ML021970102

JAFNPP B 3.7.2-7 Revision 0

CREVAS System B 3.7.3 B 3.7 PLANT SYSTEMS B 3.7.3 Control Room Emergency Ventilation Air Supply (CREVAS) System BASES BACKGROUND The CREVAS System; a portion of the Control Room Air Conditioning (AC) System provides a radiologically controlled environment from which the plant can be safely operated following a Design Basis Accident (DBA).

The safety related function of the CREVAS System includes two redundant high efficiency air filtration subsystems for emergency treatment of outside supply air. Each subsystem consists of a prefilter, a high efficiency particulate air (HEPA) filter, two activated charcoal adsorber sections in series, a second HEPA filter, a control room emergency air supply fan, an air handling unit (excluding the condensing unit), a recirculation exhaust fan and the associated ductwork and dampers. Prefilters and HEPA filters remove particulate matter, which may be radioactive. The charcoal adsorbers provide a holdup period for gaseous iodine, allowing time for decay.

The CREVAS System is a standby system, parts of which also operate during normal plant operations to maintain the control room environment. Upon occurrence of a DBA or receipt of an alarm from a radiation monitor installed in the control room ventilation intake duct (indicative of conditions that could result in radiation exposure to control room personnel), the CREVAS System is manually placed in the isolate mode of operation to prevent infiltration of contaminated air into the control room. A system of dampers isolates the control room. Outside air is taken in at either the primary or secondary ventilation intake and is passed through one of the charcoal adsorber filter subsystems for removal of airborne radioactive particles. This filtered air is then mixed with recirculated air from one of the recirculation exhaust fans and then passed through one of two fans of the air handling units where it can be cooled before it is recirculated back to the control room. The cooling capability of the air handling units is not required to satisfy the requirements of this Specification.

The CREVAS System is designed to maintain the control room environment for a 31 day continuous occupancy after a DBA without exceeding 5 rem whole body dose or its equivalent to any part of the body. A single CREVAS subsystem will pressurize the control room to ? 0.125 inches water gauge (continued)

JAFNPP B 3.7.3-1 Revision 0

CREVAS System B 3.7.3-BASES BACKGROUND above the Turbine Building and outside atmosphere to prevent (continued) infiltration of air from surrounding buildings, since these are the only adjacent areas to the control room that could be directly contaminated by a design basis accident. CREVAS System operation in maintaining control room habitability is discussed in the UFSAR, Sections 9.9.3.11 and 14.8.2, (Refs. I and 2, respectively).

APPLICABLE The ability of the CREVAS System to maintain the SAFETY ANALYSES habitability of the control room is an explicit assumption for the safety analyses presented in the UFSAR, Chapters 6 and 14 (Refs. 3 and 4, respectively). The isolate mode of the CREVAS System is assumed to operate following a loss of coolant accident, refueling accident, main steam line break, and control rod drop accident, as discussed in the UFSAR, Section 14.8.2 (Ref. 2). The radiological doses to control room personnel as a result of the various DBAs are summarized in Reference 2.

The CREVAS System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO Two redundant subsystems of the CREVAS System are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other subsystem.

Total system failure could result in exceeding a dose of 5 rem to the control room operators in the event of some DBAs.

The CREVAS System is considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both subsystems. A subsystem is considered OPERABLE when its associated:

a. Fans are OPERABLE (i.e., one control room emergency air supply fan, one air handling unit fan, one recirculation exhaust fan);

b. A prefilter, two HEPA filters and charcoal adsorbers are not excessively restricting flow and are capable of performing their filtration functions; and

c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

In addition, the control room boundary must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors such that the pressurization (continued)

JAFNPP B 3.7.3-2 Revision 0

CREVAS BSystem 3.7.3_

BASES LCO limit of SR 3.7.3.3 can be met. However, it is acceptable (continued) for access doors to be open for normal control room entry and exit, and not consider it to be a failure to meet the LCO.

The LCO is modified by a Note allowing the control room boundary to be opened intermittently under administrative controls. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for control room isolation is indicated.

APPLICABILITY In MODES 1, 2, and 3, the CREVAS System must be OPERABLE to control operator exposure during and following a DBA, since the DBA could lead to a fission product release.

In MODES 4 and 5, the probability and consequences of a DBA are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining the CREVAS System OPERABLE is not required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:

a. During operations with potential for draining the reactor vessel (OPDRVs);

b. During CORE ALTERATIONS; and

c. During movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 With one CREVAS subsystem inoperable, the inoperable CREVAS subsystem must be restored to OPERABLE status within 7 days.

With the plant in this condition, the remaining OPERABLE CREVAS subsystem is adequate to perform control room radiation protection. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in a loss of CREVAS System capability. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and that the remaining subsystem can provide the required capabilities.

(continued)

JAFNPP B 3.7.3-3 Revision 0

CREVAS System B 3.7.3 BASES ACTIONS B.1 (continued)

If the control room boundary is inoperable in MODE 1, 2, or 3, the CREVAS subsystems cannot perform their intended functions. Actions must be taken to restore an OPERABLE control room boundary within 24 hours1 days 0.143 weeks 0.0329 months . During the period that the control room boundary is inoperable, appropriate compensatory measures (consistent with the intent of GDC 19) should be utilized to protect control room operators from potential hazards such as radioactive contamination, toxic chemicals, smoke, temperature and relative humidity, and physical security. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is a typically reasonable time to diagnose, plan and possibly repair, and test most problems with the control room boundary.

C.1 and C.2 In MODE 1, 2, or 3, if the inoperable CREVAS subsystem or control room boundary cannot be restored to OPERABLE status within the associated Completion Time, the plant must be placed in a MODE that minimizes risk. To achieve this status, the plant must be placed in at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months and in MODE 4 within 36 hours1.5 days 0.214 weeks 0.0493 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1, D.2.1, D.2.2, and D.2.3 LCO 3.0.3 is not applicable when in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the Required Actions of Condition D are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

(continued)

JAFNPP B 3.7.3-4 Revision 0

CREVAS System B 3.7.3_

BASES ACTIONS D.1, D.2.1, D.2.2, and D.2.3 (continued)

During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if the inoperable CREVAS subsystem cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE CREVAS subsystem may be placed in the isolate mode. This action ensures that the remaining subsystem is OPERABLE, and that any active failure will be readily detected.

An alternative to Required Action D.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the plant in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Action must continue until the OPDRVs are suspended.

E.1 If both CREVAS subsystems are inoperable in MODE 1, 2, or 3 for reasons other than an inoperable control room boundary (i.e., Condition B), the CREVAS System may not be capable of performing the intended function and the plant is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

F.1, F.2, and F.3 LCO 3.0.3 is not applicable when in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODES 1, 2, or 3, the Required Actions of Condition F are modified by a Note indicating that LCO 3.0.3 does not apply.

If moving irradiated fuel assemblies while in MODE 1, 2, or 3. the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

(continued)

JAFNPP B 3.7.3-5 Revision 0

CREVAS System B 3.7.3 BASES ACTIONS F.1, F.2, and F.3 (continued)

During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, with two CREVAS subsystems inoperable, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the plant in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. If applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Action must continue until the OPDRVs are suspended.

SURVEILLANCE SR 3.7.3.1 REQUIREMENTS This SR verifies that a subsystem in a standby mode starts on demand and continues to operate. These subsystems should be checked periodically to ensure that they start and function properly. As the environmental and normal operating conditions of this system are not severe, testing each subsystem once every three months provides an adequate check on this system. Since the CREVAS System does not contain heaters, it need only be operated for 2 15 minutes to demonstrate the function of the system. The 92 day Frequency is based on the known reliability of the equipment and the two subsystem redundancy available.

SR 3.7.3.2 This SR verifies that the required CREVAS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).

Specific test frequencies and additional information are discussed in detail in the VFTP.

(continued)

JAFNPP B 3.7.3-6 Revision 0

CREVAS System B 3.7.3 BASES SURVEILLANCE SR 3.7.3.3 REQUIREMENTS (continued) This SR verifies the integrity of the control room enclosure and the assumed inleakage rates of potentially contaminated air. The control room positive pressure, with respect to potentially contaminated adjacent areas (outside and the turbine building), is periodically tested to verify proper function of the CREVAS System. During the isolate mode of operation, the CREVAS System is designed to slightly pressurize the control room 2 0.125 inches water gauge positive pressure with respect to outside and the turbine building to prevent unfiltered inleakage. The CREVAS System is designed to maintain this positive pressure at a flow rate of ; 900 scfm and

1100 scfm to the control room in the isolate mode. The Frequency of 18 months on a STAGGERED TEST BASIS is consistent with industry practice and other filtration systems SRs.

REFERENCES 1. UFSAR, Section 9.9.3.11.

2. UFSAR, Section 14.8.2.

3. UFSAR, Chapter 6.

4. UFSAR, Chapter 14.

JAFNPP B 3.7.3-7 Revision 0

Control Room AC System B 3.7.4 B 3.7 PLANT SYSTEMS B 3.7.4 Control Room Air Conditioning (AC) System BASES BACKGROUND The Control Room AC System provides temperature control for the control room while the Control Room Emergency Ventilation Air Supply (CREVAS) System (a mode of the Control Room AC) provides a radiologically controlled environment (refer to the Bases of for LCO 3.7.3, "Control Room Emergency Ventilation Air Supply (CREVAS) System").

The Control Room AC System consists of two redundant subsystems that provide cooling of recirculated control room air. Each subsystem consists of cooling coils, fans, chillers, compressors, ductwork, dampers, and instrumentation and controls to provide for control room temperature control. A heater is located in the ductwork associated with each control room area.

The Control Room AC System is designed to provide a controlled environment under both normal and accident conditions. A single subsystem provides the required temperature control to maintain a suitable control room environment for a sustained occupancy of 20 persons. The design conditions for the control room environment are 750 F and 50% relative humidity. This can be accomplished when a control room chiller is providing the cooling medium to the cooling coils of an air handling unit. The control room chillers are non-safety related: however the Control Room AC System still meets safety-related QA Category I requirements when the Emergency Service Water System is aligned to directly supply the cooling coils. The resulting maximum control room environmental conditions when the Emergency Service Water System is supplying the air handling unit cooling coils is 104 0 F assuming a lake temperature of 85 0 F.

This satisfies the OPERABILITY requirements of the control room equipment. The Control Room AC System operation in maintaining the control room temperature is discussed in the UFSAR, Section 9.9.3.11 (Ref. 1).

APPLICABLE The design basis of the Control Room AC System is to SAFETY ANALYSES maintain the control room temperature for a 31 day continuous occupancy.

The Control Room AC System components are arranged in redundant safety related subsystems. During emergency operation, the Control Room AC System maintains a habitable environment and ensures the OPERABILITY of components in the (continued)

JAFNPP B 3.7.4-1 Revision 0

Control Room AC System B 3.7.4_

BASES APPLICABLE control room. A single active component failure of a SAFETY ANALYSES component of the Control Room AC System, assuming a loss of (continued) offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control.

The Control Room AC System is designed in accordance with Seismic Category I requirements. The Control Room AC System is capable of removing sensible and latent heat loads from the control room, including consideration of equipment heat loads and personnel occupancy requirements to ensure equipment OPERABILITY.

The Control Room AC System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO Two redundant subsystems of the Control Room AC System are required to be OPERABLE to ensure that at least one is available, assuming a single active component failure disables the other subsystem. Total system failure could result in the equipment operating temperature exceeding limits.

The Control Room AC System is considered OPERABLE when the individual components necessary to maintain the control room temperature are OPERABLE in both subsystems. These components include the air handling units, recirculation exhaust fans, air handling unit fans, ductwork, dampers, and associated instrumentation and controls. The cooling coils of the air handling units may be cooled by the control room chillers, but to satisfy this LCO the Emergency Service Water System must be capable of alignment to provide cooling water directly to the cooling coils.

APPLICABILITY In MODE 1, 2, or 3, the Control Room AC System must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY limits following control room isolation.

In MODES 4 and 5, the probability and consequences of a Design Basis Accident are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the Control Room AC System OPERABLE is not required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:

(continued)

JAFNPP B 3.7.4-2 Revision 0

Control Room AC System B 3.7.4_

BASES APPLICABILITY a. During operations with a potential for draining the (continued) reactor vessel (OPDRVs);

b. During CORE ALTERATIONS; and

c. During movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 With one control room AC subsystem inoperable, the inoperable control room AC subsystem must be restored to OPERABLE status within 30 days. With the plant in this condition, the remaining OPERABLE control room AC subsystem is adequate to perform the control room air conditioning function. However, the overall reliability is reduced because a single active component failure in the OPERABLE subsystem could result in loss of the control room air conditioning function. The 30 day Completion Time is based on the low probability of an event occurring requiring control room isolation, the consideration that the remaining subsystem can provide the required protection, and the availability of alternate safety and nonsafety cooling methods.

B.1 and B.2 In MODE 1. 2, or 3. if the inoperable control room AC subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be placed in a MODE that minimizes risk. To achieve this status, the plant must be placed in at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months and in MODE 4 within 36 hours1.5 days 0.214 weeks 0.0493 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1, C.2.1, C.2.2, and C.2.3 LCO 3.0.3 is not applicable while in MODE 4 and 5. However, since irradiated fuel assembly movement can occur in MODES 1, 2, or 3 the Required Actions of Condition C are modified by a Note indicating that LCO 3.0.3 does not apply.

If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor (continued)

JAFNPP B 3.7.4-3 Revision 0

Control Room AC System B 3.7.4 BASES ACTIONS C.1, C.2.1, C.2.2, and C.2.3 (continued) operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE control room AC subsystem may be placed immediately in operation. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the plant in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Action must continue until the OPDRVs are suspended.

D.1 If both control room AC subsystems are inoperable in MODE 1, 2, or 3, the Control Room AC System may not be capable of performing the intended function. Therefore, LCO 3.0.3 must be entered immediately.

E.1, E.2, and E.3 LCO 3.0.3 is not applicable when in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3 the Required Actions of Condition E are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

(continued)

JAFNPP B 3.7.4-4 Revision 0

Control Room AC System B 3.7.{

BASES ACTIONS E.1, E.2, and E.3 (continued)

Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown.

During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, with two control room AC subsystems inoperable, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the plant in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and handling of irradiated fuel in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Action must continue until the OPDRVs are suspended.

SURVEILLANCE SR 3.7.4.1 REQUIREMENTS This SR verifies that the heat removal capability of the system is sufficient to remove the control room heat load assumed in the safety analyses with ESW providing water to the cooling coils of the air handling units. The SR consists of a combination of testing and calculation. It is acceptable to perform the test using chilled water as the cooling medium to the cooling coils, but a calculation must be performed to ensure that the heat load can be removed with ESW at 85 0 F. The 24 month Frequency is appropriate since significant degradation of the Control Room AC System is not expected over this time period.

REFERENCES 1. UFSAR, Section 9.9.3.11.

2. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.7.4-5 Revision 0

Main Condenser SJAE Offgas B 3.7.5 B 3.7 PLANT SYSTEMS B 3.7.5 Main Condenser Steam Jet Air Ejector (SJAE) Offgas BASES BACKGROUND During plant operation, steam from the low pressure turbine is exhausted directly into the main condenser. Air and noncondensible gases are collected in the main condenser, then exhausted through the steam jet air ejectors (SJAEs) to the Main Condenser (SJAE) Offgas System. The offgas from the main condenser normally includes radioactive gases.

The Main Condenser SJAE Offgas System has been incorporated into the plant design to reduce the gaseous radwaste emission and operates in three modes. During the startup mode, the SJAE offgas is directed to a 24 inch holdup pipe.

During the intermediate mode the SJAE offgas is first directed to a recombiner and then to the same 24 inch holdup pipe. Finally in the normal mode of operation, the SJAE offgas is directed to the recombiner and then to charcoal beds. In all modes, before discharging to the main stack the offgas passes through a parallel set of HEPA filters.

This system uses a catalytic recombiner to recombine hydrogen and oxygen from the radiolytic dissociation of reactor coolant and other sources. After the recombiner, the offgas is cooled by two condensers in series and then delivered to one of two dryers to reduce the moisture content before being passed through the charcoal beds for delay and decay of noble gas activity. The radioactivity of the gaseous mixture is monitored at the discharge of the SJAE and in the main stack.

APPLICABLE The main condenser offgas gross gamma activity rate is an SAFETY ANALYSES initial condition of the Main Condenser SJAE Offgas System failure event, discussed in the UFSAR, Section 11.4.7.2 (Ref. 1). The analysis assumes a gross failure in the Main Condenser SJAE Offgas System that results in the rupture of the Main Condenser SJAE Offgas System pressure boundary.

The gross gamma activity rate is controlled to ensure that, during the event, the calculated offsite doses will be well within the limits of 10 CFR 100 (Ref. 2).

The main condenser offgas limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

(co-ntin-u-ed)I JAFNPP B 3.7.5-1 Revision 0

Main Condenser SJAE Offgas B 3.7.5_

BASES (continued)

LCO To ensure compliance with the assumptions of the Main Condenser SJAE Offgas System failure event (Ref. 1), the fission product release rate should be consistent with a nominal noble gas release to the reactor coolant. The LCO is established consistent with a nominal production rate of 600,000 pCi/sec with no decay.

APPLICABILITY The LCO is applicable when steam is being exhausted to the main condenser and the resulting noncondensibles are being processed via the Main Condenser SJAE Offgas System. This occurs during MODE 1, and during MODES 2 and 3 with any main steam line not isolated and the SJAE in operation. In MODES 4 and 5, main steam is not being exhausted to the main condenser and the requirements are not applicable.

ACTIONS A.1 If the offgas radioactivity rate limit is exceeded, 72 hours3 days 0.429 weeks 0.0986 months is allowed to restore the gross gamma activity rate to within the limit. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable, based on engineering judgment, the time required to complete the Required Action, the large margins associated with permissible dose and exposure limits, and the low probability of a Main Condenser SJAE Offgas System rupture.

B.1, B.2, B.3.1, and B.3.2 If the gross gamma activity rate is not restored to within the limits in the associated Completion Time, all main steam lines or the SJAE must be isolated. This isolates the Main Condenser SJAE Offgas System from significant sources of radioactive steam. The main steam lines are considered isolated if at least one main steam isolation valve in each main steam line is closed, and at least one main steam line drain primary containment isolation valve is closed. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable, based on operating experience, to perform the actions from full power conditions in an orderly manner and without challenging plant systems.

An alternative to Required Actions B.1 and B.2 is to place the plant in a MODE in which the LCO does not apply. To achieve this status, the plant must be placed in at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months and in MODE 4 within 36 hours1.5 days 0.214 weeks 0.0493 months . The (continued)

JAFNPP B 3.7.5-2 Revision 0

Main Condenser SJAE Offgas B 3.7.5-BASES ACTIONS B.1, B.2, B.3.1, and B.3.2 (continued) allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.7.5.1 REQUIREMENTS This SR, on a 31 day Frequency, requires an isotopic analysis of an offgas sample, taken at the discharge (prior to dilution and/or discharge) of the SJAE, to ensure that the required limits are satisfied. If the measured rate of radioactivity increases significantly (by Ž 50% after correcting for expected increases due to changes in THERMAL POWER), an isotopic analysis is also performed within 4 hours0.167 days 0.0238 weeks 0.00548 months after the increase is noted, to ensure that the increase is not indicative of a sustained increase in the radioactivity rate. As noted, this Frequency is only required when the gross gamma activity rate, as indicated by the SJAE monitor, is 2 5000 pCi/second. The 31 day Frequency is adequate in view of other instrumentation that continuously monitor the offgas providing offgas isolation on excessive activity, and is acceptable, based on operating experience. The 5,000 pCi/second threshold level is an administrative control to reduce the number of unnecessary grab samples. This value is approximately 1% of the SJAE trip level setting and operating at or below the threshold level will ensure the site boundary annual radiation exposures remain within the 10 CFR 50, Appendix I guidelines (Ref. 4).

This SR is modified by a Note indicating that the SR is not required to be performed until 31 days after any main steam line is not isolated and the SJAE is in operation. Only in this condition can radioactive fission gases be in the Main Condenser SJAE Offgas System at significant rates.

REFERENCES 1. UFSAR, Section 11.4.7.2.

2. 10 CFR 100.

4. 10 CFR 50, Appendix I.

JAFNPP B 3.7.5-3 Revision 0

Main Turbine Bypass System B 3.7.6_

B 3.1 PLANT SYSTEMS B 3.7.6 Main Turbine Bypass System BASES BACKGROUND The Main Turbine Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during plant startup, sudden load reduction, and cooldown. It allows excess steam flow from the reactor to the condenser without going through the turbine. The bypass capacity of the system is 25% of the Nuclear Steam Supply System rated steam flow. Sudden load reductions within the capacity of the steam bypass can be accommodated without reactor scram. The Main Turbine Bypass System consists of four valves connected to the main steam lines between the main steam isolation valves and the turbine stop valve chest. Each of these four valves is operated by porting hydraulic fluid to the operating pistons through an electrically positioned servo valve. The bypass valves are controlled by the pressure regulation function of the Turbine Electro-Hydraulic Control (EHC) System, as discussed in the UFSAR, Section 7.11 (Ref. 1). The bypass valves are normally closed, and the EHC controls the turbine control valves that direct all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the EHC controls the system pressure by opening the bypass valves. When the bypass valves open, the steam flows from the bypass manifold, through each bypass valve and associated connecting piping, to a pressure reducer, where a series of orifices are used to further reduce the steam pressure before the steam enters the condenser.

APPLICABLE The Main Turbine Bypass System is assumed to function during SAFETY ANALYSES some transients, as discussed in the UFSAR, Section 14.5 (Ref. 2). Opening the bypass valves during the pressurization event mitigates the increase in reactor vessel pressure, which affects the MCPR during the event.

An inoperable Main Turbine Bypass System may result in MCPR or LHGR penalties. With an inoperable Main Turbine Bypass System, the feedwater controller failure event may become the limiting event.

The Main Turbine Bypass System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO The Main Turbine Bypass System is required to be OPERABLE to limit peak pressure in the main steam lines and maintain reactor pressure within acceptable limits during events that (continued)

JAFNPP B 3.7.6-1 Revision 0

Main Turbine Bypass System B 3.7.6 BASES LCO cause rapid pressurization, so that the Safety Limit MCPR is (continued) not exceeded. With the Main Turbine Bypass System inoperable, modifications to the MCPR operating limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and the LHGR limits (LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)") may be applied to allow this LCO to be met. The LHGR limit and MCPR operating limit for the inoperable Main Turbine Bypass System are specified in the COLR, if applicable. An OPERABLE Main Turbine Bypass System requires three of the four bypass valves to open in response to increasing main steam line pressure. This response is within the assumptions of the applicable analysis (Ref. 4).

APPLICABILITY The Main Turbine Bypass System is required to be OPERABLE at

25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the applicable safety analyses. As discussed in the Bases for LCO 3.2.2 and LCO 3.2.3, sufficient margin to these limits exists at < 25% RTP.

Therefore, these requirements are only necessary when operating at or above this power level.

ACTIONS A.1 If the Main Turbine Bypass System is inoperable (two or more bypass valves inoperable), and the LHGR limit and MCPR operating limit for an inoperable Main Turbine Bypass System, as specified in the COLR, are not applied, the assumptions of the design basis transient analysis may not be met. Under such circumstances, prompt action should be taken to restore the Main Turbine Bypass System to OPERABLE status or adjust the LHGR limit and MCPR operating limit accordingly. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is reasonable, based on the time to complete the Required Action and the low probability of an event occurring during this period requiring the Main Turbine Bypass System.

