident conditions.

The concrete CB is required for structural integrity of the containment under Design Basis Accident (DBA) conditions.

The steel liner and its penetrations establish the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment.

SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50.

Appendix J. Option B (Ref. 1). as modified by approved exemptions.

The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either:
1. capable of being closed by an OPERABLE automatic containment isolation system, or (continued)

PALO VERDE UNITS 1.2,3 B 3.6.1-1 REVISION 0

Containment B 3.6.1 BASES (continued)

BACKGROUND 2. closed by manual valves, blind flanges, or (continued) de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves":

b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks": and
c. All equipment hatches are closed.

APPLICABLE The safety design basis for the containment is that the SAFETY ANALYSES containment must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

The DBAs that result in a release of radioactive material within containment are a Loss Of Coolant Accident (LOCA), a Main Steam Line Break (MSLB), a feedwater line break, and a control element assembly ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.1% of containment air mass per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated maximum peak containment pressure (Pa) of 52.0 psig for units operating at 3876 MWt RTP, 58.0 psig for unit operating at 3990 MWt RTP, which results from the limiting design basis LOCA.

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii)

LCO Containment OPERABILITY is maintained by limiting leakage to

< 1.0 La, except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applicable leakage limits must be met.

(continued)

PALO VERDE UNITS 1,2,3 B 3.6.1-2 REVISION 35

Containment Air Locks B 3.6.2 B 3.6 CONTAINMI-NT SYSTEMS B 3.6.2 Containment Air Locks BASES BACKGROUND Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation.

Each air lock is nominally a right circular cylinder, 9 ft.-6 inches in diameter, with a door at each end. The doors are interlocked to prevent simultaneous opening.

During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an increase in containment internal pressure results in increased sealing force on each door).

Each personnel air lock is provided with limit switches on both doors that 'Drovide local indication of door position.

The containment air locks form part of the containment pressure boundar~y. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate witiin limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analysis.

(continued)

PALO VERDE UNITS 1,2,3 B 3.6.2-1 REVISION 0

Containment Air Locks B 3.6.2 BASES (continued)

APPLICABLE The DBAs that result in a release of radioactive material SAFETY ANALYSES within containment are a Loss Of Coolant Accident (LOCA), a Main Steam Line Break (MSLB), a feedwater line break, and a control element assembly (CEA) ejection accident (Ref. 2).

In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.1% of containment air mass per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J. Option B. as the maximum allowable containment leakage rate at the calculated peak containment internal pressure Pa [52.0 psig for units operating at 3876 MWt RTP, and 58.0 psig for unit operating at 3990 MWt RTP],

following a design basis LOCA. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.

The containment air locks satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE.

Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events.

Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into or exit from containment.

(continued)

PALO VERDE UNITS 1,2.3 B 3.6.2-2 REVISION 35

Containment Pressure B 3.6.4 B 3.6 CONTAINMENT SYSTEMS B 3.6.4 Containment Pressure BASES BACKGROUND The containment pressure is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a Loss Of Coolant Accident (LOCA) or Main Steam Line Break (MSLB). These limits also prevent the containment pressure from exceeding the containment design negative pressure differential with respect to the outside atmosphere in the event of inadvertent actuation of the Containment Spray System.

Containment pressure is a process variable that is monitored and controlled. The containment pressure limits are derived from the input conditions used in the containment functional analyses and the containment structure external pressure analysis. Should operation occur outside these limits coincident with a Design Basis Accident (DBA), post accident containment pressures could exceed calculated values.

APPLICABLE Containment internal pressure is an initial condition used SAFETY ANALYSES in the DBA analyses to establish the maximum peak containment internal pressure. The limiting DBAs considered for determining the maximum contairment internal pressure (Pa) are the LOCA and MSLB. A double encded discharge line break LOCA with maximum ECCS results in the highest calculated internal containment pressure of 52.0 psig for units operating at 3876 MWt RTP, and 58.0 psig for unit operating at 3990 MWt RTP, which is below the internal design pressure of 60 psig. The postulated DBAs are analyzed assuming degraded containment Engineered Safety Feature (ESF) Systems (i.e., assuming the loss of one ESF bus, which is the worst case single active failure, resulting in one train of the Containment Spray System being rendered inoperable). It is this maximum containment pressure that is used to ensure that the licensing basis dose limitations are met.

The initial pressure condition used in the containment analysis bounds the containment pressure allowed during normal operation.

The LCO limit of 2.5 psig ensures that, in the event of an accident, the maximum peak containment internal pressure, 52.0 psig for units operating at 3876 MWt RTP, and 58.0 psig for unit operating at 3990 MWt RTP, and the maximum accident design pressure for containment, 60 psig, are not exceeded.

(continued)

PALO VERDE UNITS 'L,2,3 Ed3.6.4-1 REVISION 35

Containment Pressure B 3.6.4 BASES APPLICABLE The containment was also designed for an excess external SAFETY ANALYSES pressure of 4.0 psig to withstand the resultant pressure (continued) drop from an accidental actuation of the Containment Spray System. The maximum external pressure that would occur as a result of this transient is -3.5 psig based on an initial containment pressure of -1.0 psig (the lower Technical Specification limit plus instrument uncertainty) and the calculated pressure drop of 2.5 psi.

The upper LCO limit of 2.5 psig does not compensate for any instrument inaccuracies. Use of an indicated limit of 1.8 psig ensures that the actual limit of 2.5 psig will not be exceeded.

The lower LCO limit of -0.3 psig has been derived to account for instrument inaccuracies. The indicated limit of

-0.3 psig ensures that the actual limit of -1.0 psig will not be exceeded.(Ref. 3)

Containment pressure satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO Maintaining containment pressure less than or equal to the LCO upper pressure limit ensures that, in the event of a DBA, the resultant peak containment accident pressure will remain below the containment design pressure. Maintaining containment pressure greater than or equal to the LCO lower pressure limit ensures that the containment will not exceed the design negative pressure differential following the inadvertent actuation of the Containment Spray System.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. Since maintaining containment pressure within limits is essential to ensure initial conditions assumed in the accident analysis are maintained, the LCO is applicable in MODES 1, 2, 3, and 4.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment pressure within the limits of the LCO is not required in MODE 5 or 6.

(continued)

PALO VERDE UNITS 1,2,3 B 3.6.4-2 REVISION 1

Containment Spray System B 3.6.6 BASES BACKGROUND The Containment Sp ray System accelerates the air mixing (continued) process between The upper dome space of the containment atmosphere during LOCA operations. It also prevents any hot spot air pockets during the containment cooling mode and avoids any hydrogen concentration in pocket areas.

APPLICABLE The Containment Spray System limits the temperature and SAFETY ANALYSES pressure that could be experienced following a DBA. The Containment Spray System is required to be capable of reducing containment pressure to 1/2 the peak pressure within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> following a DBA. The limiting DBAs considered relative to containment temperature and pressure are the Loss Of Coolant Accident (LOCA) and the Main Steam Line Break (MSLB). The DBA LOCA and MSLB are analyzed using computer codes designed to predict the resultant containment pressure and temperature transients. No DBAs are assumed to occur simultaneously or consecutively. The postulated DBAs are analyzed with regard to containment ESF systems, assuming the loss of one ESF bus, which is the worst case single active failure, resulting in one train of the Containment Spray System being rendered inoperable.

The analysis and evaluation show that under the worst case scenario, the highest peak containment pressure is 52.0 psig for units operating at 3876 MWt RTP, and 58.0 psig for unit operating at 3990 MWt RTP (experienced during a LOCA). The analysis shows that the peak containment vapor temperature is 405.65 0F (experienced during a MSLB). Both results are within the design. (See the Bases for Specifications 3.6.4, "Containment Pressure," and 3.6.5, "Containment Air Temperature." for a detailed discussion.) The analyses and evaluations assume a power level of 102% RTP, one containment spray train operating, and initial (pre-accident) conditions of 120 0F and 16.7 psia (LOCA) and 13.22 psia (MSLB). The analyses also assume a response time delayed initiation in order to provide a conservative calculation of peak containment pressure and temperature responses.

The effect of an inadvertent containment spray actuation has been analyzed. An inadvertent spray actuation reduces the containment pressure to -2.6 psig due to the sudden cooling effect in the interior of the air tight containment.

Additional discussion is provided in the Bases for Specification 3.6.4.

(continued)

PALO VERDE UNITS 1,2,3 B 3.6.6-3 REVISION 35

Containment Spray System B 3.6.6 BASES APPLICABLE The modeled Containment Spray System actuation from the SAFETY ANALYSES containment analysis is based upon a response time (continued) associated with exceeding the containment High-High pressure setpoint to achieve full flow through the containment spray nozzles. The Containment Spray System total response time includes diesel generator startup (for loss of offsite power), block loading of equipment, containment spray pump startup, and spray line filling (Ref. 2).

The Containment Spray System mixes the containment atmosphere to provide a uniform hydrogen concentration.

Hydrogen may accumulate in containment following a LOCA as a result of:

a. A metal steam reaction between the zirconium fuel rod cladding and the reactor coolant:
b. Radiolytic decomposition of water in the Reactor Coolant System (RCS) and the containment sump:
c. Hydrogen in the RCS at the time of the LOCA (i.e..

hydrogen dissolved in the reactor coolant and hydrogen gas in the pressurizer vapor space): or

d. Corrosion of metals exposed to Containment Spray System and Emergency Core Cooling Systems solution.

To evaluate the potential for hydrogen accumulation in containment following a LOCA. the hydrogen generation as a function of time following the initiation of the accident is calculated. Conservative assumptions recommended by Reference 8 are used to maximize the amount of hydrogen calculated.

