ML021750549

Part 3 of 3 - James A. FitzPatrick Nuclear Power Plant, Technical Specifications Bases (License Amendment) as Part of Conversion to Improved Standard Technical Specifications
Site: FitzPatrick
Issue date: 06/12/2002
From: Entergy Nuclear Operations
To: Document Control Desk, Office of Nuclear Reactor Regulation


Text

Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.7 BASES (continued)

REFERENCES
1. UFSAR, Section 14.6.1.3.3.
2. UFSAR, Section 5.2.3.6.
3. UFSAR, Section 5.2.4.2.
4. Preliminary Hazards Summary Report, Bodega Bay Atomic Park Unit Number 1, Docket No. 50-205, Appendix I, December 28, 1962.
5. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.6.1.7-6 Revision 0

B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.8 Main Steam Leakage Collection (MSLC) System

BASES

BACKGROUND The MSLC System supplements the isolation function of the MSIVs by processing the fission products that could leak through the closed MSIVs after a Design Basis Accident (DBA) loss of coolant accident (LOCA).

The MSLC System consists of two independent and redundant subsystems. Each subsystem collects leakage from the stem packing of all four outboard main steam isolation valves (MSIVs) and downstream of all outboard MSIVs. Each subsystem consists of valves, controls and piping which can be aligned to the Standby Gas Treatment (SGT) System for processing. During operation, the SGT System maintains sufficient negative pressure to provide the MSLC System flow required to ensure that all postulated leakage is collected and processed (Ref. 1). While both the stem packing and the downstream portion of each subsystem contribute to reducing uncontrolled or untreated MSIV leakage, the downstream portion performs the primary function of the MSLC System to collect and process the leakage across the MSIV seats. The downstream portion is provided with interlocks to prevent inadvertent operation of the system during normal operation and to prevent improper system lineup during accident conditions.

Each downstream portion of the MSLC subsystems includes a remote manual isolation valve, an automatic isolation valve, and a backup automatic isolation valve. A pressure switch which monitors MSLC System piping pressure is provided for each automatic isolation valve. These pressure switches act to prevent the opening of the valves and to automatically close the valves on high pressure. The pressure switches will indicate low pressure during normal plant operation since the remote manual isolation valves will isolate the pressure switches from main steam pressure. The operator initiates the operation of the stem packing portion of the MSLC subsystem by opening the associated remote manual isolation valve. The operator initiates operation of the downstream portion of each MSLC subsystem by first opening the associated remote manual isolation valve. The operator then places the control switch associated with the automatic isolation valves to open. If the MSLC System pressure is greater than 16 psig the valves will remain shut and automatically open at or below 16 psig.

The MSLC System is manually initiated approximately 20 minutes following a DBA LOCA (Ref. 2).

APPLICABLE SAFETY ANALYSES The MSLC System mitigates the consequences of a DBA LOCA by ensuring that fission products that may leak from the closed MSIVs are diverted to and filtered by the SGT System. The operation of the MSLC System prevents a release of untreated leakage for this type of event.

The MSLC System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO One MSLC subsystem can provide the required processing of the MSIV leakage. To ensure that this capability is available, assuming worst case single failure, two MSLC subsystems must be OPERABLE.

APPLICABILITY In MODES 1, 2, and 3, a DBA could lead to a fission product release to primary containment. Therefore, MSLC System OPERABILITY is required during these MODES. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the MSLC System OPERABLE is not required in MODE 4 or 5 to ensure MSIV leakage is processed.

ACTIONS A.1 With one MSLC subsystem inoperable, the inoperable MSLC subsystem must be restored to OPERABLE status within 30 days. In this Condition, the remaining OPERABLE MSLC subsystem is adequate to perform the required leakage control function. However, the overall reliability is reduced because a single failure in the remaining subsystem could result in a total loss of MSIV leakage control function. The 30 day Completion Time is based on the redundant capability afforded by the remaining OPERABLE MSLC subsystem and the low probability of a DBA LOCA occurring during this period.

B.1 With two MSLC subsystems inoperable, at least one subsystem must be restored to OPERABLE status within 7 days. The 7 day Completion Time is based on the low probability of the occurrence of a DBA LOCA.

C.1 and C.2 If the MSLC subsystem cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.6.1.8.1 Verifying the correct alignment for manual, power operated, and automatic valves in the MSLC System flow path provides assurance that the proper flow path exists for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the MSLC System is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Frequency of 31 days is justified because the valves are operated under procedural control, improper valve position would affect only a single subsystem, the probability of an event requiring initiation of the system is low, and the subsystem is a manually initiated system. This Frequency has been shown to be acceptable based on operating experience.

SR 3.6.1.8.2 A system functional test is performed to ensure that the MSLC System will operate through its operating sequence. This includes verifying that the automatic positioning of the valves and the operation of each interlock are correct.

While this Surveillance can be performed with the reactor at power, operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES
1. UFSAR, Section 9.19.
2. Regulatory Guide 1.96, Revision 1, Design Of Main Steam Isolation Valve Leakage Control Systems For Boiling Water Reactor Nuclear Power Plants, June 1976.
3. 10 CFR 50.36(c)(2)(ii).

B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.9 Residual Heat Removal (RHR) Containment Spray System

BASES

BACKGROUND The primary containment is designed with a suppression pool so that, in the event of a loss of coolant accident (LOCA), steam released from the primary system is channeled through the suppression pool water and condensed without producing significant pressurization of the primary containment. The primary containment is designed so that with the pool initially at the minimum water volume and the worst single active failure of the primary containment heat removal systems, suppression pool energy absorption combined with subsequent operator controlled pool cooling will prevent the primary containment pressure from exceeding its design value. However, the primary containment must also withstand a postulated bypass leakage pathway that allows the passage of steam from the drywell directly into the suppression chamber airspace, bypassing the suppression pool. The RHR Containment Spray System is designed to mitigate the effects of bypass leakage and to prevent the drywell temperature from exceeding its design value of 309°F (Ref. 1) for a significant period of time and to ensure the safety equipment can perform its associated function during a design basis event.

There are two redundant, 100% capacity RHR containment spray subsystems. Each subsystem consists of a suction line from the suppression pool, two RHR pumps, a heat exchanger, and its associated spray header embedded in and protected by the primary shield wall located in the drywell and to a common spray header suspended in the suppression chamber above the minimum water level.

The RHR containment spray mode may be manually initiated, if required, following a LOCA, according to emergency procedures.

APPLICABLE SAFETY ANALYSES Reference 2 contains the results of analyses that predict the primary containment pressure response for a LOCA with the maximum allowable bypass leakage area.

The maximum allowable equivalent flow path area for bypass leakage has been specified to be 0.032 ft². The analysis demonstrates that with containment spray operation the primary containment pressure remains within design limits.

Steam line breaks have been analyzed to develop a drywell air temperature history for use in equipment qualification (Refs. 3 and 4). The RHR containment sprays are assumed to be initiated at a minimum time of 10 minutes. The RHR containment spray flow rates were assumed to be 7,150 gpm for drywell sprays and 600 gpm for suppression chamber sprays. The highest air temperature envelope is 335°F for the first 300 seconds and this is as a result of a 0.75 ft² steam line break (Ref. 4). The analysis (Ref. 4) concluded containment design temperature is not exceeded since drywell spray activation will terminate any further rise in drywell air temperature.

The RHR Containment Spray System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO In the event of a Design Basis Accident (DBA), a minimum of one RHR containment spray subsystem is required to mitigate potential bypass leakage paths and maintain the primary containment peak pressure and temperature below design limits. To ensure that these requirements are met, two RHR containment spray subsystems must be OPERABLE. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR containment spray subsystem is OPERABLE when one of the pumps, the heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE.

APPLICABILITY In MODES 1, 2, and 3, a DBA could cause pressurization and heating of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES.

Therefore, maintaining RHR containment spray subsystems OPERABLE is not required in MODE 4 or 5.

ACTIONS A.1 With one RHR containment spray subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE RHR containment spray subsystem is adequate to perform the primary containment cooling function. However, the overall reliability is reduced because a single active failure in the OPERABLE subsystem could result in reduced primary containment cooling capability. The 7 day Completion Time was chosen in light of the redundant RHR containment capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period.

B.1 With two RHR containment spray subsystems inoperable, one subsystem must be restored to OPERABLE status within 8 hours. In this Condition, there is a substantial loss of the primary containment bypass leakage and temperature mitigation function. The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the low probability of a DBA and because alternative methods to remove heat from primary containment are available.

C.1 and C.2 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.6.1.9.1 Verifying the correct alignment for manual, power operated, and automatic valves in the RHR containment spray mode flow path provides assurance that the proper flow paths will exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR Containment Spray System is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency of this SR is justified because the valves are operated under procedural control and because improper valve position would affect only a single subsystem. This Frequency has been shown to be acceptable based on operating experience.

SR 3.6.1.9.2 Verifying each required RHR pump develops a flow rate ≥ 7750 gpm while operating in the suppression pool cooling mode with flow through the associated heat exchanger ensures that pump performance has not degraded during the cycle. It is tested in the pool cooling mode to demonstrate pump OPERABILITY without spraying down equipment in the drywell.

Flow is a normal test of centrifugal pump performance required by the ASME Code, Section XI (Ref. 6). This test confirms one point on the pump performance curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.

SR 3.6.1.9.3 This Surveillance is performed every 10 years by introduction of air to verify that the spray nozzles are not obstructed and that flow will be provided when required.

The 10 year Frequency is adequate to detect degradation in performance due to the passive nozzle design and its normally dry state and has been shown to be acceptable through operating experience.

REFERENCES
1. UFSAR, Table 5.2-1.
2. UFSAR, Section 5.2.4.4.
3. UFSAR, Section 14.6.
4. GE-NE-T23-00737-01, James A. FitzPatrick Nuclear Power Plant Higher RHR Service Water Temperature Analysis, August 1996.
5. 10 CFR 50.36(c)(2)(ii).
6. ASME, Boiler and Pressure Vessel Code, Section XI.

B 3.6 CONTAINMENT SYSTEMS

B 3.6.2.1 Suppression Pool Average Temperature

BASES

BACKGROUND The suppression chamber is a toroidal shaped, steel pressure vessel containing a volume of water called the suppression pool. The suppression pool is designed to absorb the decay heat and sensible energy released during a reactor blowdown from safety/relief valve discharges or from Design Basis Accidents (DBAs). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment that ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (62 psig). The suppression pool must also condense steam from steam exhaust lines in the turbine driven systems (i.e., the High Pressure Coolant Injection System and Reactor Core Isolation Cooling System). Suppression pool average temperature (along with LCO 3.6.2.2, "Suppression Pool Water Level") is a key indication of the capacity of the suppression pool to fulfill these requirements.

The technical concerns that lead to the development of suppression pool average temperature limits are as follows:

a. Complete steam condensation;
b. Primary containment peak pressure and temperature;
c. Condensation oscillation loads; and
d. Chugging loads.

APPLICABLE SAFETY ANALYSES The postulated DBA against which the primary containment performance is evaluated is the entire spectrum of postulated pipe breaks within the primary containment.

Inputs to the safety analyses include initial suppression pool temperature (Reference 1 for LOCAs and References 2 and 3 for the pool temperature analyses required by Reference 4). An initial pool temperature of 95°F is assumed for the References 1, 2, and 3 analyses. Reactor shutdown at a pool temperature of 110°F and vessel depressurization at a pool temperature of 120°F were cases addressed as part of the pool temperature analyses of Reference 2. The limiting case of rapid depressurization from isolated Hot Shutdown (reactor scram and main steam isolation valve closure, with initial pool temperature of 95°F) with assumed loss of one residual heat removal loop (Reference 2) was addressed as part of the analyses of Reference 3. The limit of 105°F, at which testing is terminated, is not used in the safety analyses because DBAs are assumed to not initiate during plant testing.

Suppression pool average temperature satisfies Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO A limitation on the suppression pool average temperature is required to provide assurance that the containment conditions assumed for the safety analyses are met. This limitation ensures that peak primary containment pressures and temperatures do not exceed maximum allowable values during a postulated DBA or any transient resulting in heatup of the suppression pool. The LCO requirements are:

a. Average temperature ≤ 95°F with THERMAL POWER > 1% RTP and no testing that adds heat to the suppression pool is being performed. This requirement ensures that licensing bases initial conditions are met.
b. Average temperature ≤ 105°F with THERMAL POWER > 1% RTP and testing that adds heat to the suppression pool is being performed. This required value ensures that the plant has testing flexibility, and was selected to provide margin below the 110°F limit at which reactor shutdown is required. When testing ends, temperature must be restored to ≤ 95°F within 24 hours according to Required Action A.2. Therefore, the time period that the temperature is > 95°F is short enough not to cause a significant increase in plant risk.
c. Average temperature ≤ 110°F with THERMAL POWER ≤ 1% RTP. This requirement ensures that the plant will be shut down at > 110°F. The pool is designed to absorb decay heat and sensible heat but could be heated beyond design limits by the steam generated if the reactor is not shut down.

Indication of 1% RTP varies with plant conditions and can be determined by more than one method. When at or near normal operating temperature, Reactor Coolant System (RCS) losses such as the Reactor Water Cleanup System, steam line drains and insulation inefficiency are approximately 1% RTP or less and reactor power level can be observed on the intermediate range monitor (IRM) Instrumentation. At this condition 25/40 divisions of full scale on IRM Range 7 is a convenient measure of reactor power essentially equivalent to 1% RTP. At 1% RTP, heat input is approximately equal to normal system heat losses. When RCS temperature is significantly below the normal operating temperature, maintaining reactor power level at or below the "point of adding heat" maintains power level well below 1% RTP.

APPLICABILITY In MODES 1, 2, and 3, a DBA could cause significant heatup of the suppression pool. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES.

Therefore, maintaining suppression pool average temperature within limits is not required in MODE 4 or 5.

ACTIONS A.1 and A.2 With the suppression pool average temperature above the specified limit when not performing testing that adds heat to the suppression pool and when above the specified power indication, the initial conditions exceed the conditions assumed for the References 1, 2, and 3 analyses. However, primary containment cooling capability still exists, and the primary containment pressure suppression function will occur at temperatures well above those assumed for safety analyses. Therefore, continued operation is allowed for a limited time. The 24 hour Completion Time is adequate to allow the suppression pool average temperature to be restored below the limit. Additionally, when suppression pool temperature is > 95°F, increased monitoring of the suppression pool temperature is required to ensure that it remains ≤ 110°F. The once per hour Completion Time is adequate based on past experience, which has shown that pool temperature increases relatively slowly except when testing that adds heat to the suppression pool is being performed.

Furthermore, the once per hour Completion Time is considered adequate in view of other indications in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition.

B.1 If the suppression pool average temperature cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to ≤ 1% RTP within 12 hours. The 12 hour Completion Time is reasonable, based on operating experience, to reduce power from full power conditions in an orderly manner and without challenging plant systems.

C.1 Suppression pool average temperature is allowed to be > 95°F when THERMAL POWER > 1% RTP, and during testing that adds heat to the suppression pool. However, if the temperature is > 105°F, all testing must be immediately suspended to preserve the heat absorption capability of the suppression pool. With the testing suspended, Condition A is entered and the Required Actions and associated Completion Times are applicable.

D.1, D.2, and D.3 Suppression pool average temperature > 110°F requires that the reactor be shut down immediately. This is accomplished by placing the reactor mode switch in the shutdown position.

Further cooldown to Mode 4 within 36 hours is required at normal cooldown rates (provided pool temperature remains ≤ 120°F). Additionally, when suppression pool temperature is > 110°F, increased monitoring of pool temperature is required to ensure that it remains ≤ 120°F. The once per 30 minute Completion Time is adequate, based on operating experience. Given the high suppression pool average temperature in this Condition the monitoring Frequency is increased to twice that of Condition A. Furthermore, the 30 minute Completion Time is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition.

E.1 and E.2 If suppression pool average temperature cannot be maintained at ≤ 120°F, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the reactor pressure must be reduced to < 200 psig within 12 hours, and the plant must be brought to at least MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Continued addition of heat to the suppression pool with suppression pool temperature > 120°F could result in exceeding the design basis maximum allowable values for primary containment temperature or pressure. Furthermore, if a blowdown were to occur when the temperature was > 120°F, the maximum allowable bulk and local temperatures could be exceeded very quickly.

SURVEILLANCE REQUIREMENTS SR 3.6.2.1.1 The suppression pool average temperature is regularly monitored to ensure that the required limits are satisfied. The LCO 3.3.3.1, "Post Accident Monitoring (PAM) Instrumentation," Bases contains a description of the suppression pool temperature monitoring system. The 24 hour Frequency has been shown, based on operating experience, to be acceptable. When heat is being added to the suppression pool by testing, however, it is necessary to monitor suppression pool temperature more frequently. The 5 minute Frequency during testing is justified by the rates at which tests will heat up the suppression pool, has been shown to be acceptable based on operating experience, and provides assurance that allowable pool temperatures are not exceeded.

The Frequencies are further justified in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition.

REFERENCES
1. UFSAR, Section 14.6.1.3.3.
2. NEDC-24361-P, James A. FitzPatrick Nuclear Power Plant Suppression Pool Temperature Response, August 1981.
3. GE-NE-T23-00737-01, James A. FitzPatrick Nuclear Power Plant Higher RHR Service Water Temperature Analysis, August 1996.
4. Letter from R. W. Reid (NRC) to G. T. Berry (NYPA), Request for Additional Information Regarding Suppression Pool Temperature Transients, December 9, 1977.
5. 10 CFR 50.36(c)(2)(ii).

B 3.6 CONTAINMENT SYSTEMS

B 3.6.2.2 Suppression Pool Water Level

BASES

BACKGROUND The suppression chamber is a toroidal shaped, steel pressure vessel containing a volume of water called the suppression pool. The suppression pool is designed to absorb the energy associated with decay heat and sensible heat released during a reactor blowdown from safety/relief valve (S/RV) discharges or from a Design Basis Accident (DBA). The suppression pool must quench all the steam released through the Mark I Vent System downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment, which ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (62 psig). The suppression pool must also condense steam from the steam exhaust lines in the turbine driven systems (i.e., High Pressure Coolant Injection (HPCI) System and Reactor Core Isolation Cooling (RCIC) System) and provides the main emergency water supply source for the reactor vessel. The suppression pool volume ranges between approximately 105,900 ft³ at the low water level limit of 13.88 ft and 107,400 ft³ at the high water level limit of 14 ft.

If the suppression pool water level is too low, an insufficient amount of water would be available to adequately condense the steam from the S/RV quenchers, drywell vents, or HPCI and RCIC turbine exhaust lines. Low suppression pool water level could also result in an inadequate emergency makeup water source to the Emergency Core Cooling System. The lower volume would also absorb less steam energy before heating up excessively. Therefore, a minimum suppression pool water level is specified.

If the suppression pool water level is too high, it could result in excessive clearing loads from S/RV discharges and excessive pool swell loads during a DBA LOCA. Therefore, a maximum pool water level is specified. This LCO specifies an acceptable range to prevent the suppression pool water level from being either too high or too low.

APPLICABLE SAFETY ANALYSES Initial suppression pool water level affects suppression pool temperature response calculations, calculated drywell pressure during vent system downcomer clearing for a DBA, calculated pool swell loads for a DBA LOCA, and calculated loads due to S/RV discharges. Suppression pool water level must be maintained within the limits specified so that the safety analyses of References 1 and 2 remain valid.

Suppression pool water level satisfies Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO A limit that suppression pool water level be ≥ 13.88 ft and ≤ 14 ft is required to ensure that the primary containment conditions assumed for the safety analyses are met. Either the high or low water level limits were used in the safety analyses, depending upon which is more conservative for a particular calculation.

The LCO is modified by a note which states that the LCO is not required to be met up to four hours during Surveillances that cause suppression pool water level to be outside of limits. These Surveillances include required OPERABILITY testing of the High Pressure Coolant Injection System, the Reactor Core Isolation Cooling System, the suppression chamber-to-drywell vacuum breakers, the Core Spray System and the Residual Heat Removal System. The 4 hour allowance is adequate to perform the Surveillances and to restore the suppression pool water level to within limits.

APPLICABILITY In MODES 1, 2, and 3, a DBA would cause significant loads on the primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. The requirement for maintaining suppression pool water level within limits in MODE 4 or 5 is addressed in LCO 3.5.2, "ECCS - Shutdown."

ACTIONS A.1 With suppression pool water level outside the limits, the conditions assumed for the safety analyses are not met. If water level is below the minimum level, the pressure suppression function still exists as long as the vent system downcomer lines are covered, HPCI and RCIC turbine exhausts are covered, and S/RV quenchers are covered. If suppression pool water level is above the maximum level, protection against overpressurization still exists due to the margin in the peak containment pressure analysis and the capability of the Residual Heat Removal Containment Spray System.


Therefore, continued operation for a limited time is allowed. The 2 hour Completion Time is sufficient to restore suppression pool water level to within limits. Also, it takes into account the low probability of an event requiring the suppression pool water level to be within limits occurring during this interval.

B.1 and B.2 If suppression pool water level cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.6.2.2.1 Verification of the suppression pool water level is to ensure that the required limits are satisfied. The 24 hour Frequency has been shown to be acceptable based on operating experience. Furthermore, the 24 hour Frequency is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool water level condition.

REFERENCES 1. UFSAR, Section 14.6.1.3.3.

2. GE-NE-T23-00737-01, James A. FitzPatrick Nuclear Power Plant Higher RHR Service Water Temperature Analysis, August 1996.
3. 10 CFR 50.36(c)(2)(ii).


RHR Suppression Pool Cooling B 3.6.2.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling BASES BACKGROUND Following a Design Basis Accident (DBA), the RHR Suppression Pool Cooling System removes heat from the suppression pool.

The suppression pool is designed to absorb the sudden input of heat from the primary system. In the long term, the pool continues to absorb residual heat generated by fuel in the reactor core. Some means must be provided to remove heat from the suppression pool so that the temperature inside the primary containment remains within design limits. This function is provided by two redundant RHR suppression pool cooling subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES.

Each RHR suppression pool cooling subsystem (loop) contains two pumps and one heat exchanger and is manually initiated and independently controlled. The two subsystems perform the suppression pool cooling function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool. RHR service water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the ultimate heat sink.

The heat removal capability of one RHR pump is sufficient to meet the overall DBA pool cooling requirement for loss of coolant accidents (LOCAs) and transient events such as a turbine trip or stuck open safety/relief valve (S/RV). S/RV leakage, High Pressure Coolant Injection System and Reactor Core Isolation Cooling System testing increase suppression pool temperature more slowly. The RHR Suppression Pool Cooling System is also used to lower the suppression pool water bulk temperature following such events. The RHR Suppression Pool Cooling System also ensures adequate net positive suction head (NPSH) is available for the Emergency Core Cooling System pumps.

APPLICABLE SAFETY ANALYSES References 1 and 2 contain the results of analyses used to predict primary containment pressure and temperature following large and small break LOCAs. References 2 and 3 contain the results of analyses used to predict local and bulk suppression pool temperatures following certain events including small break LOCAs and a stuck open S/RV. The analyses indicate that the heat removal capacity of the RHR Suppression Pool Cooling System is adequate to maintain the primary containment conditions within design limits. The suppression pool temperature is calculated to remain below the design limit.

The RHR Suppression Pool Cooling System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO Following a DBA, a minimum of one RHR suppression pool cooling subsystem is required to maintain the primary containment peak pressure and temperature below design limits (Ref. 3). To ensure that these requirements are met, two RHR suppression pool cooling subsystems must be OPERABLE with power from two safety related redundant power supplies.

Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active component failure. An RHR suppression pool cooling subsystem is OPERABLE when one of the pumps, the heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE.

APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment and cause a heatup and pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, the RHR Suppression Pool Cooling System is not required to be OPERABLE in MODE 4 or 5.

ACTIONS A.1 With one RHR suppression pool cooling subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining RHR suppression pool cooling subsystem is adequate to perform the primary containment cooling function. However, the overall reliability is reduced because a single active component failure in the OPERABLE subsystem could result in reduced primary containment cooling capability. The 7 day Completion Time is acceptable in light of the redundant RHR suppression pool cooling capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period.

B.1 With two RHR suppression pool cooling subsystems inoperable, one subsystem must be restored to OPERABLE status within 8 hours. In this condition, there is a substantial loss of the primary containment pressure and temperature mitigation function. The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the low probability of a DBA and the potential avoidance of a plant shutdown transient that could result in the need for the RHR suppression pool cooling subsystems to operate.

C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.6.2.3.1 Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool cooling mode flow path provides assurance that the proper flow path exists for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR suppression pool cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Frequency of 31 days is justified because the valves are operated under procedural control, improper valve position would affect only a single subsystem, the probability of an event requiring initiation of the system is low, and the system is a manually initiated system. This Frequency has been shown to be acceptable based on operating experience.

SR 3.6.2.3.2 Verifying that each required RHR pump develops a flow rate ≥ 7700 gpm while operating in the suppression pool cooling mode with flow through the associated heat exchanger ensures that pump performance has not degraded during the cycle.

Flow is a normal test of centrifugal pump performance required by ASME Code, Section XI (Ref. 5). This test confirms one point on the pump performance curve, and the results are indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.

REFERENCES 1. UFSAR, Section 14.6.1.3.3.

2. GE-NE-T23-00737-01, James A. FitzPatrick Nuclear Power Plant Higher RHR Service Water Temperature Analysis, August 1996.
3. NEDC-24361-P, James A. FitzPatrick Nuclear Power Plant Suppression Pool Temperature Response, August 1981.
4. 10 CFR 50.36(c)(2)(ii).
5. ASME, Boiler and Pressure Vessel Code, Section XI.


Drywell-to-Suppression Chamber Differential Pressure B 3.6.2.4 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.4 Drywell-to-Suppression Chamber Differential Pressure BASES BACKGROUND The toroidal shaped suppression chamber, which contains the suppression pool, is connected to the drywell (part of the primary containment) by eight drywell vent pipes. The drywell vent pipes exhaust into a continuous vent header, from which 96 downcomer pipes extend into the suppression pool. The downcomer pipe exits are approximately 4 ft below the minimum suppression pool water level required by LCO 3.6.2.2, "Suppression Pool Water Level." During a loss of coolant accident (LOCA), the increasing drywell pressure will force the waterleg in the downcomer pipes into the suppression pool at substantial velocities as the "blowdown" phase of the event begins. The length of the waterleg has a significant effect on the resultant primary containment pressures and loads.

APPLICABLE SAFETY ANALYSES The purpose of maintaining the drywell at a slightly higher pressure with respect to the suppression chamber is to minimize the drywell pressure increase necessary to clear the downcomer pipes to commence condensation of steam in the suppression pool and to minimize the mass of the accelerated downcomer waterleg. This reduces the hydrodynamic loads on the torus during the LOCA blowdown (Ref. 1). The required differential pressure results in a downcomer waterleg of 0.37 ft to 0.49 ft.

Initial drywell-to-suppression chamber differential pressure affects both the dynamic pool loads on the suppression chamber and the peak drywell pressure during downcomer pipe clearing during a Design Basis LOCA. Drywell-to-suppression chamber differential pressure must be maintained within the specified limits so that the safety analysis remains valid.

Drywell-to-suppression chamber differential pressure satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO A drywell-to-suppression chamber differential pressure limit of 1.7 psi is required to ensure that the containment conditions assumed in the safety analyses are met. A drywell-to-suppression chamber differential pressure of 1.7 psi corresponds to a downcomer water leg of 0.37 ft to 0.49 ft if suppression pool level is within the limits specified in LCO 3.6.2.2. Failure to maintain the required differential pressure could result in excessive forces on the suppression chamber due to higher water clearing loads from downcomer pipes and higher pressure buildup in the drywell.

The LCO is modified by a Note which states that the LCO is not required to be met up to four hours during Surveillances that cause or require drywell-to-suppression chamber differential pressure to be outside of limits. These Surveillances include required OPERABILITY testing of the High Pressure Coolant Injection System, the Reactor Core Isolation Cooling System, and the suppression chamber-to-drywell vacuum breakers. The 4 hour allowance is adequate to perform the Surveillances and to restore the drywell-to-suppression chamber differential pressure to within limits.

APPLICABILITY Drywell-to-suppression chamber differential pressure must be controlled when the primary containment is inert. The primary containment must be inert in MODE 1, since this is the condition with the highest probability for an event that could produce hydrogen. It is also the condition with the highest probability of an event that could impose large loads on the primary containment.

Inerting primary containment is an operational problem because it prevents primary containment access without an appropriate breathing apparatus. Therefore, the primary containment is inerted as late as possible in the plant startup and is de-inerted as soon as possible in the plant shutdown. As long as reactor power is < 15% RTP, the probability of an event that generates hydrogen or excessive loads on primary containment occurring within the first 24 hours following a startup or within the last 24 hours prior to a shutdown is low enough that these "windows," with the primary containment not inerted, are also justified.

The 24 hour time period is a reasonable amount of time to allow plant personnel to perform inerting or de-inerting.

ACTIONS A.1 If drywell-to-suppression chamber differential pressure is not within the limit, the conditions assumed in the safety analyses are not met and the differential pressure must be restored to within the limit within 8 hours. The 8 hour Completion Time provides sufficient time to restore differential pressure to within limit and takes into account the low probability of an event that would create excessive suppression chamber loads occurring during this time period.

B.1 If the differential pressure cannot be restored to within limits within the associated Completion Time, the plant must be placed in a MODE in which the LCO does not apply. This is done by reducing power to ≤ 15% RTP within 12 hours. The 12 hour Completion Time is reasonable, based on operating experience, to reduce reactor power from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.6.2.4.1 The drywell-to-suppression chamber differential pressure is regularly monitored to ensure that the required limits are satisfied. The 12 hour Frequency of this SR was developed based on operating experience relative to differential pressure variations during applicable MODES. Furthermore, the 12 hour Frequency is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal pressure condition.

REFERENCES 1. UFSAR, Section 5.2.3.3.

2. 10 CFR 50.36(c)(2)(ii).


Primary Containment Oxygen Concentration B 3.6.3.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.3.1 Primary Containment Oxygen Concentration BASES BACKGROUND The primary containment is designed to withstand events that generate hydrogen either due to the zirconium metal water reaction in the core or due to radiolysis of reactor coolant. The primary method to control hydrogen is to inert the primary containment with nitrogen gas. With the primary containment inert, that is, oxygen concentration < 4.0 volume percent (v/o), a combustible mixture cannot be present in the primary containment for any hydrogen concentration. The capability to inert the primary containment and maintain oxygen < 4.0 v/o works together with the Containment Atmosphere Dilution (CAD) System to mitigate events that produce hydrogen and oxygen. For example, an event that rapidly generates hydrogen from zirconium metal water reaction will result in excessive hydrogen in primary containment, but oxygen concentration will remain < 4.0 v/o and no combustion can occur. Long term generation of both hydrogen and oxygen from radiolytic decomposition of water is controlled by the CAD System.

This LCO ensures that oxygen concentration does not exceed 4.0 v/o during operation in the applicable conditions.

APPLICABLE SAFETY ANALYSES The Reference 1 calculations assume that the primary containment is inerted when a Design Basis loss of coolant accident (LOCA) occurs. Thus, the hydrogen assumed to be released to the primary containment as a result of metal water reaction in the reactor core will not produce combustible gas mixtures in the primary containment.

Oxygen, which is subsequently generated by radiolytic decomposition of water, is controlled by the CAD System.

Primary containment oxygen concentration satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO The primary containment oxygen concentration is maintained < 4.0 v/o to ensure that an event that produces any amount of hydrogen does not result in a combustible mixture inside primary containment.

APPLICABILITY The primary containment oxygen concentration must be within the specified limit when primary containment is inerted, except as allowed by the relaxations during startup and shutdown addressed below. The primary containment must be inert in MODE 1, since this is the condition with the highest probability of an event that could produce hydrogen.

Inerting the primary containment is an operational problem because it prevents containment access without an appropriate breathing apparatus. Therefore, the primary containment is inerted as late as possible in the plant startup and de-inerted as soon as possible in the plant shutdown. As long as reactor power is < 15% RTP, the potential for an event that generates significant hydrogen is low and the primary containment need not be inert.

Furthermore, the probability of an event that generates hydrogen occurring within the first 24 hours of a startup, or within the last 24 hours before a shutdown, is low enough that these "windows," when the primary containment is not inerted, are also justified. The 24 hour time period is a reasonable amount of time to allow plant personnel to perform inerting or de-inerting.

ACTIONS A.1 If oxygen concentration is ≥ 4.0 v/o at any time while operating in MODE 1, with the exception of the relaxations allowed during startup and shutdown, oxygen concentration must be restored to < 4.0 v/o within 24 hours. The 24 hour Completion Time is allowed when oxygen concentration is ≥ 4.0 v/o because of the availability of other hydrogen mitigating systems (e.g., the CAD System) and the low probability and long duration of an event that would generate significant amounts of hydrogen occurring during this period.

B.1 If oxygen concentration cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, power must be reduced to ≤ 15% RTP within 8 hours. The 8 hour Completion Time is reasonable, based on operating experience, to reduce reactor power from full power conditions in an orderly manner and without challenging plant systems.


SURVEILLANCE REQUIREMENTS SR 3.6.3.1.1 The primary containment must be determined to be inert by verifying that oxygen concentration is < 4.0 v/o. The 7 day Frequency is based on the slow rate at which oxygen concentration can change and on other indications of abnormal conditions (which would lead to more frequent checking by operators in accordance with plant procedures). Also, this Frequency has been shown to be acceptable through operating experience.

REFERENCES 1. UFSAR, Section 5.2.3.8.

2. 10 CFR 50.36(c)(2)(ii).


CAD System B 3.6.3.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.3.2 Containment Atmosphere Dilution (CAD) System BASES BACKGROUND The CAD System functions to maintain combustible gas concentrations within the primary containment at or below the flammability limits following a postulated loss of coolant accident (LOCA) by diluting hydrogen and oxygen with nitrogen. To ensure that a combustible gas mixture does not occur, oxygen concentration is kept < 4.0 volume percent (v/o).

The CAD System is manually initiated and consists of two independent, 100% capacity subsystems. Each subsystem includes a liquid nitrogen supply tank, ambient vaporizer, electric heater, and connected piping to supply the drywell and suppression chamber volumes. The CAD subsystems are utilized for normal makeup. The CAD subsystems also provide the pneumatic supply requirements of instruments and controls inside the drywell including the long term (100 days) pneumatic supply requirements of the Automatic Depressurization System (ADS) valves and accumulators following a LOCA. In addition, separate lines from each liquid nitrogen storage tank with separate ambient heat exchangers and pressure control valves provide the pneumatic supply for the CAD subsystem pneumatically operated valves. The nitrogen storage tanks each contain ≥ 1400 gal, which is adequate for 3 days of CAD subsystem operation. This provides sufficient time to replenish the tanks for the long term supply requirements.

The CAD System operates in conjunction with emergency operating procedures that are used to reduce primary containment pressure periodically during CAD System operation. This combination results in a feed and bleed approach to maintaining hydrogen and oxygen concentrations below combustible levels.

APPLICABLE SAFETY ANALYSES To evaluate the potential for hydrogen and oxygen accumulation in primary containment following a LOCA, hydrogen and oxygen generation is calculated (as a function of time following the initiation of the accident). The assumptions stated in Reference 1 are used to maximize the amount of hydrogen and oxygen generated. The calculation confirms that when the mitigating systems are actuated in accordance with emergency operating procedures, the peak oxygen concentration in primary containment is < 4.0 v/o (Ref. 2).

Hydrogen and oxygen may accumulate within primary containment following a LOCA as a result of:

a. A metal water reaction between the zirconium fuel rod cladding and the reactor coolant; or
b. Radiolytic decomposition of water in the Reactor Coolant System.

The CAD System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO Two CAD subsystems must be OPERABLE. This ensures operation of at least one CAD subsystem in the event of a worst case single active component failure. Operation of at least one CAD subsystem is designed to maintain primary containment post-LOCA oxygen concentration < 4.0 v/o for 3 days.

APPLICABILITY In MODES 1 and 2, the CAD System is required to maintain the oxygen concentration within primary containment below the flammability limit of 5.0 v/o following a LOCA. This ensures that the relative leak tightness of primary containment is adequate and prevents damage to safety related equipment and instruments located within primary containment.

In MODE 3, both the hydrogen and oxygen production rates and the total amounts produced after a LOCA would be less than those calculated for the Design Basis LOCA. Thus, if the analysis were to be performed starting with a LOCA in MODE 3, the time to reach a flammable concentration would be extended beyond the time conservatively calculated for MODES 1 and 2. The extended time would allow hydrogen removal from the primary containment atmosphere by other means and also allow repair of an inoperable CAD subsystem, if CAD were not available. Therefore, the CAD System is not required to be OPERABLE in MODE 3.

In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to the pressure and temperature limitations of these MODES. Therefore, the CAD System is not required to be OPERABLE in MODES 4 and 5.


ACTIONS A.1 If one CAD subsystem is inoperable, it must be restored to OPERABLE status within 30 days. In this Condition, the remaining OPERABLE CAD subsystem is adequate to perform the oxygen control function. However, the overall reliability is reduced because a single active failure in the OPERABLE subsystem could result in reduced oxygen control capability.

The 30 day Completion Time is based on the low probability of the occurrence of a LOCA that would generate hydrogen and oxygen in amounts capable of exceeding the flammability limit, the amount of time available after the event for operator action to prevent exceeding this limit, and the availability of the OPERABLE CAD subsystem and other hydrogen mitigating systems.

Required Action A.1 has been modified by a Note that indicates that the provisions of LCO 3.0.4 are not applicable. As a result, a MODE change is allowed when one CAD subsystem is inoperable. This allowance is provided because of the low probability of the occurrence of a LOCA that would generate hydrogen and oxygen in amounts capable of exceeding the flammability limit, the low probability of the failure of the OPERABLE subsystem, the amount of time available after a postulated LOCA for operator action to prevent exceeding the flammability limit, and the availability of other hydrogen mitigating systems.

B.1 and B.2 With two CAD subsystems inoperable, the ability to perform the hydrogen control function via alternate capabilities must be verified by administrative means within 1 hour. The alternate hydrogen control capabilities are provided by the Primary Containment Inerting System. The 1 hour Completion Time allows a reasonable period of time to verify that a loss of hydrogen control function does not exist. In addition, the alternate hydrogen control system capability must be verified once per 12 hours thereafter to ensure its continued availability. Both the initial verification and all subsequent verifications may be performed as an administrative check by examining logs or other information to determine the availability of the alternate hydrogen control system. It does not mean to perform the Surveillances needed to demonstrate OPERABILITY of the alternate hydrogen control system. If the ability to perform the hydrogen control function is maintained, continued operation is permitted with two CAD subsystems inoperable for up to 7 days. Seven days is a reasonable time to allow two CAD subsystems to be inoperable because the hydrogen control function is maintained and because of the low probability of the occurrence of a LOCA that would generate hydrogen in amounts capable of exceeding the flammability limit.

C.1 If any Required Action cannot be met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.

The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.6.3.2.1 Verifying that there is ≥ 1400 gal of liquid nitrogen supply in each CAD subsystem will ensure at least 3 days of post LOCA CAD operation. This minimum volume of liquid nitrogen allows sufficient time after an accident to replenish the nitrogen supply for long term inerting. This is verified every 31 days to ensure that the system is capable of performing its intended function when required. The 31 day Frequency is based on operating experience, which has shown 31 days to be an acceptable period to verify the liquid nitrogen supply and on the availability of other hydrogen mitigating systems.

SR 3.6.3.2.2 Verifying the correct alignment for manual, power operated, and automatic valves in each of the CAD subsystem flow paths provides assurance that the proper flow paths exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing.

A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable because the CAD System is manually initiated.

This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The 31 day Frequency is appropriate because the valves are operated under procedural control, improper valve position would only affect a single subsystem, the probability of an event requiring initiation of the system is low, and the system is a manually initiated system.

REFERENCES 1. Safety Guide 7, March 10, 1971.

2. UFSAR, Section 5.2.3.8.3.
3. 10 CFR 50.36(c)(2)(ii).

Secondary Containment B 3.6.4.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.1 Secondary Containment BASES BACKGROUND The function of the secondary containment is to contain, dilute, and hold up fission products that may leak from primary containment following a Design Basis Accident (DBA).

In conjunction with operation of the Standby Gas Treatment (SGT) System and closure of certain valves whose lines penetrate the secondary containment, the secondary containment is designed to reduce the activity level of the fission products prior to release to the environment and to isolate and contain fission products that are released during certain operations that take place inside primary containment, when primary containment is not required to be OPERABLE, or that take place outside primary containment.

The secondary containment is a structure that surrounds the primary containment and is designed to provide secondary containment for postulated loss-of-coolant accidents inside the primary containment. The Secondary Containment also surrounds the refueling facilities and is designed to provide primary containment for the postulated refueling accident. This structure forms a control volume that serves to hold up and dilute the fission products. It is possible for the pressure in the control volume to rise relative to the environmental pressure (e.g., due to pump and motor heat load additions). To prevent ground level exfiltration while allowing the secondary containment to be designed as a conventional structure, the secondary containment requires support systems to maintain the control volume pressure at less than the external pressure. Requirements for these systems are specified separately in LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System."

APPLICABLE SAFETY ANALYSES There are two principal accidents for which credit is taken for secondary containment OPERABILITY. These are a loss of coolant accident (LOCA) (Ref. 1) and a refueling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to each of these limiting events; however, its leak tightness is required to ensure that fission products entrapped within the secondary containment structure will be treated by the SGT System prior to discharge to the environment.

Secondary containment satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO An OPERABLE secondary containment provides a control volume into which fission products that leak from primary containment, or are released from the reactor coolant pressure boundary components located in secondary containment, or are released directly to the secondary containment as a result of a refueling accident, can be processed prior to release to the environment. For the secondary containment to be considered OPERABLE, it must have adequate leak tightness to ensure that the required vacuum can be established and maintained.

APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, secondary containment OPERABILITY is required during the same operating conditions that require primary containment OPERABILITY.

In MODES 4 and 5, the probability and consequences of the LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining secondary containment OPERABLE is not required in MODE 4 or 5 to ensure a control volume, except for other situations for which significant releases of radioactive material can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 If secondary containment is inoperable, it must be restored to OPERABLE status within 4 hours. The 4 hour Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining secondary containment during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring secondary containment OPERABILITY) occurring during periods where secondary containment is inoperable is minimal.

B.1 and B.2 If secondary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1, C.2, and C.3 Movement of irradiated fuel assemblies in the secondary containment, CORE ALTERATIONS, and OPDRVs can be postulated to cause fission product release to the secondary containment. In such cases, the secondary containment is the only barrier to release of fission products to the environment. CORE ALTERATIONS and movement of irradiated fuel assemblies must be immediately suspended if the secondary containment is inoperable.

Suspension of these activities shall not preclude completing an action that involves moving a component to a safe position. Also, action must be immediately initiated to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended.

LCO 3.0.3 is not applicable in MODES 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, Required Action C.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

SURVEILLANCE REQUIREMENTS SR 3.6.4.1.1 This SR ensures that the secondary containment boundary is sufficiently leak tight to preclude exfiltration under expected wind conditions. Momentary transients on the installed instrumentation due to gusty wind conditions are considered acceptable and not cause for failure of this SR.

The 24 hour Frequency of this SR was developed based on operating experience related to secondary containment vacuum variations during the applicable MODES and the low probability of a DBA occurring between surveillances. Furthermore, the 24 hour Frequency is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal secondary containment vacuum condition.

SR 3.6.4.1.2 and SR 3.6.4.1.3 Verifying that secondary containment equipment hatches and one access door in each access opening are closed ensures that the infiltration of outside air of such a magnitude as to prevent maintaining the desired negative pressure does not occur. Verifying that all such openings are closed provides adequate assurance that exfiltration from the secondary containment will not occur. SR 3.6.4.1.2 also requires equipment hatches to be sealed. In this application, the term "sealed" has no connotation of leak tightness. Maintaining secondary containment OPERABILITY requires verifying one door in the access opening is closed.

An access opening contains one inner and one outer door. In some cases, secondary containment access openings are shared such that a secondary containment barrier may have multiple outer doors. The intent is to not breach the secondary containment at any time when secondary containment is required. This is achieved by maintaining the inner or outer portion of the barrier closed at all times. However, all secondary containment access doors are normally kept closed, except when the access opening is being used for entry and exit or when maintenance is being performed on an access opening.

The 31 day Frequency of SR 3.6.4.1.2 is considered adequate, based on operating experience, and in view of strict administrative procedures required to open a hatch. The 31 day Frequency for SR 3.6.4.1.3 has been shown to be adequate, based on operating experience, and in view of local indication of door status and strict administrative procedures required to be followed for entry and exit.

SR 3.6.4.1.4 The SGT System exhausts the secondary containment atmosphere to the environment through appropriate treatment equipment.

To ensure that all fission products released to the secondary containment are treated, SR 3.6.4.1.4 verifies that a pressure in the secondary containment that is less than the lowest postulated pressure external to the secondary containment boundary can be maintained. When the SGT System is operating as designed, the maintenance of secondary containment pressure cannot be accomplished if the secondary containment boundary is not intact. SR 3.6.4.1.4 demonstrates that the pressure in the secondary containment can be maintained ≥ 0.25 inches of vacuum water gauge for 1 hour using one SGT subsystem at a flow rate ≤ 6000 cfm under calm wind conditions. Calm wind conditions will result in little, if any, infiltration to the secondary containment. Therefore, if the test is performed at other wind conditions and the results are acceptable, this test may be considered met. This test method is acceptable since extreme wind conditions are only expected to be present for a few hours a year. The 1 hour test period allows secondary containment to be in thermal equilibrium at steady state conditions. The primary purpose of this SR is to ensure secondary containment boundary integrity. The secondary purpose of this SR is to ensure that the SGT subsystem being tested functions as designed. There is a separate LCO with Surveillance Requirements which serves the primary purpose of ensuring OPERABILITY of the SGT System. This SR need not be performed for each SGT subsystem. The SGT subsystem used for this Surveillance is staggered to ensure that in addition to the requirements of LCO 3.6.4.3, either SGT subsystem will perform this test. The inoperability of the SGT subsystem does not necessarily constitute a failure of this Surveillance relative to the secondary containment OPERABILITY. Operating experience has shown the secondary containment boundary usually passes this Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES 1. UFSAR, Section 14.6.1.3.

2. UFSAR, Section 14.6.1.4.
3. 10 CFR 50.36(c)(2)(ii).

SCIVs B 3.6.4.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs)

BASES BACKGROUND The function of the SCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Refs. 1 and 2). Secondary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that fission products that leak from primary containment following a DBA, or that are released during certain operations when primary containment is not required to be OPERABLE or take place outside primary containment, are maintained within the secondary containment boundary.

The OPERABILITY requirements for SCIVs help ensure that an adequate secondary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. These isolation devices consist of either passive devices or active (automatic) devices. Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), and blind flanges are considered passive devices.

Automatic SCIVs close on a secondary containment isolation signal to establish a boundary for untreated radioactive material within secondary containment following a DBA or other accidents.

Other penetrations are isolated by the use of valves in the closed position or blind flanges.

APPLICABLE SAFETY ANALYSES The SCIVs must be OPERABLE to ensure the secondary containment barrier to fission product releases is established. The principal accidents for which the secondary containment boundary is required are a loss of coolant accident (Ref. 1) and a refueling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to either of these limiting events, but the boundary established by SCIVs is required to ensure that leakage from the primary containment is processed by the Standby Gas Treatment (SGT) System before being released to the environment.

Maintaining SCIVs OPERABLE with isolation times within limits ensures that fission products will remain trapped inside secondary containment so that they can be treated by the SGT System prior to discharge to the environment.

SCIVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO SCIVs form a part of the secondary containment boundary.

The SCIV safety function is related to control of offsite radiation releases resulting from DBAs.

The power operated automatic isolation valves are considered OPERABLE when their isolation times are within limits and the valves actuate on an automatic isolation signal. The valves covered by this LCO, along with their associated stroke times, are listed in Reference 4.

The normally closed isolation valves or blind flanges are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic SCIVs are de-activated and secured in their closed position, and blind flanges are in place. These passive isolation valves or devices are listed in Reference 4.

APPLICABILITY In MODES 1, 2, and 3, a DBA could lead to a fission product release to the primary containment that leaks to the secondary containment. Therefore, the OPERABILITY of SCIVs is required.

In MODES 4 and 5, the probability and consequences of these events are reduced due to pressure and temperature limitations in these MODES. Therefore, maintaining SCIVs OPERABLE is not required in MODE 4 or 5, except for situations under which significant radioactive releases can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3.

ACTIONS The ACTIONS are modified by three Notes. The first Note allows penetration flow paths to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.

The second Note provides clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SCIVs are governed by subsequent Condition entry and application of associated Required Actions.

The third Note ensures appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable SCIV.

A.1 and A.2 In the event that there are one or more penetration flow paths with one SCIV inoperable, the affected penetration flow path(s) must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.

Isolation barriers that meet this criterion are a closed and de-activated automatic SCIV, a closed manual valve, and a blind flange. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available device to secondary containment. The Required Action must be completed within the 8 hour Completion Time. The specified time period is reasonable considering the time required to isolate the penetration, and the probability of a DBA, which requires the SCIVs to close, occurring during this short time is very low.

For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that secondary containment penetrations required to be isolated following an accident, but no longer capable of being automatically isolated, will be in the isolation position should an event occur. The Completion Time of once per 31 days is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low. This Required Action does not require any testing or device manipulation. Rather, it involves verification that the affected penetration remains isolated.

Required Action A.2 is modified by two Notes. Note 1 applies to devices located in high radiation areas and allows them to be verified closed by use of administrative controls.

Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low.

B.1 With two SCIVs in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 4 hours. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.

Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 4 hour Completion Time is reasonable considering the time required to isolate the penetration and the probability of a DBA, which requires the SCIVs to close, occurring during this short time, is very low.

The Condition has been modified by a Note stating that Condition B is only applicable to penetration flow paths with two isolation valves. This clarifies that only Condition A is entered if only one SCIV is inoperable in multiple penetrations.

C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1, D.2, and D.3 If any Required Action and associated Completion Time are not met, the plant must be placed in a condition in which the LCO does not apply. If applicable, CORE ALTERATIONS and the movement of irradiated fuel assemblies in the secondary containment must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must be immediately initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and the subsequent potential for fission product release.

Actions must continue until OPDRVs are suspended.

LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, Required Action D.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving fuel while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

SURVEILLANCE REQUIREMENTS SR 3.6.4.2.1 This SR verifies that each secondary containment manual isolation valve and blind flange that is not locked, sealed, or otherwise secured and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the secondary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those SCIVs in secondary containment that are capable of being mispositioned are in the correct position.

Since these SCIVs are readily accessible to personnel during normal operation and verification of their position is relatively easy, the 31 day Frequency was chosen to provide added assurance that the SCIVs are in the correct positions.

This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.

Two Notes have been added to this SR. The first Note applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these SCIVs, once they have been verified to be in the proper position, is low.

A second Note has been included to clarify that SCIVs that are open under administrative controls are not required to meet the SR during the time the SCIVs are open. These controls consist of stationing a dedicated operator at the controls of the valve who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.

SR 3.6.4.2.2 Verifying that the isolation time of each power operated, automatic SCIV is within limits is required to demonstrate OPERABILITY. The isolation time test ensures that the SCIV will isolate in a time period less than or equal to that assumed in the safety analyses. The Frequency of this SR is 92 days.

SR 3.6.4.2.3 Verifying that each automatic SCIV closes on a secondary containment isolation signal is required to prevent leakage of radioactive material from secondary containment following a DBA or other accidents. This SR ensures that each automatic SCIV will actuate to the isolation position on a secondary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.2, "Secondary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES 1. UFSAR, Section 14.6.1.3.

2. UFSAR, Section 14.6.1.4.
3. 10 CFR 50.36(c)(2)(ii).
4. Technical Requirements Manual.

SGT System B 3.6.4.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.3 Standby Gas Treatment (SGT) System BASES BACKGROUND The SGT System is required by UFSAR, Section 16.6 (Ref. 1).

The function of the SGT System is to ensure that radioactive materials that leak from the primary containment into the secondary containment following a Design Basis Accident (DBA) are filtered and adsorbed prior to exhausting to the environment.

The SGT System consists of two fully redundant subsystems, each with its own set of ductwork, dampers, charcoal filter assembly, centrifugal fan and controls. The SGT subsystems share a common inlet line. The inlet line is connected through separate valved connections to the reactor building above the refuel floor, reactor building below refuel floor, primary containment drywell and suppression chamber, HPCI turbine gland seal exhauster, main steam leak collection system and Auxiliary Gas Treatment System. Both 100% capacity SGT subsystem fans exhaust to the elevated release point (the main stack), through a common exhaust duct. The SGT subsystem fans are designed to automatically start upon a secondary containment isolation signal.

The fan suctions are cross connected by a single line and two normally opened manual cross tie valves to accommodate decay heat removal. Air for decay heat removal enters the idle SGT subsystem from the SGT room via a motor operated valve and restricting orifice. The air is drawn through the filter, removing the decay heat from the idle subsystem filters, passes through the cross tie line to the opposite operating SGT subsystem fan, and is exhausted to the main stack.

Each SGT filter assembly consists of (components listed in order of the direction of the air flow):

a. A demister;
b. An electric heater;
c. A prefilter;
d. A high efficiency particulate air (HEPA) filter;
e. A charcoal adsorber; and
f. A second HEPA filter.

The SGT System equipment and components are sized to reduce and maintain the secondary containment at a negative pressure of 0.25 inches water gauge when the system is in operation under neutral wind conditions and the SGT fans exhausting at a rate of 6,000 cfm.

The demister is provided to remove entrained water in the air, while the electric heater reduces the relative humidity of the airstream to less than 70% (Ref. 2). The prefilter removes large particulate matter, while the HEPA filter removes fine particulate matter and protects the charcoal from fouling. The charcoal adsorber removes gaseous elemental iodine and organic iodides, and the final HEPA filter collects any carbon fines exhausted from the charcoal adsorber.

The SGT System automatically starts and operates in response to actuation signals indicative of conditions or an accident that could require operation of the system. Following initiation, both SGT subsystem fans start. Upon verification that both subsystems are operating, one subsystem is normally shut down.

APPLICABLE SAFETY ANALYSES The design basis for the SGT System is to mitigate the consequences of a loss of coolant accident and refueling accidents (Ref. 3). For all events analyzed, the SGT System is shown to be automatically initiated to reduce, via filtration and adsorption, the radioactive material released to the environment.

The SGT System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO Following a DBA, a minimum of one SGT subsystem is required to maintain the secondary containment at a negative pressure with respect to the environment and to process gaseous releases. Meeting the LCO requirements for two OPERABLE subsystems ensures operation of at least one SGT subsystem in the event of a single active failure. An OPERABLE SGT subsystem consists of a demister, heater, prefilter, HEPA filter, charcoal adsorber, a final HEPA filter, centrifugal fan, and associated ductwork, dampers, valves and controls.


APPLICABILITY In MODES 1, 2, and 3, a DBA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, SGT System OPERABILITY is required during these MODES.

In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the SGT System in OPERABLE status is not required in MODE 4 or 5, except for other situations under which significant releases of radioactive material can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 With one SGT subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status in 7 days. In this Condition, the remaining OPERABLE SGT subsystem is adequate to perform the required radioactivity release control function. However, the overall system reliability is reduced because a single failure in the OPERABLE subsystem could result in the radioactivity release control function not being adequately performed. The 7 day Completion Time is based on consideration of such factors as the availability of the OPERABLE redundant SGT subsystem and the low probability of a DBA occurring during this period.

B.1 and B.2 If the SGT subsystem cannot be restored to OPERABLE status within the required Completion Time in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1, C.2.1, C.2.2, and C.2.3 During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, when Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE SGT subsystem should immediately be placed in operation. This action ensures that the remaining subsystem is OPERABLE, that no failures that could prevent automatic actuation have occurred, and that any other failure would be readily detected.

An alternative to Required Action C.1 is to immediately suspend activities that represent a potential for releasing radioactive material to the secondary containment, thus placing the plant in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies must immediately be suspended. Suspension of these activities must not preclude completion of movement of a component to a safe position. Also, if applicable, actions must immediately be initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended.

LCO 3.0.3 is not applicable in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the Required Actions of Condition C have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

D.1 If both SGT subsystems are inoperable in MODE 1, 2, or 3, the SGT System may not be capable of supporting the required radioactivity release control function. Therefore, action is required to enter LCO 3.0.3 immediately.

E.1, E.2, and E.3 When two SGT subsystems are inoperable, if applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in secondary containment must immediately be suspended.

Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must immediately be initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended.

LCO 3.0.3 is not applicable in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, Required Action E.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

SURVEILLANCE REQUIREMENTS SR 3.6.4.3.1 Operating each SGT subsystem fan for ≥ 10 continuous hours ensures that both subsystems are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. Operation with the heaters on for ≥ 10 continuous hours every 31 days eliminates moisture on the adsorbers and HEPA filters. The 31 day Frequency was developed in consideration of the known reliability of fan motors and controls and the redundancy available in the system.

SR 3.6.4.3.2 This SR verifies that the required SGT filter testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).

Specific test frequencies and additional information are discussed in detail in the VFTP.

SR 3.6.4.3.3 This SR verifies that each SGT subsystem starts on receipt of an actual or simulated initiation signal. In addition, the OPERABILITY of each SGT decay heat cooling valve is verified to ensure the valve closes on subsystem initiation (interlocked with the suction valve) and opens when shutdown. This will ensure the mitigation function as well as the decay heat cooling mode of each SGT subsystem is available. While this Surveillance can be performed with the reactor at power, operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.2, "Secondary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

SR 3.6.4.3.4 This SR verifies that the filter cooling cross-tie valves are OPERABLE. This ensures that the decay heat cooling mode of SGT System operation is available. The 24 month Frequency has been shown to be adequate, based on operating experience, and in view of the strict administrative controls required for entry into the area of these valves.

REFERENCES

1. UFSAR, Section 16.6.
2. UFSAR, Section 5.3.3.4.
3. UFSAR, Section 14.6.
4. 10 CFR 50.36(c)(2)(ii).

B 3.7 PLANT SYSTEMS

B 3.7.1 Residual Heat Removal Service Water (RHRSW) System

BASES

BACKGROUND The RHRSW System is designed to provide cooling water for the Residual Heat Removal (RHR) System heat exchangers, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient. The RHRSW System is operated whenever the RHR heat exchangers are required to operate in the shutdown cooling mode or in the suppression pool cooling or spray mode of the RHR System.

The RHRSW System consists of two independent and redundant subsystems. Each subsystem is made up of a header, two 4000 gpm pumps, a suction source, valves, piping, heat exchanger, and associated instrumentation. Either of the two subsystems is capable of providing the required cooling capacity with two pumps operating to maintain safe shutdown conditions. The RHRSW System is designed with sufficient redundancy so that no single active component failure can prevent it from achieving its design function. The RHRSW System is described in the UFSAR, Section 9.7.3, Reference 1.

Cooling water is pumped by the RHRSW pumps from the intake structure through the tube side of the RHR heat exchangers, and discharges to the discharge structure via the Service Water System.

The system is initiated manually from the control room. If operating during a loss of coolant accident (LOCA), the system is automatically tripped to allow the diesel generators to automatically power only that equipment necessary to reflood the core. The system is assumed in the analysis to be manually started 10 minutes after the LOCA.

APPLICABLE SAFETY ANALYSES The RHRSW System removes heat from the suppression pool via the RHR System to limit the suppression pool temperature and primary containment pressure following a LOCA. This ensures that the primary containment can perform its function of limiting the release of radioactive materials to the environment following a LOCA. The ability of the RHRSW System to support long term cooling of the reactor or primary containment is discussed in the UFSAR, Sections 4.8, 5.1 and Chapter 14 (Refs. 2, 3 and 4, respectively). These analyses explicitly assume that the RHRSW System will provide adequate cooling support to the equipment required for safe shutdown. These analyses include the evaluation of the long term primary containment response after a design basis LOCA.

The safety analyses for long term cooling were performed for various combinations of RHR System failures. The worst case single active failure that would affect the performance of the RHRSW System is any failure that would disable one subsystem of the RHRSW System. As discussed in the UFSAR, Section 14.6.1.3.3 (Ref. 5) for these analyses, manual initiation of the OPERABLE RHRSW subsystem and the associated RHR System is assumed to occur 10 minutes after a DBA. The RHRSW flow assumed in the analyses is 4000 gpm per pump with two pumps operating in one loop. In this case, the maximum suppression chamber water temperature is 213°F, which is below the design temperature of 220°F.

The RHRSW System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 6).

LCO Two RHRSW subsystems are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.

An RHRSW subsystem is considered OPERABLE when:

a. Two pumps are OPERABLE; and
b. An OPERABLE flow path is capable of taking suction from the intake structure and transferring the water to the RHR heat exchangers at the assumed flow rate and discharging the water to the discharge structure.

The requirements of the ultimate heat sink are not addressed in this LCO since the requirements of the ultimate heat sink are addressed by the emergency service water pump requirements (LCO 3.7.2, "Emergency Service Water (ESW) System and Ultimate Heat Sink (UHS)").

APPLICABILITY In MODES 1, 2, and 3, the RHRSW System is required to be OPERABLE to support the OPERABILITY of the RHR System for primary containment cooling (LCO 3.6.2.3, "Residual Heat Removal (RHR) Suppression Pool Cooling," and LCO 3.6.1.9, "Residual Heat Removal (RHR) Containment Spray") and decay heat removal (LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown"). The Applicability is therefore consistent with the requirements of these systems.

In MODES 4 and 5, the OPERABILITY requirements of the RHRSW System are determined by the systems it supports and therefore, the requirements are not the same for all facets of operation in MODES 4 and 5. Thus, the LCOs of the RHR Shutdown Cooling System (LCO 3.4.8, "Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown," LCO 3.9.7, "Residual Heat Removal (RHR)-High Water Level," and LCO 3.9.8, "Residual Heat Removal (RHR)-Low Water Level"), which require portions of the RHRSW System to be OPERABLE, will govern RHRSW System operation in MODES 4 and 5.

ACTIONS A.1 With one RHRSW pump inoperable, the inoperable pump must be restored to OPERABLE status within 30 days. With the plant in this condition, the remaining OPERABLE RHRSW pumps are adequate to perform the RHRSW heat removal function.

However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced RHRSW capability. The 30 day Completion Time is based on the remaining RHRSW heat removal capability, and the low probability of a DBA with concurrent worst case single failure.

B.1 With one RHRSW pump inoperable in each subsystem, if no additional failures occur in the RHRSW System, then the remaining OPERABLE pumps and flow paths provide adequate heat removal capacity following a design basis LOCA.

However, capability for this alignment is not assumed in long term containment response analysis and an additional single failure in the RHRSW System could reduce the system capacity below that assumed in the safety analysis.

Therefore, continued operation is permitted only for a limited time. One inoperable pump is required to be restored to OPERABLE status within 7 days. The 7 day Completion Time for restoring one inoperable RHRSW pump to OPERABLE status is based on engineering judgment, considering the level of redundancy provided and low probability of an event occurring requiring RHRSW during this time period.

C.1 Required Action C.1 is intended to handle the inoperability of one RHRSW subsystem for reasons other than Condition A (e.g., inoperable flow path, or both pumps inoperable). The Completion Time of 7 days is allowed to restore the RHRSW subsystem to OPERABLE status. With the plant in this condition, the remaining OPERABLE RHRSW subsystem is adequate to perform the RHRSW heat removal function.

However, the overall reliability is reduced because a single failure in the OPERABLE RHRSW subsystem could result in loss of RHRSW function. The Completion Time is based on the redundant RHRSW capabilities afforded by the OPERABLE subsystem and the low probability of an event occurring requiring RHRSW during this period.

The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7 be entered and Required Actions taken if an inoperable RHRSW subsystem results in an inoperable RHR shutdown cooling subsystem.

This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.

D.1 With both RHRSW subsystems inoperable for reasons other than Condition B (e.g., both subsystems with inoperable flow paths, or one subsystem with an inoperable pump and one subsystem with an inoperable flow path), the RHRSW System is not capable of performing its intended function. At least one subsystem must be restored to OPERABLE status within 8 hours. The 8 hour Completion Time for restoring one RHRSW subsystem to OPERABLE status is based on the Completion Times provided for the RHR suppression pool cooling and spray functions.


The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7 be entered and Required Actions taken if an inoperable RHRSW subsystem results in an inoperable RHR shutdown cooling subsystem.

This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.

E.1 and E.2 If any Required Action and associated Completion Time is not met, the plant must be placed in a MODE in which the LCO does not apply. To achieve this status, the plant must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.7.1.1 Verifying the correct alignment for each manual, power operated, and automatic valve in each RHRSW subsystem flow path provides assurance that the proper flow paths will exist for RHRSW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be realigned to its accident position. This is acceptable because the RHRSW System is a manually initiated system.

This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

REFERENCES

1. UFSAR, Section 9.7.3.
2. UFSAR, Section 4.8.
3. UFSAR, Section 5.1.
4. UFSAR, Chapter 14.
5. UFSAR, Section 14.6.1.3.3.
6. 10 CFR 50.36(c)(2)(ii).

B 3.7 PLANT SYSTEMS

B 3.7.2 Emergency Service Water (ESW) System and Ultimate Heat Sink (UHS)

BASES

BACKGROUND The ESW System is designed to provide cooling water for the removal of heat from equipment, such as the emergency diesel generators (EDGs), electric bay coolers, crescent area coolers, cable tunnel/switchgear room coolers and control room and relay room air handling units, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient. Upon receipt of a loss of offsite power or loss of coolant accident (LOCA) signal, the EDGs will start which in turn starts the associated ESW pump. Each ESW pump will automatically pump to the associated EDG cooler. The remaining ESW loads will be automatically cooled when the associated ESW supply header isolation valve opens and the associated ESW minimum flow valve closes. This occurs when the ESW lockout matrix logic actuates upon low reactor building closed loop cooling water pump discharge pressure.

This logic is discussed in LCO 3.3.7.3, "Emergency Service Water (ESW) System Instrumentation". In addition, the ESW pumps will automatically start in response to the ESW lockout matrix logic. However, this function is not required for safe reactor shutdown since the ESW pumps will start when any associated EDG starts.

The ESW System consists of the UHS and two independent and redundant subsystems. Each of the two ESW subsystems is made up of a header, one 3700 gpm pump, a suction source, valves, piping and associated instrumentation. The two subsystems are separated from each other so failure of one subsystem will not affect the OPERABILITY of the other system. The ESW System is described in UFSAR, Section 9.7.1 (Ref. 1).

Cooling water flows from Lake Ontario (UHS) through the intake tunnel to the screenwell where the water is pumped by the ESW pumps to components through the two main headers.

After removing heat from the components, the water is discharged to the discharge tunnel where it returns to Lake Ontario.

The lake intake structure is a reinforced concrete structure sitting on the lake bottom at a distance of approximately 900 ft from the shoreline in approximately 25 ft of water.

The top surface of the intake structure is at the 233 ft elevation (above sea level), which is approximately 10 ft below the historically lowest monthly mean lake level. The intake is a roofed structure which draws water in through side openings that are protected with bar racks spaced at 1 ft centers to block the entrance of large debris. This results in water being taken in at lower levels and prevents the formation of vortices at the surface, thus minimizing the possibility of floating ice being drawn down from the surface. The side intake area of approximately 8 ft by 70 ft, less bar rack area, provides a net clear area of 552 ft². During normal operation, with a maximum nominal operating flow of 388,600 gpm from three circulating water pumps and two normal service water pumps, the average intake velocity is approximately 1.6 ft per second. However, during safe shutdown conditions with only two Residual Heat Removal Service Water (RHRSW) pumps and one ESW pump in operation, the maximum nominal flow is reduced to 10,000 gpm, corresponding to an average intake velocity of 0.04 ft per second.

The formation of frazil ice on the steel bar racks at the intake structure openings is common in northern climates.

This kind of ice is formed when meteorological conditions are such that the water is subcooled below its freezing point due to radiational cooling. Under these conditions, frazil ice can form on intake bar racks or spongy masses of this ice, formed in other parts of the lake and carried past an intake by wind-driven currents, can adhere to the bar racks. Sufficient transport velocity exists to move buoyant frazil ice from the lake surface to the intake structure during normal operation, but not under safe shutdown conditions. If ice formation does occur on the bar racks during normal operation, sufficient local erosion velocities will develop to limit total ice accumulation such that the remaining net clear intake area would be sufficient to meet required safe shutdown flows. In an effort to suppress the formation of frazil ice on the bar racks, each of the 88 rack bars is heated by a deicing heater. Each deicing heater is rated at 1670 watts and is normally energized.

Forty four heaters are powered by one division while the remaining 44 heaters are powered by the other division.

APPLICABLE SAFETY ANALYSES Since Lake Ontario is the UHS, sufficient water inventory is available for all ESW System post LOCA cooling requirements for a 30 day period. The OPERABILITY of the ESW System is assumed in evaluations of the equipment required for safe reactor shutdown presented in the UFSAR, Chapters 5 and 14 (Refs. 2 and 3, respectively). These analyses include the evaluation of the long term primary containment response after a design basis LOCA.

The ability of the ESW System to provide adequate cooling to the identified safety equipment is an implicit assumption for the safety analyses evaluated in References 2 and 3.

The ability to provide onsite emergency AC power is dependent on the ability of the ESW System to cool the EDGs.

The long term cooling capability of RHR and core spray pumps is dependent on the capability of the ESW System to provide cooling to the EDGs as well as the crescent area coolers.

The ESW System, together with the UHS, satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO The ESW subsystems are independent of each other to the degree that each has separate controls, power supplies, and the operation of one does not depend on the other. In the event of a DBA, one subsystem of ESW is required to provide the minimum heat removal capability assumed in the safety analysis for the system to which it supplies cooling water.

To ensure this requirement is met, two subsystems of ESW must be OPERABLE. At least one subsystem will operate, if the worst single active failure occurs coincident with the loss of offsite power.

A subsystem is considered OPERABLE when it has an OPERABLE UHS, one OPERABLE pump, and an OPERABLE flow path capable of taking suction from the intake structure and transferring the water to the appropriate equipment. OPERABILITY of equipment cooled by the ESW System is based on heat transfer, not flow rates; OPERABILITY of the ESW pumps is based on measured performance remaining within allowable IST Program acceptance criteria.

The OPERABILITY of the UHS is based on having a minimum water level in the screenwell of 236.5 ft mean sea level and a maximum water temperature of 85°F. With UHS temperature ≤ 37°F, conditions become increasingly favorable for the formation of frazil ice on the intake structure bar racks during normal operation. Therefore, in an effort to suppress the formation of frazil ice on the intake structure bar racks, at least 18 out of the 44 deicing heaters (each heater producing 1670 watts) in each electrical division are maintained OPERABLE whenever UHS temperature is < 37°F.

The isolation of the ESW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the ESW System.


APPLICABILITY In MODES 1, 2, and 3, the ESW System and UHS are required to be OPERABLE to support OPERABILITY of the equipment serviced by the ESW System. Therefore, the ESW System and UHS are required to be OPERABLE in these MODES.

In MODES 4 and 5, the OPERABILITY requirements of the ESW System and UHS are determined by the systems they support and therefore, the requirements are not the same for all facets of operation in MODES 4 and 5. Thus, LCO 3.7.4, "Control Room AC System," and LCO 3.8.2, "AC Sources-Shutdown," which require the ESW System to be OPERABLE, will govern ESW System operation in MODES 4 and 5.

ACTIONS A.1 With one ESW subsystem inoperable, the ESW subsystem must be restored to OPERABLE status within 7 days. With the plant in this condition, the remaining OPERABLE ESW subsystem is adequate to perform the heat removal function. However, the overall reliability is reduced because a single active component failure in the OPERABLE ESW subsystem could result in loss of ESW function.

The 7 day Completion Time is based on the redundant ESW System capabilities afforded by the OPERABLE subsystem, the low probability of an accident occurring during this time period, and is consistent with the allowed Completion Time for restoring an inoperable EDG subsystem.

Required Action A.1 is modified by a Note indicating that the applicable Conditions of LCO 3.8.1, "AC Sources Operating," be entered and Required Actions taken if the inoperable ESW subsystem results in an inoperable EDG subsystem. This is in accordance with LCO 3.0.6 and ensures the proper actions are taken for this component.

B.1 With one division of deicing heaters inoperable, the deicing heaters must be restored to OPERABLE status within 7 days.

With the plant in this condition, the remaining OPERABLE division of deicing heaters is adequate to perform the required function. However, the overall reliability of the deicing heaters is reduced.


The 7 day Completion Time is based on the redundant capabilities afforded by the OPERABLE division of deicing heaters, the low probability of an accident occurring during this time period, and is consistent with the allowed Completion Time for restoring an inoperable EDG subsystem.

C.1 and C.2 If the ESW subsystem cannot be restored to OPERABLE status within the associated Completion Time, or both ESW subsystems are inoperable, or the UHS is determined inoperable, the plant must be placed in a MODE in which the LCO does not apply. To achieve this status, the plant must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.7.2.1 This SR verifies the water level in the screenwell to be sufficient for the proper operation of the ESW and RHRSW pumps (net positive suction head and pump vortexing are considered in determining this limit). The 24 hour Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.

SR 3.7.2.2 Verification of the UHS temperature ensures that the heat removal capability of the ESW System is within the assumptions of the DBA analysis. The 24 hour Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.

SR 3.7.2.3, SR 3.7.2.5, and SR 3.7.2.6 These SRs are modified by a NOTE indicating that these SRs are not required to be met if UHS temperature is > 37°F. Industry experience has shown that frazil ice will not adhere to the bar racks that are above freezing temperatures. Therefore at these elevated temperatures, blockage of the intake is unlikely and the deicing heaters are not required to be OPERABLE.

Verification of the required deicing feeder current in SR 3.7.2.3 and the required deicing heater power in SR 3.7.2.5 will help ensure that adequate heat is being provided at the bar racks so that frazil ice does not adhere to them. Verification of the required deicing heater resistance to ground in SR 3.7.2.6 is performed to monitor long term degradation of the cable and heater insulations. SR 3.7.2.3 can be performed by measuring the current in all three phases of the feeder cables to each division and ensuring the total current is within limits to confirm that at least 18 deicing heaters are OPERABLE in each division. SR 3.7.2.5 is performed to verify that at least 18 deicing heaters in each division are each dissipating at least 1670 watts. The 7 day Frequency of SR 3.7.2.3 and the 6 month Frequency of SR 3.7.2.5 are based on operating experience that shows the heaters are reliable. Performance of SR 3.7.2.6 at the 12 month Frequency has shown that the components usually pass the SR. Therefore, this Frequency is considered to be acceptable from a reliability standpoint.

SR 3.7.2.4 Verifying the correct alignment for each manual, power operated, and automatic valve in each ESW subsystem flow path provides assurance that the proper flow paths will exist for ESW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

This SR is modified by a Note indicating that isolation of the ESW System to components or systems may render those components or systems inoperable, but does not necessarily affect the OPERABILITY of the ESW System. As such, when all ESW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the ESW System may still be considered OPERABLE.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.2.7 This SR verifies the automatic start capability of the ESW pump in each subsystem. This is demonstrated by the use of an actual or simulated initiation signal associated with each EDG. In addition, the proper positioning of the ESW supply header isolation valves and the ESW minimum flow valves, upon actual or simulated ESW lockout matrix logic actuation, must be demonstrated in this SR. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.7.3 overlaps this Surveillance to provide complete testing of the assumed safety function. ESW will not be supplied to the Reactor Building Closed Loop Cooling System during the performance of this test to avoid contaminating this system with lake water.

Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, this Frequency is concluded to be acceptable from a reliability standpoint.

REFERENCES

1. UFSAR, Section 9.7.1.
2. UFSAR, Chapter 5.
3. UFSAR, Chapter 14.
4. 10 CFR 50.36(c)(2)(ii).


B 3.7 PLANT SYSTEMS

B 3.7.3 Control Room Emergency Ventilation Air Supply (CREVAS) System

BASES

BACKGROUND The CREVAS System, a portion of the Control Room Air Conditioning (AC) System, provides a radiologically controlled environment from which the plant can be safely operated following a Design Basis Accident (DBA).

The safety related function of the CREVAS System includes two redundant high efficiency air filtration subsystems for emergency treatment of outside supply air. Each subsystem consists of a prefilter, a high efficiency particulate air (HEPA) filter, two activated charcoal adsorber sections in series, a second HEPA filter, a control room emergency air supply fan, an air handling unit (excluding the condensing unit), a recirculation exhaust fan and the associated ductwork and dampers. Prefilters and HEPA filters remove particulate matter, which may be radioactive. The charcoal adsorbers provide a holdup period for gaseous iodine, allowing time for decay.

The CREVAS System is a standby system, parts of which also operate during normal plant operations to maintain the control room environment. Upon occurrence of a DBA or receipt of an alarm from a radiation monitor installed in the control room ventilation intake duct (indicative of conditions that could result in radiation exposure to control room personnel), the CREVAS System is manually placed in the isolate mode of operation to prevent infiltration of contaminated air into the control room. A system of dampers isolates the control room. Outside air is taken in at either the primary or secondary ventilation intake and is passed through one of the charcoal adsorber filter subsystems for removal of airborne radioactive particles. This filtered air is then mixed with recirculated air from one of the recirculation exhaust fans and then passed through one of two fans of the air handling units where it can be cooled before it is recirculated back to the control room. The cooling capability of the air handling units is not required to satisfy the requirements of this Specification.

The CREVAS System is designed to maintain the control room environment for a 31 day continuous occupancy after a DBA without exceeding 5 rem whole body dose or its equivalent to any part of the body. A single CREVAS subsystem will pressurize the control room to ≥ 0.125 inches water gauge above the Turbine Building and outside atmosphere to prevent infiltration of air from surrounding buildings, since these are the only adjacent areas to the control room that could be directly contaminated by a design basis accident. CREVAS System operation in maintaining control room habitability is discussed in the UFSAR, Sections 9.9.3.11 and 14.8.2 (Refs. 1 and 2, respectively).

APPLICABLE SAFETY ANALYSES The ability of the CREVAS System to maintain the habitability of the control room is an explicit assumption for the safety analyses presented in the UFSAR, Chapters 6 and 14 (Refs. 3 and 4, respectively). The isolate mode of the CREVAS System is assumed to operate following a loss of coolant accident, refueling accident, main steam line break, and control rod drop accident, as discussed in the UFSAR, Section 14.8.2 (Ref. 2). The radiological doses to control room personnel as a result of the various DBAs are summarized in Reference 2.

The CREVAS System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO Two redundant subsystems of the CREVAS System are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other subsystem. Total system failure could result in exceeding a dose of 5 rem to the control room operators in the event of some DBAs.

The CREVAS System is considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both subsystems. A subsystem is considered OPERABLE when its associated:

a. Fans are OPERABLE (i.e., one control room emergency air supply fan, one air handling unit fan, one recirculation exhaust fan);
b. A prefilter, two HEPA filters and charcoal adsorbers are not excessively restricting flow and are capable of performing their filtration functions; and
c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

In addition, the control room boundary must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors such that the pressurization limit of SR 3.7.3.3 can be met. However, it is acceptable for access doors to be open for normal control room entry and exit, and not consider it to be a failure to meet the LCO.

The LCO is modified by a Note allowing the control room boundary to be opened intermittently under administrative controls. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for control room isolation is indicated.

APPLICABILITY In MODES 1, 2, and 3, the CREVAS System must be OPERABLE to control operator exposure during and following a DBA, since the DBA could lead to a fission product release.

In MODES 4 and 5, the probability and consequences of a DBA are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining the CREVAS System OPERABLE is not required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:

a. During operations with potential for draining the reactor vessel (OPDRVs);
b. During CORE ALTERATIONS; and
c. During movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 With one CREVAS subsystem inoperable, the inoperable CREVAS subsystem must be restored to OPERABLE status within 7 days. With the plant in this condition, the remaining OPERABLE CREVAS subsystem is adequate to perform control room radiation protection. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in a loss of CREVAS System capability. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and that the remaining subsystem can provide the required capabilities.

B.1 If the control room boundary is inoperable in MODE 1, 2, or 3, the CREVAS subsystems cannot perform their intended functions. Actions must be taken to restore an OPERABLE control room boundary within 24 hours. During the period that the control room boundary is inoperable, appropriate compensatory measures (consistent with the intent of GDC 19) should be utilized to protect control room operators from potential hazards such as radioactive contamination, toxic chemicals, smoke, temperature and relative humidity, and physical security. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 24 hour Completion Time is a typically reasonable time to diagnose, plan and possibly repair, and test most problems with the control room boundary.

C.1 and C.2 In MODE 1, 2, or 3, if the inoperable CREVAS subsystem or control room boundary cannot be restored to OPERABLE status within the associated Completion Time, the plant must be placed in a MODE that minimizes risk. To achieve this status, the plant must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1, D.2.1, D.2.2, and D.2.3 LCO 3.0.3 is not applicable when in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the Required Actions of Condition D are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.


During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if the inoperable CREVAS subsystem cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE CREVAS subsystem may be placed in the isolate mode. This action ensures that the remaining subsystem is OPERABLE, and that any active failure will be readily detected.

An alternative to Required Action D.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the plant in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Action must continue until the OPDRVs are suspended.

E.1 If both CREVAS subsystems are inoperable in MODE 1, 2, or 3 for reasons other than an inoperable control room boundary (i.e., Condition B), the CREVAS System may not be capable of performing the intended function and the plant is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

F.1, F.2, and F.3 LCO 3.0.3 is not applicable when in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODES 1, 2, or 3, the Required Actions of Condition F are modified by a Note indicating that LCO 3.0.3 does not apply.

If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.


During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, with two CREVAS subsystems inoperable, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the plant in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. If applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Action must continue until the OPDRVs are suspended.

SURVEILLANCE REQUIREMENTS SR 3.7.3.1 This SR verifies that a subsystem in a standby mode starts on demand and continues to operate. These subsystems should be checked periodically to ensure that they start and function properly. As the environmental and normal operating conditions of this system are not severe, testing each subsystem once every three months provides an adequate check on this system. Since the CREVAS System does not contain heaters, it need only be operated for ≥ 15 minutes to demonstrate the function of the system. The 92 day Frequency is based on the known reliability of the equipment and the two subsystem redundancy available.

SR 3.7.3.2 This SR verifies that the required CREVAS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.3.3 This SR verifies the integrity of the control room enclosure and the assumed inleakage rates of potentially contaminated air. The control room positive pressure, with respect to potentially contaminated adjacent areas (outside and the turbine building), is periodically tested to verify proper function of the CREVAS System. During the isolate mode of operation, the CREVAS System is designed to slightly pressurize the control room to ≥ 0.125 inches water gauge positive pressure with respect to outside and the turbine building to prevent unfiltered inleakage. The CREVAS System is designed to maintain this positive pressure at a flow rate of ≥ 900 scfm and ≤ 1100 scfm to the control room in the isolate mode. The Frequency of 18 months on a STAGGERED TEST BASIS is consistent with industry practice and other filtration systems SRs.

REFERENCES

1. UFSAR, Section 9.9.3.11.
2. UFSAR, Section 14.8.2.
3. UFSAR, Chapter 6.
4. UFSAR, Chapter 14.
5. 10 CFR 50.36(c)(2)(ii).


B 3.7 PLANT SYSTEMS

B 3.7.4 Control Room Air Conditioning (AC) System

BASES

BACKGROUND The Control Room AC System provides temperature control for the control room while the Control Room Emergency Ventilation Air Supply (CREVAS) System (a mode of the Control Room AC) provides a radiologically controlled environment (refer to the Bases for LCO 3.7.3, "Control Room Emergency Ventilation Air Supply (CREVAS) System").

The Control Room AC System consists of two redundant subsystems that provide cooling of recirculated control room air. Each subsystem consists of cooling coils, fans, chillers, compressors, ductwork, dampers, and instrumentation and controls to provide for control room temperature control. A heater is located in the ductwork associated with each control room area.

The Control Room AC System is designed to provide a controlled environment under both normal and accident conditions. A single subsystem provides the required temperature control to maintain a suitable control room environment for a sustained occupancy of 20 persons. The design conditions for the control room environment are 75°F and 50% relative humidity. This can be accomplished when a control room chiller is providing the cooling medium to the cooling coils of an air handling unit. The control room chillers are non-safety related; however, the Control Room AC System still meets safety-related QA Category I requirements when the Emergency Service Water System is aligned to directly supply the cooling coils. The resulting maximum control room environmental conditions when the Emergency Service Water System is supplying the air handling unit cooling coils is 104°F assuming a lake temperature of 85°F. This satisfies the OPERABILITY requirements of the control room equipment. The Control Room AC System operation in maintaining the control room temperature is discussed in the UFSAR, Section 9.9.3.11 (Ref. 1).

APPLICABLE SAFETY ANALYSES The design basis of the Control Room AC System is to maintain the control room temperature for a 31 day continuous occupancy.

The Control Room AC System components are arranged in redundant safety related subsystems. During emergency operation, the Control Room AC System maintains a habitable environment and ensures the OPERABILITY of components in the control room. A single active component failure of a component of the Control Room AC System, assuming a loss of offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control.

The Control Room AC System is designed in accordance with Seismic Category I requirements. The Control Room AC System is capable of removing sensible and latent heat loads from the control room, including consideration of equipment heat loads and personnel occupancy requirements to ensure equipment OPERABILITY.

The Control Room AC System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO Two redundant subsystems of the Control Room AC System are required to be OPERABLE to ensure that at least one is available, assuming a single active component failure disables the other subsystem. Total system failure could result in the equipment operating temperature exceeding limits.

The Control Room AC System is considered OPERABLE when the individual components necessary to maintain the control room temperature are OPERABLE in both subsystems. These components include the air handling units, recirculation exhaust fans, air handling unit fans, ductwork, dampers, and associated instrumentation and controls. The cooling coils of the air handling units may be cooled by the control room chillers, but to satisfy this LCO the Emergency Service Water System must be capable of alignment to provide cooling water directly to the cooling coils.

APPLICABILITY In MODE 1, 2, or 3, the Control Room AC System must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY limits following control room isolation.

In MODES 4 and 5, the probability and consequences of a Design Basis Accident are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the Control Room AC System OPERABLE is not required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:

a. During operations with a potential for draining the reactor vessel (OPDRVs);
b. During CORE ALTERATIONS; and
c. During movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 With one control room AC subsystem inoperable, the inoperable control room AC subsystem must be restored to OPERABLE status within 30 days. With the plant in this condition, the remaining OPERABLE control room AC subsystem is adequate to perform the control room air conditioning function. However, the overall reliability is reduced because a single active component failure in the OPERABLE subsystem could result in loss of the control room air conditioning function. The 30 day Completion Time is based on the low probability of an event occurring requiring control room isolation, the consideration that the remaining subsystem can provide the required protection, and the availability of alternate safety and nonsafety cooling methods.

B.1 and B.2 In MODE 1, 2, or 3, if the inoperable control room AC subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be placed in a MODE that minimizes risk. To achieve this status, the plant must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1, C.2.1, C.2.2, and C.2.3 LCO 3.0.3 is not applicable while in MODE 4 and 5. However, since irradiated fuel assembly movement can occur in MODES 1, 2, or 3, the Required Actions of Condition C are modified by a Note indicating that LCO 3.0.3 does not apply.

If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE control room AC subsystem may be placed immediately in operation. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the plant in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Action must continue until the OPDRVs are suspended.

D.1 If both control room AC subsystems are inoperable in MODE 1, 2, or 3, the Control Room AC System may not be capable of performing the intended function. Therefore, LCO 3.0.3 must be entered immediately.

E.1, E.2, and E.3 LCO 3.0.3 is not applicable when in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the Required Actions of Condition E are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown.

During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, with two control room AC subsystems inoperable, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the plant in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and handling of irradiated fuel in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Action must continue until the OPDRVs are suspended.

SURVEILLANCE REQUIREMENTS SR 3.7.4.1 This SR verifies that the heat removal capability of the system is sufficient to remove the control room heat load assumed in the safety analyses with ESW providing water to the cooling coils of the air handling units. The SR consists of a combination of testing and calculation. It is acceptable to perform the test using chilled water as the cooling medium to the cooling coils, but a calculation must be performed to ensure that the heat load can be removed with ESW at 85°F. The 24 month Frequency is appropriate since significant degradation of the Control Room AC System is not expected over this time period.

REFERENCES

1. UFSAR, Section 9.9.3.11.
2. 10 CFR 50.36(c)(2)(ii).


B 3.7 PLANT SYSTEMS

B 3.7.5 Main Condenser Steam Jet Air Ejector (SJAE) Offgas

BASES

BACKGROUND During plant operation, steam from the low pressure turbine is exhausted directly into the main condenser. Air and noncondensible gases are collected in the main condenser, then exhausted through the steam jet air ejectors (SJAEs) to the Main Condenser (SJAE) Offgas System. The offgas from the main condenser normally includes radioactive gases.

The Main Condenser SJAE Offgas System has been incorporated into the plant design to reduce the gaseous radwaste emission and operates in three modes. During the startup mode, the SJAE offgas is directed to a 24 inch holdup pipe. During the intermediate mode the SJAE offgas is first directed to a recombiner and then to the same 24 inch holdup pipe. Finally in the normal mode of operation, the SJAE offgas is directed to the recombiner and then to charcoal beds. In all modes, before discharging to the main stack the offgas passes through a parallel set of HEPA filters.

This system uses a catalytic recombiner to recombine hydrogen and oxygen from the radiolytic dissociation of reactor coolant and other sources. After the recombiner, the offgas is cooled by two condensers in series and then delivered to one of two dryers to reduce the moisture content before being passed through the charcoal beds for delay and decay of noble gas activity. The radioactivity of the gaseous mixture is monitored at the discharge of the SJAE and in the main stack.

APPLICABLE SAFETY ANALYSES The main condenser offgas gross gamma activity rate is an initial condition of the Main Condenser SJAE Offgas System failure event, discussed in the UFSAR, Section 11.4.7.2 (Ref. 1). The analysis assumes a gross failure in the Main Condenser SJAE Offgas System that results in the rupture of the Main Condenser SJAE Offgas System pressure boundary. The gross gamma activity rate is controlled to ensure that, during the event, the calculated offsite doses will be well within the limits of 10 CFR 100 (Ref. 2).

The main condenser offgas limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).


LCO To ensure compliance with the assumptions of the Main Condenser SJAE Offgas System failure event (Ref. 1), the fission product release rate should be consistent with a nominal noble gas release to the reactor coolant. The LCO is established consistent with a nominal production rate of 600,000 pCi/sec with no decay.

APPLICABILITY The LCO is applicable when steam is being exhausted to the main condenser and the resulting noncondensibles are being processed via the Main Condenser SJAE Offgas System. This occurs during MODE 1, and during MODES 2 and 3 with any main steam line not isolated and the SJAE in operation. In MODES 4 and 5, main steam is not being exhausted to the main condenser and the requirements are not applicable.

ACTIONS A.1 If the offgas radioactivity rate limit is exceeded, 72 hours is allowed to restore the gross gamma activity rate to within the limit. The 72 hour Completion Time is reasonable, based on engineering judgment, the time required to complete the Required Action, the large margins associated with permissible dose and exposure limits, and the low probability of a Main Condenser SJAE Offgas System rupture.

B.1, B.2, B.3.1, and B.3.2 If the gross gamma activity rate is not restored to within the limits in the associated Completion Time, all main steam lines or the SJAE must be isolated. This isolates the Main Condenser SJAE Offgas System from significant sources of radioactive steam. The main steam lines are considered isolated if at least one main steam isolation valve in each main steam line is closed, and at least one main steam line drain primary containment isolation valve is closed. The 12 hour Completion Time is reasonable, based on operating experience, to perform the actions from full power conditions in an orderly manner and without challenging plant systems.

An alternative to Required Actions B.1 and B.2 is to place the plant in a MODE in which the LCO does not apply. To achieve this status, the plant must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.7.5.1 This SR, on a 31 day Frequency, requires an isotopic analysis of an offgas sample, taken at the discharge (prior to dilution and/or discharge) of the SJAE, to ensure that the required limits are satisfied. If the measured rate of radioactivity increases significantly (by ≥ 50% after correcting for expected increases due to changes in THERMAL POWER), an isotopic analysis is also performed within 4 hours after the increase is noted, to ensure that the increase is not indicative of a sustained increase in the radioactivity rate. As noted, this Frequency is only required when the gross gamma activity rate, as indicated by the SJAE monitor, is ≥ 5000 pCi/second. The 31 day Frequency is adequate in view of other instrumentation that continuously monitor the offgas providing offgas isolation on excessive activity, and is acceptable, based on operating experience. The 5,000 pCi/second threshold level is an administrative control to reduce the number of unnecessary grab samples. This value is approximately 1% of the SJAE trip level setting and operating at or below the threshold level will ensure the site boundary annual radiation exposures remain within the 10 CFR 50, Appendix I guidelines (Ref. 4).

This SR is modified by a Note indicating that the SR is not required to be performed until 31 days after any main steam line is not isolated and the SJAE is in operation. Only in this condition can radioactive fission gases be in the Main Condenser SJAE Offgas System at significant rates.

REFERENCES 1. UFSAR, Section 11.4.7.2.

2. 10 CFR 100.
3. 10 CFR 50.36(c)(2)(ii).
4. 10 CFR 50, Appendix I.


Main Turbine Bypass System B 3.7.6 B 3.7 PLANT SYSTEMS B 3.7.6 Main Turbine Bypass System BASES BACKGROUND The Main Turbine Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during plant startup, sudden load reduction, and cooldown. It allows excess steam flow from the reactor to the condenser without going through the turbine. The bypass capacity of the system is 25% of the Nuclear Steam Supply System rated steam flow. Sudden load reductions within the capacity of the steam bypass can be accommodated without reactor scram. The Main Turbine Bypass System consists of four valves connected to the main steam lines between the main steam isolation valves and the turbine stop valve chest. Each of these four valves is operated by porting hydraulic fluid to the operating pistons through an electrically positioned servo valve. The bypass valves are controlled by the pressure regulation function of the Turbine Electro-Hydraulic Control (EHC) System, as discussed in the UFSAR, Section 7.11 (Ref. 1). The bypass valves are normally closed, and the EHC controls the turbine control valves that direct all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the EHC controls the system pressure by opening the bypass valves. When the bypass valves open, the steam flows from the bypass manifold, through each bypass valve and associated connecting piping, to a pressure reducer, where a series of orifices are used to further reduce the steam pressure before the steam enters the condenser.

APPLICABLE SAFETY ANALYSES The Main Turbine Bypass System is assumed to function during some transients, as discussed in the UFSAR, Section 14.5 (Ref. 2). Opening the bypass valves during the pressurization event mitigates the increase in reactor vessel pressure, which affects the MCPR during the event.

An inoperable Main Turbine Bypass System may result in MCPR or LHGR penalties. With an inoperable Main Turbine Bypass System, the feedwater controller failure event may become the limiting event.

The Main Turbine Bypass System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO The Main Turbine Bypass System is required to be OPERABLE to limit peak pressure in the main steam lines and maintain reactor pressure within acceptable limits during events that cause rapid pressurization, so that the Safety Limit MCPR is not exceeded. With the Main Turbine Bypass System inoperable, modifications to the MCPR operating limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and the LHGR limits (LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)") may be applied to allow this LCO to be met. The LHGR limit and MCPR operating limit for the inoperable Main Turbine Bypass System are specified in the COLR, if applicable. An OPERABLE Main Turbine Bypass System requires three of the four bypass valves to open in response to increasing main steam line pressure. This response is within the assumptions of the applicable analysis (Ref. 4).

APPLICABILITY The Main Turbine Bypass System is required to be OPERABLE at ≥ 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the applicable safety analyses. As discussed in the Bases for LCO 3.2.2 and LCO 3.2.3, sufficient margin to these limits exists at < 25% RTP. Therefore, these requirements are only necessary when operating at or above this power level.

ACTIONS A.1 If the Main Turbine Bypass System is inoperable (two or more bypass valves inoperable), and the LHGR limit and MCPR operating limit for an inoperable Main Turbine Bypass System, as specified in the COLR, are not applied, the assumptions of the design basis transient analysis may not be met. Under such circumstances, prompt action should be taken to restore the Main Turbine Bypass System to OPERABLE status or adjust the LHGR limit and MCPR operating limit accordingly. The 2 hour Completion Time is reasonable, based on the time to complete the Required Action and the low probability of an event occurring during this period requiring the Main Turbine Bypass System.

B.1 If the Main Turbine Bypass System cannot be restored to OPERABLE status or the LHGR limit and MCPR operating limit for an inoperable Main Turbine Bypass System are not applied, THERMAL POWER must be reduced to < 25% RTP. As discussed in the Applicability section, operation at < 25% RTP results in sufficient margin to the required limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the abnormal operational transients. The 4 hour Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.7.6.1 Cycling each required main turbine bypass valve through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will function when required.

The specified Frequency (prior to entering MODE 2 or 3 from MODE 4) is based on engineering judgment, is consistent with the procedural controls governing valve operation, ensures correct valve positions, and ensures the valves are OPERABLE prior to each reactor startup from MODE 4. Operating experience has shown that these components usually pass the SR when performed at the specified Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.

SR 3.7.6.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the required valves will actuate to their required position. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 24 month Frequency, which is based on the refueling cycle, is acceptable from a reliability standpoint.

SR 3.7.6.3 This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analysis. The response time limits are specified in the Technical Requirements Manual (Reference 5). The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 24 month Frequency, which is based on the refueling cycle, is acceptable from a reliability standpoint.

REFERENCES 1. UFSAR, Section 7.11.

2. UFSAR, Section 14.5.
3. 10 CFR 50.36(c)(2)(ii).
4. Supplemental Reload Licensing Report for James A. FitzPatrick (Revision specified in the COLR).
5. Technical Requirements Manual.


Spent Fuel Storage Pool Water Level B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Spent Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the spent fuel storage pool ensures that the assumptions of iodine decontamination factors following a refueling accident are met.

A general description of the spent fuel storage pool design is found in the UFSAR, Section 9.3 (Ref. 1). The assumptions of the refueling accident are found in the UFSAR, Section 14.6.1.4 (Ref. 2).

APPLICABLE SAFETY ANALYSES The water level above the irradiated fuel assemblies is an implicit assumption of the refueling accident. A refueling accident is evaluated to ensure that the radiological consequences (calculated whole body and thyroid doses at the exclusion area and low population zone boundaries) are ≤ 25% of 10 CFR 100 (Ref. 3) exposure guidelines NUREG-0800 (Ref. 4). A refueling accident could release a fraction of the fission product inventory by breaching the fuel rod cladding as discussed in the Regulatory Guide 1.25 (Ref. 5).

The refueling accident is evaluated for the dropping of an irradiated fuel assembly onto the reactor core. The consequences of a refueling accident over the spent fuel storage pool are no more severe than those of the refueling accident over the reactor core, as discussed in the UFSAR, Section 14.6.1.1 (Ref. 6). The water level in the spent fuel storage pool provides for absorption of water soluble fission product gases and transport delays of soluble and insoluble gases that must pass through the water before being released to the secondary containment atmosphere.

This absorption and transport delay reduces the potential radioactivity of the release during a refueling accident.

The spent fuel storage pool water level satisfies Criterion 2 and 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 7).

LCO The specified water level preserves the assumptions of the refueling accident analysis (Ref. 2). As such, it is the minimum required for fuel movement within the spent fuel storage pool.


APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the spent fuel storage pool since the potential for a release of fission products exists.

ACTIONS A.1 LCO 3.0.3 is not applicable while in MODE 4 and 5. However, because irradiated fuel assembly movement can occur in MODE 1, 2, or 3, Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown.

When the initial conditions for an accident cannot be met, action must be taken to preclude the accident from occurring. If the spent fuel storage pool level is less than required, the movement of irradiated fuel assemblies in the spent fuel storage pool is suspended immediately. Suspension of this activity shall not preclude completion of movement of an irradiated fuel assembly to a safe position. This effectively precludes a spent fuel handling accident from occurring.

SURVEILLANCE REQUIREMENTS SR 3.7.7.1 This SR verifies that sufficient water is available in the event of a refueling accident. The water level in the spent fuel storage pool must be checked periodically. The 7 day Frequency is acceptable, based on operating experience, considering that the water volume in the pool is normally stable, and all water level changes are controlled by plant procedures.

REFERENCES 1. UFSAR, Section 9.3.

2. UFSAR, Section 14.6.1.4.
3. 10 CFR 100.
4. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Section 15.7.4, Revision 1, Radiological Consequences of Fuel Handling Accident, July 1981.
5. Regulatory Guide 1.25, Assumptions Used for Evaluating The Potential Radiological Consequences Of A Fuel Handling Accident In The Fuel Handling And Storage Facility For Boiling And Pressurized Water Reactors, March 1972.
6. UFSAR, Section 14.6.1.1.
7. 10 CFR 50.36(c)(2)(ii).


AC Sources-Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources-Operating BASES BACKGROUND The AC Sources for the plant Class 1E AC Electrical Power Distribution System consist of the Main Generator (normal), 115 kV transmission network (reserve), 345 kV transmission network (backfeed, which is only available with the main generator offline and the links removed), and emergency diesel generators (EDGs) A, B, C, and D (onsite). As required by JAFNPP design criteria (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safeguards systems.

The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed.

Each load group has connections to the normal main generator source, two 115 kV transmission network sources through the associated reserve circuits, one EDG subsystem onsite source consisting of two EDGs, and the 345 kV transmission network backfeed (which is only available with the main generator offline and the links removed) source. However, neither the backfeed source nor the main generator source are considered a qualified offsite circuit.

Offsite power is supplied to the 115 kV and 345 kV switchyards from the transmission network by four transmission lines. The 115 kV switchyard is supplied by two independent 115 kV transmission lines and associated breakers. One transmission line, the Lighthouse Hill FitzPatrick line 3 (breaker 10022), connects the South 115 kV bus to the Lighthouse Hill substation. The other transmission line, Nine Mile-FitzPatrick line 4 (breaker 10012), connects the North 115 kV bus to the Nine Mile Point Unit One Nuclear Station 115 kV switchyard which is then connected to the South Oswego substation. The South 115 kV bus and the North 115 kV bus are connected by a normally closed electrically operated disconnect (10017). Each circuit breaker and disconnect is provided with two complete sets of protective relaying for tripping. In the event of a fault on a 115 kV bus the associated breaker and disconnect will open to de-energize the bus and isolate the faulted bus section. The 115 kV reserve power source is stepped down to 4.16 kV by Reserve Station Service Transformers (RSSTs) 71T-2 and 71T-3. RSST 71T-2 supplies 4.16 kV buses 10200, 10400, and 10600 for plant startup and shutdown. RSST 71T-3 supplies 4.16 kV buses 10100, 10300, and 10500 for plant startup and shutdown. The lines connecting the RSSTs to the 115 kV transmission lines are arranged so that a failure of either line does not result in the loss of the other line.

The 345 kV switchyard is connected to the Niagara Mohawk Power Corporation's Edic Substation and the Niagara Mohawk Power Corporation's Scriba Substation. The Main Generator provides power at 24 kV to two main transformers (T1A and T1B) connected in parallel, and to the Normal Station Service Transformer (NSST) 71T-4. NSST 71T-4 steps down voltage to supply power to the 4.16 kV buses 10100, 10200, 10300, 10400 and 10700. Normal (from the Main Generator) or reserve power is supplied to emergency buses 10500 and 10600 through tie connections from buses 10300 and 10400, respectively. If normal power from NSST 71T-4 is lost, the reserve power, RSSTs 71T-2 and 71T-3, will automatically energize all plant buses via the fast or residual transfer, except bus 10700. The only power source to bus 10700 is NSST 71T-4 because the bus has no connected loads necessary for startup or safe shutdown of the plant. If the RSSTs were to fail, the EDG subsystems would automatically energize their respective buses. The 345 kV switchyard is sometimes used to backfeed NSST 71T-4. This operation requires the main generator links to be manually disconnected and therefore can only be used during plant outages. A detailed description of the 115 kV and 345 kV transmission networks and the normal, reserve, and backfeed AC power supply circuits to the plant Class 1E emergency buses is found in the UFSAR, Chapter 8 (Ref. 2).

A qualified offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the 115 kV transmission network source to the plant Class 1E emergency bus or buses. During normal plant operation, with the main generator on line, emergency buses 10500 and 10600 are energized by the normal AC power source from NSST 71T-4 via buses 10300 and 10400, respectively. Loss or degradation of the normal AC power source results in an automatic fast transfer or automatic residual transfer to the reserve AC power source through RSSTs 71T-2 and 71T-3. Each RSST is sized to supply all loads on its associated emergency and non-emergency service buses.

The onsite standby AC power sources for 4.16 kV emergency buses 10500 and 10600 consist of two independent and redundant EDG subsystems that are self contained and independent of normal, backfeed, and reserve sources. Each EDG subsystem consists of two EDGs which operate in parallel and are dedicated to an emergency power division (1 or 2).

The Division 1 EDG subsystem consists of EDGs A and C and is dedicated to emergency bus 10500. The Division 2 EDG subsystem consists of EDGs B and D and is dedicated to emergency bus 10600. The EDGs start automatically on an emergency bus degraded voltage signal, an emergency bus undervoltage (LOP) signal, or a loss of coolant accident (LOCA) signal (i.e., low-low-low reactor water level signal or high drywell pressure signal). As a consequence of a LOP or degraded voltage signal, independent of or coincident with a LOCA signal, the emergency bus undervoltage control logic starts the EDGs. Coincident with the EDG starting and force paralleling, the emergency bus undervoltage control logic trips the 4.16 kV emergency bus tie breakers, trips the emergency bus load breakers (except for the 600 V emergency substations), and provides a close permissive signal to the EDG output breakers. The EDGs are automatically tied to their respective emergency buses and if a LOCA condition exists loads are sequentially connected to the emergency buses by the programmed restart time delay relays. The programmed restart time delay relays control the permissive and starting signals to motor breakers to prevent overloading the EDGs. On a LOCA signal alone the EDGs start, force parallel, and operate in the standby mode without tying to the emergency bus.

Certain required plant loads are returned to service in a predetermined sequence in the presence of a LOCA signal in order to prevent overloading of the EDGs in the process. Within approximately 27 seconds after the initiating signal is received, all automatic and permanently connected loads needed to recover the plant or maintain it in a safe condition are returned to service. While each emergency power division is designed to be supplied by an EDG pair, if an EDG were to fail during a LOCA event in conjunction with a LOP, the programmed restart logic will not start the second residual heat removal pump powered from the 4.16 kV emergency bus associated with the failed EDG so that the remaining EDG in that EDG subsystem is not overloaded.

Ratings for the EDGs satisfy the requirements of Safety Guide 9 (Ref. 3). EDGs A, B, C and D have the following ratings:

a. 2600 kW-continuous,
b. 2850 kW-2000 hours,
c. 2950 kW-160 hours,
d. 3050 kW-30 minutes.


APPLICABLE SAFETY ANALYSES The initial conditions of DBA and transient analyses in the UFSAR, Chapter 6 (Ref. 4) and Chapter 14 (Ref. 5), assume Engineered Safeguards systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to engineered safeguards systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling System (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the plant. This includes maintaining the onsite (EDGs) or qualified offsite AC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and
b. A worst case single active component failure.

AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 6).

LCO Two qualified circuits between the offsite transmission network and the plant Class 1E Distribution System and two separate and independent EDG subsystems each consisting of two EDGs ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA.

Qualified offsite circuits are those that are described in the UFSAR, and are part of the licensing basis for the plant.

Each qualified offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the emergency buses. Each qualified offsite circuit consists of the incoming disconnect device to reserve station service transformer (RSST) 71T-2 or 71T-3, the associated RSST, and the respective circuit path including feeder breakers to the 4.16 kV emergency bus 10500 or 10600. In addition, to ensure a fault on one qualified offsite circuit does not adversely impact the other qualified offsite circuit, the 115 kV North and South bus disconnect (10017) automatic opening feature must be OPERABLE if the disconnect is closed. If the automatic opening feature is inoperable, then one of the offsite circuits must be declared inoperable. In addition, due to the unique nature of this design, the automatic opening feature is periodically demonstrated in accordance with plant procedures.

Each EDG subsystem must be capable of starting, accelerating to rated speed and voltage, force paralleling and connecting to its respective emergency bus on detection of bus undervoltage. This sequence must be accomplished within 11 seconds. Each EDG subsystem must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the emergency buses. These capabilities are required to be met with the EDGs in standby condition.

Additional EDG capabilities must be demonstrated to meet required Surveillances, e.g., capability of each EDG subsystem to reject a load greater than or equal to the load of a core spray pump. Proper sequencing of loads, including tripping of nonessential loads, is a required function for EDG OPERABILITY.

The AC sources must be separate and independent (to the extent possible) of other AC sources. For the EDGs, the separation and independence are complete. For the qualified offsite AC sources, the separation and independence are to the extent practical. A qualified offsite circuit that is not connected to an emergency bus is required to have OPERABLE automatic transfer interlock mechanisms to its associated emergency bus to support OPERABILITY of that circuit.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and
b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 4 and 5 are covered in LCO 3.8.2, "AC Sources-Shutdown."

ACTIONS A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second offsite circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

A.2 Required Action A.2, which only applies if the division cannot be powered from an offsite source, is intended to provide assurance that an event with a coincident single active failure of the associated EDG subsystem does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has no power from an offsite circuit.

The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. The division has no offsite circuit OPERABLE to supply its loads; and
b. A redundant required feature on the other division is inoperable.


If, at any time during the existence of this Condition (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering no offsite power to one 4.16 kV emergency bus of the plant Class 1E Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with any other emergency bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the plant is subjected to transients associated with shutdown.

The remaining OPERABLE offsite circuit and EDGs are adequate to supply electrical power to the plant Class 1E Distribution System. Thus, on a component basis, single active failure protection may have been lost for the required feature's function; however, function is not lost.

The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

A.3 With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and EDGs are adequate to supply electrical power to the plant Class 1E Distribution System.

The 7 day Completion Time takes into account the redundancy, capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, an EDG subsystem is inoperable, and that EDG subsystem is subsequently restored OPERABLE, the LCO may already have been not met for up to 14 days. This situation could lead to a total of 21 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, an EDG subsystem could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 35 days) allowed prior to complete restoration of the LCO.

The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

Similar to Required Action A.2, the second Completion Time of Required Action A.3 allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

B.1 To ensure a highly reliable power source remains with one EDG subsystem inoperable, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.

B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG subsystem is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable EDG subsystem.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable EDG subsystem exists; and
b. A redundant required feature on the other division is inoperable.

If, at any time during the existence of this Condition (one EDG subsystem inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering one EDG subsystem inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE EDG subsystem results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the plant to transients associated with shutdown.

The remaining OPERABLE EDG subsystem and offsite circuits are adequate to supply electrical power to the plant Class 1E Distribution System. Thus, on a component basis, single active failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of the OPERABLE EDG subsystem. If it can be determined that the cause of the inoperable EDG subsystem does not exist on the OPERABLE EDG subsystem, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on the other EDG subsystem, the EDG subsystem is declared inoperable upon discovery, and Condition E of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied. If the cause of the initial inoperable EDG subsystem cannot be confirmed not to exist on the remaining EDG subsystem, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of the remaining EDG subsystem.

In the event the inoperable EDG subsystem is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition B.

According to Generic Letter 84-15 (Ref. 7), 24 hours is a reasonable time to confirm that the remaining OPERABLE EDG subsystem is not affected by the same problem as the inoperable EDG.

B.4 The design of the AC Sources allows operation to continue in Condition B for a period that should not exceed 14 days. In Condition B, the remaining OPERABLE EDG subsystem and offsite circuits are adequate to supply electrical power to the plant Class 1E Distribution System. The 14 day Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period. In addition, the 14 day completion time is based on a risk-informed assessment of the EDG subsystem inoperability. EDG subsystem inoperability and the simultaneous inoperability of other plant equipment is assessed in accordance with Specification 5.5.13, Configuration Risk Management Program (CRMP).

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored to OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 21 days, since initial failure of the LCO, to restore the EDG subsystem. At this time, an offsite circuit could again become inoperable, the EDG subsystem restored OPERABLE, and an additional 7 days (for a total of 28 days) allowed prior to complete restoration of the LCO. The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

Similar to Required Action B.2, the second Completion Time of Required Action B.4 allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

C.1 and C.2 Required Action C.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two offsite circuits.

Required Action C.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours from that allowed with one division without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that a Completion Time of 7 days for two required offsite circuits inoperable is acceptable based upon the assumption that two complete safety divisions are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are designed with redundant safety related divisions (i.e., single division systems are not included in the list). Redundant required features failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits.

The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. Both offsite circuits are inoperable; and
b. A redundant required feature is inoperable.

If, at any time during the existence of this Condition (two offsite circuits inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Operation may continue in Condition C for a period that should not exceed 7 days. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible reserve power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more EDG subsystems inoperable.

However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the offsite circuits inoperable, sufficient onsite AC sources are available to maintain the plant in a safe shutdown condition in the event of a DBA or transient.

In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single active component failure were postulated as a part of the design basis in the safety analysis. The 7 day Completion Time in Required Action C.2 provides a period of time to effect restoration of both offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

With both offsite circuits inoperable, operation may continue for 7 days. In this situation Conditions A and C must be entered concurrently. If both offsite circuits are restored within 7 days, unrestricted operation may continue.

If only one offsite source is restored within 7 days, entry into Condition F is required. If the offsite circuits were not found to be inoperable concurrently, the Completion Time of Required Action A.3 must be met for the first inoperable circuit in accordance with the guidance of Section 1.3 (Completion Times). This will ensure that the maximum time two offsite circuits could be inoperable simultaneously without entering Condition F is limited.

D.1 and D.2 Pursuant to LCO 3.0.6, the Distribution Systems-Operating ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any 4.16 kV emergency bus, ACTIONS for LCO 3.8.7, "Distribution Systems-Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of the offsite circuit and one EDG subsystem without regard to whether a division is de-energized.

LCO 3.8.7 provides the appropriate restrictions for a de-energized division.

According to recommendations in Regulatory Guide 1.93 (Ref. 8), operation may continue in Condition D for a period that should not exceed 12 hours. In Condition D, individual redundancy is lost in both the offsite power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period.

E.1 With two EDG subsystems inoperable, there is no remaining onsite AC source. Thus, with an assumed loss of offsite electrical power, insufficient onsite AC sources are available to power the minimum required engineered safeguards functions. Since the offsite electrical power system is the only source of AC power for the majority of engineered safeguards equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent Main Generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to the recommendations in Regulatory Guide 1.93 (Ref. 8), with both EDG subsystems inoperable, operation may continue for a period that should not exceed 2 hours.

F.1 and F.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

G.1 Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. Entry into Condition G is necessary when both offsite circuits and one EDG subsystem are inoperable (where the EDG subsystem is inoperable due to an inoperability of one or both EDGs within the EDG subsystem), both EDG subsystems and one offsite circuit are inoperable, or both offsite circuits and both EDG subsystems are inoperable. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The plant is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE REQUIREMENTS The AC sources are designed to permit inspection and testing of all important areas and features, especially those that have a standby function, in accordance with Reference 1. Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the EDG subsystems are in general conformance with the recommendations of Safety Guide 9 (Ref. 3), Regulatory Guide 1.108 (Ref. 9), and Regulatory Guide 1.137 (Ref. 10).

Where the SRs discussed herein specify steady state voltage and frequency tolerances, the following summary is applicable. The minimum steady state output voltage of 3900 V is approximately 94% of the nominal 4160 V output voltage. This value, which is slightly greater than that specified in ANSI C84.1 (Ref. 11), allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90% of name plate rating. The specified maximum steady state output voltage of 4400 V is equal to the maximum operating voltage specified for 4000 V motors.

It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages. The specified minimum and maximum frequencies of the EDG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations found in Safety Guide 9 (Ref. 3).

SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the plant distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that emergency buses and loads can be or are connected to their offsite power source and that appropriate independence of offsite circuits is maintained. Offsite circuit alignment verification can be accomplished by verifying that an offsite circuit bus is energized and that the status of offsite circuit supply breakers and disconnects displayed in the control room is correct. Offsite source power availability can be verified by communication with Niagara Mohawk for the Nine Mile Point Unit One switchyard, South Oswego substation, and Light House Hill substation. The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room. In addition, the Frequency is adequate since administrative controls are in place that require plant notification by Niagara Mohawk of distribution system problems that affect power availability.

SR 3.8.1.2 This SR helps to ensure the availability of the onsite electrical power supply to mitigate DBAs and transients and maintain the plant in a safe shutdown condition.

To minimize the wear on moving parts, this SR has been modified by a Note to indicate that all EDG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup prior to loading.

For the purposes of this testing, the EDGs are started from standby conditions. Standby conditions for an EDG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations.

This SR requires that, at a 31 day Frequency, the EDG subsystem starts from standby conditions, force parallels, and achieves required voltage and frequency within 10 seconds. The 10 second start requirement supports the assumptions in the design basis LOCA analysis of UFSAR, Section 6.5 (Ref. 12).

In addition to the SR requirements, the time for the EDG subsystem to reach steady state operation is periodically monitored and the trend evaluated to identify degradation of governor and voltage regulator performance.

The 31 day Frequency for SR 3.8.1.2 is consistent with Regulatory Guide 1.108 (Ref. 9). This Frequency provides adequate assurance of EDG subsystem OPERABILITY, while minimizing degradation resulting from testing.

SR 3.8.1.3 This SR verifies that the EDG subsystems are capable of synchronizing and accepting greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the EDG subsystem is paralleled with the normal, reserve or backfeed power source.

Although no power factor requirements are established by this SR, the EDG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation to ensure circulating currents are minimized.

The load band is provided to avoid routine overloading of the EDG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.

The 31 day Frequency for this Surveillance is consistent with Safety Guide 9 (Ref. 3).

Note 1 modifies this SR to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized.

Note 2 modifies this SR by stating that momentary transients because of changing bus loads do not invalidate this test.

Similarly, momentary power factor transients above the limit do not invalidate the test.

Note 3 indicates that this SR should be conducted on only one EDG subsystem at a time in order to avoid common cause failures that might result from normal, reserve or backfeed power source perturbations.

Note 4 stipulates a prerequisite requirement for performance of this SR. A successful EDG subsystem start must precede this test to credit satisfactory performance.

SR 3.8.1.4 This SR provides verification that the level of fuel oil in the day tank is at or above the level at which the low level alarm is annunciated. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for a minimum of 1.5 hours of EDG operation at full load.

The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and plant operators would be aware of any large uses of fuel oil during this period.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.

In addition, it eliminates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is consistent with Regulatory Guide 1.137 (Ref. 10). This SR is for preventive maintenance. The presence of water does not necessarily represent a failure of this SR provided that accumulated water is removed during performance of this Surveillance.

SR 3.8.1.6 This SR demonstrates that at least one fuel oil transfer pump associated with each OPERABLE EDG operates and automatically transfers fuel oil from its associated storage tank to its associated day tank. It is required to support continuous operation of onsite power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE for each EDG.

The Frequency for this SR is consistent with the Frequency for testing the EDG subsystem in SR 3.8.1.3. EDG operation for SR 3.8.1.3 is normally long enough that fuel oil level in the day tank will be reduced to the point where the fuel oil transfer pump automatically starts to restore fuel oil level in the day tank.

SR 3.8.1.7 Automatic residual transfer of each 4.16 kV emergency bus power supply from the normal (main generator) source (NSST 71T-4) to each offsite circuit demonstrates the OPERABILITY of the offsite circuit distribution network to power the shutdown loads. As Noted, the SR is only required to be met for each offsite circuit that is not energizing its respective 4.16 kV emergency bus (i.e., the bus is being energized by the NSST), since the automatic transfer must be OPERABLE when the 4.16 kV emergency bus is being supplied by the main generator. The 24 month Frequency of the Surveillance is based on engineering judgment taking into consideration the plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed on the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

In lieu of an actual automatic residual transfer, testing that adequately demonstrates the automatic residual transfer capability is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire automatic residual transfer function and emergency bus energization is verified.

SR 3.8.1.8 Each EDG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the EDG subsystem capability to reject the largest single load without exceeding a predetermined frequency and while maintaining a specified margin to the overspeed trip. The largest single load for each EDG subsystem is a core spray pump (1250 bhp). This Surveillance may be accomplished by:

a. Tripping the EDG output breakers with the EDG subsystem carrying greater than or equal to its associated single largest post-accident load while paralleled with normal, reserve, or backfeed power, or while solely supplying the bus; or
b. Tripping its associated single largest post-accident load with the EDG subsystem solely supplying the bus.

Consistent with Safety Guide 9 (Ref. 3), the load rejection test is acceptable if the diesel speed does not exceed the nominal (synchronous) speed plus 75% of the difference between nominal speed and the overspeed trip setpoint, or 115% of nominal speed, whichever is lower.

The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. In order to ensure that the EDG subsystem is tested under load conditions that are as close to design basis conditions as possible, the Note requires that, if paralleled with normal, reserve or backfeed power, testing must be performed using a power factor ≤ 0.9. This power factor is chosen to be representative of the actual design basis inductive loading that the EDG subsystem would experience. However, if the grid conditions do not permit, the power factor limit is not required to be met. In this condition the test is performed with a power factor as close to the design rating of the machine as practicable. This is permitted since, with a high grid voltage, it may not be possible to raise the EDG subsystem output voltage sufficiently to obtain the required power factor without creating an overvoltage condition on the emergency bus.

SR 3.8.1.9 Consistent with Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(1), this SR demonstrates the as designed operation of the onsite power sources due to an emergency bus loss of power (LOP) signal. This test verifies all actions required following receipt of the LOP signal, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the EDG subsystem. It further demonstrates the capability of the EDG subsystem to automatically achieve the required voltage and frequency within the specified time.

The EDG auto-start time of 11 seconds is derived from requirements of the accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.

The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the EDG subsystem loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation.

For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the EDG subsystem to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. The reason for the Note is to minimize the wear and tear on the EDGs during testing.

For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations.

(continued)

JAFNPP B 3.8.1-21 Revision 0

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.10 This SR demonstrates that the EDG subsystem automatically starts, force parallels and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operates for ≥ 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.10.d and SR 3.8.1.10.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on a LOCA signal without a LOP signal.

The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the EDG subsystem to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

In addition to the SR requirements, the time for the EDG subsystem to reach steady state operation is periodically monitored and the trend evaluated to identify degradation of governor and voltage regulator performance.

The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.

This SR is modified by a Note. The reason for the Note is to minimize the wear and tear on the EDGs during testing.

For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations.

(continued)

JAFNPP B 3.8.1-22 Revision 0

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.11 Consistent with IEEE-387 (Ref. 13), Section 7.5.9 and Table 3, this SR requires demonstration that the EDGs can run continuously at full load capability for an interval of not less than 8 hours, 6 hours of which is at a load equivalent to 90-100% of the continuous rating of the EDG, and 2 hours of which is at a load equivalent to 105% to 110% of the continuous duty rating of the EDG. The EDG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

In order to ensure that the EDG subsystem is tested under load conditions that are as close to design conditions as possible, testing must be performed using a power factor ≤ 0.9. This power factor is chosen to be representative of the actual design basis inductive loading that the EDG subsystem could experience. A load band is provided to avoid routine overloading of the EDG subsystem. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.

The 24 month Frequency is consistent with the recommendations of IEEE-387 (Ref. 13), Section 7.5.9 and Table 3 which takes into consideration plant conditions required to perform the Surveillance; and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by two Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test.

Note 2 is provided in recognition that when grid conditions do not permit, the power factor limit is not required to be met. In this condition, the test is performed with a power factor as close to the design rating of the machine as practicable. This is permitted since, with a high grid voltage it may not be possible to raise the EDG output voltage sufficiently to obtain the required power factor without creating an overvoltage condition on the emergency bus.

(continued)

JAFNPP B 3.8.1-23 Revision 0

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.12 In the event of a DBA coincident with an emergency bus loss of power signal, the EDGs are required to supply the necessary power to Engineered Safeguards systems so that the fuel, RCS, and containment design limits are not exceeded.

This SR demonstrates EDG subsystem operation, as discussed in the Bases for SR 3.8.1.9, during an emergency bus LOP signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG subsystem to perform these functions is acceptable.

This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 24 months.

This SR is modified by a Note. The reason for the Note is to minimize the wear and tear on the EDGs during testing.

For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations.

SR 3.8.1.13 Under accident conditions loads are sequentially connected to the bus by the individual time delay relays. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the EDGs due to high motor starting currents. The minimum load sequence time interval tolerance ensures that sufficient time exists for the EDG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding engineered safeguards equipment time delays are not violated. There is no upper limit for the load sequence time interval since, for a single load interval (i.e., the time between two load blocks), the capability of the EDG to restore frequency and voltage prior to applying the second load is not negatively affected by a longer than designed load interval, and if there are additional load blocks (i.e., the design includes multiple load intervals), then the lower limit requirements will ensure that sufficient time exists for the EDG to restore frequency and voltage prior to applying the remaining load blocks (i.e., all load intervals must be greater than or equal to the minimum design interval).

(continued)

JAFNPP B 3.8.1-24 Revision 0

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.13 (continued)

The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with expected fuel cycle lengths.

REFERENCES

1. UFSAR, Section 16.6.
2. UFSAR, Chapter 8.
3. Safety Guide 9, Selection Of Diesel Generator Set Capacity For Standby Power Supplies, March 1971.
4. UFSAR, Chapter 6.
5. UFSAR, Chapter 14.
6. 10 CFR 50.36(c)(2)(ii).
7. Generic Letter 84-15, Proposed Staff Actions To Improve And Maintain Diesel Generator Reliability, July 1984.
8. Regulatory Guide 1.93, Availability Of Electric Power Sources, December 1974.
9. Regulatory Guide 1.108, Revision 1, Periodic Testing of Diesel Generator Units Used As Onsite Electric Power Systems At Nuclear Power Plants, August 1977.
10. Regulatory Guide 1.137, Revision 1, Fuel-Oil Systems for Standby Diesel Generators, October 1979.
11. ANSI C84.1, Voltage Ratings for Electric Power Systems and Equipment, 1982.
12. UFSAR, Section 6.5.
13. IEEE-387, IEEE Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations, 1995.

JAFNPP B 3.8.1-25 Revision 0

AC Sources - Shutdown B 3.8.2

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.2 AC Sources - Shutdown

BASES

BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources-Operating." In addition to the reserve AC sources described in LCO 3.8.1, during plant shutdown with the main generator off line, the plant emergency buses may be supplied using the 345 kV (backfeed) AC source. The 345 kV backfeed requires removing the main generator disconnect links that tie the main generator to the 24 kV bus, and providing power from the 345 kV transmission network to energize the main transformers (TIA and TIB), 24 kV bus, normal station service transformer (NSST) 71T-4, and subsequent 4.16 kV distribution and emergency buses. However, the backfeed AC Source is not considered a qualified offsite circuit.

APPLICABLE SAFETY ANALYSES The OPERABILITY of the minimum AC sources during MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the plant status; and
c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

In general, when the plant is shutdown the Technical Specifications requirements ensure that the plant has the capability to mitigate the consequences of postulated accidents. However, assuming a single active component failure and concurrent loss of all offsite or loss of all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Postulated worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor coolant pressure boundary (RCPB), reactor coolant temperature and pressure, and corresponding stresses result in the probabilities of occurrences significantly reduced or eliminated, and minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

(continued)

JAFNPP B 3.8.2-1 Revision 0

AC Sources - Shutdown B 3.8.2 BASES APPLICABLE SAFETY ANALYSES (continued)

During MODES 1, 2, and 3, various deviations from the analysis assumptions and design requirements are allowed within the ACTIONS. This allowance is in recognition that certain testing and maintenance activities must be conducted, provided an acceptable level of risk is not exceeded. During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required. In MODES 4 and 5, the activities are generally planned and administratively controlled. Relaxations from typical MODES 1, 2, and 3 LCO requirements are acceptable during shutdown MODES, based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as an economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operation MODE analyses, or both.
c. Prudent consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODES 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary for avoiding immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (emergency diesel generator (EDG)) power.

The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 1).

LCO One qualified offsite circuit capable of supplying one division of the plant Class 1E AC power distribution subsystem(s) of LCO 3.8.8, "Distribution Systems - Shutdown," and one qualified offsite circuit, which may be the same circuit required above, capable of supplying the other division of the plant Class 1E AC power distribution subsystem(s) when a second division is required by LCO 3.8.8, ensures that all required loads are powered from offsite power. An OPERABLE EDG subsystem, associated with a 4.16 kV emergency bus required OPERABLE by LCO 3.8.8, ensures that a diverse power source is available for providing electrical power support assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and EDG subsystem ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and reactor vessel draindown). Automatic initiation of the required EDG during shutdown conditions is specified in LCO 3.3.5.1, "ECCS Instrumentation," and LCO 3.3.8.1, "LOP Instrumentation."

(continued)

JAFNPP B 3.8.2-2 Revision 0

AC Sources - Shutdown B 3.8.2 BASES LCO (continued)

The qualified offsite circuit(s) must be capable of maintaining rated frequency and voltage while connected to its respective 4.16 kV emergency bus(es), and of accepting required loads during an accident. Qualified offsite circuits are those that are described in LCO 3.8.1 Bases and the UFSAR and are part of the licensing basis for the plant.

However, since the plant is shutdown, when two offsite circuits are required, they may share one of the incoming switchyard breakers provided the North and South bus disconnect is closed. Also, while in this condition, the automatic opening feature of the disconnect is not required to be OPERABLE. This is allowed since the two offsite circuits are not required to be independent while shutdown.

The required EDG subsystem must be capable of starting, accelerating to rated speed and voltage, force paralleling, and connecting to its respective emergency bus on detection of bus undervoltage. This sequence must be accomplished within 11 seconds. The required EDG subsystem must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the emergency buses.

These capabilities are required to be met with the EDG subsystem in standby condition.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for EDG subsystem OPERABILITY. The necessary portions of the Emergency Service Water System and Ultimate Heat Sink are also required to provide appropriate cooling to the required EDG subsystem. In addition, proper sequence operation is an integral part of offsite circuit OPERABILITY since its inoperability impacts the ability to start and maintain energized loads required OPERABLE by LCO 3.8.8.

(continued)

JAFNPP B 3.8.2-3 Revision 0

AC Sources - Shutdown B 3.8.2 BASES LCO (continued)

No automatic transfer capability is required for offsite circuits to be considered OPERABLE.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment to provide assurance that:

a. Systems providing adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the plant in a cold shutdown condition or refueling condition.

AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1.

ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1, 2, or 3 would require the unit to be shutdown unnecessarily.

A.1 An offsite circuit is considered inoperable if it is not available to one required 4.16 kV emergency bus. If two 4.16 kV emergency buses are required per LCO 3.8.8, one division with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel.

(continued)

JAFNPP B 3.8.2-4 Revision 0

AC Sources - Shutdown B 3.8.2 BASES ACTIONS A.1 (continued)

By the allowance of the option to declare required features inoperable with no offsite power, appropriate restrictions can be implemented in accordance with the affected required feature(s) LCOs' ACTIONS.

A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 With an offsite circuit not available to all required 4.16 kV emergency buses, the option still exists to declare all required features inoperable per Required Action A.1.

Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required EDG subsystem inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and activities that could result in inadvertent draining of the reactor vessel.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the plant safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with no AC power to any required 4.16 kV emergency bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A to provide requirements for the loss of an offsite circuit whether or not a division is de-energized. LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized division.

JAFNPP B 3.8.2-5 Revision 0

AC Sources - Shutdown B 3.8.2 BASES

SURVEILLANCE REQUIREMENTS

SR 3.8.2.1

SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, and 3. SR 3.8.1.7 is not required to be met since the main generator is not used to provide AC power while shutdown. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.

This SR is modified by two Notes. The reason for Note 1 is to preclude requiring the OPERABLE EDG subsystem from being paralleled with the reserve power network or otherwise rendered inoperable during the performance of SRs, and to preclude de-energizing a required 4.16 kV emergency bus or disconnecting a required reserve circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required reserve circuit and EDG subsystem. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the EDG subsystem and reserve circuit is required to be OPERABLE.

Note 2 states that SRs 3.8.1.10 and 3.8.1.12 are not required to be met when its associated ECCS subsystem(s) are not required to be OPERABLE. These SRs demonstrate the EDG response to an ECCS signal (either alone or in conjunction with a loss of power signal). This is consistent with the ECCS instrumentation requirements that do not require the ECCS signal when the ECCS System is not required to be OPERABLE per LCO 3.5.2, "ECCS-Shutdown."

REFERENCES 1. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.8.2-6 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air

BASES

BACKGROUND Each emergency diesel generator (EDG) subsystem is provided with two fuel oil storage tanks. Each storage tank has a fuel oil capacity sufficient to operate one EDG for a period of 7 days while the EDG is supplying full load. The maximum post loss of coolant accident (LOCA) load demand discussed in UFSAR, Section 8.6.2 (Ref. 1) is calculated using the assumption that at least two EDGs are operating. This onsite fuel oil capacity is sufficient to operate the EDGs for longer than the time to replenish the onsite supply from outside sources.

Normally fuel oil is transferred from storage tanks to day tanks by either of two transfer pumps associated with each storage tank. In addition the fuel oil transfer pumps can be manually aligned to permit fuel oil transfer, within the EDG subsystem, from either of the two fuel oil storage tanks to either of the two fuel oil day tanks. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank to result in the loss of more than one EDG. All fuel oil storage tanks are located underground. Fuel oil day tanks and transfer pumps are located in the associated EDG room.

For proper operation of the EDGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195 (Ref. 3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (absolute specific gravity or API gravity), and impurity level.

The EDG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated EDG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. The onsite storage in addition to the engine oil sump is sufficient to ensure 7 days' continuous operation.

This supply is sufficient to operate the EDGs for longer than the time to replenish the onsite lube oil supply from outside sources.

(continued)

JAFNPP B 3.8.3-1 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES BACKGROUND (continued)

Each EDG has an air start system with adequate capacity for five successive starts on the EDG without recharging or realigning the air start receivers. Each EDG air start system consists of piping and valves which supply all associated EDG air start motors simultaneously when aligned to one of two sets of 5 air start receivers.

APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in UFSAR, Chapter 14 (Ref. 4), assume Engineered Safeguards systems are OPERABLE. The EDGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to Engineered Safeguards systems so that fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.

Since diesel fuel oil, lube oil, and starting air subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality. Additionally, sufficient lube oil supply must be available to ensure the capability to operate at full load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of EDGs required to shut down the reactor and to maintain it in a safe condition for an abnormal operational transient or a postulated DBA with loss of power. EDG day tank fuel oil requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."

The starting air system is required to have a minimum capacity for five successive EDG starts without recharging or realigning the air start receivers.

APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA. Because stored diesel fuel oil, lube oil, and starting air subsystems support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting air are required to be within limits when the associated EDG subsystem is required to be OPERABLE.

JAFNPP B 3.8.3-2 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES

ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each EDG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable EDG. Complying with the Required Actions for one inoperable EDG may allow for continued operation, and subsequent inoperable EDG(s) governed by separate Condition entry and application of associated Required Actions.

A.1 With fuel oil level < 32,000 gallons in a storage tank, the 7 day fuel oil supply for an EDG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply (28,000 gallons).

These circumstances may be caused by events such as:

a. Full load operation required for an inadvertent start while at minimum required level; or
b. Feed and bleed operations that may be necessitated by increasing particulate levels or any number of other oil quality degradations.

This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of the fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the EDG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that action will be initiated to obtain replenishment, and the low probability of an event during this brief period.

(continued)

JAFNPP B 3.8.3-3 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS B.1 (continued)

With lube oil inventory < 168 gal, sufficient lube oil to support 7 days of continuous EDG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time for obtaining the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the EDG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that action will be initiated to obtain replenishment, and the low probability of an event during this brief period.

C.1 This Condition is entered as a result of a failure to meet the acceptance criterion for particulates. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend.

Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, since particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and since proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated EDG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the EDG fuel oil.

D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combination of these procedures. Even if an EDG start and load was required during this time interval and the fuel oil properties were outside limits, there is high likelihood that the EDG would still be capable of performing its intended function. If the new fuel oil has not yet been added to the fuel oil storage tanks, entry into this condition is not necessary.

(continued)

JAFNPP B 3.8.3-4 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS (continued)

E.1 With required starting air receiver pressure < 150 psig, sufficient capacity for five successive EDG starts does not exist. However, as long as the receiver pressure is ≥ 110 psig, there is adequate capacity for at least one start, and the EDG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the EDG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most EDG starts are accomplished on the first attempt, and the low probability of an event during this brief period.

F.1 With a Required Action and associated Completion Time of Condition A, B, C, D, or E not met, or the stored diesel fuel oil, lube oil, or starting air subsystem not within limits for reasons other than addressed by Conditions A, B, C, D, or E, the associated EDG may be incapable of performing its intended function and must be immediately declared inoperable.

SURVEILLANCE REQUIREMENTS SR 3.8.3.1 This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support each EDG's operation for 7 days at full load. The 7 day period is sufficient time to place the plant in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since plant operators would be aware of any large uses of fuel oil during this period.

SR 3.8.3.2 This SR ensures that sufficient lubricating oil inventory is available to support at least 7 days of full load operation for each EDG. The 168 gal requirement is based on the EDG manufacturer's consumption values for the run time of the EDG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the EDG, when the EDG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer's recommended minimum level.

A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since EDG starts and run time are closely monitored by the plant staff.

SR 3.8.3.3 The tests of new fuel oil prior to addition to the storage tanks are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between the sample (and corresponding test results) of new fuel and addition of new fuel oil to the storage tanks to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:

a. Sample the new fuel oil in accordance with ASTM D4057-1995 (Ref. 6);
b. Verify in accordance with the tests specified in ASTM D975-1995 (Ref. 6) that the sample has an absolute specific gravity at 60/60°F of ≥ 0.83 and ≤ 0.89 or an API gravity at 60°F of ≥ 27° and ≤ 39°, a kinematic viscosity at 40°C of ≥ 1.9 centistokes and ≤ 4.1 centistokes, and a flash point of ≥ 125°F; and
c. Verify that the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176-1993 (Ref. 6).

Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO since the fuel oil is not added to the storage tanks.

Following the initial new fuel oil sample, the fuel oil is analyzed within 31 days following addition of the new fuel oil to the fuel oil storage tanks to establish that the other properties specified in Table 1 of ASTM D975-1995 (Ref. 6) are met for new fuel oil when tested in accordance with ASTM D975-1995 (Ref. 6), except that the analysis for sulfur may be performed in accordance with ASTM D1552-1995 (Ref. 6) or ASTM D2622-1994 (Ref. 6). The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on EDG operation. This Surveillance ensures the availability of high quality fuel oil for the EDGs.

Fuel oil degradation during long term storage shows up as an increase in particulate concentration, mostly due to oxidation. The presence of particulates does not mean that the fuel oil will not burn properly in a diesel engine. The particulates can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.

Particulate concentrations should be determined in accordance with ASTM D6217-1998 (Ref. 6), except that the specified filters may be replaced with filters up to 3.0 microns. This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing.

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.

SR 3.8.3.4 This SR ensures that, without the aid of the refill compressor, sufficient air start capacity for each EDG is available. The system design requirements provide for a minimum of five engine start cycles without recharging or realigning air start receivers. For the purposes of the air start system, a start cycle is defined as the period required from a start signal until the engine speed reaches 200 rpm (the point at which the air start system valves are signaled to close). The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished.

The 31 day Frequency takes into account the capacity, capability, redundancy, and diversity of the AC sources and other indications available in the control room, including alarms, to alert the operator to below normal air start pressure.

SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.

In addition, it eliminates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent with Regulatory Guide 1.137 (Ref. 2) as supplemented by ANSI N195 (Ref. 3). This SR is for preventive maintenance.

The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance.

REFERENCES 1. UFSAR, Section 8.6.2.

2. Regulatory Guide 1.137, Revision 1, Fuel-Oil Systems For Standby Diesel Generators, October 1979.
3. ANSI N195, Appendix B, 1976.
4. UFSAR, Chapter 14.
5. 10 CFR 50.36(c)(2)(ii).
6. ASTM Standards: D4057-1995, Standard Practice for Manual Sampling of Petroleum and Petroleum Products; D975-1995, Standard Specification for Diesel Fuel Oils; D4176-1993, Standard Test Method for Free Water and Particulate Contamination in Distillate Fuels (Visual Inspection Procedures); D1552-1995, Standard Test Method for Sulfur in Petroleum Products (High Temperature Method); D2622-1994, Standard Test Method for Sulfur in Petroleum Products by X-Ray Spectrometry; and D6217-1998, Standard Test Method for Particulate Contamination in Middle Distillate Fuels by Laboratory Filtration.


DC Sources-Operating B 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources-Operating BASES BACKGROUND The plant DC electrical power system consists of the Class 1E 125 VDC Power System and the 419 VDC low pressure coolant injection (LPCI) MOV independent power supply subsystems.

The 125 VDC Power System provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment. As required by JAFNPP design criteria (Ref. 1), the 125 VDC Power System is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The 125 VDC Power System also conforms to the recommendations of Safety Guide 6 (Ref. 2) and IEEE-308 (Ref. 3).

The 125 VDC power sources provide both motive and control power to selected safety related equipment, as well as circuit breaker control power for the nonsafety related 4160 V and selected 600 V AC distribution systems. Each 125 VDC subsystem is energized by one 125 VDC battery and one 125 VDC battery charger. Each battery is exclusively associated with a single 125 VDC bus. Each battery charger is exclusively associated with a 125 VDC subsystem and cannot be interconnected with any other 125 VDC subsystem.

The chargers are supplied from the same AC load groups for which the associated 125 VDC subsystem supplies the control power. The loads between the redundant 125 VDC subsystems are not transferable except for the Automatic Depressurization System (ADS). The ADS valve solenoids are normally fed from the Division 1 125 VDC subsystem and the Division 2 125 VDC subsystem provides a backup. In addition, the Division 1 125 VDC subsystem provides a backup to the Division 2 ADS logic circuits.

The 419 VDC low pressure coolant injection (LPCI) MOV independent power supply subsystems provide the 600 VAC LPCI Independent Power Supply System with a reliable source of power to operate the motor operated valves associated with the LPCI subsystems and provide power to one RCIC pump enclosure exhaust fan via the 600 VAC LPCI independent power supply inverters and associated distribution system. The requirements of these inverters are specified in LCO 3.5.1, "ECCS-Operating." The 419 VDC LPCI MOV independent power supply system consists of two subsystems.

Each 419 VDC LPCI MOV independent power supply subsystem is energized by the associated 419 VDC battery or the associated 419 VDC rectifier/charger. Each battery and rectifier/charger is exclusively associated with a 419 VDC LPCI MOV independent power supply subsystem and cannot be interconnected with the other 419 VDC LPCI MOV independent power supply subsystem.

During normal operation, the DC loads are powered from the battery chargers with the batteries floating on the system.

In cases where momentary loads are greater than the charger capability, or battery charger output voltage is low, or on loss of normal power to the battery charger, the DC loads are automatically powered from the batteries. Also, on a LPCI automatic actuation signal, the 419 VDC rectifier/charger AC input breakers will open and the 600 VAC LPCI independent power supply inverters will be powered from the 419 VDC LPCI MOV independent power supply batteries.

The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution System-Operating," and LCO 3.8.8, "Distribution System-Shutdown."

Each 125 VDC battery has adequate storage capacity to carry the required load continuously for approximately 2 hours (Ref. 4). Each 419 VDC LPCI MOV independent power supply battery has adequate storage capacity for one repositioning of the LPCI subsystem motor operated valves (MOVs) on its respective MOV bus.

Each 125 VDC and 419 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from its redundant subsystem to ensure that a single failure in one subsystem does not cause a failure in the redundant subsystem. There is no sharing between redundant subsystems such as batteries, battery chargers, or distribution panels.

The 125 VDC batteries are sized to supply associated DC loads required for safe shutdown of the plant, following abnormal operational transients and postulated accidents, until AC power sources are restored (Ref. 4). The 419 VDC batteries are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. The minimum design voltage limit for each 125 VDC battery is 105 VDC.

The minimum design voltage limit of each 419 VDC LPCI MOV independent power supply battery is 325.5 VDC.

Each 125 VDC and 419 VDC battery charger has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each 125 VDC battery charger has sufficient capacity to restore the battery after discharging through its duty cycle to its fully charged state while supplying normal control loads (Ref. 4).

APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 5) and Chapter 14 (Ref. 6), assume that Engineered Safeguards systems are OPERABLE. The 125 VDC Power System provides normal and emergency DC electrical power for the EDGs, emergency auxiliaries, and control and switching during all MODES of operation. The 419 VDC LPCI MOV independent power supplies provide normal and emergency power for LPCI MOVs during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the plant. This includes maintaining DC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all normal and reserve AC power or all onsite AC power; and
b. A worst case single failure.

The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 7).

LCO The 125 VDC and 419 VDC LPCI MOV independent power supply subsystems-with each subsystem consisting of one battery, one battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus-are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. Loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 3).

APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure safe plant operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and

b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 4 and 5 and other specified conditions in which the DC electrical power sources are required are addressed in LCO 3.8.5, "DC Sources-Shutdown."

ACTIONS A.1 Condition A represents one division of the 125 VDC Power System with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for complete loss of 125 VDC power to the affected division. The 8 hour limit is consistent with the allowed time for an inoperable DC Distribution System division.

If one of the required 125 VDC power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger, or inoperable battery charger and associated inoperable battery), the remaining 125 VDC power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could, however, result in the loss of minimum necessary 125 VDC power subsystems to mitigate a worst case accident, continued power operation should not exceed 8 hours. The 8 hour Completion Time reflects a reasonable time to assess plant status as a function of the inoperable 125 VDC power subsystem and, if the 125 VDC power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe plant shutdown.

B.1 and B.2 If the 125 VDC power subsystem cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time to bring the plant to MODE 4 is consistent with the time required in Regulatory Guide 1.93 (Ref. 8).

C.1 If one or both 419 VDC LPCI MOV independent power supply subsystems are inoperable (e.g., inoperable battery, inoperable battery charger, or inoperable battery charger and associated inoperable battery), the associated LPCI subsystem may be incapable of performing its intended function and must be immediately declared inoperable. This declaration also requires entry into applicable Conditions and Required Actions for an inoperable LPCI subsystem, LCO 3.5.1.

SURVEILLANCE REQUIREMENTS SR 3.8.4.1 Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the connected loads and the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations.

The 7 day Frequency is conservative when compared with manufacturer recommendations and IEEE-450 (Ref. 9).

SR 3.8.4.2 Battery charger capability requirements are based on the design capacity of the chargers (Ref. 3). According to UFSAR, Section 8.7 (Ref. 4), the battery charger is sized to restore the battery after discharging through its duty cycle to the fully charged state, while supplying the normal control loads. The minimum required amperes and duration ensures that these requirements can be satisfied.

The Frequency is acceptable, given the plant conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance during these 24 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.

SR 3.8.4.3 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length correspond to the design duty cycle requirements.

The Frequency of 24 months is acceptable, given plant conditions required to perform the test and the other requirements existing to ensure adequate battery performance during this 24 month interval. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.

A modified performance discharge test may be performed in lieu of a service test. This substitution is acceptable because a modified performance discharge test represents a more severe test of battery capacity than the service test.

The modified performance discharge test is a complete test which envelopes both the service test and the performance discharge test requirements. The modified performance discharge test discharge current envelopes the peak duty cycle loads of the service test followed by a constant discharge current (temperature corrected) for the performance discharge test. Since the ampere-hours removed by peak duty cycle loads represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.

The purpose of the modified performance discharge test is to demonstrate the battery has sufficient capacity to meet the system design requirements and to provide trendable performance data to compare the available capacity in the battery to previous capacity test results. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required 125 VDC power subsystem from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, or 3 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, or 3. Risk insights or deterministic methods may be used for this assessment. Credit may be taken for unplanned events that satisfy the Surveillance.

SR 3.8.4.4 A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity determined by the acceptance test.

The test is intended to determine overall battery degradation due to age and usage.

A battery modified performance discharge test is described in the Bases for SR 3.8.4.3. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.4; however, only the modified performance discharge test may be used to satisfy SR 3.8.4.4 while satisfying the requirements of SR 3.8.4.3 at the same time.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9). This reference recommends that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The Frequency for this test is normally 60 months. If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity ≥ 100% of the manufacturer's rating.

Degradation is indicated, according to IEEE-450 (Ref. 9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is below 90% of the manufacturer's rating. All these Frequencies are consistent with the recommendations in IEEE-450 (Ref. 9).

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required 125 VDC power subsystem from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, or 3 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, or 3. Risk insights or deterministic methods may be used for this assessment. Credit may be taken for unplanned events that satisfy the Surveillance.

REFERENCES 1. UFSAR, Section 16.6.

2. Safety Guide 6, Independence Between Redundant Standby (Onsite) Power Sources And Between Their Distribution Systems, March 1971.
3. IEEE Standard 308, IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations, 1971.
4. UFSAR, Section 8.7.
5. UFSAR, Chapter 6.
6. UFSAR, Chapter 14.
7. 10 CFR 50.36(c)(2)(ii).
8. Regulatory Guide 1.93, Availability Of Electric Power Sources, December 1974.
9. IEEE Standard 450, IEEE Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead Acid Batteries for Stationary Applications, 1995.


DC Sources-Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources-Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources-Operating."

APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 14 (Ref. 2), assume that Engineered Safeguards systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the emergency diesel generators (EDGs), emergency auxiliaries, and control and switching during all MODES of operation and during movement of irradiated fuel assemblies in the secondary containment.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the plant status; and
c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a refueling accident.

In general, when the unit is shutdown, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The shutdown Technical Specification requirements are designed to ensure that the unit has the capability to mitigate the consequences of certain postulated accidents.

Worst case Design Basis Accidents which are analyzed for operating MODES are generally viewed not to be a significant concern during shutdown MODES due to the lower energies involved. The Technical Specifications therefore require a lesser complement of electrical equipment to be available during shutdown than is required during operating MODES.

More recent work completed on the potential risks associated with shutdown, however, has found significant risk associated with certain shutdown evolutions. As a result, in addition to the requirements established in the Technical Specifications, the industry has adopted NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," as an Industry initiative to manage shutdown tasks and associated electrical support to maintain risk at an acceptable low level. This may require the availability of additional equipment beyond that required by the shutdown Technical Specifications.

The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO One 125 VDC electrical power subsystem consisting of one 125 V battery, one battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus is required to be OPERABLE to support one DC distribution subsystem required OPERABLE by LCO 3.8.8, "Distribution Systems-Shutdown." This requirement ensures the availability of sufficient DC electrical power sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., refueling accidents and inadvertent reactor vessel draindown).


APPLICABILITY

The DC electrical power sources required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;
b. Required features needed to mitigate a fuel handling accident are available;
c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the plant in a cold shutdown condition or refueling condition.

The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4.

ACTIONS

LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Entering LCO 3.0.3 while in MODE 1, 2, or 3 would require the unit to be shut down unnecessarily.

A.1, A.2.1, A.2.2, A.2.3, and A.2.4

By allowance of the option to declare required features inoperable with the associated DC electrical power subsystem inoperable, appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS. However, in many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel).


Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystem and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

SURVEILLANCE REQUIREMENTS

SR 3.8.5.1

SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.4. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.

This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC electrical power subsystem from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 14.
3. 10 CFR 50.36(c)(2)(ii).


B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.6 Battery Cell Parameters

BASES

BACKGROUND

This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC electrical power subsystems batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown."

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in UFSAR, Chapter 6 (Ref. 1) and Chapter 14 (Ref. 2), assume Engineered Safeguards systems are OPERABLE. The DC electrical power subsystems provide normal and emergency DC electrical power for the emergency diesel generators (EDGs), emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the plant as discussed in the Bases for LCO 3.8.4 and LCO 3.8.5.

Since battery cell parameters support the operation of the DC electrical power subsystems, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO

Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA.

Electrolyte limits are conservatively established, allowing continued DC electrical system function even with Category A and B limits not met.

APPLICABILITY

The battery cell parameters are required solely for the support of the associated DC electrical power subsystem. Therefore, these battery cell parameters are only required when the associated DC electrical power subsystem is required to be OPERABLE. Refer to the Applicability discussions in Bases for LCO 3.8.4 and LCO 3.8.5.


ACTIONS

The ACTIONS Table is modified by a Note which indicates that separate Condition entry is allowed for each battery. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DC subsystem. Complying with the Required Actions for one inoperable DC subsystem may allow for continued operation, and subsequent inoperable DC subsystems are governed by separate Condition entry and application of associated Required Actions.

A.1, A.2, and A.3

With parameters of one or more cells in one or more batteries not within limits (i.e., Category A limits not met or Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1, the battery is degraded but there is still sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met, and continued operation is permitted for a limited period.

The pilot cell(s) electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour (Required Action A.1). This check provides a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cell(s). One hour is considered a reasonable amount of time to perform the required verification.

Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function. A period of 24 hours is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable. The verification is repeated at 7 day intervals until the parameters are restored to Category A and B limits. This periodic verification is consistent with the guidance provided in IEEE-450 (Ref. 4) of monitoring battery conditions at regular intervals (not to exceed one week) while completing corrective actions.


Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. Taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable for operation prior to declaring the DC batteries inoperable.

B.1

When any battery parameter is outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not ensured and the corresponding DC electrical power subsystem must be declared inoperable. Additionally, other potential conditions, such as any Required Action of Condition A and associated Completion Time not met, or average electrolyte temperature of representative cells < 65°F for each 125 VDC battery, or < 50°F for each 419 VDC LPCI MOV independent power supply battery, also are cause for immediately declaring the associated DC electrical power subsystem inoperable.

SURVEILLANCE REQUIREMENTS

SR 3.8.6.1

This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 4), which recommends regular battery inspections (at least one per month) including voltage, specific gravity, and electrolyte temperature of pilot cells.

SR 3.8.6.2

The quarterly inspection of specific gravity and voltage is consistent with IEEE-450 (Ref. 4), which recommends augmentation of the battery inspections conducted in SR 3.8.6.1 at least once per quarter by checking voltage, specific gravity and electrolyte temperature.


SR 3.8.6.3

This Surveillance verification that the average electrolyte temperature of representative cells (10% of total) is within limits is consistent with a recommendation of IEEE-450 (Ref. 4) that states that the temperature of electrolyte in representative cells should be determined on a quarterly basis.

Lower than normal electrolyte temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an acceptable operating range, based on assumptions in the battery sizing analyses.

Table 3.8.6-1

This Table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each category is discussed below.

Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery.

The Category A limits specified for electrolyte level are based on manufacturer's recommendations and are consistent with the guidance in IEEE-450 (Ref. 4), with the extra ¼ inch allowance above the high water level indication for operating margin to account for temperature and charge effects. In addition to this allowance, footnote (a) to Table 3.8.6-1 permits the electrolyte level to be temporarily above the specified maximum level during and, for a limited time, following an equalizing charge (normally up to 3 days following the completion of an equalization charge to allow electrolyte stabilization), provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE-450 (Ref. 4) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours.


The Category A limit specified for float voltage is ≥ 2.13 V per cell. This value is based on the recommendation of IEEE-450 (Ref. 4), which states that prolonged operation of cells below 2.13 V can reduce the life expectancy of cells.

The Category A limit specified for specific gravity for each pilot cell is ≥ 1.195 (0.020 below the manufacturer's fully charged nominal specific gravity or a battery charging current that had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity.

According to IEEE-450 (Ref. 4), the specific gravity readings are based on a temperature of 77°F (25°C).

The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3°F below 77°F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation. Level correction will be in accordance with manufacturer's recommendations.

Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any battery cell that may be jumpered out.

The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is ≥ 1.195 (0.020 below the manufacturer's fully charged, nominal specific gravity) with the average of all connected cells 1.205 (0.010 below the manufacturer's fully charged, nominal specific gravity). These values are based on manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that a cell with a marginal or unacceptable specific gravity is not masked by averaging with cells having higher specific gravities.

Category C defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C limits, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable.


The Category C limit specified for electrolyte level (above the top of the plates and not overflowing) ensures that the plates suffer no physical damage and maintain adequate electron transfer capability. The Category C limit for voltage is based on IEEE-450 Appendix C (Ref. 4), which states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement.

The Category C limit on average specific gravity, ≥ 1.195, is based on manufacturer's recommendations (0.020 below the manufacturer's recommended fully charged, nominal specific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that a cell with a marginal or unacceptable specific gravity is not masked by averaging with cells having higher specific gravities.

The footnotes to Table 3.8.6-1 that apply to specific gravity are applicable to Category A, B, and C specific gravity. Footnote (b) of Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current, while on float charge, is < 2 amps for 125 VDC batteries and < 1.0 amp for 419 VDC LPCI MOV independent power supply batteries. This current provides, in general, an indication of acceptable overall battery condition.

Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charging current is an acceptable alternative to specific gravity measurement for determining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE-450 (Ref. 4). Footnote (c) to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 7 days following a battery recharge. Within 7 days, each connected cell's specific gravity must be measured to confirm the state of charge. Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity gradients are not significant, and confirming measurements may be made in less than 7 days.


REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 14.
3. 10 CFR 50.36(c)(2)(ii).
4. IEEE Standard 450, IEEE Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead Acid Batteries for Stationary Applications, 1995.


B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.7 Distribution Systems - Operating

BASES

BACKGROUND

The plant Class 1E AC and 125 VDC electrical power distribution system is divided into redundant and independent AC and 125 VDC electrical power distribution subsystems.

The primary AC distribution system consists of two 4.16 kV emergency buses each having an offsite source of power as well as a dedicated onsite emergency diesel generator (EDG) source. Each 4.16 kV emergency bus is normally connected to the normal station service transformer (71T-4). During a loss of the normal power source to the 4.16 kV emergency buses, each emergency bus will be automatically transferred to its associated reserve station service transformer (71T-2 or 71T-3). The normal and reserve sources feed their associated 4.16 kV emergency bus via a non-emergency bus and the associated breakers. If both normal and reserve sources are unavailable, the onsite EDGs supply power to the 4.16 kV emergency buses.

The secondary plant distribution system includes 600 VAC emergency buses, and associated load centers, and transformers.

There are two independent 125 VDC electrical power distribution subsystems that support the necessary power for engineered safeguards functions.

The list of required distribution buses is presented in Table B 3.8.7-1.

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 14 (Ref. 2), assume engineered safeguards systems are OPERABLE. The AC and 125 VDC electrical power distribution subsystems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to Engineered Safeguards systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.


The OPERABILITY of the AC and 125 VDC electrical power distribution subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the plant. This includes maintaining distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all reserve power or all onsite AC electrical power; and
b. A worst case single active component failure.

The AC and 125 VDC electrical power distribution subsystems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO

The required electrical power distribution subsystems listed in Table B 3.8.7-1 ensure the availability of AC and 125 VDC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. The AC and 125 VDC electrical power distribution subsystems are required to be OPERABLE.

Maintaining the Division 1 and Division 2 AC and 125 VDC electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of Engineered Safeguards systems is not defeated. Therefore, a single active component failure within any system or a single failure within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

OPERABLE AC electrical power distribution subsystems require the associated buses and electrical circuits to be energized to their proper voltages. OPERABLE 125 VDC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger.

Based on the number of safety significant electrical loads associated with each bus listed in Table B 3.8.7-1, if one or more of the buses becomes inoperable, entry into the appropriate ACTIONS of LCO 3.8.7 is required. Other buses, such as motor control centers (MCC) and distribution panels, which help comprise the AC and 125 VDC distribution systems are not listed in Table B 3.8.7-1. The loss of electrical loads associated with these buses may not result in a complete loss of redundant safety function necessary to shut down the reactor and maintain it in a safe condition.


Therefore, should one or more of these buses become inoperable due to failure not affecting the OPERABILITY of a bus listed in Table B 3.8.7-1 (e.g., a breaker supplying a single MCC fails open), the individual loads on the bus would be considered inoperable, and the appropriate Conditions and Required Actions of the LCOs governing the individual loads would be entered. However, if one or more of these buses is inoperable due to a failure also affecting the OPERABILITY of a bus listed in Table B 3.8.7-1 (e.g., loss of a 4.16 kV emergency bus, which results in de-energization of all buses powered from the 4.16 kV emergency bus), then although the individual loads are still considered inoperable, the Conditions and Required Actions of the LCO for the individual loads are not required to be entered, since LCO 3.0.6 allows this exception (i.e., the loads are inoperable due to the inoperability of a support system governed by a Technical Specification; the 4.16 kV emergency bus).

In addition, tie breakers between redundant safety related AC and 125 VDC power distribution subsystems must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers between redundant safety related AC or 125 VDC power distribution subsystems are closed, the electrical power distribution subsystem that is not being powered from its normal source (i.e., it is being powered from its redundant electrical power distribution subsystem) is considered inoperable. This applies to the onsite, safety related, redundant electrical power distribution subsystems.

APPLICABILITY

The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and
b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.


Electrical power distribution subsystem requirements for MODES 4 and 5 and other conditions in which AC and 125 VDC electrical power distribution subsystems are required are covered in the Bases for LCO 3.8.8, "Distribution Systems - Shutdown."

ACTIONS

A.1

With one or more required AC electrical power distribution subsystems inoperable and a loss of function has not occurred, the remaining AC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required engineered safeguards functions not being supported. Therefore, the required AC electrical power distribution subsystems must be restored to OPERABLE status within 8 hours.

The Condition A worst scenario is one division without AC power (i.e., no reserve or normal power to the division and the associated EDG subsystem inoperable). In this Condition, the plant is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the plant operators' attention be focused on minimizing the potential for loss of power to the remaining division by stabilizing the plant, and on restoring power to the affected division.

The 8 hour time limit before requiring a plant shutdown in this Condition is acceptable because of:

a. The potential for decreased safety if the plant operators' attention is diverted from the evaluations and actions necessary to restore power to the affected division to the actions associated with taking the plant to shutdown within this time limit.
b. The low potential for an event in conjunction with a single failure of a redundant component in the division with AC power. (The redundant component is verified OPERABLE in accordance with Specification 5.5.12, "Safety Function Determination Program (SFDP).")

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a 125 VDC bus is inoperable and subsequently returned OPERABLE, this LCO may already have been not met for up to 8 hours. This situation could lead to a total duration of 16 hours, since initial failure of the LCO, to restore the AC electrical power distribution system. At this time a 125 VDC bus could again become inoperable, and the AC electrical power distribution system could be restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This results in establishing the "time zero" at the time this LCO was initially not met, instead of at the time Condition A was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

B.1

With one 125 VDC electrical power distribution subsystem inoperable, the remaining 125 VDC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining 125 VDC electrical power distribution subsystem could result in the minimum required engineered safeguards functions not being supported. Therefore, the required 125 VDC electrical power distribution subsystem must be restored to OPERABLE status within 8 hours by powering the bus from the associated battery or charger.

Condition B represents one division without adequate 125 VDC power, potentially with both a battery significantly degraded and the associated charger nonfunctioning. In this situation the plant is significantly more vulnerable to a complete loss of all 125 VDC power. It is, therefore, imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for loss of power to the remaining divisions, and restoring power to the affected division.


This 8 hour limit is more conservative than Completion Times allowed for the majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate 125 VDC power, which would have Required Action Completion Times shorter than 8 hours, is acceptable because of:

a. The potential for decreased safety when requiring a change in plant conditions (i.e., requiring a shutdown) while not allowing stable operations to continue;
b. The potential for decreased safety when requiring entry into numerous applicable Conditions and Required Actions for components without 125 VDC power, while not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected division;
c. The potential for an event in conjunction with a single failure of a redundant component.

The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 8 hours. This situation could lead to a total duration of 16 hours, since initial failure of the LCO, to restore the 125 VDC electrical power distribution subsystem. At this time, an AC bus could again become inoperable, and 125 VDC electrical power distribution could be restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This allowance results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time Condition B was entered. The 16 hour Completion Time is an acceptable limitation on this potential of failing to meet the LCO indefinitely.


C.1 and C.2

If the inoperable distribution subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 Condition D corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost. When more than one AC or 125 VDC electrical power distribution subsystem is lost, and this results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation.

LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

SURVEILLANCE REQUIREMENTS SR 3.8.7.1 This Surveillance verifies that the AC and 125 VDC electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical buses are maintained, and the appropriate voltage is available to each required bus.

The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the AC and 125 VDC electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES 1. UFSAR, Chapter 6.
2. UFSAR, Chapter 14.
3. 10 CFR 50.36(c)(2)(ii).

Table B 3.8.7-1 (page 1 of 1)
AC and 125 VDC Electrical Power Distribution Systems

TYPE | VOLTAGE | DIVISION 1* | DIVISION 2*
AC safety buses | 4160 V | Emergency Bus 10500 | Emergency Bus 10600
AC safety buses | 600 V | Load Centers 11500, 12500 | Load Centers 11600, 12600
125 VDC buses | 125 VDC | Bus 71BCB-2A | Bus 71BCB-2B

* Each division of the AC and 125 VDC electrical power distribution systems is a subsystem.

B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.8 Distribution Systems - Shutdown
BASES
BACKGROUND A description of the AC and 125 VDC electrical power distribution system is provided in the Bases for LCO 3.8.7, "Distribution Systems - Operating."

APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 14 (Ref. 2), assume Engineered Safeguards systems are OPERABLE. The AC and 125 VDC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to Engineered Safeguards systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC and 125 VDC electrical power distribution systems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC and 125 VDC electrical power sources and associated power distribution subsystems during MODES 4 and 5, and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the plant status; and
c. Adequate power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

The AC and 125 VDC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of Technical Specification required systems, equipment, and components, both specifically addressed by their own LCO, and implicitly required by the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown).

APPLICABILITY The AC and 125 VDC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core in case of an inadvertent draindown of the reactor vessel;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the plant in a cold shutdown condition or refueling condition.

The AC and 125 VDC electrical power distribution subsystem requirements for MODES 1, 2, and 3 are covered in LCO 3.8.7.

ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Entering LCO 3.0.3 while in MODE 1, 2, or 3 would require the unit to be shut down unnecessarily.

A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5

Although redundant required features may require redundant divisions of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem division may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel.

By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made, (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel).

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and 125 VDC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems.

Notwithstanding performance of the above conservative Required Actions, a required residual heat removal-shutdown cooling (RHR-SDC) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR-SDC ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring RHR-SDC inoperable, which results in taking the appropriate RHR-SDC ACTIONS.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power.

SURVEILLANCE REQUIREMENTS SR 3.8.8.1 This Surveillance verifies that the AC and 125 VDC electrical power distribution subsystems are functioning properly, with the buses energized. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the electrical power distribution subsystems, as well as other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES 1. UFSAR, Chapter 6.
2. UFSAR, Chapter 14.
3. 10 CFR 50.36(c)(2)(ii).

B 3.9 REFUELING OPERATIONS
B 3.9.1 Refueling Equipment Interlocks
BASES
BACKGROUND Refueling equipment interlocks restrict the operation of the refueling equipment or the withdrawal of control rods to reinforce plant procedures that prevent the reactor from achieving criticality during refueling. The refueling interlock circuitry senses the conditions of the refueling equipment and the control rods. Depending on the sensed conditions, interlocks are actuated to prevent the operation of the refueling equipment or the withdrawal of control rods.

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The control rods, when fully inserted, serve as the system capable of maintaining the reactor subcritical in cold conditions during all fuel movement activities and accidents.

Two channels of instrumentation are provided to sense the full insertion of all control rods. One channel of instrumentation is provided to sense the position of the refueling platform, the loading of the refueling platform fuel grapple, the loading of the refueling platform frame mounted hoist, the loading of the refueling platform trolley mounted (monorail) hoist, and the fuel grapple in the not fully up position. With the reactor mode switch in the shutdown or refueling position, the indicated conditions are combined in logic circuits to establish appropriate restrictions on refueling equipment operations and control rod movement.

A control rod not at its full-in position disables the control circuitry permissive to the refueling equipment to prevent operating the equipment near or over the reactor core when loaded with a fuel assembly or if the fuel grapple is not fully up. Conversely, with the refueling platform near or over the core and loaded with fuel or with the fuel grapple not fully up, a control rod withdrawal block is inserted in the Reactor Manual Control System to prevent withdrawing a control rod.

The refueling platform has two mechanical switches that open before the platform or any of its hoists are physically located over the reactor vessel. However, only one of these switches provides input to the required refueling interlock circuitry with the reactor mode switch in the refuel position. Each control rod full-in position channel provides input to two all-rods-in channels. Both all-rods-in channels must register for the refueling interlock circuitry to indicate the all-rods-in condition. All refueling hoists have switches that open when the hoists are loaded with fuel. The hoist switches open at a load lighter than the weight of a single fuel assembly in water. In addition, a switch will open if the fuel grapple is not fully up.

The refueling interlocks use these indications to prevent operation of the refueling equipment near or over the core with fuel loaded or the fuel grapple not fully up whenever any control rod is withdrawn, or to prevent control rod withdrawal whenever the refueling equipment is near or over the core and loaded with fuel or the fuel grapple is not fully up (Ref. 2).
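The two-way interlock described above can be checked as a small state model. The Python sketch below is an added illustration, not plant logic or anything taken from the UFSAR; the function names, the three-bit plant state, ideal sensors, and the guard on taking on a load over the core are assumptions made for the example.

```python
# Added illustration: a toy state model of the refueling interlock logic.
# Not plant logic. Names, the three-bit state and ideal sensors are assumptions.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class InterlockInputs:
    all_rods_in_ch_a: bool           # all-rods-in channel A registers
    all_rods_in_ch_b: bool           # all-rods-in channel B registers
    platform_near_core: bool         # platform position switch: near or over core
    grapple_fuel_loaded: bool
    frame_hoist_fuel_loaded: bool
    trolley_hoist_fuel_loaded: bool
    grapple_not_full_up: bool


def all_rods_in(i):
    # Both channels must register before the circuitry indicates all-rods-in.
    return i.all_rods_in_ch_a and i.all_rods_in_ch_b


def load_condition(i):
    # Any hoist loaded with fuel, or the fuel grapple not fully up.
    return (i.grapple_fuel_loaded or i.frame_hoist_fuel_loaded
            or i.trolley_hoist_fuel_loaded or i.grapple_not_full_up)


def equipment_permissive(i):
    # A rod not full-in removes the permissive for operating loaded
    # equipment near or over the core.
    return all_rods_in(i) or not load_condition(i)


def rod_withdrawal_block(i):
    # Loaded equipment near or over the core inserts a rod withdrawal block.
    return i.platform_near_core and load_condition(i)


def sense(state):
    # Ideal sensors (assumption): inputs reflect the true plant state.
    rod_out, near_core, loaded = state
    return InterlockInputs(not rod_out, not rod_out, near_core,
                           loaded, False, False, False)


def next_states(state, interlocks_enabled=True):
    """States reachable by one operator action; each action flips one bit."""
    rod_out, near_core, loaded = state
    i = sense(state)
    out = []
    # Inserting a rod is always allowed; withdrawing requires no rod block.
    if rod_out or not (interlocks_enabled and rod_withdrawal_block(i)):
        out.append((not rod_out, near_core, loaded))
    # Moving away from the core is always allowed; approaching needs the permissive.
    if near_core or not interlocks_enabled or equipment_permissive(i):
        out.append((rod_out, not near_core, loaded))
    # Unloading is always allowed; taking on a load over the core needs the
    # permissive evaluated for the loaded condition (modelling assumption).
    would_be = sense((rod_out, near_core, True))
    if loaded or not (interlocks_enabled and near_core
                      and not equipment_permissive(would_be)):
        out.append((rod_out, near_core, not loaded))
    return out


def is_hazard(state):
    # Hazard: a rod withdrawn while loaded equipment is near or over the core.
    rod_out, near_core, loaded = state
    return rod_out and near_core and loaded


def hazard_reachable(interlocks_enabled=True):
    """Breadth-first search from the safe start state for any hazard state."""
    start = (False, False, False)
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        if is_hazard(state):
            return True
        for nxt in next_states(state, interlocks_enabled):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


if __name__ == "__main__":
    print("hazard reachable with interlocks:", hazard_reachable(True))
    print("hazard reachable without interlocks:", hazard_reachable(False))
```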

APPLICABLE SAFETY ANALYSES The refueling interlocks are explicitly assumed in the UFSAR analyses for the control rod withdrawal error during refueling (Ref. 3) and the fuel assembly insertion error during refueling (Ref. 4). These analyses evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn.

A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.

Criticality and, therefore, subsequent prompt reactivity excursions are prevented during the insertion of fuel, provided all control rods are fully inserted during the fuel insertion. The refueling interlocks accomplish this by preventing loading of fuel into the core with any control rod withdrawn or by preventing withdrawal of a rod from the core during fuel loading.

The refueling platform location switches activate at a point outside of the reactor core such that, with a fuel assembly loaded and a control rod withdrawn, the fuel is not over the core.

Refueling equipment interlocks satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO To prevent criticality during refueling, the refueling equipment interlocks associated with the reactor mode switch in the refuel position ensure that fuel assemblies are not loaded into the core with any control rod withdrawn.

To prevent these conditions from developing, the all-rods-in, the refueling platform position, the refueling platform fuel grapple fuel loaded, the refueling platform trolley mounted (monorail) hoist fuel loaded, the refueling platform frame mounted hoist fuel loaded, and the refueling platform fuel grapple not full up position inputs are required to be OPERABLE. These inputs are combined in logic circuits, which provide refueling equipment control circuitry permissive interruptions or control rod blocks to prevent operations that could result in criticality during refueling operations.

APPLICABILITY In MODE 5, a prompt reactivity excursion could cause fuel damage and subsequent release of radioactive material to the environment. The refueling equipment interlocks protect against prompt reactivity excursions during MODE 5. The interlocks are required to be OPERABLE during in-vessel fuel movement with refueling equipment associated with the interlocks when the reactor mode switch is in the refuel position. The interlocks are not required when the reactor mode switch is in the shutdown position because a control rod block (LCO 3.3.2.1, "Control Rod Block Instrumentation") ensures control rod withdrawal cannot occur simultaneously with in-vessel fuel movements.

In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and fuel loading activities are not possible.

Therefore, the refueling interlocks are not required to be OPERABLE in these MODES.

ACTIONS A.1, A.2.1, and A.2.2 With one or more of the required refueling equipment interlocks inoperable, the plant must be placed in a condition in which the LCO does not apply or the Surveillances are not needed. This can be performed by ensuring fuel assemblies are not moved in the reactor vessel or by ensuring that the control rods are inserted and cannot be withdrawn. Therefore, Required Action A.1 requires that in-vessel fuel movement with the affected refueling equipment must be immediately suspended. This action ensures that operations are not performed with equipment that would potentially not be blocked from unacceptable operations (e.g., loading fuel into a cell with a control rod withdrawn). Suspension of in-vessel fuel movement shall not preclude completion of movement of a component to a safe position.

Alternately, Required Actions A.2.1 and A.2.2 require that a control rod withdrawal block be inserted and that all control rods are subsequently verified to be fully inserted.

Required Action A.2.1 ensures that no control rods can be withdrawn. This action ensures that control rods cannot be inappropriately withdrawn because an electrical or hydraulic block to control rod withdrawal is in place. Required Action A.2.2 is performed after placing the rod withdrawal block in effect. This verification that all control rods are fully inserted is in addition to the periodic verifications required by SR 3.9.3.1 and SR 3.10.6.2. Like Required Action A.1, Required Actions A.2.1 and A.2.2 ensure that unacceptable operations are blocked (e.g., loading fuel into a cell with the control rod withdrawn).

SURVEILLANCE REQUIREMENTS SR 3.9.1.1 Performance of a CHANNEL FUNCTIONAL TEST demonstrates each required refueling equipment interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested.

The 7 day Frequency is based on engineering judgment and is considered adequate in view of other indications of refueling interlocks and their associated input status that are available to plant operations personnel.

REFERENCES 1. UFSAR, Section 16.6.
2. UFSAR, Section 7.6.3.
3. UFSAR, Section 14.5.4.3.
4. UFSAR, Section 14.5.4.4.
5. 10 CFR 50.36(c)(2)(ii).

B 3.9 REFUELING OPERATIONS
B 3.9.2 Refuel Position One-Rod-Out Interlock
BASES
BACKGROUND The refuel position one-rod-out interlock restricts the movement of control rods to reinforce plant procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn except as allowed by LCO 3.10.6, "Multiple Control Rod Withdrawal - Refueling".

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.

The refuel position one-rod-out interlock prevents the selection of a second control rod for movement when any other control rod is not fully inserted (Ref. 2). It is a logic circuit that has redundant channels. It uses the all-rods-in signal (from the control rod full-in position indicators discussed in LCO 3.9.4, "Control Rod Position Indication") and a rod selection signal (from the Reactor Manual Control System).

This Specification ensures that the performance of the refuel position one-rod-out interlock in the event of a Design Basis Accident meets the assumptions used in the safety analysis of Reference 3.

APPLICABLE SAFETY ANALYSES The refueling position one-rod-out interlock is explicitly assumed in the UFSAR analysis for the control rod withdrawal error during refueling (Ref. 3). This analysis evaluates the consequences of control rod withdrawal during refueling.

A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.

The refuel position one-rod-out interlock and adequate SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), prevent criticality.

The interlock prevents withdrawal of more than one control rod and adequate SDM ensures that the core will remain subcritical with the highest worth control rod fully withdrawn, thereby preventing any prompt critical excursion.

The refuel position one-rod-out interlock satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO To prevent criticality during MODE 5, the refuel position one-rod-out interlock ensures no more than one control rod may be withdrawn. Both channels of the refuel position one-rod-out interlock are required to be OPERABLE and the reactor mode switch must be locked in the refuel position to support the OPERABILITY of these channels.

APPLICABILITY In MODE 5, with the reactor mode switch in the refuel position, the OPERABLE refuel position one-rod-out interlock provides protection against prompt reactivity excursions.

In MODES 1, 2, 3, and 4, the refuel position one-rod-out interlock is not required to be OPERABLE and is bypassed.

In MODES 1 and 2, the Reactor Protection System (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation") and the control rods (LCO 3.1.3, "Control Rod OPERABILITY") provide mitigation of potential reactivity excursions. In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1, "Control Rod Block Instrumentation") ensures all control rods are inserted, thereby preventing criticality during shutdown conditions.

ACTIONS A.1 and A.2 With one or both channels of the refueling position one-rod-out interlock inoperable, the refueling interlocks may not be capable of preventing more than one control rod from being withdrawn. This condition may lead to criticality.

Control rod withdrawal must be immediately suspended, and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all such control rods are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted.

SURVEILLANCE REQUIREMENTS SR 3.9.2.1 Proper functioning of the refueling position one-rod-out interlock requires the reactor mode switch to be in the refuel position. During control rod withdrawal in MODE 5, improper positioning of the reactor mode switch could, in some instances, allow improper bypassing of required interlocks. Therefore, this Surveillance imposes an additional level of assurance that the refueling position one-rod-out interlock will be OPERABLE when required. By "locking" the reactor mode switch in the proper position (i.e., removing the reactor mode switch key from the console while the reactor mode switch is positioned in refuel), an additional administrative control is in place to preclude operator errors from resulting in unanalyzed operation.

The Frequency of 12 hours is sufficient in view of other administrative controls utilized during refueling operations to ensure safe operation.

SR 3.9.2.2 Performance of a CHANNEL FUNCTIONAL TEST on each channel demonstrates the associated refuel position one-rod-out interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested. The 7 day Frequency is considered adequate because of demonstrated circuit reliability, procedural controls on control rod withdrawals, and visual and audible indications available in the control room to alert the operator to control rods not fully inserted. To perform the required testing, the applicable condition must be entered (i.e., a control rod must be withdrawn from its full-in position). Therefore, SR 3.9.2.2 has been modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 1 hour after any control rod is withdrawn.

REFERENCES 1. UFSAR, Section 16.6.
2. UFSAR, Section 7.6.3.
3. UFSAR, Section 14.5.4.3.
4. 10 CFR 50.36(c)(2)(ii).

B 3.9 REFUELING OPERATIONS
B 3.9.3 Control Rod Position
BASES
BACKGROUND Control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the Reactor Manual Control System. During refueling, movement of control rods is limited by the refueling interlocks (LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") or the control rod block with the reactor mode switch in the shutdown position (LCO 3.3.2.1, "Control Rod Block Instrumentation").

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.

The refueling interlocks allow a single control rod to be withdrawn at any time unless fuel is being loaded into the core. To preclude loading fuel assemblies into the core with a control rod withdrawn, all control rods must be fully inserted (Ref. 2), except as allowed by LCO 3.10.6, "Multiple Control Rod Withdrawal-Refueling". This precludes criticality during refueling operations.

APPLICABLE SAFETY ANALYSES Prevention and mitigation of prompt reactivity excursions during refueling are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1).

The safety analysis for the control rod removal error during refueling in the UFSAR (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. Thus, prior to fuel reload, all control rods must be fully inserted to minimize the probability of an inadvertent criticality.

Control rod position satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO All control rods must be fully inserted during applicable refueling conditions to minimize the probability of an inadvertent criticality during refueling.

APPLICABILITY During MODE 5, loading fuel into core cells with control rods withdrawn may result in inadvertent criticality.

Therefore, the control rods must be inserted before loading fuel into a core cell. All control rods must be inserted before loading fuel to ensure that a fuel loading error does not result in loading fuel into a core cell with the control rod withdrawn.

In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and no fuel loading activities are possible. Therefore, this Specification is not applicable in these MODES.

ACTIONS A.1 With all control rods not fully inserted during the applicable conditions, an inadvertent criticality could occur that is not analyzed in the UFSAR. All fuel loading operations must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE REQUIREMENTS SR 3.9.3.1 During refueling, to ensure that the reactor remains subcritical, all control rods must be fully inserted prior to and during fuel loading. Periodic checks of the control rod position ensure this condition is maintained.

The 12 hour Frequency takes into consideration the procedural controls on control rod movement during refueling as well as the redundant functions of the refueling interlocks.

REFERENCES 1. UFSAR, Section 16.6.
2. UFSAR, Section 14.5.4.3.
3. UFSAR, Section 14.5.4.4.
4. 10 CFR 50.36(c)(2)(ii).

B 3.9 REFUELING OPERATIONS
B 3.9.4 Control Rod Position Indication
BASES
BACKGROUND The full-in position indication channel (i.e., the full-in switch providing the green full-in light) for each control rod provides necessary information to the refueling interlocks to prevent inadvertent criticalities during refueling operations. During refueling, the refueling interlocks (LCO 3.9.1, "Refueling Equipment Interlocks" and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") use the full-in position indication channel to limit the operation of the refueling equipment and the movement of the control rods. The absence of the full-in position channel signal for any control rod removes the all-rods-in permissive for the refueling equipment interlocks and prevents fuel loading. Also, this condition causes the refuel position one-rod-out interlock to not allow the withdrawal of any other control rod.

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.

APPLICABLE SAFETY ANALYSES Prevention and mitigation of prompt reactivity excursions during refueling are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation").

The safety analysis for the control rod withdrawal error during refueling (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. The full-in position indication channel is required to be OPERABLE so that the refueling interlocks can ensure that fuel cannot be loaded with any control rod withdrawn and that no more than one control rod can be withdrawn at a time.

Control rod position indication satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO Each control rod full-in position indication channel must be OPERABLE to provide the required input to the refueling interlocks. A channel is OPERABLE if it provides correct position indication to the refueling interlock logic.

APPLICABILITY During MODE 5, the control rods must have OPERABLE full-in position indication channels to ensure the applicable refueling interlocks will be OPERABLE.

In MODES 1 and 2, requirements for control rod position are specified in LCO 3.1.3, "Control Rod OPERABILITY." In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions.

ACTIONS A Note has been provided to modify the ACTIONS related to control rod position indication channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable control rod position indication channels provide appropriate compensatory measures for separate inoperable channels. As such, this Note has been provided, which allows separate Condition entry for each inoperable required control rod position indication channel.

A.1.1, A.1.2, A.1.3, A.2.1, and A.2.2 With one or more full-in position indication channels inoperable, compensating actions must be taken to protect against potential reactivity excursions from fuel assembly insertions or control rod withdrawals. This may be accomplished by immediately suspending in-vessel fuel movement and control rod withdrawal, and immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies.

Actions must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted. Suspension of in-vessel fuel movements and control rod withdrawal shall not preclude moving a component to a safe position.

Alternatively, actions must be immediately initiated to fully insert the control rod(s) associated with the inoperable full-in position indicator(s) and disarm (electrically or hydraulically) the drive(s) to ensure that the control rod is not withdrawn. A control rod can be hydraulically disarmed by closing the drive water and exhaust water valves. A control rod can be electrically disarmed by disconnecting power from all four directional control valve solenoids. Actions must continue until all associated control rods are fully inserted and drives are disarmed. Under these conditions (control rod fully inserted and disarmed), an inoperable full-in channel may be bypassed to allow refueling operations to proceed. An alternate method must be used to ensure the control rod is fully inserted (e.g., use the "00" notch position indication).

SURVEILLANCE REQUIREMENTS SR 3.9.4.1 The full-in position indication channels provide input to the one-rod-out interlock and other refueling interlocks that require an all-rods-in permissive. The interlocks are actuated when the full-in position indication for any control rod is not present, since this indicates that all rods are not fully inserted. Therefore, testing of the full-in position indication channels is performed to ensure that when a control rod is withdrawn, the full-in position indication is not present. Note that failure to indicate full-in when the control rod is not withdrawn results in conservative actuation of the one-rod-out interlock, and therefore, is not explicitly required to be verified by this SR. The full-in position indication channel is considered inoperable even with the control rod fully inserted, if it would continue to indicate full-in with the control rod withdrawn. Performing the SR each time a control rod is withdrawn is considered adequate because of the procedural controls on control rod withdrawals and the visual indications and alarms available in the control room to alert the operator to control rods not fully inserted.

REFERENCES
1. UFSAR, Section 16.6.
2. UFSAR, Section 14.5.4.3.
3. UFSAR, Section 14.5.4.4.
4. 10 CFR 50.36(c)(2)(ii).

B 3.9 REFUELING OPERATIONS

B 3.9.5 Control Rod OPERABILITY-Refueling

BASES

BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes during refueling operation. In addition, the control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System.

UFSAR, Section 16.6, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).

The CRD System is the system capable of maintaining the reactor subcritical in cold conditions.

APPLICABLE SAFETY ANALYSES Prevention and mitigation of prompt reactivity excursions during refueling are provided by refueling interlocks (LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"), the SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation").

The safety analyses for the control rod withdrawal error during refueling (Ref. 2) and the fuel assembly insertion error (Ref. 3) evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Control rod scram provides protection should a prompt reactivity excursion occur.

Control rod OPERABILITY during refueling satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO Each withdrawn control rod must be OPERABLE. The withdrawn control rod is considered OPERABLE if the scram accumulator pressure is ≥ 940 psig and the control rod is capable of being automatically inserted upon receipt of a scram signal.

Inserted control rods have already completed their reactivity control function, and therefore are not required to be OPERABLE.

APPLICABILITY During MODE 5, withdrawn control rods must be OPERABLE to ensure that in a scram the control rods will insert and provide the required negative reactivity to maintain the reactor subcritical.

For MODES 1 and 2, control rod requirements are found in LCO 3.1.2, "Reactivity Anomalies," LCO 3.1.3, "Control Rod OPERABILITY," LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators." During MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions.

ACTIONS A.1 With one or more withdrawn control rods inoperable, action must be immediately initiated to fully insert the inoperable control rod(s). Inserting the control rod(s) ensures the shutdown and scram capabilities are not adversely affected.

Actions must continue until the inoperable control rod(s) is fully inserted.

SURVEILLANCE REQUIREMENTS SR 3.9.5.1 and SR 3.9.5.2 During MODE 5, the OPERABILITY of control rods is primarily required to ensure a withdrawn control rod will automatically insert if a signal requiring a reactor shutdown occurs. Because no explicit analysis exists for automatic shutdown during refueling, the shutdown function is satisfied if the withdrawn control rod is capable of automatic insertion and the associated CRD scram accumulator pressure is ≥ 940 psig.

The 7 day Frequency takes into consideration equipment reliability, procedural controls over the scram accumulators, and control room alarms and indicating lights that indicate low accumulator charge pressures.

SR 3.9.5.1 is modified by a Note that allows 7 days after withdrawal of the control rod to perform the Surveillance. This acknowledges that the control rod must first be withdrawn before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4.

REFERENCES
1. UFSAR, Section 16.6.
2. UFSAR, Section 14.5.4.3.
3. UFSAR, Section 14.5.4.4.
4. 10 CFR 50.36(c)(2)(ii).

B 3.9 REFUELING OPERATIONS

B 3.9.6 Reactor Pressure Vessel (RPV) Water Level

BASES

BACKGROUND The movement of fuel assemblies or handling of control rods within the RPV requires a minimum water level of 22 ft 2 inches above the top of the RPV flange. During refueling, this maintains a sufficient water level in the reactor vessel cavity. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a refueling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to ≤ 25% of 10 CFR 100 (Ref. 3) limits, as provided by the guidance of Reference 4.

APPLICABLE SAFETY ANALYSES During movement of fuel assemblies or handling of control rods, the water level in the RPV is an initial condition in the analysis of a refueling accident postulated by Reference 1. A minimum water level of 22 ft 2 inches above the top of the RPV flange allows a decontamination factor of 100 to be used in the accident analysis for iodine since more than 23 feet of water is available over the top of the reactor core (Ref. 1). This relates to the assumption that 99% of the total iodine released from the pellet to cladding gap of all damaged fuel assembly rods is retained by the water. The fuel pellet to cladding gap is assumed to contain 10% of the total fuel rod iodine inventory (Ref. 1).

Analysis of the refueling accident inside containment is described in Reference 2. With a minimum water level of 22 ft 2 inches above the top of the RPV flange and a minimum decay time of 24 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated refueling accident is adequately captured by the water and that offsite doses are maintained within allowable limits (Ref. 3). While the worst case assumptions include the dropping of the irradiated fuel assembly being handled onto the reactor core loaded with irradiated fuel, the possibility exists of the dropped assembly striking the RPV flange and releasing fission products. Therefore, the minimum depth for water coverage to ensure acceptable radiological consequences is specified from the RPV flange.

Since the worst case event results in failed fuel assemblies seated in the core, as well as the dropped assembly, dropping an assembly on the RPV flange will result in reduced releases of fission gases. Based on analysis of the physical dimensions which preclude normal operation with water level 23 feet above the flange, this water level is acceptable.

RPV water level satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO A minimum water level of 22 ft 2 inches above the top of the RPV flange is required to ensure that the radiological consequences of a postulated refueling accident are within acceptable limits, as provided by the guidance of Reference 4.

APPLICABILITY LCO 3.9.6 is applicable when moving fuel assemblies or handling control rods (i.e., movement with other than the normal control rod drive) within the RPV. The LCO minimizes the possibility of a refueling accident that is beyond the assumptions of the safety analysis. If irradiated fuel is not present within the RPV, there can be no significant radioactivity release as a result of a postulated refueling accident. Requirements for fuel movement in the spent fuel storage pool are covered by LCO 3.7.7, "Spent Fuel Storage Pool Water Level."

ACTIONS A.1 If the water level is < 22 ft 2 inches above the top of the RPV flange, all operations involving movement of fuel assemblies and handling of control rods within the RPV shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of fuel movement and control rod handling shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE REQUIREMENTS SR 3.9.6.1 Verification of a minimum water level of 22 ft 2 inches above the top of the RPV flange ensures that the design basis for the postulated refueling accident analysis during refueling operations is met. Water at the required level limits the consequences of damaged fuel rods, which are postulated to result from a refueling accident in containment (Ref. 2).

The Frequency of 24 hours is based on engineering judgment and is considered adequate in view of the large volume of water and the normal procedural controls on valve positions, which make significant unplanned level changes unlikely.

REFERENCES
1. Regulatory Guide 1.25, Assumptions Used for Evaluating The Potential Radiological Consequences Of A Fuel Handling Accident In The Fuel Handling And Storage Facility For Boiling And Pressurized Water Reactors, March 23, 1972.
2. UFSAR, Section 14.6.1.4.
3. 10 CFR 100.11.
4. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Section 15.7.4, Revision 1, Radiological Consequences of Fuel Handling Accident, July 1981.
5. 10 CFR 50.36(c)(2)(ii).

B 3.9 REFUELING OPERATIONS

B 3.9.7 Residual Heat Removal (RHR)-High Water Level

BASES

BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by the UFSAR (Ref. 1). Either of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. The RHR shutdown cooling mode is manually controlled.

In addition to the RHR shutdown cooling mode, the volume of water above the reactor pressure vessel (RPV) flange provides a heat sink for decay heat removal.

APPLICABLE SAFETY ANALYSES With the plant in MODE 5, the RHR shutdown cooling mode is not required to mitigate any events or accidents evaluated in the safety analyses. The RHR shutdown cooling mode is required for removing decay heat to maintain the temperature of the reactor coolant.

The RHR shutdown cooling mode satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO Only one RHR shutdown cooling subsystem is required to be OPERABLE in MODE 5 with irradiated fuel in the RPV and the water level ≥ 22 ft 2 inches above the top of the RPV flange. Only one subsystem is required because the volume of water above the RPV flange provides backup decay heat removal capability.

An OPERABLE RHR shutdown cooling subsystem consists of an capable of providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. In MODE 5, the RHR cross tie valves are not required to be closed; thus, the valves may be opened to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem.

Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (from the control room or locally) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required.

APPLICABILITY One RHR shutdown cooling subsystem must be OPERABLE in MODE 5, with irradiated fuel in the reactor pressure vessel and with the water level ≥ 22 ft 2 inches above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR shutdown cooling subsystem requirements in MODE 5 with irradiated fuel in the reactor pressure vessel and with the water level < 22 ft 2 inches above the top of the RPV flange are given in LCO 3.9.8, "Residual Heat Removal (RHR)-Low Water Level."

ACTIONS A.1 With no RHR shutdown cooling subsystem OPERABLE, an alternate method of decay heat removal must be established within 1 hour. In this condition, the volume of water above the top of the RPV flange provides adequate capability to remove decay heat from the reactor core. However, the overall reliability is reduced because loss of water level could result in reduced decay heat removal capability. The 1 hour Completion Time is based on decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of the alternate method must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability.

Alternate decay heat removal methods are available to the operators for review and preplanning in the plant Operating Procedures. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. For example, this may include the use of the Spent Fuel Pool Cooling System and the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed or in combination with the Control Rod Drive System or Condensate System. In addition, the Decay Heat Removal System can also be used as a method. The method used to remove the decay heat should be the most prudent choice based on plant conditions. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability.

B.1, B.2, B.3, and B.4 If no RHR shutdown cooling subsystem is OPERABLE and an alternate method of decay heat removal is not available in accordance with Required Action A.1, actions shall be taken immediately to suspend operations involving an increase in reactor decay heat load by suspending loading of irradiated fuel assemblies into the RPV.

Additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE; one standby gas treatment subsystem is OPERABLE; and secondary containment isolation capability is available in each associated penetration flowpath not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or acceptable administrative controls assure isolation capability. These administrative controls consist of stationing an operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment is indicated). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, a surveillance may need to be performed to restore the component to OPERABLE status.

Actions must continue until all required components are OPERABLE.

SURVEILLANCE REQUIREMENTS SR 3.9.7.1 Verifying the correct alignment for manual, power operated, and automatic valves in the RHR shutdown cooling flow path provides assurance that the proper flow paths will exist for RHR operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that can be manually (from the control room or locally) aligned is allowed to be in a non-RHR shutdown cooling position provided the valve can be repositioned. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency of this SR was derived from the Inservice Testing Program requirements for performing valve testing at least once every 92 days. The Frequency of 31 days is further justified because the valves are operated under procedural control. This Frequency has been shown to be acceptable through operating experience.

REFERENCES
1. UFSAR, Section 16.6.
2. 10 CFR 50.36(c)(2)(ii).

B 3.9 REFUELING OPERATIONS

B 3.9.8 Residual Heat Removal (RHR)-Low Water Level

BASES

BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by the UFSAR (Ref. 1). Either of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. The RHR shutdown cooling mode is manually controlled.

APPLICABLE SAFETY ANALYSES With the plant in MODE 5, the RHR shutdown cooling mode is not required to mitigate any events or accidents evaluated in the safety analyses. The RHR shutdown cooling mode is required for removing decay heat to maintain the temperature of the reactor coolant.

The RHR shutdown cooling mode satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO In MODE 5 with irradiated fuel in the reactor pressure vessel (RPV) and the water level < 22 ft 2 inches above the top of the RPV flange, two RHR shutdown cooling subsystems must be OPERABLE.

An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump, a heat exchanger, an RHR service water pump capable of providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. To meet the LCO, two RHR pumps and two RHR service water pumps in one loop or one RHR pump and one RHR service water pump in each of the two loops must be OPERABLE. In MODE 5, the RHR cross tie valves are not required to be closed; thus, the valves may be opened to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem.

Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (from the control room or locally) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required.

APPLICABILITY Two RHR shutdown cooling subsystems are required to be OPERABLE in MODE 5, with irradiated fuel in the RPV and with the water level < 22 ft 2 inches above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR shutdown cooling subsystem requirements in MODE 5 with irradiated fuel in the RPV and with the water level ≥ 22 ft 2 inches above the top of the RPV flange are given in LCO 3.9.7, "Residual Heat Removal (RHR)-High Water Level."

ACTIONS A.1 With one of the two required RHR shutdown cooling subsystems inoperable, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore, an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of this alternate method must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability.

Alternate decay heat removal methods are available to the operators for review and preplanning in the plant Operating Procedures. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capacity to maintain or reduce temperature. For example, this may include the use of the Spent Fuel Pool Cooling System and the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed or in combination with the Control Rod Drive System or Condensate System. The method used to remove decay heat should be the most prudent choice based on plant conditions.

Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability.

B.1, B.2, and B.3 With the required decay heat removal subsystem(s) inoperable and the required alternate method(s) of decay heat removal not available in accordance with Required Action A.1, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE; one standby gas treatment subsystem is OPERABLE; and secondary containment isolation capability is available in each associated penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or acceptable administrative controls assure isolation capability. These administrative controls consist of stationing an operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment is indicated). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the surveillance may need to be performed to restore the component to OPERABLE status.

Actions must continue until all required components are OPERABLE.

SURVEILLANCE REQUIREMENTS SR 3.9.8.1 Verifying the correct alignment for manual, power operated, and automatic valves in the RHR shutdown cooling flow paths provides assurance that the proper flow paths will exist for RHR operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that can be manually (from the control room or locally) aligned is allowed to be in a non-RHR shutdown cooling position provided the valve can be repositioned. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency of this SR was derived from the Inservice Testing Program requirements for performing valve testing at least once every 92 days. The Frequency of 31 days is further justified because the valves are operated under procedural control. This Frequency has been shown to be acceptable through operating experience.

REFERENCES
1. UFSAR, Section 16.6.
2. 10 CFR 50.36(c)(2)(ii).

B 3.10 SPECIAL OPERATIONS

B 3.10.1 Inservice Leak and Hydrostatic Testing Operation

BASES

BACKGROUND The purpose of this Special Operations LCO is to allow certain reactor coolant pressure tests to be performed in MODE 4 when the metallurgical characteristics of the reactor pressure vessel (RPV) require the pressure testing at temperatures > 212°F (normally corresponding to MODE 3).

Inservice hydrostatic testing and system leakage pressure tests required by Section XI of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (Ref. 1) are performed prior to the reactor going critical after a refueling outage. Recirculation pump operation, decay heat and a water solid RPV (except for an air bubble for pressure control) are used to achieve the necessary temperatures and pressures required for these tests. The minimum temperatures (at the required pressures) allowed for these tests are determined from the RPV pressure and temperature (P/T) limits required by LCO 3.4.9, "Reactor Coolant System (RCS) Pressure and Temperature (P/T) Limits."

These limits are conservatively based on the fracture toughness of the reactor vessel, taking into account anticipated vessel neutron fluence.

With increased reactor vessel fluence over time, the minimum allowable vessel temperature increases at a given pressure.

Periodic updates to the RCS P/T limit curves are performed as necessary, based upon the results of analyses of irradiated surveillance specimens removed from the vessel.

APPLICABLE SAFETY ANALYSES Allowing the reactor to be considered in MODE 4 during hydrostatic or leak testing, when the reactor coolant temperature is > 212°F, effectively provides an exception to MODE 3 requirements, including OPERABILITY of primary containment and the full complement of redundant Emergency Core Cooling Systems. Since the hydrostatic or leak tests are performed nearly water solid, at low decay heat values, and near MODE 4 conditions, the stored energy in the reactor core will be very low. Under these conditions, the potential for failed fuel and a subsequent increase in coolant activity above the LCO 3.4.6, "RCS Specific Activity," limits are minimized. In addition, the secondary containment will be OPERABLE, in accordance with this Special Operations LCO, and will be capable of handling any airborne radioactivity or steam leaks that could occur during the performance of hydrostatic or leak testing. The required pressure testing conditions provide adequate assurance that the consequences of a recirculation line break (Refs. 2 and 3) will be conservatively bounded by the consequences of the postulated main steam line break outside of primary containment described in Reference 4. Therefore, these requirements will conservatively limit radiation releases to the environment.

In the event of a large primary system leak, the reactor vessel would rapidly depressurize, allowing the low pressure core cooling systems to operate. The capability of the low pressure coolant injection and core spray subsystems, as required in MODE 4 by LCO 3.5.2, "ECCS-Shutdown," would be more than adequate to keep the core flooded under this low decay heat load condition. Small system leaks would be detected by leakage inspections before significant inventory loss occurred.

For the purposes of this test, the protection provided by normally required MODE 4 applicable LCOs, in addition to the secondary containment requirements required to be met by this Special Operations LCO, will ensure acceptable consequences during normal hydrostatic test conditions and during postulated accident conditions.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 5) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation at reactor coolant temperatures > 212°F can be in accordance with Table 1.1-1 for MODE 3 operation without meeting this Special Operations LCO or its ACTIONS. This option may be required due to P/T limits, however, which require testing at temperatures > 212°F, while performance of inservice leak and hydrostatic testing results in inoperability of subsystems required when > 212°F.

If it is desired to perform these tests while complying with this Special Operations LCO, then the MODE 4 applicable LCOs and specified MODE 3 LCOs must be met. This Special Operations LCO allows changing Table 1.1-1 temperature limits for MODE 4 to "NA" and suspending the requirements of LCO 3.4.8, "Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown." The additional requirements for secondary containment LCOs to be met will provide sufficient protection for operations at reactor coolant temperatures > 212°F for the purpose of performing either an inservice leak or hydrostatic test.

This LCO allows primary containment to be open for frequent unobstructed access to perform inspections, and for outage activities on various systems to continue consistent with the MODE 4 applicable requirements that are in effect immediately prior to and immediately after this operation.

APPLICABILITY The MODE 4 requirements may only be modified for the performance of inservice leak or hydrostatic tests so that these operations can be considered as in MODE 4, even though the reactor coolant temperature is > 212°F. The additional requirement for secondary containment OPERABILITY according to the imposed MODE 3 requirements provides conservatism in the response of the plant to any event that may occur.

Operations in all other MODES are unaffected by this LCO.

ACTIONS A Note has been provided to modify the ACTIONS related to inservice leak and hydrostatic testing operation.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

A.1

If an LCO specified in LCO 3.10.1 is not met, the ACTIONS applicable to the stated requirements are entered immediately and complied with. Required Action A.1 has been modified by a Note that clarifies that the intent of another LCO's Required Action to be in MODE 4 includes reducing the average reactor coolant temperature to ≤ 212°F.

A.2.1 and A.2.2

Required Action A.2.1 and Required Action A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 4 requirements, and thereby exit this Special Operation LCO's Applicability. Activities that could further increase reactor coolant temperature or pressure are suspended immediately, in accordance with Required Action A.2.1, and the reactor coolant temperature is reduced to establish normal MODE 4 requirements. The allowed Completion Time of 24 hours for Required Action A.2.2 is based on engineering judgment and provides sufficient time to reduce the average reactor coolant temperature from the highest expected value to < 212°F with normal cooldown procedures. The Completion Time is also consistent with the time provided in LCO 3.0.3 to reach MODE 4 from MODE 3.

SURVEILLANCE REQUIREMENTS

SR 3.10.1.1

The LCOs made applicable are required to have their Surveillances met to establish that this LCO is being met.

A discussion of the applicable SRs is provided in their respective Bases.

REFERENCES 1. American Society of Mechanical Engineers, Boiler and Pressure Vessel Code, Section XI.

2. JAF-CALC-MULT-02238, Revision 1, JAF-HELB Analysis During Hydrostatic Test, May 27, 1999.
3. JAF-CALC-RBC-03400, Revision 0, Evaluation of Reactor Building Ducts and Doors for Recirc. Break During Hydro, August 9, 1999.
4. UFSAR, Section 14.6.1.5.
5. 10 CFR 50.36(c)(2)(ii).

B 3.10 SPECIAL OPERATIONS

B 3.10.2 Reactor Mode Switch Interlock Testing

BASES

BACKGROUND The purpose of this Special Operations LCO is to permit operation of the reactor mode switch from one position to another to confirm certain aspects of associated interlocks during periodic tests and calibrations in MODES 3, 4, and 5.

The reactor mode switch is a conveniently located, multiposition, keylock switch provided to select the necessary scram functions for various plant conditions (Ref. 1). The reactor mode switch selects the appropriate trip relays for scram functions and provides appropriate bypasses. The mode switch positions and related scram interlock functions are summarized as follows:

a. Shutdown - Initiates a reactor scram; bypasses main steam line isolation scrams;
b. Refuel - Selects Reactor Protection System (RPS) Neutron Monitoring System (NMS) scram function for low neutron flux level operation (but does not disable the average power range monitor scram); bypasses main steam line isolation;
c. Startup/Hot Standby - Selects RPS NMS scram function for low neutron flux level operation (intermediate range monitors and average power range monitors); bypasses main steam line isolation scram; and
d. Run - Selects RPS NMS scram function for power range operation.

The reactor mode switch also provides interlocks for such functions as control rod blocks, scram discharge volume trip bypass, refueling equipment interlocks, and main steam isolation valve isolations.

APPLICABLE SAFETY ANALYSES The acceptance criterion for reactor mode switch interlock testing is to prevent fuel failure by precluding reactivity excursions or core criticality. The interlock functions of the shutdown and refuel positions normally maintained for the reactor mode switch in MODES 3, 4, and 5 are provided to preclude reactivity excursions that could potentially result in fuel failure. Interlock testing that requires moving the reactor mode switch to other positions (run, startup/hot standby, or refuel) while in MODE 3, 4, or 5, requires administratively maintaining all control rods inserted and no CORE ALTERATIONS in progress. With all control rods inserted in core cells containing one or more fuel assemblies, and no CORE ALTERATIONS in progress, there are no credible mechanisms for unacceptable reactivity excursions during the planned interlock testing.

For postulated accidents, such as control rod withdrawal error during refueling or loading of fuel with a control rod withdrawn, the accident analysis demonstrates that fuel failure will not occur (Refs. 2 and 3). The withdrawal of a single control rod will not result in criticality when adequate SDM is maintained. Also, loading fuel assemblies into the core with a single control rod withdrawn will not result in criticality, thereby preventing fuel failure.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 4) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. MODES 3, 4, and 5 operations not specified in Table 1.1-1 can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation," LCO 3.10.3, "Single Control Rod Withdrawal - Hot Shutdown," LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown," and LCO 3.10.8, "SDM Test - Refueling") without meeting this LCO or its ACTIONS. If any testing is performed that involves the reactor mode switch interlocks and requires repositioning beyond that specified in Table 1.1-1 for the current MODE of operation, the testing can be performed, provided all interlock functions potentially defeated are administratively controlled. In MODES 3, 4, and 5 with the reactor mode switch in shutdown as specified in Table 1.1-1, all control rods are fully inserted and a control rod block is initiated. Therefore, all control rods in core cells that contain one or more fuel assemblies must be verified fully inserted while in MODES 3, 4, and 5, with the reactor mode switch in other than the shutdown position. The additional LCO requirement to preclude CORE ALTERATIONS is appropriate for MODE 5 operations, as discussed below, and is inherently met in MODES 3 and 4 by the definition of CORE ALTERATIONS, which cannot be performed with the vessel head in place.

In MODE 5, with the reactor mode switch in the refuel position, only one control rod can be withdrawn under the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"). The refueling equipment interlocks (LCO 3.9.1, "Refueling Equipment Interlocks") appropriately control other CORE ALTERATIONS. Due to the increased potential for error in controlling these multiple interlocks, and the limited duration of tests involving the reactor mode switch position, conservative controls are required, consistent with MODES 3 and 4. The additional controls of administratively not permitting CORE ALTERATIONS will adequately ensure that the reactor does not become critical during these tests.

APPLICABILITY Any required periodic interlock testing involving the reactor mode switch, while in MODES 1 and 2, can be performed without the need for Special Operations exceptions. Mode switch manipulations in these MODES would likely result in plant trips. In MODES 3, 4, and 5, this Special Operations LCO allows reactor mode switch interlock testing that cannot conveniently be performed without this allowance or testing that must be performed prior to entering another MODE. Such interlock testing may consist of required Surveillances, or may be the result of maintenance, repair, or troubleshooting activities. In MODES 3, 4, and 5, the interlock functions provided by the reactor mode switch in shutdown (i.e., all control rods inserted and incapable of withdrawal) and refueling (i.e., refueling interlocks to prevent inadvertent criticality during CORE ALTERATIONS) positions can be administratively controlled adequately during the performance of certain tests.

ACTIONS A.1, A.2, A.3.1, and A.3.2 These Required Actions are provided to restore compliance with the Technical Specifications overridden by this Special Operations LCO. Restoring compliance will also result in exiting the Applicability of this Special Operations LCO.

All CORE ALTERATIONS, except control rod insertion, if in progress, are immediately suspended in accordance with Required Action A.1, and all insertable control rods in core cells that contain one or more fuel assemblies are fully inserted within 1 hour, in accordance with Required Action A.2. This will preclude potential mechanisms that could lead to criticality. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted.

Suspension of CORE ALTERATIONS shall not preclude the completion of movement of a component to a safe condition.

Placing the reactor mode switch in the shutdown position will ensure that all inserted control rods remain inserted and result in operating in accordance with Table 1.1-1.

Alternatively, if in MODE 5, the reactor mode switch may be placed in the refuel position, which will also result in operating in accordance with Table 1.1-1. A Note is added to Required Action A.3.2 to indicate that this Required Action is only applicable in MODE 5, since only the shutdown position is allowed in MODES 3 and 4. The allowed Completion Time of 1 hour for Required Action A.2, Required Action A.3.1, and Required Action A.3.2 provides sufficient time to normally insert the control rods and place the reactor mode switch in the required position, based on operating experience, and is acceptable given that all operations that could increase core reactivity have been suspended.

SURVEILLANCE REQUIREMENTS

SR 3.10.2.1 and SR 3.10.2.2

Meeting the requirements of this Special Operations LCO maintains operation consistent with or conservative to operating with the reactor mode switch in the shutdown position (or the refuel position for MODE 5). The functions of the reactor mode switch interlocks that are not in effect, due to the testing in progress, are adequately compensated for by the Special Operations LCO requirements.

The administrative controls are to be periodically verified to ensure that the operational requirements continue to be met. The Surveillances performed at the 12 hour and 24 hour Frequencies are intended to provide appropriate assurance that each operating shift is aware of and verifies compliance with these Special Operations LCO requirements.


REFERENCES 1. UFSAR, Section 7.2.

2. UFSAR, Section 14.5.4.3.
3. UFSAR, Section 14.5.4.4.
4. 10 CFR 50.36(c)(2)(ii).


B 3.10 SPECIAL OPERATIONS

B 3.10.3 Single Control Rod Withdrawal - Hot Shutdown

BASES

BACKGROUND The purpose of this MODE 3 Special Operations LCO is to permit the withdrawal of a single control rod for testing while in hot shutdown, by imposing certain restrictions. In MODE 3, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the other installed interlocks that are actuated when the reactor mode switch is in the shutdown position. However, circumstances may arise while in MODE 3 that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram timing, and coupling integrity checks). These single control rod withdrawals are normally accomplished by selecting the refuel position for the reactor mode switch. This Special Operations LCO provides the appropriate additional controls to allow a single control rod withdrawal in MODE 3.

APPLICABLE SAFETY ANALYSES With the reactor mode switch in the refuel position, the analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 3, these analyses will bound the consequences of a postulated accident. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.

Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists.

The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling.

Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 3 with the reactor mode switch in the refuel position can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS.

However, if a single control rod withdrawal is desired in MODE 3, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO, will ensure that only one control rod can be withdrawn.

To back up the refueling interlocks (LCO 3.9.2), the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by this Special Operations LCO's requirements in Item d.1. Alternately, provided a sufficient number of control rods in the vicinity of the withdrawn control rod are known to be inserted and incapable of withdrawal (Item d.2), the possibility of criticality on withdrawal of this control rod is sufficiently precluded, so as not to require the scram capability of the withdrawn control rod. Also, once this alternate (Item d.2) is completed, the LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.

APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with this Special Operations LCO or Special Operations LCO 3.10.4, and if limited to one control rod.

This allowance is only provided with the reactor mode switch in the refuel position. For these conditions, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4, "Control Rod Position Indication"), full insertion requirements for all other control rods and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY - Refueling"), or the added administrative controls in Item d.2 of this Special Operations LCO, preclude unacceptable reactivity excursions.

ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 3. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

A.1

If one or more of the requirements specified in this Special Operations LCO are not met, the ACTIONS applicable to the stated requirements of the affected LCOs are immediately entered as directed by Required Action A.1. Required Action A.1 has been modified by a Note that clarifies the intent of any other LCO's Required Action, to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added, which clarifies that this Required Action is only applicable if the requirements not met are for an affected LCO.

A.2.1 and A.2.2

Required Actions A.2.1 and A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 3 requirements, thereby exiting this Special Operations LCO's Applicability. Actions must be initiated immediately to insert all insertable control rods. Actions must continue until all such control rods are fully inserted. Placing the reactor mode switch in the shutdown position will ensure all inserted rods remain inserted and restore operation in accordance with Table 1.1-1. The allowed Completion Time of 1 hour to place the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods.

SURVEILLANCE REQUIREMENTS

SR 3.10.3.1, SR 3.10.3.2, and SR 3.10.3.3

The other LCOs made applicable in this Special Operations LCO are required to have their Surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification in accordance with SR 3.10.3.2 is required to preclude the possibility of criticality. The control rods can be hydraulically disarmed by closing the drive water and exhaust header water isolation valves. Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. SR 3.10.3.2 has been modified by a Note, which clarifies that this SR is not required to be met if SR 3.10.3.1 is satisfied for LCO 3.10.3.d.1 requirements, since SR 3.10.3.2 demonstrates that the alternative LCO 3.10.3.d.2 requirements are satisfied. Also, SR 3.10.3.3 verifies that all control rods other than the control rod being withdrawn are fully inserted. The 24 hour Frequency is acceptable because of the administrative controls on control rod withdrawal, the protection afforded by the LCOs involved, and hardwire interlocks that preclude additional control rod withdrawals.

REFERENCES 1. UFSAR, Section 14.5.4.3.

2. UFSAR, Section 14.5.4.4.
3. 10 CFR 50.36(c)(2)(ii).


B 3.10 SPECIAL OPERATIONS

B 3.10.4 Single Control Rod Withdrawal - Cold Shutdown

BASES

BACKGROUND The purpose of this MODE 4 Special Operations LCO is to permit the withdrawal of a single control rod for testing or maintenance, while in cold shutdown, by imposing certain restrictions. In MODE 4, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the installed interlocks associated with the reactor mode switch in the shutdown position. Circumstances may arise while in MODE 4, however, that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram time testing, and coupling integrity checks). Certain situations may also require the removal of the associated control rod drive (CRD). These single control rod withdrawals and possible subsequent removals are normally accomplished by selecting the refuel position for the reactor mode switch.

APPLICABLE SAFETY ANALYSES With the reactor mode switch in the refuel position, the analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 4, these analyses will bound the consequences of a postulated accident. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.

Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists.

The control rod scram function provides backup protection in the event normal refueling procedures and the refueling interlocks fail to prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal. This alternate backup protection is required when removing a CRD because this removal renders the withdrawn control rod incapable of being scrammed.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 4 with the reactor mode switch in the refuel position can be performed in accordance with other LCOs (i.e., Special Operations LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. If a single control rod withdrawal is desired in MODE 4, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied.

"Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.

The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO will ensure that only one control rod can be withdrawn.

The requirements of LCO 3.9.4, "Control Rod Position Indication," can continue to be met even when the control rod position indication probe is disconnected to allow decoupling, provided the withdrawn control rod does not erroneously indicate "full-in." However, in the event the control rod does indicate "full-in" (either due to component malfunction or intentional jumpering to cause a "full-in" indication), a control rod withdrawal block is required to be inserted to ensure that no additional control rods can be withdrawn and that compliance with this Special Operations LCO is maintained.

To back up the refueling interlocks (LCO 3.9.2) or the control rod withdrawal block, the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by the Special Operations LCO requirements in Item c.1. Alternatively, when the scram function is not OPERABLE, or when the CRD is to be removed, a sufficient number of rods in the vicinity of the withdrawn control rod are required to be inserted and made incapable of withdrawal (Item c.2). This precludes the possibility of criticality upon withdrawal of this control rod. Also, once this alternate (Item c.2) is completed, the LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.

APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, or this Special Operations LCO, and if limited to one control rod.

This allowance is only provided with the reactor mode switch in the refuel position.

During these conditions, the full insertion requirements for all other control rods, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4), and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY-Refueling"), or the added administrative controls in Item b.2 and Item c.2 of this Special Operations LCO, provide mitigation of potential reactivity excursions.

ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 4. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod insertable, these Required Actions restore operation consistent with normal MODE 4 conditions (i.e., all rods inserted) or with the exceptions allowed in this Special Operations LCO. Required Action A.1 has been modified by a Note that clarifies the intent of any other LCO's Required Action to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position.

A second Note has been added to Required Action A.1 to clarify that this Required Action is only applicable if the requirements not met are for an affected LCO.

Required Actions A.2.1 and A.2.2 are specified, based on the assumption that the control rod is being withdrawn. If the control rod is still insertable, actions must be immediately initiated to fully insert all insertable control rods and within 1 hour place the reactor mode switch in the shutdown position. Actions must continue until all such control rods are fully inserted. The allowed Completion Time of 1 hour for placing the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods.

B.1, B.2.1, and B.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod not insertable, withdrawal of the control rod and removal of the associated CRD must be immediately suspended. If the CRD has been removed, such that the control rod is not insertable, the Required Actions require the most expeditious action be taken to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO.

SURVEILLANCE REQUIREMENTS SR 3.10.4.1, SR 3.10.4.2, SR 3.10.4.3, and SR 3.10.4.4 The other LCOs made applicable by this Special Operations LCO are required to have their associated surveillances met to establish that this Special Operations LCO is being met.

If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification is required to ensure that the possibility of criticality remains precluded. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids.

Verification that all the other control rods are fully inserted is required to meet the SDM requirements.

Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the affected control rod. The 24 hour Frequency is acceptable because of the administrative controls on control rod withdrawals, the protection afforded by the LCOs involved, and hardwire interlocks to preclude an additional control rod withdrawal.

SR 3.10.4.2 and SR 3.10.4.4 have been modified by Notes, which clarify that these SRs are not required to be met if the alternative requirements demonstrated by SR 3.10.4.1 are satisfied.

REFERENCES 1. UFSAR, Section 14.5.4.3.

2. UFSAR, Section 14.5.4.4.
3. 10 CFR 50.36(c)(2)(ii).


Single CRD Removal -Refueling B 3.10.5 B 3.10 SPECIAL OPERATIONS B 3.10.5 Single Control Rod Drive (CRD) Removal -Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit the removal of a single CRD during refueling operations by imposing certain administrative controls.

Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. The refueling interlocks use the "full-in" position indicators to determine the position of all control rods. If the "full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.

The control rod scram function provides backup protection in the event normal refueling procedures and the refueling interlocks described above fail to prevent inadvertent criticalities during refueling. The requirement for this function to be OPERABLE precludes the possibility of removing the CRD once a control rod is withdrawn from a core cell containing one or more fuel assemblies. This Special Operations LCO provides controls sufficient to ensure the possibility of an inadvertent criticality is precluded, while allowing a single CRD to be removed from a core cell containing one or more fuel assemblies. The removal of the CRD involves disconnecting the position indication probe, which causes noncompliance with LCO 3.9.4, "Control Rod Position Indication," and therefore, LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refueling Position One-Rod-Out Interlock." The CRD removal also requires isolation of the CRD from the CRD Hydraulic System, thereby causing inoperability of the control rod (LCO 3.9.5, "Control Rod OPERABILITY-Refueling").

APPLICABLE SAFETY ANALYSES With the reactor mode switch in the refuel position, the analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied, these analyses will bound the consequences of accidents. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that proper operation of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.

Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement that no other CORE ALTERATIONS are in progress adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1).

The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling.

Since the scram function and refueling interlocks may be suspended, alternate backup protection required by this Special Operations LCO is obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod are inserted and disarmed, and all other control rods are inserted and are incapable of being withdrawn (by insertion of a control rod block).

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with any of the following LCOs, LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," LCO 3.3.8.2, "Reactor Protection System (RPS) Electric Power Monitoring," LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, or LCO 3.9.5 not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS.

However, if a single CRD removal from a core cell containing one or more fuel assemblies is desired in MODE 5, controls consistent with those required by LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 must be implemented, and this Special Operations LCO applied.

By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement that no other CORE ALTERATIONS are in progress adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). Ensuring that the five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal adequately satisfies the backup protection that LCO 3.3.1.1 and LCO 3.9.2 would have otherwise provided.

Also, once these requirements (Items a, b, and c) are completed, the SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn untrippable control rod to be the single highest worth control rod.

APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The allowance to comply with this Special Operations LCO in lieu of the ACTIONS of LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 is appropriately controlled with the additional administrative controls required by this Special Operations LCO, which reduce the potential for reactivity excursions.

ACTIONS A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for failure to meet LCO 3.3.1.1, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 (i.e., all control rods inserted) or with the allowances of this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2.1, and Required Action A.2.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO.

Actions must continue until either Required Action A.2.1 or Required Action A.2.2 is satisfied.

SURVEILLANCE REQUIREMENTS SR 3.10.5.1, SR 3.10.5.2, SR 3.10.5.3, SR 3.10.5.4, and SR 3.10.5.5 Verification that all the control rods, other than the control rod withdrawn for the removal of the associated CRD, are fully inserted is required to ensure the SDM is within limits. Verification that the local five by five array of control rods, other than the control rod withdrawn for removal of the associated CRD, is inserted and disarmed, while the scram function for the withdrawn rod is not available, is required to ensure that the possibility of criticality remains precluded. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the withdrawn control rod. The Surveillance for LCO 3.1.1, which is made applicable by this Special Operations LCO, is required in order to establish that this Special Operations LCO is being met. Verification that no other CORE ALTERATIONS are being made is required to ensure the assumptions of the safety analysis are satisfied.

Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The 24 hour Frequency is acceptable, given the administrative controls on control rod removal and hardwire interlock to block an additional control rod withdrawal.

REFERENCES 1. UFSAR, Section 14.5.4.3.

2. UFSAR, Section 14.5.4.4.
3. 10 CFR 50.36(c)(2)(ii).


Multiple Control Rod Withdrawal -Refueling B 3.10.6 B 3.10 SPECIAL OPERATIONS B 3.10.6 Multiple Control Rod Withdrawal-Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit multiple control rod withdrawal during refueling by imposing certain administrative controls.

Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. When all four fuel assemblies are removed from a cell, the control rod may be withdrawn with no restrictions. Any number of control rods may be withdrawn and removed from the reactor vessel if their cells contain no fuel.

The refueling interlocks use the "full-in" position indicators to determine the position of all control rods. If the "full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.

To allow more than one control rod to be withdrawn during refueling, these interlocks must be defeated. This Special Operations LCO establishes the necessary administrative controls to allow bypassing the "full-in" position indicators.

APPLICABLE SAFETY ANALYSES Explicit safety analyses in the UFSAR (Refs. 1, 2 and 3) demonstrate that the functioning of the refueling interlocks and adequate SDM will prevent unacceptable reactivity excursions during refueling. To allow multiple control rod withdrawals, control rod removals, associated control rod drive (CRD) removal, or any combination of these, the "full in" position indication is allowed to be bypassed for each withdrawn control rod if all fuel has been removed from the cell. With no fuel assemblies in the core cell, the associated control rod has no reactivity control function and is not required to remain inserted. Prior to reloading fuel into the cell, however, the associated control rod must be inserted to ensure that an inadvertent criticality does not occur, as evaluated in the Reference 2 analysis.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 4) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with either LCO 3.9.3, "Control Rod Position," LCO 3.9.4, "Control Rod Position Indication," or LCO 3.9.5, "Control Rod OPERABILITY-Refueling," not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. If multiple control rod withdrawal or removal, or CRD removal is desired, all four fuel assemblies are required to be removed from the associated cells. Prior to entering this LCO, any fuel remaining in a cell whose CRD was previously removed under the provisions of another LCO must be removed.

"Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.

When fuel is loaded into the core with multiple control rods withdrawn, special spiral reload sequences are used to ensure that reactivity additions are minimized. Spiral reloading encompasses reloading a cell (four fuel locations immediately adjacent to a control rod) on the edge of a continuous fueled region (the cell can be loaded in any sequence). Otherwise, all control rods must be fully inserted before loading fuel. For an unloaded core the spiral reload may commence at either the core center around a "dunking type detector" or around one of the source range monitors. Placement of the "dunking type detector" in the core cell does not violate the intent of the spiral reload pattern. Fuel assemblies may be loaded into this location when the "dunking type detector" is removed.

APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The exceptions from other LCO requirements (e.g., the ACTIONS of LCO 3.9.3, LCO 3.9.4, or LCO 3.9.5) allowed by this Special Operations LCO are appropriately controlled by requiring all fuel to be removed from cells whose "full-in" indications are allowed to be bypassed. This bypassing must be verified by a second licensed operator or a reactor engineer.

ACTIONS A.1, A.2, A.3.1, and A.3.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for refueling (i.e., all control rods inserted in core cells containing one or more fuel assemblies) or with the exceptions granted by this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2, Required Action A.3.1, and Required Action A.3.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the affected CRDs and insert their control rods, or initiate action to restore compliance with this Special Operations LCO.

SURVEILLANCE REQUIREMENTS SR 3.10.6.1, SR 3.10.6.2, and SR 3.10.6.3 Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. In addition, SR 3.10.6.1 must be verified by one licensed operator and a reactor engineer. The 24 hour Frequency is acceptable, given the administrative controls on fuel assembly and control rod removal, and takes into account other indications of control rod status available in the control room.

REFERENCES 1. UFSAR, Section 7.6.

2. UFSAR, Section 14.5.4.3.
3. UFSAR, Section 14.5.4.4.
4. 10 CFR 50.36(c)(2)(ii).


Control Rod Testing- Operating B 3.10.7 B 3.10 SPECIAL OPERATIONS B 3.10.7 Control Rod Testing- Operating BASES BACKGROUND The purpose of this Special Operations LCO is to permit control rod testing, while in MODES 1 and 2, by imposing certain administrative controls. Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, "Control Rod Block Instrumentation"), such that only the specified control rod sequences and relative positions required by LCO 3.1.6, "Rod Pattern Control," are allowed over the operating range from all control rods inserted to 10% RTP.

The sequences effectively limit the potential amount and rate of reactivity increase that could occur during a control rod drop accident (CRDA). During these conditions, control rod testing is sometimes required that may result in control rod patterns not in compliance with the prescribed sequences of LCO 3.1.6. These tests include SDM testing, control rod scram time testing, and control rod friction testing. This Special Operations LCO provides the necessary exemption to the requirements of LCO 3.1.6 and provides additional administrative controls to allow the deviations in such tests from the prescribed sequences in LCO 3.1.6.

APPLICABLE SAFETY ANALYSES The analytical methods and assumptions used in evaluating the CRDA are summarized in References 1 and 2. CRDA analyses assume the reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analyses. The RWM provides backup to operator control of the withdrawal sequences to ensure the initial conditions of the CRDA analyses are not violated. For special sequences developed for control rod testing, the initial control rod patterns assumed in the safety analyses of References 1 and 2 may not be preserved.

Therefore special CRDA analyses are required to demonstrate that these special sequences will not result in unacceptable consequences, should a CRDA occur during the testing. These analyses, performed in accordance with an NRC approved methodology, are dependent on the specific test being performed.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Control rod testing may be performed in compliance with the prescribed sequences of LCO 3.1.6, and during these tests, no exceptions to the requirements of LCO 3.1.6 are necessary. For testing performed with a sequence not in compliance with LCO 3.1.6, the requirements of LCO 3.1.6 may be suspended, provided additional administrative controls are placed on the test to ensure that the assumptions of the special safety analysis for the test sequence are satisfied. Assurances that the test sequence is followed can be provided by either programming the test sequence into the RWM, with conformance verified as specified in SR 3.3.2.1.8 and allowing the RWM to monitor control rod withdrawal and provide appropriate control rod blocks if necessary, or by verifying conformance to the approved test sequence by a second licensed operator (Reactor Operator or Senior Operator) or other qualified member of the technical staff (i.e., reactor engineer).

These controls are consistent with those normally applied to operation in the startup range as defined in the SRs and ACTIONS of LCO 3.3.2.1, "Control Rod Block Instrumentation."

APPLICABILITY Control rod testing, while in MODES 1 and 2, with THERMAL POWER greater than 10% RTP, is adequately controlled by the existing LCOs on power distribution limits and control rod block instrumentation. Control rod movement during these conditions is not restricted to prescribed sequences and can be performed within the constraints of LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)," and LCO 3.3.2.1. With THERMAL POWER less than or equal to 10% RTP, the provisions of this Special Operations LCO are necessary to perform special tests that are not in conformance with the prescribed sequences of LCO 3.1.6.

While in MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, "Single Control Rod Withdrawal-Hot Shutdown," or Special Operations LCO 3.10.4, "Single Control Rod Withdrawal-Cold Shutdown," which provide adequate controls to ensure that the assumptions of the safety analyses of References 1 and 2 are satisfied. During these Special Operations and while in MODE 5, the one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY-Refueling"), or the added administrative controls prescribed in the applicable Special Operations LCOs, provide mitigation of potential reactivity excursions.

ACTIONS A.1 With the requirements of the LCO not met (e.g., the control rod pattern is not in compliance with the special test sequence or the sequence is improperly loaded in the RWM) the testing is required to be immediately suspended. Upon suspension of the special test, the provisions of LCO 3.1.6 are no longer excepted, and appropriate actions are to be taken to restore the control rod sequence to the prescribed sequence of LCO 3.1.6, or to shut down the reactor, if required by LCO 3.1.6.

SURVEILLANCE REQUIREMENTS SR 3.10.7.1 With the special test sequence not programmed into the RWM, a second licensed operator (Reactor Operator or Senior Operator) or other qualified member of the technical staff (i.e., reactor engineer) is required to verify conformance with the approved sequence for the test. This verification must be performed during control rod movement to prevent deviations from the specified sequence. A Note is added to indicate that this Surveillance does not need to be met if SR 3.10.7.2 is satisfied.

SR 3.10.7.2 When the RWM provides conformance to the special test sequence, the test sequence must be verified to be correctly loaded into the RWM prior to control rod movement. This Surveillance demonstrates compliance with SR 3.3.2.1.8, thereby demonstrating that the RWM is OPERABLE. A Note has been added to indicate that this Surveillance does not need to be met if SR 3.10.7.1 is satisfied.


REFERENCES 1. UFSAR, Section 14.6.1.2.

2. UFSAR, Section 14.6.3.
3. 10 CFR 50.36(c)(2)(ii).


SDM Test- Refueling B 3.10.8 B 3.10 SPECIAL OPERATIONS B 3.10.8 SHUTDOWN MARGIN (SDM) Test-Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit SDM testing to be performed for those plant configurations in which the reactor pressure vessel (RPV) head is either not in place or the head bolts are not fully tensioned.

LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," requires that adequate SDM be verified following fuel movements or control rod replacement within the RPV. The verification must be performed prior to or within 4 hours after criticality is reached. This SDM test may be performed prior to or during the first startup following the refueling. Performing the SDM test prior to startup requires the test to be performed while in MODE 5, with the vessel head bolts less than fully tensioned (and possibly with the vessel head removed).

While in MODE 5, the reactor mode switch is required to be in the shutdown or refuel position, where the applicable control rod blocks ensure that the reactor will not become critical. The SDM test requires the reactor mode switch to be in the startup/hot standby position, since more than one control rod will be withdrawn for the purpose of demonstrating adequate SDM. This Special Operations LCO provides the appropriate additional controls to allow withdrawing more than one control rod from a core cell containing one or more fuel assemblies when the reactor vessel head bolts are less than fully tensioned.

APPLICABLE SAFETY ANALYSES Prevention and mitigation of unacceptable reactivity excursions during control rod withdrawal, with the reactor mode switch in the startup/hot standby position while in MODE 5, is provided by the intermediate range monitor (IRM) neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation"). The limiting reactivity excursion during startup conditions while in MODE 5 is the control rod drop accident (CRDA).

CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. For SDM tests performed within these defined sequences, the analyses of References 1 and 2 are applicable. However, for some sequences developed for the SDM testing, the control rod patterns assumed in the safety analyses of References 1 and 2 may not be met. Therefore, special CRDA analyses, performed in accordance with an NRC approved methodology, are required to verify the SDM test sequence will not result in unacceptable consequences should a CRDA occur during the testing. For the purpose of this test, the protection provided by the normally required MODE 5 applicable LCOs, in addition to the requirements of this LCO, will maintain normal test operations as well as postulated accidents within the bounds of the appropriate safety analyses (Refs. 1 and 2). In addition to the added requirements for the RWM, APRM, and control rod coupling, the notch out mode is specified for out of sequence withdrawals. Requiring the notch out mode limits withdrawal steps to a single notch, which limits inserted reactivity, and allows adequate monitoring of changes in neutron flux, which may occur during the test.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of 10 CFR 50.36(c)(2)(ii) (Ref. 3) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. SDM tests may be performed while in MODE 2, in accordance with Table 1.1-1, without meeting this Special Operations LCO or its ACTIONS. For SDM tests performed while in MODE 5, additional requirements must be met to ensure that adequate protection against potential reactivity excursions is available. To provide additional scram protection, beyond the normally required IRMs, the APRMs are also required to be OPERABLE (LCO 3.3.1.1, Functions 2.a and 2.d) as though the reactor were in MODE 2. Because multiple control rods will be withdrawn and the reactor will potentially become critical, the approved control rod withdrawal sequence must be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2), or must be verified by a second licensed operator (Reactor Operator or Senior Operator) or other qualified member of the technical staff (i.e., reactor engineer). To provide additional protection against an inadvertent criticality, control rod withdrawals that do not conform to the banked position withdrawal sequence specified in LCO 3.1.6, "Rod Pattern Control," (i.e., out of sequence control rod withdrawals) must be made in the individual notched withdrawal mode to minimize the potential reactivity insertion associated with each movement. Coupling integrity of withdrawn control rods is required to minimize the probability of a CRDA and ensure proper functioning of the withdrawn control rods, if they are required to scram.

Because the reactor vessel head may be removed during these tests, no other CORE ALTERATIONS may be in progress.

Furthermore, since the control rod scram function with the RCS at atmospheric pressure relies solely on the CRD accumulator, it is essential that the CRD charging water header remain pressurized. This Special Operations LCO then allows changing the Table 1.1-1 reactor mode switch position requirements to include the startup/hot standby position, such that the SDM tests may be performed while in MODE 5.

APPLICABILITY These SDM test Special Operations requirements are only applicable if the SDM tests are to be performed while in MODE 5. Additional requirements during these tests to enforce control rod withdrawal sequences and restrict other CORE ALTERATIONS provide protection against potential reactivity excursions. Operations in all other MODES are unaffected by this LCO.

ACTIONS A.1 With one or more control rods discovered uncoupled during this Special Operation, a controlled insertion of each uncoupled control rod is required; either to attempt recoupling, or to preclude a control rod drop. This controlled insertion is preferred since, if the control rod fails to follow the drive as it is withdrawn (i.e., is "stuck" in an inserted position), placing the reactor mode switch in the shutdown position per Required Action B.1 could cause substantial secondary damage. If recoupling is not accomplished, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations.

The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids.

Required Action A.1 is modified by a Note that allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1, "Control Rod Block Instrumentation," Actions provide additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.

The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems.

Condition A is modified by a Note allowing separate Condition entry for each uncoupled control rod. This is acceptable since the Required Actions for this Condition provide appropriate compensatory actions for each uncoupled control rod. Complying with the Required Actions may allow for continued operation. Subsequent uncoupled control rods are governed by subsequent entry into the Condition and application of the Required Actions.

B.1 With one or more of the requirements of this LCO not met for reasons other than an uncoupled control rod, the testing should be immediately stopped by placing the reactor mode switch in the shutdown or refuel position. This results in a condition that is consistent with the requirements for MODE 5 where the provisions of this Special Operations LCO are no longer required.

SURVEILLANCE REQUIREMENTS SR 3.10.8.1, SR 3.10.8.2, and SR 3.10.8.3 LCO 3.3.1.1, Functions 2.a and 2.d, made applicable in this Special Operations LCO, are required to have applicable Surveillances met to establish that this Special Operations LCO is being met (SR 3.10.8.1). However, the control rod withdrawal sequences during the SDM tests may be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2 requirements) or by a second licensed operator (Reactor Operator or Senior Operator) or other qualified member of the technical staff (i.e., reactor engineer). As noted, either the applicable SRs for the RWM (LCO 3.3.2.1) must be satisfied according to the applicable Frequencies (SR 3.10.8.2), or the proper movement of control rods must be verified (SR 3.10.8.3). This latter verification (i.e., SR 3.10.8.3) must be performed during control rod movement to prevent deviations from the specified sequence. These Surveillances provide adequate assurance that the specified test sequence is being followed.

SR 3.10.8.4 Periodic verification of the administrative controls established by this LCO will ensure that the reactor is operated within the bounds of the safety analysis. The 12 hour Frequency is intended to provide appropriate assurance that each operating shift is aware of and verifies compliance with these Special Operations LCO requirements.

SR 3.10.8.5 Coupling verification is performed to ensure the control rod is connected to the control rod drive mechanism and will perform its intended function when necessary. The verification is required to be performed any time a control rod is withdrawn to the "full-out" notch position, or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved as well as operating experience related to uncoupling events.

SR 3.10.8.6 CRD charging water header pressure verification is performed to ensure the motive force is available to scram the control rods in the event of a scram signal. Since the reactor is depressurized in MODE 5, there is insufficient reactor pressure to scram the control rods. Verification of charging water header pressure ensures that if a scram were to be required, capability for rapid control rod insertion would exist. The minimum charging water header pressure of 940 psig is well below the expected pressure of 1390 to 1580 psig, while still ensuring sufficient pressure for rapid control rod insertion. The 7 day Frequency has been shown to be acceptable through operating experience and takes into account indications available in the control room.


REFERENCES 1. UFSAR, Section 14.6.1.2.
2. UFSAR, Section 14.6.3.
3. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.10.8-6 Revision 0