B.1 If the Main Turbine Bypass System cannot be restored to OPERABLE status or the LHGR limit and MCPR operating limit for an inoperable Main Turbine Bypass System are not applied, THERMAL POWER must be reduced to < 25% RTP. As discussed in the Applicability section, operation at

< 25% RTP results in sufficient margin to the required (continued)

JAFNPP B 3.7.6-2 Revision 0

Main Turbine Bypass System B 3.7.6-BASES ACTIONS B.1 (continued) limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the abnormal operational transients. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.7.6.1 REQUIREMENTS Cycling each required main turbine bypass valve through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will function when required.

The specified Frequency (prior to entering MODE 2 or 3 from MODE 4) is based on engineering judgment, is consistent with the procedural controls governing valve operation, ensures correct valve positions, and ensures the valves are OPERABLE prior to each reactor startup from MODE 4. Operating experience has shown that these components usually pass the SR when performed at the specified Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.

SR 3.7.6.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the required valves will actuate to their required position. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 24 month Frequency, which is based on the refueling cycle, is acceptable from a reliability standpoint.

SR 3.7.6.3 This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analysis. The response time limits are specified in the Technical Requirements Manual (Reference 5). The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant (continued)

JAFNPP B 3.7.6-3 Revision 0

Main Turbine Bypass System B 3.7.6-BASES SURVEILLANCE SR 3.7.6.3 (continued)

REQUIREMENTS outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 24 month Frequency, which is based on the refueling cycle, is acceptable from a reliability standpoint.

REFERENCES 1. USFAR, Section 7.11.

2. UFSAR, Section 14.5.

4. Supplemental Reload Licensing Report for James A.

FitzPatrick (Revision specified in the COLR).

5. Technical Requirements Manual.

JAFNPP B 3.7.6-4 Revision 0

Spent Fuel Storage Pool Water Level B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Spent Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the spent fuel storage pool ensures that the assumptions of iodine decontamination factors following a refueling accident are met.

A general description of the spent fuel storage pool design is found in the UFSAR, Section 9.3 (Ref. 1). The assumptions of the refueling accident are found in the UFSAR, Section 14.6.1.4 (Ref. 2).

APPLICABLE The water level above the irradiated fuel assemblies is an SAFETY ANALYSES implicit assumption of the refueling accident. A refueling accident is evaluated to ensure that the radiological consequences (calculated whole body and thyroid doses at the exclusion area and low population zone boundaries) are ! 25%

of 10 CFR 100 (Ref. 3) exposure guidelines NUREG-0800 (Ref. 4). A refueling accident could release a fraction of the fission product inventory by breaching the fuel rod cladding as discussed in the Regulatory Guide 1.25 (Ref. 5).

The refueling accident is evaluated for the dropping of an irradiated fuel assembly onto the reactor core. The consequences of a refueling accident over the spent fuel storage pool are no more severe than those of the refueling accident over the reactor core, as discussed in the UFSAR, Section 14.6.1.1 (Ref. 6). The water level in the spent fuel storage pool provides for absorption of water soluble fission product gases and transport delays of soluble and insoluble gases that must pass through the water before being released to the secondary containment atmosphere.

This absorption and transport delay reduces the potential radioactivity of the release during a refueling accident.

The spent fuel storage pool water level satisfies Criterion 2 and 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 7).

LCO The specified water level preserves the assumptions of the refueling accident analysis (Ref. 2). As such, it is the minimum required for fuel movement within the spent fuel storage pool.

(continued)

JAFNPP B 3.7.7-1 Revision 0

Spent Fuel Storage Pool Water Level B 3.7.7_

BASES (continued)

APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the spent fuel storage pool since the potential for a release of fission products exists.

ACTIONS A.1 LCO 3.0.3 is not applicable while in MODE 4 and 5. However, because irradiated fuel assembly movement can occur in MODE 1, 2, or 3, Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown.

When the initial conditions for an accident cannot be met, action must be taken to preclude the accident from occurring. If the spent fuel storage pool level is less than required, the movement of irradiated fuel assemblies in the spent fuel storage pool is suspended immediately.

Suspension of this activity shall not preclude completion of movement of an irradiated fuel assembly to a safe position.

This effectively precludes a spent fuel handling accident from occurring.

SURVEILLANCE SR 3.7.7.1 REQUIREMENTS This SR verifies that sufficient water is available in the event of a refueling accident. The water level in the spent fuel storage pool must be checked periodically. The 7 day Frequency is acceptable, based on operating experience, considering that the water volume in the pool is normally stable, and all water level changes are controlled by plant procedures.

REFERENCES 1. UFSAR, Section 9.3.

2. UFSAR, Section 14.6.1.4.

3. 10 CFR 100.

(continued)

JAFNPP B 3.7.7-2 Revision 0

Spent Fuel Storage Pool Water Level B 3.7.7_

BASES REFERENCES 4. NUREG-0800, Standard Review Plan for the Review of (continued) Safety Analysis Reports for Nuclear Power Plants, Section 15.7.4, Revision 1, Radiological Consequences of Fuel Handling Accident, July 1981.

5. Regulatory Guide 1.25, Assumptions Used for Evaluating The Potential Radiological Consequences Of A Fuel Handling Accident In The Fuel Handling And Storage Facility For Boiling And Pressurized Water Reactors, March 1972.

6. UFSAR, Section 14.6.1.1.

7. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.7.7-3 Revision 0

AC Sources- Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources-Operating BASES BACKGROUND The AC Sources for the plant Class 1E AC Electrical Power Distribution System consist of the Main Generator (normal),

115 kV transmission network (reserve), 345 kV transmission network (backfeed, which is only available with the main generator offline and the links removed), and emergency diesel generators (EDGs) A, B, C, and D (onsite). As required by JAFNPP design criteria (Ref. 1). the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safeguards systems.

The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed.

Each load group has connections to the normal main generator source, two 115 kV transmission network sources through the associated reserve circuits, one EDG subsystem onsite source consisting of two EDGs, and the 345 kV transmission network backfeed (which is only available with the main generator offline and the links removed) source. However, neither the backfeed source nor the main generator source are considered a qualified offsite circuit.

Offsite power is supplied to the 115 kV and 345 kV switchyards from the transmission network by four transmission lines. The 115 kV switchyard is supplied by two independent 115 kV transmission lines and associated breakers. One transmission line, the Lighthouse Hill FitzPatrick line 3 (breaker 10022), connects the South 115 kV bus to the Lighthouse Hill substation. The other transmission line, Nine Mile-FitzPatrick line 4 (breaker 10012), connects the North 115 kV bus to the Nine Mile Point Unit One Nuclear Station 115 kV switchyard which is then connected to the South Oswego substation. The South 115 kV bus and the North 115 kV bus are connected by a normally closed electrically operated disconnect (10017). Each circuit breaker and disconnect is provided with two complete sets of protective relaying for tripping. In the event of a fault on a 115 kV bus the associated breaker and disconnect will open to de-energize the bus and isolate the faulted bus section. The 115 kV reserve power source is stepped down to 4.16 kV by Reserve Station Service Transformers (RSSTs) 71T-2 and 71T-3. RSST 71T-2 supplies 4.16 kV buses 10200, 10400, and 10600 for plant startup and shutdown. RSST 71T-3 (continued)

JAFNPP B 3.8.1-1 Revision 0

AC Sources- Operating B 3.8.L BASES BACKGROUND supplies 4.16 kV buses 10100, 10300, and 10500 for plant (continued) startup and shutdown. The lines connecting the RSSTs to the 115 kV transmission lines are arranged so that a failure of either line does not result in the loss of the other line.

The 345 kV switchyard is connected to the Niagara Mohawk Power Corporation's Edic Substation and the Niagara Mohawk Power Corporation's Scriba Substation. The Main Generator provides power at 24 kV to two main transformers (TIA and TIB) connected in parallel, and to the Normal Station Service Transformer (NSST) 71T-4. NSST 71T-4 steps down voltage to supply power to the 4.16 kV buses 10100, 10200, 10300, 10400 and 10700. Normal (from the Main Generator) or reserve power is supplied to emergency buses 10500 and 10600 through tie connections from buses 10300 and 10400, respectively. If normal power from NSST 71T-4 is lost, the reserve power, RSSTs 71T-2 and 71T-3, will automatically energize all plant buses via the fast or residual transfer, except bus 10700. The only power source to bus 10700 is NSST 71T-4 because the bus has no connected loads necessary for startup or safe shutdown of the plant. If the RSSTs were to fail, the EDG subsystems would automatically energize their respective buses. The 345 kV switchyard is sometimes used to backfeed NSST 71T-4. This operation requires the main generator links to be manually disconnected and therefore can only be used during plant outages. A detailed description of the 115 kV and 345 kV transmission networks and the normal, reserve, and backfeed AC power supply circuits to the plant Class 1E emergency buses is found in the UFSAR, Chapter 8 (Ref. 2).

A qualified offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the 115 kV transmission network source to the plant Class 1E emergency bus or buses. During normal plant operation, with the main generator on line, emergency buses 10500 and 10600 are energized by the normal AC power source from NSST 71T-4 via buses 10300 and 10400, respectively. Loss or degradation of the normal AC power source results in an automatic fast transfer or automatic residual transfer to the reserve AC power source through RSSTs 71T-2 and 71T-3. Each RSST is sized to supply all loads on its associated emergency and non-emergency service buses.

The onsite standby AC power sources for 4.16 kV emergency buses 10500 and 10600 consist of two independent and redundant EDG subsystems that are self contained and independent of normal, backfeed, and reserve sources. Each EDG subsystem consists of two EDGs which operate in parallel and are dedicated to an emergency power division (1 or 2).

(continued)

JAFNPP B 3.8.1-2 Revision 0

AC Sources - Operating B 3.8.1_

BASES BACKGROUND The Division 1 EDG subsystem consists of EDGs A and C and is (continued) dedicated to emergency bus 10500. The Division 2 EDG subsystem consists of EDGs B and D and is dedicated to emergency bus 10600. The EDGs start automatically on an emergency bus degraded voltage signal, an emergency bus undervoltage (LOP) signal, or a loss of coolant accident (LOCA) signal (i.e., low-low-low reactor water level signal or high drywell pressure signal). As a consequence of a LOP or degraded voltage signal, independent of or coincident with a LOCA signal, the emergency bus undervoltage control logic starts the EDGs. Coincident with the EDG starting and force paralleling, the emergency bus undervoltage control logic trips the 4.16 kV emergency bus tie breakers, trips the emergency bus load breakers (except for the 600 V emergency substations), and provides a close permissive signal to the EDG output breakers. The EDGs are automatically tied to their respective emergency buses and if a LOCA condition exists loads are sequentially connected to the emergency buses by the programmed restart time delay relays. The programmed restart time delay relays control the permissive and starting signals to motor breakers to prevent overloading the EDGs. On a LOCA signal alone the EDGs start, force parallel, and operate in the standby mode without tying to the emergency bus.

Certain required plant loads are returned to service in a predetermined sequence in the presence of a LOCA signal in order to prevent overloading of the EDGs in the process.

Within approximately 27 seconds after the initiating signal is received, all automatic and permanently connected loads needed to recover the plant or maintain it in a safe condition are returned to service. While each emergency power division is designed to be supplied by an EDG pair, if an EDG were to fail during a LOCA event in conjunction with a LOP, the programmed restart logic will not start the second residual heat removal pump powered from the 4.16 kV emergency bus associated with the failed EDG so that the remaining EDG in that EDG subsystem is not overloaded.

Ratings for the EDGs satisfy the requirements of Safety Guide 9 (Ref. 3). EDGs A, B, C and D have the following ratings:

a. 2600 kW-continuous,

b. 2850 kW-2000 hours83.333 days 11.905 weeks 2.74 months ,

c. 2950 kW-160 hours6.667 days 0.952 weeks 0.219 months ,

d. 3050 kW-30 minutes.

(continued)

JAFNPP B 3.8.1-3 Revision 0

AC Sources- Operating B 3.8.1_

BASES (continued)

APPLICABLE The initial conditions of DBA and transient analyses in the SAFETY ANALYSES UFSAR, Chapter 6 (Ref. 4) and Chapter 14 (Ref. 5), assume Engineered Safeguards systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to engineered safeguards systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling System (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the plant. This includes maintaining the onsite (EDGs) or qualified offsite AC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and

b. A worst case single active component failure.

AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii)

(Ref. 6).

LCO Two qualified circuits between the offsite transmission network and the plant Class 1E Distribution System and two separate and independent EDG subsystems each consisting of two EDGs ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA.

Qualified offsite circuits are those that are described in the UFSAR, and are part of the licensing basis for the plant.

Each qualified offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the emergency buses. Each qualified offsite circuit consists of the incoming disconnect device to reserve station service transformer (RSST) 71T-2 or 71T-3, the associated RSST, and the respective circuit path including feeder breakers to the (continued)

JAFNPP B 3.8.1-4 Revision 0

AC Sources- Operating B 3.8.1 BASES LCO 4.16 kV emergency bus 10500 or 10600. In addition, to (continued) ensure a fault on one qualified offsite circuit does not adversely impact the other qualified offsite circuit, the 115 kV North and South bus disconnect (10017) automatic opening feature must be OPERABLE if the disconnect is closed. If the automatic opening feature is inoperable, then one of the offsite circuits must be declared inoperable. In addition, due to the unique nature of this design, the automatic opening feature is periodically demonstrated in accordance with plant procedures.

Each EDG subsystem must be capable of starting, accelerating to rated speed and voltage, force paralleling and connecting to its respective emergency bus on detection of bus undervoltage. This sequence must be accomplished within 11 seconds. Each EDG subsystem must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the emergency buses. These capabilities are required to be met with the EDGs in standby condition.

Additional EDG capabilities must be demonstrated to meet required Surveillances, e.g., capability of each EDG subsystem to reject a load greater than or equal to the load of a core spray pump. Proper sequencing of loads, including tripping of nonessential loads, is a required function for EDG OPERABILITY.

The AC sources must be separate and independent (to the extent possible) of other AC sources. For the EDGs, the separation and independence are complete. For the qualified offsite AC sources, the separation and independence are to the extent practical. A qualified offsite circuit that is not connected to an emergency bus is required to have OPERABLE automatic transfer interlock mechanisms to its associated emergency bus to support OPERABILITY of that circuit.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2.

and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients: and (continued)

JAFNPP B 3.8.1-5 Revision 0

AC Sources -Operating B 3.8.1 BASES APPLICABILITY b. Adequate core cooling is provided and containment (continued) OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 4 and 5 are covered in LCO 3.8.2, "AC Sources-Shutdown."

ACTIONS A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second offsite circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

A.2 Required Action A.2, which only applies if the division cannot be powered from an offsite source, is intended to provide assurance that an event with a coincident single active failure of the associated EDG subsystem does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has no power from an offsite circuit.

The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. The division has no offsite circuit OPERABLE to supply its loads; and

b. A redundant required feature on the other division is inoperable.

(continued)

JAFNPP B 3.8.1-6 Revision 0

AC Sources- Operating B 3.8.1 BASES ACTIONS A.2 (continued)

If, at any time during the existence of this Condition (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering no offsite power to one 4.16 kV emergency bus of the plant Class 1E Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with any other emergency bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the plant is subjected to transients associated with shutdown.

The remaining OPERABLE offsite circuit and EDGs are adequate to supply electrical power to the plant Class 1E Distribution System. Thus, on a component basis, single active failure protection may have been lost for the required feature's function; however, function is not lost.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

A.3 With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and EDGs are adequate to supply electrical power to the plant Class 1E Distribution System.

The 7 day Completion Time takes into account the redundancy, capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet (continued)

JAFNPP B 3.8.1-7 Revision 0

AC Sources- Operating B 3.8.J BASES ACTIONS A.3 (continued) the LCO. If Condition A is entered while, for instance, an EDG subsystem is inoperable, and that EDG subsystem is subsequently restored OPERABLE, the LCO may already have been not met for up to 14 days. This situation could lead to a total of 21 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, an EDG subsystem could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 35 days) allowed prior to complete restoration of the LCO.

The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

Similar to Required Action A.2, the second Completion Time of Required Action A.3 allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

B.1 To ensure a highly reliable power source remains with one EDG subsystem inoperable, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform,"

a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.

B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG subsystem is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e.,

single division systems are not included). Redundant (continued)

JAFNPP B 3.8.1-8 Revision 0

AC Sources- Operating B 3.8.1 BASES ACTIONS B.2 (continued) required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable EDG subsystem.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable EDG subsystem exists; and

b. A redundant required feature on the other division is inoperable.

If, at any time during the existence of this Condition (one EDG subsystem inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering one EDG subsystem inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE EDG subsystem results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the plant to transients associated with shutdown.

The remaining OPERABLE EDG subsystem and offsite circuits are adequate to supply electrical power to the plant Class 1E Distribution System. Thus, on a component basis, single active failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

(continued)

JAFNPP B 3.8.1-9 Revision 0

AC Sources -Operating B 3.8.1 BASES ACTIONS B.3.1 and B.3.2 (continued)

Required Action B.3.1 provides an allowance to avoid unnecessary testing of the OPERABLE EDG subsystem. If it can be determined that the cause of the inoperable EDG subsystem does not exist on the OPERABLE EDG subsystem, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other EDG subsystem, the EDG subsystem is declared inoperable upon discovery, and Condition E of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied. If the cause of the initial inoperable EDG subsystem cannot be confirmed not to exist on the remaining EDG subsystem, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of the remaining EDG subsystem.

In the event the inoperable EDG subsystem is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months constraint imposed while in Condition B.

According to Generic Letter 84-15 (Ref. 7), 24 hours1 days 0.143 weeks 0.0329 months is a reasonable time to confirm that the remaining OPERABLE EDG subsystem is not affected by the same problem as the inoperable EDG.

B.4 The design of the AC Sources allows operation to continue in Condition B for a period that should not exceed 14 days. In Condition B, the remaining OPERABLE EDG subsystem and offsite circuits are adequate to supply electrical power to the plant Class 1E Distribution System. The 14 day Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period. In addition, the 14 day completion time is based on a risk-informed assessment of the EDG subsystem inoperability. EDG subsystem inoperability and the simultaneous inoperability of other plant equipment is assessed in accordance with Specification 5.5.13, Configuration Risk Management Program (CRMP).

(continued)

JAFNPP B 3.8.1-10 Revision 0

AC Sources- Operating B 3.8.1 BASES ACTIONS B.4 (continued)

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored to OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 21 days, since initial failure of the LCO, to restore the EDG subsystem. At this time, an offsite circuit could again become inoperable, the EDG subsystem restored OPERABLE, and an additional 7 days (for a total of 28 days) allowed prior to complete restoration of the LCO. The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 21 day Completion Ti-imes means that both Completion Times apply simultaneously, and the more restrictive must be met.

Similar to Required Action B.2, the second Completion Time of Required Action B.4 allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

C.1 and C.2 Required Action C.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two offsite circuits.

Required Action C.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours0.5 days 0.0714 weeks 0.0164 months from that allowed with one division without offsite power (Required Action A.2). The rationale for the reduction to 12 hours0.5 days 0.0714 weeks 0.0164 months is that a Completion Time of 7 days for two required offsite circuits inoperable is acceptable based upon the assumption that two complete safety divisions are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours0.5 days 0.0714 weeks 0.0164 months is appropriate. These features are designed with redundant safety related divisions, (i.e., single division systems are not included in the list). Redundant required features (continued)

JAFNPP B 3.8.1-11 Revision 0

AC Sources - Operating B 3.8.1 BASES ACTIONS C.1 and C.2 (continued) failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits.

The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. Both offsite circuits are inoperable; and

b. A redundant required feature is inoperable.

If, at any time during the existence of this Condition (two offsite circuits inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Operation may continue in Condition C for a period that should not exceed 7 days. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible reserve power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more EDG subsystems inoperable.

However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure: and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

(continued)

JAFNPP B 3.8.1-12 Revision 0

AC Sources- Operating B 3.8.1 BASES ACTIONS C.1 and C.2 (continued)

With both of the offsite circuits inoperable, sufficient onsite AC sources are available to maintain the plant in a safe shutdown condition in the event of a DBA or transient.

In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single active component failure were postulated as a part of the design basis in the safety analysis. The 7 day Completion Time in Required Action C.2 provides a period of time to effect restoration of both offsite circuits commensurate with the importance of maintaining AC electrical power system capable of meeting its design criteria.

With both offsite circuits inoperable, operation may continue for 7 days. In this situation Conditions A and C must be entered concurrently. If both offsite circuits are restored within 7 days, unrestricted operation may continue.

If only one offsite source is restored within 7 days, entry into Condition F is required. If the offsite circuits were not found to be inoperable concurrently, the Completion Time of Required Action A.3 must be met for the first inoperable circuit in accordance with the guidance of Section 1.3 (Completion Times). This will ensure that the maximum time two offsite circuits could be inoperable simultaneously without entering Condition F is limited.

D.1 and D.2 Pursuant to LCO 3.0.6, the Distribution Systems-Operating ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any 4.16 kV emergency bus ACTIONS for LCO 3.8.7, "Distribution Systems-Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of the offsite circuit and one EDG subsystem without regard to whether a division is de-energized.

LCO 3.8.7 provides the appropriate restrictions for a de-energized division.

According to recommendations in Regulatory Guide 1.93 (Ref. 8), operation may continue in Condition D for a period that should not exceed 12 hours0.5 days 0.0714 weeks 0.0164 months . In Condition D, individual redundancy is lost in both the offsite power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, (continued)

JAFNPP B 3.8.1-13 Revision 0

AC Sources- Operating B 3.8.1_

BASES ACTIONS D.1 and D.2 (continued) however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources,reasonable time for repairs, and the low probability of a DBA occurring during this period.

E.1 With two EDG subsystems inoperable, there is no remaining onsite AC source. Thus, with an assumed loss of offsite electrical power, insufficient onsite AC sources are available to power the minimum required engineered safeguards functions. Since the offsite electrical power system is the only source of AC power for the majority of engineered safeguards equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent Main Generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to the recommendations in Regulatory Guide 1.93 (Ref. 8), with both EDG subsystems inoperable, operation may continue for a period that should not exceed 2 hours0.0833 days 0.0119 weeks 0.00274 months .

F.1 and F.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months and to MODE 4 within 36 hours1.5 days 0.214 weeks 0.0493 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

JAFNPP B 3.8.1-14 Revision 0

AC Sources -Operating B 3.8.1 BASES ACTIONS G.1 (continued)

Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. Entry into Condition G is necessary when both offsite circuits and one EDG subsystem are inoperable (where the EDG subsystem is inoperable due to an inoperability of one or both EDGs within the EDG subsystem), both EDG subsystems and one offsite circuit are inoperable, or both offsite circuits and both EDG subsystems are inoperable. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The plant is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and REQUIREMENTS testing of all important areas and features, especially those that have a standby function, in accordance with Reference 1. Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the EDG subsystems are in general conformance with the recommendations of Safety Guide 9 (Ref. 3), Regulatory Guide 1.108 (Ref. 9), and Regulatory Guide 1.137 (Ref. 10).