The Containment Spray System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO During a DBA. one containment spray train is required to maintain the containment peak pressure and temperature below the design limits (Ref. 5). to remove iodine from the containment atmosphere to maintain concentrations below those assumed in the safety analysis, and provide hydrogen mixing. To ensure that these requirements are met, two containment spray trains must be OPERABLE. Each spray train must be capable of taking suction from the RWT on a (continued)

PALO VERDE UNITS 1.2,3 B 3.6.6-4 REVISION 7

MSSVs B 3.7.1 BASES ACTIONS D.1 (continued)

When more than eight required MSSVs per steam generator are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR verifies the OPERABILITY of the MSSVs by the verification of each MSSV lift setpoints in accordance with the Inservice Testing Program. The ASME Code,Section XI (Ref. 4). requires that safety and relief valve tests be performed in accordance with ANSI/ASME OM-1-1987 (Ref. 5).

According to Reference 5, the following tests are required for MSSVs:

a. Visual examination:
b. Seat tightness determination:
c. Setpoint pressure determination (lift setting):
d. Compliance with owner's seat tightness criteria; and
e. Verificaticn of the balancing device integrity on balanced valves.

The ASME Standard requires that all valves be tested every 5 years, and a minimum of 20% of the valves tested every 24 months. The ASME Code specifies the activities and frequencies necessary to satisfy the requirements.

Table 3.7.1-2 allows a +/- 3% setpoint tolerance for OPERABILITY: however, the valves are reset to +/- 1% during the Surveillance to allow for drift.

PALO VERDE UNITS 1.2,3 B 3.7.1-5 REVISION 34

MSSVs B 3.7.1 BASES SURVEILLANCE SR 3.7.1.1 (continued)

REQUIREMENTS (continued) This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. This is to allow testing of the MSSVs at hot conditions. The MSSVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the MSSVs are not tested at hot conditions, the lift setting pressure shall be corrected to ambient conditions of the valve at operating temperature and pressure.

REFERENCES 1. UFSAR, Section 5.2.

2. ASME, Boiler and Pressure Vessel Code,Section III, Article NC-7000, Class 2 Components.
3. UFSAR, Section 15.2.
4. ASME, Boiler and Pressure Vessel Code,Section XI, Subsection IWV.
5. ANSI/ASME OM-1-1987.

PALO VERDE UNITS 1,2,3 B 3.7.1-6 REVISION 28 CORRECTED PAGE

AC Sources - Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating BASES BACKGROUND The unit Class lE Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources: normal and alternate(s)), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As required by 10 CFR 50. Appendix A, GDC 17 (Ref. 1). the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Features (ESF) systems.

The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed. Each train has connections to two preferred offsite power sources (normal and alternate) and a single DG.

Offsite power is supplied to the unit switchyard from the transmission network by seven transmission lines. From the I switchyard, two electrically and physically separated circuits provide AC power. through ESF service transformers, to the 4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class lE ESF buses is found in the updated FSAR, Chapter 8 (Ref. 2).

An offsite circuit consists of all breakers, transformers.

switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus or buses.

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the transformer (NBN-X03 and NBN-X04) supplying offsite power to the onsite Class 1E Distribution System. Within 30 seconds after the initiating signal is received, all permanently connected and auto-connected emergency loads needed to recover the unit or maintain it in a safe condition are returned to service via the automatic load sequencer.

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.1-1 REVISION 35

AC Sources - Operating B 3.8.1 BASES BACKGROUND The onsite standby power source for each 4.16 kV ESF bus is (continued) dedicated DG. DG-A and DG-B are dedicated to ESF buses PBA-S03 and PBB-S04, respectively. A DG starts automatically (in emergency mode) on a safety injection actuation signal (SIAS) (i.e.. low pressurizer pressure or high containment pressure signals), auxiliary feedwater actuation signals (AFAS-1 and AFAS-2) (e.g., low steam generator level), or on a loss of power (an ESF bus degraded voltage or undervoltage signal). After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with a SIAS or AFAS signal. Following the loss of offsite power, the sequencer sheds nonpermanent loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.

The DGs will also start and operate in the standby mode (running unloaded) without tying to the ESF bus on a SIAS or AFAS.

In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Within 40 seconds after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each DG is 5500 kW with 10% overload permissible for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period. The ESF loads that are powered from the 4.16 kV ESF buses are listed in the updated FSAR, Chapter 8 (Ref. 2).

Offsite power sources must have the capability to effect a safe shutdown and to mitigate the effects of an accident as specified in Regulatory Guide 1.93 (Ref. 6). As a result of (continued)

PALO VERDE UNITS 1,2,3 B 3.8. 1-2 REVISION 2

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.6 (continued)

This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

Since the design of the fuel transfer system is such that pumps will operate automatically in order to maintain an adequate volume of fuel oil in the day tank during or following DG testing, a 31 day Frequency is appropriate.

SR 3.8.1.7 See SR 3.8.1.2.

SR 3.8.1.8 Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the auto-connected emergency loads. The 18 month Frequency of the Surveillance is based on engineering judgment, taking into consideration the unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note. The reason for the Note is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from normally performing the surveillance in MODE 1 or 2 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated

- (continued)

PALO VERDE UNITS 1.2,3 B 3.8.1-27 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.8 (continued)

OPERABILITY OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance: as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load, or equivalent load, without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. Train A Normal Water Chiller (at 842 kW) and Train B AFW pump (at 936 kW) are the bounding loads for the DG A and DG B to reject, respectively. These values were established in reference 14.

This Surveillance may be accomplished by:

a. Tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while solely supplying the bus; or
b. Tripping its associated single largest post-accident load with the DG solely supplying the bus.

As required by IEEE-308 (Ref. 11). the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower.

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.1-28 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.9 (continued)

REQUIREMENTS (continued) The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals.

The 3 seconds specified is equal to 60% of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are the voltage and frequency values the system must meet, within three seconds, following load rejection. The 18 month Frequency is consistent with the recommendation of Regulatory Guide 1.9 (Ref. 3).

This SR is modified by a Note. The reason for the Note is that performing this SR would remove a required offsite circuit from service, perturb the EDS. and challenge safety systems. This Sk is performed in emergency mode (not paralleled to the grid) ensuring that the DG is tested under load conditions that are as close to design basis conditions as possible.

SR 3.8.1.10 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG will not trip upon loss of the load. These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.

(continued)

PALO VERDE UNITS 1.2,3 B 3.8.1-29 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.10 (continued)

REQUIREMENTS In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is performed using design basis kW loading and maximum kVAR loading permitted during testing. These loads represent the inductive loading that the DG would experience to the extent practicable and is consistent with the guidance of Regulatory Guide 1.9 (Ref. 3). Consistent with the guidance provided in the Regulatory Guide 1.9 full-load rejection test description, the 4950 - 5500 kW band will demonstrate the DG's capability to reject a load equal to 90 to 100 percent of its continuous rating.

Administrative limits have been placed upon the Class 1E 4160 V buses due to high voltage concerns. As a result power factors deviating much from unity are currently not possible when the DG runs parallel to the grid. To the extent practicable, VARs will be provided by the DG during this SR.

The 18 month Frequency is consistent with the recommendation of Regulatory Guide 1.8 (Ref. 3) and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. The reason for the Note is that during operation with the reactor critical, performance of this SR could cause perturbation to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.

SR 3.8.1.11 As required by Regulatory Guide 1.9 (Ref. 3).

paragraph 2.2.4. this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power. including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time.

(continued)

PALO VERDE UNITS 1.2.3 B 3.8.1-30 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS The DG auto-start time of 10 seconds is derived from requirements of -the accident analysis. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.

The requirement to verify the connection and power supply of permanent and auto-connected emergency loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or shutdowi cooling (SDC) systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified to the extent possible ensuring power is available to the component.

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by four Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3. and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, (continued)

PALO VERDE UNITS 1.2,3 B 3.8.1-31 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with the failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system within they are tied together or operated independently for the partial surveillance: as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment. Note 3 states that momentary voltage and frequency transients induced by load changes do not invalidate this test. Note 4 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are 2 4000 and s 4377.2 volts and the analyzed values for the steady-state diesel generator frequency limits are 2 59.7 and : 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 2 4080 and s 4300 volts (Ref. 12). and

> 59.9 and s 60.5 hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

SR 3.8.1.12 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis accident signal (LOCA) signal, and subsequently achieves steady state required voltage and frequency ranges, and operates for 2 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and auto-connected emergency loads (auto-connected through the (continued)

PALO VERDE UNITS 1.2,3 B 3.8.1-32 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.12 (continued)

REQUIREMENTS automatic load sequencer) are energized from the offsite electrical power system on an ESF signal without loss of offsite power.

The requirement to verify the connection of permanent and auto-connected erergency loads is intended to satisfactorily show the relationship of these loads to the offsite circuit loading logic. Zn certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or SDC systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the offsite circuit system to perform these functions is acceptable.

This testing may include any series of sequential, overlapping, or zotal steps so that the entire connection and loading sequence is verified to the extent possible ensuring power is available to the component.

The Frequency of 18 months takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.1-33 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.12 (continued)

REQUIREMENTS This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing this SR would remove a required offsite circuit from service, perturb the EDS, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance.

corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes.

These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1. 2, 3. or 4. Risk insights or deterministic methods may be used for this assessment. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are 2 4000 and s 4377.2 volts and the analyzed values for the steady-state diesel generator frequency limits are 2 59.7 and 5 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error are 2 4080 and s 4300 volts (Ref. 12). and 2 59.9 and s 60.5 hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

(continued)

PALO VERDE UNITS 1.2.3 B 3.8.1-34 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.13 REQUIREMENTS (continued) This Surveillance demonstrates that DG and its associated 4.16 KV output breaker noncritical protective functions (e.g.. high jacket water temperature) are bypassed on a loss of voltage signa concurrent with an ESF actuation test signal, and critical protective functions (engine overspeed, generator differential current, engine low lube oil pressure, and manual emergency stop trip). trip the DG to avert substantial damage to the DG unit. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.

The 18 month Frequency is based on engineering judgment.

taking into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.8.1.14 Regulatory Guide 1.9 (Ref. 3). paragraph 2.2.9, requires demonstration once per 18 months that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. 2 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of which is at a load equivalent to 103, to110% of the continuous rating of the DG (5775 - 6050 kW) and 2 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> at a load equivalent to 90 to 100% of the continuous duty rating of the DG (4950 - 5500 kW). The DG starts for this Surveillance can be performed either from normal keep-warm or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR (Note 3 and Note 4).

(continued)

PALO VERDE UNITS 1.2.3 B 3.8.1-35 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.14 (continued)

REQUIREMENTS In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing is performed using design basis kW loading and maximum kVAR loading permitted during testing. These loads represent the inductive loading that the DG would experience to the extent practicable and is consistent with the intent of Regulatory Guide 1.9 (Ref. 3). Administrative limits have been placed upon the Class 1E 4160 V buses due to high voltage concerns. As a result, power factors deviating much from unity are currently not possible when the DG runs parallel to the grid. To the extent practicable, VARs will be provided by the DG during this SR.

The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3),

paragraph 2.2.9, takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by four Notes. Note 1 states that momentary variations due to changing bus loads do not invalidate the test. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2. and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR (Note 3 and Note 4).

SR 3.8.1.15 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 10 seconds, and subsequently achieves steady state required voltage and frequency ranges. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3),

paragraph 2.2.10.

(continued)

PALO VERDE UNITS 1.2,3 B 3.8.1-36 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.15 (continued)

REQUIREMENTS This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Per the guidance in Regulatory Guide 1.9. this SR would demonstrate the hot restart functional capability at full-load temperature conditions, after the DG has operated for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> (or until operating temperatures have stabilized) at full load.

Momentary transients due to changing bus loads do not invalidate the test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy.

The analyzed values for the steady-state diesel generator voltage limits are 2 4000 and

  • 4377.2 volts and the analyzed values *for the steady-state diesel generator frequency limits are 2 59.7 and s 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 2 4080 and 5 4300 volts (Ref. 12). and 2 59.9 and s 60.5 hertz (Ref. 13).

respectively. If digital Maintenance and Testing Equipment (M&TE) is used iistead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

SR 3.8.1.16 As required by Regulatory Guide 1.9 (Ref. 3).

paragraph 2.2.11. this Surveillance ensures that the manual synchronization and load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, in standby operation (running unloaded), the output breaker is open and can receive an autoclose signal on bus undervoltage. and the load sequence timers are reset.

(continued)

PALO VERDE UNIIS 1.2.3 B 3.8.1-37 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.16 (continued)

REQUIREMENTS The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), and takes into consideration unit conditions required to perform the Surveillance.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1. 2, 3, and 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance: as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.17 Demonstration of the test mode override ensures that the DG availability under accident conditions will not be compromised as the result of testing and the DG will automatically reset to ready-to-load operation if a LOCA actuation signal (e.g., simulated SIAS) is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage, in standby operation (running unloaded) with the DG output breaker open. These provisions for automatic switchover are required by IEEE-308 (Ref. 12), paragraph 6.2.6(2) and Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.13.

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.1-38 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.17 (continued)

REQUIREMENTS The requirement :o automatically energize the emergency loads with offsi:e power is essentially identical to that of SR 3.8.1.12. The intent in the requirement associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable.

This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance. and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. The reason for the Note is that performing :he Surveillance would remove a required offsite circuit from service, perturb the electrical distribution sys-em, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following correc ive maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPE-RABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall. as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of :he offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

(continued)

PALO VERDE UNITS 1,2,3 133.8. 1-39 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.18 REQUIREMENTS (continued) Under accident and loss of offsite power conditions loads are sequentially connected to the bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents.

The 1 second load sequence time tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. FSAR. Chapter 8 (Ref. 2) provides a summary of the automatic loading of ESF buses.

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3).

paragraph 2.2.4. takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2. 3. and 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification.

deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance: as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

(continued)

PALO VERDE UNITS 1.2,3 B 3.8.1-40 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.19 REQUIREMENTS (continued) In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates the DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal inconjunction with an ESF actuation signal. Inlieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions isacceptable. This testing may include any series of sequen ial, overlapping, or total steps so that the entire connection and loading sequence isverified. The Frequency of 18 months takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 18 months.

This SR ismodified by three Notes. The reason for Note 1 isto minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is,with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs. The reason for Note 2 isthat performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance inMODE 1,2.3, and 4 isfurther amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety ismaintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance: as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety ismaintained or enhanced when portions of the surveillance are performed inMODE 1,2,3, (continued)

PALO VERDE UNITS 1,2,3 B 3.8.1-41 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.19 (continued)

REQUIREMENTS or 4. Risk insights or deterministic methods may be used for this assessment. Note 3 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyze values for the steady-state diesel generator voltage limits are 2 4000 and s 4377.2 volts and the analyzed values for the steady-state diesel generator frequency limits are 2 59.7 and s 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 2 4080 and

  • 4300 volts (Ref.12), and 2 59.9 and 5 60.5 hertz (Ref.13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.

The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), paragraph 2.3.2.4 and Regulatory Guide 1.137 (Ref. 9).

This SR is modified by two Notes. The reason for Note 1 is to minimize wear on the DG during testing. Note 2 states that the steady state voltage and frequency limits are analyzed values and have not been adjusted for instrument accuracy. The analyzed values for the steady-state diesel generator voltage limits are 2 4000 and (continued)

PALO VERDE UNITS 1.2,3 B 3.8.1-42 REVISION 35

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.20 (continued)

REQUIREMENTS s 4377.2 volts and the analyzed values for the steady-state diesel generator frequency limits are 2 59.7 and 5 60.7 hertz. The indicated steady state diesel generator voltage and frequency limits, using the panel mounted diesel generator instrumentation and adjusted for instrument error, are 2 4080 and s 4300 volts (Ref. 12). and 2 59.9 and s 60.5 hertz (Ref. 13), respectively. If digital Maintenance and Testing Equipment (M&TE) is used instead of the panel mounted diesel generator instrumentation, the instrument error may be reduced, increasing the range for the indicated steady state voltage and frequency limits.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 17

2. Updated FSAR, Chapter 8
3. Regulatory Guide 1.9, Revision 3, "Selection, Design, Qualification and Testing of Emergency Diesel Generator Units Used as Class lE Onsite Electric Power Systems at Nuclear Power Plants." July 1993.
4. Updated FSAR, Chapter 6
5. Updated FSAR. Chapter 15
6. Regulatory Guide 1.93, "Availability of Electric Power Sources." Revision 0. December 1974.
7. GL 84-15. "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July 2. 1984.
8. 10 CFR 50, Appendix A, GDC 18
9. Regulatory Guide 1.137, "Fuel Oil Systems for Standby Diesel Generators," Revision 1. October 1979.
10. ANSI C84.1-1982
11. IEEE Standard 308-1974, "IEEE Standard Criteria for Class 1E Pcwer Systems for Nuclear Power Generating Stations."

(continued)

PALO VERDE UNITS 1,2.3 B 3.8.1-43 REVISION 35

AC Sources - Operating B 3.8.1 BASES REFERENCE 12. Calculation 13-EC-PE-123. "Diesel Generator voltage (continued) meter loop E-PEN-EI-G01/G02 uncertainty calculation."

13. Calculation 13-EC-PE-124. "Diesel Generator frequency meter loop E-PEN-SI-G01/G02 uncertainty calculation."
14. Calculation 13-MC-DG-401 PALO VERDE UNITS 1.2,3 B 3.8.1-44 REVISION 35

Diesel Fuel Oil, Lube Oil. and Starting Air B 3.8.3 BASES APPLICABILITY air are required to be within limits when the associated DG (continued) is required to be OPERABLE.

ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation.

and subsequent inoperable DG subsystem are governed by separate Condition entry and application of associated Required Actions.

A.1 In this Condition (i.e., < 80% indicated fuel level), the 7 day fuel oil supply (68,900 gallon of fuel) for a DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply (59.800 gallons of fuel). These circumstances may be caused by events such as full load operation required after an inadvertent star-: while at minimum required level; or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (2 6 days or 2 71% indicated fuel level), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

B.1 With lube oil inventory < 2.5 inches visible in the sightglass, sufficient lubricating oil to support 7 days of continuous DG op2ration at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply.

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.3-3 REVISION 34 CORRECTED PAGE

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS B.1 (continued)

This restriction allows sufficient time to obtain the requisite replacement volume. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity ( > 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

The normal level of lube oil is maintained at mid-scale visible on the sightglass which ensures sufficient lube oil to support at least 13.5 days of engine operation during periods when the DG is supplying maximum post-LOCA load demand as discussed in the FSAR (Ref. 1). This is based on a conservative lube oil consumption rate of 1.5 gallons per hour and 486 gallons of available lube oil between the top of the lube oil suction pipe in the engine crankcase (minimum available level) and the mid-scale position on the sightglass. 252 gallons or 7 days of available lube oil is actually indicated at 1 inch visible in the sightglass.

With 2 2.5 inches visible in the sightglass, a conservative supply of lube oil is ensured for 7 days of full load operation.

C.1 This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling),

contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend.

Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.

(continued)

PALO VERDE UNITS 1.2.3 B 3.8.3-4 REVISION 0

DC Sources - Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.2 REQUIREMENTS (continued) Visual inspection to detect corrosion of the battery cells and connections, or measurement of the resistance of each inter-cell, inter-rack, inter-tier, and terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The limits established for this SR are based on calculation 1,2,3ECPK207 which states that if every terminal connection were to degrade to 150E-6 ohms, there would be sufficient battery capacity to satisfy the DBA Duty Cycle (Ref. 13).

The Surveillance Frequency for these inspections, which can detect conditions that can cause power losses due to resistance heating, is 92 days. This Frequency is considered acceptable based on operating experience related to detecting corrosion trends.

SR 3.8.4.3 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function).

This SR is consistent with IEEE-450 (Ref. 9), which recommends detailed visual inspection of cell condition and rack integrity. The 18 month Surveillance Frequency is consistent with expected fuel cycle length, minimizing battery testing while on line that could result in rendering the batteries inoperable.

SR 3.8.4.4 and SR 3.8.4.5 Visual inspection and resistance measurements of inter-cell, inter-rack, inter-tier, and terminal connections provide an indication of physical damage or abnormal deterioration that could indicate degraded battery condition. The anticorrosion material is used to help ensure good electrical connections and to reduce terminal deterioration.