Where the SRs discussed herein specify steady state voltage and frequency tolerances, the following summary is applicable. The minimum steady state output voltage of 3900 V is approximately 94% of the nominal 4160 V output voltage. This value, which is slightly greater than that specified in ANSI C84.1 (Ref. 11), allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90% of name plate rating. The specified maximum steady state output voltage of 4400 V is equal to the maximum operating voltage specified for 4000 V motors.

It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages. The specified minimum and maximum frequencies of the EDG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations found in Safety Guide 9 (Ref. 3).

(continued)

JAFNPP B 3.8.1-15 Revision 0

AC Sources- Operating B 3.8.1_

BASES SURVEILLANCE SR 3.8.1.1 REQUIREMENTS (continued) This SR ensures proper circuit continuity for the offsite AC electrical power supply to the plant distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that emergency buses and loads can be or are connected to their offsite power source and that appropriate independence of offsite circuits is maintained. Offsite circuit alignment verification can be accomplished by verifying that an offsite circuit bus is energized and that the status of offsite circuit supply breakers and disconnects displayed in the control room is correct. Offsite source power availability can be verified by communication with Niagara Mohawk for the Nine Mile Point Unit One switchyard, South Oswego substation, and Light House Hill substation. The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room. In addition, the Frequency is adequate since administrative controls are in place that require plant notification by Niagara Mohawk of distribution system problems that affect power availability.

SR 3.8.1.2 This SR helps to ensure the availability of the onsite electrical power supply to mitigate DBAs and transients and maintain the plant in a safe shutdown condition.

To minimize the wear on moving parts, this SR has been modified by a Note to indicate that all EDG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup prior to loading.

For the purposes of this testing, the EDGs are started from standby conditions. Standby conditions for an EDG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations.

This SR requires that, at a 31 day Frequency, the EDG subsystem starts from standby conditions, force parallels, and achieves required voltage and frequency within 10 seconds. The 10 second start requirement supports the assumptions in the design basis LOCA analysis of UFSAR, Section 6.5 (Ref. 12).

(continued)

JAFNPP B 3.8.1-16 Revision 0

AC Sources -Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.2 (continued)

REQUIREMENTS In addition to the SR requirements, the time for the EDG subsystem to reach steady state operation is periodically monitored and the trend evaluated to identify degradation of governor and voltage regulator performance.

The 31 day Frequency for SR 3.8.1.2 is consistent with Regulatory Guide 1.108 (Ref. 9). This Frequency provides adequate assurance of EDG subsystem OPERABILITY, while minimizing degradation resulting from testing.

SR 3.8.1.3 This SR verifies that the EDG subsystems are capable of synchronizing and accepting greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the EDG subsystem is paralleled with the normal, reserve or backfeed power source.

Although no power factor requirements are established by this SR, the EDG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation to ensure circulating currents are minimized.

The load band is provided to avoid routine overloading of the EDG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.

The 31 day Frequency for this Surveillance is consistent with Safety Guide 9 (Ref. 3).

Note 1 modifies this SR to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized.

Note 2 modifies this SR by stating that momentary transients because of changing bus loads do not invalidate this test.

Similarly, momentary power factor transients above the limit do not invalidate the test.

Note 3 indicates that this SR should be conducted on only one EDG subsystem at a time in order to avoid common cause failures that might result from normal, reserve or backfeed power source perturbations.

(continued)

JAFNPP B 3.8.1-17 Revision 0

AC Sources -Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.3 (continued)

REQUIREMENTS Note 4 stipulates a prerequisite requirement for performance of this SR. A successful EDG subsystem start must precede this test to credit satisfactory performance.

SR 3.8.1.4 This SR provides verification that the level of fuel oil in the day tank is at or above the level at which the low level alarm is annunciated. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for a minimum of 1.5 hours0.208 days 0.0298 weeks 0.00685 months of EDG operation at full load.

The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and plant operators would be aware of any large uses of fuel oil during this period.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.

In addition, it eliminates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is consistent with Regulatory Guide 1.137 (Ref. 10). This SR is for preventive maintenance. The presence of water does not necessarily represent a failure of this SR provided that accumulated water is removed during performance of this Surveillance.

SR 3.8.1.6 This SR demonstrates that at least one fuel oil transfer pump associated with each OPERABLE EDG operates and automatically transfers fuel oil from its associated storage (continued)

JAFNPP B 3.8.1-18 Revision 0

AC Sources -Operating B 3.8.1_

BASES SURVEILLANCE SR 3.8.1.6 (continued)

REQUIREMENTS tank to its associated day tank. It is required to support continuous operation of onsite power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE for each EDG.

The Frequency for this SR is consistent with the Frequency for testing the EDG subsystem in SR 3.8.1.3. EDG operation for SR 3.8.1.3 is normally long enough that fuel oil level in the day tank will be reduced to the point where the fuel oil transfer pump automatically starts to restore fuel oil level in the day tank.

SR 3.8.1.7 Automatic residual transfer of each 4.16 kV emergency bus power supply from the normal (main generator) source (NSST 71T-4) to each offsite circuit demonstrates the OPERABILITY of the offsite circuit distribution network to power the shutdown loads. As Noted, the SR is only required to be met for each offsite circuit that is not energizing its respective 4.16 kV emergency bus (i.e., the bus is being energized by the NSST), since the automatic transfer must be OPERABLE when the 4.16 kV emergency bus is being supplied by the main generator. The 24 month Frequency of the Surveillance is based on engineering judgment taking into consideration the plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed on the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

In lieu of an actual automatic residual transfer, testing that adequately demonstrates the automatic residual transfer capability is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire automatic residual transfer function and emergency bus energization is verified.

(continued)

JAFNPP B 3.8.1-19 Revision 0

AC Sources- Operating B 3.8.1L BASES SURVEILLANCE SR 3.8.1.8 REQUIREMENTS (continued) Each EDG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the EDG subsystem capability to reject the largest single load without exceeding a predetermined frequency and while maintaining a specified margin to the overspeed trip. The largest single load for each EDG subsystem is a core spray pump (1250 bhp). This Surveillance may be accomplished by:

a. Tripping the EDG output breakers with the EDG subsystem carrying greater than or equal to its associated single largest post-accident load while paralleled with normal, reserve, or backfeed power, or while solely supplying the bus; or

b. Tripping its associated single largest post-accident load with the EDG subsystem solely supplying the bus.

Consistent with Safety Guide 9 (Ref. 3), the load rejection test is acceptable if the diesel speed does not exceed the nominal (synchronous) speed plus 75% of the difference between nominal speed and the overspeed trip setpoint, or 115% of nominal speed, whichever is lower.

The Frequency of 24 months, takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. In order to ensure that the EDG subsystem is tested under load conditions that are as close to design basis conditions as possible, the Note requires that, if paralleled with normal, reserve or backfeed power, testing must be performed using a power factor g 0.9. This power factor is chosen to be representative of the actual design basis inductive loading that the EDG subsystem would experience. However, if the grid conditions do not permit, the power factor limit is not required to be met. In this condition the test is performed with a power factor as close to the design rating of the machine as practicable. This is permitted since, with a high grid voltage it may not be possible to raise the EDG subsystem output voltage sufficiently to obtain the required power factor without creating an overvoltage condition on the emergency bus.

(continued)

JAFNPP B 3.8.1-20 Revision 0

AC Sources -Operating B 3.8.1_

BASES SURVEILLANCE SR 3.8.1.9 REQUIREMENTS (continued) Consistent with Regulatory Guide 1.108 (Ref. 9),

paragraph 2.a.(1), this SR demonstrates the as designed operation of the onsite power sources due to an emergency bus loss of power (LOP) signal. This test verifies all actions required following receipt of the LOP signal, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the EDG subsystem. It further demonstrates the capability of the EDG subsystem to automatically achieve the required voltage and frequency within the specified time.

The EDG auto-start time of 11 seconds is derived from requirements of the accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.

The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the EDG subsystem loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation.

For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the EDG subsystem to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 24 months, takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. The reason for the Note is to minimize the wear and tear on the EDGs during testing.

For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations.

(continued)

JAFNPP B 3.8.1-21 Revision 0

AC Sources- Operating B 3.8.:L BASES SURVEILLANCE SR 3.8.1.10 REQUIREMENTS (continued) This SR demonstrates that the EDG subsystem automatically starts, force parallels and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operates for ; 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.10.d and SR 3.8.1.10.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on a LOCA signal without a LOP signal.

The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the EDG subsystem to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

In addition to the SR requirements, the time for the EDG subsystem to reach steady state operation is periodically monitored and the trend evaluated to identify degradation of governor and voltage regulator performance.

The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.

This SR is modified by a Note. The reason for the Note is to minimize the wear and tear on the EDGs during testing.

For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations.

(continued)

JAFNPP B 3.8.1-22 Revision 0

AC Sources- Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 REQUIREMENTS (continued) Consistent with IEEE-387 (Ref. 13), Section 7.5.9 and Table 3, this SR requires demonstration that the EDGs can run continuously at full load capability for an interval of not less than 8 hours0.333 days 0.0476 weeks 0.011 months -6 hours0.25 days 0.0357 weeks 0.00822 months of which is at a load equivalent to 90-100% of the continuous rating of the EDG, and 2 hours0.0833 days 0.0119 weeks 0.00274 months of which is at a load equivalent to 105% to 110%

of the continuous duty rating of the EDG. The EDG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

In order to ensure that the EDG subsystem is tested under load conditions that are as close to design conditions as possible, testing must be performed using a power factor This power factor is chosen to be representative of the actual design basis inductive loading that the EDG subsystem could experience. A load band is provided to avoid routine overloading of the EDG subsystem. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.

The 24 month Frequency is consistent with the recommendations of IEEE-387 (Ref. 13), Section 7.5.9 and Table 3 which takes into consideration plant conditions required to perform the Surveillance; and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by two Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test.

Note 2 is provided in recognition that when grid conditions do not permit, the power factor limit is not required to be met. In this condition, the test is performed with a power factor as close to the design rating of the machine as practicable. This is permitted since, with a high grid voltage it may not be possible to raise the EDG output voltage sufficiently to obtain the required power factor without creating an overvoltage condition on the emergency bus.

(continued)

JAFNPP B 3.8.1-23 Revision 0

AC Sources- Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.12 REQUIREMENTS (continued) In the event of a DBA coincident with an emergency bus loss of power signal, the EDGs are required to supply the necessary power to Engineered Safeguards systems so that the fuel, RCS, and containment design limits are not exceeded.

This SR demonstrates EDG subsystem operation, as discussed in the Bases for SR 3.8.1.9, during an emergency bus LOP signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG subsystem to perform these functions is acceptable.

This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 24 months.

This SR is modified by a Note. The reason for the Note is to minimize the wear and tear on the EDGs during testing.

For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations.

SR 3.8.1.13 Under accident conditions loads are sequentially connected to the bus by the individual time delay relays. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the EDGs due to high motor starting currents. The minimum load sequence time interval tolerance ensures that sufficient time exists for the EDG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding engineered safeguards equipment time delays are not violated. There is no upper limit for the load sequence time interval since, for a single load interval (i.e., the time between two load blocks), the capability of the EDG to restore frequency and voltage prior to applying the second load is not negatively affected by a longer than designed load interval, and if there are additional load blocks (i.e., the design includes multiple load intervals), then the lower limit requirements will (continued)

JAFNPP B 3.8.1-24 Revision 0

AC Sources- Operating B 3.8.1_

BASES SURVEILLANCE SR 3.8.1.13 (continued)

REQUIREMENTS ensure that sufficient time exists for the EDG to restore frequency and voltage prior to applying the remaining load blocks (i.e., all load intervals must be greater than or equal to the minimum design interval).

The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with expected fuel cycle lengths.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Chapter 8.

3. Safety Guide 9, Selection Of Diesel Generator Set Capacity For Standby Power Supplies, March 1971.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 14.

6. 10 CFR 50.36(c)(2)(ii).

7. Generic Letter 84-15, Proposed Staff Actions To Improve And Maintain Diesel Generator Reliability, July 1984.

8. Regulatory Guide 1.93, Availability Of Electric Power Sources, December 1974.

9. Regulatory Guide 1.108, Revision 1, Periodic Testing of Diesel Generator Units Used As Onsite Electric Power Systems At Nuclear Power Plants, August 1977.

10. Regulatory Guide 1.137, Revision 1, Fuel-Oil Systems for Standby Diesel Generators, October 1979.

11. ANSI C84.1, Voltage Ratings for Electric Power Systems and Equipment, 1982.

12. UFSAR, Section 6.5.

13. IEEE-387, IEEE Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations, 1995.

JAFNPP B 3.8.1-25 Revision 0

AC Sources - Shutdown B 3.8.2_

B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources -Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources-Operating." In addition to the reserve AC sources described in LCO 3.8.1, during plant shutdown with the main generator off line, the plant emergency buses may be supplied using the 345 kV (backfeed)

AC source. The 345 kV backfeed requires removing the main generator disconnect links that tie the main generator to the 24 kV bus, and providing power from the 345 kV transmission network to energize the main transformers (TIA and TIB), 24 kV bus, normal station service transformer (NSST) 71T-4, and subsequent 4.16 kV distribution and emergency buses. However, the backfeed AC Source is not considered a qualified offsite circuit.

APPLICABLE The OPERABILITY of the minimum AC sources during MODES 4 SAFETY ANALYSES and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the plant status; and

c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

In general, when the plant is shutdown the Technical Specifications requirements ensure that the plant has the capability to mitigate the consequences of postulated accidents. However, assuming a single active component failure and concurrent loss of all offsite or loss of all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Postulated worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor coolant pressure boundary (RCPB), reactor coolant temperature and pressure, (continued)

JAFNPP B 3.8.2-1 Revision 0

AC Sources- Shutdown B 3.8.2 BASES APPLICABLE and corresponding stresses result in the probabilities of SAFETY ANALYSES occurrences significantly reduced or eliminated, and minimal (continued) consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

During MODES 1, 2, and 3, various deviations from the analysis assumptions and design requirements are allowed within the ACTIONS. This allowance is in recognition that certain testing and maintenance activities must be conducted, provided an acceptable level of risk is not exceeded. During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required. In MODES 4 and 5, the activities are generally planned and administratively controlled. Relaxations from typical MODES 1, 2, and 3 LCO requirements are acceptable during shutdown MODES, based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as an economic consideration.

b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operation MODE analyses, or both.

c. Prudent consideration of the risk associated with multiple activities that could affect multiple systems.

d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODES 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary for avoiding immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (emergency diesel generator (EDG)) power.

The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii)

(Ref. 1).

LCO One qualified offsite circuit capable of supplying one division of the plant Class 1E AC power distribution subsystem(s) of LCO 3.8.8, "Distribution Systems-Shutdown,"

(continued)

JAFNPP B 3.8.2-2 Revision 0

AC Sources - Shutdown B 3.8.2_

BASES LCO and one qualified offsite circuit, which may be the same (continued) circuit required above, capable of supplying the other division of the plant Class 1E AC power distribution subsystem(s) when a second division is required by LCO 3.8.8, ensures that all required loads are powered from offsite power. An OPERABLE EDG subsystem, associated with a 4.16 kV emergency bus required OPERABLE by LCO 3.8.8, ensures that a diverse power source is available for providing electrical power support assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and EDG subsystem ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and reactor vessel draindown). Automatic initiation of the required EDG during shutdown conditions is specified in LCO 3.3.5.1, "ECCS Instrumentation," and LCO 3.3.8.1, "LOP Instrumentation."

The qualified offsite circuit(s) must be capable of maintaining rated frequency and voltage while connected to its respective 4.16 kV emergency bus(es), and of accepting required loads during an accident. Qualified offsite circuits are those that are described in LCO 3.8.1 Bases and the UFSAR and are part of the licensing basis for the plant.

However, since the plant is shutdown, when two offsite circuits are required, they may share one of the incoming switchyard breakers provided the North and South bus disconnect is closed. Also, while in this condition, the automatic opening feature of the disconnect is not required to be OPERABLE. This is allowed since the two offsite circuits are not required to be independent while shutdown.

The required EDG subsystem must be capable of starting, accelerating to rated speed and voltage, force paralleling, and connecting to its respective emergency bus on detection of bus undervoltage. This sequence must be accomplished within 11 seconds. The required EDG subsystem must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the emergency buses.

These capabilities are required to be met with the EDG subsystem in standby condition.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for EDG subsystem OPERABILITY. The necessary portions of the Emergency Service Water System and Ultimate Heat Sink are also (continued)

JAFNPP B 3.8.2-3 Revision 0

AC Sources- Shutdown B 3.8.2 BASES LCO required to provide appropriate cooling to the required EDG (continued) subsystem. In addition, proper sequence operation is an integral part of offsite circuit OPERABILITY since its inoperability impacts the ability to start and maintain energized loads required OPERABLE by LCO 3.8.8.

No automatic transfer capability is required for offsite circuits to be considered OPERABLE.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment to provide assurance that:

a. Systems providing adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;

b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the plant in a cold shutdown condition or refueling condition.

AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1.

ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1, 2, or 3 would require the unit to be shutdown unnecessarily.

A.1 An offsite circuit is considered inoperable if it is not available to one required 4.16 kV emergency bus. If two 4.16 kV emergency buses are required per LCO 3.8.8, one (continued)

JAFNPP B 3.8.2-4 Revision 0

AC Sources - Shutdown B 3.8.2_

BASES ACTIONS A.1 (continued) division with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel.

By the allowance of the option to declare required features inoperable with no offsite power, appropriate restrictions can be implemented in accordance with the affected required feature(s) LCOs' ACTIONS.

A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 With an offsite circuit not available to all required 4.16 kV emergency buses, the option still exists to declare all required features inoperable per Required Action A.1.

Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required EDG subsystem inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and activities that could result in inadvertent draining of the reactor vessel.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the plant safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with no AC power to any required 4.16 kV emergency bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A (continued)

JAFNPP B 3.8.2-5 Revision 0

AC Sources - Shutdown B 3.8.2_

BASES ACTIONS A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 (continued) to provide requirements for the loss of an offsite circuit whether or not a division is de-energized. LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized division.

SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1. 2, and 3. SR 3.8.1.7 is not required to be met since the main generator is not used to provide AC power while shutdown. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.

This SR is modified by two Notes. The reason for Note 1 is to preclude requiring the OPERABLE EDG subsystem from being paralleled with the reserve power network or otherwise rendered inoperable during the performance of SRs, and to preclude de-energizing a required 4.16 kV emergency bus or disconnecting a required reserve circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required reserve circuit and EDG subsystem. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the EDG subsystem and reserve circuit is required to be OPERABLE.

Note 2 states that SRs 3.8.1.10 and 3.8.1.12 are not required to be met when its associated ECCS subsystem(s) are not required to be OPERABLE. These SRs demonstrate the EDG response to an ECCS signal (either alone or in conjunction with a loss of power signal). This is consistent with the ECCS instrumentation requirements that do not require the ECCS signal when the ECCS System is not required to be OPERABLE per LCO 3.5.2, "ECCS-Shutdown."

REFERENCES 1. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.8.2-6 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air BASES BACKGROUND Each emergency diesel generator (EDG) subsystem is provided with two fuel oil storage tanks. Each storage tank has a fuel oil capacity sufficient to operate one EDG for a period of 7 days while the EDG is supplying full load. The maximum post loss of coolant accident (LOCA) load demand discussed in UFSAR, Section 8.6.2 (Ref. 1) is calculated using the assumption that at least two EDGs are operating. This onsite fuel oil capacity is sufficient to operate the EDGs for longer than the time to replenish the onsite supply from outside sources.

Normally fuel oil is transferred from storage tanks to day tanks by either of two transfer pumps associated with each storage tank. In addition the fuel oil transfer pumps can be manually aligned to permit fuel oil transfer, within the EDG subsystem, from either of the two fuel oil storage tanks to either of the two fuel oil day tanks. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank to result in the loss of more than one EDG. All fuel oil storage tanks are located underground. Fuel oil day tanks and transfer pumps are located in the associated EDG room.

For proper operation of the EDGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195 (Ref. 3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (absolute specific gravity or API gravity), and impurity level.

The EDG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated EDG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. The onsite storage in addition to the engine oil sump is sufficient to ensure 7 days' continuous operation.

This supply is sufficient to operate the EDGs for longer than the time to replenish the onsite lube oil supply from outside sources.

(continued)

JAFNPP B 3.8.3-1 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3L BASES BACKGROUND Each EDG has an air start system with adequate capacity for (continued) five successive starts on the EDG without recharging or realigning the air start receivers. Each EDG air start system consists of piping and valves which supply all associated EDG air start motors simultaneously when aligned to one of two sets of 5 air start receivers.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in UFSAR, Chapter 14 (Ref. 4), assume Engineered Safeguards systems are OPERABLE. The EDGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to Engineered Safeguards systems so that fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.

Since diesel fuel oil, lube oil, and starting air subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality. Additionally, sufficient lube oil supply must be available to ensure the capability to operate at full load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of EDGs required to shut down the reactor and to maintain it in a safe condition for an abnormal operational transient or a postulated DBA with loss of power. EDG day tank fuel oil requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."

The starting air system is required to have a minimum capacity for five successive EDG starts without recharging or realigning the air start receivers.

APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition (continued)

JAFNPP B 3.8.3-2 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3_

BASES APPLICABILITY after an abnormal operational transient or a postulated DBA.

(continued) Because stored diesel fuel oil, lube oil, and starting air subsystems support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting air are required to be within limits when the associated EDG subsystem is required to be OPERABLE.

ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each EDG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable EDG. Complying with the Required Actions for one inoperable EDG may allow for continued operation, and subsequent inoperable EDG(s) governed by separate Condition entry and application of associated Required Actions.

A.1 With fuel oil level < 32,000 gallons in a storage tank, the 7 day fuel oil supply for an EDG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply (28,000 gallons).

These circumstances may be caused by events such as:

a. Full load operation required for an inadvertent start while at minimum required level; or

b. Feed and bleed operations that may be necessitated by increasing particulate levels or any number of other oil quality degradations.

This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of the fuel oil to the tank. A period of 48 hours2 days 0.286 weeks 0.0658 months is considered sufficient to complete restoration of the required level prior to declaring the EDG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that action will be initiated to obtain replenishment, and the low probability of an event during this brief period.

(continued)

JAFNPP B 3.8.3-3 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3_

BASES ACTIONS B.1 (continued)

With lube oil inventory < 168 gal, sufficient lube oil to support 7 days of continuous EDG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time for obtaining the requisite replacement volume. A period of 48 hours2 days 0.286 weeks 0.0658 months is considered sufficient to complete restoration of the required volume prior to declaring the EDG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that action will be initiated to obtain replenishment, and the low probability of an event during this brief period.

C.1 This Condition is entered as a result of a failure to meet the acceptance criterion for particulates. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling),

contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend.

Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, since particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and since proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated EDG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the EDG fuel oil.

D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combination of these procedures. Even if an (continued)

JAFNPP B 3.8.3-4 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS D.1 (continued)

EDG start and load was required during this time interval and the fuel oil properties were outside limits, there is high likelihood that the EDG would still be capable of performing its intended function. If the new fuel oil has not yet been added to the fuel oil storage tanks, entry into this condition is not necessary.

E.1 With required starting air receiver pressure < 150 psig, sufficient capacity for five successive EDG starts does not exist. However, as long as the receiver pressure is

Ž 110 psig, there is adequate capacity for at least one start, and the EDG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours2 days 0.286 weeks 0.0658 months is considered sufficient to complete restoration to the required pressure prior to declaring the EDG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most EDG starts are accomplished on the first attempt, and the low probability of an event during this brief period.