(continued)

PALO VERDE UNIIS 1,2,3 B 3.8.4-7 REVISION 35

DC Sources - Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.4 and SR 3.8.4.5 (continued)

REQUIREMENTS (continued) The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection. The removal of visible corrosion is a preventive maintenance SR. The presence of visible corrosion does not necessarily represent a failure of this SR provided visible corrosion is removed during performance of SR 3.8.4.4.

The connection resistance limits for SR 3.8.4.5 is based on calculation 1.2,3ECPK207 which states that if every terminal connection were to degrade to 150E-6 ohms there would be sufficient battery capacity to satisfy the DBA Duty Cycle (Ref. 13).

The Surveillances are consistent with IEEE-450 (Ref. 9),

which recommends cell to cell and terminal connection resistance measurement. The 18 month Surveillance Frequency is consistent with expected fuel cycle length.

minimizing battery testing while on line that could result in rendering the batteries inoperable.

SR 3.8.4.6 This SR requires that each required battery charger be capable of supplying 400 amps for batteries A and B and 300 amps for batteries C and D. and 125 V for 2 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. These requirements are based on the design capacity of the chargers (Ref. 4). According to Regulatory Guide 1.32 (Ref. 10). the battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensures that these requirements can be satisfied.

The Surveillance Frequency is acceptable, given the unit conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance during these 18 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle length.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance on the charger credited for (continued)

PALO VERDE UNITS 1.2,3 B 3.8.4-8 REVISION 35

DC Sources - Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.6 (continued)

REQUIREMENTS OPERABILITY would perturb the electrical distribution system and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, and 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3. or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.4.7 A battery service test is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate aid test length should correspond to the design duty cycle requirements as specified in Reference 4.

The Surveillance Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.32 (Ref. 10) and Regulatory Guide 1.129 (Ref. 11). which state that the battery service test should be performed during refueling operations, or at some other outage, with intervals between tests not to exceed 18 months.

This SR is modified by two Notes. Note 1 allows the performance of a battery performance discharge test or a modified performance discharge test in SR 3.8.4.8 in lieu of a service test since both performance discharge test parameters envelope the service test. The reason for Note 2 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems.

(continued)

PALO VERDE UNITS 1.2.3 B 3.8.4-9 REVISION 35

DC Sources - Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.8 REQUIREMENTS A battery performance discharge test is a test of constant current capacity of a battery, normally done in the "as found" condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.

The modified performance discharge test is a simulated duty cycle consisting of just two rates: the one minute rate published for the battery or the largest current load of the duty cycle (but in no case lower than the performance test rate), followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a rated one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test.

A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.

Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.8. In addition, either of the performance discharge tests may be used to satisfy SR 3.8.4.8 while satisfying the requirements of SR 3.8.4.7 at the same time, because the test parameters envelope the service test described in SR 3.8.4.7.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer rating. A capacity of 80% (low specific gravity cells) or 90% (AT&T) shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The surveillance Frequency for this test is normally 60 months. If the battery shows degradation, or if the (continued)

PALO VERDE UNITS 1.2,3 B 3.8.4-10 REVISION 35

DC Sources - Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.8 (continued)

REQUIREMENTS battery has reached 85% of its expected life and capacity is

< 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Survei-lance Frequency is only reduced to 24 months for batteries that retain capacity 2 100% of the manufacturer's rating. Degradation is indicated when the battery capacity drops by more than 10% (low specific gravity cells) or, 5% (AT&T) relative to its capacity on the previous performance test, or when it is 2 10% (low specific gravity cells) or 2 5% (AT&T) below the manufacturer's rating.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems.

REFERENCES 1. 10 CFR.50, Appendix A, GDC 17.

2. Regulatory Guide 1.6, March 10, 1971.
3. IEEE-308-1974.
4. UFSAR, Chapter 8.3.2.
5. IEEE-485-1933, June 1983.
6. UFSAR, Chapter 6.
7. UFSAR, Chapter 15.
8. Regulatory Guide 1.93, December 1974.
9. IEEE-450-1980.
10. Regulatory Guide 1.32, Revision 0, August 11. 1972.
11. Regulatory Guide 1.129, Revision 1, February 1978.
12. Design Basis Manual "Class lE 125 VDC Power System".
13. Calculation 1,2,3ECPK207 PALO VERDE UNITS 1,2,3 B 3.8.4-11 REVISION 35

C  : s

- w

- i i; -

- 6
  • l r-

+ + + .

W I

. I':; '

Ok:.. .

;f it .

This page intentionally blank

Boron Concentration B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Boron concentration BASES BACKGROUND The limit on the boron concentrations of the Reactor Coolant System (RCS) and the refueling canal, during refueling ensures that the reactor remains subcritical during MODE 6.

Refueling boron concentration is the soluble boron concentration in the coolant in each of these volumes having direct access to the reactor core during refueling.

The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Unit procedures ensure the specified boron concentration in order to maintain an overall core reactivity of keff < 0.95 during fuel handling, with control element assemblies (CEAs) and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowed by unit procedures.

GDC 26 of 10 CFR 50, Appendix A. requires that two independent reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holding the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable of maintaining the reactor subcritical in cold conditions by maintaining the boron concentration.

The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling. After the RCS is cooled and depressurized. the vessel head is unbolted and the head is slowly removed. The refueling canal is flooded with borated water from the refueling water :ank into the open reactor vessel by gravity feeding or by the use of the Shutdown Cooling (SDC) System pumps.

(continued)

PALO VERDE UNITS 1.2.3 B 3.9.1-1 REVISION 34 CORRECTED PAGE

Boron Concentration B 3.9.1 BASES BACKGROUND The pumping action of the SDC System in the RCS and the (continued) natural circulation due to thermal driving heads in the reactor vessel and the refueling canal mix the water to obtain a uniform concentration. The SDC System is in operation during refueling (see LCO 3.9.4. "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level") to provide forced circulation in the RCS and assist in maintaining the boron concentrations in the RCS and the refueling canal above the COLR limit.

APPLICABLE During refueling operations, the reactivity condition of the SAFETY ANALYSES core is consistent with the initial conditions assumed for the boron dilution accident in the accident analysis and is conservative for MODE 6. The boron concentration limit specified in the COLR is based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.

The required boron concentration and the unit refueling procedures that demonstrate the correct fuel loading plan (including full core mapping) ensure the keff of the core will remain < 0.95 during the refueling operation. Hence, at least a 5% Ak/k margin of safety is established during refueling.

During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal and the reactor vessel form a single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.

The limiting boron dilution accident analyzed occurs in MODE 5 (Ref. 2). A detailed discussion of this event is provided in B 3.1.2, "SHUTDOWN MARGIN - Reactor Trip Breakers Closed."

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

(continued)

PALO VERDE UNITS 1,2.3 B 3.9.1-2 REVISION 0

ENCLOSURE 3 PVNGS Technical Specification Bases Revision 36 Insertion Instructions and Replacement Pages

PVNGS Technical Specifications Bases Revision 36 Insertion. Instructions Remove Page: Insert New Page:

Cover page Cover page List of Effective Pages, List of Effective Pages, Pages 1/2 through Pages 1/2 through List of Effective Pages, List of Effective Pages, Page 7/8 Page 7/8 B 3.3.1-27/3.3.1-28 B 3.3.1-27/3.3.1-28 through through B 3.3.1-31/3.3.1-32 B 3.3.1-31/3.3.1-32 B 3.6.3-1/3.6.3-2 B 3.6.3-1/3.6.3-2 through through B 3.6.3-5/3.6.3-6 B 3.6.3-5/3.6.3-6 I

P V'NGS Palo Verde Nuclear GeneratingStation Units 1, 2, and 3 echnica Specification Bases Revision 36 February 9, 2006

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 2.1.1-1 0 B 3.1.4-5 0 B 2.1.1-2 0 B 3.1.5-1 0 B 2.1.1-3 21 B 3.1.5-2 28 B 2.1.1-4 21 B 3.1.5-3 28 B 2.1.1-5 23 B 3.1.5-4 28 B 2.1.2-1 0 B 3.1.5-5 28 B 2.1.2-2 31 B 3.1.5-6 28 B 2.1.2-3 0 B 3.1.5-7 1 B 2.1.2-4 23 B 3.1.5-8 28 B 2.1.2-5 0 B 3.1.5-9 28 B 3.0-1 0 B 3.1.5-10 28 B 3.0-2 0 B 3.1.5-11 28 B 3.0-3 0 B 3.1.6-1 0 B 3.0-4 0 B 3.1.6-2 0 B 3.0-5 0 B 3.1.6-3 0 B 3.0-6 1 B 3.1.6-4 0 B 3.0-7 0 B 3.1.7-1 0 B 3.0-8 0 B 3.1.7-2 0 B 3.0-9 0 B 3.1.7-3 28 B 3.0-10 14 B 3.1.7-4 34 B 3.0-11 14 B 3.1.7-5 25 B 3.0-12 14 B 3.1.7-6 0 B 3.0-13 0 B 3.1.7-7 0 B 3.0-14 0 B 3.1.7-8 0 B 3.0-15 0 B 3.1.7-9 0 B 3.0-16 17 B 3.1.8-1 28 B 3.0-17 17 B 3.1.8-2 28 B 3.0-18 17 B 3.1.8-3 28 B 3.0-19 17 B 3.1.8-4 28 B 3.1.1-1 28 B 3.1.8-5 28 B 3.1.1-2 0 B 3.1.9-1 0 B 3.1.1-3 28 B 3.1.9-2 0 B 3.1.1-4 12 B 3.1.9-3 0 B 3.1.1-5 27 B 3.1.9-4 0 B 3.1.1-6 31 B 3.1.9-5 28 B 3.1.2-1 28 B 3.1.9-6 1 B 3.1.2-2 0 B 3.1.10-1 0 B 3.1.2-3 31 B 3.1.10-2 28 B 3.1.2-4 28 B 3.1.10-3 0 B 3.1.2-5 0 B 3.1.10-4 0 B 3.1.2-6 0 B 3.1.10-5 0 B 3.1.2-7 12 B 3.1.10-6 0 B 3.1.2-8 0 B 3.1.11-1 0 B 3.1.2-9 0 B 3.1.11-2 28 B 3.1.3-1 0 B 3.1.11-3 0 B 3.1.3-2 0 B 3.1.11-4 34 B 3.1.3-3 0 B 3.1.11-5 0 B 3.1.3-4 0 B 3.2.1-1 28 B 3.1.3-5 0 B 3.2.1-2 10 B 3.1.3-6 0 B 3.2.1-3 28 B 3.1.4-1 0 B 3.2.1-4 0 B 3.1.4-2 31 B 3.2.1-5 0 B 3.1.4-3 0 B 3.2.1-6 0 B 3.1.4-4 0 B 3.2.1-7 0 PALO VERDE UNITS 1, 2, AND 3 1 Revision 36 February 9, 2006

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3.2.1-8 0 B 3.3.1-20 35 3.2.2-1 28 B 3.3.1-21 35 3.2.2-2 10 B 3.3.1-22 35 3.2.2-3 0 B 3.3.1-23 35 3.2.2-4 28 B 3.3.1-24 35 3.2.2-5 1 B 3.3.1-25 35 3.2.2-6 0 B 3.3.1-26 35 3.2.2-7 0 B 3.3.1-27 35 3.2.3-1 28 B 3.3.1-28 35 Corrected 3.2.3 -2 10 B 3.3.1-29 35 3.2.3-3 0 B 3.3.1-30 35 Corrected 3.2.3-4 28 B 3.3.1-31 35 Corrected 3.2.3-5 0 B 3.3.1-32 35 Corrected 3.2.3-6 0 B 3.3.1-33 35 3.2.3-7 0 B 3.3.1-34 35 3.2.3-8 0 B 3.3.1-35 35 3.2.3-9 0 B 3.3.1-36 35 3.2.3-10 0 B 3.3.1-37 35 3.2.4-1 28 B 3.3.1-38 35 3.2.4-2 10 B 3.3.1-39 35 3 .2.4-3 0 B 3.3.1-40 35 3.2.4-4 28 B 3.3.1-41 35 3.2.4-5 25 B 3.3.1-42 35 3.2.4-6 25 B 3.3.1-43 35 3.2.4-7 27 B.3 .3.1-44 35 3.2.4-8 31 B.3 .3.1-45 35 3.2.4-9 31 B.3.3.1-46 35

,3.2.4-10 31 B.3.3. 1-47 35 3.2.5-1 28 B.3 .3.1-48 35 3.2.5-2 10 B.3.3.1-49 35 3.2.5-3 0 B.3 .3.1-50 35 3.2.5-4 28 B.3 .3.1-51 35 3.2.5-5 0 B.3.3.1-52 35 3.2.5-6 28 B.3.3.1-53 335 3.2.5-7 0 B.3 .3.1-54 35 3 .3.1-1 35 B.3.3.1-55 35 3.3.1-2 25 B.3 .3.1-56 35 3.3.1-3 25 B.3 .3.1-57 35 3.3.1-4 25 B 3.3.1-58 35 3.3.1-5 25 B 3.3.1-59 35 3.3.1-6 27 B 3.3.1-60 35 3.3.1-7 25 B 3.3.2-1 35 3.3.1-8 25 B 3.3.2-2 0 3.3.1-9 34 B 3.3.2-3 1 3 .3.1-10 35 B 3.3.2-4 35 3.3.1-11 35 B 3.3.2-5 35 3 .3.1-12 35 B 3.3.2-6 35 3.3.1-13 35 B 3.3.2-7 35 3.3.1-14 35 B 3.3.2-8 35 3 .3.1-15 35 B 3.3.2-9 35 3.3.1-16 25 B 3.3.2-10 35 3.3.1-17 35 B 3.3.2-11 35 3.3.1-18 35 B 3.3.2-12 35 3.3.1-19 35 B 3.3.2-13 35 PALO VERDE UNITS 1, 2, AND 3 2 Revision 36 February 9, 2006

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.3.2-14 35 3.3.5-14 0 B 3.3.2-15 35 3.3.5-15 35 B 3.3.2-16 35 3 .3.5-16 35 B 3.3.2-17 35 3.3.5-17 35 B 3.3.2-18 35 3.3.5-18 35 B 3.3.3-1 25 3 .3.5-19 35 B 3.3.3-2 27 3 .3 .5-20 35 B 3.3.3-3 25 3 .3.5-21 35 B 3.3.3-4 25 3.3.5-22 35 B 3.3.3-5 25 3.3.5-23 35 B 3.3.3-6 25 3.3.5-24 35 B 3.3.3-7 27 3.3.5-25 35 B 3.3.3-8 27 3.3.5-26 35 B 3.3.3-9 27 3.3.5-27 35 B 3.3.3-10 25 3.3.5-28 35 B 3.3.3-11 25 3.3.5-29 35 B.3.3.3-12 25 3.3.5-30 35 B.3.3.3-13 25 3.3.6-1 0 B.3.3.3-14 25 3.3.6-2 0 B.3.3.3-15 27 3 .3. 6-3 0 B.3.3.3-16 25 3 . 3 . 6-4 0 B.3.3.3-17 25 3.3.6-5 31 B.3.3.3-18 25 3.3.6-6 0 B.3.3.3-19 27 3 . 3 . 6-7 27 B.3 .3.3-20 27 3 .3.6-8 27 B.3.3.3-21 27 3.3.6-9 0 B 3.3.4-1 0 3.3.6-10 0 B 3.3.4-2 0 3 .3.6-11 0 B 3.3.4-3 0 3.3.6-12 0 B 3.3.4-4 0 3.3.6-13 0 B 3.3.4-5 0 3 .3. 6-14 0 B 3.3.4-6 31 3 .3.6-15 0 B 3.3.4-7 0 3.3.6-16 0 B 3.3.4-8 0 3 .3 .6-17 27 B 3.3.4-9 0 3.3.6-18 0 B 3.3.4-10 0 3 .3 .6-19 0 B 3.3.4-11 0 3.3.6-20 0 B 3.3.4-12 0 3.3 .6-21 1 B 3.3.4-13 0 3.3.6-22 1 B 3.3.4-14 0 3.3.7-1 2 B 3.3.4-15 0 3.3.7-2 2 B 3.3.5-1 0 3.3 .7-3 0 B 3.3.5-2 0 3.3.7-4 0 B 3.3.5-3 0 3.3.7-5 0 B 3.3.5-4 35 3.3.7-6 0 B 3.3.5-5 0 3.3.7-7 0 B 3.3.5-6 0 3.3.7-8 0 B 3.3.5-7 0 3.3.7-9 2 B 3.3.5-8 31 3 .3 .8-1 0 B 3.3.5-9 0 3.3.8-2 0 B 3.3.5-10 0 3 .3 .8-3 0 B 3.3.5-11 0 3.3.8-4 0 B 3.3.5-12 1 3.3.8-5 0 B 3.3.5-13 0 3.3.8-6 1 PALO VERDE UNITS 1, 2, AND 3 3 Revision 36 February 9, 2006

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3.3.8-7 0 3.4.3-4 2 3.3.8-8 0 3.4.3-5 2 3 .3 .9-1 0 3.4.3-6 0 3.3.9-2 2 3.4.3-7 0 3.3.9-3 21 3.4.3-8 2 3.3.9-4 10 3.4.4-1 0 3.3.9-5 1 3.4.4-2 7 3.3.9-6 0 3.4.4-3 7 3.3.9-7 0 3.4.4-4 0 3.3.10-1 0 3.4.5-1 0 3.3.10-2 0 3.4.5-2 34 3.3.10-3 0 3 .4.5-3 30 3 .3 .10-4 0 3.4.5-4 0 3.3.10-5 18 3.4.5-5 6 3.3.10-6 0 3.4.6-1 0 3.3.10-7 0 3 .4.6-2 6 3.3.10-8 14 3.4.6-3 6 3.3.10-9 14 3.4.6-4 6 3.3.10-10 14 3 .4.6-5 6 3 .3 .10-11 14 3.4.7-1 0 3 .3 .10-12 14 3 .4.7-2 6 3.3.10-13 14 3.4.7-3 6 3.3.10-14 32 3.4.7-4 2 3.3.10-15 32 3.4.7-5 0 3.3.10-16 32 3.4.7-6 0 3.3.10-17 32 3.4.7-7 27 3.3.10-18 32 3.4.8-1 0 3.3.10-19 32 3.4.8-2 6 3.3.10-20 32 3.4.8-3 6 3 .3 .10-21 33 3.4.9-1 0 3 .3 .10-22 32 3.4.9-2 31 3.3.11-1 0 3.4.9-3 34 Corrected 3.3.11-2 2 3.4.9-4 0 3.3.11-3 2 3 .4.9-5 0 3 .3 . 11-4 2 3.4.9-6 0 3 .3 . 11-5 19 3.4.10-1 0 3 .3 .11-6 2 3.4.10-2 7 3.3.11-7 2 3 .4.10-3 0 3.3.12-1 15 3.4.10-4 0 3.3.12-2 15 3.4.11-1 0 3 .3 .12-3 5 3.4. 11-2 7 3.3.12-4 5 3.4.11-3 0 3.3.12-5 6 3.4.11-4 0 3.3.12-6 6 3.4.11-5 0 3.4.1-1 10 3 .4. 11-6 0 3.4.1-2 28 3.4. 12-1 1 3.4.1-3 0 3.4.12-2 34 3.4.1-4 0 3.4.12-3 0 3 .4.1-5 0 3.4.12-4 0 3.4.2-1 7 3 .4. 12-5 31 3.4.2-2 1 3 .4. 13-1 0 3.4.3-1 0 3.4. 13-2 0 3.4.3-2 0 3.4. 13-3 1 3.4.3-3 0 3.4. 13-4 0 PALO VERDE UNITS 1, 2, AND 3 4 Revision 36 February 9, 2006