F.1 With a Required Action and associated Completion Time of Condition A, B, C, D, or E not met, or the stored diesel fuel oil, lube oil, or starting air subsystem not within limits for reasons other than addressed by Conditions A, B, C, D, or E, the associated EDG may be incapable of performing its intended function and must be immediately declared inoperable.

SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support each EDG's operation for 7 days at full load. The 7 day period is sufficient time to place the plant in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since plant operators would be aware of any large uses of fuel oil during this period.

(continued)

JAFNPP B 3.8.3-5 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3-BASES SURVEILLANCE SR 3.8.3.2 REQUIREMENTS (continued) This SR ensures that sufficient lubricating oil inventory is available to support at least 7 days of full load operation for each EDG. The 168 gal requirement is based on the EDG manufacturer's consumption values for the run time of the EDG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the EDG, when the EDG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer's recommended minimum level.

A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since EDG starts and run time are closely monitored by the plant staff.

SR 3.8.3.3 The tests of new fuel oil prior to addition to the storage tanks are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between the sample (and corresponding test results) of new fuel and addition of new fuel oil to the storage tanks to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:

a. Sample the new fuel oil in accordance with ASTM D4057-1995 (Ref. 6);

b. Verify in accordance with the tests specified in ASTM D975-1995 (Ref. 6) that the sample has an absolute specific gravity at 60/60°F of > 0.83 and < 0.89 or an API gravity at 60°F of > 270 and < 390, a kinematic viscosity at 40'C of > 1.9 centistokes, and

< 4.1 centistokes, and a flash point of > 125 0 F; and

c. Verify that the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176-1993 (Ref. 6).

(continued)

JAFNPP B 3.8.3-6 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3_

BASES SURVEILLANCE SR 3.8.3.3 (continued)

REQUIREMENTS Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO since the fuel oil is not added to the storage tanks.

Following the initial new fuel oil sample, the fuel oil is analyzed within 31 days following addition of the new fuel oil to the fuel oil storage tanks to establish that the other properties specified in Table 1 of ASTM D975-1995 (Ref. 6) are met for new fuel oil when tested in accordance with ASTM D975-1995 (Ref. 6), except that the analysis for sulfur may be performed in accordance with ASTM D1552-1995 (Ref. 6) or ASTM D2622-1994 (Ref. 6). The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on EDG operation. This Surveillance ensures the availability of high quality fuel oil for the EDGs.

Fuel oil degradation during long term storage shows up as an increase in particulate concentration, mostly due to oxidation. The presence of particulates does not mean that the fuel oil will not burn properly in a diesel engine. The particulates can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.

Particulate concentrations should be determined in accordance with ASTM D6217-1998 (Ref. 6), except that the specified filters may be replaced with filters up to 3.0 microns. This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing.

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.

SR 3.8.3.4 This SR ensures that, without the aid of the refill compressor, sufficient air start capacity for each EDG is available. The system design requirements provide for a (continued)

JAFNPP B 3.8.3-7 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.4 (continued)

REQUIREMENTS minimum of five engine start cycles without recharging or realigning air start receivers. For the purposes of the air start system, a start cycle is defined as the period required from a start signal until the engine speed reaches 200 rpm (the point at which the air start system valves are signaled to close). The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished.

The 31 day Frequency takes into account the capacity, capability, redundancy, and diversity of the AC sources and other indications available in the control room, including alarms, to alert the operator to below normal air start pressure.

SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.

In addition, it eliminates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent with Regulatory Guide 1.137 (Ref. 2) as supplemented by ANSI N195 (Ref. 3). This SR is for preventive maintenance.

The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance.

REFERENCES 1. UFSAR, Section 8.6.2.

2. Regulatory Guide 1.137, Revision 1, Fuel-Oil Systems For Standby Diesel Generators, October 1979.

3. ANSI N195, Appendix B, 1976.

4. UFSAR, Chapter 14.

(continued)

JAFNPP B 3.8.3-8 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES REFERENCES 5. 10 CFR 50.36(c)(2)(ii).

(continued)

6. ASTM Standards: D4057-1995, Standard Practice for Manual Sampling of Petroleum and Petroleum Products; D975-1995, Standard Specification for Diesel Fuel Oils; D4176-1993, Standard Test Method for Free Water and Particulate Contamination in Distillate Fuels (Visual Inspection Procedures); D1552-1995, Standard Test Method for Sulfur in Petroleum Products (High Temperature Method); D2622-1994, Standard Test Method for Sulfur in Petroleum Products by X-Ray Spectrometry; and D6217-1998, Standard Test Method for Particulate Contamination in Middle Distallate Fuels by Laboratory Filtration.

JAFNPP B 3.8.3-9 Revision 0

DC Sources- Operating B 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources-Operating BASES BACKGROUND The plant DC electrical power system consists of, the Class 1E, 125 VDC Power System, and the 419 VDC low pressure coolant injection (LPCI) MOV independent power supply subsystems.

The 125 VDC Power System provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment. As required by JAFNPP design criteria (Ref. 1), the 125 VDC Power System is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The 125 VDC Power System also conforms to the recommendations of Safety Guide 6 (Ref. 2) and IEEE-308 (Ref. 3).

The 125 VDC power sources provide both motive and control power to selected safety related equipment, as well as circuit breaker control power for the nonsafety related 4160 V and selected 600 V AC distribution systems. Each 125 VDC subsystem is energized by one 125 VDC battery and one 125 VDC battery charger. Each battery is exclusively associated with a single 125 VDC bus. Each battery charger is exclusively associated with a 125 VDC subsystem and cannot be interconnected with any other 125 VDC subsystem.

The chargers are supplied from the same AC load groups for which the associated 125 VDC subsystem supplies the control power. The loads between the redundant 125 VDC subsystem are not transferable except for the Automatic Depressurization System (ADS). The ADS valve solenoids are normally fed from the Division 1 125 VDC subsystem and the Division 2 125 VDC subsystem provides a backup. In addition, the Division 1 125 VDC subsystem provides a backup to the Division 2 ADS logic circuits.

The 419 VDC low pressure coolant injection (LPCI) MOV independent power supply subsystems provide the 600 VAC LPCI Independent Power Supply System with a reliable source of power to operate the motor operated valves associated with the LPCI subsystems and provide power to one RCIC pump enclosure exhaust fan via the 600 VAC LPCI independent power supply inverters and associated distribution system. The requirements of these inverters are specified in LCO 3.5.1, "ECCS-Operating." The 419 VDC LPCI MOV independent power supply system consists of two subsystems.

(continued)

JAFNPP B 3.8.4-1 Revision 0

DC Sources-Operating B 3.8.4_

BASES BACKGROUND Each 419 VDC LPCI MOV independent power supply subsystem is (continued) energized by the associated 419 VDC battery or the associated 419 VDC rectifier/charger. Each battery and rectifier/charger is exclusively associated with a 419 VDC LPCI MOV independent power supply subsystem and cannot be interconnected with the other 419 VDC LPCI MOV independent power supply subsystem.

During normal operation, the DC loads are powered from the battery chargers with the batteries floating on the system.

In cases where momentary loads are greater than the charger capability, or battery charger output voltage is low, or on loss of normal power to the battery charger, the DC loads are automatically powered from the batteries. Also, on a LPCI automatic actuation signal, the 419 VDC rectifier/

charger AC input breakers will open and the 600 VAC LPCI independent power supply inverters will be powered from the 419 VDC LPCI MOV independent power supply batteries.

The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution System-Operating,"

and LCO 3.8.8, "Distribution System-Shutdown."

Each 125 VDC battery has adequate storage capacity to carry the required load continuously for approximately 2 hours0.0833 days 0.0119 weeks 0.00274 months (Ref. 4). Each 419 VDC LPCI MOV independent power supply battery has adequate storage capacity for one repositioning of the LPCI subsystem motor operated valves (MOVs) on its respective MOV bus.

Each 125 VDC and 419 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically'and electrically from its redundant subsystem to ensure that a single failure in one subsystem does not cause a failure in the redundant subsystem. There is no sharing between redundant subsystems such as batteries, battery chargers, or distribution panels.

The 125 VDC batteries are sized to supply associated DC loads required for safe shutdown of the plant, following abnormal operational transients and postulated accidents, until AC power sources are restored (Ref. 4). The 419 VDC batteries are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. The minimum design voltage limit for each 125 VDC battery is 105 VDC.

The minimum design voltage limit of each 419 VDC LPCI MOV independent power supply battery is 325.5 VDC.

(continued)

JAFNPP B 3.8.4-2 Revision 0

DC Sources -Operating B 3.8.4 BASES BACKGROUND Each 125 VDC and 419 VDC battery charger has ample power (continued) output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each 125 VDC battery charger has sufficient capacity to restore the battery after discharging through its duty cycle to its fully charged state while supplying normal control loads (Ref. 4).

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 5) and Chapter 14 (Ref. 6), assume that Engineered Safeguards systems are OPERABLE. The 125 VDC Power System provides normal and emergency DC electrical power for the EDGs, emergency auxiliaries, and control and switching during all MODES of operation. The 419 VDC LPCI MOV independent power supplies provide normal and emergency power for LPCI MOVs during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the plant. This includes maintaining DC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all normal and reserve AC power or all onsite AC power: and

b. A worst case single failure.

The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii)

(Ref. 7).

LCO The 125 VDC and 419 VDC LPCI MOV independent power supply subsystems-with each subsystem consisting of one battery, one battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus- are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. Loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 3).

APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure safe plant operation and to ensure that:

(continued)

JAFNPP B 3.8.4-3 Revision 0

DC Sources- Operating B 3.8.4_

BASES APPLICABILITY a. Acceptable fuel design limits and reactor coolant (continued) pressure boundary limits are not exceeded as a result of abnormal operational transients: and

b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 4 and 5 and other specified conditions in which the DC electrical power sources are required are addressed in LCO 3.8.5, "DC Sources Shutdown."

ACTIONS A.1 Condition A represents one division of the 125 VDC Power System with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for complete loss of 125 VDC power to the affected division. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months limit is consistent with the allowed time for an inoperable DC Distribution System division.

If one of the required 125 VDC power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger, or inoperable battery charger and associated inoperable battery), the remaining 125 VDC power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could, however, result in the loss of minimum necessary 125 VDC power subsystems to mitigate a worst case accident, continued power operation should not exceed 8 hours0.333 days 0.0476 weeks 0.011 months . The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time reflects a reasonable time to assess plant status as a function of the inoperable 125 VDC power subsystem and, if the 125 VDC power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe plant shutdown.

B.1 and B.2 If the 125 VDC power subsystem cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months and to MODE 4 within (continued)

JAFNPP B 3.8.4-4 Revision 0

DC Sources -Operating B 3.8.4_

BASES ACTIONS B.1 and B.2 (continued) 36 hours1.5 days 0.214 weeks 0.0493 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time to bring the plant to MODE 4 is consistent with the time required in Regulatory Guide 1.93 (Ref. 8).

C.1 If one or both 419 VDC LPCI MOV independent power supply subsystems are inoperable (e.g., inoperable battery, inoperable battery charger, or inoperable battery charger and associated inoperable battery), the associated LPCI subsystem may be incapable of performing its intended function and must be immediately declared inoperable. This declaration also requires entry into applicable Conditions and Required Actions for an inoperable LPCI subsystem, LCO 3.5.1.

SURVEILLANCE SR 3.8.4.1 REQUIREMENTS Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the connected loads and the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations.

The 7 day Frequency is conservative when compared with manufacturer recommendations and IEEE-450 (Ref. 9).

SR 3.8.4.2 Battery charger capability requirements are based on the design capacity of the chargers (Ref. 3). According to UFSAR, Section 8.7 (Ref. 4), the battery charger is sized to restore the battery after discharging through its duty cycle (continued)

JAFNPP B 3.8.4-5 Revision 0

DC Sources - Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.2 (continued)

REQUIREMENTS to the fully charged state, while supplying the normal control loads. The minimum required amperes and duration ensures that these requirements can be satisfied.

The Frequency is acceptable, given the plant conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance during these 24 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.

SR 3.8.4.3 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length corresponds to the design duty cycle requirements.

The Frequency of 24 months is acceptable, given plant conditions required to perform the test and the other requirements existing to ensure adequate battery performance during this 24 month interval. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.

A modified performance discharge test may be performed in lieu of a service test. This substitution is acceptable because a modified performance discharge test represents a more severe test of battery capacity than the service test.

The modified performance discharge test is a complete test which envelopes both the service test and the performance discharge test requirements. The modified performance discharge test discharge current envelopes the peak duty cycle loads of the service test followed by a constant discharge current (temperature corrected) for the performance discharge test. Since the ampere-hours removed by peak duty cycle loads represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.

(continued)

JAFNPP B 3.8.4-6 Revision 0

DC Sources- Operating B 3.8.4_

BASES SURVEILLANCE SR 3.8.4.3 (continued)

REQUIREMENTS The purpose of the modified performance discharge test is to demonstrate the battery has sufficient capacity to meet the system design requirements and to provide trendable performance data to compare the available capacity in the battery to previous capacity test results. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required 125 VDC power subsystem from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1. 2, or 3 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, or 3. Risk insights or deterministic methods may be used for this assessment. Credit may be taken for unplanned events that satisfy the Surveillance.

SR 3.8.4.4 A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity determined by the acceptance test.

The test is intended to determine overall battery degradation due to age and usage.

(continued)

JAFNPP B 3.8.4-7 Revision 0

DC Sources- Operating B 3.8.4_

BASES SURVEILLANCE SR 3.8.4.4 (continued)

REQUIREMENTS A battery modified performance discharge test is described in the Bases for SR 3.8.4.3. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.4; however, only the modified performance discharge test may be used to satisfy SR 3.8.4.4 while satisfying the requirements of SR 3.8.4.3 at the same time.

The acceptance criteria for this Surveillance is consistent with IEEE-450 (Ref. 9). This reference recommends that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The Frequency for this test is normally 60 months. If the battery shows degradation, or if the battery has reached 85%

of its expected life and capacity is < 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity Ž 100% of the manufacturer's rating.

Degradation is indicated, according to IEEE-450 (Ref. 9),

when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is below 90% of the manufacturer's rating. All these Frequencies are consistent with the recommendations in IEEE-450 (Ref. 9).

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required 125 VDC power subsystem from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, or 3 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a (continued)

JAFNPP B 3.8.4-8 Revision 0

DC Sources- Operating B 3.8.4_

BASES SURVEILLANCE SR 3.8.4.4 (continued)

REQUIREMENTS perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, or 3. Risk insights or deterministic methods may be used for this assessment. Credit may be taken for unplanned events that satisfy the Surveillance.

REFERENCES 1. UFSAR, Section 16.6.

2. Safety Guide 6, Independence Between Redundant Standby (Onsite) Power Sources And Between Their Distribution Systems, March 1971.

3. IEEE Standard 308, IEEE Standard Criteria for Class IE Electric Systems for Nuclear Power Generating Stations, 1971.

4. UFSAR, Section 8.7.

5. UFSAR, Chapter 6.

6. UFSAR, Chapter 14.

7. 10 CFR 50.36(c)(2)(ii).

8. Regulatory Guide 1.93, Availability Of Electric Power Sources, December 1974.

9. IEEE Standard 450, IEEE Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead Acid Batteries for Stationary Applications, 1995.

JAFNPP B 3.8.4-9 Revision 0

DC Sources - Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources- Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources-Operating."

APPLICABLE The initial conditions of Design Basis Accident and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 14 (Ref. 2), assume that Engineered Safeguards systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the emergency diesel generators (EDGs), emergency auxiliaries, and control and switching during all MODES of operation and during movement of irradiated fuel assemblies in the secondary containment.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the plant status; and

c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a refueling accident.

In general, when the unit is shutdown, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the (continued)

JAFNPP B 3.8.5-1 Revision 0

DC Sources- Shutdown B 3.8.5 BASES APPLICABLE reactor pressure boundary, reactor coolant temperature and SAFETY ANALYSES pressure, and the corresponding stresses result in the (continued) probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The shutdown Technical Specification requirements are designed to ensure that the unit has the capability to mitigate the consequences of certain postulated accidents.

Worst case Design Basis Accidents which are analyzed for operating MODES are generally viewed not to be a significant concern during shutdown MODES due to the lower energies involved. The Technical Specifications therefore require a lesser complement of electrical equipment to be available during shutdown than is required during operating MODES.

More recent work completed on the potential risks associated with shutdown, however, have found significant risk associated with certain shutdown evolutions. As a result, in addition to the requirements established in the Technical Specifications, the industry has adopted NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," as an Industry initiative to manage shutdown tasks and associated electrical support to maintain risk at an acceptable low level. This may require the availability of additional equipment beyond that required by the shutdown Technical Specifications.

The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii)

(Ref. 3).

LCO One 125 VDC electrical power subsystem consisting of one 125 V battery, one battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus is required to be OPERABLE to support one DC distribution subsystem required OPERABLE by LCO 3.8.8, "Distribution Systems- Shutdown." This requirement ensures the availability of sufficient DC electrical power sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., refueling accidents and inadvertent reactor vessel draindown).

(continued)

JAFNPP B 3.8.5-2 Revision 0

DC Sources - Shutdown B 3.8.5 BASES (continued)

APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;

b. Required features needed to mitigate a fuel handling accident are available;

c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the plant in a cold shutdown condition or refueling condition.

The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4.

ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2 or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1, 2, or 3 would require the unit to be shutdown unnecessarily.

A.1, A.2.1, A.2.2. A.2.3, and A.2.4 By allowance of the option to declare required features inoperable with the associated DC electrical power subsystem inoperable, appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS. However in many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel).

(continued)

JAFNPP B 3.8.5-3 Revision 0

DC Sources - Shutdown B 3.8.5ý BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4 (continued)

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystem and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

SURVEILLANCE SR 3.8.5.1 REQUIREMENTS SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.4. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.

This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC electrical power subsystem from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14.

JAFNPP B 3.8.5-4 Revision 0

Battery Cell Parameters B 3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Cell Parameters BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC electrical power subsystems batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources Operating," and LCO 3.8.5, "DC Sources-Shutdown."

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in UFSAR, Chapter 6 (Ref. 1) and Chapter 14 (Ref. 2), assume Engineered Safeguards systems are OPERABLE. The DC electrical power subsystems provide normal and emergency DC electrical power for the emergency diesel generators (EDGs), emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the plant as discussed in the Bases for LCO 3.8.4 and LCO 3.8.5.

Since battery cell parameters support the operation of the DC electrical power subsystems, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA.

Electrolyte limits are conservatively established, allowing continued DC electrical system function even with Category A and B limits not met.

APPLICABILITY The battery cell parameters are required solely for the support of the associated DC electrical power subsystem.

Therefore, these battery cell parameters are only required when the associated DC electrical power subsystem is required to be OPERABLE. Refer to the Applicability discussions in Bases for LCO 3.8.4 and LCO 3.8.5.

(continued)

JAFNPP B 3.8.6-1 Revision 0

Battery Cell Parameters B 3.8.6_

BASES (continued)

ACTIONS The ACTIONS Table is modified by a Note which indicates that separate Condition entry is allowed for each battery. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DC subsystem. Complying with the Required Actions for one inoperable DC subsystem may allow for continued operation, and subsequent inoperable DC subsystems are governed by separate Condition entry and application of associated Required Actions.

A.1, A.2, and A.3 With parameters of one or more cells in one or more batteries not within limits (i.e., Category A limits not met or Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1, the battery is degraded but there is still sufficient capacity to perform the intended function.

Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met, and continued operation is permitted for a limited period.

The pilot cell(s) electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (Required Action A.1). This check provides a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cell(s).

One hour is considered a reasonable amount of time to perform the required verification.

Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function. A period of 24 hours1 days 0.143 weeks 0.0329 months is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable. The verification is repeated at 7 day intervals until the parameters are restored to Category A and B limits. This periodic verification is consistent with the guidance provided in IEEE-450 (Ref. 4) of monitoring battery conditions at regular intervals (not to exceed one week) while completing corrective actions.

(continued)

JAFNPP B 3.8.6-2 Revision 0

Battery Cell Parameters B 3.8.6_

BASES ACTIONS A.1, A.2, and A.3 (continued)

Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. Taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable for operation prior to declaring the DC batteries inoperable.

B.1 When any battery parameter is outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not ensured and the corresponding DC electrical power subsystem must be declared inoperable. Additionally, other potential conditions, such as any Required Action of Condition A and associated Completion Time not met, or average electrolyte temperature of representative cells < 65 0 F for each 125 VDC battery, or

< 50°F for each 419 VDC LPCI MOV independent power supply battery, also are cause for immediately declaring the associated DC electrical power subsystem inoperable.

SURVEILLANCE SR 3.8.6.1 REQUIREMENTS This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 4), which recommends regular battery inspections (at least one per month) including voltage, specific gravity, and electrolyte temperature of pilot cells.

SR 3.8.6.2 The quarterly inspection of specific gravity and voltage is consistent with IEEE-450 (Ref. 4), which recommends augmentation of the battery inspections conducted in SR 3.8.6.1 at least once per quarter by checking voltage, specific gravity and electrolyte temperature.

(continued)

JAFNPP B 3.8.6-3 Revision 0

Battery Cell Parameters B 3.8.6_

BASES SURVEILLANCE SR 3.8.6.3 REQUIREMENTS (continued) This Surveillance verification that the average electrolyte temperature of representative cells (10% of total) is within limits is consistent with a recommendation of IEEE-450 (Ref. 4) that states that the temperature of electrolyte in representative cells should be determined on a quarterly basis.

Lower than normal electrolyte temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an acceptable operating range, based on assumptions in the battery sizing analyses.

Table 3.8.6-1 This Table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each category is discussed below.

Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery.

The Category A limits specified for electrolyte level are based on manufacturer's recommendations and are consistent with the guidance in IEEE-450 (Ref. 4), with the extra

'4inch allowance above the high water level indication for operating margin to account for temperature and charge effects. In addition to this allowance, footnote (a) to Table 3.8.6-1 permits the electrolyte level to be temporarily above the specified maximum level during and, for a limited time, following an equalizing charge (normally up to 3 days following the completion of an equalization charge to allow electrolyte stabilization), provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE-450 (Ref. 4) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours3 days 0.429 weeks 0.0986 months .

(continued)

JAFNPP B 3.8.6-4 Revision 0

Battery Cell Parameters B 3.8.6.

BASES SURVEILLANCE Table 3.8.6-1 (continued)

REQUIREMENTS The Category A limit specified for float voltage is 2 2.13 V per cell,. This value is based on the recommendation of IEEE-450 (Ref. 4), which states that prolonged operation of cells below 2.13 V can reduce the life expectancy of cells.

The Category A limit specified for specific gravity for each pilot cell is : 1.195 (0.020 below the manufacturer's fully charged nominal specific gravity or a battery charging current that had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity.

According to IEEE-450 (Ref. 4), the specific gravity readings are based on a temperature of 77 0 F (25 0 C).

The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 30 F below 77 0 F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation. Level correction will be in accordance with manufacturer's recommendations.

Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any battery cell that may be jumpered out.

The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is 2 1.195 (0.020 below the manufacturer's fully charged, nominal specific gravity) with the average of all connected cells 1.205 (0.010 below the manufacturer's fully charged, nominal specific gravity). These values are based on manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that a cell with a marginal or unacceptable specific gravity is not masked by averaging with cells having higher specific gravities.

Category C defines the limits for each connected cell.

These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C limits, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable.

(continued)

JAFNPP B 3.8.6-5 Revision 0

Battery Cell Parameters B 3.8.6_

BASES SURVEILLANCE Table 3.8.6-1 (continued)

REQUIREMENTS The Category C limit specified for electrolyte level (above the top of the plates and not overflowing) ensures that the plates suffer no physical damage and maintain adequate electron transfer capability. The Category C limit for voltage is based on IEEE-450 Appendix C (Ref. 4), which states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement.

The Category C limit on average specific gravity 2 1.195, is based on manufacturer's recommendations (0.020 below the manufacturer's recommended fully charged, nominal specific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that a cell with a marginal or unacceptable specific gravity is not masked by averaging with cells having higher specific gravities.

The footnotes to Table 3.8.6-1 that apply to specific gravity are applicable to Category A, B, and C specific gravity. Footnote (b) of Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current, while on float charge, is

< 2 amps for 125 VDC batteries and < 1.0 amp for 419 VDC LPCI MOV independent power supply batteries. This current provides, in general, an indication of acceptable overall battery condition.

Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize.

A stabilized charging current is an acceptable alternative to specific gravity measurement for determining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE-450 (Ref. 4). Footnote (c) to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 7 days following a battery recharge. Within 7 days, each connected cell's specific gravity must be measured to confirm the state of charge. Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity gradients are not significant, and confirming measurements may be made in less than 7 days.

(continued)

JAFNPP B 3.8.6-6 Revision 0

Battery Cell Parameters B 3.8.6_

BASES (continued)

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14.

4. IEEE Standard 450, IEEE Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead Acid Batteries for Stationary Applications, 1995.

JAFNPP B 3.8.6-7 Revision 0

Distribution Systems - Operating B 3.8.7_

B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Distribution Systems-Operating BASES BACKGROUND The plant Class 1E AC and 125 VDC electrical power distribution system is divided into redundant and independent AC, and 125 VDC electrical power distribution subsystems.

The primary AC distribution system consists of two 4.16 kV emergency buses each having an offsite source of power as well as a dedicated onsite emergency diesel generator (EDG) source. Each 4.16 kV emergency bus is normally connected to the normal station service transformer (71T-4). During a loss of the normal power source to the 4.16 kV emergency buses, each emergency bus will be automatically transferred to its associated reserve station service transformer (71T-2 or 71T-3). The normal and reserve sources feed their associated 4.16 kV emergency bus via a non-emergency bus and the associated breakers. If both normal and reserve sources are unavailable, the onsite EDGs supply power to the 4.16 kV emergency buses.

The secondary plant distribution system includes 600 VAC emergency buses, and associated load centers, and transformers.

There are two independent 125 VDC electrical power distribution subsystems that support the necessary power for engineered safeguards functions.

The list of required distribution buses is presented in Table B 3.8.7-1.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 14 (Ref. 2). assume engineered safeguards systems are OPERABLE. The AC and 125 VDC electrical power distribution subsystems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to Engineered Safeguards systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6 Containment Systems.

(continued)

JAFNPP B 3.8.7-1 Revision 0

Distribution Systems -Operating B 3.8.7_

BASES APPLICABLE The OPERABILITY of the AC, and 125 VDC electrical power SAFETY ANALYSES distribution subsystems is consistent with the initial (continued) assumptions of the accident analyses and is based upon meeting the design basis of the plant. This includes maintaining distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all reserve power or all onsite AC electrical power; and

b. A worst case single active component failure.

The AC and 125 VDC electrical power distribution subsystems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO The required electrical power distribution subsystems listed in Table B 3.8.7-1 ensure the availability of AC, and 125 VDC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. The AC and 125 VDC electrical power distribution subsystems are required to be OPERABLE.

Maintaining the Division 1 and Division 2 AC and 125 VDC electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of Engineered Safeguards systems is not defeated. Therefore, a single active component failure within any system or a single failure within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

OPERABLE AC electrical power distribution subsystems require the associated buses and electrical circuits to be energized to their proper voltages. OPERABLE 125 VDC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger.

Based on the number of safety significant electrical loads associated with each bus listed in Table B 3.8.7-1, if one or more of the buses becomes inoperable, entry into the appropriate ACTIONS of LCO 3.8.7 is required. Other buses, such as motor control centers (MCC) and distribution panels, which help comprise the AC and 125 VDC distribution systems are not listed in Table B 3.8.7-1. The loss of electrical loads associated with these buses may not result in a complete loss of redundant safety function necessary to shut down the reactor and maintain it in a safe condition.

(continued)

JAFNPP B 3.8.7-2 Revision 0

Distribution Systems- Operating B 3.8.7_

BASES LCO Therefore, should one or more of these buses become (continued) inoperable due to failure not affecting the OPERABILITY of a bus listed in Table B 3.8.7-1 (e.g., a breaker supplying a single MCC fails open), the individual loads on the bus would be considered inoperable, and the appropriate Conditions and Required Actions of the LCOs governing the individual loads would be entered. However, if one or more of these buses is inoperable due to a failure also affecting the OPERABILITY of a bus listed in Table B 3.8.7-1 (e.g.,

loss of a 4.16 kV emergency bus, which results in de energization of all buses powered from the 4.16 kV emergency bus), then although the individual loads are still considered inoperable, the Conditions and Required Actions of the LCO for the individual loads are not required to be entered, since LCO 3.0.6 allows this exception (i.e., the loads are inoperable due to the inoperability of a support system governed by a Technical Specification; the 4.16 kV emergency bus).

In addition, tie breakers between redundant safety related AC, and 125 VDC power distribution subsystems must be open.

This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers between redundant safety related AC or 125 VDC power distribution subsystems are closed, the electrical power distribution subsystem that is not being powered from its normal source (i.e., it is being powered from its redundant electrical power distribution subsystem) is considered inoperable. This applies to the onsite, safety related, redundant electrical power distribution subsystems.

APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and

b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

(continued)

JAFNPP B 3.8.7-3 Revision 0

Distribution Systems - Operating B 3.8.7_

BASES APPLICABILITY Electrical power distribution subsystem requirements for (continued) MODES 4 and 5 and other conditions in which AC and 125 VDC electrical power distribution subsystems are required are covered in the Bases for LCO 3.8.8, "Distribution Systems Shutdown."

ACTIONS A.1 With one or more required AC electrical power distribution subsystems inoperable and a loss of function has not occurred, the remaining AC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure.

The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required engineered safeguards functions not being supported. Therefore, the required AC electrical power distribution subsystems must be restored to OPERABLE status within 8 hours0.333 days 0.0476 weeks 0.011 months .

The Condition A worst scenario is one division without AC power (i.e., no reserve or normal power to the division and the associated EDG subsystem inoperable). In this Condition, the plant is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the plant operators' attention be focused on minimizing the potential for loss of power to the remaining division by stabilizing the plant, and on restoring power to the affected division.

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months time limit before requiring a plant shutdown in this Condition is acceptable because of:

a. The potential for decreased safety if the plant operators' attention is diverted from the evaluations and actions necessary to restore power to the affected division to the actions associated with taking the plant to shutdown within this time limit.

b. The low potential for an event in conjunction with a single failure of a redundant component in the division with AC power. (The redundant component is verified OPERABLE in accordance with Specification 5.5.12, "Safety Function Determination Program (SFDP).")

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of (continued)

JAFNPP B 3.8.7-4 Revision 0

Distribution Systems - Operating B 3.8.7 BASES ACTIONS A.1 (continued) failing to meet the LCO. If Condition A is entered while, for instance, a 125 VDC bus is inoperable and subsequently returned OPERABLE, this LCO may already have been not met for up to 8 hours0.333 days 0.0476 weeks 0.011 months . This situation could lead to a total duration of 16 hours0.667 days 0.0952 weeks 0.0219 months , since initial failure of the LCO, to restore the AC electrical power distribution system. At this time a 125 VDC bus could again become inoperable, and the AC electrical power distribution system could be restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This results in establishing the "time zero" at the time this LCO was initially not met, instead of at the time Condition A was entered. The 16 hour1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

B.1 With one 125 VDC electrical power distribution subsystems inoperable, the remaining 125 VDC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining 125 VDC electrical power distribution subsystem could result in the minimum required engineered safeguards functions not being supported. Therefore, the required 125 VDC electrical power distribution subsystem must be restored to OPERABLE status within 8 hours0.333 days 0.0476 weeks 0.011 months by powering the bus from the associated battery or charger.

Condition B represents one division without adequate 125 VDC power, potentially with both a battery significantly degraded and the associated charger nonfunctioning. In this situation the plant is significantly more vulnerable to a complete loss of all 125 VDC power. It is, therefore, imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for loss of power to the remaining divisions, and restoring power to the affected division.

(continued)

JAFNPP B 3.8.7-5 Revision 0

Distribution Systems - Operating B 3.8.7_

BASES ACTIONS B.1 (continued)

This 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months limit is more conservative than Completion Times allowed for the majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate 125 VDC power, which would have Required Action Completion Times shorter than 8 hours0.333 days 0.0476 weeks 0.011 months , is acceptable because of:

a. The potential for decreased safety when requiring a change in plant conditions (i.e., requiring a shutdown) while not allowing stable operations to continue;

b. The potential for decreased safety when requiring entry into numerous applicable Conditions and Required Actions for components without 125 VDC power, while not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected division;

c. The potential for an event in conjunction with a single failure of a redundant component.

The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 8 hours0.333 days 0.0476 weeks 0.011 months . This situation could lead to a total duration of 16 hours0.667 days 0.0952 weeks 0.0219 months , since initial failure of the LCO, to restore the 125 VDC electrical power distribution subsystem.

At this time, an AC bus could again become inoperable, and 125 VDC electrical power distribution could be restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This allowance results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time Condition B was entered. The 16 hour1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months Completion Time is an acceptable limitation on this potential of failing to meet the LCO indefinitely.

(continued)

JAFNPP B 3.8.7-6 Revision 0

Distribution Systems- Operating B 3.8.7_

BASES ACTIONS C.1 and C.2 (continued)

If the inoperable distribution subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months and to MODE 4 within 36 hours1.5 days 0.214 weeks 0.0493 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 Condition D corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost. When more than one AC or 125 VDC electrical power distribution subsystem is lost, and this results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation.

LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

SURVEILLANCE SR 3.8.7.1 REQUIREMENTS This Surveillance verifies that the AC and 125 VDC, electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical buses are maintained, and the appropriate voltage is available to each required bus.

The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the AC, and 125 VDC electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14.

JAFNPP B 3.8.7-7 Revision 0

Distribution Systems -Operating B 3.8.7_

Table B 3.8.7-1 (page 1 of 1)

AC and 125 VDC Electrical Power Distribution Systems TYPE VOLTAGE DIVISION 1* DIVISION 2*

AC safety 4160 V Emergency Bus 10500 Emergency Bus 10600 buses 600 V Load Centers Load Centers 11500, 12500 11600, 12600 125 VDC 125 VDC Bus 71BCB-2A Bus 71BCB-2B buses

Each division of the AC and 125 VDC electrical power distribution systems is a subsystem.

JAFNPP B 3.8.7-8 Revision 0

Distribution Systems- Shutdown B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems-Shutdown BASES BACKGROUND A description of the AC and 125 VDC electrical power distribution system is provided in the Bases for LCO 3.8.7, "Distribution Systems- Operating."

APPLICABLE The initial conditions of Design Basis Accident and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 14 (Ref. 2), assume Engineered Safeguards systems are OPERABLE. The AC and 125 VDC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to Engineered Safeguards systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC and 125 VDC electrical power distribution systems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC and 125 VDC electrical power sources and associated power distribution subsystems during MODES 4 and 5, and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the plant status; and

c. Adequate power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

The AC and 125 VDC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary (continued)

JAFNPP B 3.8.8-1 Revision 0

Distribution Systems - Shutdown B 3.8.8_

BASES LCO support required features. This LCO explicitly requires (continued) energization of the portions of the electrical distribution system necessary to support OPERABILITY of Technical Specification required systems, equipment, and components-both specifically addressed by their own LCO, and implicitly required by the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown (e.g.,

fuel handling accidents and inadvertent reactor vessel draindown).

APPLICABILITY The AC and 125 VDC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core in case of an inadvertent draindown of the reactor vessel;

b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the plant in a cold shutdown condition or refueling condition.

The AC, and 125 VDC electrical power distribution subsystem requirements for MODES 1. 2, and 3 are covered in LCO 3.8.7.

ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1, 2. or 3 would require the unit to be shutdown unnecessarily.

(continued)

JAFNPP B 3.8.8-2 Revision 0

Distribution Systems- Shutdown B 3.8.8_

BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 (continued)

Although redundant required features may require redundant divisions of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem division may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel.

By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made, (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel).

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and 125 VDC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems.

Not withstanding performance of the above conservative Required Actions, a required residual heat removal-shutdown cooling (RHR-SDC) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR-SDC ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring RHR-SDC inoperable, which results in taking the appropriate RHR-SDC ACTIONS.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power.

(continued)

JAFNPP B 3.8.8-3 Revision 0

Distribution Systems - Shutdown B 3.8.8_

BASES (continued)

SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the AC and 125 VDC electrical power distribution subsystems are functioning properly, with the buses energized. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the electrical power distribution subsystems, as well as other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14.

JAFNPP B 3.8.8-4 Revision 0

Refueling Equipment Interlocks B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Refueling Equipment Interlocks BASES BACKGROUND Refueling equipment interlocks restrict the operation of the refueling equipment or the withdrawal of control rods to reinforce plant procedures that prevent the reactor from achieving criticality during refueling. The refueling interlock circuitry senses the conditions of the refueling equipment and the control rods. Depending on the sensed conditions, interlocks are actuated to prevent the operation of the refueling equipment or the withdrawal of control rods.

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The control rods, when fully inserted, serve as the system capable of maintaining the reactor subcritical in cold conditions during all fuel movement activities and accidents.

Two channels of instrumentation are provided to sense the full insertion of all control rods. One channel of instrumentation is provided to sense the position of the refueling platform, the loading of the refueling platform fuel grapple, the loading of the refueling platform frame mounted hoist, the loading of the refueling platform trolley mounted (monorail) hoist, and the fuel grapple in the not fully up position. With the reactor mode switch in the shutdown or refueling position, the indicated conditions are combined in logic circuits to establish appropriate restrictions on refueling equipment operations and control rod movement.

A control rod not at its full-in position disables the control circuitry permissive to the refueling equipment to prevent operating the equipment near or over the reactor core when loaded with a fuel assembly or if the fuel grapple is not fully up. Conversely, with the refueling platform near or over the core and loaded with fuel or the fuel grapple is not fully up a control rod withdrawal block is inserted in the Reactor Manual Control System to prevent withdrawing a control rod.

The refueling platform has two mechanical switches that open before the platform or any of its hoists are physically located over the reactor vessel. However, only one of these switches provides input to the required refueling interlock (continued)

JAFNPP B 3.9.1-1 Revision 0

Refueling Equipment Interlocks B 3.9.1 BASES BACKGROUND circuitry with the reactor mode switch in the refuel (continued) position. Each control rod full-in position channel provides input to two all-rods-in channels. Both all-rods in channels must register for the refueling interlock circuitry to indicate the all-rods-in condition. All refueling hoists have switches that open when the hoists are loaded with fuel. The hoist switches open at a load lighter than the weight of a single fuel assembly in water. In addition, a switch will open if the fuel grapple is not fully up.

The refueling interlocks use these indications to prevent operation of the refueling equipment near or over the core with fuel loaded or the fuel grapple not fully up whenever any control rod is withdrawn, or to prevent control rod withdrawal whenever the refueling equipment is near or over the core and loaded with fuel or the fuel grapple is not fully up (Ref. 2).

APPLICABLE The refueling interlocks are explicitly assumed in the UFSAR SAFETY ANALYSES analyses for the control rod withdrawal error during refueling (Ref. 3) and the fuel assembly insertion error during refueling (Ref. 4). These analyses evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn.

A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.

Criticality and, therefore, subsequent prompt reactivity excursions are prevented during the insertion of fuel, provided all control rods are fully inserted during the fuel insertion. The refueling interlocks accomplish this by preventing loading of fuel into the core with any control rod withdrawn or by preventing withdrawal of a rod from the core during fuel loading.

The refueling platform location switches activate at a point outside of the reactor core such that, with a fuel assembly loaded and a control rod withdrawn, the fuel is not over the core.

Refueling equipment interlocks satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii)(Ref.5).

(continued)

JAFNPP B 3.9.1-2 Revision 0

Refueling Equipment Interlocks B 3.9.1 BASES (continued)

LCO To prevent criticality during refueling, the refueling equipment interlocks associated with the reactor mode switch in the refuel position ensure that fuel assemblies are not loaded into the core with any control rod withdrawn.

To prevent these conditions from developing, the all-rods in, the refueling platform position, the refueling platform fuel grapple fuel loaded, the refueling platform trolley mounted (monorail) hoist fuel loaded, the refueling platform frame mounted hoist fuel loaded, and the refueling platform fuel grapple not full up position inputs are required to be OPERABLE. These inputs are combined in logic circuits, which provide refueling equipment control circuitry permissive interruptions or control rod blocks to prevent operations that could result in criticality during refueling operations.

APPLICABILITY In MODE 5, a prompt reactivity excursion could cause fuel damage and subsequent release of radioactive material to the environment. The refueling equipment interlocks protect against prompt reactivity excursions during MODE 5. The interlocks are required to be OPERABLE during in-vessel fuel movement with refueling equipment associated with the interlocks when the reactor mode switch is in the refuel position. The interlocks are not required when the reactor mode switch is in the shutdown position because a control rod block (LCO 3.3.2.1, "Control Rod Block Instrumentation")

ensures control rod withdrawal cannot occur simultaneously with in-vessel fuel movements.

In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and fuel loading activities are not possible.

Therefore, the refueling interlocks are not required to be OPERABLE in these MODES.

ACTIONS A.1, A.2.1, and A.2.2 With one or more of the required refueling equipment interlocks inoperable, the plant must be placed in a condition in which the LCO does not apply or the Surveillances are not needed. This can be performed by ensuring fuel assemblies are not moved in the reactor vessel or by ensuring that the control rods are inserted and cannot be withdrawn. Therefore, Required Action A.1 requires that in-vessel fuel movement with the affected refueling equipment must be immediately suspended. This action ensures that operations are not performed with equipment (continued)

JAFNPP B 3.9.1-3 Revision 0

Refueling Equipment Interlocks B 3.9.1_

BASES ACTIONS A.1, A.2.1, and A.2.2 (continued) that would potentially not be blocked from unacceptable operations (e.g., loading fuel into a cell with a control rod withdrawn). Suspension of in-vessel fuel movement shall not preclude completion of movement of a component to a safe position.

Alternately, Required Actions A.2.1 and A.2.2 require that a control rod withdrawal block be inserted and that all control rods are subsequently verified to be fully inserted.

Required Action A.2.1 ensures that no control rods can be withdrawn. This action ensures that control rods cannot be inappropriately withdrawn because an electrical or hydraulic block to control rod withdrawal is in place. Required Action A.2.2 is performed after placing the rod withdrawal block in effect. This verification that all control rods are fully inserted is in addition to the periodic verifications required by SR 3.9.3.1 and SR 3.10.6.2. Like Required Action A.1, Required Actions A.2.1 and A.2.2 ensure that unacceptable operations are blocked (e.g., loading fuel into a cell with the control rod withdrawn).

SURVEILLANCE SR 3.9.1.1 REQUIREMENTS Performance of a CHANNEL FUNCTIONAL TEST demonstrates each required refueling equipment interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested.

The 7 day Frequency is based on engineering judgment and is considered adequate in view of other indications of refueling interlocks and their associated input status that are available to plant operations personnel.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 7.6.3.

3. UFSAR, Section 14.5.4.3.

4. UFSAR, Section 14.5.4.4.

JAFNPP B 3.9.1-4 Revision 0

Refuel Position One-Rod-Out Interlock B 3.9.2 B 3.9 REFUELING OPERATIONS B 3.9.2 Refuel Position One-Rod-Out Interlock BASES BACKGROUND The refuel position one-rod-out interlock restricts the movement of control rods to reinforce plant procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn except as allowed by LCO 3.10.6, "Multiple Control Rod Withdrawal -Refueling".

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.

The refuel position one-rod-out interlock prevents the selection of a second control rod for movement when any other control rod is not fully inserted (Ref. 2). It is a logic circuit that has redundant channels. It uses the all rods-in signal (from the control rod full-in position indicators discussed in LCO 3.9.4, "Control Rod Position Indication") and a rod selection signal (from the Reactor Manual Control System).

This Specification ensures that the performance of the refuel position one-rod-out interlock in the event of a Design Basis Accident meets the assumptions used in the safety analysis of Reference 3.

APPLICABLE The refueling position one-rod-out interlock is explicitly SAFETY ANALYSES assumed in the UFSAR analysis for the control rod withdrawal error during refueling (Ref. 3). This analysis evaluates the consequences of control rod withdrawal during refueling.

A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.

The refuel position one-rod-out interlock and adequate SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), prevent criticality.

The interlock prevents withdrawal of more than one control rod and adequate SDM ensures that the core will remain subcritical with the highest worth control rod fully withdrawn, thereby preventing any prompt critical excursion.

The refuel position one-rod-out interlock satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

(continued)

JAFNPP B 3.9.2-1 Revision 0

Refuel Position One-Rod-Out Interlock B 3.9.2_

BASES (continued)

LCO To prevent criticality during MODE 5, the refuel position one-rod-out interlock ensures no more than one control rod may be withdrawn. Both channels of the refuel position one-rod-out interlock are required to be OPERABLE and the reactor mode switch must be locked in the refuel position to support the OPERABILITY of these channels.

APPLICABILITY In MODE 5, with the reactor mode switch in the refuel position, the OPERABLE refuel position one-rod-out interlock provides protection against prompt reactivity excursions.

In MODES 1, 2, 3, and 4, the refuel position one-rod-out interlock is not required to be OPERABLE and is bypassed.

In MODES 1 and 2, the Reactor Protection System (LCO 3.3.1.1, "Reactor Protection System (RPS)

Instrumentation") and the control rods (LCO 3.1.3, "Control Rod OPERABILITY") provide mitigation of potential reactivity excursions. In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1, "Control Rod Block Instrumentation") ensures all control rods are inserted, thereby preventing criticality during shutdown conditions.

ACTIONS A.1 and A.2 With one or both channels of the refueling position one-rod-out interlock inoperable, the refueling interlocks may not be capable of preventing more than one control rod from being withdrawn. This condition may lead to criticality.

Control rod withdrawal must be immediately suspended, and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all such control rods are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted.

SURVEILLANCE SR 3.9.2.1 REQUIREMENTS Proper functioning of the refueling position one-rod-out interlock requires the reactor mode switch to be in the refuel position. During control rod withdrawal in MODE 5, improper positioning of the reactor mode switch could, in some instances, allow improper bypassing of required (continued)

JAFNPP B 3.9.2-2 Revision 0

Refuel Position One-Rod-Out Interlock B 3.9.2_

BASES SURVEILLANCE SR 3.9.2.1 (continued)

REQUIREMENTS interlocks. Therefore, this Surveillance imposes an additional level of assurance that the refueling position one-rod-out interlock will be OPERABLE when required. By "locking" the reactor mode switch in the proper position (i.e., removing the reactor mode switch key from the console while the reactor mode switch is positioned in refuel), an additional administrative control is in place to preclude operator errors from resulting in unanalyzed operation.