TECHNICALJ SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3 .4 . 13-5 0 B 3.5.3-3 0 3.4.13-6 0 B 3.5.3-4 0 3 .4. 13-7 2 B 3.5.3-5 0 3 .4. 13-8 2 B 3.5.3-6 2 3 .4. 13-9 0 B 3.5.3-7 2 3.4.13-10 2 B 3.5.3-8 1 3.4.14-1 0 B 3.5.3-9 0 3.4.14-2 34 B 3.5.3-10 2 3.4.14-3 34 B 3.5.4-1 15 3.4.14-4 7 B 3.5.4-2 0 3 .4.14-5 2 B 3.5.4-3 0 3.4.14-6 2 B 3.5.5-1 0 3.4.14-7 34 B 3.5.5-2 7 3 .4. 15-1 0 B 3.5.5-3 4 3.4.15-2 0 B 3.5.5-4 4 3 .4 .15-3 0 B 3.5.5-5 0 3.4.15-4 0 B 3.5.5-6 0 3 .4. 15-5 0 B 3.5.5-7 0 3 .4.15-6 35 B 3.5.6-1 0 3 .4.15-7 35 B 3.5.6-2 1 3 .4. 16-1 2 B 3.5.6-3 0 3 .4. 16-2 10 B 3.5.6-4 24 3.4.16-3 0 B 3.5.6-5 27 3 .4.16-4 0 B 3.6.1-1 0 3 .4.16-5 0 B 3.6.1-2 35 3 .4. 16-6 0 B 3.6.1-3 0 3.4.17-1 0 B 3.6.1-4 29 3.4.17-2 27 B 3.6.1-5 29 3 .4.17-3 0 B 3.6.2-1 0 3 .4.17-4 0 B 3.6.2-2 35 3.4.17-5 0 B 3.6.2-3 0 3.4.17-6 0 B 3.6.2-4 0

3. 5.1-1 0 B 3.6.2-5 0 3 . 5. 1-2 35 B 3.6.2-6 0
3. 5. 1-3 7 B 3.6.2-7 0 3.5.1-4 0 B 3.6.2-8 0 3.5.1-5 0 B 3.6.3-1 36 3 . 5. 1-6 0 B 3.6.3-2 27 3 .5.1-7 1 B 3.6.3-3 27 3.5.1-8 1 B 3.6.3-4 36 3.5.1-9 0 B 3.6.3-5 36 3.5.1-10 35 B 3.6.3-6 27 3.5.2-1 0 B 3.6.3-7 27 3.5.2-2 35 B 3.6.3-8 27 3.5.2-3 0 B 3.6.3-9 27 3.5.2-4 0 B 3.6.3-10 27 3.5.2-5 0 B 3.6.3-11 27 3.5.2-6 0 B 3.6.3-12 27 3.5.2-7 1 B 3.6.3-13 27 3.5.2-8 22 B 3.6.3-14 27 3.5.2-9 1 B 3.6.3-15 27 3.5.2-10 35 B 3.6.3-16 27 3.5.3-1 0 B 3.6.3-17 27 3 . 5.3-2 0 B.3.6.3-18 27 PALO VERDE UN:ETS 1, 2, AND 3 5 Revision 36 February 9, 2006

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B.3 .6.3-19 27 3.7.6-1 0 B 3.6.4-1 35 3.7.6-2 28 B 3.6.4-2 1 3.7.6-3 28 B 3.6.4-3 1 3.7.6-4 0 B 3.6.5-1 0 3.7.7-1 0 B 3.6.5-2 1 3.7.7-2 1 B 3.6.5-3 0 3.7.7-3 1 B 3.6.5-4 0 3.7.7-4 1 B 3.6.6-1 0 3.7.7-5 1 B 3.6.6-2 0 3.7.8-1 1 B 3.6.6-3 35 3.7.8-2 1 B 3.6.6-4 7 3.7.8-3 1 B 3.6.6-5 1 3.7.8-4 1 B 3.6.6-6 0 3.7.9-1 0 B 3.6.6-7 1 3.7.9-2 1 B 3.6.6-8 1 3.7.9-3 0 B 3.6.6-9 0 3.7.10-1 10 B 3.6.7-1 0 3.7.10-2 1 B 3.6.7-2 0 3.7.10-3 1 B 3.6.7-3 0 3 .7. 10-4 1 B 3.6.7-4 0 3.7.11-1 0 B 3.6.7-5 0 3 .7 .11-2 0 B 3.7.1-1 28 3.7.11-3 21 B 3.7.1-2 34 3.7.11-4 10 B 3.7.1-3 34 3.7.11-5 10 B 3.7.1-4 34 3 .7. 11-6 10 B 3.7.1-5 34 3.7.12-1 1 B 3.7.1-6 28 Corrected 3.7.12-2 21 B 3.7.2-1 0 3.7.12-3 21 B 3.7.2-2 0 3 .7.12-4 10 B 3.7.2-3 31 3.7.13-1 0 B 3.7.2-4 0 3.7.13-2 0 B 3.7.2-5 0 3.7.13-3 0 B 3.7.2-6 0 3 .7.13-4 0 B 3.7.3-1 1 3 .7. 13-5 0 B 3.7.3-2 1 3.7.14-1 0 B 3.7.3-3 1 3.7.14-2 21 B 3.7.3-4 0 3.7.14-3 21 B 3.7.3-5 0 3.7.15-1 3 B 3.7.4-1 0 3.7.15-2 3 B 3.7.4-2 31 3.7.16-1 7 B 3.7.4-3 31 3.7.16-2 0 B 3.7.4-4 0 3.7.16-3 0 B 3.7.5-1 0 3.7.16-4 0 B 3.7.5-2 0 3.7.17-1 23 B 3.7.5-3 0 3.7.17-2 3 B 3.7.5-4 27 3.7.17-3 3 B 3.7.5-5 9 3.7.17-4 3 B 3.7.5-6 9 3.7. 17-5 3 B 3.7.5-7 9 3.7.17-6 3 B 3.7.5-8 9 3 .8.1-1 35 B 3.7.5-9 9 3. 8. 1-2 2 B 3.7.5-10 9 3 .8. 1-3 34 B.3.7.5-11 9 3.8.1-4 34 PALO VERDE UNITS 1, 2, AND 3 6 Revision 36 February 9, 2006

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

3.8.1-5 20 B 3.8.3-9 0 3 .8.1-6 27 B 3.8.4-1 0

3. 8. 1-7 34 B 3.8.4-2 0 3 .8.1-8 2 B 3.8.4-3 0 3.8.1-9 27 B 3.8.4-4 2 3 . 8.1-10 2 B 3.8.4-5 2 3 .8. 1-11 2 B 3.8.4-6 2
3. 8. 1-12 2 B 3.8.4-7 35
3. 8.1-13 2 B 3.8.4-8 35 3 .8.1-14 2 B 3.8.4-9 35 3.8.1-15 2 B 3.8.4-10 35 3.8.1-16 20 B 3.8.4-11 35
3. 8. 1-17 20 B 3.8.5-1 1 3 .8.1-18 20 B 3 . 8.5-2 1 3 .8.1-19 20 B 3.8.5-3 21 3 .8. 1-20 20 B 3.8.5-4 21 3.8.1-21 20 B 3 .8.5-5 2 3 .8.1-22 20 B 3.8.5-6 2 3 .8.1-23 20 B 3.8.6-1 0 3 .8.1-24 20 B 3 . 8. 6-2 0 3 .8.1-25 20 B 3 . 8. 6-3 0 3.8.1-26 20 B 3 .8.6-4 6 3 .8. 1-27 35 B 3.8.6-5 6 3 .8.1-28 35 B 3 .8.6-6 6 3.8.1-29 35 B 3 .8.6-7 0 3 .8. 1-30 35 B 3.8.7-1 0 3 .8.1-31 35 B 3.8.7-2 0 3 .8.1-32 35 B 3.8.7-3 0 3 .8.1-33 35 B 3.8.7-4 0 3.8.1-34 35 B 3.8.8-1 1 3 .8 . 1-35 35 B 3.8.8-2 1 3.8.1-36 35 B 3.8.8-3 21 3 .8. 1-37 35 B 3.8.8-4 21 3 .8.1-38 35 B 3 .8.8-5 1 3 . 8.1-39 35 B 3.8.9-1 34 3 .8.1-40 35 B 3 .8.9-2 0 3 .8. 1-41 35 B 3 . 8 .9-3 0 3 .8 .1-42 35 B 3.8.9-4 0 3 .8.1-43 35 B 3 .8.9-5 0 3 .8.1-44 35 B 3 .8.9-6 0 3.8.2-1 0 B 3.8.9-7 0 3.8.2-2 0 B 3.8.9-8 0 3.8.2-3 0 B 3.8.9-9 0 3.8.2-4 21 B 3.8.9-10 0 3.8.2-5 21 B 3.8.9-11 0 3.8.2-6 0 B 3. 8. 10-1 0 3.8.3-1 0 B 3.8.10-2 21 3 .8.3-2 0 B 3.8.10-3 0 3.8.3-3 34 Corrected B 3 .8. 10-4 0 3.8.3-4 0 B 3 .9.1-1 34 Corrected 3.8.3-5 34 B 3.9.1-2 0 3.8.3-6 0 B 3 .9.1-3 0 3 .8.3-7 0 B 3.9.1-4 0 3 . 8.3-8 0 B 3.9.2-1 15 PALO VERDE UNITS 1, 2, AND 3 7 Revision 36 February 9, 2006

TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGES Page Rev. Page Rev No. No. No. No.

B 3.9.2-2 15 B 3.9.2-3 15 B 3.9.2-4 15 B 3.9.3-1 18 B 3.9.3-2 19 B 3.9.3-3 27 B 3.9.3-4 19 B 3.9.3-5 19 B.3.9.3-6 19 B 3.9.4-1 0 B 3.9.4-2 1 B 3.9.4-3 0 B 3.9.4-4 0 B 3.9.5-1 0 B 3.9.5-2 16 B 3.9.5-3 27 B 3.9.5-4 16 B.3.9.5-5 16 B 3.9.6-1 0 B 3.9.6-2 0 B 3.9.6-3 0 B 3.9.7-1 0 B 3.9.7-2 0 B 3.9.7-3 0 PALO VERDE UNITS 1, 2, AND 3 8 Revision 36 February 9, 2006

RPS Instrumentation - Operating B 3.3.1 BASES LCO defined in the "Plant Protection System Selection of Trip (continued) Setpoint Values" (Ref. 7).