The Frequency of 12 hours0.5 days 0.0714 weeks 0.0164 months is sufficient in view of other administrative controls utilized during refueling operations to ensure safe operation.

SR 3.9.2.2 Performance of a CHANNEL FUNCTIONAL TEST on each channel demonstrates the associated refuel position one-rod-out interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested. The 7 day Frequency is considered adequate because of demonstrated circuit reliability, procedural controls on control rod withdrawals, and visual and audible indications available in the control room to alert the operator to control rods not fully inserted. To perform the required testing, the applicable condition must be entered (i.e., a control rod must be withdrawn from its full-in position). Therefore, SR 3.9.2.2 has been modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after any control rod is withdrawn.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 7.6.3.

(continued)

JAFNPP B 3.9.2-3 Revision 0

Refuel Position One-Rod-Out Interlock B 3.9.2_

BASES REFERENCES 3. UFSAR, Section 14.5.4.3.

(continued)

JAFNPP B 3.9.2-4 Revision 0

Control Rod Position B 3.9.3_

B 3.9 REFUELING OPERATIONS B 3.9.3 Control Rod Position BASES BACKGROUND Control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the Reactor Manual Control System. During refueling, movement of control rods is limited by the refueling interlocks (LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") or the control rod block with the reactor mode switch in the shutdown position (LCO 3.3.2.1, "Control Rod Block Instrumentation").

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.

The refueling interlocks allow a single control rod to be withdrawn at any time unless fuel is being loaded into the core. To preclude loading fuel assemblies into the core with a control rod withdrawn, all control rods must be fully inserted (Ref. 2), except as allowed by LCO 3.10.6, "Multiple Control Rod Withdrawal -Refueling". This precludes criticality during refueling operations.

APPLICABLE Prevention and mitigation of prompt reactivity excursions SAFETY ANALYSES during refueling are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2). the SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS)

Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1).

The safety analysis for the control rod removal error during refueling in the UFSAR (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. Thus, prior to fuel reload, all control rods must be fully inserted to minimize the probability of an inadvertent criticality.

Control rod position satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

(cont-inu-ed)

JAFNPP B 3.9.3-1 Revision 0

Control Rod Position B 3.9.3-BASES (continued)

LCO All control rods must be fully inserted during applicable refueling conditions to minimize the probability of an inadvertent criticality during refueling.

APPLICABILITY During MODE 5, loading fuel into core cells with control rods withdrawn may result in inadvertent criticality.

Therefore, the control rods must be inserted before loading fuel into a core cell. All control rods must be inserted before loading fuel to ensure that a fuel loading error does not result in loading fuel into a core cell with the control rod withdrawn.

In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and no fuel loading activities are possible. Therefore, this Specification is not applicable in these MODES.

ACTIONS A.1 With all control rods not fully inserted during the applicable conditions, an inadvertent criticality could occur that is not analyzed in the UFSAR. All fuel loading operations must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.3.1 REQUIREMENTS During refueling, to ensure that the reactor remains subcritical, all control rods must be fully inserted prior to and during fuel loading. Periodic checks of the control rod position ensure this condition is maintained.

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency takes into consideration the procedural controls on control rod movement during refueling as well as the redundant functions of the refueling interlocks.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.5.4.3.

3. UFSAR, Section 14.5.4.4.

JAFNPP B 3.9.3-2 Revision 0

Control Rod Position Indication B 3.9.4-B 3.9 REFUELING OPERATIONS B 3.9.4 Control Rod Position Indication BASES BACKGROUND The full-in position indication channel (i.e., the full-in switch providing the green full-in light) for each control rod provides necessary information to the refueling interlocks to prevent inadvertent criticalities during refueling operations. During refueling, the refueling interlocks (LCO 3.9.1, "Refueling Equipment Interlocks" and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") use the full-in position indication channel to limit the operation of the refueling equipment and the movement of the control rods. The absence of the full-in position channel signal for any control rod removes the all-rods-in permissive for the refueling equipment interlocks and prevents fuel loading. Also, this condition causes the refuel position one-rod-out interlock to not allow the withdrawal of any other control rod.

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.

APPLICABLE Prevention and mitigation of prompt reactivity excursions SAFETY ANALYSES during refueling are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS)

Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation").

The safety analysis for the control rod withdrawal error during refueling (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. The full-in position indication channel is required to be OPERABLE so that the refueling interlocks can ensure that fuel cannot be loaded with any control rod withdrawn and that no more than one control rod can be withdrawn at a time.

Control rod position indication satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

(continued)

JAFNPP B 3.9.4-1 Revision 0

Control Rod Position Indication B 3.9.4 BASES (continued)

LCO Each control rod full-in position indication channel must be OPERABLE to provide the required input to the refueling interlocks. A channel is OPERABLE if it provides correct position indication to the refueling interlock logic.

APPLICABILITY During MODE 5, the control rods must have OPERABLE full-in position indication channels to ensure the applicable refueling interlocks will be OPERABLE.

In MODES 1 and 2, requirements for control rod position are specified in LCO 3.1.3, "Control Rod OPERABILITY." In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions.

ACTIONS A Note has been provided to modify the ACTIONS related to control rod position indication channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable control rod position indication channels provide appropriate compensatory measures for separate inoperable channels. As such, this Note has been provided, which allows separate Condition entry for each inoperable required control rod position indication channel.

A.1.1, A.1.2, A.1.3, A.2.1, and A.2.2 With one or more full-in position indication channels inoperable, compensating actions must be taken to protect against potential reactivity excursions from fuel assembly insertions or control rod withdrawals. This may be accomplished by immediately suspending in-vessel fuel movement and control rod withdrawal, and immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies.

Actions must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, (continued)

JAFNPP B 3.9.4-2 Revision 0

Control Rod Position Indication B 3.9.4_

BASES ACTIONS A.1.1, A.1.2, A.1.3, A.2.1, and A.2.2 (continued) therefore, do not have to be inserted. Suspension of in-vessel fuel movements and control rod withdrawal shall not preclude moving a component to a safe position.

Alternatively, actions must be immediately initiated to fully insert the control rod(s) associated with the inoperable full-in position indicator(s) and disarm (electrically or hydraulically) the drive(s) to ensure that the control rod is not withdrawn. A control rod can be hydraulically disarmed by closing the drive water and exhaust water valves. A control rod can be electrically disarmed by disconnecting power from all four directional control valve solenoids. Actions must continue until all associated control rods are fully inserted and drives are disarmed. Under these conditions (control rod fully inserted and disarmed), an inoperable full-in channel may be bypassed to allow refueling operations to proceed. An alternate method must be used to ensure the control rod is fully inserted (e.g., use the "00" notch position indication).

SURVEILLANCE SR 3.9.4.1 REQUIREMENTS The full-in position indication channels provide input to the one-rod-out interlock and other refueling interlocks that require an all-rods-in permissive. The interlocks are actuated when the full-in position indication for any control rod is not present, since this indicates that all rods are not fully inserted. Therefore, testing of the full-in position indication channels is performed to ensure that when a control rod is withdrawn, the full-in position indication is not present. Note that failure to indicate full-in when the control rod is not withdrawn results in conservative actuation of the one-rod-out interlock, and therefore, is not explicitly required to be verified by this SR. The full-in position indication channel is considered inoperable even with the control rod fully inserted, if it would continue to indicate full-in with the control rod withdrawn. Performing the SR each time a control rod is withdrawn is considered adequate because of the procedural controls on control rod withdrawals and the visual indications and alarms available in the control room to alert the operator to control rods not fully inserted.

(continued)

JAFNPP B 3.9.4-3 Revision 0

Control Rod Position Indication B 3.9.4_

BASES (continued)

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.5.4.3.

3. UFSAR, Section 14.5.4.4.

JAFNPP B 3.9.4-4 Revision 0

Control Rod OPERABILITY-Refueling B 3.9.5_

B 3.9 REFUELING OPERATIONS B 3.9.5 Control Rod OPERABILITY-Refueling BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD)

System, the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes during refueling operation. In addition, the control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System.

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The CRD System is the system capable of maintaining the reactor subcritical in cold conditions.

APPLICABLE Prevention and mitigation of prompt reactivity excursions SAFETY ANALYSES during refueling are provided by refueling interlocks (LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"), the SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation").

The safety analyses for the control rod withdrawal error during refueling (Ref. 2) and the fuel assembly insertion error (Ref. 3) evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Control rod scram provides protection should a prompt reactivity excursion occur.

Control rod OPERABILITY during refueling satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO Each withdrawn control rod must be OPERABLE. The withdrawn control rod is considered OPERABLE if the scram accumulator pressure is Ž 940 psig and the control rod is capable of (continued)

JAFNPP B 3.9.5-1 Revision 0

Control Rod OPERABILITY-Refueling B 3.9.5_

BASES LCO being automatically inserted upon receipt of a scram signal.

(continued) Inserted control rods have already completed their reactivity control function, and therefore are not required to be OPERABLE.

APPLICABILITY During MODE 5, withdrawn control rods must be OPERABLE to ensure that in a scram the control rods will insert and provide the required negative reactivity to maintain the reactor subcritical.

For MODES 1 and 2, control rod requirements are found in LCO 3.1.2, "Reactivity Anomalies," LCO 3.1.3, "Control Rod OPERABILITY," LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators." During MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions.

ACTIONS A.1 With one or more withdrawn control rods inoperable, action must be immediately initiated to fully insert the inoperable control rod(s). Inserting the control rod(s) ensures the shutdown and scram capabilities are not adversely affected.

Actions must continue until the inoperable control rod(s) is fully inserted.

SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 REQUIREMENTS During MODE 5, the OPERABILITY of control rods is primarily required to ensure a withdrawn control rod will automatically insert if a signal requiring a reactor shutdown occurs. Because no explicit analysis exists for automatic shutdown during refueling, the shutdown function is satisfied if the withdrawn control rod is capable of automatic insertion and the associated CRD scram accumulator pressure is 2 940 psig.

The 7 day Frequency takes into consideration equipment reliability, procedural controls over the scram accumulators, and control room alarms and indicating lights that indicate low accumulator charge pressures.

(continued)

JAFNPP B 3.9.5-2 Revision 0

Control Rod OPERABILITY-Refueling B 3.9.5_

BASES SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 (continued)

REQUIREMENTS SR 3.9.5.1 is modified by a Note that allows 7 days after withdrawal of the control rod to perform the Surveillance.

This acknowledges that the control rod must first be withdrawn before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.5.4.3.

3. UFSAR, Section 14.5.4.4.

JAFNPP B 3.9.5-3 Revision 0

RPV Water Level B 3.9.6-B 3.9 REFUELING OPERATIONS B 3.9.6 Reactor Pressure Vessel (RPV) Water Level BASES BACKGROUND The movement of fuel assemblies or handling of control rods within the RPV requires a minimum water level of 22 ft 2 inches above the top of the RPV flange. During refueling, this maintains a sufficient water level in the reactor vessel cavity. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a refueling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to ! 25% of 10 CFR 100 (Ref. 3) limits, as provided by the guidance of Reference 4.

APPLICABLE During movement of fuel assemblies or handling of control SAFETY ANALYSES rods, the water level in the RPV is an initial condition in the analysis of a refueling accident postulated by Reference 1. A minimum water level of 22 ft 2 inches above the top of the RPV flange allows a decontamination factor of 100 to be used in the accident analysis for iodine since more than 23 feet of water is available over the top of the reactor core (Ref. 1). This relates to the assumption that 99% of the total iodine released from the pellet to cladding gap of all damaged fuel assembly rods is retained by the water. The fuel pellet to cladding gap is assumed to contain 10% of the total fuel rod iodine inventory (Ref. 1).

Analysis of the refueling accident inside containment is described in Reference 2. With a minimum water level of 22 ft 2 inches above the top of the RPV flange and a minimum decay time of 24 hours1 days 0.143 weeks 0.0329 months prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated refueling accident is adequately captured by the water and that offsite doses are maintained within allowable limits (Ref. 3). While the worst case assumptions include the dropping of the irradiated fuel assembly being handled onto the reactor core loaded with irradiated fuel, the possibility exists of the dropped assembly striking the RPV flange and releasing fission products. Therefore, the minimum depth for water coverage to ensure acceptable radiological consequences is specified from the RPV flange.

Since the worst case event results in failed fuel assemblies seated in the core, as well as the dropped assembly, dropping an assembly on the RPV flange will result in (continued)

JAFNPP B 3.9.6-1 Revision 0

RPV Water Level B 3.9.6L BASES APPLICABLE reduced releases of fission gases. Based on analysis of SAFETY ANALYSES the physical dimensions which preclude normal operation (continued) with water level 23 feet above the flange, this water level is acceptable.

RPV water level satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO A minimum water level of 22 ft 2 inches above the top of the RPV flange is required to ensure that the radiological consequences of a postulated refueling accident are within acceptable limits, as provided by the guidance of Reference 4.

APPLICABILITY LCO 3.9.6 is applicable when moving fuel assemblies or handling control rods (i.e., movement with other than the normal control rod drive) within the RPV. The LCO minimizes the possibility of a refueling accident that is beyond the assumptions of the safety analysis. If irradiated fuel is not present within the RPV, there can be no significant radioactivity release as a result of a postulated refueling accident. Requirements for fuel movement in the spent fuel storage pool are covered by LCO 3.7.7, "Spent Fuel Storage Pool Water Level."

ACTIONS A.1 If the water level is < 22 ft 2 inches above the top of the RPV flange, all operations involving movement of fuel assemblies and handling of control rods within the RPV shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of fuel movement and control rod handling shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.6.1 REQUIREMENTS Verification of a minimum water level of 22 ft 2 inches above the top of the RPV flange ensures that the design basis for the postulated refueling accident analysis during refueling operations is met. Water at the required level limits the consequences of damaged fuel rods, which are postulated to result from a refueling accident in containment (Ref. 2).

(continued)

JAFNPP B 3.9.6-2 Revision 0

RPV Water Level B 3.9.6 BASES SURVEILLANCE SR 3.9.6.1 (continued)

REQUIREMENTS The Frequency of 24 hours1 days 0.143 weeks 0.0329 months is based on engineering judgment and is considered adequate in view of the large volume of water and the normal procedural controls on valve positions, which make significant unplanned level changes unlikely.

REFERENCES 1. Regulatory Guide 1.25, Assumptions Used for Evaluating The Potential Radiological Consequences Of A Fuel Handling Accident In The Fuel Handling And Storage Facility For Boiling And Pressurized Water Reactors, March 23, 1972.

2. UFSAR, Section 14.6.1.4.

3. 10 CFR 100.11.

4. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Section 15.7.4, Revision 1, Radiological Consequences of Fuel Handling Accident, July 1981.

JAFNPP B 3.9.6-3 Revision 0

RHR-High Water Level B 3.9.7 B 3.9 REFUELING OPERATIONS B 3.9.7 Residual Heat Removal (RHR)-High Water Level BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by the UFSAR (Ref. 1). Either of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. The RHR shutdown cooling mode is manually controlled.

In addition to the RHR shutdown cooling mode, the volume of water above the reactor pressure vessel (RPV) flange provides a heat sink for decay heat removal.

APPLICABLE With the plant in MODE 5, the RHR shutdown cooling mode is SAFETY ANALYSES not required to mitigate any events or accidents evaluated in the safety analyses. The RHR shutdown cooling mode is required for removing decay heat to maintain the temperature of the reactor coolant.

The RHR shutdown cooling mode satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO Only one RHR shutdown cooling subsystem is required to be OPERABLE in MODE 5 with irradiated fuel in the RPV and the water level 2 22 ft 2 inches above the top of the RPV flange. Only one subsystem is required because the volume of water above the RPV flange provides backup decay heat removal capability.

An OPERABLE RHR shutdown cooling subsystem consists of an capable of providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. In MODE 5, the RHR cross tie valves are not required to be closed; thus, the valves may be opened to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem.

(continued)

JAFNPP B 3.9.7-1 Revision 0

RHR-High Water Level B 3.9.7_

BASES LCO Additionally, each RHR shutdown cooling subsystem is (continued) considered OPERABLE if it can be manually aligned (from the control room or locally) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required.

APPLICABILITY One RHR shutdown cooling subsystem must be OPERABLE in MODE 5, with irradiated fuel in the reactor pressure vessel and with the water level ; 22 ft 2 inches above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR shutdown cooling subsystem requirements in MODE 5 with irradiated fuel in the reactor pressure vessel and with the water level < 22 ft 2 inches above the top of the RPV flange are given in LCO 3.9.8, "Residual Heat Removal (RHR)-Low Water Level".

ACTIONS A.1 With no RHR shutdown cooling subsystem OPERABLE, an alternate method of decay heat removal must be established within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . In this condition, the volume of water above the top of the RPV flange provides adequate capability to remove decay heat from the reactor core. However, the overall reliability is reduced because loss of water level could result in reduced decay heat removal capability. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is based on decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of the alternate method must be reconfirmed every 24 hours1 days 0.143 weeks 0.0329 months thereafter. This will ensure continued heat removal capability.

Alternate decay heat removal methods are available to the operators for review and preplanning in the plant Operating Procedures. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. For example, this may include the use of the Spent Fuel Pool Cooling System and the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed or in combination with the Control Rod Drive System or Condensate System. In addition, the Decay Heat Removal (continued)

JAFNPP B 3.9.7-2 Revision 0

RHR-High Water Level B 3.9.7 BASES ACTIONS A.1 (continued)

System can also be used as a method. The method used to remove the decay heat should be the most prudent choice based on plant conditions. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability.

B.1, B.2, B.3, and B.4 If no RHR shutdown cooling subsystem is OPERABLE and an alternate method of decay heat removal is not available in accordance with Required Action A.1, actions shall be taken immediately to suspend operations involving an increase in reactor decay heat load by suspending loading of irradiated fuel assemblies into the RPV.

Additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE; one standby gas treatment subsystem is OPERABLE; and secondary containment isolation capability is available in each associated penetration flowpath not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or acceptable administrative controls assure isolation capability. These administrative controls consist of stationing an operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment is indicated). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, a surveillance may need to be performed to restore the component to OPERABLE status.

Actions must continue until all required components are OPERABLE.

(continued)

JAFNPP B 3.9.7-3 Revision 0

RHR-High Water Level B 3.9.T BASES (continued)

SURVEILLANCE SR 3.9.7.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR shutdown cooling flow path provides assurance that the proper flow paths will exist for RHR operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that can be manually (from the control room or locally) aligned is allowed to be in a non-RHR shutdown cooling position provided the valve can be repositioned. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency of this SR was derived from the Inservice Testing Program requirements for performing valve testing at least once every 92 days. The Frequency of 31 days is further justified because the valves are operated under procedural control. This Frequency has been shown to be acceptable through operating experience.

REFERENCES 1. UFSAR, Section 16.6.

2. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.9.7-4 Revision 0

RHR- Low Water Level B 3.9.8_

B 3.9 REFUELING OPERATIONS B 3.9.8 Residual Heat Removal (RHR)-Low Water Level BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by the UFSAR (Ref. 1). Either of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. The RHR shutdown cooling mode is manually controlled.

APPLICABLE With the plant in MODE 5, the RHR shutdown cooling mode is SAFETY ANALYSES not required to mitigate any events or accidents evaluated in the safety analyses. The RHR shutdown cooling mode is required for removing decay heat to maintain the temperature of the reactor coolant.

The RHR shutdown cooling mode satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO In MODE 5 with irradiated fuel in the reactor pressure vessel (RPV) and the water level < 22 ft 2 inches above the top of the reactor pressure vessel (RPV) flange two RHR shutdown cooling subsystems must be OPERABLE.

An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump, a heat exchanger, an RHR service water pump capable of providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. To meet the LCO, two RHR pumps and two RHR service water pumps in one loop or one RHR pump and one RHR service water pump in each of the two loops must be OPERABLE. In MODE 5, the RHR cross tie valves are not required to be closed; thus, the valves may be opened to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem.

Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (from the control room or locally) in the shutdown cooling mode for (continued)

JAFNPP B 3.9.8-1 Revision 0

RHR- Low Water Level B 3.9.8L BASES LCO removal of decay heat. Operation (either continuous or (continued) intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required.

APPLICABILITY Two RHR shutdown cooling subsystems are required to be OPERABLE in MODE 5, with irradiated fuel in the RPV and with the water level < 22 ft 2 inches above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR shutdown cooling subsystem requirements in MODE 5 with irradiated fuel in the RPV and with the water level Ž 22 ft 2 inches above the top of the RPV flange are given in LCO 3.9.7, "Residual Heat Removal (RHR)-High Water Level."

ACTIONS A.1 With one of the two required RHR shutdown cooling subsystems inoperable, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore, an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of this alternate method must be reconfirmed every 24 hours1 days 0.143 weeks 0.0329 months thereafter. This will ensure continued heat removal capability.

Alternate decay heat removal methods are available to the operators for review and preplanning in the plant Operating Procedures. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capacity to maintain or reduce temperature. For example, this may include the use of the Spent Fuel Pool Cooling System and the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed or in combination with the Control Rod Drive System (continued)

JAFNPP B 3.9.8-2 Revision 0

Level RHR-Low WaterB 3.9.8_

BASES ACTIONS A.1 (continued) or Condensate System. The method used to remove decay heat should be the most prudent choice based on plant conditions.

Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability.

B.1, B.2, and B.3 With the required decay heat removal subsystem(s) inoperable and the required alternate method(s) of decay heat removal not available in accordance with Required Action A.1, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE; one standby gas treatment subsystem is OPERABLE; and secondary containment isolation capability is available in each associated penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or acceptable administrative controls assure isolation capability. These administrative controls consist of stationing an operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment is indicated). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the surveillance may need to be performed to restore the component to OPERABLE status.

Actions must continue until all required components are OPERABLE.

SURVEILLANCE SR 3.9.8.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR shutdown cooling flow paths provides assurance that the proper flow paths will exist for RHR operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to (continued)

JAFNPP B 3.9.8-3 Revision 0

RHR-Low Water Level B 3.9.8 BASES SURVEILLANCE SR 3.9.8.1 (continued)

REQUIREMENTS locking, sealing, or securing. A valve that can be manually (from the control room or locally) aligned is allowed to be in a non-RHR shutdown cooling position provided the valve can be repositioned. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency of this SR was derived from the Inservice Testing Program requirements for performing valve testing at least once every 92 days. The Frequency of 31 days is further justified because the valves are operated under procedural control. This Frequency has been shown to be acceptable through operating experience.

REFERENCES 1. UFSAR, Section 16.6.

2. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.9.8-4 Revision 0

Inservice Leak and Hydrostatic Testing Operation B 3.10.L B 3.10 SPECIAL OPERATIONS B 3.10.1 Inservice Leak and Hydrostatic Testing Operation BASES BACKGROUND The purpose of this Special Operations LCO is to allow certain reactor coolant pressure tests to be performed in MODE 4 when the metallurgical characteristics of the reactor pressure vessel (RPV) require the pressure testing at temperatures > 212°F (normally corresponding to MODE 3).

Inservice hydrostatic testing and system leakage pressure tests required by Section XI of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (Ref. 1) are performed prior to the reactor going critical after a refueling outage. Recirculation pump operation, decay heat and a water solid RPV (except for an air bubble for pressure control) are used to achieve the necessary temperatures and pressures required for these tests. The minimum temperatures (at the required pressures) allowed for these tests are determined from the RPV pressure and temperature (P/T) limits required by LCO 3.4.9, "Reactor Coolant System (RCS) Pressure and Temperature (P/T) Limits."

These limits are conservatively based on the fracture toughness of the reactor vessel, taking into account anticipated vessel neutron fluence.

With increased reactor vessel fluence over time, the minimum allowable vessel temperature increases at a given pressure.

Periodic updates to the RCS P/T limit curves are performed as necessary, based upon the results of analyses of irradiated surveillance specimens removed from the vessel.

APPLICABLE Allowing the reactor to be considered in MODE 4 during SAFETY ANALYSES hydrostatic or leak testing, when the reactor coolant temperature is > 212 0 F, effectively provides an exception to MODE 3 requirements, including OPERABILITY of primary containment and the full complement of redundant Emergency Core Cooling Systems. Since the hydrostatic or leak tests are performed nearly water solid, at low decay heat values, and near MODE 4 conditions, the stored energy in the reactor core will be very low. Under these conditions, the potential for failed fuel and a subsequent increase in coolant activity above the LCO 3.4.6, "RCS Specific Activity," limits are minimized. In addition, the secondary containment will be OPERABLE, in accordance with this Special Operations LCO, and will be capable of handling any airborne radioactivity or steam leaks that could occur (continued)

JAFNPP B 3.10.1-1 Revision 0

Inservice Leak and Hydrostatic Testing Operation B 3.10.1L BASES APPLICABLE during the performance of hydrostatic or leak testing. The SAFETY ANALYSES required pressure testing conditions provide adequate (continued) assurance that the consequences of a recirculation line break (Refs. 2 and 3) will be conservatively bounded by the consequences of the postulated main steam line break outside of primary containment described in Reference 4. Therefore, these requirements will conservatively limit radiation releases to the environment.

In the event of a large primary system leak, the reactor vessel would rapidly depressurize, allowing the low pressure core cooling systems to operate. The capability of the low pressure coolant injection and core spray subsystems, as required in MODE 4 by LCO 3.5.2, "ECCS-Shutdown," would be more than adequate to keep the core flooded under this low decay heat load condition. Small system leaks would be detected by leakage inspections before significant inventory loss occurred.

For the purposes of this test, the protection provided by normally required MODE 4 applicable LCOs, in addition to the secondary containment requirements required to be met by this Special Operations LCO, will ensure acceptable consequences during normal hydrostatic test conditions and during postulated accident conditions.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 5) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation at reactor coolant temperatures > 212°F can be in accordance with Table 1.1-1 for MODE 3 operation without meeting this Special Operations LCO or its ACTIONS. This option may be required due to P/T limits, however, which require testing at temperatures

> 212 0 F, while performance of inservice leak and hydrostatic testing results in inoperability of subsystems required when

> 212 0 F.

(continued)

JAFNPP B 3.10.1-2 Revision 0

Inservice Leak and Hydrostatic Testing Operation B 3.10.L BASES LCO If it is desired to perform these tests while complying with (continued) this Special Operations LCO, then the MODE 4 applicable LCOs and specified MODE 3 LCOs must be met. This Special Operations LCO allows changing Table 1.1-1 temperature limits for MODE 4 to "NA" and suspending the requirements of LCO 3.4.8, "Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown." The additional requirements for secondary containment LCOs to be met will provide sufficient protection for operations at reactor coolant temperatures

> 212°F for the purpose of performing either an inservice leak or hydrostatic test.

This LCO allows primary containment to be open for frequent unobstructed access to perform inspections, and for outage activities on various systems to continue consistent with the MODE 4 applicable requirements that are in effect immediately prior to and immediately after this operation.

APPLICABILITY The MODE 4 requirements may only be modified for the performance of inservice leak or hydrostatic tests so that these operations can be considered as in0 MODE 4, even though the reactor coolant temperature is > 212 F. The additional requirement for secondary containment OPERABILITY according to the imposed MODE 3 requirements provides conservatism in the response of the plant to any event that may occur.

Operations in all other MODES are unaffected by this LCO.

ACTIONS A Note has been provided to modify the ACTIONS related to inservice leak and hydrostatic testing operation.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

(continued)

B 3.10.1-3 Revision 0 JAFNPP

Inservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES ACTIONS A. 1 (continued)

If an LCO specified in LCO 3.10.1 is not met, the ACTIONS applicable to the stated requirements are entered immediately and complied with. Required Action A.1 has been modified by a Note that clarifies the intent of another LCO's Required Action to be in MODE 4 includes reducing the to g 212 0 F.

average reactor coolant temperature A.2.1 and A.2.2 Required Action A.2.1 and Required Action A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 4 requirements, and thereby exit this Special Operation LCO's Applicability. Activities that could further increase reactor coolant temperature or pressure are suspended immediately, in accordance with Required Action A.2.1, and the reactor coolant temperature is reduced to establish normal MODE 4 requirements. The allowed Completion Time of 24 hours1 days 0.143 weeks 0.0329 months for Required Action A.2.2 is based on engineering judgment and provides sufficient time to reduce the average reactor coolant temperature from the highest expected value to < 212°F with normal cooldown procedures. The Completion Time is also consistent with the time provided in LCO 3.0.3 to reach MODE 4 from MODE 3.

SURVEILLANCE SR 3.10.1.1 REQUIREMENTS The LCOs made applicable are required to have their Surveillances met to establish that this LCO is being met.

A discussion of the applicable SRs is provided in their respective Bases.

REFERENCES 1. American Society of Mechanical Engineers, Boiler and Pressure Vessel Code,Section XI.

2. JAF-CALC-MULT-02238, Revision 1, JAF-HELB Analysis During Hydrostatic Test, May 27, 1999.

3. JAF-CALC-RBC-03400, Revision 0, Evaluation of Reactor Building Ducts and Doors for Recirc. Break During Hydro, August 9, 1999.

(continued)

B 3.10.1-4 Revision 0 JAFNPP

Inservice Leak and Hydrostatic Testing Operation B 3.10,L BASES REFERENCES 4. UFSAR, Section 14.6.1.5.

(continued)

JAFNPP B 3.10.1-5 Revision 0

Reactor Mode Switch Interlock Testing B 3.10.2 B 3.10 SPECIAL OPERATIONS B 3.10.2 Reactor Mode Switch Interlock Testing BASES BACKGROUND The purpose of this Special Operations LCO is to permit operation of the reactor mode switch from one position to another to confirm certain aspects of associated interlocks during periodic tests and calibrations in MODES 3, 4, and 5.

The reactor mode switch is a conveniently located, multiposition, keylock switch provided to select the necessary scram functions for various plant conditions (Ref. 1). The reactor mode switch selects the appropriate trip relays for scram functions and provides appropriate bypasses. The mode switch positions and related scram interlock functions are summarized as follows:

a. Shutdown-Initiates a reactor scram; bypasses main steam line isolation scrams;

b. Refuel -Selects Reactor Protection System (RPS) Neutron Monitoring System (NMS) scram function for low neutron flux level operation (but does not disable the average power range monitor scram); bypasses main steam line isolation;

c. Startup/Hot Standby- Selects RPS NMS scram function for low neutron flux level operation (intermediate range monitors and average power range monitors); bypasses main steam line isolation scram; and

d. Run-Selects RPS NMS scram function for power range operation.

The reactor mode switch also provides interlocks for such functions as control rod blocks, scram discharge volume trip bypass, refueling equipment interlocks, and main steam isolation valve isolations.

APPLICABLE The acceptance criterion for reactor mode switch interlock SAFETY ANALYSES testing is to prevent fuel failure by precluding reactivity excursions or core criticality. The interlock functions of the shutdown and refuel positions normally maintained for the reactor mode switch in MODES 3, 4, and 5 are provided to preclude reactivity excursions that could potentially result in fuel failure. Interlock testing that requires moving the reactor mode switch to other positions (run, startup/hot (continued)

B 3.10.2-1 Revision 0 JAFNPP

Reactor Mode Switch Interlock BTesting 3.10.2 BASES APPLICABLE standby, or refuel) while in MODE 3, 4, or 5, requires SAFETY ANALYSES administratively maintaining all control rods inserted and (continued) no CORE ALTERATIONS in progress. With all control rods inserted in core cells containing one or more fuel assemblies, and no CORE ALTERATIONS in progress, there are no credible mechanisms for unacceptable reactivity excursions during the planned interlock testing.

For postulated accidents, such as control rod withdrawal error during refueling or loading of fuel with a control rod withdrawn, the accident analysis demonstrates that fuel failure will not occur (Refs. 2 and 3). The withdrawal of a single control rod will not result in criticality when adequate SDM is maintained. Also, loading fuel assemblies into the core with a single control rod withdrawn will not result in criticality, thereby preventing fuel failure.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 4) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. MODES 3, 4, and 5 operations not specified in Table 1.1-1 can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation,"

LCO 3.10.3, "Single Control Rod Withdrawal -Hot Shutdown,"

LCO 3.10.4, "Single Control Rod Withdrawal-Cold Shutdown,"

and LCO 3.10.8. "SDM Test-Refueling") without meeting this LCO or its ACTIONS. If any testing is performed that involves the reactor mode switch interlocks and requires repositioning beyond that specified in Table 1.1-1 for the current MODE of operation, the testing can be performed, provided all interlock functions potentially defeated are administratively controlled. In MODES 3, 4, and 5 with the reactor mode switch in shutdown as specified in Table 1.1-1, all control rods are fully inserted and a control rod block is initiated. Therefore, all control rods in core cells that contain one or more fuel assemblies must be verified fully inserted while in MODES 3, 4, and 5, with the reactor mode switch in other than the shutdown position. The additional LCO requirement to preclude CORE ALTERATIONS is (continued)

JAFNPP B 3.10.2-2 Revision 0

Reactor Mode Switch Interlock Testing B 3.10.2 BASES LCO appropriate for MODE 5 operations, as discussed below, and (continued) is inherently met in MODES 3 and 4 by the definition of CORE ALTERATIONS, which cannot be performed with the vessel head in place.

In MODE 5, with the reactor mode switch in the refuel position, only one control rod can be withdrawn under the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"). The refueling equipment interlocks (LCO 3.9.1, "Refueling Equipment Interlocks")

appropriately control other CORE ALTERATIONS. Due to the increased potential for error in controlling these multiple interlocks, and the limited duration of tests involving the reactor mode switch position, conservative controls are required, consistent with MODES 3 and 4. The additional controls of administratively not permitting CORE ALTERATIONS will adequately ensure that the reactor does not become critical during these tests.

APPLICABILITY Any required periodic interlock testing involving the reactor mode switch, while in MODES 1 and 2, can be performed without the need for Special Operations exceptions. Mode switch manipulations in these MODES would likely result in plant trips. In MODES 3, 4, and 5, this Special Operations LCO allows reactor mode switch interlock testing that cannot conveniently be performed without this allowance or testing that must be performed prior to entering another MODE. Such interlock testing may consist of required Surveillances, or may be the result of maintenance, repair, or troubleshooting activities. In MODES 3, 4, and 5, the interlock functions provided by the reactor mode switch in shutdown (i.e., all control rods inserted and incapable of withdrawal) and refueling (i.e.,

refueling interlocks to prevent inadvertent criticality during CORE ALTERATIONS) positions can be administratively controlled adequately during the performance of certain tests.

ACTIONS A.1, A.2, A.3.1, and A.3.2 These Required Actions are provided to restore compliance with the Technical Specifications overridden by this Special Operations LCO. Restoring compliance will also result in exiting the Applicability of this Special Operations LCO.

(continued)

JAFNPP B 3.10.2-3 Revision 0

Reactor Mode Switch Interlock Testing B 3.10.2 BASES ACTIONS A.1, A.2, A.3.1, and A.3.2 (continued)

All CORE ALTERATIONS, except control rod insertion, if in progress, are immediately suspended in accordance with Required Action A.1, and all insertable control rods in core cells that contain one or more fuel assemblies are fully inserted within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , in accordance with Required Action A.2. This will preclude potential mechanisms that could lead to criticality. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted.

Suspension of CORE ALTERATIONS shall not preclude the completion of movement of a component to a safe condition.

Placing the reactor mode switch in the shutdown position will ensure that all inserted control rods remain inserted and result in operating in accordance with Table 1.1-1.

Alternatively, if in MODE 5, the reactor mode switch may be placed in the refuel position, which will also result in operating in accordance with Table 1.1-1. A Note is added to Required Action A.3.2 to indicate that this Required Action is only applicable in MODE 5, since only the shutdown position is allowed in MODES 3 and 4. The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months for Required Action A.2, Required Action A.3.1, and Required Action A.3.2 provides sufficient time to normally insert the control rods and place the reactor mode switch in the required position, based on operating experience, and is acceptable given that all operations that could increase core reactivity have been suspended.

SURVEILLANCE SR 3.10.2.1 and SR 3.10.2.2 REQUIREMENTS Meeting the requirements of this Special Operations LCO maintains operation consistent with or conservative to operating with the reactor mode switch in the shutdown position (or the refuel position for MODE 5). The functions of the reactor mode switch interlocks that are not in effect, due to the testing in progress, are adequately compensated for by the Special Operations LCO requirements.

The administrative controls are to be periodically verified to ensure that the operational requirements continue to be met. The Surveillances performed at the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequencies are intended to provide appropriate assurance that each operating shift is aware of and verifies compliance with these Special Operations LCO requirements.

(continued)

JAFNPP B 3.10.2-4 Revision 0

Reactor Mode Switch Interlock Testing B 3.10.Z.

BASES (continued)

REFERENCES 1. UFSAR, Section 7.2.

2. UFSAR, Section 14.5.4.3.

3. UFSAR, Section 14.5.4.4.

JAFNPP B 3.10.2-5 Revision 0

Single Control Rod Withdrawal-Hot Shutdown B 3.10.3L B 3.10 SPECIAL OPERATIONS B 3.10.3 Single Control Rod Withdrawal -Hot Shutdown BASES BACKGROUND The purpose of this MODE 3 Special Operations LCO is to permit the withdrawal of a single control rod for testing while in hot shutdown, by imposing certain restrictions. In MODE 3, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the other installed interlocks that are actuated when the reactor mode switch is in the shutdown position. However, circumstances may arise while in MODE 3 that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram timing, and coupling integrity checks). These single control rod withdrawals are normally accomplished by selecting the refuel position for the reactor mode switch. This Special Operations LCO provides the appropriate additional controls to allow a single control rod withdrawal in MODE 3.

APPLICABLE With the reactor mode switch in the refuel position, the SAFETY ANALYSES analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 3, these analyses will bound the consequences of a postulated accident. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.

Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists.

The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling.

Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal.

(continued)

JAFNPP B 3.10.3-1 Revision 0

Single Control Rod Withdrawal -Hot Shutdown B 3.10.3 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special SAFETY ANALYSES Operations LCOs is optional, and therefore, no criteria of (continued) 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 3 with the reactor mode switch in the refuel position can be performed in accordance with other Special Operations LCOs (i.e.,

LCO 3.10.2, "Reactor Mode Switch Interlock Testing," without meeting this Special Operations LCO or its ACTIONS.

However, if a single control rod withdrawal is desired in MODE 3, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO, will ensure that only one control rod can be withdrawn.

To back up the refueling interlocks (LCO 3.9.2), the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by this Special Operations LCO's requirements in Item d.l. Alternately, provided a sufficient number of control rods in the vicinity of the withdrawn control rod are known to be inserted and incapable of withdrawal (Item d.2), the possibility of criticality on withdrawal of this control rod is sufficiently precluded, so as not to require the scram capability of the withdrawn control rod. Also, once this alternate (Item d.2) is completed, the LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn untrippable control rod to be the single highest worth control rod.

APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with this Special Operations LCO or Special Operations LCO 3.10.4, and if limited to one control rod.

(continued)

JAFNPP B 3.10.3-2 Revision 0

Single Control Rod Withdrawal -Hot Shutdown B 3.10.3_

BASES APPLICABILITY This allowance is only provided with the reactor mode switch (continued) in the refuel position. For these conditions, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4, "Control Rod Position Indication"),

full insertion requirements for all other control rods and scram functions (LCO 3.3.1.1. "Reactor Protection System (RPS) Instrumentation", and LCO 3.9.5, "Control Rod OPERABILITY-Refueling"), or the added administrative controls in Item d.2 of this Special Operations LCO, preclude unacceptable reactivity excursions.

ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 3. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

A.1 If one or more of the requirements specified in this Special Operations LCO are not met, the ACTIONS applicable to the stated requirements of the affected LCOs are immediately entered as directed by Required Action A.1. Required Action A.1 has been modified by a Note that claries the intent of any other LCO's Required Action, to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added, which clarifies that this Required Action is only applicable if the requirements not met are for an affected LCO.

(continued)

JAFNPP B 3.10.3-3 Revision 0

Single Control Rod Withdrawal -Hot Shutdown B 3.10.3 BASES ACTIONS A.2.1 and A.2.2 (continued)

Required Actions A.2.1 and A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 3 requirements, thereby exiting this Special Operations LCO's Applicability.

Actions must be initiated immediately to insert all insertable control rods. Actions must continue until all such control rods are fully inserted. Placing the reactor mode switch in the shutdown position will ensure all inserted rods remain inserted and restore operation in accordance with Table 1.1-1. The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to place the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods.

SURVEILLANCE SR 3.10.3.1, SR 3.10.3.2, and SR 3.10.3.3 REQUIREMENTS The other LCOs made applicable in this Special Operations LCO are required to have their Surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification in accordance with SR 3.10.3.2 is required to preclude the possibility of criticality. The control rods can be hydraulically disarmed by closing the drive water and exhaust header water isolation valves. Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. SR 3.10.3.2 has been modified by a Note, which clarifies that this SR is not required to be met if SR 3.10.3.1 is satisfied for LCO 3.10.3.d.1 requirements, since SR 3.10.3.2 demonstrates that the alternative LCO 3.10.3.d.2 requirements are satisfied. Also, SR 3.10.3.3 verifies that all control rods other than the control rod being withdrawn are fully inserted. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is acceptable because of the administrative controls on control rod withdrawal, the protection afforded by the LCOs involved, and hardwire interlocks that preclude additional control rod withdrawals.

REFERENCES 1. UFSAR, Section 14.5.4.3.

2. UFSAR, Section 14.5.4.4.

JAFNPP B 3.10.3-4 Revision 0

Single Control Rod Withdrawal-Cold Shutdown B 3.10.4_

B 3.10 SPECIAL OPERATIONS B 3.10.4 Single Control Rod Withdrawal -Cold Shutdown BASES BACKGROUND The purpose of this MODE 4 Special Operations LCO is to permit the withdrawal of a single control rod for testing or maintenance, while in cold shutdown, by imposing certain restrictions. In MODE 4, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the installed interlocks associated with the reactor mode switch in the shutdown position. Circumstances may arise while in MODE 4, however, that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram time testing, and coupling integrity checks). Certain situations may also require the removal of the associated control rod drive (CRD). These single control rod withdrawals and possible subsequent removals are normally accomplished by selecting the refuel position for the reactor mode switch.

APPLICABLE With the reactor mode switch in the refuel position, the SAFETY ANALYSES analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 4, these analyses will bound the consequences of a postulated accident. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.

Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists.

The control rod scram function provides backup protection in the event normal refueling procedures and the refueling interlocks fail to prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal. This alternate backup protection is required when removing a CRD because this removal renders the withdrawn control rod incapable of being scrammed.

(continued)

JAFNPP B 3.10.4-1 Revision 0

Single Control Rod Withdrawal -Cold Shutdown B 3.10.4 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special SAFETY ANALYSES Operations LCOs is optional, and therefore, no criteria of (continued) 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 4 with the reactor mode switch in the refuel position can be performed in accordance with other LCOs (i.e., Special Operations LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. If a single control rod withdrawal is desired in MODE 4, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied.

"Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.

The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO will ensure that only one control rod can be withdrawn.

The requirements of LCO 3.9.4, "Control Rod Position Indication" can continue to be met even when the control rod position indication probe is disconnected to allow de coupling, provided the withdrawn control rod does not erroneously indicate "full-in." However, in the event the control rod does indicate "full-in" (either due to component malfunction or intentional jumpering to cause a "full-in" indication), a control rod withdrawal block is required to be inserted to ensure that no additional control rods can be withdrawn and that compliance with this Special Operations LCO is maintained.

To back up the refueling interlocks (LCO 3.9.2) or the control rod withdrawal block, the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by the Special Operations LCO requirements in Item c.1. Alternatively, when the scram function is not OPERABLE, or when the CRD is to be removed, a sufficient number of rods in the vicinity of the withdrawn control rod are required to be inserted and made incapable of withdrawal (Item c.2). This precludes the possibility of criticality upon withdrawal of this control rod. Also, once (continued)

JAFNPP B 3.10.4-2 Revision 0

Single Control Rod Withdrawal-Cold Shutdown B 3.10.4 BASES LCO this alternate (Item c.2) is completed, the LCO 3.1.1, (continued) "SHUTDOWN MARGIN (SDM)," SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn untrippable control rod to be the single highest worth control rod.

APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1. 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, or this Special Operations LCO, and if limited to one control rod.

This allowance is only provided with the reactor mode switch in the refuel position.

During these conditions, the full insertion requirements for all other control rods, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4),

and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY-Refueling"), or the added administrative controls in Item b.2 and Item c.2 of this Special Operations LCO, provide mitigation of potential reactivity excursions.

ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 4. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod insertable, these Required Actions restore operation consistent with normal MODE 4 conditions (i.e., all rods (continued)

Revision 0 JAFNPP B 3.10.4-3

Single Control Rod Withdrawal -Cold Shutdown B 3.10.4 BASES ACTIONS A.1, A.2.1, and A.2.2 (continued) inserted) or with the exceptions allowed in this Special Operations LCO. Required Action A.1 has been modified by a Note that clarifies the intent of any other LCO's Required Action to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position.

A second Note has been added to Required Action A.1 to clarify that this Required Action is only applicable if the requirements not met are for an affected LCO.

Required Actions A.2.1 and A.2.2 are specified, based on the assumption that the control rod is being withdrawn. If the control rod is still insertable, actions must be immediately initiated to fully insert all insertable control rods and within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months place the reactor mode switch in the shutdown position. Actions must continue until all such control rods are fully inserted. The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months for placing the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods.

B.1, B.2.1, and B.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod not insertable, withdrawal of the control rod and removal of the associated CRD must be immediately suspended. If the CRD has been removed, such that the control rod is not insertable, the Required Actions require the most expeditious action be taken to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO.

SURVEILLANCE SR 3.10.4.1, SR 3.10.4.2, SR 3.10.4.3, and SR 3.10.4.4 REQUIREMENTS The other LCOs made applicable by this Special Operations LCO are required to have their associated surveillances met to establish that this Special Operations LCO is being met.

If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification is required to ensure that the possibility of criticality remains precluded. The control rods can be hydraulically disarmed by closing the (continued)

JAFNPP B 3.10.4-4 Revision 0

Single Control Rod Withdrawal -Cold Shutdown B 3.10.4 BASES SURVEILLANCE SR 3.10.4.1. SR 3.10.4.2, SR 3.10.4.3, and SR 3.10.4.4 REQUIREMENTS (continued) drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids.