The Bases for the individual Function requirements are as follows:

1. Variable Over Power-High (RPS)

This LCO requires all four channels of Variable Over Power High 'RPS) to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Variable Over Power High (RPS) reactor trips during normal plant operations. When the RPS VOPT trip function is credited in the safety analyses, the Allowable Value is based on the analyses and is low enough for the system to maintain a margin to unacceptable fuel or fuel cladding damage should a positive reactivity excursion event occur.

2. Logarithmic Power Level - High This LCO requires all four channels of Logarithmic Power Level - High to be OPERABLE in MODE 2.

In MODES 3. 4. or 5 when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal conditions are addressed in LCO 3.3.2.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-27 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 2. Logarithmic Power Level - High (continued)

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur.

The Logarithmic Power Level - High trip may be bypassed when logarithmic power is above 1E-4% NRTP to allow the reactor to be brought to power during a reactor startup. This operating bypass is automatically removed when logarithmic power decreases below 1E-4% NRTP. Above 1E-4% NRTP, the Variable Over Power - High and Pressurizer Pressure - High trips provide protection for reactivity transients.

The automatic bypass removal channel is INOPERABLE when the associated Log power channel has failed. The bypass function is manually controlled via station operating procedures and the bypass removal circuitry itself is fully capable of responding to a change in the associated input bistable. Footnotes (a) and (b) in Table 3.3.1-1 and (d)in Table 3.3.2-1 clearly require an "automatic" removal of trip bypasses. A failed Log channel may prevent, depending on the failure mode, the associated input bistable from changing state as power transitions through the automatic bypass removal setpoint. Specifically, when the indicated Log power channel is failed high (above 1E-4%). the automatic Hi-Log power trip bypass removal feature in that channel cannot function.

Similarly, when the indicated Log power channel is failed low (below 1E-4%). the automatic DNBR-LPD trip bypass removal feature in that channel cannot function.

Although one bypass removal feature is applicable above 1E-4% NRTP and the other is applicable below 1E-4%

NRTP, both are affected by a failed Log power channel and should therefore be considered INOPERABLE.

(continued)

PALO VERDE UNITS 1.2,3 B 3.3.1-28 REVISION 35 CORRECTED PAGE

RPS Instrumentation - Operating B 3.3.1 BASES LCO 2. Logarithmic Power Level - High (continued)

When a Log channel is INOPERABLE, both the Hi-Log power and DNBR/LPI) automatic trip bypass removal features in that channel are also INOPERABLE, requiring entry into LCO 3.3.1 Condition C or LCO 3.3.2 Condition C depending oln plant operating MODE. Required Action C.1 for both LCOs 3.3.1 and 3.3.2 require the bypass channel to be disabled. Compliance with C.1 is met by placing the CR switches in "off" and "normal" for the Hi-Log power and DNBR/LPD bypasses respectively. No further action (key removal, periodic verification.

etc.) is required. These CR switches are administratively controlled via station procedure therefore, the requirements of C.1 are continuously met.

3. Pressurizer Pressure - High This LCO requires four channels of Pressurizer Pressure - -igh to be OPERABLE in MODES 1 and 2.

The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its operation avoids the undesirable operation of these valves during normal plant operation. In the event of a loss of condenser vacuum at 100% power, this setpoint ensures the reactor trip will take place.

thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety valves may lift to prevent overpressurization of the RCS.

4. Pressurizer Pressure - Low This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1 and 2.

The Allowable Value is set low enough to prevent a reactor trip during normal plant operation and pressurizer pressure transients. However, the setpoint is high enough that with a LOCA. the reactor trip will occur soon enough to allow the ESF systems to perform as expected in the analyses and mitigate the consequences of the accident.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-29 REVISION 35

RPS Instrumentation - Operating B 3.3.1 BASES LCO 5. Containment Pressure - High (continued)

The LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. It is set low enough to initiate a reactor trip when an abnormal condition is indicated.

6. 7. Steam Generator Pressure - Low This LCO requires four channels of Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low to be OPERABLE in MODES 1 and 2.

This UFSAR Trip Setpoint is sufficiently below the full load operating value for steam pressure so as not to interfere with normal plant operation, but still high enough to provide the required protection in the event of excessive steam demand. Since excessive steam demand causes the RCS to cool down, resulting in positive reactivity addition to the core. If the moderator temperature coefficient is negative a reactor trip is required to offset that effect.

The trip setpoint may be manually decreased as steam generator pressure is reduced during controlled plant cooldown, provided the margin between steam generator pressure and the setpoint is maintained < 200 psia.

This allows for controlled depressurization of the secondary system while still maintaining an active reactor trip setpoint and MSIS setpoint, until the time is reached when the setpoints are no longer needed to protect the plant. The setpoint increases automatically as steam generator pressure increases until the specified trip setpoint is reached.

Footnote (aa), which is divided into two parts, will ensure compliance with 10 CFR 50.36 in the event that the instrument set points are found not to be conservative with respect to the as-found acceptance criteria. Part 1 requires evaluation of instrument performance for the condition where the as-found setting for these instruments in outside its As-Found (continued)

PALO VERDE UNITS 1.2.3 B 3.3.1-30 REVISION 35 CORRECTED PAGE

RPS Instrumentation - Operating B 3.3.1 BASES LCO 6, 7.Steam Generator Pressure - Low (continued)

Tolerance (AFT) but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions.

The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to maintain a stable trip setpoint within the As-Left Tolerance (ALT). The technician's evaluation will be reviewed by on shift personnel both during the approval of the surveillance data and as a result of entry of the deviation in the site's corrective action program. In accordance with procedures, entry into the corrective action program will require review and documentation of the condition for operability.

Additional evaluation and Potential corrective actions as necessary will ensure that any as-found setting found outside the AFT is evaluated for long-term operability trends.

Part 2 requires that the as-left setting for the instrument be returned to within the ALT of the specified trip setpoint. The specified field installed trip setpoint is termed as the Design Setpoint (DSp) and is equal to or more conservative than the UFSAR Trip Setpoint. The general relationship among the PVNGS trip setpoint terms is as follows: The calculated limiting setpoint (LSp) is determined within the plant specific setpoint analysis and is based on the Analytical Limit and Total Loop Uncertainty. The UFSAR Trip Setpoint is equal to or more conservative than the LSp and is specified in the UFSAR. The DSp is the field installed setting and is equal to or more conservative than the UFSAR Trip Setpoint. This relationship ensures that sufficient margin to the safety and/or analytical limit is maintained. If the as-found instrument setting is found to be non-conservative with respect to the AV specified in the technical specifications, or the as-left instrument setting cannot be returned to a setting within the ALT, or the instrument is not functioning as required: then the instrument channel shall be declared inoperable.

(continued)

PALO VERDE UNITS 1,2.3 B 3.3.1-31 REVISION 35 CORRECTED PAGE

RPS Instrumentation - Operating B 3.3.1 BASES LCO 8, 9. Steam Generator Level - Low (continued)

This LCO requires four channels of Steam Generator #1 Level - Low and Steam Generator #2 Level - Low for each steam generator to be OPERABLE in MODES 1 and 2. The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations.

The input signal providing the reactor trip input also provides an input to a bistable that initiates auxiliary feedwater to the affected generator via the Auxiliary Feedwater Actuation Signal (AFAS). The trip setpoint ensures that there will be sufficient water inventory in the steam generator at the time of the trip to provide a margin of at least 10 minutes before auxiliary feedwater is required to prevent degraded core cooling. The reactor trip will remove the heat source (except decay heat), thereby conserving the reactor heat sink.

10, 11. Steam Generator Level - High This LCO requires four channels of Steam Generator #1 Level - High and Steam Generator #2 Level - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to allow for normal plant operation and transients without causing a reactor trip. It is set low enough to ensure a reactor trip occurs before the level reaches the steam dryers. Having steam generator water level at the trip value is indicative of the plant not being operated in a controlled manner.

12, 13. Reactor Coolant Flow - Low This LCO requires four channels of Reactor Coolant Flow Steam Generator #1-Low and Reactor Coolant Flow Steam Generator # 2-Low to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during normal plant operations while providing the required protection.

Tripping the reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure conditions for this event.

LCO 3.4.5. "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," ensure adequate RCS flow rate is maintained.

(continued)

PALO VERDE UNITS 1,2,3 B 3.3.1-32 REVISION 35 CORRECTED PAGE

Containment Isolation Valves B 3.6.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.3 Containment Isolation Valves BASES BACKGROUND The containment isolation valves form part of the containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be provided with two isolation barriers that are closed on an automatic isolation signal. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analysis. One of these barriers may be a closed system.

The containment penetration consists of the containment isolation valves and all piping and the associated vent, drain, and test valves located between the containment isolation valves (Ref. 7). All manual vent, drain, and test valves within a Containment Penetration (i.e.. between the Containment Isolation Valves) will be maintained locked closed per the locked valve administrative program or surveilled closed per Technical Specification SR 3.6.3.3 or SR 3.6.3.4. Containment penetration isolation criteria are governed by 10 CI:R 50. Appendix A, General Design Criteria 54 through 57 (Ref. 6). The applicable GDC for each penetration can be found in UFSAR Table 6.2.4-1 (Ref. 1).

Containment isolation occurs upon receipt of a high containment pressure signal or a low pressurizer pressure signal. The containment isolation signal closes automatic containment isolation valves in fluid penetrations not required for operation of Engineered Safety Feature Systems in order to prevent leakage of radioactive material. Upon actuation of safety injection. automatic containment isolation valves also isolate systems not required for containment or RCS heat removal. Other penetrations are isolated by the use of valves in the closed position or blind flanges. As a result, the containment isolation valves (and blind flanges) help ensure that the containment atmosphere will be isolated in the event of a release of radioactive material to containment atmosphere from the RCS following a Design Basis Accident (DBA).