Verification that all the other control rods are fully inserted is required to meet the SDM requirements.

Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the affected control rod. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is acceptable because of the administrative controls on control rod withdrawals, the protection afforded by the LCOs involved, and hardwire interlocks to preclude an additional control rod withdrawal.

SR 3.10.4.2 and SR 3.10.4.4 have been modified by Notes, which clarify that these SRs are not required to be met if the alternative requirements demonstrated by SR 3.10.4.1 are satisfied.

REFERENCES 1. UFSAR, Section 14.5.4.3.

2. UFSAR, Section 14.5.4.4.

JAFNPP B 3.10.4-5 Revision 0

Single CRD Removal -Refueling B 3.10.5 B 3.10 SPECIAL OPERATIONS B 3.10.5 Single Control Rod Drive (CRD) Removal -Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit the removal of a single CRD during refueling operations by imposing certain administrative controls.

Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. The refueling interlocks use the "full-in" position indicators to determine the position of all control rods. If the "full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.

The control rod scram function provides backup protection in the event normal refueling procedures, and the refueling interlocks described above fail to prevent inadvertent criticalities during refueling. The requirement for this function to be OPERABLE precludes the possibility of removing the CRD once a control rod is withdrawn from a core cell containing one or more fuel assemblies. This Special Operations LCO provides controls sufficient to ensure the possibility of an inadvertent criticality is precluded, while allowing a single CRD to be removed from a core cell containing one or more fuel assemblies. The removal of the CRD involves disconnecting the position indication probe, which causes noncompliance with LCO 3.9.4, "Control Rod Position Indication," and therefore, LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refueling Position One-Rod-Out Interlock." The CRD removal also requires isolation of the CRD from the CRD Hydraulic System, thereby causing inoperability of the control rod (LCO 3.9.5, "Control Rod OPERABILITY- Refueling").

APPLICABLE With the reactor mode switch in the refuel position, the SAFETY ANALYSES analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied, these analyses will bound the consequences of (continued)

JAFNPP B 3.10.5-1 Revision 0

Single CRD Removal -Refueling B 3.10.5 BASES APPLICABLE accidents. Explicit safety analyses in the UFSAR (Refs. 1 SAFETY ANALYSES and 2) demonstrate that proper operation of the refueling (continued) interlocks and adequate SDM will preclude unacceptable reactivity excursions.

Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement that no other CORE ALTERATIONS are in progress adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1).

The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling.

Since the scram function and refueling interlocks may be suspended, alternate backup protection required by this Special Operations LCO is obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod are inserted and disarmed, and all other control rods are inserted and are incapable of being withdrawn (by insertion of a control rod block).

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with any of the following LCOs, LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," LCO 3.3.8.2, "Reactor Protection System (RPS) Electric Power Monitoring," LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, or LCO 3.9.5 not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS.

(continued)

JAFNPP B 3.10.5-2 Revision 0

Single CRD Removal -Refueling B 3.10.5 BASES LCO However, if a single CRD removal from a core cell containing (continued) one or more fuel assemblies is desired in MODE 5, controls consistent with those required by LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1. LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 must be implemented, and this Special Operations LCO applied.

By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement that no other CORE ALTERATIONS are in progress adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). Ensuring that the five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal adequately satisfies the backup protection that LCO 3.3.1.1 and LCO 3.9.2 would have otherwise provided.

Also, once these requirements (Items a, b, and c) are completed, the SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn untrippable control rod to be the single highest worth control rod.

APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The allowance to comply with this Special Operations LCO in lieu of the ACTIONS of LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 is appropriately controlled with the additional administrative controls required by this Special Operations LCO, which reduce the potential for reactivity excursions.

ACTIONS A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for failure to meet LCO 3.3.1.1, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 (i.e., all control rods inserted) or with the allowances of this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2.1, and Required Action A.2.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the (continued)

JAFNPP B 3.10.5-3 Revision 0

Single CRD Removal -Refueling B 3.10.5_

BASES ACTIONS A.1, A.2.1, and A.2.2 (continued)

CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO.

Actions must continue until either Required Action A.2.1 or Required Action A.2.2 is satisfied.

SURVEILLANCE SR 3.10.5.1, SR 3.10.5.2, SR 3.10.5.3, SR 3.10.5.4, REQUIREMENTS and SR 3.10.5.5 Verification that all the control rods, other than the control rod withdrawn for the removal of the associated CRD, are fully inserted is required to ensure the SDM is within limits. Verification that the local five by five array of control rods, other than the control rod withdrawn for removal of the associated CRD, is inserted and disarmed, while the scram function for the withdrawn rod is not available, is required to ensure that the possibility of criticality remains precluded. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the withdrawn control rod. The Surveillance for LCO 3.1.1, which is made applicable by this Special Operations LCO, is required in order to establish that this Special Operations LCO is being met. Verification that no other CORE ALTERATIONS are being made is required to ensure the assumptions of the safety analysis are satisfied.

Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is acceptable, given the administrative controls on control rod removal and hardwire interlock to block an additional control rod withdrawal.

REFERENCES 1. UFSAR, Section 14.5.4.3

2. UFSAR, Section 14.5.4.4.

JAFNPP B 3.10.5-4 Revision 0

Multiple Control Rod Withdrawal -Refueling B 3.10.6 B 3.10 SPECIAL OPERATIONS B 3.10.6 Multiple Control Rod Withdrawal -Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit multiple control rod withdrawal during refueling by imposing certain administrative controls.

Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. When all four fuel assemblies are removed from a cell, the control rod may be withdrawn with no restrictions. Any number of control rods may be withdrawn and removed from the reactor vessel if their cells contain no fuel.

The refueling interlocks use the "full-in" position indicators to determine the position of all control rods.

If the "full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.

To allow more than one control rod to be withdrawn during refueling, these interlocks must be defeated. This Special Operations LCO establishes the necessary administrative controls to allow bypassing the "full-in" position indicators.

APPLICABLE Explicit safety analyses in the UFSAR (Refs. 1, 2 and 3)

SAFETY ANALYSES demonstrate that the functioning of the refueling interlocks and adequate SDM will prevent unacceptable reactivity excursions during refueling. To allow multiple control rod withdrawals, control rod removals, associated control rod drive (CRD) removal, or any combination of these, the "full in" position indication is allowed to be bypassed for each withdrawn control rod if all fuel has been removed from the cell. With no fuel assemblies in the core cell, the associated control rod has no reactivity control function and is not required to remain inserted. Prior to reloading (continued)

JAFNPP B 3.10.6-1 Revision 0

Multiple Control Rod Withdrawal -Refueling B 3.10.6 BASES APPLICABLE fuel into the cell, however, the associated control rod must SAFETY ANALYSES be inserted to ensure that an inadvertent criticality does (continued) not occur, as evaluated in the Reference 2 analysis.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 4) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with either LCO 3.9.3, "Control Rod Position," LCO 3.9.4, "Control Rod Position Indication," or LCO 3.9.5, "Control Rod OPERABILITY-Refueling," not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. If multiple control rod withdrawal or removal, or CRD removal is desired, all four fuel assemblies are required to be removed from the associated cells. Prior to entering this LCO, any fuel remaining in a cell whose CRD was previously removed under the provisions of another LCO must be removed.

"Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.

When fuel is loaded into the core with multiple control rods withdrawn, special spiral reload sequences are used to ensure that reactivity additions are minimized. Spiral reloading encompasses reloading a cell (four fuel locations immediately adjacent to a control rod) on the edge of a continuous fueled region (the cell can be loaded in any sequence). Otherwise, all control rods must be fully inserted before loading fuel. For an unloaded core the spiral reload may commence at either the core center around a "dunking type detector" or, around one of the source range monitors. Placement of the "dunking type detector" in the core cell does not violate the intent of the spiral reload pattern. Fuel assemblies may be loaded into this location when the "dunking type detector" is removed.

APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The exceptions from other LCO requirements (e.g., the ACTIONS of LCO 3.9.3, LCO 3.9.4, or LCO 3.9.5) allowed by this Special Operations LCO are appropriately controlled by requiring all (continued)

B 3.10.6-2 Revision 0 JAFNPP

Multiple Control Rod Withdrawal -Refueling B 3.10.6 BASES APPLICABILITY fuel to be removed from cells whose "full-in" indications (continued) are allowed to be bypassed. This bypassing must be verified by a second licensed operator or a reactor engineer.

ACTIONS A.1, A.2, A.3.1, and A.3.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for refueling (i.e., all control rods inserted in core cells containing one or more fuel assemblies) or with the exceptions granted by this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2, Required Action A.3.1, and Required Action A.3.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the affected CRDs and insert their control rods, or initiate action to restore compliance with this Special Operations LCO.

SURVEILLANCE SR 3.10.6.1, SR 3.10.6.2, and SR 3.10.6.3 REQUIREMENTS Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. In addition, SR 3.10.6.1 must be verified by one licensed operator and a reactor engineer. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is acceptable, given the administrative controls on fuel assembly and control rod removal, and takes into account other indications of control rod status available in the control room.

REFERENCES 1. UFSAR, Section 7.6.

2. UFSAR, Section 14.5.4.3.

3. UFSAR, Section 14.5.4.4.

JAFNPP B 3.10.6-3 Revision 0

Control Rod Testing-Operating B 3.10.7 B 3.10 SPECIAL OPERATIONS B 3.10.7 Control Rod Testing-Operating BASES BACKGROUND The purpose of this Special Operations LCO is to permit control rod testing, while in MODES 1 and 2, by imposing certain administrative controls. Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, "Control Rod Block Instrumentation"), such that only the specified control rod sequences and relative positions required by LCO 3.1.6, "Rod Pattern Control," are allowed over the operating range from all control rods inserted to 10% RTP.

The sequences effectively limit the potential amount and rate of reactivity increase that could occur during a control rod drop accident (CRDA). During these conditions, control rod testing is sometimes required that may result in control rod patterns not in compliance with the prescribed sequences of LCO 3.1.6. These tests include SDM testing, control rod scram time testing, and control rod friction testing. This Special Operations LCO provides the necessary exemption to the requirements of LCO 3.1.6 and provides additional administrative controls to allow the deviations in such tests from the prescribed sequences in LCO 3.1.6.

APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the CRDA are summarized in References 1 and 2. CRDA analyses assume the reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analyses. The RWM provides backup to operator control of the withdrawal sequences to ensure the initial conditions of the CRDA analyses are not violated. For special sequences developed for control rod testing, the initial control rod patterns assumed in the safety analyses of References 1 and 2 may not be preserved.

Therefore special CRDA analyses are required to demonstrate that these special sequences will not result in unacceptable consequences, should a CRDA occur during the testing. These analyses, performed in accordance with an NRC approved methodology, are dependent on the specific test being performed.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations (continued)

JAFNPP B 3.10.7-1 Revision 0

Control Rod Testing-Operating B 3.10.7 BASES APPLICABLE LCOs provide flexibility to perform certain operations by SAFETY ANALYSES appropriately modifying requirements of other LCOs. A (continued) discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Control rod testing may be performed in compliance with the prescribed sequences of LCO 3.1.6, and during these tests, no exceptions to the requirements of LCO 3.1.6 are necessary. For testing performed with a sequence not in compliance with LCO 3.1.6, the requirements of LCO 3.1.6 may be suspended, provided additional administrative controls are placed on the test to ensure that the assumptions of the special safety analysis for the test sequence are satisfied. Assurances that the test sequence is followed can be provided by either programming the test sequence into the RWM, with conformance verified as specified in SR 3.3.2.1.8 and allowing the RWM to monitor control rod withdrawal and provide appropriate control rod blocks if necessary, or by verifying conformance to the approved test sequence by a second licensed operator (Reactor Operator or Senior Operator) or other qualified member of the technical staff (i.e., reactor engineer).

These controls are consistent with those normally applied to operation in the startup range as defined in the SRs and ACTIONS of LCO 3.3.2.1, "Control Rod Block Instrumentation."

APPLICABILITY Control rod testing, while in MODES 1 and 2, with THERMAL POWER greater than 10% RTP, is adequately controlled by the existing LCOs on power distribution limits and control rod block instrumentation. Control rod movement during these conditions is not restricted to prescribed sequences and can be performed within the constraints of LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)," and LCO 3.3.2.1. With THERMAL POWER less than or equal to 10% RTP, the provisions of this Special Operations LCO are necessary to perform special tests that are not in conformance with the prescribed sequences of LCO 3.1.6.

While in MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, "Single Control Rod Withdrawal -Hot Shutdown,"

or Special Operations LCO 3.10.4, "Single Control Rod Withdrawal -Cold Shutdown," which provide adequate controls (continued)

JAFNPP B 3.10.7-2 Revision 0

Control Rod Testing-Operating B 3.10.7 BASES APPLICABILITY to ensure that the assumptions of the safety analyses of (continued) Reference 1 and 2 are satisfied. During these Special Operations and while in MODE 5, the one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock,") and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY-Refueling"), or the added administrative controls prescribed in the applicable Special Operations LCOs, provide mitigation of potential reactivity excursions.

ACTIONS A.1 With the requirements of the LCO not met (e.g., the control rod pattern is not in compliance with the special test sequence or the sequence is improperly loaded in the RWM) the testing is required to be immediately suspended. Upon suspension of the special test, the provisions of LCO 3.1.6 are no longer excepted, and appropriate actions are to be taken to restore the control rod sequence to the prescribed sequence of LCO 3.1.6, or to shut down the reactor, if required by LCO 3.1.6.

SURVEILLANCE SR 3.10.7.1 REQUIREMENTS With the special test sequence not programmed into the RWM, a second licensed operator (Reactor Operator or Senior Operator) or other qualified member of the technical staff (i.e., reactor engineer) is required to verify conformance with the approved sequence for the test. This verification must be performed during control rod movement to prevent deviations from the specified sequence. A Note is added to indicate that this Surveillance does not need to be met if SR 3.10.7.2 is satisfied.

SR 3.10.7.2 When the RWM provides conformance to the special test sequence, the test sequence must be verified to be correctly loaded into the RWM prior to control rod movement. This Surveillance demonstrates compliance with SR 3.3.2.1.8, thereby demonstrating that the RWM is OPERABLE. A Note has been added to indicate that this Surveillance does not need to be met if SR 3.10.7.1 is satisfied.

(continued)

JAFNPP B 3.10.7-3 Revision 0

Control Rod Testing-Operating B 3.10.7 BASES (continued)

REFERENCES 1. UFSAR, Section 14.6.1.2.

2. UFSAR, Section 14.6.3.

JAFNPP B 3.10.7-4 Revision 0

SDM Test -Refueling B 3.10.8_

B 3.10 SPECIAL OPERATIONS B 3.10.8 SHUTDOWN MARGIN (SDM) Test-Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit SDM testing to be performed for those plant configurations in which the reactor pressure vessel (RPV) head is either not in place or the head bolts are not fully tensioned.

LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," requires that adequate SDM be verified following fuel movements or control rod replacement within the RPV. The verification must be performed prior to or within 4 hours0.167 days 0.0238 weeks 0.00548 months after criticality is reached. This SDM test may be performed prior to or during the first startup following the refueling. Performing the SDM test prior to startup requires the test to be performed while in MODE 5, with the vessel head bolts less than fully tensioned (and possibly with the vessel head removed).

While in MODE 5, the reactor mode switch is required to be in the shutdown or refuel position, where the applicable control rod blocks ensure that the reactor will not become critical. The SDM test requires the reactor mode switch to be in the startup/hot standby position, since more than one control rod will be withdrawn for the purpose of demonstrating adequate SOM. This Special Operations LCO provides the appropriate additional controls to allow withdrawing more than one control rod from a core cell containing one or more fuel assemblies when the reactor vessel head bolts are less than fully tensioned.

APPLICABLE Prevention and mitigation of unacceptable reactivity SAFETY ANALYSES excursions during control rod withdrawal, with the reactor mode switch in the startup/hot standby position while in MODE 5, is provided by the intermediate range monitor (IRM) neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation"). The limiting reactivity excursion during startup conditions while in MODE 5 is the control rod drop accident (CRDA).

CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. For SDM tests performed within these defined sequences, the analyses of References 1 and 2 are applicable. However, for some sequences developed for the SDM testing, the control rod patterns assumed in the (continued)

JAFNPP B 3.10.8-1 Revision 0

SDM Test-Refueling B 3.10.8 BASES APPLICABLE safety analyses of References 1 and 2 may not be met.

SAFETY ANALYSES Therefore, special CRDA analyses, performed in accordance (continued) with an NRC approved methodology, are required to verify the SDM test sequence will not result in unacceptable consequences should a CRDA occur during the testing. For the purpose of this test, the protection provided by the normally required MODE 5 applicable LCOs, in addition to the requirements of this LCO, will maintain normal test operations as well as postulated accidents within the bounds of the appropriate safety analyses (Refs. 1 and 2). In addition to the added requirements for the RWM, APRM, and control rod coupling, the notch out mode is specified for out of sequence withdrawals. Requiring the notch out mode limits withdrawal steps to a single notch, which limits inserted reactivity, and allows adequate monitoring of changes in neutron flux, which may occur during the test.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. SDM tests may be performed while in MODE 2, in accordance with Table 1.1-1, without meeting this Special Operations LCO or its ACTIONS. For SDM tests performed while in MODE 5, additional requirements must be met to ensure that adequate protection against potential reactivity excursions is available. To provide additional scram protection, beyond the normally required IRMs, the APRMs are also required to be OPERABLE (LCO 3.3.1.1, Functions 2.a and 2.d) as though the reactor were in MODE 2. Because multiple control rods will be withdrawn and the reactor will potentially become critical, the approved control rod withdrawal sequence must be enforced by the RWM (LCO 3.3.2.1, Function 2. MODE 2), or must be verified by a second licensed operator (Reactor Operator or Senior Operator) or other qualified member of the technical staff (i.e., reactor engineer). To provide additional protection against an inadvertent criticality, control rod withdrawals that do not conform to the banked position withdrawal sequence specified in LCO 3.1.6, "Rod Pattern Control," (i.e., out of sequence control rod withdrawals) must be made in the individual notched withdrawal mode to minimize the potential reactivity (continued)

JAFNPP B 3.10.8-2 Revision 0

SDM Test - Refueling B 3.10.8 BASES LCO insertion associated with each movement. Coupling integrity (continued) of withdrawn control rods is required to minimize the probability of a CRDA and ensure proper functioning of the withdrawn control rods, if they are required to scram.

Because the reactor vessel head may be removed during these tests, no other CORE ALTERATIONS may be in progress.

Furthermore, since the control rod scram function with the RCS at atmospheric pressure relies solely on the CRD accumulator, it is essential that the CRD charging water header remain pressurized. This Special Operations LCO then allows changing the Table 1.1-1 reactor mode switch position requirements to include the startup/hot standby position, such that the SDM tests may be performed while in MODE 5.

APPLICABILITY These SDM test Special Operations requirements are only applicable if the SDM tests are to be performed while in MODE 5. Additional requirements during these tests to enforce control rod withdrawal sequences and restrict other CORE ALTERATIONS provide protection against potential reactivity excursions. Operations in all other MODES are unaffected by this LCO.

ACTIONS A.1 With one or more control rods discovered uncoupled during this Special Operation, a controlled insertion of each uncoupled control rod is required; either to attempt recoupling, or to preclude a control rod drop. This controlled insertion is preferred since, if the control rod fails to follow the drive as it is withdrawn (i.e., is "stuck" in an inserted position), placing the reactor mode switch in the shutdown position per Required Action B.1 could cause substantial secondary damage. If recoupling is not accomplished, operation may continue, provided the control rods are fully inserted within 3 hours0.125 days 0.0179 weeks 0.00411 months and disarmed (electrically or hydraulically) within 4 hours0.167 days 0.0238 weeks 0.00548 months . Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations.

The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids.

Required Action A.1 is modified by a Note that allows the RWM to be bypassed if required to allow insertion of the (continued)

B 3.10.8-3 Revision 0 JAFNPP

SDM Test -Refueling B 3.10.8 BASES ACTIONS A.1 (continued) inoperable control rods and continued operation.

LCO 3.3.2.1, "Control Rod Block Instrumentation," Actions provide additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.

The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems.

Condition A is modified by a Note allowing separate Condition entry for each uncoupled control rod. This is acceptable since the Required Actions for this Condition provide appropriate compensatory actions for each uncoupled control rod. Complying with the Required Actions may allow for continued operation. Subsequent uncoupled control rods are governed by subsequent entry into the Condition and application of the Required Actions.

B.1 With one or more of the requirements of this LCO not met for reasons other than an uncoupled control rod, the testing should be immediately stopped by placing the reactor mode switch in the shutdown or refuel position. This results in a condition that is consistent with the requirements for MODE 5 where the provisions of this Special Operations LCO are no longer required.

SURVEILLANCE SR 3.10.8.1, SR 3.10.8.2, and SR 3.10.8.3 REQUIREMENTS LCO 3.3.1.1, Functions 2.a and 2.d, made applicable in this Special Operations LCO, are required to have applicable Surveillances met to establish that this Special Operations LCO is being met (SR 3.10.8.1). However, the control rod withdrawal sequences during the SDM tests may be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2 requirements) or by a second licensed operator (Reactor Operator or Senior Operator) or other qualified member of the technical staff (i.e., reactor engineer). As noted, either the applicable SRs for the RWM (LCO 3.3.2.1) must be satisfied according to the applicable Frequencies (SR 3.10.8.2), or the proper movement of control rods must be verified (SR 3.10.8.3).

(continued)

JAFNPP B 3.10.8-4 Revision 0

SDM Test -Refueling B 3.10.8 BASES SURVEILLANCE SR 3.10.8.1, SR 3.10.8.2, and SR 3.10.8.3 (continued)

REQUIREMENTS This latter verification (i.e., SR 3.10.8.3) must be performed during control rod movement to prevent deviations from the specified sequence. These Surveillances provide adequate assurance that the specified test sequence is being followed.

SR 3.10.8.4 Periodic verification of the administrative controls established by this LCO will ensure that the reactor is operated within the bounds of the safety analysis. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is intended to provide appropriate assurance that each operating shift is aware of and verifies compliance with these Special Operations LCO requirements.

SR 3.10.8.5 Coupling verification is performed to ensure the control rod is connected to the control rod drive mechanism and will perform its intended function when necessary. The verification is required to be performed any time a control rod is withdrawn to the "full-out" notch position, or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved as well as operating experience related to uncoupling events.

SR 3.10.8.6 CRD charging water header pressure verification is performed to ensure the motive force is available to scram the control rods in the event of a scram signal. Since the reactor is depressurized in MODE 5, there is insufficient reactor pressure to scram the control rods. Verification of charging water header pressure ensures that if a scram were to be required, capability for rapid control rod insertion would exist. The minimum charging water header pressure of 940 psig is well below the expected pressure of 1390 to 1580 psig, while still ensuring sufficient pressure for rapid control rod insertion. The 7 day Frequency has been shown to be acceptable through operating experience and takes into account indications available in the control room.

(continued)

JAFNPP B 3.10.8-5 Revision 0

SDM Test- Refueling B 3.10.8 BASES (continued)

REFERENCES 1. UFSAR, Section 14.6.1.2.

2. UFSAR, Section 14.6.3.