(continued)

PALO VERDE UNITS 1,2.3 B 3.6.3-1 REVISION 36

Containment Isolation Valves B 3.6.3 BASES BACKGROUND The OPERABILITY requirements for containment isolation (continued) valves help ensure that containment is isolated within the time limits assumed in the safety analysis. Therefore, the OPERABILITY requirements provide assurance that the containment function assumed in the accident analysis will be maintained.

The purge valves were designed for intermittent operation, providing a means of removing airborne radioactivity caused by minor RCS leakage prior to personnel entry into containment. There are two sets of purge valves: refueling purge valves and power access purge valves. The refueling and power access supply and exhaust lines are each supplied with inside and outside containment isolation valves but share common supply and exhaust headers.

The refueling purge valves are designed for purging the containment atmosphere to the unit stack while introducing filtered makeup from the outside to provide adequate ventilation for personnel comfort when the unit is shut down during refueling operations and maintenance. Motor operated isolation valves are provided inside and outside the containment. The valves are operated manually from the control room. The valves will close automatically upon receipt of a containment purge isolation actuation signal and a containment isolation actuation signal. Because of their large size, the refueling purge valves are not qualified for automatic closure from their open position under DBA conditions. Therefore, the refueling purge valves are maintained closed in MODES 1, 2, 3. and 4 to ensure the containment boundary is maintained.

Open refueling purge valves, or a failure of the power access purge valves to close, following an accident that releases contamination to the containment atmosphere would cause a significant increase in the containment leakage rate.

APPLICABLE The containment isolation valve LCO was derived from the SAFETY ANALYSES assumptions related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during major accidents. As part of the containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment. Therefore, the safety analysis of any event requiring isolation of containment is applicable to this LCO.

(continued)

PALO VERDE UNITS 1,2,3 B 3.6.3-2 REVISION 27

Containment Isolation Valves B 3.6.3 BASES APPLICABLE The DBAs that result in a release of radioactive material SAFETY ANALYSES within containment are a Loss Of Coolant Accident (LOCA). a Main Steam Line Break (MSLB). a feedwater line break, and a control element assembly ejection accident. In the analysis for each of these accidents, it is assumed that containment isolation valves are either closed or function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through containment isolation valves (including containment purge valves) are minimized. The safety analysis assumes that the refueling purge valves are closed at event initiation.

The DBA analysis assumes that, within 60 seconds after the accident, isolation of the containment is complete and leakage terminated except for the design leakage rate, L,.

The containment -isolation total response time of 60 seconds includes signal delay, diesel generator startup (for loss of offsite power), and containment isolation valve stroke times.

The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the containment purge valves. Two valves in series on each purge line provide assurance that both the supply and exhaust lines could be isolated even if a single failure occurred. The inboard and outboard isolation valves on each line are provided with diverse power sources.

The refueling purge valves may be unable to close in the environment following a LOCA. Therefore, each of the refueling purge valves is required to remain sealed closed during MODES 1, 2, 3, and 4. In this case, the single failure criterion remains applicable to the containment refueling purge valves due to failure in the control circuit associated with each valve. Again, the purge system valve design precludes a single failure from compromising the containment boundary as long as the system is operated in accordance with the subject LCO.

The power access purge valves are capable of closing under accident conditions. Therefore, they are allowed to be open for limited periods during power operation.

The OPERABILITY of main steam safety valves, main steam isolation valves, main feedwater isolation valves, and main steam atmospheric dump valves is covered by Specifications 3.7.1. 3.7.2. 3.7.3 and 3.7.4 respectively.

(continued)

PALO VERDE UNITS 1,2,3 B 3.6.3-3 REVISION 27

Containment Isolation Valves B 3.6.3 BASES APPLICABLE SAFETY ANALYSES The containment isolation valves satisfy Criterion 3 of (continued) 10 CFR 50.36 (c)(2)(ii).

LCO Containment isolation valves, (CIVs) form a part of the containment boundary. A containment penetration is considered to be the area bounded by the inboard and outboard CIVs and includes all valves, piping, and connections within this boundary (e.g., vents, drains, and test connections)

(Ref. 7). The containment isolation valve safety function is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during a DBA. The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The refueling purge valves must be maintained sealed closed. All manual vent, drain, and test valves within a Containment Penetration (i.e., between the Containment Isolation Valves) will be maintained locked closed per the locked valve administrative program or surveilled closed per Technical Specification SR 3.6.3.3 or SR 3.6.3.4. The valves covered by this LCO are listed with their associated stroke times in the UFSAR (Ref. 1). The analyses assume the containment is isolated within 60 seconds following an isolation signal (CIAS).

CIVs are considered OPERABLE for LCO 3.6.3 when they are closed (i.e., manual valves are closed, automatic valves are de-activated and secured in their closed position), blind flanges are in place, and closed systems are intact. The Steam Generating System and the Containment Pressure Monitoring System are the only credited closed systems at PVNGS. Placement of CIVs in this configuration may impact the operability of the associated system. If the required valve surveillances have lapsed for a CIV secured in its closed position, the CIV is considered OPERABLE for LCO 3.6.3 because it was OPERABLE when it isolated the penetration and it continues to perform its isolation function (Ref. 9). The passive isolation valves or devices are those listed in Reference 2.

The general actions for an inoperable CIV are to isolate the associated penetration with a component that is not susceptible to an active failure (i.e., a passive component).

The appropriate LCO 3.6.3 Condition for each CIV is listed in TRM Table 7.0.300. In addition, isolation of an inoperable CIV should be made with a valve(s) having similar leakage criteria to preserve the overall containment leakage rate.

For example, if a Type C tested CIV becomes inoperable, a (continued)

PALO VERDE UNITS 1.2,3 B 3.6.3-4 REVISION 36

Containment Isolation Valves B 3.6.3 BASES LCO Type C tested valve should be used for isolation purposes. If (continued) an inoperable Type C tested CIV cannot be isolated with another Type C tested valve, then another valve may be used to isolate the penetration per LCO 3.6.3. but engineering shall evaluate this condition to ensure the overall CONTAINMENT leakage rate remains valid per the requirements of LCO 3.6.1 (Ref. 8).

Check valves used to isolate a containment penetration are considered secured in their actuated position when flow through the valve is secured and prevented from unintentional operation (i.e., all upstream flow paths are isolated and administratively controlled). This administrative control process will be via use of a permit or the locked valve program for those upstream sources. Certain containment penetrations with multiple piping connections require isolating the upstream source in lieu of crediting the inboard check valve when the CIV outside contairment becomes inoperable. The following penetrations are provided as examples:

  • AFA-V079 and AFE-V080 - AFW - Pen 75 and 76
  • SIE-V113, -V123. -V133, and -V143 - HPSI - Pen 13 through 16 For the above examples, preventing flow through, and unintentional operation of, the inboard check valve would impact multiple trEins of equipment; therefore, this condition is undesirable. In that case, the inoperable CIV is isolated using an upstream passive device, the associated train is declared inoperable, the applicable LCO Condition is entered, and the Required Ac:tions performed.

Manual containment isolation valves include those specified in TRM Table 7.0.300, manual valves used to isolate a penetration (including a deactivated, non-automatic valve), and all vents, drains, and test connections located within a containment penetration. Manual containment isolation valves may be opened intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. This operator may have other concurrent duties as long as those duties do not impact the ability to close the valve within 60 seconds when containment isolation is required. The Shift Manager/CRS determines the allowable concurrent duties. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.

Manual vent, drair and test connection valves within a penetration may be opened under administrative control on only one side of the containment wall. The opening of a manual vent, drain and test connection valve on both sides of the containment wall provides a direct bypass of the containment barrier and would necessitate declaring the (continued)

PALO VERDE UNITS 1,2,3 B 3.6.3-5 REVISION 36

Containment Isolation Valves B 3.6.3 BASES LCO penetration inoperable per LCO 3.6.3 and could impact (containment) containment operability per LCO 3.6.1.

Containment Isolation Valves (CIVs) required open during accident conditions are considered "dual function" valves and may be secured in the closed position to conservatively comply with LCO 3.6.3. However, a closed CIV would result in entry into the applicable system LCO.

When a CIV required OPEN during accident conditions becomes inoperable, and there is only one CIV in the penetration, and plant and/or equipment conditions do not support securing the CIV in the closed position to restore operability per LCO 3.6.3, an alternate valve (including a non-automatic.

non-manual valve) in the piping connected to the affected penetration may be used as an isolation valve to satisfy the requirement of LCO 3.6.3. The alternate valve must be secured in the closed position and prevented from unintentional operation (via PVNGS administrative controls such as the locked valve or clearance and tagging program or the removal of motive power. as appropriate), and any vent/drain valve and test connection within the new boundary must be closed and capped. To ensure penetration integrity, it is only allowable to use an alternate valve as the isolation valve in the affected penetration if the piping between the inoperable CIV and the valve used for penetration isolation have both of the following characteristics:

  • A pressure rating equivalent to the containment design pressure (i.e., 60 psig) AND
  • The inoperable CIV does not require Type "C" testing (reference the list of CIVs in the Technical Requirements Manual).

Alternatively, some "dual function" CIVs may be administratively controlled in their ESF actuated open position (to prevent unintentional operation) to comply with both LCO 3.6.3 and the associated system LCO. When placed in the OPEN position and OPERABLE pursuant to LCO 3.6.3, the control room's ability to remote-manually close the valve for containment isolation must be maintained (i.e.. actuating and control power must be retained). The administrative controls prevent a valve from unintentional operation. This position ensures compliance with containment isolation functions specified by General Design Criteria 54 through 57. The valve is inoperable and entry into the applicable action statement of LCO 3.6.3 will be required until the administrative controls are in place. If. for any reason, a CIV is placed in the administratively controlled OPEN (continued)

PALO VERDE UNITS 1.2.3 B 3.6.3-6 REVISION 27